Re: [sidr] about a router AS-related certificate (fwd)

Sandra Murphy <> Fri, 14 October 2011 21:50 UTC


Sorry, somehow did NOT reply all.


---------- Forwarded message ----------
Date: Fri, 14 Oct 2011 17:44:07 -0400 (Eastern Daylight Time)
From: Sandra Murphy <>
To: Brian Dickson <>
Subject: Re: [sidr] about a router AS-related certificate

On Fri, 14 Oct 2011, Brian Dickson wrote:

> Hi, Sandy,
> Would it be too much to ask, to get a brief summary email sent to the
> list, of recent last-calls or adoption-calls, and pro/con responses
> levels?

Not sure if you mean on a regular periodic basis or right now for the recent 
flurry of wg calls.

The summary of the recent flurry can be constructed well enough.  (If you want 
a rough immediate idea, the mail archive can display a thread index of the 

A periodic message is also possible, if people would find that useful. You 
indicate that you just recently joined the list, so maybe you don't realize 
that this wg is particularly bursty, but obviously there's reasonable 
periodicity that could be used.

> This would be to get an idea of whether some might have been missed,
> and which need support to progress?

Some care would be wise.  A message from the wg chairs to say "hey, wg, you 
haven't demonstrated support for draft X" might be construed as undue
chair influence on the wg consensus.

The periodic summary you suggest is objective enough that it could/might pass 

> And I'd suggest that if there were not-many pros, and none or much
> fewer than normal cons, that asking again to boost the pro responses,
> may be all that is needed.

IMHO, the wg chairs taking steps to boost the pro response would be truly 
skating too close to the edge of undue influence.  Over the edge, maybe.

> The inter-dependencies of some of these drafts make it pretty important.
> BTW, I would be more than happy to contribute to the WG in whatever way I 
> can.



> Thanks,
> Brian Dickson
> On Fri, Oct 14, 2011 at 10:50 AM, Sandra Murphy
> <> wrote:
>> The wg has just demonstrated a lack of support for adoption of a suggested
>> cert profile for routers in draft-turner-sidr-bgpsec-pki-profiles.
>> Unfortunately, a router certificate is already mentioned in existing wg
>> drafts.
>> The bgpsec-overview draft says:
>>   BGPSEC extends the RPKI by adding an additional type of certificate,
>>   referred to as a BGPSEC router certificate, that binds an AS number
>>   to a public signature verification key, the corresponding private key
>>   of which is held by one or more BGP speakers within this AS.
>> The bgpsec-ops draft says:
>>   AS/Router Certificates
>>   A site/operator MAY use a single certificate/key in all their
>>   routers, one certificate/key per router, or any granularity in
>>   between.
>>   A large operator, concerned that a compromise of one router's key
>>   would make many routers vulnerable, MAY accept a more complex
>>   certificate/key distribution burden to reduce this exposure.
>>   On the other extreme, an edge site with one or two routers MAY use a
>>   single certificate/key.
>> Is there an alternative router certificate that the wg would like to adopt?
>> If the wg did not realize that the router certificate was needed to fulfill
>> existing wg drafts, please speak up.
>> At any rate, the wg needs to indicate how to proceed here.
>> --Sandy, speaking as wg chair
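Taking the definition quoted above from the bgpsec-overview draft (a certificate that binds an AS number to a public signature verification key) together with the key-granularity point from bgpsec-ops, here is an added Go example; it is not part of this thread and is not code from either draft. It issues a self-signed router certificate that carries the AS number in an RFC 3779 AS identifiers extension (my choice of encoding, an assumption about how the binding is carried, not something the thread specifies), signs a constructed update payload with the router key, and accepts the signature only when both the signature and the AS binding check out. AS64496 (documentation range), the payload, and the names newRouterKey, issueRouterCert, certAS, signUpdate and verifyUpdate are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidASIdentifiers is id-pe-autonomousSysIds from RFC 3779 (1.3.6.1.5.5.7.1.8).
var oidASIdentifiers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 8}

// asIdentifiers is a deliberately narrow rendering of RFC 3779 ASIdentifiers:
// only the asnum [0] choice and only plain AS ids (no ranges, rdi or inherit).
// That restriction is an assumption of this example, not of any draft.
type asIdentifiers struct {
	ASNum []int `asn1:"tag:0,explicit"`
}

// newRouterKey generates the per-router (or per-site) signing key.
func newRouterKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issueRouterCert builds a self-signed certificate binding asn to key's public
// half. Self-signing stands in for the RPKI CA that would really issue it.
func issueRouterCert(asn int, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	extVal, err := asn1.Marshal(asIdentifiers{ASNum: []int{asn}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("ROUTER-AS%d", asn)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// RFC 3779 makes this extension critical. Go's chain verifier rejects
		// unhandled critical extensions, so a real validator needs RFC 3779
		// support; here the extension is read by hand in certAS.
		ExtraExtensions: []pkix.Extension{{Id: oidASIdentifiers, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certAS extracts the single AS number the certificate is bound to.
func certAS(cert *x509.Certificate) (int, error) {
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidASIdentifiers) {
			continue
		}
		var ids asIdentifiers
		rest, err := asn1.Unmarshal(e.Value, &ids)
		if err != nil {
			return 0, err
		}
		if len(rest) != 0 || len(ids.ASNum) != 1 {
			return 0, errors.New("AS identifiers extension is not a single AS id")
		}
		return ids.ASNum[0], nil
	}
	return 0, errors.New("certificate carries no AS identifiers extension")
}

// signUpdate signs the SHA-256 digest of a (constructed) update payload.
func signUpdate(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyUpdate accepts the signature only if it verifies under the certified
// key AND the certificate is bound to the AS the update claims to come from.
func verifyUpdate(cert *x509.Certificate, claimedAS int, payload, sig []byte) error {
	boundAS, err := certAS(cert)
	if err != nil {
		return err
	}
	if boundAS != claimedAS {
		return fmt.Errorf("certificate is bound to AS%d but update claims AS%d", boundAS, claimedAS)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate key is not ECDSA")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

func main() {
	key, _ := newRouterKey()
	cert, _ := issueRouterCert(64496, key)
	payload := []byte("constructed BGPsec update payload") // constructed sample input
	sig, _ := signUpdate(key, payload)
	fmt.Println("claimed AS64496:", verifyUpdate(cert, 64496, payload, sig))
	fmt.Println("claimed AS64497:", verifyUpdate(cert, 64497, payload, sig))
}
```

The granularity question in the bgpsec-ops text maps directly onto how many routers hold the private half of one such key: verifyUpdate can only establish that a key bound to the AS produced the signature, not which router did, so every router sharing a certificate/key is equally affected when that key is compromised, and the revocation or rekey has to reach all of them at once.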