Terry,
Can you elaborate on what you'd like to see in section 3 of the document?
My interpretation of your comment is that you would like to see a
prescribed (or recommended) order for the checks performed in ROA
validation. I am reluctant to put in such a prescribed ordering in this
document for two reasons: (1) It doesn't affect ROA semantics or the
interoperation of relying party software with ROA producing software;
(2) I don't think there is an obviously correct order (in particular,
there exist multiple relying party implementations today and I do not
believe that they all perform the checks in the same order).
With regards to number (2) above, to minimize the time to process a set
of ROAs one must consider both the probability that a check succeeds (in
general, checks that are likely to fail should be performed sooner) and
the cost of performing a given check at a given point in the processing
(in general, inexpensive checks should be performed before expensive
ones). The former probability depends on the population of invalid ROAs
(e.g., what will be the greatest source of invalid ROAs in the system?
... perhaps expired/revoked end-entity certificates?) The latter cost is
highly implementation dependent (e.g., the cost to validate the
end-entity certificate will greatly depend on the data structures that
are used to store and process certificates).
In any case, if the working group feels that there is a clear
recommended processing order that we can provide in Section 3 that will
increase the likelihood that implementors produce efficient software,
then please send some text and I'd be happy to insert it.
- Matt Lepinski
Terry Manderson wrote:
I support this document going forward.
The only comment I have is that I'd prefer to see a preference order in
validation (section 3) to help relying party S/W writers to make efficient
choices in the validation path - but that isn't a stopping block for me.
Cheers
Terry
On 28/10/09 12:48 PM, "Geoff Huston" <[email protected]> wrote:
The WG chairs have received a Working Group Last Call request from the
authors of draft-ietf-sidr-roa-format-06.txt.
The document (and the draft history) is at
http://tools.ietf.org/html/draft-ietf-sidr-roa-format-06
The Last Call will end as of the close of business on Monday 23rd
November - this is a longer period than a conventional 2 week last
call period in order to include the forthcoming SIDR WG meeting at
IETF 76.
The intended status of this document is proposed standard.
As usual, please address all comments to the WG mailing list, and
please be clear in your comments to this last call if you are
supporting the document's submission to the IESG or if you are
opposed, or if you are not expressing a view either way. As there are
a number of documents that are being last-called at this point in time
it would be appreciated if responses could clearly identify which
document is being referred to.
Also with this note I would like to request the document's authors to
prepare an interoperability report.
Thanks,
Geoff
WG Co-Chair hat ON
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
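
The trade-off described in the reply above (run checks that are likely to fail early, and cheap checks before expensive ones) can be worked through numerically. This is an added example, not part of the original thread or of any relying party implementation. It assumes the checks are independent, can run in any order, and that processing stops at the first failure; the check names, costs and failure probabilities are constructed for illustration.

```python
from itertools import permutations

# Constructed figures: name -> (relative cost, probability the check fails).
# These are assumptions, not measurements of any real validator.
CHECKS = {
    "syntax":        (1.0, 0.02),
    "ee_validity":   (2.0, 0.10),
    "ee_revocation": (5.0, 0.05),
    "ee_cert_path":  (20.0, 0.03),
    "signature":     (15.0, 0.01),
}

# A different population of invalid ROAs: many revoked end-entity certificates.
REVOKED_HEAVY = {**CHECKS, "ee_revocation": (5.0, 0.40)}


def expected_cost(order, checks):
    """Expected cost per ROA when processing stops at the first failed check."""
    total, p_reached = 0.0, 1.0
    for name in order:
        cost, p_fail = checks[name]
        total += p_reached * cost      # paid only if all earlier checks passed
        p_reached *= 1.0 - p_fail
    return total


def ratio_order(checks):
    """Sort by cost / failure probability, ascending.

    Swapping two adjacent checks A, B changes the expected cost by a term
    whose sign depends only on cost_A/p_A versus cost_B/p_B, so this order
    minimises expected cost under the independence assumption.
    """
    def ratio(name):
        cost, p_fail = checks[name]
        return cost / p_fail if p_fail > 0 else float("inf")
    return sorted(checks, key=ratio)


def brute_force_best(checks):
    """Exhaustive search over all orders, used to confirm the ratio rule."""
    return min(permutations(checks), key=lambda o: expected_cost(o, checks))


if __name__ == "__main__":
    for label, pop in (("baseline", CHECKS), ("revoked-heavy", REVOKED_HEAVY)):
        order = ratio_order(pop)
        print(label, order, round(expected_cost(order, pop), 3))
```

The best order changes between the two populations, which is the reason given in the reply for not prescribing a single order.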