Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-01.txt
Di Ma <madi@rpstir.net> Sun, 10 June 2018 07:52 UTC
Return-Path: <madi@rpstir.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9B0130E20 for <sidrops@ietfa.amsl.com>; Sun, 10 Jun 2018 00:52:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Y1P8FNErep4 for <sidrops@ietfa.amsl.com>; Sun, 10 Jun 2018 00:52:16 -0700 (PDT)
Received: from out20-39.mail.aliyun.com (out20-39.mail.aliyun.com [115.124.20.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6261E130DDA for <sidrops@ietf.org>; Sun, 10 Jun 2018 00:52:15 -0700 (PDT)
X-Alimail-AntiSpam: AC=CONTINUE; BC=0.0751539|-1; CH=green; FP=0|0|0|0|0|-1|-1|-1; HT=e01l01425; MF=madi@rpstir.net; NM=1; PH=DS; RN=2; RT=2; SR=0; TI=SMTPD_---.CB19yxp_1528617127;
Received: from 192.168.3.3(mailfrom:madi@rpstir.net fp:SMTPD_---.CB19yxp_1528617127) by smtp.aliyun-inc.com(10.147.41.158); Sun, 10 Jun 2018 15:52:09 +0800
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Di Ma <madi@rpstir.net>
In-Reply-To: <0EF21785-2C8B-4148-90DB-13C528FAFB40@ripe.net>
Date: Sun, 10 Jun 2018 15:52:07 +0800
Cc: SIDR Operations WG <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <92C4B82E-FD84-4278-B423-4F0D12D533F5@rpstir.net>
References: <152846464123.15396.14579027912013078144@ietfa.amsl.com> <0EF21785-2C8B-4148-90DB-13C528FAFB40@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/APi2CN6yHkZmUVX7rQWiIyvioPo>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-01.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2018 07:52:21 -0000
Tim, I think you might as well leave ‘activationTime’ as OPTIONAL element since it is sorta an operational strategy in this document intended to be a BCP. If so, the first MUST in the following text should be change to MAY. The Signed TAL MUST have an "activationTime" that reflects when Relying Parties MUST use use this new TAL in place of any previously known TAL for this Trust Anchor. Besides, it is lovely to see ‘deployment considerations’ included in this version and I am in favor of what is stated in it. Di P.S. I found a nit in Section 6.1 that The sentence ‘The Trust Anchors MUST a new key pair and generate a new TA Certificate. ‘ just missed a verb ‘generate’. > 在 2018年6月8日,21:37,Tim Bruijnzeels <tim@ripe.net> 写道: > > Dear WG, > > This a new version of the “Signed TAL” document that I presented on at IETF101. > > The main changes in this version are: > - Now supporting planned rolls only! > - MAJOR change here: > — No staging time! > — BUT: Added steps for the TA to be sure that things work BEFORE publishing the new Signed TAL (I think this is better). > - Included deployment considerations - essentially: once RPs support, roll often! > - Do changes in URIs as planned rolls.. - included consideration section on this > - No unplanned rolls, they are too complex and introduce a new key that can be compromised (now you have two problems) - included consideration section on this > - Changed the structure of the object to have a version (definitely needed) and use ASN.1 structure rather than plain text or XML - inline with other RPKI Signed Objects > - I included a “activationTime” element in the object to allow for future planned rolls, but I am not convinced that it’s really needed given the proposed procedure to set up the new key and test it first, and only then publish the Signed TAL - But, I don’t object strongly either. > > As I said in London. I don’t think that we are close to the final word on this.. so I really would like to invite all of you to give this a good read and speak your mind. > > I do want to keep the ball rolling. I think the experience with 5011 has shown that this should be addressed before there are too many implementations. So, I see urgency to address this. > > Kind regards, > > Tim > > > >> On 8 Jun 2018, at 15:30, internet-drafts@ietf.org wrote: >> >> >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the SIDR Operations WG of the IETF. >> >> Title : RPKI signed object for TAL >> Authors : Tim Bruijnzeels >> Carlos Martinez >> Filename : draft-ietf-sidrops-signed-tal-01.txt >> Pages : 12 >> Date : 2018-06-08 >> >> Abstract: >> Trust Anchor Locators (TALs) [I-D.ietf-sidrops-https-tal] are used by >> Relying Parties in the RPKI to locate and validate Trust Anchor >> certificates used in RPKI validation. This document defines an RPKI >> signed object [RFC6488] for a Trust Anchor Locator (TAL) that can be >> used by Trust Anchors to perform a planned migration to a new key, >> allowing Relying Parties to discover the new key up to one year after >> the migration occurred. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-sidrops-signed-tal/ >> >> There are also htmlized versions available at: >> https://tools.ietf.org/html/draft-ietf-sidrops-signed-tal-01 >> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-signed-tal-01 >> >> A diff from the previous version is available at: >> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidrops-signed-tal-01 >> >> >> Please note that it may take a couple of minutes from the time of submission >> until the htmlized version and diff are available at tools.ietf.org. >> >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >> >> _______________________________________________ >> Sidrops mailing list >> Sidrops@ietf.org >> https://www.ietf.org/mailman/listinfo/sidrops >> > > _______________________________________________ > Sidrops mailing list > Sidrops@ietf.org > https://www.ietf.org/mailman/listinfo/sidrops
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Di Ma
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tim Bruijnzeels
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tim Bruijnzeels
- [Sidrops] I-D Action: draft-ietf-sidrops-signed-t… internet-drafts
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Di Ma
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tom Harrison
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tim Bruijnzeels
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Christopher Morrow
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tim Bruijnzeels
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Christopher Morrow
- Re: [Sidrops] I-D Action: draft-ietf-sidrops-sign… Tim Bruijnzeels