Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

Sam Hartman <> Tue, 03 May 2011 22:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 599B3E07BD; Tue, 3 May 2011 15:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -103.504
X-Spam-Status: No, score=-103.504 tagged_above=-999 required=5 tests=[AWL=-1.239, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bILJ3sLu+Uyv; Tue, 3 May 2011 15:08:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CEA63E0747; Tue, 3 May 2011 15:08:03 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by (Postfix) with ESMTPS id DFF9F20228; Tue, 3 May 2011 18:04:16 -0400 (EDT)
Received: by (Postfix, from userid 8042) id C0F0A41F4; Tue, 3 May 2011 18:07:59 -0400 (EDT)
From: Sam Hartman <>
To: Stephen Kent <>
References: <> <> <> <> <> <p06240801c9ce424e70b1@[]> <> <p06240808c9e45144c8f9@[]> <> <p06240800c9e604898d1c@[]>
Date: Tue, 03 May 2011 18:07:59 -0400
In-Reply-To: <p06240800c9e604898d1c@[]> (Stephen Kent's message of "Tue\, 3 May 2011 15\:16\:28 -0400")
Message-ID: <>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc:, Sam Hartman <>,,
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 May 2011 22:08:04 -0000

>>>>> "Stephen" == Stephen Kent <> writes:

    >> I guess the only question I'd have remaining is whether ROAs or
    >> other signed objects are intended to be used in other protocols
    >> besides simply living in the SIDR repository?

    Stephen> The RPKI repository is designed to support a specific,
    Stephen> narrow set of apps. That's what the CP says, and we try to
    Stephen> make these certs unattractive for other apps, e.g., by use
    Stephen> of the non-meaningful names.

You had mentioned that about the PKI before.  Now, though I'm focusing
on the ROAs and other signed objects, not the certificates and CRLs.  Do
these narrow applications involve simply storing these objects in the
repository, or are there plans to use ROAs or other signed objects as
elements in protocols?  At least years ago, for example, there was
discussion of carrying signatures of objects in BGP. I understand that's
not within SIDR's current charter, but is SIDR intended to support that
style of use, or have things been narrowed to a point where that would
require reworking details of the repository and PKI?

If the answer is that those sorts of uses are not in scope for the SIDR
architecture, then I think you've basically resolved my concerns.