Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

"Osterweil, Eric" <eosterweil@verisign.com> Sat, 05 May 2012 02:30 UTC

From: "Osterweil, Eric" <eosterweil@verisign.com>
To: "'morrowc@ops-netman.net'" <morrowc@ops-netman.net>
Date: Sat, 05 May 2012 02:30:26 +0000
Message-ID: <CE0C4A314044C843AEE900875D90D54E1084E0@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
In-Reply-To: <4FA48DFF.4060604@ops-netman.net>
Cc: "'sidr-chairs@tools.ietf.org'" <sidr-chairs@tools.ietf.org>, "'Sandra.Murphy@sparta.com'" <Sandra.Murphy@sparta.com>, "'sidr-ads@tools.ietf.org'" <sidr-ads@tools.ietf.org>, "'sidr@ietf.org'" <sidr@ietf.org>
Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

Well, when u compared the key mgmt that is done today w/ the key mgmt that will need to be done with bgpsec keys on routers, I think there was a strained analogy. I'm talking about the latter, but I was trying to indulge the discussion. ;)

Eric

----- Original Message -----
From: Chris Morrow [mailto:morrowc@ops-netman.net]
Sent: Friday, May 04, 2012 10:18 PM
To: Osterweil, Eric
Cc: 'morrowc.lists@gmail.com' <morrowc.lists@gmail.com>; 'Sandra.Murphy@sparta.com' <Sandra.Murphy@sparta.com>; 'danny@tcb.net' <danny@tcb.net>; 'sidr@ietf.org' <sidr@ietf.org>; 'sidr-chairs@tools.ietf.org' <sidr-chairs@tools.ietf.org>; 'sidr-ads@tools.ietf.org' <sidr-ads@tools.ietf.org>
Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))



On 05/04/2012 10:06 PM, Osterweil, Eric wrote:
> Hey Chris,
>
> The implications of putting signatures on updates that are both
> globally visible/verifiable and implicitly give object-level security
> to updates are WAY different than the semantics of the keying done
> today.  The implications of the scope of these keys put them in a
> much different role.  I was assuming that was clear, but maybe not?

I think we're talking about 2 different (at least) things...

> Eric
>
>
> ----- Original Message -----
> From: Christopher Morrow [mailto:morrowc.lists@gmail.com]
> Sent: Friday, May 04, 2012 09:54 PM
> To: Osterweil, Eric
> Cc: morrowc@ops-netman.net <morrowc@ops-netman.net>; Sandra.Murphy@sparta.com <Sandra.Murphy@sparta.com>; danny@tcb.net <danny@tcb.net>; sidr@ietf.org <sidr@ietf.org>; sidr-chairs@tools.ietf.org <sidr-chairs@tools.ietf.org>; sidr-ads@tools.ietf.org <sidr-ads@tools.ietf.org>
> Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))
>
> On Fri, May 4, 2012 at 9:37 PM, Osterweil, Eric <eosterweil@verisign.com> wrote:
>> Hey Chris,
>>
>> Yeah, I read that. I know there's a tendency for some people to
>> want to talk about bath houses on this list, but I was going to
>> pass on that.
>>
>> As for draft-ymbk-bgpsec-rtr-rekeying-00.txt, that draft just
>> points out the inadequacies of either approach and that there is no
>> good solution. My take is that this is indicative of a misalignment
>> between a given architecture and implicit requirements. Sometimes
>> you can't patch the holes in a leaky ship, you need to reassess the
>> requirements. I think the evidence illustrates that this is the
>> case here.
>>
>
> it seems to me that putting key-material on a distant router is done
> today... isn't it? or are you saying that how you do it today leaves
> you feeling icky, and you'd rather another method be devised?
>
> Could you outline a possible method? (provide a solution, for
> instance)
>
>> Eric
>>
>>
>> ----- Original Message -----
>> From: Chris Morrow [mailto:morrowc@ops-netman.net]
>> Sent: Friday, May 04, 2012 09:28 PM
>> To: Osterweil, Eric
>> Cc: 'Sandra.Murphy@sparta.com' <Sandra.Murphy@sparta.com>; 'danny@tcb.net' <danny@tcb.net>; 'morrowc.lists@gmail.com' <morrowc.lists@gmail.com>; 'sidr@ietf.org' <sidr@ietf.org>; 'sidr-chairs@tools.ietf.org' <sidr-chairs@tools.ietf.org>; 'sidr-ads@tools.ietf.org' <sidr-ads@tools.ietf.org>
>> Subject: Re: [sidr] RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))
>>
>>
>>
>> On 05/04/2012 08:59 PM, Osterweil, Eric wrote:
>>
>>> His point is NOT addressed by any draft in the wg (since you
>>> asked).
>>
>> read randy's mentioned draft?