Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04.txt> (Resource Public Key Infrastructure (RPKI) Trust Anchor Locator) to Proposed Standard
Richard Hansen <rhansen@bbn.com> Thu, 30 July 2015 00:52 UTC
Return-Path: <rhansen@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CC561B313F; Wed, 29 Jul 2015 17:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lsN9k-eScUUp; Wed, 29 Jul 2015 17:52:24 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82DE61B3121; Wed, 29 Jul 2015 17:52:24 -0700 (PDT)
Received: from socket.bbn.com ([192.1.120.102]:41375) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rhansen@bbn.com>) id 1ZKc59-0007U7-4i; Wed, 29 Jul 2015 20:52:23 -0400
X-Submitted: to socket.bbn.com (Postfix) with ESMTPSA id CF2E940076
Message-ID: <55B97546.3060200@bbn.com>
Date: Wed, 29 Jul 2015 20:52:22 -0400
From: Richard Hansen <rhansen@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <20150709134637.7120.70507.idtracker@ietfa.amsl.com> <55A5E727.7020605@bbn.com>
In-Reply-To: <55A5E727.7020605@bbn.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/FgoTFMQjGrNYCAkg8lnZIZ1bnZQ>
Cc: ietf@ietf.org
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04.txt> (Resource Public Key Infrastructure (RPKI) Trust Anchor Locator) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 00:52:27 -0000
Hi all, I misread the MIME RFC; it requires line breaks every 76 characters, not every 75. So I think 76 is a better choice. My new proposal is to change Section 2.1 item #3 from: 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded in Base64 (see Section 4 of [RFC4648]. to: 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded in Base64 (see Section 4 of [RFC4648]). To avoid long lines, a <CRLF> or <LF> line break MUST be inserted into the Base64 encoded string every 76 or fewer characters. (This is the same as option #3 in my previous email but with 76 instead of 75.) -Richard On 2015-07-15 00:52, Richard Hansen wrote: > There is one substantive issue I noticed: embedded newlines in the > Base64 string. > > Section 2.1 refers to Base64 encoding, defined in RFC4648 Section 4. > RFC4648 Section 3.1 says: > > Implementations MUST NOT add line feeds to base-encoded data unless > the specification referring to this document explicitly directs base > encoders to add line feeds after a specific number of characters. > > This draft does not say anything about adding newlines to the Base64 > string, yet: > > * all published TALs (that I could find) contain embedded newlines at > regular intervals, in violation of this specification > * the example in Section 2.3 contains embedded newlines every 57 > characters > > All existing implementations support embedded newlines at arbitrary > places in the Base64 string, including multiple newlines in a row (if > I'm reading everyone's code correctly). > > I see three possible fixes: > > 1. Add a note next to the example in Section 2.3 that says that > newlines were added to the example due to line length limitations > in the RFC format. Encourage TAL publishers to fix their TALs by > removing the embedded newlines. > > 2. Permit but don't require newlines. For example, change Section 2.1 > item #3 from: > > 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], > encoded in Base64 (see Section 4 of [RFC4648]. > > to: > > 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], > encoded in Base64 (see Section 4 of [RFC4648]). To avoid > long lines, <CRLF> or <LF> line breaks MAY be inserted into > the Base64 encoded string. > > 3. Require line breaks in the Base64 string. For example, change > Section 2.1 item #3 from: > > 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], > encoded in Base64 (see Section 4 of [RFC4648]. > > to: > > 3) a subjectPublicKeyInfo [RFC5280] in DER format [X.509], > encoded in Base64 (see Section 4 of [RFC4648]). To avoid > long lines, a <CRLF> or <LF> line break MUST be inserted into > the Base64 encoded string every 75 or fewer characters. > > I prefer option #3. If I understand correctly, OpenSSL's Base64 BIO > filter has two modes: no newlines permitted or newlines must be > inserted every 79 or fewer characters. The mode is not automatically > detected; the programmer must choose which mode to use. If the standard > guarantees that all lines will be shorter than 79 characters, then > OpenSSL's Base64 BIO filter can be used without any preprocessing. (The > choice of 75 is more-or-less arbitrary. Keeping it less than 80 is > important for OpenSSL compatibility. MIME (RFC2045) and vCard (RFC6350) > both require Base64 strings to be broken up every 75 or fewer > characters, and I figured it might be good to match.) > > My second choice is option #2. It still requires preprocessing before > OpenSSL's Base64 BIO filter can be used, but it permits existing practice. > > Option #1 is my least favorite. It is the least disruptive to the > document, but it still requires modifying the document so we might as > well modify it to permit existing practice. (Also, getting all of the > RIRs to fix their TALs is probably more work than changing the > specification.) > > Nits: > * section 2.1, item 3: missing close parenthesis > * section 2.1: "comprised of" should be "composed of" > * section 2.1: "one of more" should be "one or more" > * section 3, item 4: "These test" should be "These tests" > * regressions of comma changes made by the RFC Editor before RFC6490 > was published > > -Richard > > > On 2015-07-09 09:46, The IESG wrote: >> >> The IESG has received a request from the Secure Inter-Domain Routing WG >> (sidr) to consider the following document: >> - 'Resource Public Key Infrastructure (RPKI) Trust Anchor Locator' >> <draft-ietf-sidr-rfc6490-bis-04.txt> as Proposed Standard >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final comments on this action. Please send substantive comments to the >> ietf@ietf.org mailing lists by 2015-07-23. Exceptionally, comments may be >> sent to iesg@ietf.org instead. In either case, please retain the >> beginning of the Subject line to allow automated sorting. >> >> Abstract >> >> >> This document defines a Trust Anchor Locator (TAL) for the Resource >> Public Key Infrastructure (RPKI). This document obsoletes RFC6490 by >> adding support for multiple URIs in a TAL. >> >> >> A down reference exists in this document by using RFC5781 as a Normative >> Reference. RFC5781 has already been accepted by the community as a down >> reference and is properly documented in the DOWNREF Registry. >> >> The DOWNREF Registry can be accessed via >> https://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry >> >> The file can be obtained via >> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6490-bis/ >> >> IESG discussion can be tracked via >> https://datatracker.ietf.org/doc/draft-ietf-sidr-rfc6490-bis/ballot/ >> >> >> No IPR declarations have been submitted directly on this I-D.
- [sidr] Last Call: <draft-ietf-sidr-rfc6490-bis-04… The IESG
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Richard Hansen
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Tim Bruijnzeels
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Richard Hansen
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Rob Austein
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… David Mandelberg
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Sandra Murphy
- Re: [sidr] Last Call: <draft-ietf-sidr-rfc6490-bi… Rob Austein