Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-03.txt

Tim Bruijnzeels <> Mon, 08 July 2019 13:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C651B120189 for <>; Mon, 8 Jul 2019 06:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.999
X-Spam-Status: No, score=-6.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vZEPq-pkOYy4 for <>; Mon, 8 Jul 2019 06:26:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C2792120044 for <>; Mon, 8 Jul 2019 06:26:02 -0700 (PDT)
Received: from (unknown [IPv6:2001:981:4b52:1:5811:df63:8dca:2399]) by (Postfix) with ESMTPSA id C01DF1B18A; Mon, 8 Jul 2019 15:26:00 +0200 (CEST)
Authentication-Results:; dmarc=fail (p=none dis=none)
Authentication-Results:; spf=fail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1562592360; bh=zKXz/bZIqGZnICxx5CfVKU+cL0O3MdBrGK/bblw5PCA=; h=Subject:From:In-Reply-To:Date:References:To; b=or+603GL4UdcgwhVEo2m5vWPMl/k0EsDPdiS6QWG43NbvkOYQVAtepXfp9M4tDyJ0 f0d1ALB8neQmC7vpANNZu5q/wyF9wcpn0iDhB/1RYnRNIlUtrrRknF5L55ggPBgJEM qt/9sFvdADnjkUYZFv31G1+25MpaCkSsoOqDOY4U=
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Mon, 8 Jul 2019 15:25:45 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: SIDR Operations WG <>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-signed-tal-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jul 2019 13:26:06 -0000

Dear WG, chairs,

@chairs: I noticed this has WG last call on the datatracker. I think this is in error and the last call was meant for https in TALs, which is now in Auth48.
@chiars: 10 minutes on the agenda?

The TL;DR is:
- Now using unique URIs in TAK objects to track if RPs are capable and learn the new keys, before retiring the old (comment Wes in Bangkok).
- I still plan to do an actual implementation, but I haven't had the time yet.
- This version is still a discussion document.. 

In fact.. I haven't even been able to discuss this version with my co-authors as I needed to post before cut-off.

Time permitting I would like to talk about this in Montreal for 10 minutes. If there is no official agenda time, then I encourage anyone interested in this to have a chat if you are going to be in Montreal. And of course, if you care to read it and provide feedback on list that is also greatly appreciated!


> On 8 Jul 2019, at 15:08, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the SIDR Operations WG of the IETF.
>        Title           : RPKI Signed Object for Trust Anchor Keys
>        Authors         : Tim Bruijnzeels
>                          Carlos Martinez
>                          Rob Austein
> 	Filename        : draft-ietf-sidrops-signed-tal-03.txt
> 	Pages           : 15
> 	Date            : 2019-07-08
> Abstract:
>   Trust Anchor Locators (TALs) [I-D.ietf-sidrops-https-tal] are used by
>   Relying Parties in the RPKI to locate and validate Trust Anchor
>   certificates used in RPKI validation.  This document defines an RPKI
>   signed object for Trust Anchor Keys (TAK), that can be used by Trust
>   Anchors to signal their set of current keys and the location(s) of
>   the accompanying CA certiifcates to Relying Parties, as well as
>   changes to this set in the form of revoked keys and new keys, in
>   order to support both planned and unplanned key rolls without
>   impacting RPKI validation.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> Sidrops mailing list