[Sidrops] Re: Call for WG Adoption of draft-snij-sidrops-constraining-rpki-trust-anchors
Tony Tauber <ttauber@1-4-5.net> Wed, 21 January 2026 22:35 UTC
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/jsrxsc-oaoQcuoORUIAzDowqwQ0>

I appreciate the problem and the proposed solution as well as the
evolutionary vision that is expressed.

I support adoption.

Thanks,

Tony

On Wed, Jan 21, 2026 at 1:36 PM Job Snijders <job@sobornost.net> wrote:

> Hi John,
>
> On Tue, 20 Jan 2026 at 18:32, John Kristoff <jtk=40dataplane.org@dmarc.ietf.org> wrote:
> > On Mon, 19 Jan 2026 13:46:55 +0100
> > Luigi Iannone <ggx@gigix.net> wrote:
> >
> > > Title: Constraining RPKI Trust Anchors
> >
> > Are there risks of stale or divergent, to the point of being
> > operationally problematic, constraints at the RPs? In other words,
> > could this lead to something akin to statically deployed bogon
> > filters? If I'm interpreting the text correctly, this depends on how
> > and where the EE certificates are maintained?
>
> https://datatracker.ietf.org/doc/html/rfc8416.html#section-6
>
> The constraints content is controlled by the RP operator. What those
> entities configure their constraints to be is up to them. In this sense
> the concept is not so different from /etc/pf.conf, /etc/nftables.conf or
> /etc/rpki/skiplist, or the selection of TALs an RP instance uses.
>
> I've seen some operators prefer to deploy by hand, and some automate via
> apt update, some sysupgrade, some fetch updates via EPEL. I imagine
> implementers could offer the operators knobs to configure self-expiry of
> constraints content.
>
> The goal of this document primarily is to specify where in the RPKI
> validation process constraints are attached as information policy, and
> as secondary goal is a standard format for interexchange to express
> constraints and make communication about constraints monitoring easier.
>
> Kind regards,
>
> Job