Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
"Murphy, Sandra" <Sandra.Murphy@parsons.com> Wed, 18 September 2013 19:16 UTC
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>, Geoff Huston <gih@apnic.net>
Date: Wed, 18 Sep 2013 19:16:00 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F674A5C8EC@CVA-MB001.centreville.ads.sparta.com>
References: <EF4348D391D0334996EE9681630C83F0221213C8@xmb-rcd-x02.cisco.com>, <CE0AC78A.26953%andy@arin.net> <24B20D14B2CD29478C8D5D6E9CBB29F6749E7607@CVA-MB002.centreville.ads.sparta.com> <973B0890-766F-4023-8F35-876936E470C6@apnic.net>, <EF4348D391D0334996EE9681630C83F02217BD61@xmb-rcd-x02.cisco.com>
In-Reply-To: <EF4348D391D0334996EE9681630C83F02217BD61@xmb-rcd-x02.cisco.com>
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Looks like this is the final word.

Consensus of the wglc is that the document is good to go, with revisions.

Draft authors, could you please submit a new version with the wording suggested below?

   As an update to RFC6487, this document broadens the class of
   certificates that conform to the RPKI profile by explicitly including
   within the profile those certificates that contain a policy qualifier
   as described here. A relying party that performs a strict validation
   based on RFC6487 and fails to support the updates described in this
   document, would incorrectly invalidate RPKI objects that implement
   the changes in Section 2.

Note this includes one nit change of "implements" to "implement".

Please also consider the nits mentioned in the message:
http://www.ietf.org/mail-archive/web/sidr/current/msg06124.html

--Sandy, speaking as wg co-chair

________________________________________
From: Roque Gagliano (rogaglia) [rogaglia@cisco.com]
Sent: Monday, August 26, 2013 4:18 AM
To: Geoff Huston; Murphy, Sandra
Cc: Andy Newton; sidr@ietf.org list
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00

Hi Geoff/Sandy,

Agree that we can avoid the mention on the current status of the known RP. As the due-diligence was done, I am fine.

I think your proposed text from Geoff goes well with the intention of the original text (at least with the first sentence). It is just a matter of how explicit we want to be in the consequences of not implementing the changes on this document for RP parties. We can go with only his sentence or add the two sentences:

   "As an update to RFC6487, this document broadens the class of
   certificates that conform to the RPKI profile by explicitly including
   within the profile those certificates that contain a policy qualifier
   as described here. A relying party that performs a strict validation
   based on RFC6487 and fails to support the updates described in this
   document, would incorrectly invalidate RPKI objects that implements
   the changes in Section 2."

Roque

On Aug 24, 2013, at 12:03 AM, Geoff Huston <gih@apnic.net> wrote:

> Wouldn't it be better to note that:
>
> As an update to RFC6487, this document broadens the class of
> certificates that conform to the RPKI profile by explicitly including
> within the profile those certificates that contain a policy qualifier
> as described here.
>
> Geoff
>
> On 24/08/2013, at 4:09 AM, "Murphy, Sandra" <Sandra.Murphy@parsons.com> wrote:
>
>> Speaking as working group chair:
>>
>> I can't be certain that this indicates a promise to modify the draft or not. Roque, Andy, could you comment?
>>
>> If so, a new version is needed and I'll say so on the list.
>> If not, I'll have to ask for resolution on list.
>>
>> Speaking as regular ol' member (and a bit as wg chair, as I'm not clear about the intent of the new text):
>>
>> I don't think this text hurts anything, but I am puzzled about the intent. If "all known" implementations comply, why mention the problem? OTOH, it might serve to forestall AD/IESG questions.
>>
>> So I agree with Andy's observation, though I'd say a heading "Backward Compatibility Considerations" rather than "Interoperability Considerations" suits the situation better.
>>
>> (Apologies - searching for the thread, I found these comments stuck in my draft folder from 17 July.)
>>
>> --Sandy
>>
>> P.S.
>>
>> "strick"->"strict"
>> "RPKI signed objects" -> "RPKI objects" <because you mean CA certs as well and signed objects might be taken to mean only ROAs and ghostbusters and manifests etc>
>> "implements"->"include" or "contain" or...
>> "RP"-> relying party (or you'll have to define the acronym somewhere)
>> Not sure what "as in IDR" means.
>>
>> ________________________________________
>> From: Andy Newton [andy@arin.net]
>> Sent: Tuesday, July 16, 2013 9:49 AM
>> To: Roque Gagliano (rogaglia)
>> Cc: Murphy, Sandra; sidr@ietf.org
>> Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
>>
>> This sounds fine to me, though it is really an interoperability
>> considerations section thingy. The IETF does those now, right? :)
>>
>> -andy
>>
>> On 7/16/13 4:55 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com> wrote:
>>
>>> Thanks Andy.
>>>
>>> Do you think we need to add something in the security section about the
>>> transition?
>>>
>>> Something like:
>>>
>>> "A RP that performs a strick validation based on RFC6487 and fails to
>>> support the updates described in this document, would incorrectly
>>> invalidate RPKI signed objects that implements the changes in Section 2.
>>> At the time of this writing, all known RP software suites (you can
>>> mention them as in IDR) were tested and supported the updates on this
>>> document"
>>>
>>> Roque
>>>
>>> On Jul 15, 2013, at 7:07 PM, Andy Newton <andy@arin.net> wrote:
>>>
>>>> On 7/15/13 10:22 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
>>>> wrote:
>>>>
>>>>> Before sending my support to advance to the IESG, I wanted to ask the
>>>>> author if they have tested the effects of this change on existing RP
>>>>> tools. Do they really set the certificate as invalid?
>>>>
>>>> Yes, we have tested against the three RP suites. One did not require a
>>>> change while the other two required simple one line changes. Current
>>>> releases of all three now accommodate it.
>>>>
>>>> -andy
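The backward-compatibility point the thread settles on (a strict RFC 6487 relying party rejects a certificate whose certificatePolicies extension carries a policy qualifier, while an updated one accepts it) can be made concrete with a small Python script. This is an added illustration and is not code from the thread, the draft, or any of the three RP suites Andy mentions. The two OIDs come from RFC 6484/RFC 6487 (the RPKI policy) and RFC 5280 (the CPS pointer qualifier), not from this message; the assumption that the CPS pointer is the only qualifier the update permits is mine, and the CPS URI in the constructed sample is a placeholder. DER is encoded and decoded by hand so the script needs only the standard library.

```python
# Added example: check an RPKI certificatePolicies extension for policy qualifiers
# the way a strict RFC 6487 relying party and an updated relying party would.

# OIDs taken from RFC 6484/6487 and RFC 5280 (not from the thread).
ID_CP_IPADDR_ASNUMBER = "1.3.6.1.5.5.7.14.2"   # RPKI certificate policy
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"                # CPS pointer qualifier (id-qt-cps)

SEQUENCE, OID, IA5STRING = 0x30, 0x06, 0x16


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag/length/value with a minimal definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: first two arcs combined, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(OID, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for the OID content octets (first arc 0 or 1)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_iter(buf: bytes):
    """Yield (tag, content) for each TLV in buf (short and long definite lengths)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + length]
        i += length


def parse_certificate_policies(ext_value: bytes):
    """Return [(policy_oid, [qualifier_oid, ...]), ...] from the extension value."""
    tag, body = next(der_iter(ext_value))
    if tag != SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies = []
    for tag, info in der_iter(body):
        parts = list(der_iter(info))
        if tag != SEQUENCE or not parts or parts[0][0] != OID:
            raise ValueError("malformed PolicyInformation")
        qualifiers = []
        if len(parts) > 1:  # policyQualifiers is OPTIONAL; each entry starts with its OID
            for _, qinfo in der_iter(parts[1][1]):
                qualifiers.append(decode_oid(next(der_iter(qinfo))[1]))
        policies.append((decode_oid(parts[0][1]), qualifiers))
    return policies


def rfc6487_strict_check(ext_value: bytes):
    """Pre-update relying party: exactly the RPKI policy and no qualifier at all."""
    policies = parse_certificate_policies(ext_value)
    if len(policies) != 1 or policies[0][0] != ID_CP_IPADDR_ASNUMBER:
        return False, "unexpected policy set"
    if policies[0][1]:
        return False, "policy qualifier present"
    return True, "ok"


def updated_profile_check(ext_value: bytes):
    """Updated relying party: same policy rule, but a CPS pointer is tolerated.
    Assumption of this example: the CPS pointer is the only permitted qualifier."""
    policies = parse_certificate_policies(ext_value)
    if len(policies) != 1 or policies[0][0] != ID_CP_IPADDR_ASNUMBER:
        return False, "unexpected policy set"
    other = [q for q in policies[0][1] if q != ID_QT_CPS]
    if other:
        return False, "unexpected qualifier " + ", ".join(other)
    return True, "ok"


def build_certificate_policies(cps_uri=None, qualifier_oid=ID_QT_CPS) -> bytes:
    """Construct a certificatePolicies value; with cps_uri, attach one qualifier."""
    info = encode_oid(ID_CP_IPADDR_ASNUMBER)
    if cps_uri is not None:
        qualifier = encode_oid(qualifier_oid) + der_tlv(IA5STRING, cps_uri.encode("ascii"))
        info += der_tlv(SEQUENCE, der_tlv(SEQUENCE, qualifier))
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, info))


# Constructed sample values; the CPS URI is a placeholder, not a real CPS.
PLAIN = build_certificate_policies()
WITH_CPS = build_certificate_policies("https://rpki.example.net/cps.html")

if __name__ == "__main__":
    for name, value in (("no qualifier", PLAIN), ("CPS qualifier", WITH_CPS)):
        print(name, "| strict RFC 6487:", rfc6487_strict_check(value),
              "| updated:", updated_profile_check(value))
```

Running the script shows the mismatch the thread worries about: both checks accept the qualifier-free value, but only the updated check accepts the one carrying a CPS pointer, which is exactly the certificate a strict RFC 6487 validator would wrongly invalidate.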