IETF Logo Mail Archive

Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt

Stephen Kent <kent@bbn.com> Fri, 15 July 2016 17:28 UTC

Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E0512D0E9 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level:
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AALWMqzhBkyx for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:28:36 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D57B12B04D for <sidr@ietf.org>; Fri, 15 Jul 2016 10:28:36 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:54094 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bO6ud-00065k-0U for sidr@ietf.org; Fri, 15 Jul 2016 13:28:31 -0400
To: sidr@ietf.org
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
From: Stephen Kent <kent@bbn.com>
Message-ID: <a7252aa1-c522-ff42-979c-1b09c6c06406@bbn.com>
Date: Fri, 15 Jul 2016 13:28:30 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
Content-Type: multipart/mixed; boundary="------------77B09798B26354C6D8BF2334"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/bgYfeunPjt_-f_jpFTyeCHhz8ZQ>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 17:28:38 -0000

Tim,

I reviewed the -06 version and am attaching a pdf of the MS Word file 
with suggested edits. I can send you the word file itself if you wish.

I have provided text to my co-author, Sean, to include in the 
bgpsec-pki-profile doc to address your concern. I suggested the 
following text at the beginning of section 3 :

    The validation procedure used for BGPsec Router Certificates is
    identical to the validation procedure described in Section 7 of
    [RFC6487](and any RFC that updates this procedure), but using the
    constraints applied come from this specification.

Sean added an implementation considerations section which I suggest will 
say:

    Operators MAY choose to issue separate BGPsec Router Certificates for
    different ASNs. Doing so may prevent a BGPsec Router Certificate from
    becoming invalid if one of the ASNs is removed from any superior CA certificate
    along the path to a trust anchor.


I hope these changes avoid the need to say anything about router certs 
in your doc.

I'm not sure there is a need to change the ROA spec. If we agree that 
all prefixes in the ROA MUST be contained in the EE cert for that ROA, 
then the current text in the ROA spec does not need to change.

Steve

v2.19.0 | Report a Bug | By Email