[Sidrops] Re: John Scudder's No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)
Tom Harrison <tomh@apnic.net> Thu, 16 May 2024 04:00 UTC
Date: Thu, 16 May 2024 14:00:29 +1000
From: Tom Harrison <tomh@apnic.net>
To: John Scudder <jgs@juniper.net>
Message-ID: <ZkWE3Vt9NIX5OQ5O@TomH-498551.lan>
References: <171579652168.58708.10062785636959401163@ietfa.amsl.com>
In-Reply-To: <171579652168.58708.10062785636959401163@ietfa.amsl.com>
CC: The IESG <iesg@ietf.org>, draft-ietf-sidrops-signed-tal@ietf.org, sidrops-chairs@ietf.org, sidrops@ietf.org, keyur@arrcus.com, housley@vigilsec.com
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/dJWZhfGvR98kxjb0tooLW93O18s>
Hi John,

Thanks for your review.

On Wed, May 15, 2024 at 11:08:41AM -0700, John Scudder via Datatracker wrote:
> ### Section 3.2.1.1, octothorpe, equivalence
>
>    This field is equivalent to the comment section defined in section
>    2.2 of [RFC8630]. Each comment is human-readable informational UTF-8
>    text [RFC3629], conforming to the restrictions defined in Section 2
>    of [RFC5198]. The leading "#" character is omitted.
>
> What does the final sentence, about the omission of the octothorpe
> character, mean? Do you mean that the comment section varies from
> the referenced definition in RFC 8630, in that the octothorpe is not
> required? Do you mean something different? Maybe rephrase this to
> make it less ambiguous.

The current state of the document after the other IESG reviews has the
following:

   * comments: This field is equivalent to the comment section defined
     in section 2.2 of [RFC8630]. Each comment is human-readable
     informational UTF-8 text [RFC3629], conforming to the restrictions
     defined in Section 2 of [RFC5198]. The leading "#" character that
     is used to denote a comment in [RFC8630] is omitted here.

Does that help to clarify the meaning?

> Also, when you write “is equivalent to”, do you mean semantically
> equivalent? Do you mean syntactically identical? The same question
> applies to section 3.2.1.2.

I think in both cases it's both syntactically and semantically
equivalent, putting aside the translation from plain text to ASN.1, but
since the syntax is defined here anyway, both instances have been
updated from 'equivalent' to 'semantically equivalent'.

> ### Section 3.2.2.4. successor
>
>    This field contains the TA key to be used in place of the current
>    key, after expiry of the relevant acceptance timer.
>
> Shouldn’t this be “if applicable“, as in 3.2.2.3? Section 7.2
> implies it's optional, “It also issues a TAK object under key 'B',
> with key 'B' as the current key for that object, key 'A' as the
> predecessor key, **and no successor key**.” (emphasis added) What's
> more, it’s marked “optional” in the ASN.1.

Yep, that's right. The relevant text here has been updated like so:

   successor: This field contains the TA public key to be used in place
   of the current public key, if applicable, after expiry of the
   relevant acceptance timer.

> ### Section 6
>
> This section includes language such as “... ensure that they will
> reflect the same content at all times.” The clause “at all times”
> appears to offer a strong consistency guarantee, forbidding even
> vanishingly short windows of inconsistency during the staging of new
> content. Is it the authors' intent that even low-probability race
> conditions should be precluded? Is it the case that existing
> implementations already take whatever steps are necessary to prevent
> these?
>
> (In light of the “multiple publication servers“ paragraph, I suspect
> the answer is "no".)

Yep, you are right. The text has been updated like so:

   If a TA uses a single remote publication server for its key pairs,
   per [RFC8181], then it MUST include all <publish/> and <withdraw/>
   Protocol Data Units (PDUs) for the products of each of its key pairs
   in a single query, in order to reduce the risk of RPs seeing
   inconsistent data in the TA's RPKI repositories.

An updated version of the document is attached for reference (includes
updates from secdir review and other IESG review), along with a diff
from the previous version (-15).

-Tom
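The comment handling discussed in the message above (the RFC 8630 comment section carried into the TAK 'comments' field with the leading "#" omitted, each comment being UTF-8 text under the RFC 5198 Section 2 restrictions), worked through as an added example that is not part of this thread, the draft, or any RPKI implementation: a small parser that takes a TAL and derives the strings a TAK 'comments' field would carry, along with the certificate URIs and key bytes. The sample TAL, the placeholder key bytes (a Base64 string, not real DER), and the names TakeyFields, parse_tal and check_comment are this example's own. The control-character policy is this example's conservative reading of RFC 5198 (every C0/C1 control rejected), and whitespace after the "#" is kept because the draft text says only that the "#" itself is omitted.

```python
import base64
import unicodedata
from dataclasses import dataclass
from typing import List

# Constructed sample TAL in the RFC 8630 layout: comment section, URI
# section, one blank line, then the Base64 subjectPublicKeyInfo.  The key
# bytes are a placeholder string so the example runs offline.
SAMPLE_TAL = (
    b"# Example RIR trust anchor\r\n"
    b"#Contact: noc@example.net\r\n"
    b"rsync://rpki.example.net/ta/ta.cer\r\n"
    b"https://rpki.example.net/ta/ta.cer\r\n"
    b"\r\n"
    b"Y29uc3RydWN0ZWQt\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
)


@dataclass
class TakeyFields:
    """Values a TAK key entry would carry for this TA (names are this example's)."""
    comments: List[str]
    certificate_uris: List[str]
    subject_public_key_info: bytes


def check_comment(text: str) -> str:
    """Apply the draft's constraints to one comment string.

    UTF-8 validity is enforced by the strict decode in parse_tal.  For the
    RFC 5198 Section 2 restrictions this example requires NFC normalization
    and rejects every C0/C1 control character (assumption: a conservative
    policy; RFC 5198 allows CRLF as a line terminator, but a single comment
    is one line, so that case cannot arise here).
    """
    if unicodedata.normalize("NFC", text) != text:
        raise ValueError("comment is not NFC-normalized: %r" % text)
    for ch in text:
        cp = ord(ch)
        if cp < 0x20 or 0x7F <= cp <= 0x9F:
            raise ValueError("control character U+%04X in comment" % cp)
    return text


def parse_tal(data: bytes) -> TakeyFields:
    # RFC 3629 UTF-8; strict decoding rejects overlongs, surrogates, etc.
    text = data.decode("utf-8", errors="strict")
    lines = text.replace("\r\n", "\n").split("\n")

    # Comment section: leading lines that start with "#".  The TAK field
    # carries the text with that leading "#" omitted; anything after it,
    # including whitespace, is kept as-is.
    comments: List[str] = []
    i = 0
    while i < len(lines) and lines[i].startswith("#"):
        comments.append(check_comment(lines[i][1:]))
        i += 1

    # URI section: non-blank lines up to the first blank line; RFC 8630
    # allows rsync and https URIs.
    uris: List[str] = []
    while i < len(lines) and lines[i] != "":
        uri = lines[i]
        if not (uri.startswith("rsync://") or uri.startswith("https://")):
            raise ValueError("URI must be rsync or https: %r" % uri)
        uris.append(uri)
        i += 1
    if not uris:
        raise ValueError("TAL has no certificate URIs")
    if i >= len(lines):
        raise ValueError("TAL lacks the blank line before the key")
    i += 1  # skip the blank separator line

    # Remaining lines are the Base64 subjectPublicKeyInfo; validate=True
    # rejects stray characters instead of silently ignoring them.
    b64 = "".join(line.strip() for line in lines[i:])
    spki = base64.b64decode(b64, validate=True)
    if not spki:
        raise ValueError("TAL has no subjectPublicKeyInfo")
    return TakeyFields(comments, uris, spki)


if __name__ == "__main__":
    fields = parse_tal(SAMPLE_TAL)
    print("comments:", fields.comments)
    print("certificateURIs:", fields.certificate_uris)
    print("SPKI bytes:", len(fields.subject_public_key_info))
```

Running it against the sample gives two comments, " Example RIR trust anchor" and "Contact: noc@example.net", showing that only the "#" is dropped; a comment containing a bell character or a non-NFC sequence such as "e" followed by U+0301 is rejected before it can reach the ASN.1 encoder.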
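The single-query requirement in the updated Section 6 text, as an added example that is not from the draft, from RFC 8181, or from this thread: building one RFC 8181 publication-protocol query that carries every <publish/> and <withdraw/> PDU for the products of both key pairs, so the repository moves from the old state to the new one in one request rather than one request per key. The namespace URI, the version attribute, and the hex SHA-256 'hash' attribute on replaced or withdrawn objects follow RFC 8181; the keys 'A' and 'B' mirror the thread's naming; the object URIs, object contents (placeholder bytes, not DER), and the function names build_single_query, summarize and pdu_hashes are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# RFC 8181 publication protocol: XML namespace and protocol version.
PUB_NS = "http://www.hactrn.net/uris/rpki/publication-spec/"
PUB_VERSION = "4"

# Constructed placeholder repository states.  Real products are DER objects
# (CRL, manifest, TAK); here the bytes only need to differ between versions.
OLD_KEY_A_PRODUCTS: Dict[str, bytes] = {
    "rsync://rpki.example.net/ta/A/A.crl": b"crl-signed-by-A-v1",
    "rsync://rpki.example.net/ta/A/A.mft": b"mft-signed-by-A-v1",
    "rsync://rpki.example.net/ta/A/A.tak": b"tak-current-A",
}
NEW_KEY_A_PRODUCTS: Dict[str, bytes] = {
    "rsync://rpki.example.net/ta/A/A.crl": b"crl-signed-by-A-v2",
    "rsync://rpki.example.net/ta/A/A.mft": b"mft-signed-by-A-v2",
    "rsync://rpki.example.net/ta/A/A.tak": b"tak-current-A-successor-B",
}
NEW_KEY_B_PRODUCTS: Dict[str, bytes] = {
    "rsync://rpki.example.net/ta/B/B.crl": b"crl-signed-by-B-v1",
    "rsync://rpki.example.net/ta/B/B.mft": b"mft-signed-by-B-v1",
    "rsync://rpki.example.net/ta/B/B.tak": b"tak-current-B-predecessor-A",
}


def rfc8181_hash(obj: bytes) -> str:
    """RFC 8181 'hash' attribute: hex SHA-256 of the copy currently published."""
    return hashlib.sha256(obj).hexdigest()


def build_single_query(published: Dict[str, bytes], desired: Dict[str, bytes]) -> bytes:
    """Emit ONE <msg type="query"> holding every change from 'published' to 'desired'.

    Publishing per key pair (two separate queries) would leave a window in
    which RPs see key A's products without key B's, which is exactly what the
    draft's MUST is meant to avoid.
    """
    msg = ET.Element("{%s}msg" % PUB_NS, {"version": PUB_VERSION, "type": "query"})
    for uri, obj in sorted(desired.items()):
        old = published.get(uri)
        if old == obj:
            continue  # unchanged object: no PDU needed
        attrs = {"uri": uri}
        if old is not None:
            attrs["hash"] = rfc8181_hash(old)  # replacing: name the copy being overwritten
        el = ET.SubElement(msg, "{%s}publish" % PUB_NS, attrs)
        el.text = base64.b64encode(obj).decode("ascii")
    for uri, old in sorted(published.items()):
        if uri not in desired:
            # withdraw always carries the hash of the object being removed
            ET.SubElement(msg, "{%s}withdraw" % PUB_NS, {"uri": uri, "hash": rfc8181_hash(old)})
    return ET.tostring(msg, encoding="utf-8", xml_declaration=True, default_namespace=PUB_NS)


def summarize(query: bytes) -> Tuple[int, int]:
    """Return (publish PDU count, withdraw PDU count) for one query message."""
    root = ET.fromstring(query)
    if root.tag != "{%s}msg" % PUB_NS or root.get("type") != "query":
        raise ValueError("not an RFC 8181 query message")
    if root.get("version") != PUB_VERSION:
        raise ValueError("unexpected protocol version %r" % root.get("version"))
    return (len(root.findall("{%s}publish" % PUB_NS)),
            len(root.findall("{%s}withdraw" % PUB_NS)))


def pdu_hashes(query: bytes) -> Dict[str, str]:
    """Map each URI whose PDU carries a 'hash' attribute to that hash."""
    root = ET.fromstring(query)
    return {el.get("uri"): el.get("hash") for el in root if el.get("hash") is not None}


if __name__ == "__main__":
    # Step 1 of the rollover: re-issue A's products (A now names B as
    # successor) and publish B's products, in one query.
    q1 = build_single_query(OLD_KEY_A_PRODUCTS, {**NEW_KEY_A_PRODUCTS, **NEW_KEY_B_PRODUCTS})
    print(q1.decode())
    print("step 1:", summarize(q1))
    # Later step: retire A by withdrawing its products, again in one query.
    q2 = build_single_query({**NEW_KEY_A_PRODUCTS, **NEW_KEY_B_PRODUCTS}, NEW_KEY_B_PRODUCTS)
    print("retire A:", summarize(q2))
```

The first query carries six <publish/> PDUs (three replacements for key A, each with the hash of the copy it overwrites, and three new objects for key B with no hash); the second carries three <withdraw/> PDUs for key A's products and nothing for key B, whose objects are unchanged. Either way the server receives the whole transition in one request.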