IETF Logo Mail Archive

Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt

Sandra Murphy <Sandra.Murphy@sparta.com> Tue, 02 August 2011 22:16 UTC

Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1F8021F8565 for <sidr@ietfa.amsl.com>; Tue, 2 Aug 2011 15:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.06
X-Spam-Level:
X-Spam-Status: No, score=-102.06 tagged_above=-999 required=5 tests=[AWL=0.539, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ge0KhrRpslJL for <sidr@ietfa.amsl.com>; Tue, 2 Aug 2011 15:16:33 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 2D06721F8563 for <sidr@ietf.org>; Tue, 2 Aug 2011 15:16:32 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p72MGf9T026770; Tue, 2 Aug 2011 17:16:41 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p72MGfmo030671; Tue, 2 Aug 2011 17:16:41 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.128]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 2 Aug 2011 18:16:40 -0400
Date: Tue, 02 Aug 2011 18:16:39 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <1C1A5E2A-1C8A-4023-B2BA-A2D340470649@cisco.com>
Message-ID: <Pine.WNT.4.64.1108021731050.8260@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110802092022.13671.96567.idtracker@ietfa.amsl.com> <1C1A5E2A-1C8A-4023-B2BA-A2D340470649@cisco.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 02 Aug 2011 22:16:40.0580 (UTC) FILETIME=[DA76D440:01CC5161]
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 22:16:33 -0000

Speaking only as a regular ol' wg member:

The draft does not say why the mixed certificate prohibition was needed 
in the first place.

The new text says:

              This exception to the mixed algorithm suite certificate
    rule is allowed because an EE certificate that is not used to verify
    repository objects does not interfere with the ability of RPs to
    download and verify repository content.

There's a hint there that mixed certificates for CAs signing CA certs 
might cause a problem for RPs.

I think it would be good to describe the problems RPs would see if CAs 
could sign CA certs with a mix of algorithms.

And it might be good to say why the mixed certificate case for some EE 
certs was desirable.

YMMV.

Also, the draft says:

                                                  In the RPKI, a CA MUST
    NOT sign a CA certificate carrying a subject key that corresponds to
    an algorithm suite that differs from the one used to sign the
    certificate.

It used to say that

                                                  In RPKI an algorithm
    suite MUST NOT sign a certificate carrying a subject key that
    corresponds to another algorithm suite.

To me, the old text sounded like issuance of any mixed certificate was 
prohibited.

The new prohibition applies only to CAs issuing a CA cert and the new
exception applies only to EE certs that are not used to verify repository 
objects.  The new text sounds to me like it leaves open the case of EE 
certs that *are* used to verify repository objects.


--Sandy, regular ol' wg member


On Tue, 2 Aug 2011, Roque Gagliano wrote:

> Dear WG,
>
> I uploaded a new version of the draft preparing it for WGLC.
>
> The only change is a requirement from the BGPSEC team to include a paragraph in section 4.2 that clarifies that "mixed" certs are not allowed only for CA certs but may be possible for EE certs that do not validate repository objects (i.e. BGPSEC certs).
>
>
> Regards,
> Roque
>
>
> Begin forwarded message:
>
>> From: internet-drafts@ietf.org
>> Date: August 2, 2011 11:20:22 AM GMT+02:00
>> To: rogaglia@cisco.com
>> Cc: turners@ieca.com, rogaglia@cisco.com, kent@bbn.com
>> Subject: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt
>>
>> A new version of I-D, draft-ietf-sidr-algorithm-agility-03.txt has been successfully submitted by Roque Gagliano and posted to the IETF repository.
>>
>> Filename:	 draft-ietf-sidr-algorithm-agility
>> Revision:	 03
>> Title:		 Algorithm Agility Procedure for RPKI.
>> Creation date:	 2011-08-02
>> WG ID:		 sidr
>> Number of pages: 25
>>
>> Abstract:
>>   This document specifies the process that Certification Authorities
>>   (CAs) and Relying Parties (RP) participating in the Resource Public
>>   Key Infrastructure (RPKI) will need to follow to transition to a new
>>   (and probably cryptographically stronger) algorithm set.  The process
>>   is expected to be completed in a time scale of months or years.
>>   Consequently, no emergency transition is specified.  The transition
>>   procedure defined in this document supports only a top-down migration
>>   (parent migrates before children).
>>
>>
>>
>>
>> The IETF Secretariat
>
>

v2.14.0 | Report a Bug | By Email