IETF Logo Mail Archive

Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Mon, 26 August 2013 08:20 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4DD21E8050 for <sidr@ietfa.amsl.com>; Mon, 26 Aug 2013 01:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9CAW7na7ujy for <sidr@ietfa.amsl.com>; Mon, 26 Aug 2013 01:19:51 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF8D11E812D for <sidr@ietf.org>; Mon, 26 Aug 2013 01:19:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11186; q=dns/txt; s=iport; t=1377505152; x=1378714752; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=c0Qch9/17CHDxBGilv1PPMwydXHGonrzxcKYuSqJ4hE=; b=MeXwT0J+yqZueS6Sx6sSXwlGSKmyMGgJQX2OuOLDLiHZjBRJCZiCp0Mx Qip6812C/blfgE3sQ2jtXRkXs8Qddwq21uFFYNTgAcOXYMm3M+m9I2mE/ DGqUaZNKVzz9Bwtie/oVurV956hj57lM5o3Iv2FGFD0a+tZsIiUHxF0oN U=;
X-Files: smime.p7s : 4459
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAOkOG1KtJXHB/2dsb2JhbABagwc1UcASgSEWdIIkAQEBAwEBAQEkRwsFCwIBCA4DBAEBAQokAiULHQgCBAENBQgGh20GDLc1BJBHMQcEgxh9A5AdgS6YBIMegWokHA
X-IronPort-AV: E=Sophos; i="4.89,956,1367971200"; d="p7s'?scan'208"; a="251657869"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-4.cisco.com with ESMTP; 26 Aug 2013 08:18:57 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id r7Q8Ivt0029203 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 26 Aug 2013 08:18:57 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.198]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.02.0318.004; Mon, 26 Aug 2013 03:18:56 -0500
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Geoff Huston <gih@apnic.net>, Sandra Murphy <Sandra.Murphy@parsons.com>
Thread-Topic: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Thread-Index: AQHOggI43ICaooFB+UuLQGBU0PP5qA==
Date: Mon, 26 Aug 2013 08:18:56 +0000
Message-ID: <EF4348D391D0334996EE9681630C83F02217BD61@xmb-rcd-x02.cisco.com>
References: <EF4348D391D0334996EE9681630C83F0221213C8@xmb-rcd-x02.cisco.com>, <CE0AC78A.26953%andy@arin.net> <24B20D14B2CD29478C8D5D6E9CBB29F6749E7607@CVA-MB002.centreville.ads.sparta.com> <973B0890-766F-4023-8F35-876936E470C6@apnic.net>
In-Reply-To: <973B0890-766F-4023-8F35-876936E470C6@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.147.19.59]
Content-Type: multipart/signed; boundary="Apple-Mail=_41E23C58-738A-4696-8151-047C8A6B1D8E"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "sidr@ietf.org list" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2013 08:20:33 -0000

Hi Geoff/Sandy,

Agree that we can void the mention on the current status of the known RP. As the due-diligence was done, I am fine.

I think your proposed text  from Geoff goes well with the intention of the original text (at least with the first sentence).It is just a matter of how explicit we want to be in the consequences of not implementing the changes on this document for RP parties. We and go with only his sentence or adding the two sentences:

"As an update to RFC6487, this document broadens the class of certificates that conform to the RPKI profile by explicitly including within the profile those certificates that contain a policy qualifier as described here. A relying party that performs a strict validation based on RFC6487 and fails to support the updates described in this document, would incorrectly invalidate RPKI objects that implements the changes in Section 2."

Roque



On Aug 24, 2013, at 12:03 AM, Geoff Huston <gih@apnic.net> wrote:

> Wouldn't it be better to note that: As an update to RFC6487, this document broadens the class of certificates that conform to the RPKI profile by explicitly including within the profile those certificates that contain a policy qualifier as described here.
> 
> Geoff
> 
> 
> 
> On 24/08/2013, at 4:09 AM, "Murphy, Sandra" <Sandra.Murphy@parsons.com> wrote:
> 
>> Speaking as working group chair:
>> 
>> I can't be certain that this indicates a promise to modify the draft or not.  Roque, Andy, could you comment?
>> 
>> If so, a new version is needed and I'll say so on the list.
>> If not, I'll have to ask for resolution on list.
>> 
>> Speaking as regular ol' member (and a bit as wg chair, as I'm not clear about the intent of the new text):
>> 
>> I don't think this text hurts anything, but I am puzzled about the intent.  If "all known" implementations comply, why mention the problem?  OTOH, it might serve to forestall AD/IESG questions.
>> 
>> So I agree with Andy's observation, though I'd say a heading "Backward Compatibility Considerations" rather than "Interoperability Considerations" suits the situation better. 
>> 
>> (Apologies - searching for the thread, I found these comments stuck in my draft folder from 17 July.)
>> 
>> --Sandy
>> 
>> P.S.  
>> 
>> "strick"->"strict" 
>> "RPKI signed objects" -> "RPKI objects" <because you mean CA certs as well and signed objects might be taken to mean only ROAs and ghostbusters and manifests etc>  
>> "implements"->"include" or "contain" or...
>> "RP"-> relying party (or you'll have to define the acronym somewhere)
>> Not sure what ""as in IDR" means.
>> 
>> ________________________________________
>> From: Andy Newton [andy@arin.net]
>> Sent: Tuesday, July 16, 2013 9:49 AM
>> To: Roque Gagliano (rogaglia)
>> Cc: Murphy, Sandra; sidr@ietf.org
>> Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
>> 
>> This sounds fine to me, though it is really an interoperability
>> considerations section thingy. The IETF does those now, right? :)
>> 
>> -andy
>> 
>> On 7/16/13 4:55 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com> wrote:
>> 
>>> Thanks Andy.
>>> 
>>> Do you think we need to add something in the security section about the
>>> transition?
>>> 
>>> Something like:
>>> 
>>> "A RP that performs a strick validation based on RFC6487 and fails to
>>> support the updates described in this document, would incorrectly
>>> invalidate RPKI signed objects that implements the changes in Section 2.
>>> At the time of this writing, all known RP software suites (you can
>>> mention them as in IDR) were tested and supported the updates on this
>>> document"
>>> 
>>> Roque
>>> 
>>> On Jul 15, 2013, at 7:07 PM, Andy Newton <andy@arin.net> wrote:
>>> 
>>>> On 7/15/13 10:22 AM, "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
>>>> wrote:
>>>> 
>>>>> Before sending my support to advance to the IESG, I wanted to ask the
>>>>> author if they have tested the effects of this change on existing RP
>>>>> tools. Do they really set the certificate as invalid?
>>>> 
>>>> Yes, we have tested against the three RP suites. One did not require a
>>>> change while the other two required simple one line changes. Current
>>>> releases of all three now accommodate it.
>>>> 
>>>> -andy
>>>> 
>>> 
>>> 
>> 
>> 
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>

v2.43.4 | Report a Bug | By Email | System Status