Re: [sidr] key rollover and algorithm migration
Tim Bruijnzeels <tim@ripe.net> Thu, 15 July 2010 15:17 UTC
Return-Path: <tim@ripe.net>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 004DB3A6899 for <sidr@core3.amsl.com>; Thu, 15 Jul 2010 08:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.198
X-Spam-Level:
X-Spam-Status: No, score=-2.198 tagged_above=-999 required=5 tests=[AWL=0.401, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYTq87SyqlZ8 for <sidr@core3.amsl.com>; Thu, 15 Jul 2010 08:17:34 -0700 (PDT)
Received: from postlady.ripe.net (postlady.ipv6.ripe.net [IPv6:2001:610:240:11::c100:1341]) by core3.amsl.com (Postfix) with ESMTP id 9463B3A6B46 for <sidr@ietf.org>; Thu, 15 Jul 2010 08:17:33 -0700 (PDT)
Received: from ayeaye.ripe.net ([193.0.1.103]) by postlady.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <tim@ripe.net>) id 1OZQBt-0000P8-Af; Thu, 15 Jul 2010 17:17:42 +0200
Received: from vifa-1.office-lb-1.ripe.net ([193.0.1.5] helo=guest-96.ripe.net) by ayeaye.ripe.net with esmtp (Exim 4.63) (envelope-from <tim@ripe.net>) id 1OZQBt-0005Ds-7t; Thu, 15 Jul 2010 17:17:37 +0200
Message-ID: <4C3F2690.5070504@ripe.net>
Date: Thu, 15 Jul 2010 17:17:36 +0200
From: Tim Bruijnzeels <tim@ripe.net>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-GB; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>
References: <p06240801c8384b76c13e@[128.89.89.149]> <20100614152202.621B922808@thrintun.hactrn.net> <4C17D109.9070705@ieca.com> <4C17D82F.4080105@nist.gov> <p06240801c83ef8843b8a@[128.89.89.144]> <4C3332B2.802@ripe.net> <p0624080ac8627a9d0718@[128.89.89.136]> <4C3D90FD.1090301@ripe.net> <p06240811c8637d830fe8@[128.89.89.136]>
In-Reply-To: <p06240811c8637d830fe8@[128.89.89.136]>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a0d787f7b54bd83e4c2480c8b5dee546
X-RIPE-Spam-Level: ----
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a0d787f7b54bd83e4c2480c8b5dee546
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] key rollover and algorithm migration
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2010 15:17:35 -0000
Hi Steve, On 7/14/10 4:48 PM, Stephen Kent wrote: > At 12:27 PM +0200 7/14/10, Tim Bruijnzeels wrote: >> Hi Steve, >> >> Geoff already replied to you and the list. I agree with his points. >> >> I do have one remaining comment though. It seems to me that the >> algorithm described in section 8 of res-cert is targeting key roll overs >> for normal operational CAs. Not CAs that want to be used as TAs... > > are you referring to a CA that uses the WG-selected method to publish > info to make it accessible as a TA, or are you referring to the local TA > management mechanisms that are described in draft-reynolds-rpki-ltamgmt-00? > No, I was still referring to the remark made by Roque that the algorithm in section 8 (res-cert) would cause problems for RPs that choose to use a CA cert somewhere in this chain as their TA. Top-down will break for the old key's certificate. The extra time between step 3 and 4 was proposed to give these RPs a little more time to adjust. I believe that this extra time should be good enough. It's an algorithm that in my experience is implementable and I am very much in favour of preserving the AIA one level down. I regret proceeding to go into too much detail about possible other *TA* roll overs. I was thinking about 'draft-iets-sidr-ta' and 'draft-weiler-sidr-trust-anchor-format' as possible ways for any CA to publish their own certificate as TAs. I am afraid I confused the discussion by going into the how and why this is more difficult. My main point is that it is, in my mind, a different ball game and therefore I would suggest to not place additional constraints on normal key roll overs except for the extra time between step 3 and 4 already proposed. It may be interesting to discuss possible roll over scenarios for the two TA drafts I am referring to as well, but probably that should be done in its own thread. It may also be interesting to discuss this in Maastricht. I hope this makes my point more clear. Cheers Tim
- [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston - SIDR
- Re: [sidr] key rollover and algorithm migration Geoff Huston - SIDR
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration David A. Cooper
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration Sean Turner
- Re: [sidr] key rollover and algorithm migration Robert Kisteleki
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Randy Bush
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Roque Gagliano
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels
- Re: [sidr] key rollover and algorithm migration Stephen Kent
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Rob Austein
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Sandra Murphy
- Re: [sidr] key rollover and algorithm migration Geoff Huston
- Re: [sidr] key rollover and algorithm migration Tim Bruijnzeels