Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

marcelo bagnulo braun <marcelo@it.uc3m.es> Tue, 06 October 2009 18:30 UTC

Message-ID: <4ACB8D2A.9010208@it.uc3m.es>
Date: Tue, 06 Oct 2009 20:32:10 +0200
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
To: Roque Gagliano <roque@lacnic.net>
References: <20091006112313.4514728C167@core3.amsl.com> <3459FB4F-F275-4436-ADBE-B35EF8FD88F7@lacnic.net> <4ACB4BF5.8090102@it.uc3m.es> <6ADE5FD5-0981-44C2-ACA6-C943F1466AAC@lacnic.net>
In-Reply-To: <6ADE5FD5-0981-44C2-ACA6-C943F1466AAC@lacnic.net>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

ah, perfect then!

I guess I got confused by the title of the section that reads:

3.  SEND SKI trust anchor identifier option

But you are not defining a SEND SKI trust anchor identifier option but 
you are defining a SKI NAME TYPE, correct?

If so, I don't think we need to update RFC 3971; we just need to publish 
this document as a Standards Track RFC, correct?

Regards, marcelo



Roque Gagliano wrote:
> Marcelo,
>
> What is being proposed is exactly that, a new Name Type of the Trust 
> Anchor option:
>
> Name Type
> TBD        SHA-1 Subject Key Identifier (SKI)
>
> To be added to the ones already defined in RFC 3971, section 6.4.3:
> "The type of the name included in the Name field.  This
>  specification defines two legal values for this field:
>  1        DER Encoded X.501 Name
>  2        FQDN"
>
> Regards,
> Roque
>
> On Oct 6, 2009, at 2:53 PM, marcelo bagnulo braun wrote:
>
>> Hi,
>>
>> My take on this one.
>> I think we need a way to distinguish TAs across different CAs. I 
>> think that using the Hash of the public key is a reasonable option.
>>
>> Now, what I am not sure I understand is why we need a new option.
>> I mean, wouldn't it be possible to define a new Name Type of the Trust 
>> Anchor option defined in section 6.4.3 of RFC 3971, the new Name Type 
>> being the SKI?
>>
>> People that are using multiple TAs should use this Name Type to be 
>> certain that they identify the right TA across multiple TAs.
>>
>> Regards, marcelo
>>
>>
>> Roque Gagliano wrote:
>>> Dear WG,
>>>
>>> At the "cert" team we have identified a problem with RFC 3971 and the 
>>> trust anchor name types defined there. The RFC defines as possible 
>>> name types an X.501 subject name or an FQDN. The problem we have is 
>>> that the subject name may not be unique across CAs in a PKI.
>>> As we decided to adopt SIDR WG certificate profile, the Subject Key 
>>> Identifier extension is mandatory now. Consequently, we can use this 
>>> hash of the subject public key to identify the host TAs even if we 
>>> need to search across several CAs.
>>>
>>> We are issuing this draft to document the problem. However, RFC 3971 
>>> did not set up a registry for name types in the TA ICMP option, which 
>>> means that the only way to implement this new name type is to modify 
>>> RFC 3971, which I understand was already part of the plans for this WG.
>>> How does the group feel about taking this path?
>>>
>>> Regards,
>>>
>>> Roque, Suresh, Ana.
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: IETF I-D Submission Tool <idsubmission@ietf.org>
>>>> Date: October 6, 2009 12:23:13 PM GMT+01:00
>>>> To: roque@lacnic.net
>>>> Cc: suresh.krishnan@ericsson.com, ana.kukec@fer.hr
>>>> Subject: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00
>>>>
>>>>
>>>> A new version of I-D, 
>>>> draft-rgaglian-csi-send-ski-ta-nametype-00.txt has been successfully 
>>>> submitted by Roque Gagliano and posted to the IETF repository.
>>>>
>>>> Filename: draft-rgaglian-csi-send-ski-ta-nametype
>>>> Revision: 00
>>>> Title: Subject Key Identifier (SKI) name type for SEND TA option
>>>> Creation_date: 2009-10-06
>>>> WG ID: Independent Submission
>>>> Number_of_pages: 10
>>>>
>>>> Abstract:
>>>> SEcure Neighbor Discovery (SEND) utilizes X.509v3 certificates for
>>>> performing router authorization.  This document specifies a SEND name
>>>> type to identify trust anchor X.509v3 certificates based on their
>>>> Subject Key Identifier.
>>>>
>>>>
>>>>
>>>> The IETF Secretariat.
>>>>
>>>
>>> -------------------------------------------------------------
>>> Roque Gagliano
>>> LACNIC
>>> roque@lacnic.net
>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>>
>
> -------------------------------------------------------------
> Roque Gagliano
> LACNIC
> roque@lacnic.net
> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>
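As an added illustration (not code from the draft or from anyone on this thread), the Python below shows the two pieces the thread discusses: deriving a trust anchor's SKI the way the SIDR certificate profile requires (SHA-1 over the subjectPublicKey, RFC 5280 section 4.2.1.2 method 1) and carrying it in the RFC 3971 Trust Anchor option as a new Name Type, so that a host holding several TAs with the same subject name can still pick the right one. The name type value, the RSA moduli and the subject names are constructed placeholders, since the draft leaves the value TBD.

```python
import hashlib

TA_OPTION_TYPE = 15       # RFC 3971 sec. 6.4.3 Trust Anchor option
NAME_TYPE_SKI_TBD = 0xFF  # placeholder only: the SKI name type value is TBD in the draft

def der_tlv(tag, body):
    # Minimal DER TLV encoder with short- or long-form definite length.
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_read(buf, off=0):
    # Decode one DER TLV at buf[off]; returns (tag, body, offset past it).
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def der_int(v):  # the spare octet keeps a value whose top bit is set positive
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def rsa_spki(n, e):
    # SubjectPublicKeyInfo: rsaEncryption AlgorithmIdentifier + RSAPublicKey in a BIT STRING.
    alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    key = der_tlv(0x30, der_int(n) + der_int(e))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))  # 0x00 = no unused bits

def subject_key_identifier(spki):
    # SKI per RFC 5280 4.2.1.2 method 1 (as the SIDR profile requires): SHA-1 over the
    # subjectPublicKey BIT STRING contents, excluding tag, length and unused-bits octet.
    _, seq, _ = der_read(spki)
    _, _, off = der_read(seq)  # skip AlgorithmIdentifier
    tag, bitstr, _ = der_read(seq, off)
    return hashlib.sha1(bitstr[1:]).digest()  # [1:] drops the unused-bits octet

def trust_anchor_option(name_type, name):
    # RFC 3971 TA option: Type, Length (8-octet units, whole option), Name Type,
    # Pad Length, Name, then zero padding up to an 8-octet boundary.
    pad = (-(4 + len(name))) % 8
    hdr = bytes([TA_OPTION_TYPE, (4 + len(name) + pad) // 8, name_type, pad])
    return hdr + name + bytes(pad)

# Constructed anchors: two CAs sharing a subject name (made-up moduli, not real keys).
ANCHORS = [
    {"subject": "CN=SEND Router CA", "spki": rsa_spki(int("c3a5" * 32, 16), 65537)},
    {"subject": "CN=SEND Router CA", "spki": rsa_spki(int("9e7d" * 32, 16), 65537)},
]

def select_by_ski(anchors, ski):  # subject name alone would match both anchors
    return [a for a in anchors if subject_key_identifier(a["spki"]) == ski]
```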