Re: [sidr] Origin Ops, TALs and Local TAs
Christopher Morrow <morrowc.lists@gmail.com> Tue, 15 November 2011 03:07 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8D71F0C98 for <sidr@ietfa.amsl.com>; Mon, 14 Nov 2011 19:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.543
X-Spam-Level:
X-Spam-Status: No, score=-103.543 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3WTqO-ojYNs for <sidr@ietfa.amsl.com>; Mon, 14 Nov 2011 19:07:04 -0800 (PST)
Received: from mail-pz0-f50.google.com (mail-pz0-f50.google.com [209.85.210.50]) by ietfa.amsl.com (Postfix) with ESMTP id 525E71F0C92 for <sidr@ietf.org>; Mon, 14 Nov 2011 19:07:04 -0800 (PST)
Received: by pzk5 with SMTP id 5so11528900pzk.9 for <sidr@ietf.org>; Mon, 14 Nov 2011 19:07:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=eah/UpdEXYy+NMfY/cCHMlPDPB3n20yJ9hG2VtjQulY=; b=uw63ALYKxdDiYRiGZ+cxT99w4zHfHsdtm6WSwXd5EGvehQW4roc6wcHK9CVDqgv5e3 Nrcan09y50lGjIi0bqmBF0o9E/7L8JwR9zHjLTm9x6OB3vCfQbndrSN2u3N/S/O/lmb2 gAY5rRVXM2lA/fw4Oh2VpYb+X8tw83sp/pWwc=
MIME-Version: 1.0
Received: by 10.68.5.162 with SMTP id t2mr56237948pbt.73.1321326423849; Mon, 14 Nov 2011 19:07:03 -0800 (PST)
Sender: christopher.morrow@gmail.com
Received: by 10.68.63.230 with HTTP; Mon, 14 Nov 2011 19:07:03 -0800 (PST)
In-Reply-To: <87819BD9-1829-438C-A479-A315819943D0@tcb.net>
References: <80D9C12A-354E-4A90-8E97-946519E499D0@tcb.net> <20111114234754.33CA96550DD@minas-ithil.hactrn.net> <87819BD9-1829-438C-A479-A315819943D0@tcb.net>
Date: Mon, 14 Nov 2011 22:07:03 -0500
X-Google-Sender-Auth: LE919rvclnPaNz6YcgDdY7wEMkk
Message-ID: <CAL9jLaZvdPbzxUe096GCZnSkneMipFdWKtdWKeZt5_x4hFNdxA@mail.gmail.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Rob Austein <sra@hactrn.net>, sidr@ietf.org
Subject: Re: [sidr] Origin Ops, TALs and Local TAs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 03:07:05 -0000
On Mon, Nov 14, 2011 at 7:02 PM, Danny McPherson <danny@tcb.net> wrote: > > On Nov 14, 2011, at 6:47 PM, Rob Austein wrote: > >> Layers 8+ are mostly out of scope for this list, so let me just say >> that I am really hoping that IANA and the RIRs will get their >> collective act together and issue a single TA before this becomes a >> serious problem. They say that they intend to do so. As somebody (KC >> Claffy?) said a few years ago, relying parties should not have to sort >> out this mess, that's what the industry pays the RIRs to do. For the >> moment I'm willing to take the RIRs' word that they intend to do their >> job and just need a bit more time. YMMV. > > Until then (or even after in the event of a CA compromise), it's a > technical issue and the capability for RPs to determine who holds > what resources, or at least to constrain who they trust with what > resources, and intersect that with the LTA 'federation' issue is very > much an operational issue. This is back to your (danny) point about: If someone[1] removes a Resource Certification (ROA, for instance) and that resource is actually critical[2] (or in use), all parties between the resource (server) and the service-requestor (user) are bound to need to know that the resource is still there, and valid. These parties all need to populate their LTA (Local Trust Anchor) with the right certification data. This seems like it will be messy, telling everyone via some phone-tree, and potentially confusing. On top of that if the resource is then re-certified (to the same or different end entity) how do the intermediate parties know which is the 'right' thing to do? -chris [1]: This is the nominal 'black helicopters' problem, also seen today via ICE or PROTECT-IP [2]: The netblock, for instance, for the .cx ccTLD (presuming that .cx is doing/permitting-some-actions that a third party finds objectionable) b: I made up the example, and the 2 'black helicopter' examples are certainly USA-centric, we could make up many more, but ... that's not horribly relevant. The problem could also be triggered by someone mistakenly missing their payment window to the RIR.
- [sidr] Origin Ops, TALs and Local TAs Danny McPherson
- Re: [sidr] Origin Ops, TALs and Local TAs Rob Austein
- Re: [sidr] Origin Ops, TALs and Local TAs Danny McPherson
- Re: [sidr] Origin Ops, TALs and Local TAs Christopher Morrow
- Re: [sidr] Origin Ops, TALs and Local TAs Danny McPherson
- Re: [sidr] Origin Ops, TALs and Local TAs Christopher Morrow
- Re: [sidr] Origin Ops, TALs and Local TAs Stephen Kent
- Re: [sidr] Origin Ops, TALs and Local TAs Danny McPherson
- Re: [sidr] Origin Ops, TALs and Local TAs Stephen Kent
- Re: [sidr] Origin Ops, TALs and Local TAs Christopher Morrow
- Re: [sidr] Origin Ops, TALs and Local TAs Stephen Kent
- Re: [sidr] Origin Ops, TALs and Local TAs Christopher Morrow
- Re: [sidr] Origin Ops, TALs and Local TAs Danny McPherson
- Re: [sidr] Origin Ops, TALs and Local TAs Stephen Kent