IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-06.txt

Stephen Kent <stkent@verizon.net> Mon, 27 September 2021 00:57 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3C2A3A1A7E for <sidrops@ietfa.amsl.com>; Sun, 26 Sep 2021 17:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OuUqrwFlweHG for <sidrops@ietfa.amsl.com>; Sun, 26 Sep 2021 17:57:44 -0700 (PDT)
Received: from sonic304-22.consmr.mail.ne1.yahoo.com (sonic304-22.consmr.mail.ne1.yahoo.com [66.163.191.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A46E83A1A7D for <sidrops@ietf.org>; Sun, 26 Sep 2021 17:57:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1632704263; bh=Y0r08L3ldBw636NQHoi82mBXtWEKsA9l9p5qjLz/6eE=; h=Subject:From:To:Cc:References:Date:In-Reply-To:From:Subject:Reply-To; b=gxa9dsoYhGfurXbiWfnk6ov758OXx6O7ahCp0luGqXm5W2Zc4AulZoqmzKrUOF+MuYU+3L0HqsnDhnBPrXTTugJUOezUEw554Zpfgvu8bZxyqe71QhhMxUvcCU5eZKsmQDmLrC0LO5zjtpSH84B3oFl/1g1lC3I2Dd3GokmOYXGO21tZJo8XZ6R4JYXduK68M0QyuMrBirq7+Fad1wjQ1rENgz9PEQJIXJLRtC5mC2uUxC+tlXZn074/uLmAPoPpFvtj2D4n+3gZq3vKZAQNciimWZXxRJZqqOez9qtwMimoAvyuoxqzrHOo94s0qu5TW0Z934aWBWFhRlrN+J9LkA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1632704263; bh=lHrD5EaffGK0DsMRZzoLOAGvtwkgvcUIwM1+DDoxBQ/=; h=X-Sonic-MF:Subject:From:To:Date:From:Subject; b=bbTXGnj9WGNKvbhDS/IvmvOlPYpjikWWSHQ+R9PLGhf1Zb0BkxaXpgTJwYGA5hjrx2OWdyWmZsyXWZ1qIBv8cYeu5TA5wMDZoHfn+zQbVwbmchfDoGabeJk1bb4BDLqcV0iU2kqziDrEfE2Y5PzzF9DO4zQWPgqqKYSGNii79ue09Zmf/nm8gPR8DfyvPm/rvnEm2ZYq1NJzRgd00hNLeBqhPhsiVE8m+ckGa/p+XPq7FzBRnw9PuFFmR/6svY+bxSpPa3VwhvI+pcCjgiamBCnDitlzwhU/rcm1CjqwWyW/YFcRreJY2cIchQ0rnNfHLMCVmqcV9Zt+Ny54loJI4g==
X-YMail-OSG: 6RK6ZGkVM1l2ssg5zc0qtxY2YU16GTCo7UgeUHXvwraY6HofVnrOk184jYP_2C. 5sH7zYOfmj_cQ7koJ6h1R82zjjiFb2XXNJochV8tqxtNBExPcUlPkeDbqb779SF_qNN9jcKBd.yE 93zyRuffEzmY5YH.UTwJlwufHI0KGAWkVbdOe87mB6z1NsDQ2g820_0AggfmZLK3fF6th4X7jjHr z1zYt5dFgx1orBuMmGpC72jrbccjqymvK.sVLzYmpC3U0OP32g_7kKjKMBqViymsPLo448VLbm0W aBXvrYKUPtbz5EhL7yPb_o2S45TFpHINlqBveOd7VgfWYGL3Oq1Zia_fyMwoUYK27NzmYXWqLzhf 0kcBHjIa23myzFgCRMP6WDj1pJIChxeBVx9AUp737iY5pDKxqRaPw3pO13ONDgGHDyPwbYjz4YgI rvLnE0WD8Z2sdqeVQ3FR5yTYgE7RKsSuYKaZzP.O9J7gNJLQgwwXwzvVz6j19h_XvsWfcVu_dZkA K65rokdbJ5otivRuF23b_B9SH4y1BbkXG9IwfiA0nuBFBupSBL8aelrG7dHis3MQNgr0qnbU9dAr D0c2VmiE3lgPp6ISyTrcQ4wt08YMQhbOwdMHyGKS2D3cW6JSJmXfsd20znA6OeN2h32x_dD5qYUI rHWsUBDDxtsKYg7Y84LDUxVkgmqPGj3eh43wRuV6wh72rscX1.L8IYPtXmMl.wjxXXTH1Ad4syNe D7ccG.yZaoIcm_RCo9cley_.kW63eN6uHrCvClqbEcpbSg9GplsenRYn7lghSSOgND.Kz44Uv0rf iWbYQEtFEo2fSaBxR40GZpznjDb1DRpwedAF4K8wFlp7YdOLfBTjO4QK9NVJZn90EppuT77ir7Kf uLLzC.OlRShE3scoUpoYF_W_1ibaFK1yjfaEZLHhddIs24W_b3cMmRASVy_z4K9YZWTdirSzWjhx DV1uB9oiFAXTpoMohQ1GxogSGIOmwL6IwkBL9PDQqWKS4QEOdcx3JoiKaR0Px8w17sQOyZYqtc.9 Wkw7zOdLpRV0.P9suvJNBLiZ_GPmoMU.a86UrLSbkLYZrgNtXeBwbjxwaB8a12asdRrZsbpsiHp5 p.X2hodzDQO95jBJ55oz6m95QexsJsgsCsZjJy3PUWxzog4p6IYtYL_ipZwCw_FOqHzeAF_Jrj3V Zc4MxqapLptetPjSUGpGk_7.NeR5VvFga9icwpQLpu2TaLsgGbS.a4jwms_Alaizvb_x8pljN8_. .7MwMgymEr8cQwhOGxyVVotUo44s9R4q3G1xI4q38EfSDe6qBxMjfbOQMkM7f3grJqjaniXfv8aY 76m7sBt6xwYm8Xp6bCf7nN1jHPX7t2xQFRaCKP6rWZPkvgIfsXbD6hD0hgMuuKgteSCeke3AGez5 3pNerKFOTpsvRGNO_V2tOCEvUHdYExhNncyH0RR6veLHfkEItd6XGDPbnfm0a8.ONxP9HFzSky1a TA.B68aiRItiLV8Cv9lfFd2WM_stcrQ1qTROk_otxw2uV5kklfJdBqqAMHyA3Xl1fZj_mux0pBxR 0Ct7KhUnQegUw4.ZxYwFr1GFK0LrpULrTmjwntfuHfn6HIpFBSr4opiee6vcGhRrwAgalBz7VXEb yK.MLy9.XQZdK1ZmRaGyGa.lKrJFus8AMNX63g9H6Tdg.tfZMGKPSy5UmPxoULBxgylYV0xbJOMB S2RZE7xILlon23Ft99wv1fVpszlXuCypRYwNMsKceCz9WheBOwF9YjZAxXl.wAawhKdFLb65kGPb xWP5XCTorqi2n2vL5ePMLilmeoaYQwoomXbkNiGt7bwHsUJEvH5_Xe_Rd6YCbvZLGLuel4ZQRbOc 2u6RQ9I0kbnxHLitE96X13XrmR4gIExhQAUAao.TwCRZAsyLpODOzDI0TZwmqHjQAPF1ov5hv14n LWoK3PlR8Hf220OEQ3KJMfLg.L6JcpDk1POo79L14sbj7h11sSz2.0iA62cdRaD4DuakVCgvEOlc q93xeoEH4_7U1gWNE_lKuB4JN5HTAuU9aoJNiXDUwNAzsa8KhwKM_Q.jyR8aPfoEluKpieJdCifF nP.qhwwNBPc4mzqcuILaWb0YqT_0tXyDPZuy.H2dn4OL1YecDf.prmqiSu0U5bnygLpMqEuOHe5L 0hAWTRdEFDCUZM44MLRw4B5uXgzToHWxgIs6kHPUbB90BTptk6y_ryQFNbAgd9ojjdOPL3HaevYw k3feCMvvxXaLKGxb_RRlZ_9WqnXpRUTtzvXxRGpos4VaGQz9mEBTJqQ--
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic304.consmr.mail.ne1.yahoo.com with HTTP; Mon, 27 Sep 2021 00:57:43 +0000
Received: by kubenode587.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID d54141f5381fd810e9d72e70f810f215; Mon, 27 Sep 2021 00:57:40 +0000 (UTC)
From: Stephen Kent <stkent@verizon.net>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: SIDR Operations WG <sidrops@ietf.org>
References: <162730591845.29690.12178353991713962835@ietfa.amsl.com> <2457bdd2-de07-241f-b8e4-87206dabcf16@verizon.net> <28F0ACCE-4D0C-4D80-B4C5-4E8B9D05760F@nlnetlabs.nl> <51acd845-d937-34a1-359b-7379b45e3fe3@verizon.net>
Message-ID: <49e73d37-6d26-7715-da60-c2411020d595@verizon.net>
Date: Sun, 26 Sep 2021 20:57:39 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <51acd845-d937-34a1-359b-7379b45e3fe3@verizon.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Mailer: WebService/1.1.19043 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/V_wVFGPMFhyi7yeFco6GB9usgas>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-06.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2021 00:57:49 -0000

Tim,

I'll wait to see what other WG members suggest before making this 
change, but I do not see a problem with replacing the current test with 
your proposed revision.


Steve

>> Hi,
>>
>>> On 24 Sep 2021, at 13:54, Stephen Kent<stkent=40verizon.net@dmarc.ietf.org>  wrote:
>>>
>>> This version of the ID was published during the last IETF meeting, and has received no comments since then.
>> Steve, thank you for your perseverance.
>>
>> I reviewed this once more. My apologies for not responding earlier.
>>
>> Thank you for clarifying (in -05) that the previous manifest MUST be revoked.
>>
>> What is still missing, I believe, is similar normative language when it comes to
>> replacing existing other named files (ROA, certificates etc).
>>
>> If the working group feels that any replaced (non-CRL) files defined in the
>> manifest scope MUST also be revoked if they are not expired then I think it
>> would be good to include a sentence to this effect. Perhaps we could amend the
>> start of the second paragraph of section 5.2:
>>
>> CURRENT:
>>   
>>     An authority MUST issue a new manifest in conjunction with the
>>     finalization of changes made to objects in the publication point.
>>
>> SUGGESTED:
>>
>>     An authority MUST issue a new manifest in conjunction with the
>>     finalization of changes made to objects in the publication point.
>>     If any named objects in the publication point were replaced then
>>     the authority MUST ensure that the file hash is updated accordingly
>>     in the new manifest. In addition to this the authority MUST revoke
>>     the previous object, if it is of a type that can be revoked (i.e. not
>>     a CRL) and it is not expired.
>>
>> Note that I made an argument earlier in favour of not revoking objects which
>> section 6 now says MUST NOT be used anyway. But rather than trying to re-ignite,
>> I have accepted people want redundancy, I am looking for clarity on all
>> revocations so we don't end up with different interpretations again in future.
>>
>> Kind regards,
>> Tim
>>
>>> I'd like to initiate WGLC at this time.
>>>
>>> Steve
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the SIDR Operations WG of the IETF.
>>>>
>>>>          Title           : Manifests for the Resource Public Key Infrastructure (RPKI)
>>>>          Authors         : Rob Austein
>>>>                            Geoff Huston
>>>>                            Stephen Kent
>>>>                            Matt Lepinski
>>>> 	Filename        : draft-ietf-sidrops-6486bis-06.txt
>>>> 	Pages           : 17
>>>> 	Date            : 2021-07-26
>>>>
>>>> Abstract:
>>>>     This document defines a "manifest" for use in the Resource Public Key
>>>>     Infrastructure (RPKI).  A manifest is a signed object (file) that
>>>>     contains a listing of all the signed objects (files) in the
>>>>     repository publication point (directory) associated with an authority
>>>>     responsible for publishing in the repository.  For each certificate,
>>>>     Certificate Revocation List (CRL), or other type of signed objects
>>>>     issued by the authority that are published at this repository
>>>>     publication point, the manifest contains both the name of the file
>>>>     containing the object and a hash of the file content.  Manifests are
>>>>     intended to enable a relying party (RP) to detect certain forms of
>>>>     attacks against a repository.  Specifically, if an RP checks a
>>>>     manifest's contents against the signed objects retrieved from a
>>>>     repository publication point, then the RP can detect "stale" (valid)
>>>>     data and deletion of signed objects.
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-sidrops-6486bis/
>>>>
>>>> There is also an htmlized version available at:
>>>> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-6486bis-06
>>>>
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidrops-6486bis-06
>>>>
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>>
>>>> _______________________________________________
>>>> Sidrops mailing list
>>>> Sidrops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sidrops
>>> _______________________________________________
>>> Sidrops mailing list
>>> Sidrops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidrops
>
>

v2.23.0 | Report a Bug | By Email