Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

marcelo bagnulo braun <marcelo@it.uc3m.es> Tue, 06 October 2009 21:03 UTC

Message-ID: <4ACBB0EE.8050502@it.uc3m.es>
Date: Tue, 06 Oct 2009 23:04:46 +0200
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
To: Roque Gagliano <roque@lacnic.net>
References: <20091006112313.4514728C167@core3.amsl.com> <3459FB4F-F275-4436-ADBE-B35EF8FD88F7@lacnic.net> <4ACB4BF5.8090102@it.uc3m.es> <6ADE5FD5-0981-44C2-ACA6-C943F1466AAC@lacnic.net> <4ACB8D2A.9010208@it.uc3m.es> <7113AD42-CE2D-442E-9DCC-28679E322633@lacnic.net>
In-Reply-To: <7113AD42-CE2D-442E-9DCC-28679E322633@lacnic.net>
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>

Roque Gagliano wrote:
>
> Marcelo,
>
> On Oct 6, 2009, at 7:32 PM, marcelo bagnulo braun wrote:
>
>> ah, perfect then!
>>
>> I guess i got confused by the title of the section that reads:
>>
>> 3.  SEND SKI trust anchor identifier option
>>
>> But you are not defining a SEND SKI trust anchor identifier option 
>> but you are defining a SKI NAME TYPE, correct?
>>
>
> correct.
>
>> If so, i don't think we need to update rfc3971, we just need to 
>> publish this document as STD RFC, correct?
>>
>
> The problem that I described in the original email was that RFC 3971 
> does not define a registry for name types. We issue this document just 
> to point out that we believe that this new name type is needed. What 
> we could do is to modify the draft to create this registry and add the 
> SKI name type to the ones defined in RFC 3971.
>
> What does the group feel about this?

This seems a reasonable option to me.

Could you update the document and include an IANA Considerations section?

Regards, marcelo

>
> Roque.
>
>> Regards, marcelo
>>
>>
>>
>> Roque Gagliano wrote:
>>> Marcelo,
>>>
>>> What is being proposed is exactly that, a new Name Type of the 
>>> Trust Anchor Option:
>>>
>>> Name Type  TBD  SHA-1 Subject Key Identifier (SKI)
>>>
>>> To be added to the ones already defined in RFC 3971 in section 6.4.3:
>>> "The type of the name included in the Name field.  This
>>>      specification defines two legal values for this field:
>>>      1        DER Encoded X.501 Name
>>>      2        FQDN"
>>>
>>> Regards,
>>> Roque
>>>
>>> On Oct 6, 2009, at 2:53 PM, marcelo bagnulo braun wrote:
>>>
>>>> Hi,
>>>>
>>>> My take on this one.
>>>> I think we need a way to distinguish TAs across different CAs. I 
>>>> think that using the hash of the public key is a reasonable option.
>>>>
>>>> Now, what I am not sure I understand is why we need a new option.
>>>> I mean, wouldn't it be possible to define a new Name Type of the Trust 
>>>> Anchor Option defined in section 6.4.3 of RFC 3971, the new Name 
>>>> Type being the SKI?
>>>>
>>>> People that are using multiple TAs should use this Name Type to be 
>>>> certain that they identify the right TA across multiple TAs.
>>>>
>>>> Regards, marcelo
>>>>
>>>>
>>>> Roque Gagliano wrote:
>>>>> Dear WG,
>>>>>
>>>>> At the "cert" team we have identified a problem with RFC 3971 and 
>>>>> the trust anchor name types defined there. The RFC defines as 
>>>>> possible name types an X.501 subject name or an FQDN. The problem we 
>>>>> have is that the subject name may not be unique across CAs in a PKI.
>>>>> As we decided to adopt the SIDR WG certificate profile, the Subject 
>>>>> Key Identifier extension is mandatory now. Consequently, we can 
>>>>> use this hash of the subject public key to identify the host TAs 
>>>>> even if we need to search across several CAs.
>>>>>
>>>>> We are issuing this draft to document the problem. However, RFC 
>>>>> 3971 did not set up a registry for name types in the TA ICMP option, 
>>>>> which means that the only way to implement this new name type is 
>>>>> to modify RFC 3971, which I understand was already part of the plans 
>>>>> for this WG.
>>>>> How does the group feel about taking this path?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Roque, Suresh, Ana.
>>>>>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: IETF I-D Submission Tool <idsubmission@ietf.org>
>>>>>> Date: October 6, 2009 12:23:13 PM GMT+01:00
>>>>>> To: roque@lacnic.net
>>>>>> Cc: suresh.krishnan@ericsson.com, ana.kukec@fer.hr
>>>>>> Subject: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00
>>>>>>
>>>>>>
>>>>>> A new version of I-D, 
>>>>>> draft-rgaglian-csi-send-ski-ta-nametype-00.txt has been 
>>>>>> successfully submitted by Roque Gagliano and posted to the IETF 
>>>>>> repository.
>>>>>>
>>>>>> Filename: draft-rgaglian-csi-send-ski-ta-nametype
>>>>>> Revision: 00
>>>>>> Title: Subject Key Identifier (SKI) name type for SEND TA option
>>>>>> Creation_date: 2009-10-06
>>>>>> WG ID: Independent Submission
>>>>>> Number_of_pages: 10
>>>>>>
>>>>>> Abstract:
>>>>>> SEcure Neighbor Discovery (SEND) utilizes X.509v3 certificates for
>>>>>> performing router authorization.  This document specifies a SEND name
>>>>>> type to identify trust anchor X.509v3 certificates based on their
>>>>>> Subject Key Identifier.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The IETF Secretariat.
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------
>>>>> Roque Gagliano
>>>>> LACNIC
>>>>> roque@lacnic.net
>>>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> CGA-EXT mailing list
>>>>> CGA-EXT@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/cga-ext
>>>>>
>>>
>>> -------------------------------------------------------------
>>> Roque Gagliano
>>> LACNIC
>>> roque@lacnic.net
>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>>
>
> -------------------------------------------------------------
> Roque Gagliano
> LACNIC
> roque@lacnic.net
> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>
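The thread above argues that an X.501 subject name in the RFC 3971 Trust Anchor option cannot single out one TA when several CAs use the same name, and that the SHA-1 Subject Key Identifier of the TA's public key can. The following is an added, stand-alone example (not code from the thread, the draft, or any SEND implementation) that builds Trust Anchor options both ways and shows the difference. It uses only the Python standard library; the two RSA moduli are constructed test values rather than real keys, the CN "SEND-TA" is a made-up subject name, and the Name Type value 3 for the SKI is an assumption, since the draft discussed here still says "TBD". The SKI is computed as RFC 5280 section 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value.

```python
"""Added example: RFC 3971 Trust Anchor options named by X.501 Name vs. by SKI."""
import hashlib

# ---- minimal DER encoder / reader (enough for SubjectPublicKeyInfo) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                            # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_COMMON_NAME = bytes.fromhex("0603550403")                   # 2.5.4.3
DER_NULL = b"\x05\x00"

def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key (RFC 3279 / RFC 5280)."""
    rsa_public_key = der_sequence(der_integer(n), der_integer(e))
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)      # 0 unused bits
    return der_sequence(der_sequence(OID_RSA_ENCRYPTION, DER_NULL), bit_string)

def x501_name_cn(cn):
    """X.501 Name: SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }."""
    return der_sequence(der_tlv(0x31, der_sequence(OID_COMMON_NAME, der_tlv(0x0C, cn))))

def ski_from_spki(spki):
    """RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet."""
    tag, seq, _ = der_read(spki)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _, after_alg = der_read(seq)                           # skip AlgorithmIdentifier
    tag, bits, _ = der_read(seq, after_alg)
    assert tag == 0x03 and bits[0] == 0, "expected BIT STRING with 0 unused bits"
    return hashlib.sha1(bits[1:]).digest()

# ---- RFC 3971 section 6.4.3 Trust Anchor option ----
TA_OPTION_TYPE = 15
NAME_TYPE_X501 = 1          # DER Encoded X.501 Name (RFC 3971)
NAME_TYPE_FQDN = 2          # FQDN (RFC 3971)
NAME_TYPE_SKI = 3           # ASSUMED value; the draft on this page says "TBD"

def trust_anchor_option(name_type, name):
    """Type | Length (units of 8 octets) | Name Type | Pad Length | Name | zero Padding."""
    body_len = 4 + len(name)
    pad = (-body_len) % 8
    return bytes([TA_OPTION_TYPE, (body_len + pad) // 8, name_type, pad]) + name + b"\x00" * pad

def parse_trust_anchor_option(opt):
    """Inverse of trust_anchor_option; returns (name_type, name)."""
    opt_type, length, name_type, pad = opt[:4]
    if opt_type != TA_OPTION_TYPE or length * 8 != len(opt) or pad > 7:
        raise ValueError("not a well-formed Trust Anchor option")
    return name_type, opt[4:len(opt) - pad]

# Constructed test moduli (not real keys); N_B is 1024-bit so long-form DER lengths are exercised.
N_A = 0xD1CB2E8F9A7B3C5DE6F7081122334455667788_99AABBCCDDEEFF0123456789AB
N_B = (1 << 1023) | 0xC0FFEE123456789B

def demo():
    """Two CAs that both chose CN=SEND-TA: the X.501-named options collide,
    the SKI-named options do not.  Returns (by_name, by_ski_a, by_ski_b)."""
    name = x501_name_cn(b"SEND-TA")
    by_name = trust_anchor_option(NAME_TYPE_X501, name)       # identical for CA A and CA B
    by_ski_a = trust_anchor_option(NAME_TYPE_SKI, ski_from_spki(rsa_spki(N_A, 65537)))
    by_ski_b = trust_anchor_option(NAME_TYPE_SKI, ski_from_spki(rsa_spki(N_B, 65537)))
    return by_name, by_ski_a, by_ski_b

if __name__ == "__main__":
    by_name, a, b = demo()
    print("X.501 name option :", by_name.hex())
    print("SKI option, CA A  :", a.hex())
    print("SKI option, CA B  :", b.hex())
```

A host holding several TAs would compare the 20-octet Name of an incoming SKI-typed option against the SubjectKeyIdentifier extension of each stored TA certificate; with the X.501 name type the same comparison cannot tell CA A from CA B. The parser rejects options whose Length field does not match the octets actually present, which a receiver should check before trusting the Pad Length.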