[secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19

Yaron Sheffer <yaronf@gmx.com> Sun, 01 January 2017 16:26 UTC

Return-Path: <yaronf@gmx.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D85B71293F4; Sun, 1 Jan 2017 08:26:34 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer <yaronf@gmx.com>
To: secdir@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
Date: Sun, 01 Jan 2017 08:26:34 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/O9wZVNZcjQcRhOnBuf1iTnYneH8>
Cc: draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, sidr@ietf.org
Subject: [secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jan 2017 16:26:35 -0000

Reviewer: Yaron Sheffer
Review result: Has Nits

* 3.1.1: The serial number in RFC 6487 is still a real, unique serial
number that uniquely identifies the certificate. Here it is used as
something other than a serial number, which is explicitly NOT unique,
and the CA is left to decide how to make it unique in the face of
potentially repeating BGP IDs. If this is not a real issue (e.g.
because duplicate IDs are rare and never within a RIR), please say

* 3.2: earlier we said that Basic Constraints must not be included in
the EE cert. Now we are saying that only a particular boolean flag
must not be honored when processing the Cert Request. What happens if
Basic Constraints is included in the Cert Request but with other

* 3.3: ID.sidr-rfc6485bis -> RFC 7935

* 6: in the paragraph that discusses hash functions, please spell out
the names of the two key identifiers, because I cannot determine what
they are from the document.