Re: [sidr] about a router AS-related certificate (fwd)

[Sandra Murphy <Sandra.Murphy@sparta.com>]

Sorry, somehow did NOT reply all.

--Sandy


---------- Forwarded message ----------
Date: Fri, 14 Oct 2011 17:44:07 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [sidr] about a router AS-related certificate


On Fri, 14 Oct 2011, Brian Dickson wrote:

> Hi, Sandy,
> 
> Would it be too much to ask, to get a brief summary email sent to the
> list, of recent last-calls or adoption-calls, and pro/con responses
> levels?

Not sure if you mean on a regular periodic basis or right now for the recent 
flurry of wg calls.

The summary of the recent flurry can be constructed well enough.  (If you want 
a rough immediate idea, the mail archive can display a thread index of the 
mail.)

A periodic message is also possible, if people would find that useful. You 
indicate that you just recently joined the list, so maybe you don't realize 
that this wg is particularly bursty, but obviously there's reasonable 
periodicity that could be used.

> 
> This would be to get an idea of whether some might have been missed,
> and which need support to progress?
>

Some care would be wise.  A message from the wg chairs to say "hey, wg, you 
haven't demonstrated support for draft X" might be construed as undue
chair influence on the wg consensus.

The periodic summary you suggest is objective enough that it could/might pass 
muster.

> And I'd suggest that if there were not-many pros, and none or much
> fewer than normal cons, that asking again to boost the pro responses,
> may be all that is needed.

IMHO, the wg chairs taking steps to boost the pro response would be truly 
skating too close to the edge of undue influence.  OVer the edge, maybe.

> 
> The inter-dependencies of some of these drafts, makes it pretty important.
> 
> BTW, I would be more than happy to contribute to the WG in whatever way I 
> can.
>

Great!

--Sandy

> Thanks,
> 
> Brian Dickson
> 
> On Fri, Oct 14, 2011 at 10:50 AM, Sandra Murphy
> <Sandra.Murphy@sparta.com> wrote:
>> The wg has just demonstrated a lack of support for adoption of a suggested
>> cert profile for routers in draft-turner-sidr-bgpsec-pki-profiles.
>> 
>> Unfortunately, a router certificate is already mentioned in existing wg
>> drafts.
>> 
>> 
>> The bgpsec-overview draft says:
>> 
>>   BGPSEC extends the RPKI by adding an additional type of certificate,
>>   referred to as a BGPSEC router certificate, that binds an AS number
>>   to a public signature verification key, the corresponding private key
>>   of which is held by one or more BGP speakers within this AS.
>> 
>> 
>> The bgpsec-ops drafts says:
>> 
>>   AS/Router Certificates
>> 
>> 
>>   A site/operator MAY use a single certificate/key in all their
>>   routers, one certificate/key per router, or any granularity in
>>   between.
>> 
>>   A large operator, concerned that a compromise of one router's key
>>   would make many routers vulnerable, MAY accept a more complex
>>   certificate/key distribution burden to reduce this exposure.
>> 
>>   On the other extreme, an edge site with one or two routers MAY use a
>>   single certificate/key.
>> 
>> 
>> Is there an alternative router certificate that the wg would like to adopt?
>> 
>> If the wg did not realize that the router certificate was needed to fulfill
>> existing wg drafts, please speak up.
>> 
>> At any rate, the wg needs to indicate how to proceed here.
>> 
>> --Sandy, speaking as wg chair
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>>