Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-https-tal-07

Tim Bruijnzeels <> Mon, 08 April 2019 15:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 411391201C1; Mon, 8 Apr 2019 08:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yY9v-ujPlBh9; Mon, 8 Apr 2019 08:09:24 -0700 (PDT)
Received: from ( [IPv6:2a04:b900::1:0:0:10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4FC7412009A; Mon, 8 Apr 2019 08:09:21 -0700 (PDT)
Received: from [IPv6:2001:981:4b52:1:d19f:f9de:ae50:f74e] (unknown [IPv6:2001:981:4b52:1:d19f:f9de:ae50:f74e]) by (Postfix) with ESMTPSA id DD09E2019B; Mon, 8 Apr 2019 17:09:18 +0200 (CEST)
Authentication-Results:; dmarc=fail (p=none dis=none)
Authentication-Results:; spf=fail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1554736158; bh=x6nrrr84lPBco33f+RWp9bf0PGb9D5Igt7pWDUks2Ew=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=nsgcjmCJUQFt5DboLK0ss8PMFAy1aZcyLciutYyV+j6o5eBBTXDycgcHViBm6nqcx cSnze3LtnWTryGcMQ74Mst2SAHoMH8seYkt57iTXstcUD9lxk0a2zyYGNB2VXizyKd Bv2J3Yud9Rt9vWuJpNwa8OP0R/zEW39P7XINpVf8=
Content-Type: multipart/alternative; boundary="Apple-Mail=_4328B7A7-1094-4E1A-B7A8-6C20E307C4D1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Tim Bruijnzeels <>
In-Reply-To: <>
Date: Mon, 08 Apr 2019 17:09:18 +0200
Message-Id: <>
References: <>
To: Linda Dunbar <>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <>
Subject: Re: [Sidrops] Opsdir last call review of draft-ietf-sidrops-https-tal-07
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Apr 2019 15:09:28 -0000

Dear Linda,

Thank you for the review and my apologies for the late reply (I have been moving house).

Replies in-line.

> On 18 Mar 2019, at 22:37, Linda Dunbar via Datatracker <> wrote:
> Reviewer: Linda Dunbar
> Review result: Has Nits
> Reviewer: Linda Dunbar
> Review result: Ready with Comments & Nits
> I have reviewed this document as part of the Operational directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written with the intent of improving the operational aspects of
> the IETF drafts. Comments that are not addressed in last call may be included
> in AD reviews during the IESG review.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
> This document defines the syntax of Trust Anchor Locator (TAL) for Replying
> Parties to retrieve the Trust Anchor, to avoid repeating the distribution
> procedure when Trust Anchor changes.
> My question: if the Trust Anchor changes, does the URI in the TAL changes?

Not typically. The idea is that the TA certificate can be updated w.r.t. its content - contained resources in particular, and Relying Parties can find this certificate at the listed URIs.

> Another questions: Section 2.4 Example: is the Public Key listed there for both
> URI?

Yes, both.

There is another draft currently being in the working group that is concerned with changing TALs - i.e. rolling keys and modifying locations where they may be found: <>

This document (https-tals) is concerned only with allowing HTTPS as an additional scheme for URIs in TALs

> Typo: Section 2.1 second paragraph:  "without needing to effect..", do you mean
> "without needing to affect ..??

"effect" is correct in this context. I think it could be more clearly written as: "without needing to redistribute". If no one objects I am fine with changing this.

Note that this text comes from RFC7730. I tried to keep the changes limited to the addition of HTTPS.


> Cheers,
> Linda Dunbar
> _______________________________________________
> Sidrops mailing list