Re: [secdir] secdir review of draft-ietf-csi-send-cert-03

Suresh Krishnan <suresh.krishnan@ericsson.com> Wed, 02 June 2010 05:51 UTC

Message-ID: <4C05F076.7050303@ericsson.com>
Date: Wed, 2 Jun 2010 01:47:34 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <00CEF527-9674-47CF-BC3E-66A9FC7289F7@bbn.com> <4C034A8C.9020205@ericsson.com> <BB5520A2-B0B8-4585-9D40-45AB8C591C4B@bbn.com>
In-Reply-To: <BB5520A2-B0B8-4585-9D40-45AB8C591C4B@bbn.com>
Cc: The IETF <ietf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-csi-send-cert@tools.ietf.org" <draft-ietf-csi-send-cert@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-csi-send-cert-03

Hi Richard,
   Removing the stuff we agreed upon.

On 10-05-31 08:22 PM, Richard L. Barnes wrote:
> Hey Suresh,
> 
> Most of these comments look OK to me.  Couple of responses inline.
> 
> --Richard
> 
>>> Sec 6 Para 4
>>> The requirement for RFC 3779 extension seems to contradict the use of 
>>>  ETAs as Trust Anchor Material, i.e., the last sentence of the first 
>>>  paragraph in this section.
>>
>> Good catch. I am not sure how to resolve this. One way would be to 
>> specify that the ETA EE certificates are exempt from requiring the 
>> RFC3779 extensions. Do you have any suggestions?
> 
> I think the rest of the section is clear enough -- the TA material 
> either has to be a self-signed certificate or it has to be an ETA.  So 
> maybe you could just delete the phrase "and MUST always refer to a 
> certificate that includes a RFC 3779 address extension"?

Hmm. The ETA certificate itself does not need to have the RFC 3779 
extension in it, but the relying party needs to fetch an RTA certificate 
which will contain an RFC 3779 extension.

> 
> As an aside, do you want to specify that in the first case (the non-ETA 
> case), the self-signed TA cert MUST conform to the RPKI profile?

Will do.

Thanks
Suresh
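The rule the thread converges on, written out as a relying-party check: trust anchor material is accepted either as a self-signed certificate that itself carries the RFC 3779 address extension, or as an ETA, in which case the RTA certificate it refers to is fetched and that certificate must carry the extension. This is an added illustration, not code from the draft or from either correspondent. Certificates are modelled as plain records rather than DER, the ETA is assumed to name its RTA certificate by subject, and the RTA store, `lookup_rta` and all sample subjects are constructed for the example; the only real identifier is the id-pe-ipAddrBlocks OID from RFC 3779.

```python
"""Relying-party acceptance check for SEND trust anchor material (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# id-pe-ipAddrBlocks, the IP address block extension defined in RFC 3779
IP_ADDR_BLOCKS_OID = "1.3.6.1.5.5.7.1.7"


@dataclass
class Cert:
    """Minimal certificate record: subject, issuer and extensions keyed by OID."""
    subject: str
    issuer: str
    extensions: Dict[str, object] = field(default_factory=dict)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

    def has_rfc3779_addr_ext(self) -> bool:
        return IP_ADDR_BLOCKS_OID in self.extensions


@dataclass
class ExtendedTrustAnchor:
    """Stand-in for an ETA; assumed (for this example) to name its RTA by subject."""
    rta_subject: str


def check_trust_anchor(ta, fetch_rta: Callable[[str], Optional[Cert]]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a piece of trust anchor material."""
    if isinstance(ta, Cert):
        # Non-ETA case: the TA material must be a self-signed certificate that
        # carries the RFC 3779 address extension itself.
        if not ta.is_self_signed():
            return False, "TA certificate is not self-signed"
        if not ta.has_rfc3779_addr_ext():
            return False, "self-signed TA certificate lacks the RFC 3779 address extension"
        return True, "self-signed TA certificate carrying the RFC 3779 address extension"
    if isinstance(ta, ExtendedTrustAnchor):
        # ETA case: the ETA itself need not carry the extension; the relying
        # party fetches the referenced RTA certificate, which must carry it.
        rta = fetch_rta(ta.rta_subject)
        if rta is None:
            return False, f"could not fetch RTA certificate for {ta.rta_subject}"
        if not rta.has_rfc3779_addr_ext():
            return False, "RTA certificate referenced by the ETA lacks the RFC 3779 address extension"
        return True, "ETA resolved to an RTA certificate carrying the RFC 3779 address extension"
    return False, "unrecognised trust anchor material"


# Constructed sample RTA store keyed by subject (stands in for whatever the
# relying party would actually fetch from).
RTA_STORE: Dict[str, Cert] = {
    "CN=Example RTA": Cert("CN=Example RTA", "CN=Example RTA",
                           {IP_ADDR_BLOCKS_OID: ["2001:db8::/32"]}),
    "CN=Bare RTA": Cert("CN=Bare RTA", "CN=Bare RTA", {}),
}


def lookup_rta(subject: str) -> Optional[Cert]:
    return RTA_STORE.get(subject)


def run_samples() -> Dict[str, bool]:
    """Evaluate constructed TA material covering each accept and reject branch."""
    cases = {
        "self_signed_ok": Cert("CN=Root", "CN=Root", {IP_ADDR_BLOCKS_OID: ["192.0.2.0/24"]}),
        "self_signed_no_ext": Cert("CN=Root", "CN=Root", {}),
        "not_self_signed": Cert("CN=Sub", "CN=Root", {IP_ADDR_BLOCKS_OID: []}),
        "eta_ok": ExtendedTrustAnchor("CN=Example RTA"),
        "eta_rta_no_ext": ExtendedTrustAnchor("CN=Bare RTA"),
        "eta_unknown": ExtendedTrustAnchor("CN=Missing RTA"),
    }
    return {name: check_trust_anchor(ta, lookup_rta)[0] for name, ta in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

The two branches are deliberately kept distinct so that the "MUST refer to a certificate that includes a RFC 3779 address extension" requirement is enforced on the RTA certificate in the ETA case rather than on the ETA itself, which is the distinction the reply above draws.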