IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

John C Klensin <john-ietf@jck.com> Sun, 17 April 2011 13:27 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: secdir@ietfc.amsl.com
Delivered-To: secdir@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 137E4E074A; Sun, 17 Apr 2011 06:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J9b-w3dVw+l8; Sun, 17 Apr 2011 06:27:36 -0700 (PDT)
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by ietfc.amsl.com (Postfix) with ESMTP id 491F3E0694; Sun, 17 Apr 2011 06:27:36 -0700 (PDT)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1QBS0j-000PXc-Lc; Sun, 17 Apr 2011 09:27:33 -0400
Date: Sun, 17 Apr 2011 09:27:32 -0400
From: John C Klensin <john-ietf@jck.com>
To: Stephen Kent <kent@bbn.com>, Sam Hartman <hartmans-ietf@mit.edu>
Message-ID: <1446DA6A65B664240D8AA4F9@PST.JCK.COM>
In-Reply-To: <p06240801c9ce424e70b1@[128.89.89.62]>
References: <tslhbbag9m1.fsf@mit.edu> <4D791B26.8020001@vpnc.org> <tsl4o7ag5fw.fsf@mit.edu> <4D79271E.6080707@vpnc.org> <tslzkp2elyf.fsf@mit.edu> <p06240801c9ce424e70b1@[128.89.89.62]>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: draft-ietf-sidr-res-certs@tools.ietf.org, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Apr 2011 13:27:37 -0000

Steve,
Two things:


(1) Given the variable amount of time it takes to get RFCs
issued/ published after IESG signoff, are you and the WG sure
that you want to tie the phases of the phase-in procedure to RFC
publication?

(2) There is an incomplete sentence at the end of (2): "This
allows CAs to issue certificates under" (more context below).

   john



--On Friday, April 15, 2011 14:45 -0400 Stephen Kent
<kent@bbn.com> wrote:

> 	2- During phase 2 CAs MUST issue certificates under the new
> profile, and these certificates MUST co-exist with
> certificates issued under the old format. (CAs will continue
> to issue certificates under the old OID/format as well.) The
> old and new certificates MUST be identical, except for the
> policy OID and any new extensions, encodings, etc. Relying
> parties MAY make use of the old or the new certificate formats
> when processing signed objects retrieved from the RPKI
> repository system. During this phase, a relying party that
> elects to process both formats will acquire the same values
> for all certificate fields that overlap between the old and
> new formats. Thus if either certificate format is verifiable,
> the relying party accepts the data from that certificate. This
> allows CAs to issue certificates under
> 
> 	3- At the beginning of phase 3, all relying parties MUST be
> capable of processing certificates under the new format.
>...

v2.23.0 | Report a Bug | By Email