[sidr] about a router AS-related certificate

Sandra Murphy <Sandra.Murphy@sparta.com> Fri, 14 October 2011 14:50 UTC

The wg has just demonstrated a lack of support for adoption of a suggested 
cert profile for routers in draft-turner-sidr-bgpsec-pki-profiles.

Unfortunately, a router certificate is already mentioned in existing wg 

The bgpsec-overview draft says:

    BGPSEC extends the RPKI by adding an additional type of certificate,
    referred to as a BGPSEC router certificate, that binds an AS number
    to a public signature verification key, the corresponding private key
    of which is held by one or more BGP speakers within this AS.

The bgpsec-ops draft says:

    AS/Router Certificates

    A site/operator MAY use a single certificate/key in all their
    routers, one certificate/key per router, or any granularity in

    A large operator, concerned that a compromise of one router's key
    would make many routers vulnerable, MAY accept a more complex
    certificate/key distribution burden to reduce this exposure.

    On the other extreme, an edge site with one or two routers MAY use a
    single certificate/key.

Is there an alternative router certificate that the wg would like to 

If the wg did not realize that the router certificate was needed to 
fulfill existing wg drafts, please speak up.

At any rate, the wg needs to indicate how to proceed here.

--Sandy, speaking as wg chair