Re: [sidr] [Technical Errata Reported] RFC6487 (3174)

Geoff Huston <gih@apnic.net> Tue, 03 April 2012 23:27 UTC

Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC08321F860E for <sidr@ietfa.amsl.com>; Tue, 3 Apr 2012 16:27:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.929
X-Spam-Level:
X-Spam-Status: No, score=-99.929 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_IP_ADDR=1.119, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G+eXiquAOsn4 for <sidr@ietfa.amsl.com>; Tue, 3 Apr 2012 16:27:34 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id 0214B21F85D0 for <sidr@ietf.org>; Tue, 3 Apr 2012 16:27:29 -0700 (PDT)
Received: from [202.158.221.120] (unknown [202.158.221.120]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id A860EB67A2; Wed, 4 Apr 2012 09:27:27 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <20120403182631.92C0072E004@rfc-editor.org>
Date: Wed, 4 Apr 2012 09:27:25 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B52207B-078C-4651-BEB2-3A667934E6B7@apnic.net>
References: <20120403182631.92C0072E004@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.1257)
Cc: Sandra.Murphy@sparta.com, morrowc@ops-netman.net, sidr@ietf.org, ggm@apnic.net
Subject: Re: [sidr] [Technical Errata Reported] RFC6487 (3174)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 23:27:35 -0000

I'm tending to a "reject". Section 4.8.3 does not precisely apply to CRLs, so to accept this would then require a further errata notice to amend this errata to narrow down the scope of the AIA further. 

Given that the text already says:  "The algorithm used in CRLs issued under this profile is specified in [RFC6485]." then I'm not not what futerhe specification is required here.

regards,

    Geoff







On 04/04/2012, at 4:26 AM, RFC Errata System wrote:

> 
> The following errata report has been submitted for RFC6487,
> "A Profile for X.509 PKIX Resource Certificates".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6487&eid=3174
> 
> --------------------------------------
> Type: Technical
> Reported by: David Mandelberg <dmandelb@bbn.com>
> 
> Section: 5
> 
> Original Text
> -------------
>   An RPKI CA MUST include the two extensions, Authority Key Identifier
>   and CRL Number, in every CRL that it issues.  RPs MUST be prepared to
>   process CRLs with these extensions.  No other CRL extensions are
>   allowed.
> 
> Corrected Text
> --------------
>   An RPKI CA MUST include the two extensions, Authority Key Identifier
>   and CRL Number, in every CRL that it issues.  The Authority Key
>   Identifier extension MUST follow the same restrictions as in
>   Section 4.8.3 above.  RPs MUST be prepared to process CRLs with
>   these extensions.  No other CRL extensions are allowed.
> 
> Notes
> -----
> RFC 6487 doesn't specify any restrictions on the format of the AKI extension in CRLs.
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC6487 (draft-ietf-sidr-res-certs-22)
> --------------------------------------
> Title               : A Profile for X.509 PKIX Resource Certificates
> Publication Date    : February 2012
> Author(s)           : G. Huston, G. Michaelson, R. Loomans
> Category            : PROPOSED STANDARD
> Source              : Secure Inter-Domain Routing
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG