Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

Stephen Kent <> Mon, 14 March 2011 15:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B35813A6D0F; Mon, 14 Mar 2011 08:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.496
X-Spam-Status: No, score=-102.496 tagged_above=-999 required=5 tests=[AWL=0.103, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PcIyDx9tO04k; Mon, 14 Mar 2011 08:40:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8FC0C3A6D1C; Mon, 14 Mar 2011 08:40:03 -0700 (PDT)
Received: from ([]:49160) by with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <>) id 1Pz9td-000MNL-AW; Mon, 14 Mar 2011 11:41:25 -0400
Mime-Version: 1.0
Message-Id: <p06240801c99ff331d49e@[]>
In-Reply-To: <1299814571.28172.111.camel@destiny>
References: <> <> <> <> <1299814571.28172.111.camel@destiny>
Date: Mon, 14 Mar 2011 11:41:19 -0400
To: Jeffrey Hutzelman <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc:,, Sam Hartman <>, Paul Hoffman <>,
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Mar 2011 15:40:06 -0000

>Steve noted a desire to limit the liability of entities acting as CAs in
>the RPKI.  I agree that goal is desirable, and restrictions on what
>certificates issued by those CAs can contain help to do that (provided
>the CAs actually comply).  However, requiring compliant RPs to treat all
>extensions as critical does _not_ help, because an RP which incorrectly
>accepts an over-broad RPKI certificate for some other purpose is
>probably not an implementation of this profile and thus not bound by the

My comments also noted that part of the strategy to limit the utility of
resource certs in other contexts is to restrict their content. In principle,
establishing constraints on what RPKI C As issue would do this, but 
experience suggests otherwise :-).  Thus, in order to provide 
immediate feedback to a CA that the certs it is issuing are 
non-compliant, we would like to have RPs reject the certs (when used 
in the intended context). Thus having RPs be very strict in what they 
accept is important as well.



Sam noted that there are potentially lots of RPs.  In principle, 
there are just as many CAs, since every ISP is a CA as well as an RP. 
In reality we anticipate that many small ISPs will take advantage of 
managed CA services (the RIRs are already offering such services), so 
there should be many fewer distinct CAs vs. RPs.  Balancing that is 
the possibility that a number of ISPs, ones that rely on default 
routes, will also not be RPs. So, it's not clear whether we have more 
(distinct) CA or RPs.  I am hopeful that the RIRs will do a good job 
of generating compliant certs in their primary and managed service CA