Re: [Sidrops] 6486bis: Failed Fetches

Jay Borkenhagen <jayb@braeburn.org> Fri, 28 August 2020 20:00 UTC

Return-Path: <jayb@oz.mt.att.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760963A0B5F for <sidrops@ietfa.amsl.com>; Fri, 28 Aug 2020 13:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5bi3OGRkYIMv for <sidrops@ietfa.amsl.com>; Fri, 28 Aug 2020 13:00:38 -0700 (PDT)
Received: from hrabosky.cbbtier3.att.net (braeburn.org [12.0.1.25]) by ietfa.amsl.com (Postfix) with ESMTP id 276E03A091F for <sidrops@ietf.org>; Fri, 28 Aug 2020 13:00:38 -0700 (PDT)
Received: from oz.mt.att.com (zoe.cbbtier3.att.net [12.0.1.45]) by hrabosky.cbbtier3.att.net (Postfix) with ESMTP id BED722B6AD; Fri, 28 Aug 2020 20:00:35 +0000 (UTC)
Received: by oz.mt.att.com (Postfix, from userid 1000) id 9B8FE5640A9A; Fri, 28 Aug 2020 16:00:35 -0400 (EDT)
X-Mailer: emacs 25.2.2 (via feedmail 11-beta-1 I); VM 8.2.0b under 25.2.2 (x86_64-pc-linux-gnu)
Message-ID: <24393.25181.84151.476185@oz.mt.att.com>
Date: Fri, 28 Aug 2020 16:00:29 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Jay Borkenhagen <jayb@braeburn.org>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: sidrops@ietf.org
In-Reply-To: <cf7030be-adc4-dde4-7eda-516339fd6c91@verizon.net>
References: <20200817163134.29aa1a6b@glaurung.nlnetlabs.nl> <c1a8fffb-9106-d08e-4254-44ddf1a0115a@verizon.net> <20200818083659.1922a98c@grisu.home.partim.org> <6cebcc89-3e07-8a85-3813-b4ae9887d119@verizon.net> <20200826122539.52493813@glaurung.nlnetlabs.nl> <b71c9c88-fb10-b037-d06a-910711e51e04@verizon.net> <cf7030be-adc4-dde4-7eda-516339fd6c91@verizon.net>
Reply-To: Jay Borkenhagen <jayb@braeburn.org>
X-GPG-Fingerprint: DDDB 542E D988 94D0 82D3 D198 7DED 6648 2308 D3C0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/u9SXo28C0WNNKjQcHqEf2b5f8Ns>
Subject: Re: [Sidrops] 6486bis: Failed Fetches
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 20:00:40 -0000

Steve,

I would like to comment on two things you recently wrote to this list: 

Stephen Kent writes:
 > When I the WG chairs tell me that I misunderstood the WG consensus re:
 > strict correctness then I will revisit this topic. However, the recent
 > messages from Mikael and Job suggest that your perception of WG
 > consensus is not accurate. This issue is one that needs to be decided by
 > network operators, not by developers of RP software. I agree with the
 > observations made by Mikael and Job, i.e., that requiring strict
 > conformance with manifest rules is the preferred approach.

I don't think viewing this as "network operators" vs "developers of RP
software" is a productive approach.

I am a professional network operator -- somebody pays me to do that.
I also happen to have some opinions on how a successful PKI should
operate, but so far no one has offered to pay me for those opinions.
If asked to use only the network operator part of my brain to say
whether strict conformance is the best approach here, I would answer
"Honestly, I don't care.  As a network operator I care only that the
VRPs I use in my network are as trustable and reliable as possible."
I certainly have opinions how _how_ to make the system as trustable
and reliable as possible, but I know others have thought about such
aspects far more than I have -- in particular folks who have
implemented RP software.

At the risk of making my comments here too personal (they are not
intended that way), my friend Job wears both of these hats: he is a
network operator, and he is involved in developing an RP
implementation.  That's great!  I value his opinions, and I am happy
to hear that you do, too.  But it would be fruitless to attempt to
determine which parts of Job's psyche most inform his opinions voiced
in this WG.  So rather than attempting to do so, I would like to ask
you to also value the opinions and contributions of other RP
implementors, particularly those who have been active in this
discussion.  Many network operators do not participate here in
SIDROPS, but presumably all RP implementors do.



 > >> You absolutely have to deal with this issue in 6486bis in its current
 > >> strict form. Any introduction of a new object type will permanently
 > >> break CAs that use these objects when validated with a relying party
 > >> software that is not aware of this type. I don’t think this is
 > >> acceptable, as it effectively blocks the introduction of new types
 > >> pretty much forever.

 > No, it does not. What I suggested is that when a new object is proposed,
 > it is the responsibility of the those proposing the new object to
 > explain how it will be incrementally deployed. That explanation belongs
 > in the RFC defining the new object, and in an updated version of 6486
 > will need to be generated. We have no good examples of new objects that
 > provide a basis for describing how to accommodate incremental
 > deployment, and thus no basis for defining such mechanisms at this time.
 > It might be the case that a new object will be defined that requires the
 > CA to maintain a separate pub point using some newly-defined SIA
 > pointer, indicting that the new pub point contains the new object and
 > thus RPs that don't know how to process the object MUST NOT follow that
 > pointer. There will need to be agreement on how long a CA MUST maintain
 > the old pub point, etc. But, absent a concrete example of a new object
 > type that warrants this sort of effort it is premature to write a spec.


The situation you describe here sounds horrible, trying to keep older
RPs from seeing newer objects they're not equipped to fully
understand.  A much more robust system would be one where RPs are not
thrown off by unknown object types retrieved from known publication
points and listed in manifests.  Clearly older RPs would not know what
use to make of newer objects, and thus would ignore them.  Network
operators interested in taking advantage of the new objects would
first need to upgrade their RPs in order to do so, but that's BAU.

Thank you.

						Jay B.