Reviewer: Shucheng LIU
Review result: Ready
Hi all,
Sorry that it seems I missed this review request. I guess it's the
first one assigned to me via the new review system.
I have reviewed draft-ietf-sidr-bgpsec-pki-profiles-21 as part of the
Operational directorate's ongoing effort to review all IETF documents
being processed by the IESG. These comments were written with the
intent of improving the operational aspects of the IETF drafts.
Comments that are not addressed in last call may be included in AD
reviews during the IESG review. Document editors and WG chairs should
treat these comments just like any other last call comments.
“This document defines a standard profile for X.509 certificates used
to enable validation of Autonomous System (AS) paths in the Border
Gateway Protocol (BGP), as part of an extension to that protocol
known as BGPsec. BGP is the standard for inter-domain routing in
the
Internet; it is the "glue" that holds the Internet together.
BGPsec
is being developed as one component of a solution that addresses
the
requirement to provide security for BGP. The goal of BGPsec is to
provide full AS path validation based on the use of strong
cryptographic primitives. The end-entity (EE) certificates
specified
by this profile are issued to routers within an Autonomous System.
Each of these certificates is issued under a Resource Public Key
Infrastructure (RPKI) Certification Authority (CA) certificate.
These CA certificates and EE certificates both contain the AS
Identifier Delegation extension. An EE certificate of this type
asserts that the router(s) holding the corresponding private key
are
authorized to emit secure route advertisements on behalf of the
AS(es) specified in the certificate. This document also profiles
the
format of certification requests, and specifies Relying Party (RP)
certificate path validation procedures for these EE certificates.
This document extends the RPKI; therefore, this documents updates
the
RPKI Resource Certificates Profile (RFC 6487).”
My overall view of the document is 'Ready' for publication.
** Technical **
No.
** Editorial **
*Section 4
BGPsec Router Certificates always include the BGPsec Rouer EKU
value; therefore, request without the value result in
certificates
with the value; and,
s/Rouer/Router