IETF Logo Mail Archive

Re: [sidr] once more with feeling! WGLC for draft-ietf-sidr-slurm-04

Tim Bruijnzeels <tim@ripe.net> Tue, 27 June 2017 11:04 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55ADF12955F; Tue, 27 Jun 2017 04:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jc-JsYTsfpg; Tue, 27 Jun 2017 04:04:12 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C521126B6E; Tue, 27 Jun 2017 04:04:12 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dPoHw-0002ti-KX; Tue, 27 Jun 2017 13:04:09 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-35.ripe.net) by nene.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dPoHw-0003UY-D2; Tue, 27 Jun 2017 13:04:08 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <9ACE1099-C5F3-48A3-BE97-649BDA8123BC@zdns.cn>
Date: Tue, 27 Jun 2017 13:04:07 +0200
Cc: Mehmet Adalier <madalier@antarateknik.com>, sidr <sidr@ietf.org>, sidr chairs <sidr-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <184B0473-C763-495C-92F2-8C93B303E4B5@ripe.net>
References: <801A5228-4DF6-4882-A2A9-77B9BAD58871@tislabs.com> <FE73D619-1368-4A22-8FB1-D310F277D731@ripe.net> <CAL9jLaYv-RZz8rzDy9XpjAsuVV4tFtxO33-0OjLQo2J00R60GA@mail.gmail.com> <87ACB275-5A80-427B-A6D6-D888CC72E03C@tislabs.com> <5D93CE9B-B802-4014-A3B8-F8B3A2F42456@antarateknik.com> <9ACE1099-C5F3-48A3-BE97-649BDA8123BC@zdns.cn>
To: Declan Ma <madi@zdns.cn>
X-Mailer: Apple Mail (2.3273)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719c3295e58993c5384debde18958d38759
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/eBGhCTiDqEE4Pgbk-SN17_BerdI>
Subject: Re: [sidr] once more with feeling! WGLC for draft-ietf-sidr-slurm-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2017 11:04:14 -0000

> On 27 Jun 2017, at 06:19, Declan Ma <madi@zdns.cn> wrote:
> 
>> 2)  Regarding keys, “only in combination with an asserted ASN for that key,” not on the key alone
> 
> 
> I think it’s reasonable to make it obliged to do filtering on the SKI in combination with an asserted ASN. 
> 
> We authors will be figuring out how to get this done after WGLC.

Or.. should we only allow filtering on asserted ASN? Is there a good use case for saying: “I know *this* key is bad for *this* ASN, but I am willing to accept assertions by this same ASN for other keys?”

I kind of suspect that if you don’t trust one of the assertions made by the ASN (for whatever reason), you probably don’t want to trust any of their assertions.

Tim

v2.23.0 | Report a Bug | By Email