IETF Logo Mail Archive

Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00

Russ Housley <housley@vigilsec.com> Tue, 11 May 2021 14:46 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6732B3A1A5A for <sidrops@ietfa.amsl.com>; Tue, 11 May 2021 07:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TI6g5c2iS_22 for <sidrops@ietfa.amsl.com>; Tue, 11 May 2021 07:45:58 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EA723A1A4C for <sidrops@ietf.org>; Tue, 11 May 2021 07:45:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B4483300BE3 for <sidrops@ietf.org>; Tue, 11 May 2021 10:45:56 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Xxi6-8Zpig6e for <sidrops@ietf.org>; Tue, 11 May 2021 10:45:51 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 067BA300B38; Tue, 11 May 2021 10:45:49 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <2D988AA2-7860-4F5E-B9D4-87A747A39FD2@nlnetlabs.nl>
Date: Tue, 11 May 2021 10:45:49 -0400
Cc: Randy Bush <randy@psg.com>, SIDR Operations WG <sidrops@ietf.org>, George Michaelson <ggm@algebras.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <41914016-4496-4FBC-A753-9481CAEDD231@vigilsec.com>
References: <m2k0o6uqot.wl-randy@psg.com> <CAKr6gn3oCZBOP3L8AQWvH9Nk4fum-ycZCnHO_DUtgdx5M=z_+A@mail.gmail.com> <m2fsyuuofa.wl-randy@psg.com> <CAKr6gn18yGTrAiqPA2P+kc+JBt2Tf8D-G4Gf5WCnASm8vk1Fvg@mail.gmail.com> <4455A207-2637-444B-BDA0-1209425C2EF2@vigilsec.com> <2D988AA2-7860-4F5E-B9D4-87A747A39FD2@nlnetlabs.nl>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
X-Mailer: Apple Mail (2.3445.104.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/bmmyRIapsSuiFqeuljm6JPJztfc>
Subject: Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 14:46:12 -0000

Tim:

>> I am confused.  The RPKI design purposely avoids binding IIJ's identity to the resources assigned to IIJ. What kind of assertions need two signatures, one that ca be validated with an RPKI certificate and the other can be validated with a certificate from an identity-confirming PKI?
> 
> I believe that the main point here is that a parent RPKI CA does not attest to the identity of a child. It just associates INRs to $their public key.
> 
> However, with RSC/RTA the operator of that child CA could then sign an attestation containing anything else, including a public B-PKI key that they may wish to associate with their INRs in specific use cases.
> 
> At least that is how understood George's words. Please correct me if I misunderstood George :)

I think that RSC/RTA are saying that the holder of an INR has signed a statement.  The identity is not important in that context.  The fact that the are the holder of that INR is waht is important to validate the signed statement.

Russ

v2.23.0 | Report a Bug | By Email