Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

Roque Gagliano escribió:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Marcelo,
>
> On Oct 6, 2009, at 7:32 PM, marcelo bagnulo braun wrote:
>
>> ah, perfect then!
>>
>> I guess i got confused by the title of the section that reads:
>>
>> 3.  SEND SKI trust anchor identifier option
>>
>> But you are not defining a SEND SKI trust anchor identifier option 
>> but you are defining a SKI NAME TYPE, correct?
>>
>
> correct.
>
>> If so, i don't think we need to update rfc3971, we just need to 
>> publish this document as STD RFC, correct?
>>
>
> The problem that I described in the original email was that RFC 3971 
> does not define a registry for name type. We issue this document just 
> to point out that we believe that this new name type is needed. What 
> we could do is to modify the draft to create this registry and add the 
> SKY name type to the ones defined in RFC 3971.
>
> What does the group feel about this?

this seems a reasonable option to me

could you update the document and include a iana considerations section?

Regards, marcelo

>
> Roque.
>
>> Regards, marcelo
>>
>>
>>
>> Roque Gagliano escribió:
>>> Marcelo,
>>>
>>> What is being propossed is exactly that, a new Name Type of the 
>>> Trust anchor Option:
>>>
>>> Name Type  TBD SHA-1 Subject Key Identifier (SKI)
>>> To be added to the ones already defined in RFC 3971in sectin 6.4.3
>>> "The type of the name included in the Name field.  This
>>>      specification defines two legal values for this field:  
>>> 1        DER Encoded X.501 Name  2        FQDN"
>>>
>>> Regards,
>>> Roque
>>>
>>> On Oct 6, 2009, at 2:53 PM, marcelo bagnulo braun wrote:
>>>
>>>> Hi,
>>>>
>>>> My take on this one.
>>>> I think we need a way to distinguish TAs across different CAs. I 
>>>> think that using the Hash of the public key is a reasonable option.
>>>>
>>>> Now, what i am not sure i understand is why do we need a new option.
>>>> I mean, wouldn't be possible to define a new Name Type of the Trust 
>>>> anchor Option defined in section 6.4.3 of RFC3971, the new Name 
>>>> type being the SKI?
>>>>
>>>> People that are using multiple Tas should use this Name Type to be 
>>>> certain that they identify the right TA accors multiple TAs.
>>>>
>>>> Regards, marcelo
>>>>
>>>>
>>>> Roque Gagliano escribió:
>>>>> Dear WG,
>>>>>
>>>>> At the "cert" team we have identify a problem with RFC 3971 and 
>>>>> the trust anchor name types defined there. The RFC defines as 
>>>>> possible name types a X501 subject name or a FQDN. The problem we 
>>>>> have is that subject name may not be unique across CAs in a PKI.
>>>>> As we decided to adopt SIDR WG certificate profile, the Subject 
>>>>> Key Identifier extension is mandatory now. Consequently, we can 
>>>>> use this hash of the subject public key to identify the host TAs 
>>>>> even if we need to search across several CAs.
>>>>>
>>>>> We are issuing this draft to document the problem. However, RFC 
>>>>> 3971 did not set a Registry for name types in the TA ICMP option, 
>>>>> which means that the only way to implement this new name type is 
>>>>> to modify RFC 3971 that I understand was already part of the plans 
>>>>> for this WG.
>>>>> How do the group feels about taking this path?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Roque, Suresh, Ana.
>>>>>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> *From: *IETF I-D Submission Tool <idsubmission@ietf.org 
>>>>>> <mailto:idsubmission@ietf.org>>
>>>>>> *Date: *October 6, 2009 12:23:13 PM GMT+01:00
>>>>>> *To: *roque@lacnic.net <mailto:roque@lacnic.net>
>>>>>> *Cc: *suresh.krishnan@ericsson.com 
>>>>>> <mailto:suresh.krishnan@ericsson.com>,ana.kukec@fer.hr 
>>>>>> <mailto:ana.kukec@fer.hr>
>>>>>> *Subject: **New Version Notification for  
>>>>>> draft-rgaglian-csi-send-ski-ta-nametype-00 *
>>>>>>
>>>>>>
>>>>>> A new version of I-D, 
>>>>>> draft-rgaglian-csi-send-ski-ta-nametype-00.txt has been 
>>>>>> successfuly submitted by Roque Gagliano and posted to the IETF 
>>>>>> repository.
>>>>>>
>>>>>> Filename: draft-rgaglian-csi-send-ski-ta-nametype
>>>>>> Revision: 00
>>>>>> Title: Subject Key Identifier (SKI) name type for SEND TA option
>>>>>> Creation_date: 2009-10-06
>>>>>> WG ID: Independent Submission
>>>>>> Number_of_pages: 10
>>>>>>
>>>>>> Abstract:
>>>>>> SEcure Neighbor Discovery (SEND) Utilizes X.509v3 certificates for
>>>>>> performing router authorization.  This document specifies a SEND 
>>>>>> name
>>>>>> type to identify trust anchor X.509v3 certificates based on its
>>>>>> Subject Key Identifier.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The IETF Secretariat.
>>>>>>
>>>>>
>>>>> -------------------------------------------------------------
>>>>> Roque Gagliano
>>>>> LACNIC
>>>>> roque@lacnic.net <mailto:roque@lacnic.net>
>>>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>>>>
>>>>> ------------------------------------------------------------------------ 
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> CGA-EXT mailing list
>>>>> CGA-EXT@ietf.org <mailto:CGA-EXT@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/cga-ext
>>>>>
>>>
>>> -------------------------------------------------------------
>>> Roque Gagliano
>>> LACNIC
>>> roque@lacnic.net <mailto:roque@lacnic.net>
>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>>
>
> - -------------------------------------------------------------
> Roque Gagliano
> LACNIC
> roque@lacnic.net
> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkrLl/gACgkQnk+WSgHpbO5GRQCfQnc72yzvMDbwj+Sd5kRfu1PD
> CBMAoKgpH6jz9UbiMcfzAJ/SVzjDWaUR
> =Qwfu
> -----END PGP SIGNATURE-----
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext
>