Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agility-03
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 08 November 2011 06:27 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC14721F8CE9 for <sidr@ietfa.amsl.com>; Mon, 7 Nov 2011 22:27:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.29
X-Spam-Level:
X-Spam-Status: No, score=-3.29 tagged_above=-999 required=5 tests=[AWL=-0.291, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KHVOKx+ckyt for <sidr@ietfa.amsl.com>; Mon, 7 Nov 2011 22:27:44 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id E223F21F8CE8 for <sidr@ietf.org>; Mon, 7 Nov 2011 22:27:43 -0800 (PST)
Received: by faas12 with SMTP id s12so214661faa.31 for <sidr@ietf.org>; Mon, 07 Nov 2011 22:27:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NMrY5TMRtK3DlJYR2iZrW6bNwJpZuCEM2tf0bU3cpBU=; b=tzshjsHv/pex7UZUNuy1RwgQhT7BWLmfLbeDWUsB42TbEUSE5GooUQRurl6mZ5xvOX KuB7m/bi7IClh1+NZsVBUuGlYRiMW2GI6eEHvEykZTvrL2sKzga9xrmXu3WbAFRIPkRE kvUxRAZE0w75bgfm2JSEvROn79rpMrLL758Fw=
MIME-Version: 1.0
Received: by 10.223.58.8 with SMTP id e8mr14114568fah.27.1320733661737; Mon, 07 Nov 2011 22:27:41 -0800 (PST)
Received: by 10.223.54.15 with HTTP; Mon, 7 Nov 2011 22:27:41 -0800 (PST)
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6025FEE@Hermes.columbia.ads.sparta.com>
References: <Pine.WNT.4.64.1110201037470.4820@SMURPHY-LT.columbia.ads.sparta.com> <24B20D14B2CD29478C8D5D6E9CBB29F6025FEE@Hermes.columbia.ads.sparta.com>
Date: Tue, 08 Nov 2011 01:27:41 -0500
Message-ID: <CAH1iCipuaB=niUZY2WQdMX8REDVTWGjhosxTyq1AekkUiLZ=FQ@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "Murphy, Sandra" <Sandra.Murphy@cobham.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agility-03
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 06:27:44 -0000
Sorry for the late reply. I have been following the discussion, and reviewing all the related items (normative/informative). I will note that the compartmentalized design of the ROA elements of SIDR mean it is possible to update pieces easily. However, on the mere mortal reviewer of component IDs, it puts a larger burden. It is well worth the cost, IMHO. I hope my comments aren't too late. Given the number of other items in the WG that had informally extended periods, I would appreciate leniency here. My main comment is as follows: I do not support adoption of this document in its current form. The main reasons have to do with fundamental aspects which at a high level have been addressed by my colleagues, especially with respect to timelines imposed by the IETF, or even IESG or IAB, whether directly in BCP or RFC, or indirectly via ICANN or IANA. More to the point - I am not sure if I understand the relationship between some of the elements involved, but I believe there is no strict requirement for all members of a CA hierarchy to maintain identical algorithms. Here's why: - everybody is a CA. Both the "root" of the INR tree (ICANN/IANA), plus the RIRs, etc., down to the publishers of EE certs. - each CA publishes its policy via a CPS (it's a SHOULD, but functionally a MUST for RPs to be able to understand what a CA publishes.) - Each CPS specifies the OID of the corresponding CP - Each CP refers to the corresponding policy for algorithms - Algorithms themselves have OIDs and are referenced as such in certs - Every cert also specifies the OID of the CP itself (which embodies the rules for allowed algorithms) So while the first revision of the CP insists on only one algorithm for pub/private keys, and one algorithm for hashes, it explicitly calls out that these are expected to change. In changing allowed algorithms, it can reasonably be inferred that CPs could be issued which increase the _number_ of allowed algoriths of both types beyond one. And similarly, the methodology demonstrated by key rollover has local scope. There is no requirement that children do anything at all when a parent executes a key roll. _This is by design_. So the analogous high-level design for agility SHOULD be as follows: - new CP documents may be published, with new OIDs - ONLY when a CA with a given CPS decides to change CP does that CA need to execute a locally-significant key+alg roll - The CA would issue new certs with the new CP which itself lists additional algorithms - The same procedure would be executed in multiple phases - issue new child certs published under the old main cert; move them to the new cert, rewriting/overwriting in the same location This could be handled gracefully by having two CPs - one CP having the additional algorithm(s), and subsequently another CP with the new but minus the old. This mechanism could be used to introduce new algorithms without requiring retiring specific old algorithms. The two actions - adding and removing - are in fact independent, beyond the requirement that there be at least one algorithm (which goes without saying, really). The only other requirement is that the issued certs have algorithms consistent with the specified CP (OID) attached to the cert. I may be completely off the mark, but this would seem to be much more in line with the whole manner in which algorithms, policies, resource objects, etc., have been separated out and linked by normative reference. Perhaps we could get Geoff Huston to comment on my interpretation of the CP/CPS/alg interaction and explicit/implicit rules? Is it intended that CAs have a uniform hierarchy using exactly one algorithm set, or is it intended that each CA be able to specify (via CPS + CP) the set of algorithms it supports, with the initial CP document being the minimum acceptable algorithm set? Modulo the interaction between parents/children, and requiring old algorithms to be retired, and having a set timeline, and having all global CAs on the same timetable, the general methodology for handling the phases seems pretty solid. IMHO. Brian
- [sidr] WGLC for draft-ietf-sidr-algorithm-agility… Sandra Murphy
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Arturo Servin
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Paul Hoffman
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Terry Manderson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Terry Manderson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Terry Manderson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Terry Manderson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Terry Manderson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Roque Gagliano
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Roque Gagliano
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Samuel Weiler
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Danny McPherson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Roque Gagliano
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Murphy, Sandra
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Randy Bush
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Stephen Kent
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Brian Dickson
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Sean Turner
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Christopher Morrow
- Re: [sidr] WGLC for draft-ietf-sidr-algorithm-agi… Eric Osterweil