On May 11, 2016, at 9:08 AM, Brian Haberman <brian(_at_)innovationslab(_dot_)net> wrote:
Hi Tom,
Thanks for the in-depth review and your efforts in creating another
implementation of this draft. Responses to your comments are below...
On 4/28/16 6:54 PM, Tom Harrison wrote:
Section 5 requires that an EE certificate be used for the signing of
the RPSL object. An EE certificate must contain an SIA extension that
points to an RPKI signed object (RFC 6487 [4.8.8.2]). The draft does
not define a profile for a new type of object, or specify an existing
one that may be used instead. There are a number of ways to deal with
this: for example, by defining a new profile and changing the
signature URL to suit, or by amending RFC 6487 such that object
pointers in EE certificates are optional.
I would propose adding some text to this draft (probably as a
sub-section in section 2) that says that the SIA defined in RFC 6487 is
omitted when a certificate is used to sign RPSL objects. Given the
single-use nature of the key-pair (section 3.2, point #1), omitting the
SIA is straightforward.
Speaking as one of the wg co-chairs:
You are suggesting much the same as draft-ietf-sidr-bgpsec-pki-profiles -
defining a new EE cert profile.
This draft would have to say that it is updating RFC6485(bis).
Which means making clear what the additions/modifications/deletions are.
So that implementations know how to interpret these new certs when they find
them in some repository, it must be possible to distinguish these new EE certs
from other EE certs.
Etc.
And the wg would have to agree on the changes.
—Sandy, speaking as one of the wg co-chairs
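The SIA point raised in Tom's review, as an added example that is not code from the thread, the draft or RFC 6487: a small pure-Python check, working on constructed DER SIA values, that tells an EE certificate carrying the id-ad-signedObject pointer RFC 6487 requires apart from one whose SIA is omitted as proposed for RPSL signing. The access-method OIDs are the ones RFC 6487 registers; the rsync URIs are placeholders.

```python
# Added example (not from the thread, the draft, or RFC text): a minimal
# DER-level check for the RFC 6487 4.8.8.2 rule that an EE cert's SIA carries
# an id-ad-signedObject pointer. Constructed SIA values; short DER lengths only.
ID_AD_SIGNED_OBJECT = "1.3.6.1.5.5.7.48.11"   # RFC 6487 access method OIDs
ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"

def _oid_body(dotted):            # OBJECT IDENTIFIER content octets
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunk)
    return bytes(body)

def _tlv(tag, body):              # wrap content octets in tag + short length
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sia_extension(access):
    """Encode SubjectInfoAccessSyntax from [(access-method OID, URI), ...]."""
    descs = b"".join(
        _tlv(0x30, _tlv(0x06, _oid_body(oid)) + _tlv(0x86, uri.encode("ascii")))
        for oid, uri in access)   # AccessDescription: OID + GeneralName [6] URI
    return _tlv(0x30, descs)

def _read(buf, pos):              # decode one TLV at pos -> (tag, value, next)
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def signed_object_uri(sia_der):
    """Return the id-ad-signedObject URI, or None if the SIA lacks one."""
    want = _oid_body(ID_AD_SIGNED_OBJECT)
    _, seq, _ = _read(sia_der, 0)
    pos = 0
    while pos < len(seq):
        _, desc, pos = _read(seq, pos)
        _, oid, p = _read(desc, 0)
        tag, loc, _ = _read(desc, p)
        if oid == want and tag == 0x86:
            return loc.decode("ascii")
    return None

def classify_ee_cert(sia_der):
    """'rfc6487': SIA with a signedObject pointer; 'rpsl': SIA omitted, as the
    review proposes for RPSL-signing certs; 'invalid': SIA present but wrong."""
    if sia_der is None:
        return "rpsl"
    return "rfc6487" if signed_object_uri(sia_der) else "invalid"
```

A relying party that adopts the omit-the-SIA approach needs exactly this kind of branch, which is the distinguishability problem Sandy's reply points at.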