Re: [sidr] FW: I-D Action: draft-huston-rpki-validation-00.txt

David Mandelberg <david@mandelberg.org> Tue, 16 July 2013 22:23 UTC

Date: Tue, 16 Jul 2013 18:25:53 -0400
From: David Mandelberg <david@mandelberg.org>
To: sidr@ietf.org
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6749A6807@CVA-MB001.centreville.ads.sparta.com>
References: <20130708201239.8056.871.idtracker@ietfa.amsl.com> <24B20D14B2CD29478C8D5D6E9CBB29F6749A6807@CVA-MB001.centreville.ads.sparta.com>
Message-ID: <24080cf1575abd4b5e3a409a98baa88f@mail.mandelberg.org>
Subject: Re: [sidr] FW: I-D Action: draft-huston-rpki-validation-00.txt
List-Id: Secure Interdomain Routing <sidr.ietf.org>

Hi,

I took a look at this draft, but haven't read it in depth yet. One 
potential issue I see is that it removes the possibility of an 
optimization technique that could significantly decrease the processing 
time needed for RPKI validation. It's currently possible to optimize 
validation for CA certs that don't inherit resources by validating each 
parent-child link independently of the parent's parent or the child's 
children. One benefit of this is that links can be verified in parallel 
on a multi-core machine. If the validation status of each link is stored 
in a database, then another benefit is that adding a new leaf node 
certificate only requires validating the leaf against its parent and 
checking the database for the validity of the parent. Also, if the 
resources of a TA change, the children and affected grandchildren need 
to be re-validated but the unaffected grandchildren don't need any 
additional processing. If I understand this document's proposal 
correctly, all of these optimizations would become invalid.

On 2013-07-11 06:20, Murphy, Sandra wrote:
> I just saw this.  Looks interesting.
>
> --Sandy, speaking as regular ol' member
>
> ________________________________________
> From: i-d-announce-bounces@ietf.org [i-d-announce-bounces@ietf.org]
> on behalf of internet-drafts@ietf.org [internet-drafts@ietf.org]
> Sent: Monday, July 08, 2013 4:12 PM
> To: i-d-announce@ietf.org
> Subject: I-D Action: draft-huston-rpki-validation-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
>         Title           : RPKI Validation Reconsidered
>         Author(s)       : Geoff Huston
>                           George Michaelson
>         Filename        : draft-huston-rpki-validation-00.txt
>         Pages           : 12
>         Date            : 2013-07-08
>
> Abstract:
>    This document reviews the certificate validation procedure specified
>    in RFC6487 and highlights aspects of operational management of
>    certificates in the RPKI in response to the movement of resources
>    across registries, and the associated actions of Certification
>    Authorities to maintain certification of resources during this
>    movement.  The document describes an alternative validation procedure
>    that reduces the operational impact of certificate management during
>    resource movement.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-huston-rpki-validation
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-huston-rpki-validation-00
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
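The per-link optimisation David describes (check each parent-child resource link on its own, cache the result, re-run only the links whose endpoints changed) as a worked example added to this archive page; it is not code from the message, from the draft, or from any RPKI validator. The model is deliberately simplified: resources are IPv4 prefixes only, no certificate uses the RFC 6487 "inherit" option, and the path-dependent procedure shown for contrast (a certificate's accepted prefixes filtered by the whole ancestor chain) is an assumption used to illustrate the concern, not a statement of the draft's exact rules. Every certificate, prefix and helper name (`Cert`, `link_valid`, `LinkCache`, `validate_all`, `accepted_resources`, `demo`) is constructed for this example.

```python
"""Added example: independent, cached RPKI link validation vs. a
path-dependent procedure. All certificates and prefixes are constructed."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Cert:
    name: str
    parent: Optional[str]   # None marks the trust anchor (TA)
    resources: frozenset    # frozenset of IPv4Network; no "inherit" certs here


def cert(name: str, parent: Optional[str], *prefixes: str) -> Cert:
    return Cert(name, parent, frozenset(ip_network(p) for p in prefixes))


def link_valid(child: Cert, parent: Cert) -> bool:
    """RFC 6487-style check on ONE link: every child prefix must lie within
    some parent prefix. Depends only on these two certificates."""
    return all(any(c.subnet_of(p) for p in parent.resources)
               for c in child.resources)


def check_links_parallel(certs: Dict[str, Cert], workers: int = 4) -> Dict[str, bool]:
    """Links are independent of each other, so they can be checked concurrently
    (a thread pool here; a real validator would use processes or cores)."""
    links = [(c, certs[c.parent]) for c in certs.values() if c.parent]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda cp: link_valid(*cp), links))
    return {c.name: r for (c, _), r in zip(links, results)}


class LinkCache:
    """Link results keyed by both endpoints' names AND resources, so a link is
    re-checked only when the child or the parent certificate itself changed."""
    def __init__(self) -> None:
        self.entries: Dict[tuple, bool] = {}
        self.link_checks = 0   # how many link_valid() calls really ran

    def link(self, child: Cert, parent: Cert) -> bool:
        key = (child.name, child.resources, parent.name, parent.resources)
        if key not in self.entries:
            self.entries[key] = link_valid(child, parent)
            self.link_checks += 1
        return self.entries[key]


def validate_all(certs: Dict[str, Cert], cache: LinkCache) -> Dict[str, bool]:
    """Cert valid <=> its link to its parent is valid AND the parent is valid.
    Only the AND is recomputed; the link results come from the cache."""
    status: Dict[str, bool] = {}

    def valid(name: str) -> bool:
        if name not in status:
            c = certs[name]
            if c.parent is None:
                status[name] = True   # TA: trusted by configuration
            else:
                status[name] = cache.link(c, certs[c.parent]) and valid(c.parent)
        return status[name]

    return {name: valid(name) for name in certs}


def accepted_resources(certs: Dict[str, Cert], name: str) -> frozenset:
    """Assumed path-dependent procedure (illustration only, not the draft's
    text): a cert's accepted prefixes are its own prefixes that are covered by
    the ancestor chain's accepted prefixes. The result depends on every
    ancestor, so nothing can be cached per link and a TA change must be
    propagated down the whole subtree."""
    c = certs[name]
    if c.parent is None:
        return c.resources
    above = accepted_resources(certs, c.parent)
    return frozenset(p for p in c.resources if any(p.subnet_of(a) for a in above))


def demo() -> dict:
    """The three situations from the message, on a constructed five-cert tree."""
    certs = {
        "TA":  cert("TA", None, "192.0.2.0/24", "198.51.100.0/24"),
        "CA1": cert("CA1", "TA", "192.0.2.0/25"),
        "CA2": cert("CA2", "TA", "198.51.100.0/25"),
        "EE1": cert("EE1", "CA1", "192.0.2.0/26"),
        "EE2": cert("EE2", "CA2", "198.51.100.0/26"),
    }
    cache = LinkCache()
    out = {"parallel": check_links_parallel(certs)}
    validate_all(certs, cache)
    out["checks_initial"] = cache.link_checks              # 4 links, once each
    ee2_before = accepted_resources(certs, "EE2")
    # 1. New leaf: only its own link against CA1 is checked.
    certs["EE3"] = cert("EE3", "CA1", "192.0.2.64/26")
    before = cache.link_checks
    validate_all(certs, cache)
    out["checks_after_leaf"] = cache.link_checks - before   # 1
    # 2. TA drops 198.51.100.0/24: only the two TA->child links are re-run;
    #    CA2's subtree turns invalid without re-checking any grandchild link.
    certs["TA"] = cert("TA", None, "192.0.2.0/24")
    before = cache.link_checks
    out["status_after_ta_change"] = validate_all(certs, cache)
    out["checks_after_ta_change"] = cache.link_checks - before   # 2
    # 3. Path-dependent view: EE2's accepted set is only found by walking
    #    from the TA again, for every descendant.
    out["ee2_accepted_before"] = sorted(str(p) for p in ee2_before)
    out["ee2_accepted_after"] = sorted(str(p) for p in accepted_resources(certs, "EE2"))
    return out
```

`demo()` returns the counters rather than printing them: four link checks for the initial tree, one for the added leaf, and two after the TA's resources change, while the unaffected `CA1` subtree (including the new leaf) keeps its cached link results. The cache key includes each endpoint's resources, so a reissued certificate with the same name but different prefixes automatically misses the cache, which is the check a practitioner would want before trusting a stored link status.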