Re: [Sidrops] Orie Steele's No Objection on draft-ietf-sidrops-cms-signing-time-06: (with COMMENT)
Job Snijders <job@fastly.com> Tue, 09 April 2024 14:32 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB2B8C14F693 for <sidrops@ietfa.amsl.com>; Tue, 9 Apr 2024 07:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WmE0qjYTQS1w for <sidrops@ietfa.amsl.com>; Tue, 9 Apr 2024 07:32:29 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78121C14F605 for <sidrops@ietf.org>; Tue, 9 Apr 2024 07:32:29 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-56e48d0a632so5037042a12.2 for <sidrops@ietf.org>; Tue, 09 Apr 2024 07:32:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1712673147; x=1713277947; darn=ietf.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=7ZixyCAIdAAg+CyuxVBd2ZCGfwsJaE6BZO39kws2evM=; b=Vfs++XTmeuUtwUi9TsH8AiKz6EYIQ5px2DSs1dVBKCckKUupyRNM00YrA4R1gnMFPu ZqnUUH95O+my8OpwXejimsMcwetdIkvd77Cbz8hynPp7woBJQKRgLqwZFgeWRTFM2nqO TZdt9HNLbkgLzexQOfu41vjCIBSFcSnNzTtt4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712673147; x=1713277947; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=7ZixyCAIdAAg+CyuxVBd2ZCGfwsJaE6BZO39kws2evM=; b=kcbruJJdpgVqsdtjzKVUphz447o32HLnfLbrA7Wph59/Oc8rh7+05mMmE3FUWCvTdK noAt0b9SY48QW3BAXQtACeefjpgQ7Cmc6fnXnUmxEBeWMXq0H/wvxQp63b1Pj4VPx8/C s6fNxGm01vkbrcbUgTAuOceXMfPlTc5YXU4zqbXZV3g10+xTfs7TjWSJT2Yb5xqo9NMa 8TDf3P+Sn0fvW4RrZDlTtEM+SYATyKda2Jp8rFAkWaOp7PKuj+ema1Krh63HZByYyckv r0Wawr1TjgEajCxhuHpWBmowGd8+YqGZs59erJk7H/A+borxBJYU25t/+IMORqcaR1iS Aryg==
X-Forwarded-Encrypted: i=1; AJvYcCVZhBmifycZVRIglpnhulT3xU8jkBeLa6v34bkqzZmZ730Z4KZcUlHSPExbRZMcIZx3mfNPx5UsXxsfiReba3Cq
X-Gm-Message-State: AOJu0Yz3MKrcS68SuBpn3VKB7FqbkGphl8BWNXBf52kGM0QLQbgStEqx IsrqchrMFYOsqTmAfvHWfI+kJomrl0UMfb59V8tTVfneRANaNxlnJZ3Tc8A+8HVFnoS2sDSdA2V g
X-Google-Smtp-Source: AGHT+IG8Xgu//N0DKEt6SASLg10IB/lHegmidTUASughoRSuWqfskUIoe2cI7s2W+wf//Oj2H864dw==
X-Received: by 2002:a17:907:96a8:b0:a51:8656:326f with SMTP id hd40-20020a17090796a800b00a518656326fmr10667328ejc.74.1712673144802; Tue, 09 Apr 2024 07:32:24 -0700 (PDT)
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id j5-20020a170906830500b00a4734125fd2sm5755495ejx.31.2024.04.09.07.32.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Apr 2024 07:32:23 -0700 (PDT)
Date: Tue, 09 Apr 2024 16:32:22 +0200
From: Job Snijders <job@fastly.com>
To: Orie Steele <orie@transmute.industries>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sidrops-cms-signing-time@ietf.org, sidrops-chairs@ietf.org, sidrops@ietf.org, housley@vigilsec.com
Message-ID: <ZhVRdtcdUwCqX03j@snel>
References: <171260858688.49397.2189518988804934513@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <171260858688.49397.2189518988804934513@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/-j14430-d08lFtfCUz7MmdCl6Zk>
Subject: Re: [Sidrops] Orie Steele's No Objection on draft-ietf-sidrops-cms-signing-time-06: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2024 14:32:33 -0000
Dear Orie Steel, Thank you for taking the time to read and review this internet-draft! On Mon, Apr 08, 2024 at 01:36:26PM -0700, Orie Steele via Datatracker wrote: > ## Comments > > ``` > 129 Publishers SHOULD ensure that the last modification timestamp of the > 130 file remains unchanged as well. > ``` > > Why not MUST? What happens if they do not? If publishers do not ensure the last modification timestamp of the file remains unchanged, the file might be needlessly re-transmitted. This potentially results some waste of bandwidth, but but does not impact the validity of the Signed Objects. The internet-draft outlines an optimization, it does not describe a 'without this, RPKI wont work'-concept > ``` > 156 In order to reduce the burden of the rsync synchronization (following > 157 an RRDP failure), Publishers and RPs SHOULD adhere to the following > 158 guidelines. > ``` > > Why not MUST? Perhaps this sentence is not needed. The authors thought it might be helpful to explain why the guidelines are useful to implement, what the benefits are if advantage of the optimization is taken. But again, if publishers don't follow this guidance the end result is inefficient, but still functional transfers of RPKI data. > ``` > 162 When serializing RPKI Signed Objects to a filesystem hierarchy for > 163 publication via rsync, the mod-time of the file containing the Signed > 164 Object SHOULD be set to the value of the CMS signing-time attribute > 165 contained within the Signed Object. > ``` > > Why not MUST? What happens if the mod-time is set to something else? > Does this guidance also apply to publishers that support RRDP in > addition to rsync? if the mod-time is set to something else, the data might needlessly be retransferred. The guidance applies to all publishers, including the ones that support RRDP. Every publisher MUST support rsync, which is where these guidelines are recommended. > ``` > 169 When serializing RPKI Signed Objects retrieved via RRDP to a > 170 filesystem hierarchy, the mod-time of the file containing the Signed > 171 Object SHOULD be set to the value of the CMS signing-time attribute > 172 contained within the Signed Object. > ``` > > Why not MUST? > > The amount of redundancy between this section and previous section, is > confusing. I would assume publishing and consuming would both need guidance on > CMS signing-time, regardless of if rsync or RRDP was used. The above section is for Relying Party implementers (the counterpart to the publisher side). I made an attempt by splitting the different instructions for publishers and relying parties into 2 sections: "2.1 Guidance for Publishers" and "2.2 Guidance for Relying Parties". Do you have suggestions to resolve the potential for confusion? As to your question about MUST, if Relying Party implementers ignore this internet-draft, those implementations might be more wasteful in terms of bandwidth, but still will be functional. So softer guidance seemed appropriate. All in all this document is "do X if you want maximum efficiency", but if publishers or relying parties don't read this draft, it's not the end of the world. Hope this clarifies where we're coming from! Thanks & kind regards, Job
- [Sidrops] Orie Steele's No Objection on draft-iet… Orie Steele via Datatracker
- Re: [Sidrops] Orie Steele's No Objection on draft… Job Snijders
- Re: [Sidrops] Orie Steele's No Objection on draft… Orie Steele