Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Geoff Huston <gih@apnic.net> Sun, 25 August 2013 21:22 UTC
yes, but what's "old" and "new" is relative to when this draft is read. If you want it to read logically 3, 5 or 10 years from now I'd gently suggest that we generalise the text. After all it's not the daily news, it's an update to a technical spec that is supposed to last a little longer than just today. Or are we really just writing post-it notes that folk are supposed to forget the day after tomorrow? (3/4 :-))

Geoff

On 26/08/2013, at 12:40 AM, Andy Newton <andy@arin.net> wrote:

> You are exactly right, but I think Roque's text connects the dots on using
> old RP software.
>
> -andy
>
> On 8/23/13 6:03 PM, "Geoff Huston" <gih@apnic.net> wrote:
>
>> Wouldn't it be better to note that: As an update to RFC6487, this
>> document broadens the class of certificates that conform to the RPKI
>> profile by explicitly including within the profile those certificates
>> that contain a policy qualifier as described here.
>>
>> Geoff
>>
>>
>>
>> On 24/08/2013, at 4:09 AM, "Murphy, Sandra" <Sandra.Murphy@parsons.com>
>> wrote:
>>
>>> Speaking as working group chair:
>>>
>>> I can't be certain that this indicates a promise to modify the draft or
>>> not. Roque, Andy, could you comment?
>>>
>>> If so, a new version is needed and I'll say so on the list.
>>> If not, I'll have to ask for resolution on list.
>>>
>>> Speaking as regular ol' member (and a bit as wg chair, as I'm not clear
>>> about the intent of the new text):
>>>
>>> I don't think this text hurts anything, but I am puzzled about the
>>> intent. If "all known" implementations comply, why mention the problem?
>>> OTOH, it might serve to forestall AD/IESG questions.
>>>
>>> So I agree with Andy's observation, though I'd say a heading "Backward
>>> Compatibility Considerations" rather than "Interoperability
>>> Considerations" suits the situation better.
>>>
>>> (Apologies - searching for the thread, I found these comments stuck in
>>> my draft folder from 17 July.)
>>>
>>> --Sandy
>>>
>>> P.S.
>>>
>>> "strick"->"strict"
>>> "RPKI signed objects" -> "RPKI objects" <because you mean CA certs as
>>> well and signed objects might be taken to mean only ROAs and
>>> ghostbusters and manifests etc>
>>> "implements"->"include" or "contain" or...
>>> "RP"-> relying party (or you'll have to define the acronym somewhere)
>>> Not sure what "as in IDR" means.
>>>
>>> ________________________________________
>>> From: Andy Newton [andy@arin.net]
>>> Sent: Tuesday, July 16, 2013 9:49 AM
>>> To: Roque Gagliano (rogaglia)
>>> Cc: Murphy, Sandra; sidr@ietf.org
>>> Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
>>>
>>> This sounds fine to me, though it is really an interoperability
>>> considerations section thingy. The IETF does those now, right? :)
>>>
>>> -andy
>>>
>>> On 7/16/13 4:55 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
>>> wrote:
>>>
>>>> Thanks Andy.
>>>>
>>>> Do you think we need to add something in the security section about the
>>>> transition?
>>>>
>>>> Something like:
>>>>
>>>> "A RP that performs a strick validation based on RFC6487 and fails to
>>>> support the updates described in this document, would incorrectly
>>>> invalidate RPKI signed objects that implements the changes in Section
>>>> 2.
>>>> At the time of this writing, all known RP software suites (you can
>>>> mention them as in IDR) were tested and supported the updates on this
>>>> document"
>>>>
>>>> Roque
>>>>
>>>> On Jul 15, 2013, at 7:07 PM, Andy Newton <andy@arin.net> wrote:
>>>>
>>>>> On 7/15/13 10:22 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
>>>>> wrote:
>>>>>
>>>>>> Before sending my support to advance to the IESG, I wanted to ask the
>>>>>> author if they have tested the effects of this change on existing RP
>>>>>> tools. Do they really set the certificate as invalid?
>>>>>
>>>>> Yes, we have tested against the three RP suites. One did not require a
>>>>> change while the other two required simple one line changes. Current
>>>>> releases of all three now accommodate it.
>>>>>
>>>>> -andy
>>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>>
>>
>
>