Re: [sidr] IPv4 examples for draft-ietf-sidr-bgpsec-pki-algs

Randy Bush <randy@psg.com> Thu, 12 January 2017 22:33 UTC

Date: Fri, 13 Jan 2017 07:33:07 +0900
Message-ID: <m24m13j4d8.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
In-Reply-To: <DCCE4A71-87F8-4A8A-A561-202F6331DC93@nist.gov>
References: <2459DA8D-593F-4B75-9C74-619DDBA907E4@nist.gov> <m27f60ie53.wl-randy@psg.com> <DCCE4A71-87F8-4A8A-A561-202F6331DC93@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/bmrbcrbX7J6RAhcsgnVs5V-9B90>
Cc: sidr list <sidr@ietf.org>
Subject: Re: [sidr] IPv4 examples for draft-ietf-sidr-bgpsec-pki-algs

mornin' oliver,

> This most likely would set a bad example for others that might start
> issuing certificates with “infinite” life spans.

'zactly

> In this regard, what about a Validity of 365 days within the
> example? This seems feasible to me.

>> of course that leaves open what lifetime to recommend.  we're not
>> gonna do ocsp, but rather withdraw from the rpki.  so to keep from
>> making too much bgp noise, let me toss out O(year) to start the
>> discussion.

i can live with a year.  i will be interested if others comment.

i have a vague memory of talking about this before.  one needs to deploy
the replacement key in advance, as it can take some time to propagate to
the far corners of the internet.  and one probably does not want to
reannounce all one's routes at once.

a small i-d may be in order.

randy
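The rollover Randy sketches (publish the replacement router key well ahead of use, then re-sign routes in batches rather than all at once, and only pull the old certificate once nothing still depends on it) is easy to get wrong at the edges: the old certificate can lapse before the last batch has been re-announced. The planner below is an added example written for this archive page; it is not Randy's, NIST's or the draft's code. The certificate fields, the two-day propagation window, the batch size and spacing, and the sample prefixes and dates are all constructed assumptions. It also applies the 365-day lifetime Oliver proposes as a hard ceiling, so an "infinite" certificate is rejected before any schedule is built.

```python
"""Staggered rollover of a BGPsec router key, with a validity-period check.

Constructed example: the certificates, prefixes and time windows below are
made up for illustration and are not from the draft or the sidr thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DAY = timedelta(days=1)
MAX_VALIDITY_DAYS = 365  # the O(year) lifetime floated in the thread


@dataclass(frozen=True)
class RouterCert:
    """Minimal stand-in for a BGPsec router certificate (assumed fields)."""
    ski: str             # subject key identifier, hex string
    not_before: datetime
    not_after: datetime

    def validity(self) -> timedelta:
        return self.not_after - self.not_before


def validity_ok(cert: RouterCert, max_days: int = MAX_VALIDITY_DAYS) -> bool:
    """Reject certificates whose lifetime exceeds the agreed ceiling."""
    return cert.not_after > cert.not_before and cert.validity() <= max_days * DAY


@dataclass(frozen=True)
class RolloverPlan:
    batches: tuple             # ((when, (prefix, ...)), ...) in announcement order
    withdraw_old_at: datetime  # earliest safe time to pull the old cert from the RPKI


def plan_rollover(old: RouterCert, new: RouterCert, prefixes, now: datetime,
                  propagation: timedelta = 2 * DAY, batch_size: int = 2,
                  batch_interval: timedelta = 1 * DAY) -> RolloverPlan:
    """Schedule re-signing with the new key without re-announcing everything at once.

    Constraints enforced (assumptions about what a safe rollover needs):
      * the new certificate must be valid and have had `propagation` time to
        reach distant relying parties before the first update signed by it;
      * prefixes are re-announced in batches spaced `batch_interval` apart;
      * the old certificate must stay valid until the last old-key update has
        been replaced and the replacement has had `propagation` time to spread.
    """
    if not prefixes:
        raise ValueError("nothing to roll")
    if not validity_ok(new):
        raise ValueError("new certificate has an unacceptable validity period")
    if not (old.not_before <= now < old.not_after):
        raise ValueError("old certificate is not currently valid")
    first = max(now, new.not_before) + propagation
    groups = [tuple(prefixes[i:i + batch_size])
              for i in range(0, len(prefixes), batch_size)]
    batches = tuple((first + i * batch_interval, g) for i, g in enumerate(groups))
    last = batches[-1][0]
    if last >= new.not_after:
        raise ValueError("new certificate expires before rollover completes")
    withdraw_old_at = last + propagation
    if withdraw_old_at >= old.not_after:
        raise ValueError(
            f"old certificate expires {old.not_after:%Y-%m-%d}, before the last "
            f"re-announcement could propagate ({withdraw_old_at:%Y-%m-%d})")
    return RolloverPlan(batches, withdraw_old_at)


# Constructed sample data (documentation prefixes, made-up dates and SKIs).
NOW = datetime(2017, 1, 13, tzinfo=UTC)
OLD = RouterCert("aa" * 20, datetime(2016, 2, 1, tzinfo=UTC), datetime(2017, 2, 1, tzinfo=UTC))
NEW = RouterCert("bb" * 20, datetime(2017, 1, 10, tzinfo=UTC), datetime(2018, 1, 10, tzinfo=UTC))
PREFIXES = ("192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
            "203.0.113.0/24", "203.0.113.128/26")


def example_plan() -> RolloverPlan:
    """Healthy case: three batches, old cert outlives the whole schedule."""
    return plan_rollover(OLD, NEW, PREFIXES, NOW)


def example_too_late() -> str:
    """Old cert that lapses mid-rollover: returns the planner's complaint."""
    short_old = RouterCert(OLD.ski, OLD.not_before, datetime(2017, 1, 17, tzinfo=UTC))
    try:
        plan_rollover(short_old, NEW, PREFIXES, NOW)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    plan = example_plan()
    for when, group in plan.batches:
        print(f"{when:%Y-%m-%d} re-sign {', '.join(group)}")
    print("withdraw old cert at", plan.withdraw_old_at.date())
    print("too-late case:", example_too_late())
```

The propagation allowance is deliberately applied twice: once before the first update signed with the new key, so relying parties that have not yet fetched the new certificate do not see invalid signatures, and once after the last batch, so the old certificate is not withdrawn while a lagging validator may still be checking an old-key update it received before the re-announcement reached it.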