Re: [Sidrops] Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Thu, 11 April 2019 19:32 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42FAF120682; Thu, 11 Apr 2019 12:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YiJwHASYlti; Thu, 11 Apr 2019 12:32:10 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 717A0120677; Thu, 11 Apr 2019 12:32:10 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x3BJW2gV000644 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Apr 2019 15:32:04 -0400
Date: Thu, 11 Apr 2019 14:32:02 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Borchert, Oliver (Fed)" <oliver.borchert@nist.gov>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-sidrops-bgpsec-algs-rfc8208-bis@ietf.org" <draft-ietf-sidrops-bgpsec-algs-rfc8208-bis@ietf.org>, Chris Morrow <morrowc@ops-netman.net>, "sidrops-chairs@ietf.org" <sidrops-chairs@ietf.org>, "sidrops@ietf.org" <sidrops@ietf.org>
Message-ID: <20190411193202.GT18549@kduck.mit.edu>
References: <155477430291.30201.17132123731441062502.idtracker@ietfa.amsl.com> <SN6PR09MB3167A30C40919240CC87A6AE982E0@SN6PR09MB3167.namprd09.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <SN6PR09MB3167A30C40919240CC87A6AE982E0@SN6PR09MB3167.namprd09.prod.outlook.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bitmPMa6OiP0rjMORzxmhmV5wwc>
Subject: Re: [Sidrops] Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 19:32:13 -0000

On Wed, Apr 10, 2019 at 07:40:48PM +0000, Borchert, Oliver (Fed) wrote:
> Hi Benjamin,
> Regarding your comments below:
> 
> * Comment to 2.2.1
> Are we trying to talk about both?
> 
> oliver: I believe so, the certificate request maps the algorithm with the OID whereas certificates and BGPsec update only reference the OID. 
>             Maybe Sean has a better answer?

Okay.  Maybe we want to say "certificates or certificate request" (or
similar) in a couple places, but let's see what Sean says.

> * Comment to Section 7:
> 
> IANA has registered a single algorithm suite
> identifier for the digest algorithm SHA-256 [SHS] and for the
> signature algorithm ECDSA on the P-256 curve [RFC6090] [DSS].
> 
> oliver: I added "Originally for RFC8208, " so it reads:
> 
> Originally for RFC8208,  IANA has registered a single algorithm suite
> identifier for the digest algorithm SHA-256 [SHS] and for the
> signature algorithm ECDSA on the P-256 curve [RFC6090] [DSS].

I'd suggest something like:

   [RFC8208] directed IANA to register a single algorithm suite identifier for the
   digest algorithm SHA-256 [SHS] and for the signature algorithm ECDSA
   on the P-256 curve [RFC6090] [DSS].  This identifier is still valid, and
   IANA has updated its registration to refer to this document.

But this is a non-blocking-comment, so do what you think is best.


> 
> * Comment to Appendix A:
> 
> oliver: I added the following wording as 3rd sentence under A.2. Keys
> 
> Note: Even though the certificates below are expired, they are still useful
> within the constraint of this example.

Thanks!

-Ben

> Thanks,
> Oliver
> 
> 
> 
> -----Original Message-----
> From: Benjamin Kaduk via Datatracker <noreply@ietf.org> 
> Sent: Monday, April 08, 2019 9:45 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-sidrops-bgpsec-algs-rfc8208-bis@ietf.org; Chris Morrow <morrowc@ops-netman.net>; sidrops-chairs@ietf.org; morrowc@ops-netman.net; sidrops@ietf.org
> Subject: Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)
> Importance: High
> 
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: No Objection
> 
> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
> 
> 
> Please refer to https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fiesg%2Fstatement%2Fdiscuss-criteria.html&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7C0b38a8038df546710b0808d6bc8d01c8%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636903711146734052&amp;sdata=9l9LzM53uxCn0vK%2FR5NT4vwqWJImDTHqVRz0fzgO3k4%3D&amp;reserved=0
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-sidrops-bgpsec-algs-rfc8208-bis%2F&amp;data=02%7C01%7Coliver.borchert%40nist.gov%7C0b38a8038df546710b0808d6bc8d01c8%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C636903711146734052&amp;sdata=idOS%2BTmG1ubvRHm11vQ3alVBUitXf59KzK1%2B1UmBqr0%3D&amp;reserved=0
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Section 2.2.1
> 
>    Hash algorithms are not identified by themselves in certificates or
>    BGPsec UPDATE messages.  They are represented by an OID that combines
>    the hash algorithm with the digital signature algorithm as follows:
> 
>    o  The ecdsa-with-SHA256 OID [RFC5480] MUST appear in the Public-Key
>       Cryptography Standards #10 (PKCS #10) signatureAlgorithm field
>       [RFC2986] or in the Certificate Request Message Format (CRMF)
>       POPOSigningKey algorithm field [RFC4211]; where the OID is placed
>       depends on the certificate request format generated.
> 
> The first paragraph talks of "certificates" but this last sentence talks about "certificate request"s.  Are we trying to talk about both?
> 
> Section 7
> 
> The IANA considerations are perhaps not as accurate as they could be.
> For example, we could say that the BGPsec Algorithm Suite Registry was originally created by RFC 8208 and has been updated to refer to this document, and similarly for the P256-SHA256 codepoint.
> (Just moving the references over would seem to be even more appropriate if this document were fully Obsoleting 8208.)
> 
> Appendix A
> 
> Do we want to note that the certificates are expired but the examples are still useful within that constraint?  (They were valid at the time RFC 8208 was published but it seems imprudent to try to assume that the examples would always be valid, when writing a document such as this.)
> 
>