Re: [Sidrops] HTTPS in TALs

Geoff Huston <gih@apnic.net> Wed, 19 July 2017 18:14 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <F3B9CD28-7643-43B9-B210-805687297D9E@ripe.net>
Date: Wed, 19 Jul 2017 20:14:00 +0200
CC: sidrops@ietf.org
Message-ID: <0428C22A-4D93-4961-92FA-968B4E177BC5@apnic.net>
References: <F3B9CD28-7643-43B9-B210-805687297D9E@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Iw44zCWZZDw_FlpH0Zjj_RaV-Gc>

This particular author of RFC7730 is more than happy to apply s/rsync/https/g on RFC7730, but will only do so if the chairs can gather the consensus of the WG to proceed in this direction, of course.

regards,

  Geoff


> On 19 Jul 2017, at 10:59 am, Tim Bruijnzeels <tim@ripe.net> wrote:
> 
> Dear WG,
> 
> As presented I want to propose a change to RFC7730 to move to HTTPS URIs, rather than RSYNC.
> 
> The reasons why I want this change are:
> - As a TA operator I feel more confident assuring the availability of a TA certificate over HTTPS compared to RSYNC
> - As an RP implementer I want to reduce the dependency on rsync in the validator. Especially if RRDP is also used, this would mean we don’t need to call rsync at all anymore.
> 
> Conventional wisdom would be to first allow HTTPS in addition to RSYNC (and make it preferred if available), then mandate it, and then deprecate RSYNC.
> 
> However, I feel that in this case it would be perfectly safe, and much simpler to go for the end-stage immediately for the following reasons:
> - step 1 of allowing HTTPS already forces RP software to support HTTPS
> - nothing stops us from having a mix of RFC7730 style TALs and ‘HTTPS’ TALs for a while:
> — TAs can create new TALs when they are ready to publish their certificate using an HTTPS URI
> — TAs can continue to have their certificate available under RSYNC for those RPs unaware of the updated TAL
> — We can pursue parallel efforts (other thread) to have a way for TAs to pro-actively communicate an updated TAL to RPs
> - and, of course, updating/replacing 7730 in one step rather than 3 is a lot less work
> 
> So, updating 7730 to use HTTPS this way is almost as simple as ‘s/rsync/https/g’, and updating the references.
> 
> In addition I would advocate an HTTPS consideration section, similar to:
> https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-08#section-4.3
> 
> Essentially, TLS certificate or host name validation issues found are worth logging about, but since the RP can verify that the retrieved TA certificate matches the “subjectPublicKeyInfo” in the TAL, and is newer than the previously obtained certificate, it should be safe to process. We should probably also advocate that in cases where multiple HTTPS URIs are present, and TLS certificate or host name validation issues are found, other URIs are also followed to see if there is no newer TA certificate. This may be left to local policy, but I believe this will help against replay attacks where RPs are presented with an outdated TA certificate.
> 
> So, questions to the WG:
> = Can we adopt this work?
> = What is the best path? Are the 7730 authors willing to update? Should I start work on a -bis?
> 
> 
> Thanks
> 
> Tim
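The RP-side handling Tim sketches in the quoted message, written out as an added example in Go. This is not code from the thread, from RFC 7730, or from any RP implementation. It parses a TAL in the RFC 7730 layout while accepting https:// alongside rsync:// so the two TAL styles can be mixed, compares the retrieved certificate's SubjectPublicKeyInfo with the key in the TAL, refuses a certificate older than one the RP already holds, logs TLS certificate or host name problems without treating them as fatal, and follows every URI so that a stale copy served from one of them cannot hide a newer certificate served from another. The fetch callback and its tlsWarning return value are an assumed client interface, not a real HTTPS library API; the example.net URIs, the RSA key and the self-signed certificates are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"log"
	"math/big"
	"strings"
	"time"
)

// TAL is a parsed RFC 7730 trust anchor locator: URIs, a blank line, then base64 SPKI.
type TAL struct {
	URIs []string
	SPKI []byte // DER SubjectPublicKeyInfo of the TA key
}

// ParseTAL accepts rsync and https URIs so RFC 7730 style and "HTTPS" TALs can coexist.
func ParseTAL(text string) (*TAL, error) {
	head, b64, _ := strings.Cut(strings.ReplaceAll(text, "\r\n", "\n"), "\n\n")
	tal := &TAL{}
	for _, l := range strings.Fields(head) {
		if !strings.HasPrefix(l, "https://") && !strings.HasPrefix(l, "rsync://") {
			return nil, fmt.Errorf("TAL: unsupported URI %q", l)
		}
		tal.URIs = append(tal.URIs, l)
	}
	var err error
	if tal.SPKI, err = base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), "")); err != nil || len(tal.SPKI) == 0 {
		return nil, fmt.Errorf("TAL: missing or bad key: %v", err)
	}
	return tal, nil
}

// CheckTACert is the transport-independent check: the certificate must carry exactly
// the TAL's SPKI and, if the RP already holds one, must not be older than it (replay).
func CheckTACert(der []byte, tal *TAL, previous *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, tal.SPKI) {
		return nil, fmt.Errorf("TA certificate key does not match the TAL")
	}
	if previous != nil && cert.NotBefore.Before(previous.NotBefore) {
		return nil, fmt.Errorf("TA certificate is older than the one already held")
	}
	return cert, nil
}

// SelectTACert follows every TAL URI and keeps the newest certificate that passes
// CheckTACert, so a stale copy on one mirror cannot shadow a newer one. fetch is an
// assumed client interface (not a real library API): on a TLS certificate or hostname
// validation failure it still returns the body plus a tlsWarning, logged but not fatal.
func SelectTACert(tal *TAL, fetch func(uri string) (body []byte, tlsWarning string, err error), previous *x509.Certificate) (*x509.Certificate, error) {
	var best *x509.Certificate
	for _, uri := range tal.URIs {
		body, warn, err := fetch(uri)
		if err != nil {
			log.Printf("%s: fetch failed: %v", uri, err)
			continue
		}
		if warn != "" {
			log.Printf("%s: TLS validation issue (%s); still checking body against TAL key", uri, warn)
		}
		if cert, err := CheckTACert(body, tal, previous); err != nil {
			log.Printf("%s: rejected: %v", uri, err)
		} else if best == nil || cert.NotBefore.After(best.NotBefore) {
			best = cert
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no acceptable TA certificate from any TAL URI")
	}
	return best, nil
}

func selfSignedTA(key *rsa.PrivateKey, serial int64, nb time.Time) []byte { // constructed test material, not a real TA
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example TA"}, NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	tal, _ := ParseTAL("https://ta.example.net/ta.cer\nrsync://ta.example.net/ta.cer\n\n" + base64.StdEncoding.EncodeToString(spki))
	serve := map[string][]byte{tal.URIs[0]: selfSignedTA(key, 2, time.Now()), tal.URIs[1]: selfSignedTA(key, 1, time.Now().AddDate(0, -6, 0))}
	cert, err := SelectTACert(tal, func(u string) ([]byte, string, error) { return serve[u], "chain not trusted", nil }, nil)
	fmt.Println("selected serial:", cert.SerialNumber, "err:", err)
}
```

The order of checks is the point: the TLS layer only decides whether a body comes back at all, the SPKI comparison decides whether the body is the TA's certificate, and the NotBefore comparison against the held certificate is what stops a replayed older copy from being accepted. Following every URI rather than stopping at the first success is what makes the replay defence work when one mirror is stale.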