Re: [Sidrops] Robert Wilton's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
Job Snijders <job@fastly.com> Fri, 11 February 2022 13:18 UTC
Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C43753A1083 for <sidrops@ietfa.amsl.com>; Fri, 11 Feb 2022 05:18:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNbfzpMbvMad for <sidrops@ietfa.amsl.com>; Fri, 11 Feb 2022 05:18:27 -0800 (PST)
Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA8403A106F for <sidrops@ietf.org>; Fri, 11 Feb 2022 05:18:26 -0800 (PST)
Received: by mail-ej1-f51.google.com with SMTP id fy20so22733344ejc.0 for <sidrops@ietf.org>; Fri, 11 Feb 2022 05:18:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=koRoXPWPaFwB763Z3QM4xs0oBqyflt1ylwyI8b0G9nE=; b=jZAj5hlo7X4O9D3FiCg13RPTLRJvAho2DuGEc8gPgeHBUYcSYy9n3cnjwJqeQFlOrZ AncI5O/K3mzP3vqLK2mUz7xUAzqVw4GeTILMiC1s1/Sj5xl8a02ITHZFkTtr+VuOTGle nTwlIIJiMIjqotBRBF7sWvggd8aOvtFsUWS0s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=koRoXPWPaFwB763Z3QM4xs0oBqyflt1ylwyI8b0G9nE=; b=tzVFBFsdYY09h5+nrHL3xQbO3e0fSXVU/EcN7leR8RrU60QxjdiSr9NOHjDtVU6pZF BimdTVQTtkCg0ikzozfVu6j6pzj49gGwPROfmKJKzzsQJlGm51YgsbcA5gxP6Wg40GFR QNzm4U+7wOOzFYefm+61QVQ78HiLZ9YR0EpoV9E+MBozUZvj/xVJ2zwWa0myjGXVKlZl 8HdzD4Iw6nk44z/nRkVSVLVpApT2dE6o1oTvaaRh6RctvufyI2ZSyq4ED3jiMvlGbT45 iZp6MFEeGK3mxjo4VVpYS/FlNWW1Np8dqUv4OqR5UKqEvaaHpsIR7cIK+hZFQWch1/7l dgSA==
X-Gm-Message-State: AOAM532nhO974L+tJ6DsHEhV7r8R1mF/crAKugqjARRK9QaHbmPDmYWR PQVhmHA4wV9+y3vF1odUfKcNwA==
X-Google-Smtp-Source: ABdhPJzXIPF3p55YxqLloeD6jURHmv2CN7WNvztP+FPS97MW0eCmAhnLEdR/qc9PT1CBhwWn724sSQ==
X-Received: by 2002:a17:906:14c:: with SMTP id 12mr1005214ejh.222.1644585503217; Fri, 11 Feb 2022 05:18:23 -0800 (PST)
Received: from snel ([2a10:3781:276:2:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id v14sm5216634edq.13.2022.02.11.05.18.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Feb 2022 05:18:20 -0800 (PST)
Date: Fri, 11 Feb 2022 14:18:19 +0100
From: Job Snijders <job@fastly.com>
To: Robert Wilton <rwilton@cisco.com>
Cc: The IESG <iesg@ietf.org>, sidrops-chairs@ietf.org, morrowc@ops-netman.net, sidrops@ietf.org, draft-ietf-sidrops-6486bis@ietf.org
Message-ID: <YgZiG2jo/0ph6u+F@snel>
References: <164388976597.15129.830524103308089518@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <164388976597.15129.830524103308089518@ietfa.amsl.com>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/S2boXt7FGq8M2tQ5xVasvyGwON4>
Subject: Re: [Sidrops] Robert Wilton's No Objection on draft-ietf-sidrops-6486bis-09: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2022 13:18:39 -0000
Dear Robert, Thank you for you review and comments. On Thu, Feb 03, 2022 at 04:02:45AM -0800, Robert Wilton via Datatracker wrote: > ---------------------------------------------------------------------- > > Thanks for this document, just a couple of minor comments: > > 1) Section 4.2.1. Manifest > > nextUpdate: > This field contains the time at which the next scheduled manifest > will be issued. The value of nextUpdate MUST be later than the > value of thisUpdate. The specification of the GeneralizedTime > value is the same as required for the thisUpdate field. > > If the authority alters any of the items that it has published in > the repository publication point, then the authority MUST issue a > new manifest. Even if no changes are made to objects at a > publication point, a new manifest MUST be issued before the > nextUpdate time. Each manifest encompasses a CRL, and the > nextUpdate field of the manifest SHOULD match that of the CRL's > nextUpdate field, as the manifest will be re-issued when a new CRL > is published. When a new manifest is issued before the time > specified in nextUpdate of the current manifest, the CA MUST also > issue a new CRL that revokes the EE certificate corresponding to > the old manifest. > > Although this last sentence is not wrong, am I right in thinking that this > sentence isn't specific to when the manifest is issued, i.e., isn't it the case > that that CA MUST issue a new CRL whenever a new manifest is issues for any > reason (e.g., as per 5.1, step 2)? If so, perhaps this sentence could be > tweaked to make that clearer. Do you have a suggestion? > 2) 5.2. Considerations for Manifest Generation > > A new manifest MUST be issued and published before the nextUpdate > time. > > Should any guidance be given about how far before the nextUpdate time > a new manifest should be issued. E.g., is publishing right at the > nextUpdate time (e.g., 1 millisecond before) sufficient , or does it > make sense to publish it a bit earlier than the nextUpdate time? Such guidance is perhaps better provided through the "Timing Parameters" internet-draft effort which is currently being progressed through the working group: https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-rov-timing Compared to RFC 6486, the -bis guidance provides clarity on the aspect that a new version of the manifest must be issued *before* nextUpdate, and not on the collapse of the event horizon. CA operators understand that takes it takes anywhere between 10 minutes and 2 hours to distribute newly generated signed information to RPs; but this is still an area of study and active research by R. Bush et al. > Nits: > > 4.1. eContentType > > The eContentType for a manifest is defined as id-ct-rpkiManifest and > has the numerical value of 1.2.840.113549.1.9.16.1.26. > > Would numerical object identifier, or numerical OID, be better than numerical > value here? OK! thanks, changed. > 4.2. eContent > > I would have preferred for "file" to be "filename" in the structure, but I > presume that this can't be changed at this stage anyway ... I too would've preferred that, however... https://sobornost.net/~job/ship.gif ;-) Kind regards, Job
- [Sidrops] Robert Wilton's No Objection on draft-i… Robert Wilton via Datatracker
- Re: [Sidrops] Robert Wilton's No Objection on dra… Job Snijders
- Re: [Sidrops] Robert Wilton's No Objection on dra… Rob Wilton (rwilton)