Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024

Job Snijders <job@fastly.com> Tue, 06 February 2024 10:12 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E1BBC1CAF48 for <sidrops@ietfa.amsl.com>; Tue, 6 Feb 2024 02:12:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGaaZpEf1QfI for <sidrops@ietfa.amsl.com>; Tue, 6 Feb 2024 02:12:18 -0800 (PST)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E6B2C1CAF46 for <sidrops@ietf.org>; Tue, 6 Feb 2024 02:12:18 -0800 (PST)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a359e6fde44so70556466b.3 for <sidrops@ietf.org>; Tue, 06 Feb 2024 02:12:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1707214336; x=1707819136; darn=ietf.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=Zg8xsEgfbhIi7DbIC2bCQHXEvl5WGz4HTL6MjJEWPro=; b=oZwrtU86bWsLiuB43vKt6XJwExUdi/nDdn+NbCM0QX/r/+LrGQlbifE2DG6th9CeBS 40x8wOe5sx66YDqoUhypRGQ5rDxFjbBmAajcHWX6yXLhdgGqiJy+NWKOin/ybQHv/J5p i/godogNPYI3x0c65YcLuB7k7QW5pZIZfFKXk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707214336; x=1707819136; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Zg8xsEgfbhIi7DbIC2bCQHXEvl5WGz4HTL6MjJEWPro=; b=mlsPiLDNdoVTWOSHSRDCCJTH2hXWo5+57JqOzTtFnKvOa3sMcozyC1GdiVlWlk3LZu t/Oc0P1Zx9wC4WwoJQ924oft9vqgTi250VG1cxnX8/YQcSDSQTUxO0GbR/IuUZkc2E5p AADaF2XIGZpPHbINtl3dqnpiCL/tu4JnJsWNmxoWvfUSq9dYLQ18qsovo7RICzrZ8e1t fcC+NBYv+2IQNVmPAH7tbxWLUcfdL+AaD+0VMunrpOaOEG08pIPj6hziesii1YljwSk8 NJzCAQMHH0IsufBNdkrPBfRJoKvaDt85/Kyxc0pOGzTp7r2RAtvJxuhxzOMJLZTFdzXz wW9g==
X-Gm-Message-State: AOJu0Yy3MQ5jdYkruSf6nuAddVwHFbQxL0OLZKKVhWnWxHLSn01q8tNy +OkhNEW4gB0NVTeVXYVrknwxuEvwB7JphV4NhJexeLGrJtTzBfqA7JdrIbANb5U=
X-Google-Smtp-Source: AGHT+IFH6ZKdjg2aovliSqeuEaNHIT+VB1AfLELeyHMq1e5LBWH87rX/0V3A3ww/OeyEzvUNEBkV7Q==
X-Received: by 2002:a17:906:bc5b:b0:a2f:46c7:4658 with SMTP id s27-20020a170906bc5b00b00a2f46c74658mr1712609ejv.28.1707214336387; Tue, 06 Feb 2024 02:12:16 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCXh1rztEINqZwKusLAq+9TcKnV6ZgjX34TG5CcAX7g94T2ng9CDRoVqcpxv8Q0KDPBcnS4EL/75tEuZEF3MwzY4H8NfOB+4NnXGpQNI+TwS07AboRJDlZ5i9BhK5cOnAtfr/0GpSe+I9CGBORvjqlrY8NCmIhrFl8juL2WofWiQBe7mwBSODLrdupqzJ6HhQpkP
Received: from snel ([2a10:3781:276:3:16f6:d8ff:fe47:2eb7]) by smtp.gmail.com with ESMTPSA id q23-20020a170906a09700b00a377e9e1425sm976061ejy.87.2024.02.06.02.12.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Feb 2024 02:12:16 -0800 (PST)
Date: Tue, 06 Feb 2024 11:12:14 +0100
From: Job Snijders <job@fastly.com>
To: Tim Bruijnzeels <tbruijnzeels@ripe.net>
Cc: Russ Housley <housley@vigilsec.com>, IETF SIDRops <sidrops@ietf.org>, IETF SIDRops Chairs <sidrops-chairs@ietf.org>, sidrops-ads@ietf.org, Keyur Patel <keyur@arrcus.com>
Message-ID: <ZcIF_v6ygLbVM57h@snel>
References: <87h6j1kug1.wl-morrowc@ops-netman.net> <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com> <ZcFNNfrkMFxKf5hN@snel> <A8E04A04-D270-4E31-B72D-AB048398712E@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <A8E04A04-D270-4E31-B72D-AB048398712E@ripe.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/mSFUUN1ZrkP_Uhn7AoAzOZHn9Ho>
Subject: Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 10:12:22 -0000

On Tue, Feb 06, 2024 at 10:57:22AM +0100, Tim Bruijnzeels wrote:
> Job, thank you for your feedback. I will go over some of your other
> points later, but wanted to respond to this point now:
> 
> > On Feb 5, 2024, at 22:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote:
> > 
> > - Section 6 could perhaps (in addition to the phrase 'consistent')
> >  describe the desired outcome using the phrase 'atomic'. I think within
> >  our community we often describe the cause of 'failed fetches' as the
> >  repository being updated in a non-atomic fashion. 
> 
> This section is really about having a consistent, unchanging, view in
> rsync.
> 
> There is another, related, issue though that CAs need to publish all
> their content in a consistent way, using a multi-element RFC 8181
> publication, to ensure that their Manifest, CRL and all signed
> certificates and RPKI objects are published atomically. I thought of
> including some text on this, but technically it’s a BCP for a CA,
> rather than a Publication Server. I don’t mind extending this document
> with CA concerns, but if preferred we could consider having a separate
> BCP for CAs.

I think you are right to focus the draft BCP at hand on just the
publication side of the house, but I was getting at this: 

The "Publisher" must signal updates in an atomic fashion using
multi-element RFC 8181, and additionally, the Publication Point must
signal updates in an atomic fashion (be it rsync symlink pivoting, or
grouping the RFC 8181 multi-element publication in a single RRDP delta).

E.g. the publication point must not unravel the publisher's atomicity.

Kind regards,

Job