IETF Logo Mail Archive

[Sidrops] Re: Call for WG Adoption of draft-snij-sidrops-constraining-rpki-trust-anchors

Job Snijders <job@bsd.nl> Tue, 20 January 2026 11:01 UTC

Return-Path: <job@instituut.net>
X-Original-To: sidrops@mail2.ietf.org
Delivered-To: sidrops@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 452D3AA53DBA for <sidrops@mail2.ietf.org>; Tue, 20 Jan 2026 03:01:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.478
X-Spam-Level:
X-Spam-Status: No, score=-0.478 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HEADER_FROM_DIFFERENT_DOMAINS=0.017, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ID9V0v8IozEi for <sidrops@mail2.ietf.org>; Tue, 20 Jan 2026 03:01:08 -0800 (PST)
Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E9917AA53DB5 for <sidrops@ietf.org>; Tue, 20 Jan 2026 03:01:08 -0800 (PST)
Received: by mail-ed1-f51.google.com with SMTP id 4fb4d7f45d1cf-64dfb22c7e4so10969894a12.1 for <sidrops@ietf.org>; Tue, 20 Jan 2026 03:01:08 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768906861; x=1769511661; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=tjdHr/EpkCqhIUNMekUBOo1BfVRmfl1T377FfqTv0fA=; b=XUUiFZ5SPy6pPSJ6NtVF69RI20jIt0grrK4p+HSQSUUlwiqJw43F1ZZI+3EeJSBzxe OhIxCLAPOEscf+I+Bq4obeBAjIXFfOo9sJQprJhkGpe9vcKkpv2zaw/puDrFC2jvEv2Q vAsZikngAIluGTToR/8yKUR81tNVlN7NjqRfbzhTUDfC3tETKxhtW2XWpTHAXyToL3a+ EVJdh1ocOSEAFyUZHCvs6B38WNGMNdda/Thvroi9cReDECRo+ztYgcUn/SutFLoQvCCy LsQ63lhMLvLG4eibF2gdSh+b3MIeOYPpDU6+dp4ygF4LPGTZksnTZex8H6dz5Z8BUC2j KmzA==
X-Gm-Message-State: AOJu0YynHKqi/WbsiY8nO8cjjC6U5YBPFBEVI11rW8Xbpd+cvrfp917r g1x5qWUbmaAZFzcpCh5w+HMzIE8eh2vofd8VMP9RIRgY+gnS5pUlnoGS8vDl+mK5QctRvRpsR1j YYBtVxGY=
X-Gm-Gg: AZuq6aJhzamHtK2U8comNV+8bdXt1r5hDFYDmDaF25NK9CTGTIZkYjcpsoB1EXas0nb w5xHMnE7zP53NY/NHos7NE7W2vpkt4+cSdmm8QReDdt6EnpfaszWpT31Zc3NBiNRobaFCIhF5so bZvwp+ntaOboLeHIHnMyZ2Ugoeyg0+RuTSImSFEcloiAwRd4rsqrlev6os9otakc6WtkIuE55aH fw2EnoOC8IT2Rd4TMNOhyMQ+x6GvRIXc4/sEusk5nLLowxs/puw5ZKZF1JQM54opfsuHOhnGtay w7T+pFZDizfWoojM6WXbtglNfsx78REP6+07/JTB1PdM9e/eifsfFMUQxEKKLJmqjMRF3NXju8M /E0a7V55fgR6D7WgXVqqA1DzzNDvTgKj6Pb5172PRubwr5e2ST5G2L5t6l4eWlb6pNxpVTM8few hGYGHFaWJkQD3fsGSGo6b6zsZXOx300RQDdoW4hje/HI7YubpHGCLtc8+rMYRWfMW2B4IgT3AOF 8RAKNdSBt3leraFPhD9F+fTl9OY79753thDGlCvSJthVjWiSNRSclW6o8maP/ee1E3EIwRH
X-Received: by 2002:a17:906:7309:b0:b80:16:850b with SMTP id a640c23a62f3a-b879347fe78mr1687110666b.0.1768906860586; Tue, 20 Jan 2026 03:01:00 -0800 (PST)
Received: from feather.sobornost.net ([192.147.168.2]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b879513e8d1sm1407034066b.2.2026.01.20.03.00.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 03:00:59 -0800 (PST)
Date: Tue, 20 Jan 2026 11:00:58 +0000
From: Job Snijders <job@bsd.nl>
To: sidrops@ietf.org
Message-ID: <aW9gagMfsO6CIZYO@feather.sobornost.net>
References: <5C5B8F40-6E19-4082-89C0-3DDC0AB6364A@gigix.net> <cb0ac244-0844-e518-db88-bb85ae39c133@foobar.org> <CAC93g0QWpFPbJ68i8v1uQPhBsEHGyj=ZFpSpVNktdK+oRRc=8g@mail.gmail.com> <1D49D5EE-5E24-4CA4-AF0A-6B42056E3BFE@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1D49D5EE-5E24-4CA4-AF0A-6B42056E3BFE@ripe.net>
X-Clacks-Overhead: GNU Erik Bais
Message-ID-Hash: O7VESIDCCERFNO4EI3LXVQIA2XJFA2JK
X-Message-ID-Hash: O7VESIDCCERFNO4EI3LXVQIA2XJFA2JK
X-MailFrom: job@instituut.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Sidrops] Re: Call for WG Adoption of draft-snij-sidrops-constraining-rpki-trust-anchors
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/RdLg-mEnazMQIa-gznjRMsl511g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

Hi Tim, WG,

On Tue, Jan 20, 2026 at 10:52:53AM +0100, Tim Bruijnzeels wrote:
> I agree that this needs discussing and I support adopting it for that.
> 
> I understand the need. I have some issues with trust put into the
> inputs of the constraints. 

You raise a good point - perhaps the draft at hand should adapt some
language from the SLURM specification (RFC8416, section 6), along the
lines of: "These mechanisms are only applied locally; they do not
influence how other network operators interpret RPKI data." and
additionally, "The mechanism to update trust anchor constraints to
guarantee authenticity and integrity is out of the scope of this
document."

> The RIRs have a responsibility here. As presented at the last IETF the
> RIRs are committed to give better, signed, inputs with regards to
> resources managed under each RIR. This is still in its early stages.
> An updated document incorporating feedback is in the making. It may
> well turn out that that effort can serve as validatable input to the
> approach outlined in this document.  It may also be that ultimately
> that effort removes the need for this, but only time and discussion
> will tell. So, in the meantime I think it's good to discuss this
> approach.

Indeed. My hope is that draft-snij-sidrops-constraining-rpki-trust-anchors
can provide a building block for the NRO draft about constraints (and
other initiatives). Whether RIRs end up proposing to publish
JSON-formatted-GPG-signed listings, or cross-signed-CMS-messages, or
something else entirely, it would be nice if those concepts can
(programatically) be transformed into the 'policy structure' specified
in this draft (and in turn, this 'structure' was consciously designed to
align with RFC 3779 containment checks).

I'd like to:

1) make the concept of trust anchor-specific constraints tangible by
   publishing a specification
2) formalize a structure how to express constraints (note: this is not
   encoding - whether it is plain ASCII or JSON or XML is irrelevant)
3) specify an attachment point in the validation process for these
   expressions, in order to achieve interoperability

In short - I consider where the "constraints content" actually
originates out-of-scope for this specification, there definitely is more
work to be done in the space of automating distribution & verification
of constraints content.

Another use case for TA constraints would be to facilitate
narrow-purpose trust anchors, for example, a trust anchor specific to
the DNS root zone servers. It doesn't seem entirely unreasonable for the
Internet community to wish for more redundancy in terms of route origin
authorizations for certain routing attestations (redundancy through
multiple Trust Anchors), and at the same time the Internet community may
desire to restrict such a DNS-root-specific trust anchor to a very
limited set of resources.

Kind regards,

Job

v2.39.1 | Report a Bug | By Email | System Status