Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

Sean Turner <> Sat, 16 July 2016 23:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8E8212D18E for <>; Sat, 16 Jul 2016 16:02:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id M0SqEb-ti_P4 for <>; Sat, 16 Jul 2016 16:02:57 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 03CAE12D123 for <>; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
Received: by with SMTP id x1so45658735qkb.3 for <>; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zO4ewMBvoq3/MMTUbkoWA5xM1TW0J1HYPyTAvOqMvuQ=; b=WcgK/W48IWH9pV8NV0/kskAEiodrBbTo7gbdJpEUkMMFlum11i1gCCZ1UBIp5hefPE 58RpOM8fNUFjiPe9Z94QqbgFSNO5JlXy+NkfT+IkYmem1A3Y/6tESEzD1Fvga3w77zXe UIEDZXc0K/6J+ABO/AoQRCNnIZjO8Z7fy7RoA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=zO4ewMBvoq3/MMTUbkoWA5xM1TW0J1HYPyTAvOqMvuQ=; b=VFkq+7ypwvUmK0e7RLqJwz7d4TFk2d/4M+tGLGZv+qZ64b1XOy7XcJ1sysAycj5r4d WTPESio40EyQeF5teO248OslnfikKdZ4qYXEpS0A9+S8l6UmAwg+JKGHs75904LJS2Ln M3IW7w93O5zFRMuo1EoYjKBzZt2kvhZyZLQg9MrW0Q4E0haCj5AlXEUvXPIq1LzsO5jh At0JAiaMgIpumjEu7v+SHrqLYe4Uym+XWAdEXmB3Z6VJW7DOjuK/I0F3b6PpvkGr328+ j+aiHBDnINY8z5qD/q/9Ci0DEVhzAP4qs+zs3DJbGoPhbm6s+A+6sOQMMISAWXeFiYXp ygmg==
X-Gm-Message-State: ALyK8tJ/ZrhqamosnYqcWwuo5rjvm+28ELLhFSDDjqslX2MXaedVPJkzbgfnq+I690mO7g==
X-Received: by with SMTP id u6mr35599214qka.188.1468710176118; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id z1sm230139qkc.40.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 16 Jul 2016 16:02:55 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <>
In-Reply-To: <>
Date: Sat, 16 Jul 2016 19:02:53 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Tim Bruijnzeels <>, sidr chairs <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Cc: sidr <>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 Jul 2016 23:03:00 -0000

> On Jul 08, 2016, at 09:00, Sean Turner <> wrote:
>> On Jul 08, 2016, at 05:35, Tim Bruijnzeels <> wrote:
>> Stephen Kent comment on -04 of this document saying that it should not attempt to update the BGPSec Router Certificate I-D because it's not an RFC, just yet. It's currently in IESG Processing. The current document therefore has a request and some suggestion to the authors to change the document (in which case the section can be deleted in the next (hopefully final) version of this document.
>> I don't mind either way. Maybe the chairs have an idea about what the best process is. But in either case we would like to ask the BGPSec Router Certificate authors to review the included text.
> Tim,
> Just so I’m following along:
> - This draft replaces the text in RFC 6487 s7.2 so should rpki-validation-reconsidered draft include the “Updates: 6487 (if approved)” header?  My understanding is that the proposal is that all RPKI validators follow these new steps so that would make sense process wise.

I would like to propose that sidr-rpki-validation-reconsidered include an updates header, i.e., “Updates: 6487 (if approved)”, be included on the 1st page of the draft in the appropriate location.

Of the options presented in the change below for sidr-bgpsec-pki-profiles, I’d like to rely on the change proposed above and not make the OLD/NEW changes I proposed below, i.e., I am suggesting making no changes to the introductory text in s3.3 of sidr-bgpsec-pki-profiles to refer to sidr-rpki-validation-reconsidered because it’s an unnecessary change.

Steve’s suggested some other edits a a result of this thread and rpki-validation-reconsidered, so if the chairs direct me I can upload a new version of sidr-bgpsec-pki-profiles.  Since AD review hasn’t really happened yet, maybe we can treat these as late, but timely WGLC comments?


> - bgpsec-pki-profiles s3.3 currently refers to RFC 6487 s7 for validation procedures and technically if rpki-validation-reconsidered updates RFC 6487 when bgpsec-pki-profiles refers to RFC 6487 it includes those references so I wouldn’t necessarily have to add a explicit reference to rpki-validation-reconsidered … but people will forget this and miss the update and I know Wes hates chasing references ;)  So, to drive this point home we could do the following tweak in addition to adding your suggested bullet and separate-certificate per ASN suggestion:
> OLD:
>  The validation procedure used for BGPsec Router Certificates is
>  identical to the validation procedure described in Section 7 of
>  [RFC6487], but using the constraints applied come from this
>  specification.
> NEW:
>  The validation procedure used for BGPsec Router Certificates is
>  identical to the validation procedure described in Section 7 of
>  [ID.sidr-rpki-validation-reconsidered], but using the constraints
>  applied come from this specification.
> Note I’d probably also add ID.idr-rpki-validation-reconsidered to the required reading list in the terminology section :/
> spt