IETF Logo Mail Archive

Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt

Ana Kukec <anchie@fer.hr> Sat, 14 March 2009 21:24 UTC

Return-Path: <anchie@fer.hr>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AAF4F3A695E for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 14:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RY9abafY2B7f for <cga-ext@core3.amsl.com>; Sat, 14 Mar 2009 14:24:58 -0700 (PDT)
Received: from labs4.cc.fer.hr (labs4.cc.fer.hr [161.53.72.24]) by core3.amsl.com (Postfix) with ESMTP id 8DF8C3A6358 for <cga-ext@ietf.org>; Sat, 14 Mar 2009 14:24:58 -0700 (PDT)
Received: from sluga.fer.hr (sluga.cc.fer.hr [161.53.72.14]) by labs4.cc.fer.hr (8.14.2/8.14.2) with ESMTP id n2ELPxKE029369 for <cga-ext@ietf.org>; Sat, 14 Mar 2009 22:26:00 +0100 (CET)
Received: from ana-kukecs-macbook.local ([89.164.54.68]) by sluga.fer.hr with Microsoft SMTPSVC(6.0.3790.3959); Sat, 14 Mar 2009 22:25:33 +0100
Message-ID: <49BC20CD.7070206@fer.hr>
Date: Sat, 14 Mar 2009 22:25:33 +0100
From: Ana Kukec <anchie@fer.hr>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
References: <49BBC170.4010008@it.uc3m.es> <SLUGAkwu1BtWdWhkeLZ00000a3d@sluga.fer.hr> <49BC0627.9060509@it.uc3m.es> <49BC15D2.6060501@fer.hr> <49BC1A69.6000802@it.uc3m.es>
In-Reply-To: <49BC1A69.6000802@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 14 Mar 2009 21:25:33.0871 (UTC) FILETIME=[68C3EBF0:01C9A4EB]
X-Scanned-By: MIMEDefang 2.64 on 161.53.72.24
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] about draft-krishnan-cgaext-send-cert-eku-03.txt
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2009 21:24:59 -0000

marcelo bagnulo braun wrote:
>>
>> The draft says that the EKU extension is a critical extension, i.e. 
>> if the receiving node does not recognize the extension, it must 
>> reject the certificate.
>>
> not really
>
> the draft says:
>
>   The extended key usage extension MAY, at the option of the
>   certificate issuer, be either critical or non-critical.
>
> So, if we do it as the draft says, it would be compatible with current 
> implementations, right?

Right, sorry. Yes, it would be, i.e. it is according to the current text 
in the draft.

>
>>
>> The TA option either helps the receivers to decide which 
>> advertisements are useful for them or denotes the TAs that the client 
>> is willing to accept (in the solicitation message). If the TA is 
>> represented as a FQDN, the FQDN must be equal to the subjectAltName 
>> in the TA's certificate.
>>
>> On the other hand, we can survive with using just the Subject name 
>> field and the DER Encoded X.501 Name Trust Anchor option..
>
> but wouldn't that be a different use of the semantics of the subject name?


No.. what do you mean? According to the send spec the TA option can be 
either of the type DER Encoded X.501 Name (matching the certificate 
Subject name) or the FQDN (matching the subjectAltName).


> So, afaiu from this, the currnet implementations would not accept 
> certs wihtout the TA and they would fial inthis case
> We may be able to tweak it in way that we can make this work, by 
> upating the send nodes
> the other options is to see how posible is for RPKI cert profile to 
> accept TA, is this correct?
>

Yes, we can specify the usage of the TA option only of the type X.501 
DN. The other option is to include the subjectAltName in the RPKI 
certificate profile, which is not likely to happen (see the section 3.5. 
in the draft-ietf-sidr-res-certs-16).

>
>>
>>
>> The RPKI uses the PKI revocation routines with pure CRLs, and if we 
>> accept the RPKI profile, IMO we should use and process the CRLs in 
>> SeND. Thus, yes, IMO we should specify messages for the CRL 
>> transportation and the processing routines for the receivers.
>>
> but if we don't do it, it would imply that we have current send 
> support, right?
>
> I mean, if we do it, it is an enhacement but we can not do it
> I guess it is up to the wg to decide what to do
>

Yes.


Ana

v2.23.0 | Report a Bug | By Email