Re: [Sidrops] Document on HTTPS on TALs (update to RFC7730) - seeking adoption

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Thu, 30 November 2017 13:31 UTC

From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Tim Bruijnzeels <tim@ripe.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Date: Thu, 30 Nov 2017 13:31:35 +0000
Message-ID: <2545F8AE-022A-4824-9F55-A589144BFAA9@cisco.com>
References: <56EB3EEC-A49A-41FE-84FD-42DEF814D333@ripe.net>
In-Reply-To: <56EB3EEC-A49A-41FE-84FD-42DEF814D333@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/_eohcXDLUp3m6AFieda5zvsVsmQ>
Subject: Re: [Sidrops] Document on HTTPS on TALs (update to RFC7730) - seeking adoption

Hi Tim,

Not sure I understand why you are using “updates” RFC 7730 and not “obsoletes” RFC 7730. Could you please elaborate on this decision?

Regards,
Roque


On 30/11/17 14:02, "Sidrops on behalf of Tim Bruijnzeels" <sidrops-bounces@ietf.org on behalf of tim@ripe.net> wrote:

    Dear working group,
    
    As discussed at IETF99, and in informal talks with some of you, we would like to update the TAL format (RFC7730) to allow HTTPS.
    
    I worked with George Michaelson on an update. Because RFC7730 contains quite a few references to ‘rsync’ we felt that a new document updating 7730 would be more readable and appropriate than a document updating many small bits of text. The -00 version of this document is here: https://tools.ietf.org/id/draft-tbruijnzeels-sidrops-https-tal-00.txt
    
    We would like to ask the co-chairs to make a call to the working group for adoption.
    
    In short, this update will allow the use of HTTPS instead of, or in addition to, rsync on TALs. Other than that it contains a section on TLS verification similar to the one that is included in the delta protocol (RFC8182) - essentially saying that TLS verification is done on a best-effort basis - and warnings should be uttered in case of issues - but because the TA certificate can still be validated cryptographically it MUST still be downloaded. Note that it is a matter of local policy whether an RP chooses to use different locations if they are present, but we may want to add some text here recommending the use of HTTPS URIs that have no TLS verification issues over ones that do - at this point I am not sure that this is needed, or would need to be normative text, but I think it would be good to have some discussion on this.
    
    For the record, I am not sure what is customary in these cases of relatively small updates to existing standards. But, I tried to approach the other authors of RFC7730 (George is already one of them) and ask them whether they want to remain authors on this new document. Geoff Huston indicated that he does not need to be on the list, but has no objections to us doing this work. I have not seen responses from Sam Weiler or Stephen Kent - it is also possible that they missed my message. In any case we have no objections if they do wish to stay on as authors, but for now they are not on the list of the document linked above.
    
    Kind regards,
    
    Tim 
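The relying-party behaviour Tim describes (walk the TAL's URIs, treat TLS verification as best effort with a warning rather than a hard stop, but accept the downloaded TA certificate only if its subjectPublicKeyInfo matches the key carried in the TAL, as RFC 7730 requires) as an added Python example. This is not code from the draft, from RFC 7730 or from either author; the TAL text, the key bytes and the fetcher are constructed stand-ins, and the https-first ordering and the "prefer a URI without TLS issues, fall back to one with issues" policy are the local-policy choices the message leaves open, not something the draft mandates.

```python
"""Relying-party handling of a TAL listing https and rsync URIs.

Added example for the thread above; not code from the draft, RFC 7730
or its authors.  The TAL, the key bytes and the fetcher are constructed.
"""
import base64
import hmac
from urllib.parse import urlparse

# Constructed placeholder key bytes (not a real subjectPublicKeyInfo).
SAMPLE_SPKI = bytes(range(64))


def _fold(s, width=32):
    """Fold a base64 string the way TAL files usually wrap the key."""
    return [s[i:i + width] for i in range(0, len(s), width)]


# Constructed TAL in the RFC 7730 layout: URI lines, one blank line,
# then the base64 subjectPublicKeyInfo folded over several lines.
SAMPLE_TAL = "\n".join(
    ["https://tal.example.net/ta/ta.cer", "rsync://tal.example.net/ta/ta.cer", ""]
    + _fold(base64.b64encode(SAMPLE_SPKI).decode())
) + "\n"


def parse_tal(text):
    """Return (uris, spki_bytes) from TAL text; raise ValueError on a bad layout."""
    lines = text.replace("\r\n", "\n").split("\n")
    if "" not in lines:
        raise ValueError("TAL has no blank line separating URIs from the key")
    sep = lines.index("")
    uris = [ln.strip() for ln in lines[:sep]]
    if not uris:
        raise ValueError("TAL lists no URIs")
    for uri in uris:
        if urlparse(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"unsupported URI scheme in TAL: {uri}")
    spki = base64.b64decode("".join(ln.strip() for ln in lines[sep + 1:]), validate=True)
    if not spki:
        raise ValueError("TAL carries an empty subjectPublicKeyInfo")
    return uris, spki


def order_uris(uris, prefer="https"):
    """Local policy (assumed here): preferred scheme first, TAL order otherwise."""
    return sorted(uris, key=lambda u: urlparse(u).scheme != prefer)


def make_fetcher(responses):
    """Stand-in for the network: uri -> (cert_spki, tls_ok) or an exception to raise.
    tls_ok is None for rsync (no TLS involved), True/False for https."""
    def fetcher(uri):
        reply = responses.get(uri, OSError("unreachable"))
        if isinstance(reply, Exception):
            raise reply
        return reply
    return fetcher


def retrieve_trust_anchor(tal_text, fetcher, prefer_clean_tls=True):
    """Try the TAL's URIs in policy order and return the first acceptable TA.

    TLS verification is best effort: a failure is recorded as a warning and the
    download is still usable, because the certificate's key is checked against
    the TAL.  A key mismatch, by contrast, rejects that URI outright.  With
    prefer_clean_tls, a download that had TLS issues is held back as a fallback
    while the remaining URIs are tried first.
    """
    uris, tal_spki = parse_tal(tal_text)
    warnings, fallback = [], None
    for uri in order_uris(uris):
        try:
            cert_spki, tls_ok = fetcher(uri)
        except OSError as exc:
            warnings.append(f"{uri}: fetch failed ({exc})")
            continue
        if not hmac.compare_digest(cert_spki, tal_spki):
            warnings.append(f"{uri}: subjectPublicKeyInfo does not match the TAL key; rejected")
            continue
        result = {"uri": uri, "tls_verified": tls_ok, "warnings": warnings}
        if tls_ok is False:
            warnings.append(f"{uri}: TLS verification failed; certificate still usable")
            if prefer_clean_tls:
                fallback = fallback or result
                continue
        return result
    if fallback is not None:
        return fallback
    raise RuntimeError("no URI yielded a TA matching the TAL key: " + "; ".join(warnings))


if __name__ == "__main__":
    https_uri, rsync_uri = parse_tal(SAMPLE_TAL)[0]
    # Constructed scenario: the https copy has a TLS problem, rsync is healthy.
    print(retrieve_trust_anchor(SAMPLE_TAL, make_fetcher(
        {https_uri: (SAMPLE_SPKI, False), rsync_uri: (SAMPLE_SPKI, None)})))
```

The key comparison uses `hmac.compare_digest` purely as a habit for byte-for-byte equality checks; the important design point is the ordering of the checks: an unreachable or TLS-troubled URI only produces a warning and moves on, while a key mismatch is a rejection of that file regardless of how it was fetched.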