Re: [Sidrops] Fwd: New Version Notification for draft-ymbk-9020-update-00.txt

Theo Buehler <tb@theobuehler.org> Wed, 07 December 2022 20:30 UTC

Date: Wed, 07 Dec 2022 21:30:12 +0100
From: Theo Buehler <tb@theobuehler.org>
To: Russ Housley <housley@vigilsec.com>
Cc: Job Snijders <job=40fastly.com@dmarc.ietf.org>, Randy Bush <randy@psg.com>, SIDR Operations WG <sidrops@ietf.org>
Message-ID: <Y5D31Fn8EbjHbkec@theobuehler.org>
References: <167034950072.33870.15369000849097187246@ietfa.amsl.com> <m2h6y89yz4.wl-randy@psg.com> <Y5Btw4hzJkXhPwBz@snel> <D7ED1B65-088E-49AC-B893-1A2143AE73CD@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <D7ED1B65-088E-49AC-B893-1A2143AE73CD@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/HXIH0A_T4sRvLUPnHqpGviuR894>
Subject: Re: [Sidrops] Fwd: New Version Notification for draft-ymbk-9020-update-00.txt

On Wed, Dec 07, 2022 at 01:49:10PM -0500, Russ Housley wrote:
> > I reported on the issue of RFC9092 being underspecified
> > https://mailarchive.ietf.org/arch/msg/opsawg/JXjxCA14BkW4DWyVoUMwqDvB17I/
> > and I'm happy to see this step forward to disallow 'inherit' elements. 
> > However, I'd like to see two additional constraints incorporated in an
> > 9092-update:
> > 
> > 1/ disallow AS Identifiers Delegation extensions in Geofeed EE certs.
> > 2/ disallow SubjectInformationAccess extensions in Geofeed EE certs.
> 
> I really do not see what we want to limit these aspects of the certificate.

EE certs are tightly constrained, which makes checking them easy. Job is
working hard to keep the ecosystem clean with as little variability as
needed and this is part of these efforts. Apart from the rpkiNotify
issue in the SIA extension that was reported as an erratum for RFC 8182,
I'm not aware of anything that was allowed that shouldn't have been.

The ASID extension is critical. It should therefore only be used if it
contains information that needs to be processed. As you wrote, there's
nothing to do with it here, so clearly it doesn't belong here.

Similarly, the SIA extension makes no sense here.

Underspecification can lead to variances between implementations since
absence of clear guidance means implementors may or may not decide to do
something with these extensions and what they do may or may not make
sense. Explicitly disallowing them provides clarity.

What's the actual argument for implicitly allowing them?

Please don't invoke Postel a third time.
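The three constraints discussed in this thread, expressed as a check over the DER-encoded Extensions of an EE certificate: no 'inherit' in the RFC 3779 IP Address Delegation extension, no AS Identifiers Delegation extension at all, and no Subject Information Access extension. This is an added example, not code from the thread, the draft, or any RPKI validator; it uses the standard OIDs from RFC 3779 and RFC 5280, but the rule set is the one proposed above, not a published requirement. The two sample extension sets are constructed for illustration (an IPv4 family with 192.0.2.0/24 from TEST-NET-1, an asnum 'inherit', and a made-up rsync URI) and are far from a complete EE certificate.

```python
"""Check a Geofeed EE certificate's X.509 extensions against the constraints
discussed in the thread: no 'inherit' in the IP Address Delegation extension,
no AS Identifiers Delegation extension, no Subject Information Access
extension. Pure-Python DER handling; no external dependencies."""

# Standard OIDs (RFC 3779, RFC 5280); the rule set itself is the thread's proposal.
OID_IP_ADDR_BLOCKS = "1.3.6.1.5.5.7.1.7"   # id-pe-ipAddrBlocks
OID_AS_IDENTIFIERS = "1.3.6.1.5.5.7.1.8"   # id-pe-autonomousSysIds
OID_SIA = "1.3.6.1.5.5.7.1.11"             # id-pe-subjectInfoAccess


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(contents):
    """Split the contents of a constructed value into (tag, contents) items."""
    items, pos = [], 0
    while pos < len(contents):
        tag, value, pos = _read_tlv(contents, pos)
        items.append((tag, value))
    return items


def _decode_oid(raw):
    """Decode OID contents octets into dotted form."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_extensions(ext_der):
    """Parse a DER 'Extensions' SEQUENCE into [(oid, critical, extnValue bytes)]."""
    tag, body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out = []
    for _, ext in _children(body):
        fields = _children(ext)               # OID, [BOOLEAN critical], OCTET STRING
        oid, critical, idx = _decode_oid(fields[0][1]), False, 1
        if fields[idx][0] == 0x01:            # BOOLEAN present (DEFAULT FALSE otherwise)
            critical, idx = fields[idx][1] == b"\xff", idx + 1
        out.append((oid, critical, fields[idx][1]))
    return out


def ip_blocks_use_inherit(value):
    """True if any IPAddressFamily in an IPAddrBlocks value chooses 'inherit' (NULL)."""
    _, families, _ = _read_tlv(value, 0)
    for _, fam in _children(families):
        _afi, choice = _children(fam)[:2]     # addressFamily, IPAddressChoice
        if choice[0] == 0x05:                 # IPAddressChoice ::= inherit NULL
            return True
    return False


def check_geofeed_ee_extensions(ext_der):
    """Return a list of violations of the thread's constraints (empty = pass)."""
    problems = []
    for oid, critical, value in parse_extensions(ext_der):
        if oid == OID_IP_ADDR_BLOCKS and ip_blocks_use_inherit(value):
            problems.append("IP Address Delegation uses 'inherit'")
        elif oid == OID_AS_IDENTIFIERS:
            problems.append(f"AS Identifiers Delegation extension present (critical={critical})")
        elif oid == OID_SIA:
            problems.append("Subject Information Access extension present")
    return problems


# --- minimal DER encoder, used only to build the constructed sample inputs below ---
def _tlv(tag, contents):
    if len(contents) < 0x80:
        return bytes([tag, len(contents)]) + contents
    lb = len(contents).to_bytes((len(contents).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:                              # base-128 with continuation bits
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _extension(oid, critical, inner):
    body = _encode_oid(oid) + (_tlv(0x01, b"\xff") if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, inner))


def sample_extensions(variant):
    """Constructed extension sets (not a full EE certificate): 'clean' or 'loose'."""
    # IPv4 family (AFI 0x0001) with one prefix, 192.0.2.0/24 (TEST-NET-1, constructed)
    ipv4_prefix = _tlv(0x30, _tlv(0x04, b"\x00\x01") + _tlv(0x30, _tlv(0x03, b"\x00\xc0\x00\x02")))
    ipv4_inherit = _tlv(0x30, _tlv(0x04, b"\x00\x01") + _tlv(0x05, b""))
    asid_inherit = _tlv(0x30, _tlv(0xA0, _tlv(0x05, b"")))   # asnum [0] inherit
    sia = _tlv(0x30, _tlv(0x30, _encode_oid("1.3.6.1.5.5.7.48.11")   # id-ad-signedObject
                          + _tlv(0x86, b"rsync://rpki.example/geofeed.sig")))  # made-up URI
    if variant == "clean":
        exts = [_extension(OID_IP_ADDR_BLOCKS, True, _tlv(0x30, ipv4_prefix))]
    else:
        exts = [_extension(OID_IP_ADDR_BLOCKS, True, _tlv(0x30, ipv4_inherit)),
                _extension(OID_AS_IDENTIFIERS, True, asid_inherit),
                _extension(OID_SIA, False, sia)]
    return _tlv(0x30, b"".join(exts))


if __name__ == "__main__":
    for variant in ("clean", "loose"):
        print(variant, check_geofeed_ee_extensions(sample_extensions(variant)) or "OK")
```

To run it against a real certificate, extract the DER of the Extensions SEQUENCE (the [3] EXPLICIT element of tbsCertificate) and pass those bytes to check_geofeed_ee_extensions; the parser deliberately stops at the extension level and does not validate the rest of the certificate, since that is what an RPKI validator already does.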