[Sidrops] Validation re-reconsidered [internet-drafts@ietf.org: New Version Notification for draft-spaghetti-sidrops-rpki-validation-update-03.txt]
Job Snijders <job@fastly.com> Tue, 07 November 2023 19:33 UTC
Date: Tue, 07 Nov 2023 20:33:46 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZUqRGoTT/O1Q1bMO@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gnxOHptqAQvuxrxNyTVfFyrJ09c>
Dear all,

I refreshed this draft. The rpki-client team is preparing to implement Geoff Huston & George Michaelson's 2014 validation algorithm and will report back on our progress in 2024.

Some notes:

- We do not expect or anticipate CAs to cooperate or coordinate: there are too many CAs. The solution must come from the RP developer community.
- X.509 policy identifiers & mappings are not the right tool for the job.
- A more robust (less rigid) validation algorithm is a prerequisite for unified single-source root(s), which I'd like to work towards.
- We are not concerned about different RP implementations behaving differently, as that's always been the case. Sure - it seems it would be nice if there were absolutely deterministic behaviour across all implementations & versions, but all RP implementations are the result of progressive insight anyway.

I challenge people with a dissenting opinion to articulate in detail what security issues the 2014 validation algorithm introduces. I only see advantages, especially when rechaining existing PKI trees to a new root.

Some Dutch wisdom: "Better to have turned halfway than to have completely gone astray." :-)

Kind regards,

Job

----- Forwarded message from internet-drafts@ietf.org -----

Date: Tue, 07 Nov 2023 10:34:54 -0800
From: internet-drafts@ietf.org
To: Ben Maddison <benm@workonline.africa>, Job Snijders <job@fastly.com>
Subject: New Version Notification for draft-spaghetti-sidrops-rpki-validation-update-03.txt

A new version of Internet-Draft draft-spaghetti-sidrops-rpki-validation-update-03.txt has been successfully submitted by Job Snijders and posted to the IETF repository.

Name:     draft-spaghetti-sidrops-rpki-validation-update
Revision: 03
Title:    RPKI Validation Re-reconsidered
Date:     2023-11-07
Group:    Individual Submission
Pages:    10
URL:      https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-validation-update-03.txt
Status:   https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-validation-update/
HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-validation-update
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-spaghetti-sidrops-rpki-validation-update-03

Abstract:

   This document describes an improved validation procedure for Resource Public Key Infrastructure (RPKI) signed objects. This document updates RFC 6482. This document updates RFC 6487. This document obsoletes RFC 8360.

The IETF Secretariat

----- End forwarded message -----
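The difference the message is arguing about is easiest to see on a small certificate tree. The following is an added illustration, not code from the post, from the draft or from rpki-client: it models only the RFC 3779 IP-resource checks (IPv4, no ASNs, no signatures) and compares the strict RFC 6487 rule, where a certificate claiming anything outside its issuer's resources is rejected together with everything below it, against the "validation reconsidered" rule, where the certificate survives and its usable resources become the intersection with the parent's verified set. The certificate names and prefixes are constructed for the example; the scenario is the rechaining case from the message, where an intermediate CA still claims a block the new root does not yet hold. The extra ROA for 10.2.0.0/16 under isp-ca is there to show the check a sceptic would want: an overclaim never lets an object validate for resources the chain does not carry.

```python
# Added illustration (not rpki-client code): strict RFC 6487 resource
# validation versus the "validation reconsidered" algorithm, run over a
# constructed certificate tree. IPv4 prefixes only; ASNs and signatures
# are out of scope, only the RFC 3779 resource checks are modelled.
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass
class Cert:
    name: str
    resources: list                               # RFC 3779 IP resources the CA certificate claims
    roas: list = field(default_factory=list)      # prefixes of ROAs issued under this CA
    children: list = field(default_factory=list)  # subordinate CA certificates


def covered(prefix: IPv4Network, resource_set) -> bool:
    """True if `prefix` lies entirely within one entry of `resource_set`."""
    return any(prefix.subnet_of(r) for r in resource_set)


def intersect(claimed, parent_vrs):
    """Verified Resource Set: the part of `claimed` the parent actually holds.
    Two prefixes either nest or are disjoint, so one of two checks settles each pair."""
    vrs = []
    for p in claimed:
        for r in parent_vrs:
            if p.subnet_of(r):
                vrs.append(p)      # fully covered by the parent
                break
            if r.subnet_of(p):
                vrs.append(r)      # parent holds only a part of the claim
    return vrs


def _judge(cert, effective, valid, invalid):
    """Sort this CA's ROAs by whether they fall within the `effective` set."""
    for roa in cert.roas:
        (valid if covered(roa, effective) else invalid).append((cert.name, str(roa)))


def _reject_subtree(cert, invalid):
    invalid.extend((cert.name, str(roa)) for roa in cert.roas)
    for child in cert.children:
        _reject_subtree(child, invalid)


def _strict(cert, parent_set, valid, invalid):
    # RFC 6487 section 7.2: any resource outside the issuer's set rejects
    # the whole certificate, and therefore everything issued beneath it.
    if not all(covered(p, parent_set) for p in cert.resources):
        _reject_subtree(cert, invalid)
        return
    _judge(cert, cert.resources, valid, invalid)
    for child in cert.children:
        _strict(child, cert.resources, valid, invalid)


def _reconsidered(cert, parent_vrs, valid, invalid):
    # Validation reconsidered: the certificate survives an overclaim, but
    # only the intersection with the parent's VRS is usable by its objects.
    vrs = intersect(cert.resources, parent_vrs)
    _judge(cert, vrs, valid, invalid)
    for child in cert.children:
        _reconsidered(child, vrs, valid, invalid)


def validate(ta: Cert, reconsidered: bool):
    """Return (valid, invalid) ROA lists, sorted, for the tree rooted at `ta`.
    The trust anchor's own resource set is taken as given."""
    valid, invalid = [], []
    (_reconsidered if reconsidered else _strict)(ta, ta.resources, valid, invalid)
    return sorted(valid), sorted(invalid)


def n(s):
    return IPv4Network(s)


# Constructed rechaining scenario (hypothetical names and prefixes): the
# tree is re-parented under a new root that does not yet hold
# 198.51.100.0/24, so the old intermediate CA now overclaims that block.
NEW_ROOT = Cert("new-root", [n("10.0.0.0/8"), n("192.0.2.0/24")], children=[
    Cert("rir-ca",
         [n("10.0.0.0/8"), n("192.0.2.0/24"), n("198.51.100.0/24")],
         roas=[n("198.51.100.0/24")],
         children=[
             # 10.2.0.0/16 is outside isp-ca's own resources: must stay invalid
             Cert("isp-ca", [n("10.1.0.0/16")],
                  roas=[n("10.1.0.0/16"), n("10.1.2.0/24"), n("10.2.0.0/16")]),
             Cert("other-ca", [n("192.0.2.0/24")], roas=[n("192.0.2.0/24")]),
         ]),
])

if __name__ == "__main__":
    for mode in (False, True):
        valid, invalid = validate(NEW_ROOT, reconsidered=mode)
        print("reconsidered" if mode else "strict", "valid:", valid, "invalid:", invalid)
```

Under the strict rule the single overclaimed /24 at rir-ca takes every ROA in the tree down with it, including the ones for 10.1.0.0/16 that both roots agree on. Under the reconsidered rule only the ROA for the overclaimed block is invalid, and the ROA for 10.2.0.0/16 is still rejected because the intersection never grows beyond what the chain actually delegates; that is the property to check when weighing the "security issues" question raised in the message.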