Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

Roque Gagliano <roque@lacnic.net> Tue, 06 October 2009 18:10 UTC

Return-Path: <roque@lacnic.net>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2302F3A68B8 for <cga-ext@core3.amsl.com>; Tue, 6 Oct 2009 11:10:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n+eco43e+WoY for <cga-ext@core3.amsl.com>; Tue, 6 Oct 2009 11:10:46 -0700 (PDT)
Received: from mail.lacnic.net.uy (mail.lacnic.net.uy [IPv6:2001:13c7:7001:4000::3]) by core3.amsl.com (Postfix) with ESMTP id 5A0023A6783 for <cga-ext@ietf.org>; Tue, 6 Oct 2009 11:10:45 -0700 (PDT)
Received: from [IPv6:2001:67c:64:42:225:ff:fe4b:94a8] (unknown [IPv6:2001:67c:64:42:225:ff:fe4b:94a8]) by mail.lacnic.net.uy (Postfix) with ESMTP id 427FF308502; Tue, 6 Oct 2009 16:12:09 -0200 (UYST)
Message-Id: <6ADE5FD5-0981-44C2-ACA6-C943F1466AAC@lacnic.net>
From: Roque Gagliano <roque@lacnic.net>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
In-Reply-To: <4ACB4BF5.8090102@it.uc3m.es>
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-16--479863460"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 6 Oct 2009 19:12:06 +0100
References: <20091006112313.4514728C167@core3.amsl.com> <3459FB4F-F275-4436-ADBE-B35EF8FD88F7@lacnic.net> <4ACB4BF5.8090102@it.uc3m.es>
X-Pgp-Agent: GPGMail d55 (v55, Leopard)
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.936)
X-LACNIC.uy-MailScanner-Information: Please contact the ISP for more information
X-LACNIC.uy-MailScanner: Found to be clean
X-LACNIC.uy-MailScanner-SpamCheck:
X-LACNIC.uy-MailScanner-From: roque@lacnic.net
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 18:10:48 -0000

Marcelo,

What is being propossed is exactly that, a new Name Type of the Trust  
anchor Option:

Name Type
TBD SHA-1 Subject Key Identifier (SKI)
To be added to the ones already defined in RFC 3971in sectin 6.4.3
"The type of the name included in the Name field. This specification  
defines two legal values for this field:
  1 DER Encoded X.501 Name
  2 FQDN"

Regards,
Roque

On Oct 6, 2009, at 2:53 PM, marcelo bagnulo braun wrote:

> Hi,
>
> My take on this one.
> I think we need a way to distinguish TAs across different CAs. I  
> think that using the Hash of the public key is a reasonable option.
>
> Now, what i am not sure i understand is why do we need a new option.
> I mean, wouldn't be possible to define a new Name Type of the Trust  
> anchor Option defined in section 6.4.3 of RFC3971, the new Name type  
> being the SKI?
>
> People that are using multiple Tas should use this Name Type to be  
> certain that they identify the right TA accors multiple TAs.
>
> Regards, marcelo
>
>
> Roque Gagliano escribió:
>> Dear WG,
>>
>> At the "cert" team we have identify a problem with RFC 3971 and the  
>> trust anchor name types defined there. The RFC defines as possible  
>> name types a X501 subject name or a FQDN. The problem we have is  
>> that subject name may not be unique across CAs in a PKI.
>> As we decided to adopt SIDR WG certificate profile, the Subject Key  
>> Identifier extension is mandatory now. Consequently, we can use  
>> this hash of the subject public key to identify the host TAs even  
>> if we need to search across several CAs.
>>
>> We are issuing this draft to document the problem. However, RFC  
>> 3971 did not set a Registry for name types in the TA ICMP option,  
>> which means that the only way to implement this new name type is to  
>> modify RFC 3971 that I understand was already part of the plans for  
>> this WG.
>> How do the group feels about taking this path?
>>
>> Regards,
>>
>> Roque, Suresh, Ana.
>>
>>
>> Begin forwarded message:
>>
>>> *From: *IETF I-D Submission Tool <idsubmission@ietf.org <mailto:idsubmission@ietf.org 
>>> >>
>>> *Date: *October 6, 2009 12:23:13 PM GMT+01:00
>>> *To: *roque@lacnic.net <mailto:roque@lacnic.net>
>>> *Cc: *suresh.krishnan@ericsson.com <mailto:suresh.krishnan@ericsson.com 
>>> >,ana.kukec@fer.hr <mailto:ana.kukec@fer.hr>
>>> *Subject: **New Version Notification for  draft-rgaglian-csi-send- 
>>> ski-ta-nametype-00 *
>>>
>>>
>>> A new version of I-D, draft-rgaglian-csi-send-ski-ta- 
>>> nametype-00.txt has been successfuly submitted by Roque Gagliano  
>>> and posted to the IETF repository.
>>>
>>> Filename: draft-rgaglian-csi-send-ski-ta-nametype
>>> Revision: 00
>>> Title: Subject Key Identifier (SKI) name type for SEND TA option
>>> Creation_date: 2009-10-06
>>> WG ID: Independent Submission
>>> Number_of_pages: 10
>>>
>>> Abstract:
>>> SEcure Neighbor Discovery (SEND) Utilizes X.509v3 certificates for
>>> performing router authorization.  This document specifies a SEND  
>>> name
>>> type to identify trust anchor X.509v3 certificates based on its
>>> Subject Key Identifier.
>>>
>>>
>>>
>>> The IETF Secretariat.
>>>
>>
>> -------------------------------------------------------------
>> Roque Gagliano
>> LACNIC
>> roque@lacnic.net <mailto:roque@lacnic.net>
>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> CGA-EXT mailing list
>> CGA-EXT@ietf.org
>> https://www.ietf.org/mailman/listinfo/cga-ext
>>

-------------------------------------------------------------
Roque Gagliano
LACNIC
roque@lacnic.net
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE