Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

Sam Hartman <> Mon, 25 April 2011 16:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0D9B8E075C; Mon, 25 Apr 2011 09:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.698
X-Spam-Status: No, score=-102.698 tagged_above=-999 required=5 tests=[AWL=-0.433, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AnCdoMwH5Jxp; Mon, 25 Apr 2011 09:02:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7F60EE0665; Mon, 25 Apr 2011 09:02:53 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by (Postfix) with ESMTPS id 7480920378; Mon, 25 Apr 2011 11:59:15 -0400 (EDT)
Received: by (Postfix, from userid 8042) id E821C4543; Mon, 25 Apr 2011 12:02:40 -0400 (EDT)
From: Sam Hartman <>
To: Stephen Kent <>
References: <> <> <> <> <> <p06240801c9ce424e70b1@[]>
Date: Mon, 25 Apr 2011 12:02:40 -0400
In-Reply-To: <p06240801c9ce424e70b1@[]> (Stephen Kent's message of "Fri\, 15 Apr 2011 14\:45\:46 -0400")
Message-ID: <>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc:, Sam Hartman <>,,
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-res-certs
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Apr 2011 16:02:54 -0000

Steve, thanks for your note.
I realize the certificate resource profile document has been approved,
but I'd still like to understand what is happening here.

I'm having trouble reconciling the new text  you've added to the
document with draft-ietf-sidr-signed-object.

        2- During phase 2 CAs MUST issue certificates under the new profile,
and these certificates MUST co-exist with certificates issued under the old
format. (CAs will continue to issue certificates under the old OID/format as
well.) The old and new certificates MUST be identical, except for the policy
OID and any new extensions, encodings, etc. Relying parties MAY make use of the
old or the new certificate formats when processing signed objects retrieved
from the RPKI repository system. During this phase, a relying party that elects
to process both formats will acquire the same values for all certificate fields
that overlap between the old and new formats. Thus if either certificate format
is verifiable, the relying party accepts the data from that certificate. This
allows CAs to issue certificates under

However, when I look at section 2.1.4 in the signed-object document ,
the signer can only include one certificate.
How does that work during phase 2 when some of the RPs support the new
format and some only support the old format?
Your text above suggests that RPs grab the certificates from the RPKI
repository, but it seems at least for end entity certificates they are
included in the signed object.
What happens for end entity certificates during this form of upgrade?