Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
John Curran <jcurran@arin.net> Sun, 14 July 2013 07:15 UTC
Return-Path: <jcurran@arin.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB26121F9A05 for <sidr@ietfa.amsl.com>; Sun, 14 Jul 2013 00:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3baUd4zCFxyT for <sidr@ietfa.amsl.com>; Sun, 14 Jul 2013 00:15:54 -0700 (PDT)
Received: from smtp1.arin.net (smtp1.arin.net [IPv6:2001:500:4:13::33]) by ietfa.amsl.com (Postfix) with ESMTP id D40BA21F9CF5 for <sidr@ietf.org>; Sun, 14 Jul 2013 00:15:53 -0700 (PDT)
Received: by smtp1.arin.net (Postfix, from userid 323) id 0278F16516C; Sun, 14 Jul 2013 03:15:53 -0400 (EDT)
Received: from ASHXCH01.corp.arin.net (ashxch01.corp.arin.net [199.43.0.17]) by smtp1.arin.net (Postfix) with ESMTP id 536B1165169; Sun, 14 Jul 2013 03:15:52 -0400 (EDT)
Received: from CHAXCH04.corp.arin.net (10.1.30.19) by ASHXCH01.corp.arin.net (199.43.0.17) with Microsoft SMTP Server (TLS) id 14.1.421.2; Sun, 14 Jul 2013 03:15:39 -0400
Received: from CHAXCH02.corp.arin.net ([169.254.2.236]) by CHAXCH04.corp.arin.net ([10.1.30.19]) with mapi id 14.02.0328.009; Sun, 14 Jul 2013 03:15:37 -0400
From: John Curran <jcurran@arin.net>
To: Melinda Shore <melinda.shore@gmail.com>
Thread-Topic: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
Thread-Index: AQHOgFHSYdjl7AtLxEeu76auZ5BeJQ==
Date: Sun, 14 Jul 2013 07:15:15 +0000
Message-ID: <B14D9B95-4F0C-4B75-BE3D-20BAD39F48F8@arin.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6749A84D9@CVA-MB001.centreville.ads.sparta.com> <m2r4f3whgd.wl%randy@psg.com> <95789E5C-80B0-4307-9471-C116DB8219A5@arin.net> <51E2481E.7060103@gmail.com>
In-Reply-To: <51E2481E.7060103@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.149.252.96]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <9CE3F41D8814844684A4DBBD18BCE104@corp.arin.net>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2013 07:15:59 -0000
On Jul 14, 2013, at 2:41 AM, Melinda Shore <melinda.shore@gmail.com> wrote: > On 7/13/13 9:20 PM, John Curran wrote: >> If that's the case for you, then don't use it on your certs. However, your >> requirements don't necessarily encompass all RPKI users, and overall system >> robustness is improved by having the policy qualifier language in RFC6487 >> more clearly line up with RFC5280 since they are going to be in use by others. > > I think I'm coming down in largely the same place Randy is (with some > fuzz around the edges). I'm not sure I understand the consequences of > not publishing this. There are really two issues here: - RFC 6487 does not specifically allow or disallow a policy qualifiers; one may read the preface in section 4 as implying it is disallowed, but the document is much more explicit regarding allowed/disallowed fields in other extensions. As RFC 5280 specifically defines the certificate policies extension as containing a sequence of policy information terms (each of which has object identifier (OID) and optional qualifiers), inclusion of "exactly one policy" doesn't necessarily mean with or without optional qualifiers. A validator shouldn't have to guess at what it allowed in the specification, so RFC 6487 should be clarified (one way or the other) on the matter of policy qualifiers. - If we're going to clarify RFC 6487, then it can be disallowing the policy qualifiers already defined in RFC 5280 or by allowing them. Some of the users of RPKI specifications (ARIN) would like to allow them (in particular, the CPS pointer policy qualifier) and hence the reason for draft-ietf-sidr-policy-qualifiers-00. You may not see a need to include policy qualifier on the certificates that you issue, but providing a reference to CPS in the certificate may be useful for both CA operators and certificate users on occasion. Thanks, /John
- [sidr] wglc draft-ietf-sidr-policy-qualifiers-00 Murphy, Sandra
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Randy Bush
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… George Michaelson
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Randy Bush
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Melinda Shore
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… John Curran
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Melinda Shore
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… John Curran
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Randy Bush
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… John Curran
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Robert Loomans
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Stephen Kent
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Roque Gagliano (rogaglia)
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Tim Bruijnzeels
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Tim Bruijnzeels
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Andy Newton
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Andy Newton
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Tim Bruijnzeels
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Roque Gagliano (rogaglia)
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Andy Newton
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Rob Austein
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Sean Turner
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Danny McPherson
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Murphy, Sandra
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Geoff Huston
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Andy Newton
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Geoff Huston
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Roque Gagliano (rogaglia)
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Murphy, Sandra
- Re: [sidr] wglc draft-ietf-sidr-policy-qualifiers… Christopher Morrow