Alexey Melnikov has entered the following ballot position for draft-ietf-sidr-delta-protocol-07: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I would be happy to ballot Yes on this document, as it is well written and is a useful piece of work. However, I have one issue (and a few minor comments) that I would like to DISCUSS before doing so:

In Section 5.3 the document says:

   It is RECOMMENDED that Relying Parties and Publication Servers follow the Best Current Practices outlined in [RFC7525] on the use of HTTP over TLS (HTTPS) [RFC2818].

RFC 7525 is referencing RFC 6125 for server hostname validation. Unfortunately this is not detailed enough to perform hostname validation, because a reference to RFC 6125 requires specifying answers to every question in Section 3 of RFC 6125. (And there is no generic RFC that specifies how this is done for protocols using HTTP.)

One example of how this might look is in Section 9.2 of <https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-rtr-rfc6810-bis/?include_text=1>. For your convenience the relevant text is pasted below:

   Routers MUST also verify the cache's TLS server certificate, using subjectAltName dNSName identities as described in [RFC6125], to avoid man-in-the-middle attacks. The rules and guidelines defined in [RFC6125] apply here, with the following considerations:

   Support for DNS-ID identifier type (that is, the dNSName identity in the subjectAltName extension) is REQUIRED in rpki-rtr server and client implementations which use TLS. Certification authorities which issue rpki-rtr server certificates MUST support the DNS-ID identifier type, and the DNS-ID identifier type MUST be present in rpki-rtr server certificates.

   DNS names in rpki-rtr server certificates SHOULD NOT contain the wildcard character "*".

   rpki-rtr implementations which use TLS MUST NOT use CN-ID identifiers; a CN field may be present in the server certificate's subject name, but MUST NOT be used for authentication within the rules described in [RFC6125].

The only thing missing from the above is explicit mention that SRV-ID and URI-ID are not used. (I think the same should apply to your document.)

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

In 3.2: HTTPS reference is out-of-date.

SHA-256 needs a reference.

The shepherding write-up says that the schema was not validated. Why not?

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
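As an added illustration (not part of the ballot or of any IETF draft) of what the RFC 6125 profile quoted above means for a client, the following Python check accepts a server identity only through a subjectAltName DNS-ID, refuses wildcard names, and ignores CN-ID, SRV-ID and URI-ID. The certificate is modelled as an already-parsed structure (ParsedServerCert, an assumed helper type); real code would fill it from an X.509 library after chain validation, and treating wildcards as non-matching is a stricter choice than the draft's SHOULD NOT.

```python
# Added example: RFC 6125 identity matching restricted to DNS-ID, with no
# wildcard matching and CN-ID / SRV-ID / URI-ID never consulted.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ParsedServerCert:
    """Constructed view of the identity fields of a TLS server certificate."""
    subject_cn: Optional[str]        # CN-ID: may be present, never used for matching
    san: List[Tuple[str, str]]       # subjectAltName entries as (type, value)


def _normalize_dns(name: str) -> str:
    # DNS-ID comparison is case-insensitive; a trailing root dot is ignored.
    return name.rstrip(".").lower()


def validate_server_identity(cert: ParsedServerCert, reference: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for the reference identifier the client connected to."""
    dns_ids = [value for kind, value in cert.san if kind == "DNS"]
    if not dns_ids:
        # DNS-ID is REQUIRED; a matching CN, SRV-ID or URI-ID does not rescue the cert.
        return False, "no DNS-ID in subjectAltName (CN-ID, SRV-ID and URI-ID are not used)"
    ref = _normalize_dns(reference)
    for name in dns_ids:
        if "*" in name:
            # Wildcard names are SHOULD NOT in the profile; this checker refuses them
            # outright (an assumption, stricter than the quoted text).
            continue
        if _normalize_dns(name) == ref:
            return True, f"matched DNS-ID {name}"
    return False, "no DNS-ID matched the reference identifier"


def demo() -> dict:
    """Constructed certificates exercising each rule of the profile."""
    host = "rrdp.example.net"
    cases = {
        "san-dns-match": ParsedServerCert("ignored", [("DNS", "RRDP.Example.NET.")]),
        "cn-only": ParsedServerCert(host, []),
        "wildcard-only": ParsedServerCert(None, [("DNS", "*.example.net")]),
        "uri-id-only": ParsedServerCert(None, [("URI", "https://rrdp.example.net/notify.xml")]),
        "other-dns": ParsedServerCert(host, [("DNS", "rrdp.example.org")]),
    }
    return {label: validate_server_identity(c, host)[0] for label, c in cases.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:15} -> {'accept' if accepted else 'reject'}")
```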