Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

Sean Turner <sean@sn3rd.com> Fri, 08 July 2016 13:00 UTC

From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
Date: Fri, 08 Jul 2016 09:00:34 -0400
Message-Id: <793C1123-0398-455C-A316-A2DADB1F400A@sn3rd.com>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/a_gs_UDmXfdGdOsnLoAd7wzXOo0>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

> On Jul 08, 2016, at 05:35, Tim Bruijnzeels <tim@ripe.net> wrote:
> 
> Stephen Kent commented on -04 of this document saying that it should not attempt to update the BGPSec Router Certificate I-D because it's not an RFC, just yet. It's currently in IESG Processing. The current document therefore has a request and some suggestion to the authors to change the document (in which case the section can be deleted in the next (hopefully final) version of this document).
> 
> I don't mind either way. Maybe the chairs have an idea about what the best process is. But in either case we would like to ask the BGPSec Router Certificate authors to review the included text.

Tim,

Just so I’m following along:

- This draft replaces the text in RFC 6487 s7.2, so should the rpki-validation-reconsidered draft include the “Updates: 6487 (if approved)” header?  My understanding is that the proposal is that all RPKI validators follow these new steps, so that would make sense process-wise.

- bgpsec-pki-profiles s3.3 currently refers to RFC 6487 s7 for validation procedures, and technically, if rpki-validation-reconsidered updates RFC 6487, then when bgpsec-pki-profiles refers to RFC 6487 it includes those references, so I wouldn’t necessarily have to add an explicit reference to rpki-validation-reconsidered … but people will forget this and miss the update, and I know Wes hates chasing references ;)  So, to drive this point home we could do the following tweak in addition to adding your suggested bullet and separate-certificate-per-ASN suggestion:

OLD:

  The validation procedure used for BGPsec Router Certificates is
  identical to the validation procedure described in Section 7 of
  [RFC6487], but using the constraints applied come from this
  specification.

NEW:

  The validation procedure used for BGPsec Router Certificates is
  identical to the validation procedure described in Section 7 of
  [ID.sidr-rpki-validation-reconsidered], but using the constraints
  applied come from this specification.

Note I’d probably also add ID.sidr-rpki-validation-reconsidered to the required reading list in the terminology section :/

spt