[Sidrops] Re: Deb Cooley's No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)

Russ Housley <housley@vigilsec.com> Wed, 15 May 2024 14:54 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF0CC14F6EF; Wed, 15 May 2024 07:54:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=vigilsec.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v08YpFb7Nf2K; Wed, 15 May 2024 07:54:19 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 071B6C14F610; Wed, 15 May 2024 07:54:19 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 0BF791890EC; Wed, 15 May 2024 10:54:18 -0400 (EDT)
Received: from smtpclient.apple (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id ED536188B62; Wed, 15 May 2024 10:54:17 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <171568759189.40367.7885327637125706120@ietfa.amsl.com>
Date: Wed, 15 May 2024 10:54:07 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F21EAC72-B187-4FA8-808D-7CD872BBE709@vigilsec.com>
References: <171568759189.40367.7885327637125706120@ietfa.amsl.com>
To: draft-ietf-sidrops-signed-tal@ietf.org
X-Mailer: Apple Mail (2.3731.700.6.1.1)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vigilsec.com; h=content-type:mime-version:subject:from:in-reply-to:date:cc:content-transfer-encoding:message-id:references:to; s=pair-202402141609; bh=mJgE8UeU3ftjiGV9UorZS2hYoHtBkkyO8juJqowwWEg=; b=PAByIVBxr9ATRrHxLpI79CR0YfBmd3pJCEtQIExuXY7jeIsx6GyFs0nPQZowQ2ZpPJE0bp2eoQqCfP4ZoJA4e2Bi0SvFEHjU0nSWRsAZu1QR0QL4j9DMXwJCZ96D+OEr1IftVu1RbmpiEa4BLdj02CT0Bc24Yl7Jb1keX1HB2T51s96YDe3SeAK8ZNQhLnXyyeKG5FY5DpOKYIwqsdwtFdp/vwLpeibMhHAiYaZ2LQekqiX/LY72zpqQ6nQjJ1xYjnGrAfbMgivu3HmK9EvMH/0hKnBI5oxNjY121MsMQRKnLpcklII1Nxc9KVipcbhLAMyiMDHkaHFIJwWrjQxFmQ==
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Message-ID-Hash: KUX626VR36W4YHPKS5JQBNSCZPPUZQVF
X-Message-ID-Hash: KUX626VR36W4YHPKS5JQBNSCZPPUZQVF
X-MailFrom: housley@vigilsec.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-sidrops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SIDRops Chairs <sidrops-chairs@ietf.org>, IETF SIDRops <sidrops@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Sidrops] Re: Deb Cooley's No Objection on draft-ietf-sidrops-signed-tal-15: (with COMMENT)
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/n785CuXkEy5NS_S5Gkkq5D8w478>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Owner: <mailto:sidrops-owner@ietf.org>
List-Post: <mailto:sidrops@ietf.org>
List-Subscribe: <mailto:sidrops-join@ietf.org>
List-Unsubscribe: <mailto:sidrops-leave@ietf.org>

I was not confused when I read this document and implemented the ASN.1 module.  However, I do think that we will be more clear to a broader audience by distinguishing "public key" and "private key"' in all of our documents.

Not wearing any hats,
  Russ

> On May 14, 2024, at 7:53 AM, Deb Cooley via Datatracker <noreply@ietf.org> wrote:
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks to Linda Dunbar for her valuable secdir review.
> 
> Nits, or just observations:
> 
> General:  This is just me, no action required (I am a PKI person, so I am
> pedantic on occasion).  I find the use of 'key' vice 'public key' to be a bit
> confusing.  There should be a distinction between 'private keys' and 'public
> keys' and the generic us of 'key' doesn't do that (in fact, I think most people
> think of 'key' as synonymous with 'private key').  I gather from reading this
> draft and poking around at the RPKI RFCs that the use of 'Key' is common
> terminology, so it would be confusing to change that now.  If there was ever an
> opportunity to clarify, it would be nice (maybe in the intro, para 2?).
> 
> Section 2, para 3:  This is confusing?  "... will first validate the TAK
> object, if present. ... If the TAK object lists only a current key....continues
> processing as it would in the absence of a TAK object.... if the TAK object
> includes a successor key... continues processing as it would in the absence of
> a TAK object."  Does processing of the TAK object happen elsewhere?  While
> other processing occurs?  If there is a TAK object, then why do you need the
> phrase 'continues processing as it would in the absence of a TAK object'?
> 
> Section 7:  Thanks for this.  It wasn't clear to me just how many TAK objects
> would have to exist to move from a current to successor key.   This section
> helps clarify.