Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00
Randy Bush <randy@psg.com> Tue, 11 May 2021 21:43 UTC
Date: Tue, 11 May 2021 14:43:15 -0700
Message-ID: <m2mtt1t098.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Tim Bruijnzeels <tim@nlnetlabs.nl>
Cc: Russ Housley <housley@vigilsec.com>, George Michaelson <ggm@algebras.org>, SIDR Operations WG <sidrops@ietf.org>
In-Reply-To: <2D988AA2-7860-4F5E-B9D4-87A747A39FD2@nlnetlabs.nl>
References: <m2k0o6uqot.wl-randy@psg.com> <CAKr6gn3oCZBOP3L8AQWvH9Nk4fum-ycZCnHO_DUtgdx5M=z_+A@mail.gmail.com> <m2fsyuuofa.wl-randy@psg.com> <CAKr6gn18yGTrAiqPA2P+kc+JBt2Tf8D-G4Gf5WCnASm8vk1Fvg@mail.gmail.com> <4455A207-2637-444B-BDA0-1209425C2EF2@vigilsec.com> <2D988AA2-7860-4F5E-B9D4-87A747A39FD2@nlnetlabs.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/p8_AobF7KPH5DpAQBVx6nMVpKRQ>
Subject: Re: [Sidrops] draft-ietf-sidrops-rpki-has-no-identity-00
> However, with RSC/RTA the operator of that child CA could then sign an
> attestation containing anything else, including a public B-PKI key
> that they may wish to associate with their INRs in specific use cases.

is your intent to authorize the non-rpki identity to act in all matters
for the INR? i.e. how would one constrain the use cases? e.g. may the
non-rpki identity write to the RPKI parent, e.g. ripe, and order the
transfer of the INR? and don't tell me about administrative procedures;
this is a PKI discussion.

so the real-world identity system would sign the rpki INR which then
signs the LOA? but why is the rpki INR even needed if the real-world
identity can simply sign the LOA?

i thought that, way back when, ggm was trying to do the inverse: using
the rpki private key to authorize some action in the real world. the
example i remember was a letter of authorization to run a circuit, aka
an LOA for a PNI.

and what also confuses me (well, i guess many things about this do) is
that i am not seeing/understanding where CA cross-certification, in the
normal up-the-tree sense, fits. but i am not an expert on this.

and can we try to reduce use of long, complex, erudite-seeming text
designed to impress rather than explain?

randy