[sidr] about a router AS-related certificate
Sandra Murphy <Sandra.Murphy@sparta.com> Fri, 14 October 2011 14:50 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08FB821F8CC9 for <sidr@ietfa.amsl.com>; Fri, 14 Oct 2011 07:50:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cwshaFVKiKL for <sidr@ietfa.amsl.com>; Fri, 14 Oct 2011 07:50:13 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 630F321F8CC7 for <sidr@ietf.org>; Fri, 14 Oct 2011 07:50:13 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p9EEoC8j013695 for <sidr@ietf.org>; Fri, 14 Oct 2011 09:50:12 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p9EEoCWS005809 for <sidr@ietf.org>; Fri, 14 Oct 2011 09:50:12 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([199.187.222.67]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 14 Oct 2011 10:50:11 -0400
Date: Fri, 14 Oct 2011 10:50:20 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1110131917350.4820@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 14 Oct 2011 14:50:11.0848 (UTC) FILETIME=[934A7880:01CC8A80]
Subject: [sidr] about a router AS-related certificate
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2011 14:50:14 -0000
The wg has just demonstrated a lack of support for adoption of a suggested
cert profile for routers in draft-turner-sidr-bgpsec-pki-profiles.
Unfortunately, a router certificate is already mentioned in existing wg
drafts.
The bgpsec-overview draft says:
BGPSEC extends the RPKI by adding an additional type of certificate,
referred to as a BGPSEC router certificate, that binds an AS number
to a public signature verification key, the corresponding private key
of which is held by one or more BGP speakers within this AS.
The bgpsec-ops drafts says:
AS/Router Certificates
A site/operator MAY use a single certificate/key in all their
routers, one certificate/key per router, or any granularity in
between.
A large operator, concerned that a compromise of one router's key
would make many routers vulnerable, MAY accept a more complex
certificate/key distribution burden to reduce this exposure.
On the other extreme, an edge site with one or two routers MAY use a
single certificate/key.
Is there an alternative router certificate that the wg would like to
adopt?
If the wg did not realize that the router certificate was needed to
fulfill existing wg drafts, please speak up.
At any rate, the wg needs to indicate how to proceed here.
--Sandy, speaking as wg chair
- [sidr] about a router AS-related certificate Sandra Murphy
- Re: [sidr] about a router AS-related certificate … Sandra Murphy
- Re: [sidr] about a router AS-related certificate Stephen Kent
- Re: [sidr] about a router AS-related certificate Warren Kumari