Re: [sidr] about the thread "Conflict between rtr-keying, bgpsec-pki-profile, and RFC 6487"
Sean Turner <TurnerS@ieca.com> Wed, 02 July 2014 14:50 UTC
Return-Path: <TurnerS@ieca.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 828FE1A0240 for <sidr@ietfa.amsl.com>; Wed, 2 Jul 2014 07:50:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.557
X-Spam-Level:
X-Spam-Status: No, score=-1.557 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FSL_HELO_BARE_IP_2=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wwv9qzyaV92m for <sidr@ietfa.amsl.com>; Wed, 2 Jul 2014 07:50:32 -0700 (PDT)
Received: from gateway01.websitewelcome.com (gateway01.websitewelcome.com [69.56.236.19]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3F771A0331 for <sidr@ietf.org>; Wed, 2 Jul 2014 07:50:32 -0700 (PDT)
Received: by gateway01.websitewelcome.com (Postfix, from userid 5007) id 09CDA9B789C32; Wed, 2 Jul 2014 09:50:32 -0500 (CDT)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway01.websitewelcome.com (Postfix) with ESMTP id E16109B789C06 for <sidr@ietf.org>; Wed, 2 Jul 2014 09:50:31 -0500 (CDT)
Received: from [173.73.128.252] (port=51165 helo=192.168.1.10) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <TurnerS@ieca.com>) id 1X2Lrj-0004cG-7o; Wed, 02 Jul 2014 09:50:31 -0500
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <TurnerS@ieca.com>
In-Reply-To: <20140701222948.5E0D5F43767@minas-ithil.hactrn.net>
Date: Wed, 02 Jul 2014 10:50:27 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB0C94A3-1778-4A8B-999A-B438308F5B45@ieca.com>
References: <75C51A68-FEC3-40B0-BC6C-A8A2471FF4CD@tislabs.com> <20140701222948.5E0D5F43767@minas-ithil.hactrn.net>
To: Rob Austein <sra@hactrn.net>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 173.73.128.252
X-Exim-ID: 1X2Lrj-0004cG-7o
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (192.168.1.10) [173.73.128.252]:51165
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 2
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/7tVcK_akq0SuH1KtM7MRVvGoJBk
Cc: sidr@ietf.org
Subject: Re: [sidr] about the thread "Conflict between rtr-keying, bgpsec-pki-profile, and RFC 6487"
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jul 2014 14:50:35 -0000
On Jul 01, 2014, at 18:29, Rob Austein <sra@hactrn.net> wrote: > At Fri, 27 Jun 2014 16:50:12 -0400, Sandra Murphy wrote: >> >> RFC6487 6.1.1 (how to send a cert request in PKCS) says >> >> Subject >> This field MAY be omitted. If present, the value of this field >> SHOULD be empty (i.e., NULL), in which case the CA MUST >> generate a subject name that is unique in the context of >> certificates issued by this CA. >> >> a) "This field MAY be omitted." is wrong. PKCS#10 does not say that >> the subject field is optional. So an implementation that did >> omit this field might not work with a CA's implementation. > > Right. I think it's reasonably clear that, on this point, RFC 6487 > just needs to be fixed, as it violates the base specification. +1 >> b) "If present, the value of this field SHOULD be empty" means that >> the rtr-keying draft was (at the time) non-compliant - rtr-keying >> said to put the "router number" in the subject field of a PKCS#10 >> cert request. >> >> The bgpsec-pki-profile draft says that the subject of a router cert >> has the router ID in it. > [...] > > I think the simplest approach is to allow router key PKCS #10 requests > to include both the router id and the ASN(s). The need to support > multiple ASNs (rare, but possible, if I understand correctly) means > that we can't just use the subject name hack for this, since the > proposed encoding of router ID and ASN into the subject name only > supports one ASN. > > So I think we should: > > - Allow a non-empty subject name in the router certificate PKCS #10, > said name to follow whatever we pick for the recommended form of the > expected resulting certificate (ROUTER-<asn>,<router-id> or > whatever), where the <asn> here is usually the one-and-only ASN but, > if there's more than one, is whichever ASN seems good to the router > operator. > > - Allow the ASIdentifiers extension in the router certificate PKCS > #10. I don't particularly care whether we require this to be > present in all cases or only in the multi-ASN case, but if it is > present at all, the ASN encoded in the subject name MUST also be > listed in the ASIdentifiers extension. +1 > The CA, of course, is free to reject this PKCS #10, or issue a > certificate using the public key from the PKCS #10, a different > subject name than proposed in the PKCS #10, or only certify a subset > of the ASNs requested in the PKCS #10. Final decision on what to > certify remains with the CA, the PKCS #10 is just a mechanism for > conveying data to the CA in a tidy package. Yep the CA is the one attesting to the binding so it gets the final say. > Note that the multi-ASN case could be construed as an argument for > dropping the ASN out of the router certificate name entirely, or > perhaps only dropping the ASN out of the name when dealing with a > multi-ASN certificate. I have no strong feelings on the matter. > > I do not particularly care whether the PKCS #10 profile for router > certificates is based on RFC 6487 or is a free-standing document; > whichever is easiest to get right in a reasonable period of time. Just le me know which route you want to take (no pun intended) wrt draft-ietf-sidr-rtr-keying and draft-ietf-sidr-bgpsec-pki-profiles. spt
- [sidr] about the thread "Conflict between rtr-key… Sandra Murphy
- Re: [sidr] about the thread "Conflict between rtr… Sandra Murphy
- Re: [sidr] about the thread "Conflict between rtr… Randy Bush
- Re: [sidr] about the thread "Conflict between rtr… Stephen Kent
- Re: [sidr] about the thread "Conflict between rtr… Sandra Murphy
- Re: [sidr] about the thread "Conflict between rtr… Sandra Murphy
- Re: [sidr] about the thread "Conflict between rtr… Stephen Kent
- Re: [sidr] about the thread "Conflict between rtr… Stephen Kent
- Re: [sidr] about the thread "Conflict between rtr… Rob Austein
- [sidr] EST (was Re: about the thread "Conflict be… Rob Austein
- Re: [sidr] EST (was Re: about the thread "Conflic… Stephen Kent
- Re: [sidr] about the thread "Conflict between rtr… Sean Turner
- Re: [sidr] EST (was Re: about the thread "Conflic… Sean Turner
- Re: [sidr] EST (was Re: about the thread "Conflic… Sean Turner