[Sidrops] Validation re-reconsidered [internet-drafts@ietf.org: New Version Notification for draft-spaghetti-sidrops-rpki-validation-update-03.txt]

Job Snijders <job@fastly.com> Tue, 07 November 2023 19:33 UTC

Date: Tue, 07 Nov 2023 20:33:46 +0100
From: Job Snijders <job@fastly.com>
To: sidrops@ietf.org
Message-ID: <ZUqRGoTT/O1Q1bMO@snel>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/gnxOHptqAQvuxrxNyTVfFyrJ09c>
Subject: [Sidrops] Validation re-reconsidered [internet-drafts@ietf.org: New Version Notification for draft-spaghetti-sidrops-rpki-validation-update-03.txt]

Dear all,

I refreshed this draft.

The rpki-client team is preparing to implement Geoff Huston & George
Michaelson's 2014 validation algorithm and will report back on our
progress in 2024. Some notes:

- We do not expect or anticipate CAs to cooperate or coordinate: there
  are too many CAs. The solution must come from the RP developer
  community.

- X.509 policy identifiers & mappings are not the right tool for the
  job.

- A more robust (less rigid) validation algorithm is a prerequisite for
  unified single-source root(s), which I'd like to work towards.

- We are not concerned about different RP implementations behaving
  differently, as that's always been the case. Sure - it seems it would
  be nice if there was absolute deterministic behaviour across all
  implementations & versions, but all RP implementations are the result
  of progressive insight anyway.

I challenge people with a dissenting opinion to articulate in detail
what security issues the 2014 validation algorithm introduces. I only
see advantages, especially when rechaining existing PKI trees to a new
root.

Some Dutch wisdom: "Better to have turned halfway than completely gone
astray." :-)

Kind regards,

Job

----- Forwarded message from internet-drafts@ietf.org -----

Date: Tue, 07 Nov 2023 10:34:54 -0800
From: internet-drafts@ietf.org
To: Ben Maddison <benm@workonline.africa>, Job Snijders <job@fastly.com>
Subject: New Version Notification for draft-spaghetti-sidrops-rpki-validation-update-03.txt

A new version of Internet-Draft
draft-spaghetti-sidrops-rpki-validation-update-03.txt has been successfully
submitted by Job Snijders and posted to the
IETF repository.

Name:     draft-spaghetti-sidrops-rpki-validation-update
Revision: 03
Title:    RPKI Validation Re-reconsidered
Date:     2023-11-07
Group:    Individual Submission
Pages:    10
URL:      https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-validation-update-03.txt
Status:   https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-validation-update/
HTMLized: https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-validation-update
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-spaghetti-sidrops-rpki-validation-update-03

Abstract:

   This document describes an improved validation procedure for Resource
   Public Key Infrastructure (RPKI) signed objects.  This document
   updates RFC 6482.  This document updates RFC 6487.  This document
   obsoletes RFC 8360.

The IETF Secretariat

----- End forwarded message -----
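The message above contrasts the rigid RFC 6487 resource check with the "less rigid" 2014 Huston/Michaelson algorithm (published as RFC 8360), and argues the latter matters when rechaining existing PKI trees to a new root. The following Python model, added here as an illustration and not code from rpki-client, the draft, or the author, shows the difference on a constructed chain: an intermediate CA re-chained under a new root still lists one prefix (192.0.2.0/24) the new root never held. Under the strict rule the intermediate and everything beneath it is rejected; under the reconsidered rule the over-claim is trimmed to a "verified resource set" (the intersection with the issuer's verified resources) and the ROA below survives. All certificate names, prefixes and AS numbers are constructed, and the rule that a signed object is accepted only when its resources fall inside its EE certificate's verified resource set is the modelling assumption used here.

```python
"""Toy comparison of strict RPKI resource validation (RFC 6487 section 7.2)
with the 'validation reconsidered' approach (the 2014 Huston/Michaelson
algorithm later published as RFC 8360) over a constructed certificate chain.

Added illustration only: not rpki-client code and not the draft's text.
Resources are inclusive integer ranges tagged 'v4', 'v6' or 'as'; prefixes
are converted with the standard ipaddress module.
"""
from dataclasses import dataclass, field
import ipaddress


def prefix(p):
    """Constructed helper: IP prefix string -> (kind, lo, hi)."""
    net = ipaddress.ip_network(p)
    return ("v4" if net.version == 4 else "v6", int(net[0]), int(net[-1]))


def asn(lo, hi=None):
    """Constructed helper: AS number or AS range -> ('as', lo, hi)."""
    return ("as", lo, lo if hi is None else hi)


@dataclass
class Cert:
    name: str
    claimed: list                          # RFC 3779 extension contents
    children: list = field(default_factory=list)


def merge(ranges):
    """Coalesce overlapping or adjacent ranges of the same kind."""
    out = []
    for kind, lo, hi in sorted(ranges):
        if out and out[-1][0] == kind and lo <= out[-1][2] + 1:
            out[-1] = (kind, out[-1][1], max(out[-1][2], hi))
        else:
            out.append((kind, lo, hi))
    return out


def intersect(a, b):
    """Intersection of two range lists: the 'verified resource set' (VRS)."""
    out = []
    for ka, la, ha in a:
        for kb, lb, hb in b:
            if ka == kb and la <= hb and lb <= ha:
                out.append((ka, max(la, lb), min(ha, hb)))
    return merge(out)


def covered(needed, by):
    """True if every range in `needed` lies inside one merged range of `by`."""
    by = merge(by)
    return all(any(k == kb and lb <= lo and hi <= hb for kb, lb, hb in by)
               for k, lo, hi in needed)


def _reject_subtree(cert, report):
    report[cert.name] = None               # None marks 'invalid'
    for child in cert.children:
        _reject_subtree(child, report)


def validate_strict(cert, parent_vrs, report):
    """RFC 6487 rule: an over-claiming certificate is invalid, and so is
    every certificate and signed object beneath it."""
    if not covered(cert.claimed, parent_vrs):
        _reject_subtree(cert, report)
        return
    report[cert.name] = merge(cert.claimed)
    for child in cert.children:
        validate_strict(child, cert.claimed, report)


def validate_reconsidered(cert, parent_vrs, report, warnings):
    """2014 rule: the VRS is the intersection of what the certificate claims
    and what its issuer was verified to hold; over-claimed resources are
    dropped with a warning instead of failing the whole subtree."""
    vrs = intersect(cert.claimed, parent_vrs)
    if vrs != merge(cert.claimed):
        warnings.append(f"{cert.name}: over-claim trimmed")
    report[cert.name] = vrs
    for child in cert.children:
        validate_reconsidered(child, vrs, report, warnings)


def roa_accepted(report, ee_name, roa_resources):
    """Modelling assumption: a signed object is usable only if its resources
    sit inside the EE certificate's VRS (None means the EE is invalid)."""
    vrs = report.get(ee_name)
    return vrs is not None and covered(roa_resources, vrs)


def build_chain():
    """Constructed chain: an intermediate CA re-chained under a new root still
    lists a prefix (192.0.2.0/24) that the new root never held."""
    ee = Cert("roa-ee", [prefix("10.1.0.0/24")])
    child_ca = Cert("child-ca", [prefix("10.1.0.0/16"), asn(64500)], [ee])
    old_ca = Cert("intermediate-ca",
                  [prefix("10.0.0.0/8"), prefix("192.0.2.0/24"),
                   asn(64496, 64511)], [child_ca])
    return Cert("new-root", [prefix("10.0.0.0/8"), asn(64496, 64511)], [old_ca])


def compare():
    """Run both algorithms over the chain; return (strict, reconsidered, warnings)."""
    root = build_chain()
    strict, reconsidered, warnings = {}, {}, []
    validate_strict(root, root.claimed, strict)
    validate_reconsidered(root, root.claimed, reconsidered, warnings)
    return strict, reconsidered, warnings


if __name__ == "__main__":
    strict, recon, warns = compare()
    roa = [prefix("10.1.0.0/24")]
    print("strict:       ROA accepted =", roa_accepted(strict, "roa-ee", roa))
    print("reconsidered: ROA accepted =", roa_accepted(recon, "roa-ee", roa))
    print("warnings:", warns)
```

The point the model makes explicit: the reconsidered rule never grants a resource the issuer did not verifiably hold, because every VRS is an intersection with the parent's VRS, so the security question raised in the message reduces to whether silently trimming an over-claim (with a warning) is acceptable, not whether unauthorised resources can leak through.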