IETF Logo Mail Archive

Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt

Stephen Kent <stkent@verizon.net> Thu, 14 October 2021 16:15 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 964933A171A for <sidrops@ietfa.amsl.com>; Thu, 14 Oct 2021 09:15:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verizon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2lLvtQKzitx for <sidrops@ietfa.amsl.com>; Thu, 14 Oct 2021 09:15:15 -0700 (PDT)
Received: from sonic312-24.consmr.mail.ne1.yahoo.com (sonic312-24.consmr.mail.ne1.yahoo.com [66.163.191.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87B03A1726 for <sidrops@ietf.org>; Thu, 14 Oct 2021 09:15:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verizon.net; s=a2048; t=1634228112; bh=wLbh76Kdupn+LtctpnfZX0Q4qb3QrplmRA1eoCBpx28=; h=Date:Subject:To:References:From:In-Reply-To:From:Subject:Reply-To; b=TvexBSSSYqIs0Y1Z75JXWiUqvPNk8wMBQ1FNPXDZHGCq8gVGoIeI0jI184FXXr6A3H0e6v/GPKrDeBPbsqn+dq4vY5IjFmR20SuAFeu0YTNOfjITIl+bJNSPHCL5ooJtXgcDW0i1G7OmD+igKZgW1RL+/oYUBiR/JLwI58rE/pOeer2X8svfdvtTCqu71SIbxVvrBDkOEHVAbYWmDox6dLjgKfiHy2osfa+xqUWHIOh8dgGnobko7p85K6KMjOXXuLZ0U8zR5xInkZS6twxZnM5SWf/Yx8EsN34fdWU78nMu71+9zBFj9fAcyEB38f3NLf/EEWU77K5hSvdTDJ1aug==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1634228112; bh=YGI7j3q21fVeRmp281ZQaW7hltjkC2bcb3Me5WM8HKw=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=TPWYzTjq+7tcpdco8ezVLHFBIxonefaILLOTMYRIAvSxh0xtvTpr384JjqWwb2tFGc1yllmlAcNVjKXqFrRDxQhaIaWNYeQFZh4uZPhQfOj3QXlR1T7FikffqV+6FMpzp0SceSwhdxY/k1x7rTWtGM5CpibZIuSItTknZ5FW/yxNvnQWWA2a/d3nrg9QwLvhblq/+LZ+xEBzHniIfopniyDCh8ZO4MhyIYmm3blOAAJsgSAC+B+TM990AKCjdO2d9twZDI3eoWgFUIDf2flSV6iWiC56/Jpk49EFiq8mcsZHeGxTfYsx5ULQNjBHH2ROR+5lgSOJQhTqtBd++63fBQ==
X-YMail-OSG: KFvbxE8VM1mpJL7sLJEEiIycMXe0sMg.7J.dFG496qDUyblmhJUusYv8Ber2vny T5xFSI3uJS9V1EEjgjjHQBTOjNRVlTkvPS78PV382pHujS54SqDVeSD_yd_i4KpIRYLbJgqPl2Ek laAOZ3090eFjHdxLLd8zz4djAhoZWrjah1tfTiib.lxOnoxUtCx19FGe6_OU1Rq7qQlHLDEPt3jW x9qJNhPGKrELbD6nsszsjq_fk0Vm3GMz8q0PR69Yt9ALnodlISaCCdyvXC0dt4CgS0QZ7lfjReuQ 5cARMTVgW7V1UNFDg3EYfgDiDf.YAU0zY5.BGETF.mAqryr3lSFuP4NCTvbrk5KuTz_PMGQn5ODG _hhX5a1iCFcIbFKhM.vOmLP1SC7GKrunRQa1E7gAaYG2lLtpBK0hKhv0e_5wFHau90BeVL8j_amV DgbAa8thQahO7bL3CVMkEtrPZLdIr7jNT0N783F3t1YNPn4SnG_w8e5Z03MdrlZcnkWZtTa5D1io Tf6dfuPYArZLgKoAW4nYbYEcZDOjCEeMt5UxTZTySpiUTDN77uhF.0Lm8YlGYEzsm8a8VnFTC5BU sw1HPlnGak2JHiUz1odtuqqDtGXAcVETkqruSGq1hHpFg5b6MIV5Ry3YR1jTphwsrHBjzj.FRD3I 7Jpvj7iXIrhZi7Ub11gEmWG8iXmkPObPELszb5lh9V4WkRD0DTHwSFMEULL_dBxOgIv4gWT7m3.K TMO9ZmjgV7QA.BcRaCxc7.PdWEFV7I0TXtDG0HgHLFQHl4VeU_ovBvR.Igk0e1ib5ozkwbJVNK7f k0Nlx1nffpcOf0ghkWoQtFsi77CPLvxeegt8yAuHnupTVmncm.FYkT.hfdHitiUEtZOx4z0A4HNI _4enY9UKu5ACiKbKfBDLWpWyFM5VaoLFtTHy7.XyIU5W8V4Cv0Q71ihV6r4LB6Nkls6S9EPkNtqu HHPceTvQ8KPOLb4ukb3UJWeu0hvRJ_G2uhFi7XzihMETFuSfDdqEpd950J3mP2teqipmrHlH2cBK t7H8gHxPCGSzzySS04js_EkBmch0z7u68fAm6j9suwnTfKOyOWYaDNljeaYk8fhhEXHsw5dRaz9Z iGLjQSBIm02GMfmzPUPASAiX5NyamofUjCXaH.u.B6CoEPd52o.Azsq8f00Chv2wV1bC6KjyGk3y nCydGDRwBc_DsJFIYkvUkMHZ2Z4pDIDhQL3Dvupx8oajAoTjyFaxm8VZcwYebW13tphZh8c9xWHw hch2KrSrw8KTxVxaaQMGkd4A4FDw8Y82uYPR2FGHA8t9ARqzPyFOrWAWiRcxA18OzlyG8aDB_BFb XNTS.wH2TY1X8IYzLXMwMWTHw8Qy.UJPI0KIj8LvUdmyy54IL1.cAJnOHQGg62jZA3oCWjDeAjku .CFDNt3zZ7jwnBNOIbnVVj1lGjBIDocRV.YEJXDFZ4K9roQVSa75_Rj4LwQm01J6DjK0WULuUTlI HB0G4.QYTZdJ9OPH8HxkjmQMhsJJD6wkhOzRv7Qj5ZeA_BLhl4hUmul1uKq2QluU6o1qUguksvke 60ao5O00gMM2CNtrOym_z8uST1tL6SE_JaSl0EKvk21v.raSdk8XONg3WWOL.9wf4_ojaHwGmxRv wnH6Bn8cfzsqFtihrYLxulPzQuJogdO55H91WhQyISMYPO8Uef82b5Nt_jo4qlQcrl4a7Ob8uuBp w.0GhBK5LUYq9t3bP5LCGFqqOmBIxqX3kqiONtIIFJHP4srzGgcsTLhxr06gznMxvTBMCLA2f2Ms bsihtA1X_aEFXOR_Mxf_SPsemo5eHCRQZ05Q2cMRCZDHsiu_1DvrI596PM8uQADn0Ul11j5_B826 VNvIgbwYom41KYrwWmY6AWZskzFuV._VrMxZUitQq4A6v39f40VZkPNyrHBBwFFv9bhaOq_Kdc6R fnbPDa5YQnnvoMRwfO06hkp_OQ0EN5U40mnxnjMt7IAxaoM5swDBM58srXuKH6BjkaQAryiII5WA W0gOa0y4hNr.zDfvQOPeQdv7jtxAF4ARtu0_HVLtkFTvMhFTpPq9MIMkyxKFMwrub8WeAjvouZZE ZUn2J5ccOsUpScT_nD_zNTYzVh7hw5ghM8tStoyshwK5Mr33VtyCe745CbQceRWfReeiBW18CHnn mJXZHRHPPHrOOcBZT7nAQcCKe8FDZFcEvJyzfrYAI8SglICXnpQGXvgLqVhWm_jIIXcoPa_zfQVA DQXOWtso_FKj57Y4y
X-Sonic-MF: <stkent@verizon.net>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.ne1.yahoo.com with HTTP; Thu, 14 Oct 2021 16:15:12 +0000
Received: by kubenode550.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID da71ecd6fc0cb7d68f03568ba211eec6; Thu, 14 Oct 2021 16:15:11 +0000 (UTC)
Message-ID: <32d38c02-0a6f-a5cf-6160-71748e97a453@verizon.net>
Date: Thu, 14 Oct 2021 12:15:10 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.2.0
Content-Language: en-US
To: sidrops@ietf.org
References: <163422093055.5218.7049827726010929590@ietfa.amsl.com> <C368116D-179F-4A2D-A9D9-613A422F0AE1@ripe.net>
From: Stephen Kent <stkent@verizon.net>
In-Reply-To: <C368116D-179F-4A2D-A9D9-613A422F0AE1@ripe.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailer: WebService/1.1.19116 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/tUU2jV1nVu18RepnXgKeWgXEvhs>
Subject: Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-07.txt
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Oct 2021 16:15:17 -0000

Ties,
> While reading the diff I thought it would be good to discuss this on 
> list:
>> 4.2.1:
>>
>>        This field is an integer that is incremented (by 1) each time a
>>        new manifest is issued for a given publication point.  This field
>>        allows an RP to detect gaps in a sequence of published manifests.
> I would really like it if we could leave this open and allow arbitrary
> increments. It's what is out there in the wild, and RPs can not check anything
> against manifestnumber either: Not all of them are guaranteed to be visible.
> Strict incrementing counters are also a point of contention in implementations
> due to database locking on the parent CA.
>
> Existence/absense of manifests of a compliant CA is visible through the CRL. And
> it does not make behaviour of a sloppy CA invisible.

I made this change in response to a request from Ben Madison on 9/30. 
You did not comment on his suggestion then, or over the next 13 days. 
Why are arbitrary increments a "good thing?" Why are they out there now? 
Which CA's don't know how to count by 1?

The text does not require that an RP verify that the increment is 
monotonic, just that the new manifest has a nigher number than any 
previously-validated manifests from the same issuer. I don't see a need 
to change this.

>
> I would also like to revisit 4.2.2.
>
>>    letter extension.  The extension MUST be one of those enumerated in
>>    the "RPKI Repository Naming Scheme" registry maintained by IANA
>>    [IANA-NAMING].
> Since the content of the registry is dynamic, I think it would be good to
> clarify that encountering an unknown extension must not result in a failed fetch.
> If RPs become intolerant to new filenames using an extension not in the
> registry (for example .asa) would require a flag day.
>
> While reducing ambiguity in the results that RPs have when processing manifests
> is good I don't think rejecting unknown types is worth the downside.

This text has not changed since version 4, posted in May of this year. 
It's way too late in this process to comment on this now, almost 6 
months later.

Steve

v2.23.0 | Report a Bug | By Email