Hi,
While thinking about RRDP (draft-ietf-sidr-delta-protocol-00), I
realized that there's a minor conflict between RRDP's push to transition
from rsync to http(s), and the TAL format's requirement to use only
rsync URIs. I propose the below changes to
draft-ietf-sidr-rfc6490-bis-03 to make RRDP's work easier in the future
without causing any harm now. Sorry to bring this up so late in the
process for draft-ietf-sidr-rfc6490-bis.
In the abstract, change:
This document obsoletes RFC 6490 by adding support for multiple URIs
in a TAL.
to:
This document obsoletes RFC 6490 by adding support for multiple URIs
in a TAL, and allowing URI schemes other than rsync.
In section 2.1, change:
where the URI section is comprised of one of more of the ordered
sequence of:
1.1) an rsync URI [RFC5781],
1.2) a <CRLF> or <LF> line break.
to:
where the URI section is comprised of one of more of the ordered
sequence of:
1.1) a URI [RFC3986],
1.2) a <CRLF> or <LF> line break.
The URI section MUST include one or more rsync URIs [RFC5781].
Non-rsync URIs MAY be present.
I assume that an rfc3986 URI cannot include either <CRLF> or <LF>, but
if I'm wrong then I'd like to add a MUST NOT somewhere in this text.
In section 2.2, change:
Each rsync URI in the TAL MUST reference a single object.
to:
Each URI in the TAL MUST reference a single object.
and:
Where the TAL contains two or more rsync URIs, then the same self-
signed CA certificate MUST be found at each referenced location. In
order to operational increase resilience, it is RECOMMENDED that the
domain name parts of each of these URIs resolve to distinct IP
addresses that are used by a diverse set of repository publication
points, and these IP addresses be included in distinct Route
Origination Authorizations (ROAs) objects signed by different CAs.
to:
Where the TAL contains two or more URIs, then the same self-
signed CA certificate MUST be found at each referenced object. In
order to increase operational resilience, it is RECOMMENDED that
no two URLs which share a scheme have domain name parts that can
resolve to the same IP address. Additionally, it is RECOMMENDED that
these IP addresses be included in distinct Route
Origination Authorizations (ROAs) objects signed by different CAs.
In section 3, add this paragraph at the beginning:
An RP MUST support the rsync URI scheme and MAY support additional
URI schemes. An RP SHOULD ignore all URIs with unsupported schemes.
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
