Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00

John Curran <jcurran@arin.net> Sun, 14 July 2013 07:15 UTC

Return-Path: <jcurran@arin.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB26121F9A05 for <sidr@ietfa.amsl.com>; Sun, 14 Jul 2013 00:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3baUd4zCFxyT for <sidr@ietfa.amsl.com>; Sun, 14 Jul 2013 00:15:54 -0700 (PDT)
Received: from smtp1.arin.net (smtp1.arin.net [IPv6:2001:500:4:13::33]) by ietfa.amsl.com (Postfix) with ESMTP id D40BA21F9CF5 for <sidr@ietf.org>; Sun, 14 Jul 2013 00:15:53 -0700 (PDT)
Received: by smtp1.arin.net (Postfix, from userid 323) id 0278F16516C; Sun, 14 Jul 2013 03:15:53 -0400 (EDT)
Received: from ASHXCH01.corp.arin.net (ashxch01.corp.arin.net [199.43.0.17]) by smtp1.arin.net (Postfix) with ESMTP id 536B1165169; Sun, 14 Jul 2013 03:15:52 -0400 (EDT)
Received: from CHAXCH04.corp.arin.net (10.1.30.19) by ASHXCH01.corp.arin.net (199.43.0.17) with Microsoft SMTP Server (TLS) id 14.1.421.2; Sun, 14 Jul 2013 03:15:39 -0400
Received: from CHAXCH02.corp.arin.net ([169.254.2.236]) by CHAXCH04.corp.arin.net ([10.1.30.19]) with mapi id 14.02.0328.009; Sun, 14 Jul 2013 03:15:37 -0400
From: John Curran <jcurran@arin.net>
To: Melinda Shore <melinda.shore@gmail.com>
Thread-Topic: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Thread-Index: AQHOgFHSYdjl7AtLxEeu76auZ5BeJQ==
Date: Sun, 14 Jul 2013 07:15:15 +0000
Message-ID: <B14D9B95-4F0C-4B75-BE3D-20BAD39F48F8@arin.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6749A84D9@CVA-MB001.centreville.ads.sparta.com> <m2r4f3whgd.wl%randy@psg.com> <95789E5C-80B0-4307-9471-C116DB8219A5@arin.net> <51E2481E.7060103@gmail.com>
In-Reply-To: <51E2481E.7060103@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.149.252.96]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9CE3F41D8814844684A4DBBD18BCE104@corp.arin.net>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2013 07:15:59 -0000

On Jul 14, 2013, at 2:41 AM, Melinda Shore <melinda.shore@gmail.com> wrote:

> On 7/13/13 9:20 PM, John Curran wrote:
>> If that's the case for you, then don't use it on your certs.  However, your 
>> requirements don't necessarily encompass all RPKI users, and overall system
>> robustness is improved by having the policy qualifier language in RFC6487 
>> more clearly line up with RFC5280 since they are going to be in use by others.
> 
> I think I'm coming down in largely the same place Randy is (with some
> fuzz around the edges).  I'm not sure I understand the consequences of
> not publishing this.


There are really two issues here:

- RFC 6487 does not specifically allow or disallow a policy qualifiers;
  one may read the preface in section 4 as implying it is disallowed, but 
  the document is much more explicit regarding allowed/disallowed fields 
  in other extensions.  As RFC 5280 specifically defines the certificate 
  policies extension as containing a sequence of policy information terms 
  (each of which has object identifier (OID) and optional qualifiers), 
  inclusion of "exactly one policy" doesn't necessarily mean with or 
  without optional qualifiers.  A validator shouldn't have to guess at
  what it allowed in the specification, so RFC 6487 should be clarified
  (one way or the other) on the matter of policy qualifiers.

- If we're going to clarify RFC 6487, then it can be disallowing the 
  policy qualifiers already defined in RFC 5280 or by allowing them.
  Some of the users of RPKI specifications (ARIN) would like to allow
  them (in particular, the CPS pointer policy qualifier) and hence
  the reason for draft-ietf-sidr-policy-qualifiers-00.  You may not 
  see a need to include policy qualifier on the certificates that you
  issue, but providing a reference to CPS in the certificate may be 
  useful for both CA operators and certificate users on occasion.

Thanks,
/John