Re: [Sidrops] Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)

"Borchert, Oliver (Fed)" <> Thu, 11 April 2019 20:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 666D0120310; Thu, 11 Apr 2019 13:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Rd3gXOM1s4K0; Thu, 11 Apr 2019 13:42:44 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D5375120174; Thu, 11 Apr 2019 13:42:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kjpmrmGxfqhVqJP7PJNMsIGEqcnJW26yt5aRM9AlvXw=; b=VnCbYNE+SCNHExSjQV++u84r+rP2AZ6sa+NHM+R7m/k4sphLqMutCDmc2jCzM3SJV/SlaorUZOGaGyYj2T29FdY+ssfXh2y7cB2HyI0ITj9D6XjRUyBYNjwEZWwGzwW5XVAi05Dtt3GRDOnPgLqF99ElHEnOjqVB1kFAQsocf0U=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.14; Thu, 11 Apr 2019 20:42:42 +0000
Received: from ([fe80::694c:8a72:b9a7:5832]) by ([fe80::694c:8a72:b9a7:5832%2]) with mapi id 15.20.1771.021; Thu, 11 Apr 2019 20:42:42 +0000
From: "Borchert, Oliver (Fed)" <>
To: Benjamin Kaduk <>
CC: The IESG <>, "" <>, Chris Morrow <>, "" <>, "" <>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)
Thread-Index: AQHU7nXgQI4Urnu4Ok+oIXvgvm0Y7qY1xJMAgAGY+gD//9CvgA==
Date: Thu, 11 Apr 2019 20:42:41 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-originating-ip: [2610:20:6222:140:60e8:7040:b5a2:4046]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 668eefef-2fb5-4ac6-9efe-08d6bebe3e86
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:SN6PR09MB3166;
x-ms-traffictypediagnostic: SN6PR09MB3166:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-forefront-prvs: 00046D390F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(366004)(136003)(376002)(39860400002)(13464003)(199004)(189003)(229853002)(81156014)(54906003)(83716004)(82746002)(5660300002)(316002)(71200400001)(33656002)(58126008)(99286004)(71190400001)(2171002)(6916009)(45080400002)(6246003)(14444005)(25786009)(2616005)(11346002)(486006)(256004)(46003)(446003)(476003)(36756003)(6116002)(7736002)(478600001)(53936002)(105586002)(106356001)(68736007)(81166006)(966005)(305945005)(6486002)(186003)(97736004)(4326008)(102836004)(8676002)(6306002)(6506007)(76176011)(14454004)(86362001)(53546011)(6512007)(8936002)(2906002)(6436002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR09MB3166;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: kRPHljv/+O9Z20qrDhzpt97ah4jdLMTVMSmRS28kAOkBmxfNZpHoiAX+pXxp6ZL9nIl1RRzT1mXOddTp/AkpR1BTZkzBythf90QyaCrddhjGxe66HE5K6w1CSH2LUS1KnY+p/Q5yjL+le2MVQBdZ7Evvo5DtM7pkhxH/zZ4Xd6yPYpmgMrkUfq5F/YlGGJqfb7qOgelNn57ahIT2StNxUoAtcP5jjemKgP7g827X14XlhdCpg5E8xNHKA3vttOMkDSniKdRS7rfQWjsBD1xDDKTbEOD2Kdp9Ouh4k/pQWOHE8mbaICFPC4BNny7igDhJppkKN6AhAC6sNqczKQC1FvdrzKkuyQIZ918mFYihcFlEqJtlVRP3SYRLSpDP0JaNMxjifs/vPyEzyoMxmBzp/2TgUeVAdFex4wRpyCcb2G0=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 668eefef-2fb5-4ac6-9efe-08d6bebe3e86
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Apr 2019 20:42:41.9445 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR09MB3166
Archived-At: <>
Subject: Re: [Sidrops] Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Apr 2019 20:42:47 -0000

I agree and applied your suggestion,

"[RFC8208] directed...."


On 4/11/19, 3:32 PM, "Benjamin Kaduk" <> wrote:

    On Wed, Apr 10, 2019 at 07:40:48PM +0000, Borchert, Oliver (Fed) wrote:
    > Hi Benjamin,
    > Regarding your comments below:
    > * Comment to 2.2.1
    > Are we trying to talk about both?
    > oliver: I believe so, the certificate request maps the algorithm with the OID whereas certificates and BGPsec update only reference the OID. 
    >             Maybe Sean has a better answer?
    Okay.  Maybe we want to say "certificates or certificate request" (or
    similar) in a couple places, but let's see what Sean says.
    > * Comment to Section 7:
    > IANA has registered a single algorithm suite
    > identifier for the digest algorithm SHA-256 [SHS] and for the
    > signature algorithm ECDSA on the P-256 curve [RFC6090] [DSS].
    > oliver: I added "Originally for RFC8208, " so it reads:
    > Originally for RFC8208,  IANA has registered a single algorithm suite
    > identifier for the digest algorithm SHA-256 [SHS] and for the
    > signature algorithm ECDSA on the P-256 curve [RFC6090] [DSS].
    I'd suggest something like:
       [RFC8208] directed IANA to register a single algorithm suite identifier for the
       digest algorithm SHA-256 [SHS] and for the signature algorithm ECDSA
       on the P-256 curve [RFC6090] [DSS].  This identifier is still valid, and
       IANA has updated its registration to refer to this document.
    But this is a non-blocking-comment, so do what you think is best.
    > * Comment to Appendix A:
    > oliver: I added the following wording as 3rd sentence under A.2. Keys
    > Note: Even though the certificates below are expired, they are still useful
    > within the constraint of this example.
    > Thanks,
    > Oliver
    > -----Original Message-----
    > From: Benjamin Kaduk via Datatracker <> 
    > Sent: Monday, April 08, 2019 9:45 PM
    > To: The IESG <>
    > Cc:; Chris Morrow <>;;;
    > Subject: Benjamin Kaduk's No Objection on draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: (with COMMENT)
    > Importance: High
    > Benjamin Kaduk has entered the following ballot position for
    > draft-ietf-sidrops-bgpsec-algs-rfc8208-bis-04: No Objection
    > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
    > Please refer to;;sdata=fuC2JnJrGeQvzJt2PvS1LsJjIeDuBij%2BGqDlsciMKWw%3D&amp;reserved=0
    > for more information about IESG DISCUSS and COMMENT positions.
    > The document, along with other ballot positions, can be found here:
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > Section 2.2.1
    >    Hash algorithms are not identified by themselves in certificates or
    >    BGPsec UPDATE messages.  They are represented by an OID that combines
    >    the hash algorithm with the digital signature algorithm as follows:
    >    o  The ecdsa-with-SHA256 OID [RFC5480] MUST appear in the Public-Key
    >       Cryptography Standards #10 (PKCS #10) signatureAlgorithm field
    >       [RFC2986] or in the Certificate Request Message Format (CRMF)
    >       POPOSigningKey algorithm field [RFC4211]; where the OID is placed
    >       depends on the certificate request format generated.
    > The first paragraph talks of "certificates" but this last sentence talks about "certificate request"s.  Are we trying to talk about both?
    > Section 7
    > The IANA considerations are perhaps not as accurate as they could be.
    > For example, we could say that the BGPsec Algorithm Suite Registry was originally created by RFC 8208 and has been updated to refer to this document, and similarly for the P256-SHA256 codepoint.
    > (Just moving the references over would seem to be even more appropriate if this document were fully Obsoleting 8208.)
    > Appendix A
    > Do we want to note that the certificates are expired but the examples are still useful within that constraint?  (They were valid at the time RFC 8208 was published but it seems imprudent to try to assume that the examples would always be valid, when writing a document such as this.)