Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 18 May 2016 16:32 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A593B12D5CC; Wed, 18 May 2016 09:32:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4CVaZojMej5; Wed, 18 May 2016 09:32:11 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F04012D1AA; Wed, 18 May 2016 09:32:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id BECFFBE2C; Wed, 18 May 2016 17:32:09 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id udyUo65eMuG4; Wed, 18 May 2016 17:32:09 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 24747BDF9; Wed, 18 May 2016 17:32:09 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1463589129; bh=hNj1prQFJO+uvtlR+EhO4cNTTejLjR1bJPQxPKDt1Us=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=37eREEzipGXdNAfwBwqgFNLSF6O9VFXireH4VH4zp3yJf+vDDndWNUrEn2bAhHDVm b9QdfO7MvKp8n03T0aNUENMvaS353zfVSaV6gRGU4Sbcx+s3DR6mAlscAKyjKDrUSa hP/VjdCF5fkjSuTQ9ryRpZIMX9rDUC4sGsWvLaXc=
To: Brian Haberman <brian@innovationslab.net>, The IESG <iesg@ietf.org>
References: <20160518155109.14693.29705.idtracker@ietfa.amsl.com> <7398a12b-5f01-275f-7dc6-178c6b611891@innovationslab.net> <573C93CD.4040901@cs.tcd.ie> <2e4e9c39-06a9-43ea-eee7-1c0a0a67ad22@innovationslab.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <573C9906.4000506@cs.tcd.ie>
Date: Wed, 18 May 2016 17:32:06 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <2e4e9c39-06a9-43ea-eee7-1c0a0a67ad22@innovationslab.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="NrwwJDUhLWqBVswDBUg5JcN440tLWPltn"
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/PFrSh9Fdw388S1QaKNiHOCgJzZU>
Cc: sidr@ietf.org, sidr-chairs@ietf.org, draft-ietf-sidr-rpsl-sig@ietf.org, "Sandra L. Murphy" <sandy@tislabs.com>
Subject: Re: [sidr] Stephen Farrell's Discuss on draft-ietf-sidr-rpsl-sig-11: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 16:32:12 -0000
goto bottom:-) On 18/05/16 17:20, Brian Haberman wrote: > Hiya Stephen, > > On 5/18/16 12:09 PM, Stephen Farrell wrote: >> >> Hiya, >> >> On 18/05/16 17:06, Brian Haberman wrote: >>> Hiya Stephen, >>> >>> On 5/18/16 11:51 AM, Stephen Farrell wrote: >>>> Stephen Farrell has entered the following ballot position for >>>> draft-ietf-sidr-rpsl-sig-11: Discuss >>>> >>>> When responding, please keep the subject line intact and reply to all >>>> email addresses included in the To and CC lines. (Feel free to cut this >>>> introductory paragraph, however.) >>>> >>>> >>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >>>> for more information about IESG DISCUSS and COMMENT positions. >>>> >>>> >>>> The document, along with other ballot positions, can be found here: >>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpsl-sig/ >>>> >>>> >>>> >>>> ---------------------------------------------------------------------- >>>> DISCUSS: >>>> ---------------------------------------------------------------------- >>>> >>>> >>>> I'd like to check one thing - this may be needed for strict >>>> compliance with RPKI thing but it seems kinda weird to also >>>> impose that here, but anyway... >>>> >>>> Is 3.2 step 1 needed? That seems like useless complexity >>>> here. If it is needed, how does the verifier check that >>>> it's really a single-use? I don't see the point TBH. >>>> >>> >>> This text was driven by the statement in RFC 6487 (Section 3) that says: >>> >>> The private key associated with an EE certificate is used to sign a >>> single RPKI signed object, i.e., the EE certificate is used to >>> validate only one object. >>> >>> Step 1 in 3.2 is there so that this approach follows the above directive >>> on the use of the RPKI infrastructure/certificates. >> >> Well... sure. But what is the benefit here? IIRC that was > > I *think* the benefit is supposed to be compliance with the RPKI approach... > >> something related to making more fine-grained revocation >> possible or something which doesn't seem that useful here >> since a verifier will likely already have processed stuff >> already or am I mixed up? > > I don't think you are mixed up, but I will let others in SIDR chime in... Yeah, be good if someone could justify doing that. Maybe there's a good reason, though I'm not seeing it. > >> >> If there's no benefit, it seems like that adds a bunch of >> CA code just for fun (or "compliance" maybe;-) > > I could very easily see dropping step 1 from 3.2 and simply augmenting > the intro sentence with something about certs/keys generated per 3487. My guess is that that'd lead signing implementers to not generate new and possibly useless certs. I guess I'd be ok with that but it seems a bit unfair of us to be sorta kinda not telling 'em that they ought have the code for that. (The verifier doesn't know/care in this case afaics, though of course that means that the once-only aspect is also a bit "pretendy" too I suppose.) Anyway, yeah, maybe having someone more up to speed on sidr than I say why this makes sense here is the best next step so that we don't muck up or take the pretendy route? Cheers, S. > > Regards, > Brian > >
- [sidr] Stephen Farrell's Discuss on draft-ietf-si… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Sandra Murphy
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Brian Haberman
- Re: [sidr] Stephen Farrell's Discuss on draft-iet… Brian Haberman