SlideShare a Scribd company logo

IETF 103: Deploying validation reconsidered

APNIC
APNIC

Senior Research and Development Scientist George Mchaelson presents on 'Deploying validation reconsidered' at IETf 103 in in Bangkok, Thailand from 3 to 9 November 2018.

Internet
1 of 9
Download to read offline
1 Deploying Validation Reconsidered George Michaelson ggm@apnic.net Tim Bruijnzeels tim@opennetlabs.nl
2 Deploying Validation Reconsidered George Michaelson ggm@apnic.net Tim Bruijnzeels tim@opennetlabs.nl ”three or four slides smaller than last time”
3 Problem Statement • Deployment requires three things in coordination [*] 1. Available code to sign and validate objects under the new OID 2. Agreement to move to the new model by relying parties and signers 3. A decision about how to move – Either it’s like a flag-day as in RFC6916 – Or it’s a mixed-mode operation in one tree [*] In no implied order
4 Available code to sign and verify • Code changes for signers are minimal – If it’s a flag-day. Its “one line” to move to the new OID in the code which mints certificates with the private key – If it’s mixed-mode, it’s the option to choose the OID, and UI or protocol changes to support specification of which OID is to be used in the specific moment of signing • Code changes for verifiers are less easy – Can minimally change to permit new OID, for ‘fully covered’ case • Change to handle oversign properly requires more work – Parse out and hold the valids, flag the overclaim, move on – Transition moments through intermediate objects. New data structures…
5 Agreement to move to the new model by relying parties and signers • There has been no active engagement to discuss a timeline. • We (the RIR) wish to propose some future date, TBD, as a ”flag day” to give one year to prepare to migrate • We want to go into the *-NOG and other forums to seek consensus to move from operators and related parties
6 What kind of deployment? • “there can only be one” (OID) demands flag day – Analogous to RFC6916 – All or nothing, but simple – Transition happens through a staged window of dual state • “we can mix it up” – Operate mixed-mode, signing CA determines setting over child – RIRs seek flag-day to release TAL which bear the new OID – Still requires acceptance of the new OID to deploy TAL so still carries the need for consensus in code and userbase
7 Tri-partite deployment deadlock • Can’t move without code • Can’t move without consent/agreement by RPs and Cas • Can’t deploy new TAL without either of the above
8 It doesn’t get easier by waiting • Present at *NOG to seek consensus to deploy at a TBD • As it stands, we’re talking a moment of change for < 500 entities (more downstream affected parties, IP coverage not measured) – It’s already a distributed problem • Flag day move to new OID is logistically simpler – Hack: simply recognize but reject overclaim == current model – In either case, deployment of TAL with new OID would be fatal to RP if validators don’t implement
9 Where to from here? • Seeking WG adoption: – Pick a method – Discuss a timeline • Gauge Operations community engagement at NOG – Assuming we get traction/consensus to proceed in the operations community… • Define the TBD date – Coordinate with s/w developers to support new OID

Recommended

[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
Basics of networking and demo on vpc
Basics of networking and demo on vpcBasics of networking and demo on vpc
Basics of networking and demo on vpc
Jai Prakash Dave
 
Bit coin
Bit coinBit coin
Bit coin
Paramesh Devarasetty
 
Ibp technical introduction
Ibp technical introductionIbp technical introduction
Ibp technical introduction
LennartF
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the Mainstream
Nick Sullivan
 
Fibo proof of concept for blockchain applications
Fibo proof of concept for blockchain applicationsFibo proof of concept for blockchain applications
Fibo proof of concept for blockchain applications
Mike Bennett
 
IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0
Matt Lucas
 
Hyperledger fabric 3
Hyperledger fabric 3Hyperledger fabric 3
Hyperledger fabric 3
Arvind Sridharan
 

Recommended

[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
Basics of networking and demo on vpc
Basics of networking and demo on vpcBasics of networking and demo on vpc
Basics of networking and demo on vpc
Jai Prakash Dave
 
Bit coin
Bit coinBit coin
Bit coin
Paramesh Devarasetty
 
Ibp technical introduction
Ibp technical introductionIbp technical introduction
Ibp technical introduction
LennartF
 
Bringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the MainstreamBringing Elliptic Curve Cryptography into the Mainstream
Bringing Elliptic Curve Cryptography into the Mainstream
Nick Sullivan
 
Fibo proof of concept for blockchain applications
Fibo proof of concept for blockchain applicationsFibo proof of concept for blockchain applications
Fibo proof of concept for blockchain applications
Mike Bennett
 
IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0
Matt Lucas
 
Hyperledger fabric 3
Hyperledger fabric 3Hyperledger fabric 3
Hyperledger fabric 3
Arvind Sridharan
 
New gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub WebinarNew gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub Webinar
ResellerClub
 
Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009
Register.it
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
Vishwas Manral
 
FIWARE Global Summit - Developing New IoT Agents
FIWARE Global Summit - Developing New IoT AgentsFIWARE Global Summit - Developing New IoT Agents
FIWARE Global Summit - Developing New IoT Agents
FIWARE
 
“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation
Shane Coughlan
 
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger WorkshopIBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM France Lab
 
StarkNet ERC20 + ERC721
StarkNet ERC20 + ERC721StarkNet ERC20 + ERC721
StarkNet ERC20 + ERC721
TinaBregovi
 
Blockchain on the oracle cloud, the next big thing
Blockchain on the oracle cloud, the next big thingBlockchain on the oracle cloud, the next big thing
Blockchain on the oracle cloud, the next big thing
Robert van Mölken
 
Ergo Hong Kong meetup
Ergo Hong Kong meetupErgo Hong Kong meetup
Ergo Hong Kong meetup
Dmitry Meshkov
 
Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49
ICANN
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
Jaime Martin Losa
 
Algorand Technical Workshop 2021
Algorand Technical Workshop 2021Algorand Technical Workshop 2021
Algorand Technical Workshop 2021
DanielBohnemann
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013
Ryan Koop
 
What's New In Blockchain For Business Technology (October 2019)
What's New In Blockchain For Business Technology (October 2019)What's New In Blockchain For Business Technology (October 2019)
What's New In Blockchain For Business Technology (October 2019)
Matt Lucas
 
TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49
ICANN
 
Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011
roydealsimon
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Arnaud Le Hors
 
blockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutionsblockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutions
Juarez Junior
 
Modeling Blockchain Applications v1.02
Modeling Blockchain Applications v1.02Modeling Blockchain Applications v1.02
Modeling Blockchain Applications v1.02
Matt Lucas
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
OnBoard Security, Inc. - a Qualcomm Company
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 

More Related Content

Similar to IETF 103: Deploying validation reconsidered

Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009
Register.it
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
Vishwas Manral
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013
Ryan Koop
 
Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011
roydealsimon
 

Similar to IETF 103: Deploying validation reconsidered (20)

New gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub WebinarNew gTLDs are coming! - ResellerClub Webinar
New gTLDs are coming! - ResellerClub Webinar
 
Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009
 
Blockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel AbiodunBlockchain & Security in Oracle by Emmanuel Abiodun
Blockchain & Security in Oracle by Emmanuel Abiodun
 
FIWARE Global Summit - Developing New IoT Agents
FIWARE Global Summit - Developing New IoT AgentsFIWARE Global Summit - Developing New IoT Agents
FIWARE Global Summit - Developing New IoT Agents
 
“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation
 
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger WorkshopIBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
 
StarkNet ERC20 + ERC721
StarkNet ERC20 + ERC721StarkNet ERC20 + ERC721
StarkNet ERC20 + ERC721
 
Blockchain on the oracle cloud, the next big thing
Blockchain on the oracle cloud, the next big thingBlockchain on the oracle cloud, the next big thing
Blockchain on the oracle cloud, the next big thing
 
Ergo Hong Kong meetup
Ergo Hong Kong meetupErgo Hong Kong meetup
Ergo Hong Kong meetup
 
Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
 
Algorand Technical Workshop 2021
Algorand Technical Workshop 2021Algorand Technical Workshop 2021
Algorand Technical Workshop 2021
 
"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013"How overlay networks can make public clouds your global WAN" from LASCON 2013
"How overlay networks can make public clouds your global WAN" from LASCON 2013
 
What's New In Blockchain For Business Technology (October 2019)
What's New In Blockchain For Business Technology (October 2019)What's New In Blockchain For Business Technology (October 2019)
What's New In Blockchain For Business Technology (October 2019)
 
TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49TLD Launch Process Experiences & Registry Onboarding from ICANN 49
TLD Launch Process Experiences & Registry Onboarding from ICANN 49
 
Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011Transforge v2.0, ukiua 2011
Transforge v2.0, ukiua 2011
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
blockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutionsblockchain workshop - blockchain and oabcs - solutions
blockchain workshop - blockchain and oabcs - solutions
 
Modeling Blockchain Applications v1.02
Modeling Blockchain Applications v1.02Modeling Blockchain Applications v1.02
Modeling Blockchain Applications v1.02
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 

More from APNIC

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
ChloeMeadows1
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
lolsDocherty
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 

Recently uploaded (16)

Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of apps
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresenceCyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
 
Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirts
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdf
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
Topology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdfTopology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdf
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 

IETF 103: Deploying validation reconsidered

  • 1. 1 Deploying Validation Reconsidered George Michaelson ggm@apnic.net Tim Bruijnzeels tim@opennetlabs.nl
  • 2. 2 Deploying Validation Reconsidered George Michaelson ggm@apnic.net Tim Bruijnzeels tim@opennetlabs.nl ”three or four slides smaller than last time”
  • 3. 3 Problem Statement • Deployment requires three things in coordination [*] 1. Available code to sign and validate objects under the new OID 2. Agreement to move to the new model by relying parties and signers 3. A decision about how to move – Either it’s like a flag-day as in RFC6916 – Or it’s a mixed-mode operation in one tree [*] In no implied order
  • 4. 4 Available code to sign and verify • Code changes for signers are minimal – If it’s a flag-day. Its “one line” to move to the new OID in the code which mints certificates with the private key – If it’s mixed-mode, it’s the option to choose the OID, and UI or protocol changes to support specification of which OID is to be used in the specific moment of signing • Code changes for verifiers are less easy – Can minimally change to permit new OID, for ‘fully covered’ case • Change to handle oversign properly requires more work – Parse out and hold the valids, flag the overclaim, move on – Transition moments through intermediate objects. New data structures…
  • 5. 5 Agreement to move to the new model by relying parties and signers • There has been no active engagement to discuss a timeline. • We (the RIR) wish to propose some future date, TBD, as a ”flag day” to give one year to prepare to migrate • We want to go into the *-NOG and other forums to seek consensus to move from operators and related parties
  • 6. 6 What kind of deployment? • “there can only be one” (OID) demands flag day – Analogous to RFC6916 – All or nothing, but simple – Transition happens through a staged window of dual state • “we can mix it up” – Operate mixed-mode, signing CA determines setting over child – RIRs seek flag-day to release TAL which bear the new OID – Still requires acceptance of the new OID to deploy TAL so still carries the need for consensus in code and userbase
  • 7. 7 Tri-partite deployment deadlock • Can’t move without code • Can’t move without consent/agreement by RPs and Cas • Can’t deploy new TAL without either of the above
  • 8. 8 It doesn’t get easier by waiting • Present at *NOG to seek consensus to deploy at a TBD • As it stands, we’re talking a moment of change for < 500 entities (more downstream affected parties, IP coverage not measured) – It’s already a distributed problem • Flag day move to new OID is logistically simpler – Hack: simply recognize but reject overclaim == current model – In either case, deployment of TAL with new OID would be fatal to RP if validators don’t implement
  • 9. 9 Where to from here? • Seeking WG adoption: – Pick a method – Discuss a timeline • Gauge Operations community engagement at NOG – Assuming we get traction/consensus to proceed in the operations community… • Define the TBD date – Coordinate with s/w developers to support new OID