IETF Logo Mail Archive

Re: [Sidrops] HTTPS in TALs

Tim Bruijnzeels <tim@ripe.net> Mon, 24 July 2017 10:39 UTC

Return-Path: <tim@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D92F131C83 for <sidrops@ietfa.amsl.com>; Mon, 24 Jul 2017 03:39:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Id3TUTIihNV for <sidrops@ietfa.amsl.com>; Mon, 24 Jul 2017 03:39:31 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80753131C81 for <sidrops@ietf.org>; Mon, 24 Jul 2017 03:39:31 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dZalq-00020V-Jy; Mon, 24 Jul 2017 12:39:27 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-212.ripe.net) by titi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <tim@ripe.net>) id 1dZalq-0004L5-Fq; Mon, 24 Jul 2017 12:39:26 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20170723184719.6F85CA32091@minas-ithil.hactrn.net>
Date: Mon, 24 Jul 2017 12:39:25 +0200
Cc: sidrops@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3FB724F-4674-443F-9656-D45508D8FC78@ripe.net>
References: <F3B9CD28-7643-43B9-B210-805687297D9E@ripe.net> <20170723184719.6F85CA32091@minas-ithil.hactrn.net>
To: Rob Austein <sra@hactrn.net>
X-Mailer: Apple Mail (2.3273)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: -------
X-RIPE-Spam-Report: Spam Total Points: -7.5 points pts rule name description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED Passed through trusted hosts only via SMTP
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07199ba95d8bee254c255bffafa1b4a9d135
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/KpIE16Fb4NeQfxNtQDE8ry_HzuY>
Subject: Re: [Sidrops] HTTPS in TALs
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 10:39:33 -0000

> On 23 Jul 2017, at 20:47, Rob Austein <sra@hactrn.net> wrote:
> 
> I think we should move from rsync to HTTPS for fetching TALs, yes, so
> I think the WG should be doing something of this general nature.

At this point agreeing on the direction is the most important point to me.

> How many stages...I think at this point I would be most comfortable
> with making HTTPS mandatory and rsync optional.

That said, I can’t help myself ;)

Why? If HTTPS is mandatory to implement for both CAs and RPs, what operational concern is addressed by allowing optional rsync in the same TAL in addition?

Again, I sympathise that CAs and RPs (including ours) need to time to move, but to me it’s much simpler to address that by having RFC7730 and 7730-bis (HTTPS only) TALs defined, and agreeing on a strategy to allow the use of -bis by CAs, support them in RPs, and once the 5 RIR TAs and 3 RPs have moved, discontinuing 7730 (rsync only). Guiding this process in subsequent RFC updates seems like unnecessary overhead to me. Still, I would rather have that, and progress, if I am alone in this.. To me the end goal is what counts here.

> My own RP implementation has supported both schemes for years (albeit
> only on a development branch until about a year ago).  I don't know
> the status of the other RP implementations, but the authors of those
> can speak for themselves.

We don’t yet support in production I believe, but I think we had code on a development branch when working on RRDP - in any case this will be trivial to add for us.

(And beneficial even because it will make automated scenario testing easier of our CA code publishing with our Publication Server, and RP validating and expecting specific results - without the need for rsync)

> Regarding Job's request that we change format to JSON or XML or ...,
> I must respectfully disagree.  The current format was deliberately
> chosen to be as simple as possible, no presentation-layer-du-jour
> parsing library required.  ASN.1 is enough fun for somebody who has to
> implement an RP in an embedded environment, but that is required,
> because all of the objects being validated are ASN.1.  Let's please
> not add a requirement for another whole parser just for TALs when the
> trivial line-oriented thing we have now will suffice.

While I would have been happier with JSON or XML in the first place I don’t see a need to change the general format now.

We already know how to parse the current TALs - the only change is in the scheme used in URIs - leaving the format as-is will be least intrusive for existing deployment at this point.



> 
> _______________________________________________
> Sidrops mailing list
> Sidrops@ietf.org
> https://www.ietf.org/mailman/listinfo/sidrops
>

v2.23.0 | Report a Bug | By Email