IETF Logo Mail Archive

Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt

Ana Kukec <anchie@fer.hr> Sat, 14 March 2009 20:38 UTC

Return-Path: <anchie@fer.hr>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 359553A684D for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 13:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mrHSRAxzQBhd for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 13:38:10 -0700 (PDT)
Received: from labs4.cc.fer.hr (labs4.cc.fer.hr [161.53.72.24]) by core3.amsl.com (Postfix) with ESMTP id EF2C23A69DD for <cga-ext@ietf.org>; Sat, 14 Mar 2009 13:38:09 -0700 (PDT)
Received: from sluga.fer.hr (sluga.cc.fer.hr [161.53.72.14]) by labs4.cc.fer.hr (8.14.2/8.14.2) with ESMTP id n2EKd9ea029237 for <cga-ext@ietf.org>; Sat, 14 Mar 2009 21:39:10 +0100 (CET)
Received: from ana-kukecs-macbook.local ([89.164.54.68]) by sluga.fer.hr with Microsoft SMTPSVC(6.0.3790.3959); Sat, 14 Mar 2009 21:38:43 +0100
Message-ID: <49BC15D2.6060501@fer.hr>
Date: Sat, 14 Mar 2009 21:38:42 +0100
From: Ana Kukec <anchie@fer.hr>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
References: <49BBC170.4010008@it.uc3m.es> <SLUGAkwu1BtWdWhkeLZ00000a3d@sluga.fer.hr> <49BC0627.9060509@it.uc3m.es>
In-Reply-To: <49BC0627.9060509@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 14 Mar 2009 20:38:43.0214 (UTC) FILETIME=[DD7BB2E0:01C9A4E4]
X-Scanned-By: MIMEDefang 2.64 on 161.53.72.24
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2009 20:38:11 -0000

marcelo bagnulo braun wrote:
>>
>>
>> The incompliances between the RPKI and SEND are related to the X.509 
>> extensions profile and their validation. Regarding the acception of 
>> the RPKI certificate profile into SeND, there are two problematic 
>> extensions, the EKU extension (as we already discussed)
>
> right, but my question is what happens when a current send node 
> receives a cert with the EKU? does it fails, or does it just skipe the 
> option takes the cert as valid?

The draft says that the EKU extension is a critical extension, i.e. if 
the receiving node does not recognize the extension, it must reject the 
certificate.

>
> So, this seems to psoe two problems:
> - first, that a current send node will not accept as valid a cert 
> without the subjectAltname, right? While this is not optimal, we may 
> be able to live with that
> - second, how does a send node uses the subjectAltName? i mean does 
> the send node needs this information to validate the anchor point? If 
> so, how do we deal with this?


The TA option either helps the receivers to decide which advertisements 
are useful for them or denotes the TAs that the client is willing to 
accept (in the solicitation message). If the TA is represented as a 
FQDN, the FQDN must be equal to the subjectAltName in the TA's certificate.

On the other hand, we can survive with using just the Subject name field 
and the DER Encoded X.501 Name Trust Anchor option..

>>
>>
>> Regarding the validation routines, the rfc3779 extension validation 
>> routine conflicts with the one described in the send spec. But 
>> together with the RPKI certificate profile we can accept the rfc3779 
>> extension validation routine.
>
> not sure waht do you mean here... can we still use the send validation 
> routing? Or we need to change the send nodes to do the new validation 
> routine?


The RPKI uses the validation described in rfc3779 (section 2.3). The 
validation described in the send spec is compliant with that one, but 
more detailed. So, we can just point out that despite using the RPKI 
profile, nodes have to take into account the send validation as well.


>>
>> Contrary to the X.509 extensions and the validation routines, the 
>> revocation is not a conflicting thing, it is just that the SeND lacks 
>> the text describing how to incorporate the RPKI revocation into SeND. 
>> With carefully chosen validity intervals for the RPKI certificates on 
>> the lower tiers, i.e. at the SEND level,  the CRL is not expected to 
>> grow to large sizes, and it can fit well into the SEND messages.
> right, but do we need to specify the revocation routines as well?


The RPKI uses the PKI revocation routines with pure CRLs, and if we 
accept the RPKI profile, IMO we should use and process the CRLs in SeND. 
Thus, yes, IMO we should specify messages for the CRL transportation and 
the processing routines for the receivers.

>
> I would like to understnad if we need to update rfc3971 to support 
> this, i understnad we do. I am not sure i fully understnad what are 
> the updates that are needed to rfc3971... could you elaborate on this?

Afaiu, we should update the part about the revocation, and decide what 
exactly to do with the subjectAltName extension, and update that part as 
well.

Ana

v2.23.0 | Report a Bug | By Email