Re: [sidr] Questions about draft-huston-rpki-validation-01

Geoff Huston <gih@apnic.net> Wed, 21 May 2014 19:05 UTC

From: Geoff Huston <gih@apnic.net>
Date: Thu, 22 May 2014 05:04:55 +1000
To: Stephen Kent <kent@bbn.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Y75XCftXEFsJYjgxxBgxyF0OvbA
Cc: sidr@ietf.org
Subject: Re: [sidr] Questions about draft-huston-rpki-validation-01

Hi Steve,

I appreciate the backlog of mail you are working from, as you note in your mail, but
I always think it useful to have carefully read a document before performing a critique. I'm sure
you would agree with that sentiment. I was therefore quite surprised to find you had said the
following:

> 2- A separate concern is that the candidate doc contains two separable cases: one relaxes
> path validation by not mandating that every subordinate cert contain only a subset
> of the resources in the parent cert. The other case introduces the notion of a join
> into the RPKI tree structure. This latter case was extensively criticized during the
> SIDR WG meeting, by a number of folks. I suggest that case not be part of a new WG
> doc at this time.


I would be grateful for the precise reference in the "candidate doc" you talk about
to the concept of a "join". I looked through draft-huston-rpki-validation-01.txt, and
maybe I missed something incredibly obtuse and well buried in the whitespace, but I
couldn't find any such reference in this document. Are you perhaps performing a critique
of some other draft in this rather lengthy message and not in fact referring to 
draft-huston-rpki-validation-01.txt at all?

The description of the first case is also inappropriately informal - the alternative view
described in the draft is that a relying party can consider a certificate to be valid
with respect to only those resources that are contained in all certificates that form
the validation path. Perhaps the subtle difference in your description might be the
cause of your evident discomfort with what you believe is contained in this document.

I think a careful read of section 2 of this draft adequately addresses why your proposal for 
additional operational procedures in point 1 of your note seems to be well wide of addressing the issues
described in the draft. 

The assertion in point 3 that this is "not viable" I interpret as one opinion, most likely one held
by yourself. Obviously there are other opinions and perspectives on this matter, and this draft
describes such a different perspective and also includes the motivation behind it. I would recommend
that perhaps this conversation would benefit from such a careful reading of the draft in question.

regards,

Geoff
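
The two validation views contrasted in the message above, as an added example that is not part of the original message or of the draft: the strict rule, where every certificate's resources must be encompassed by its issuer's, beside the alternative view, where a certificate is valid only for the resources present in every certificate on the path. The prefixes are constructed documentation ranges, the function names are hypothetical, and AS numbers and IPv6 are left out for brevity.

```python
import ipaddress

def nets(*prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def intersect(a, b):
    """Resources present in both sets (IPv4 prefixes only in this sketch)."""
    hits = set()
    for x in a:
        for y in b:
            if x.overlaps(y):  # CIDR blocks overlap only by nesting
                hits.add(x if x.prefixlen >= y.prefixlen else y)
    return list(ipaddress.collapse_addresses(hits))

def strict_valid(path):
    """Strict rule: each certificate's resources are encompassed by its issuer's."""
    for issuer, subject in zip(path, path[1:]):
        if intersect(issuer, subject) != list(ipaddress.collapse_addresses(subject)):
            return False
    return True

def reduced_resources(path):
    """Alternative view: resources contained in all certificates on the path."""
    effective = path[0]
    for cert in path[1:]:
        effective = intersect(effective, cert)
    return effective

# Constructed path, trust anchor first. The intermediate CA lists
# 203.0.113.0/24, which its issuer does not hold.
OVERCLAIM_PATH = [
    nets("192.0.2.0/24", "198.51.100.0/24"),  # trust anchor
    nets("192.0.2.0/24", "203.0.113.0/24"),   # intermediate CA
    nets("192.0.2.0/25", "203.0.113.0/25"),   # end-entity certificate
]
# Constructed path where every certificate is a subset of its issuer.
CLEAN_PATH = [
    nets("192.0.2.0/24", "198.51.100.0/24"),
    nets("192.0.2.0/24"),
    nets("192.0.2.0/25"),
]

if __name__ == "__main__":
    for name, path in (("overclaim", OVERCLAIM_PATH), ("clean", CLEAN_PATH)):
        print(name, "strict:", strict_valid(path),
              "valid for:", [str(n) for n in reduced_resources(path)])
```

On the overclaiming path the strict rule rejects the end-entity certificate outright, while the alternative view keeps it usable for 192.0.2.0/25 and drops only the prefix that is not held all the way up the path.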