Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04.txt> (Resource Public Key Infrastructure (RPKI) Trust Anchor Locator) to Proposed Standard
Richard Hansen <rhansen@bbn.com> Wed, 15 July 2015 04:53 UTC
Return-Path: <rhansen@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A55FF1A02F1; Tue, 14 Jul 2015 21:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4THsMGKXNjw; Tue, 14 Jul 2015 21:53:04 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20AA51A0276; Tue, 14 Jul 2015 21:53:04 -0700 (PDT)
Received: from socket.bbn.com ([192.1.120.102]:38446) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rhansen@bbn.com>) id 1ZFEgi-000JFq-FX; Wed, 15 Jul 2015 00:52:56 -0400
X-Submitted: to socket.bbn.com (Postfix) with ESMTPSA id 35A65400DC
Message-ID: <55A5E727.7020605@bbn.com>
Date: Wed, 15 Jul 2015 00:52:55 -0400
From: Richard Hansen <rhansen@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: ietf@ietf.org
References: <20150709134637.7120.70507.idtracker@ietfa.amsl.com>
In-Reply-To: <20150709134637.7120.70507.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/S9VjSoC-DjlqXJ5TiysiW0O0CYU>
Cc: sidr@ietf.org
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04.txt> (Resource Public Key Infrastructure (RPKI) Trust Anchor Locator) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 04:53:06 -0000
There is one substantive issue I noticed: embedded newlines in the
Base64 string.
Section 2.1 refers to Base64 encoding, defined in RFC4648 Section 4.
RFC4648 Section 3.1 says:
Implementations MUST NOT add line feeds to base-encoded data unless
the specification referring to this document explicitly directs base
encoders to add line feeds after a specific number of characters.
This draft does not say anything about adding newlines to the Base64
string, yet:
* all published TALs (that I could find) contain embedded newlines at
regular intervals, in violation of this specification
* the example in Section 2.3 contains embedded newlines every 57
characters
All existing implementations support embedded newlines at arbitrary
places in the Base64 string, including multiple newlines in a row (if
I'm reading everyone's code correctly).
I see three possible fixes:
1. Add a note next to the example in Section 2.3 that says that
newlines were added to the example due to line length limitations
in the RFC format. Encourage TAL publishers to fix their TALs by
removing the embedded newlines.
2. Permit but don't require newlines. For example, change Section 2.1
item #3 from:
3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509],
encoded in Base64 (see Section 4 of [RFC4648].
to:
3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509],
encoded in Base64 (see Section 4 of [RFC4648]). To avoid
long lines, <CRLF> or <LF> line breaks MAY be inserted into
the Base64 encoded string.
3. Require line breaks in the Base64 string. For example, change
Section 2.1 item #3 from:
3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509],
encoded in Base64 (see Section 4 of [RFC4648].
to:
3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509],
encoded in Base64 (see Section 4 of [RFC4648]). To avoid
long lines, a <CRLF> or <LF> line break MUST be inserted into
the Base64 encoded string every 75 or fewer characters.
I prefer option #3. If I understand correctly, OpenSSL's Base64 BIO
filter has two modes: no newlines permitted or newlines must be
inserted every 79 or fewer characters. The mode is not automatically
detected; the programmer must choose which mode to use. If the standard
guarantees that all lines will be shorter than 79 characters, then
OpenSSL's Base64 BIO filter can be used without any preprocessing. (The
choice of 75 is more-or-less arbitrary. Keeping it less than 80 is
important for OpenSSL compatibility. MIME (RFC2045) and vCard (RFC6350)
both require Base64 strings to be broken up every 75 or fewer
characters, and I figured it might be good to match.)
My second choice is option #2. It still requires preprocessing before
OpenSSL's Base64 BIO filter can be used, but it permits existing practice.
Option #1 is my least favorite. It is the least disruptive to the
document, but it still requires modifying the document so we might as
well modify it to permit existing practice. (Also, getting all of the
RIRs to fix their TALs is probably more work than changing the
specification.)
Nits:
* section 2.1, item 3: missing close parenthesis
* section 2.1: "comprised of" should be "composed of"
* section 2.1: "one of more" should be "one or more"
* section 3, item 4: "These test" should be "These tests"
* regressions of comma changes made by the RFC Editor before RFC6490
was published
-Richard
On 2015-07-09 09:46, The IESG wrote:
>
> The IESG has received a request from the Secure Inter-Domain Routing WG
> (sidr) to consider the following document:
> - 'Resource Public Key Infrastructure (RPKI) Trust Anchor Locator'
> <draft-ietf-sidr-rfc6490-bis-04.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2015-07-23. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>
> This document defines a Trust Anchor Locator (TAL) for the Resource
> Public Key Infrastructure (RPKI). This document obsoletes RFC6490 by
> adding support for multiple URIs in a TAL.
>
>
> A down reference exists in this document by using RFC5781 as a Normative
> Reference. RFC5781 has already been accepted by the community as a down
> reference and is properly documented in the DOWNREF Registry.
>
> The DOWNREF Registry can be accessed via
> https://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6490-bis/
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6490-bis/ballot/
>
>
> No IPR declarations have been submitted directly on this I-D.
- [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04… The IESG
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Richard Hansen
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Tim Bruijnzeels
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Richard Hansen
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Rob Austein
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… David Mandelberg
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Sandra Murphy
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Rob Austein