Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-setup-04
Rob Austein <sra@hactrn.net> Tue, 20 December 2016 17:34 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF7E9129BB8; Tue, 20 Dec 2016 09:34:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-HglI168UEL; Tue, 20 Dec 2016 09:34:43 -0800 (PST)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0ABB1294FD; Tue, 20 Dec 2016 09:34:40 -0800 (PST)
Received: from minas-ithil.hactrn.net (c-73-47-197-23.hsd1.ma.comcast.net [73.47.197.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by adrilankha.hactrn.net (Postfix) with ESMTPS id AFBA83983C; Tue, 20 Dec 2016 17:34:39 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id DD3B64469FFE; Tue, 20 Dec 2016 12:33:36 -0500 (EST)
Date: Tue, 20 Dec 2016 12:33:36 -0500
From: Rob Austein <sra@hactrn.net>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>
In-Reply-To: <C219759D-6DE4-4B23-95C3-E39156FEAFC2@cisco.com>
References: <C219759D-6DE4-4B23-95C3-E39156FEAFC2@cisco.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20161220173336.DD3B64469FFE@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/UKukLFyEE9gVjDbOIkajVuh5pQc>
Cc: Chris Morrow <morrowc@ops-netman.net>, "sidr-chairs@ietf.org" <sidr-chairs@ietf.org>, "draft-ietf-sidr-rpki-oob-setup@ietf.org" <draft-ietf-sidr-rpki-oob-setup@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2016 17:34:45 -0000
At Tue, 20 Dec 2016 14:24:27 +0000, Alvaro Retana (aretana) wrote: > > C1. Why isn?t an IETF namespace [RFC3688] used in the XML schema? I > would strongly suggest that you use one and request it in the IANA > Considerations Section. Unlike the publication protocol, this > document specifies version 1 ? which of course doesn?t mean there > isn?t a longer history behind it, so I?m open to keeping a non-IETF > namespace if that is the case. There's a longer history behind it :) This protocol started out circa 2010 as part of another non-IETF protocol ("myrpki", which long since went to the big bit-bucket in the sky). So this is a revised protocol with semantics identical to the useful subset of the "myrpki" protocol, with some syntax changes to make the protocol operation clearer (some of the "myrpki" syntax choices were obscure, to put it mildly, mea culpa). All that said, this protocol in its current form has been in use for years now, so there's deployed code which I'd really rather not break if we can avoid it. > C2. Section 4.1. (Common Protocol Elements) says that ?The first XML > attribute in each message is a version field.?, and Appendix > A. (RelaxNG Schema) reflects that. However, the examples > (throughout the document) don?t reflect the same ordering. > > C2.1. It would be very nice if the description of the fields was in > the same order as what the schema defines. For example, the schema > says that for a child_request the order is: version, child_handle, > tag and child_bpki_ta, but the text in 4.2.1. (<child_request/>) > reverses the tag and child_handle. Good catch(es). If I recall correctly, XML attributes are an unordered set, so "first" doesn't really make sense for attributes (elements are a different story). So my text cited in 4.1 is wrong. That said, I agree that having attribute order in the examples agree with attribute order in the text would be clearer. Order in the examples is arbitrary because the examples are produced by a program which doesn't preserve ordering, but I think I know how to convince the lxml library to use a particular order, so this is probably just a small tweak to the example generator. > C3. In 4.2.2. (<parent_response/>), are the offer and referral > elements mutually exclusive? What happens if the client receives a > parent_response with both? If it is an error, is it considered a > syntax-error or something else? Section 5. (Protocol Walk-Through) > offers a hint (?Bob doesn't have to accept Alice's offer, but may > choose to do so.?), but the specification is still not clear. A <parent_response/> containing both an offer and referrals would be unusual, but I don't think it's illegal, nor can I think of any reason why we should make it illegal. > C4. The Shepherd?s write-up doesn?t mention any XML checks done, but > I suspect this step has in fact happened. Please provide details so > the Shepherd can complete the writeup. Yep, libxml2 RelaxNG, examples validated during compilation, same as with the publication protocol. > C5. The example in Section 4.4. (<error/>) doesn?t include the > complete child_request message which presumably caused the error. Good catch. Guess that should have been "syntax-error" rather than "refused" :(. Schema validation doesn't help here, as the schema deliberately allows encapsulation of a non-compliant PDU (otherwise "syntax-error" would be problematic). Root cause is a bug in the way the example generator constructs the error examples, will fix. > C6. I think the following references can be made Informative: > RFC5280, RFC5652. Grey area, since one can't generate some of the PDUs unless one can generate X.509 and CMS, but I have no objection to changing these to Informative if you prefer.
- [sidr] AD Review of draft-ietf-sidr-rpki-oob-setu… Alvaro Retana (aretana)
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Rob Austein
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Alvaro Retana (aretana)
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Rob Austein
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Alvaro Retana (aretana)
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Rob Austein
- Re: [sidr] AD Review of draft-ietf-sidr-rpki-oob-… Alvaro Retana (aretana)