Re: [sidr] Validation Reconsidered (again/again) question

2016-01-07 Thread Stephen Kent
Geoff, Happy new year. ... Consider a cert path from a trust anchor TA, to CA1 to CA2 to an EE cert for a ROA. TA->CA 1->CA 2->ROA Assume the TA cert contains address space T, U, V, W, X, Y and Z. Assume the CA 1 cert contains address space T, U, V, and W. Assume the CA 2 cert

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-18 Thread Tim Bruijnzeels
Hi Steve, Without going into every detail. I understand this is not what the current text says. I provided an alternative description to illustrate how I would propose to re-write text. The current text takes a bottom-up view of the process w.r.t. verifying the presence of resources looking

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-17 Thread Stephen Kent
Tim, ... I believe the draft is being precise, but in the process has become difficult to parse. Let me attempt once more to explain the proposal in a different way: "When doing top-down validation of resource certificates in the RPKI we propose that rather than rejecting a certificate that

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-07 Thread Karen Seo
Just fyi... Steve was out of the country last week and this. He should be back next week... On 11/25/15 8:11 PM, Geoff Huston wrote: Hi, I’m working through this example and I can’t help but observe that it’s "ill-defined and, the most likely interpretation doesn't seem to work" to borrow

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-03 Thread Andrei Robachevsky
Sandra Murphy wrote on 02/12/15 19:28: > Under validation-reconsidered, I would say that the ROA should be valid if > the IP addresses it contains are contained within the *valid* resources among > the resources specified in the EE cert. > > We need to say that because the valid resources

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Sandra Murphy
On Dec 2, 2015, at 5:23 AM, Geoff Huston wrote: > >> On 2 Dec 2015, at 11:32 AM, Sandra Murphy wrote: >> >> Speaking as regular ol’ member: >> >> On Dec 1, 2015, at 9:42 AM, Andrei Robachevsky >> wrote: >> >> >> In

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Geoff Huston
> On 3 Dec 2015, at 5:28 AM, Sandra Murphy wrote: > > > On Dec 2, 2015, at 5:23 AM, Geoff Huston wrote: > >> >>> On 2 Dec 2015, at 11:32 AM, Sandra Murphy wrote: >>> >>> Speaking as regular ol’ member: >>> >>> On Dec 1, 2015, at

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Declan Ma
> On 2 Dec 2015, at 18:23, Geoff Huston wrote: > > > > Example 2: > > A CA Cert: 1.0.0.0/24, 2.0.0.0/24 > > issues: > > B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24 > > issues: > > C EE Cert: 1.0.0.0/24, 2.0.0.0/24 > > and signs > > ROA: 1.0.0.0/24 AS1 > > still all good

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Declan Ma
> On 3 Dec 2015, at 14:32, Geoff Huston wrote: > > >> On 3 Dec 2015, at 5:24 PM, Declan Ma wrote: >> >> >>> On 2 Dec 2015, at 18:23, Geoff Huston wrote: >>> >>> >>> >>> Example 2: >>> >>> A CA Cert: 1.0.0.0/24, 2.0.0.0/24 >>> >>> issues: >>> >>> B CA

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Geoff Huston
> On 3 Dec 2015, at 5:24 PM, Declan Ma wrote: > > > > > >> On 2 Dec 2015, at 18:23, Geoff Huston wrote: >> >> >> >> Example 2: >> >> A CA Cert: 1.0.0.0/24, 2.0.0.0/24 >> >> issues: >> >> B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24 >> >> issues: >> >> C EE

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-02 Thread Geoff Huston
> On 2 Dec 2015, at 11:32 AM, Sandra Murphy wrote: > > Speaking as regular ol’ member: > > On Dec 1, 2015, at 9:42 AM, Andrei Robachevsky > wrote: > >> Tim Bruijnzeels wrote on 01/12/15 14:55: Tim, I am not sure I understand this.

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-01 Thread Sandra Murphy
Speaking as regular ol’ member: On Dec 1, 2015, at 9:42 AM, Andrei Robachevsky wrote: > Tim Bruijnzeels wrote on 01/12/15 14:55: >>> >>> Tim, I am not sure I understand this. If the parent of the EE cert has a >>> shrunken set of resources, will it invalidate the

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-01 Thread Declan Ma
> On 2 Dec 2015, at 08:32, Sandra Murphy wrote: > > (We’ve overloaded “Valid” a couple of different ways valid certs, valid ROAs, > valid origins, valid Signature_Blocks, …) - it might be nice to readers and > users to come up with a different adjective here for the subset of the

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-01 Thread Andrei Robachevsky
Tim Bruijnzeels wrote on 26/11/15 13:29: > Please note that for ROAs there is a requirement that all ROA > prefixes are included on the EE certificate of the (ROA) signed > object CMS. This proposal does not change this. A ROA that has > prefixes that were removed for whatever reason higher in the

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-01 Thread Andrei Robachevsky
Tim Bruijnzeels wrote on 01/12/15 14:55: > Hi Andrei > >> On 01 Dec 2015, at 12:04, Andrei Robachevsky >> wrote: >> >> Tim Bruijnzeels wrote on 26/11/15 13:29: >>> Please note that for ROAs there is a requirement that all ROA >>> prefixes are included on the EE

Re: [sidr] Validation Reconsidered (again/again) question

2015-12-01 Thread Tim Bruijnzeels
Hi Andrei > On 01 Dec 2015, at 12:04, Andrei Robachevsky > wrote: > > Tim Bruijnzeels wrote on 26/11/15 13:29: >> Please note that for ROAs there is a requirement that all ROA >> prefixes are included on the EE certificate of the (ROA) signed >> object CMS. This

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-29 Thread Sriram, Kotikalapudi
Geoff, Thanks for your responses. Please see below for my further comments. >> 2. How do you perform the validation of a CRL? >RFC6487 provided no guidance, and referred to RFC5280, so that is still the >case. >nothing changes here. >> How is it similar to or different from how you validate

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-29 Thread Geoff Huston
> On 30 Nov 2015, at 8:58 AM, Sriram, Kotikalapudi > wrote: > > Geoff, > > Thanks for your responses. Please see below for my further comments. > >>> 2. How do you perform the validation of a CRL? > >> RFC6487 provided no guidance, and referred to RFC5280, so

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-29 Thread Geoff Huston
t again just to be sure: CRLs have no resources. > I think this should be explicitly explained/clarified in the document. I disagree. Geoff > > Sriram > > ____________ > From: sidr <sidr-boun...@ietf.org> on behalf of Tim Bruijnzeels >

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-27 Thread Randy Bush
> I find it equally challenging to then reach the conclusion that you > appear to be providing that that somehow all this is dependant on a > draft relating to certificate mediated resource transfer. Again I see > what appears to be another leap of faith going on here. well, not that i makes a

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-26 Thread Tim Bruijnzeels
Hi, > On 25 Nov 2015, at 21:19, Stephen Kent wrote: > > None of those who believe that this draft is a good thing seem to have > addressed > an issue I raised a while ago; the proposed solution is ill-defined and, the > most > likely interpretation doesn't seem to work, in

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-26 Thread Declan Ma
Tim, Thanks for your explanations. Yet since the very draft keeps talking about Resource Transfer and deems it as one of the “Operational Considerations” in Section 3, we might pay attention to Steve’s statement as below: So, when folks claim that this alg allows for transfers to not have

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-26 Thread Geoff Huston
Declan, I’d pay more attention to this statement you are quoting if and only if the justification for this statement made any sense. As far as I can tell the example used to build to this point is confused and imprecise, so it’s a leap of faith that I’m not perform to then hold the conclusions as

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-25 Thread Geoff Huston
Hi, I’m working through this example and I can’t help but observe that it’s "ill-defined and, the most likely interpretation doesn't seem to work" to borrow your words…. > > Consider a cert path from a trust anchor TA, to CA1 to CA2 to an EE cert for > a ROA. > > TA->CA 1->CA 2->ROA > > >

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-25 Thread Stephen Kent
None of those who believe that this draft is a good thing seem to have addressed an issue I raised a while ago; the proposed solution is ill-defined and, the most likely interpretation doesn't seem to work, in general. I'll try to explain this reasoning, again, and provide an example. Section

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-25 Thread Robert Kisteleki
On 2015-11-24 23:35, Randy Bush wrote: >> Every public/private working group that I have been part of that >> discusses potential incremental roll out of RPKI based origin >> validation gets hung up on FUD about the brittleness of the system. > > universally, the brittleness that seems to concern

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-25 Thread Warren Kumari
On Tue, Nov 24, 2015 at 12:58 PM Wes Hardaker wrote: > Christopher Morrow writes: > > > Pinging this thread to catch anyone who didn't reply but had thoughts > > I'd like to close this out tomorrow before 5pm EST (10pm UTC). > > I've been

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-24 Thread Christopher Morrow
On Mon, Nov 23, 2015 at 5:13 PM, Christopher Morrow wrote: > Pinging this thread to catch anyone who didn't reply but had thoughts > I'd like to close this out tomorrow before 5pm EST (10pm UTC). > Damn my lack of date specificity!! To be clear, I'd like to make the

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-24 Thread Wes Hardaker
Christopher Morrow writes: > Pinging this thread to catch anyone who didn't reply but had thoughts > I'd like to close this out tomorrow before 5pm EST (10pm UTC). I've been considering the concept behind this document and whether the concept should be carried forward

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-24 Thread Randy Bush
> Every public/private working group that I have been part of that > discusses potential incremental roll out of RPKI based origin > validation gets hung up on FUD about the brittleness of the system. universally, the brittleness that seems to concern operators is the hierarchy and the 'dutch

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-24 Thread Montgomery, Douglas
I would like to see this work continue. Every public/private working group that I have been part of that discusses potential incremental roll out of RPKI based origin validation gets hung up on FUD about the brittleness of the system. While validation reconsidered does not solve all potential

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-23 Thread Christopher Morrow
Pinging this thread to catch anyone who didn't reply but had thoughts I'd like to close this out tomorrow before 5pm EST (10pm UTC). thanks! -chris On Sat, Nov 21, 2015 at 9:24 AM, Randy Bush wrote: >> the intent is an appropriate change to improve robustness of the >> system. >

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-21 Thread Randy Bush
> the intent is an appropriate change to improve robustness of the > system. i think it changes the robustness, not necessarily improves it. the loss of congruent hierarchic validation is exchanged for accepting some failures we have yet to see. being a bit of a naggumite, accepting errors is

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-20 Thread Stephen Kent
Sam, On Fri, 6 Nov 2015, Stephen Kent wrote: So, unless the folks who volunteered to assume responsibility for the doc (all of whom were already listed as co-authors) are prepared to do a much better job in addressing these shortcomings, I object to continuing with this work. It sounds

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-19 Thread Samuel Weiler
On Fri, 6 Nov 2015, Stephen Kent wrote: So, unless the folks who volunteered to assume responsibility for the doc (all of whom were already listed as co-authors) are prepared to do a much better job in addressing these shortcomings, I object to continuing with this work. It sounds like

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-19 Thread Samuel Weiler
"This document was adopted as a WG work item, should we accept this change and complete the work or not?" Yes. I believe this change in the validation algorithm improves the operational robustness of the RPKI. If the WG chairs find themselves uncertain about the consensus on this question,

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-09 Thread Oleg Muravskiy
On Fri, Nov 06, 2015 at 12:52:13PM +1100, Christopher Morrow wrote: > Please take 2 weeks time to consider: > > "This document was adopted as a WG work item, should we accept this > change and complete the work or not?" Yes, we should. > > where: > 'this document' is: >

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-07 Thread mcr
I am opposed to this document for the reasons stated by Steve Kent and others.

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-06 Thread Arturo Servin
+ 1 for adoption. And hopefully somebody would say "I take this". Regards as On Thu, 5 Nov 2015 at 23:04 Geoff Huston wrote: > > > On 6 Nov 2015, at 12:52 PM, Christopher Morrow < > christopher.mor...@gmail.com> wrote: > > > > Please take 2 weeks time to consider: > > > >

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-06 Thread Stephen Kent
Please take 2 weeks time to consider: "This document was adopted as a WG work item, should we accept this change and complete the work or not?" Adopting a doc as a WG item does not mean that it is acceptable "as is" at the time it was adopted. The intent is that the author(s) will cooperate

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-05 Thread Geoff Huston
> On 6 Nov 2015, at 12:52 PM, Christopher Morrow > wrote: > > Please take 2 weeks time to consider: > > "This document was adopted as a WG work item, should we accept this > change and complete the work or not?” > I say “Yes," for some value of somebody/some

[sidr] Validation Reconsidered (again/again) question

2015-11-05 Thread Christopher Morrow
Please take 2 weeks time to consider: "This document was adopted as a WG work item, should we accept this change and complete the work or not?" where: 'this document' is: I'll close the mic line on: 11/20/2015

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-05 Thread Carlos M. Martinez
Aside from process questions (whether the draft should update a standard or not), I definitely believe the WG should continue working on this. -Carlos On 11/6/15 10:52 AM, Christopher Morrow wrote: > Please take 2 weeks time to consider: > > "This document was adopted as a WG work item, should

Re: [sidr] Validation Reconsidered (again/again) question

2015-11-05 Thread Tim Bruijnzeels
> On 06 Nov 2015, at 10:56, Carlos M. Martinez wrote: > > Aside from process questions (whether the draft should update a standard > or not), I definitely believe the WG should continue working on this. +1 Tim > > -Carlos > > On 11/6/15 10:52 AM, Christopher Morrow