Re: [sidr] Ben Campbell's Discuss on draft-ietf-sidr-rpki-validation-reconsidered-08: (with DISCUSS and COMMENT)

"Alvaro Retana (aretana)" <aretana@cisco.com> Wed, 13 September 2017 15:57 UTC

Return-Path: <aretana@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E161132949; Wed, 13 Sep 2017 08:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z2BhnA-hsdiV; Wed, 13 Sep 2017 08:57:48 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65AE1132D3F; Wed, 13 Sep 2017 08:57:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3166; q=dns/txt; s=iport; t=1505318267; x=1506527867; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=sXK8wVVP/99+kK9E3/CcCeB1NW6jefJCF1fF02Z8oJk=; b=CbWi6IHB8oV6caJgey6SxDyrNpS5WiSaRHkoOjlu9eh4geHmjwSUqud8 it0jrhp9aHM05QrTMBo57Dwi4Uj9u6xsSTiOOHF7KJQ2zUaLtBbe3W+U6 ve4KWF6Cn1gOektIcEGifsaqB5ZIF0uVwhw0NsDJXh4EUgEgP88YaBa4Z I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AJAgB0VLlZ/5BdJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBg1qBeQeDcJpGgVKWSoISCoU+AhqEO0EWAQIBAQEBAQEBayiFGQY?= =?us-ascii?q?jEUUQAgEIGgIfBwICAjAVEAIEAQ0FijGtOoIniywBAQEBAQEBAQEBAQEBAQEBA?= =?us-ascii?q?QEBAQEdgQ6CHYICgVCCDguCcoR4gxMwgjEBBIoGjjGIQgKUUYITiWaGe5UDAhE?= =?us-ascii?q?ZAYE4ASYCL4ENdxVcAYUGHBmBTnaJICuBBYEPAQEB?=
X-IronPort-AV: E=Sophos;i="5.42,388,1500940800"; d="scan'208";a="294943410"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Sep 2017 15:57:46 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id v8DFvkbg025071 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Sep 2017 15:57:46 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 13 Sep 2017 10:57:45 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1263.000; Wed, 13 Sep 2017 10:57:45 -0500
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: Tim Bruijnzeels <tim@ripe.net>, Ben Campbell <ben@nostrum.com>, "Terry Manderson" <terry.manderson@icann.org>
CC: Chris Morrow <morrowc@ops-netman.net>, sidr chairs <sidr-chairs@ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-sidr-rpki-validation-reconsidered@ietf.org" <draft-ietf-sidr-rpki-validation-reconsidered@ietf.org>
Thread-Topic: [sidr] Ben Campbell's Discuss on draft-ietf-sidr-rpki-validation-reconsidered-08: (with DISCUSS and COMMENT)
Thread-Index: AQHTLJt75GQp8nYBi0GeTHtaF/g3J6KzCaCA
Date: Wed, 13 Sep 2017 15:57:45 +0000
Message-ID: <49091FA6-029F-4B40-9405-9EA8A31C4948@cisco.com>
References: <150397418491.13284.10399723034989597495.idtracker@ietfa.amsl.com> <631F9DFE-B24F-4263-949F-3DACA89A53DC@ripe.net>
In-Reply-To: <631F9DFE-B24F-4263-949F-3DACA89A53DC@ripe.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.25.0.170815
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.117.15.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <B2B089E183818440BAE96842FBE72C58@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/tC89Lf4u4NbhqtGuYGpUgLvmy4w>
Subject: Re: [sidr] Ben Campbell's Discuss on draft-ietf-sidr-rpki-validation-reconsidered-08: (with DISCUSS and COMMENT)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 15:57:50 -0000

[Explicitly adding Terry…]

Tim:

Hi!

As I think you understand from the response below, there are two parts to consider when deploying: what can be done, and what will be done.  Interpreting what Ben and Terry wrote…what I think they are asking is for you to clarify in this document the considerations around mixing policies.  For example (to borrow from Terry), if a “TA has a particular OID and down the tree an issued certificate has a different OID”, what are the implications/problems/etc.?

Note that this question is different from the document defining how things may end up being deployed later (“whether this is an acceptable deployment model”).  The actual deployment discussions (as in, this is what we’re going to do and when) should happen in sidrops.

Thanks!

Alvaro.


On 9/13/17, 10:20 AM, "sidr on behalf of Tim Bruijnzeels" <sidr-bounces@ietf.org on behalf of tim@ripe.net> wrote:

>----------------------------------------------------------------------
>DISCUSS:
>----------------------------------------------------------------------
>This is probably just a matter of me being dense, but I'd like to understand
>what I am missing:
>Is it legal to mix certificate policies in a given cert path? The last
>paragraph of section 5 implies that you can, but doesn't say so explicitly. If
>you _can_ mix policies, what happens if you do? If I read the rules in 4.2.4.4.
>correctly (and it's likely that I am not), if you run into a cert in the chain
>that does not follow this profile, it's likely to give a null VRS-IP or VRS-AS
>value, which would seem to invalidate an certificate further down the chain
>that _does_ follow this policy?
>So, I guess it comes down to the following: If mixed policies are allowed, how
>does that work? If mixed policies are not allowed, there needs to be text that
>says that. It's quite possible such text exists (here or elsewhere), and I
>missed it.

First of all it was my understanding that there was an agreement with the AD that actual deployment should be discussed in sidrops. So this document serves as a benchmark to describe the alternative algorithm. In my opinion a mix is supported by this document, but the choice whether this is an acceptable deployment model can be discussed later.