Re: [sidr] [Technical Errata Reported] RFC6487 (3174)
David Mandelberg <dmandelb@bbn.com> Wed, 04 April 2012 17:21 UTC
Return-Path: <dmandelb@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD31011E807F for <sidr@ietfa.amsl.com>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMzEuLRVySMK for <sidr@ietfa.amsl.com>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 1F4DD11E8072 for <sidr@ietf.org>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
Received: from mail.bbn.com ([128.33.0.48]:52142) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <dmandelb@bbn.com>) id 1SFTt7-000F9g-8M; Wed, 04 Apr 2012 13:20:53 -0400
Received: from dhcp89-089-068.bbn.com ([128.89.89.68]) by mail.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <dmandelb@bbn.com>) id 1SFTtM-0000d9-Ln; Wed, 04 Apr 2012 13:21:08 -0400
Message-ID: <1333560064.10619.36.camel@titan>
From: David Mandelberg <dmandelb@bbn.com>
To: Geoff Huston <gih@apnic.net>
Date: Wed, 04 Apr 2012 13:21:04 -0400
In-Reply-To: <0B52207B-078C-4651-BEB2-3A667934E6B7@apnic.net>
References: <20120403182631.92C0072E004@rfc-editor.org> <0B52207B-078C-4651-BEB2-3A667934E6B7@apnic.net>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.2-
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Cc: Sandra.Murphy@sparta.com, morrowc@ops-netman.net, sidr@ietf.org, RFC Errata System <rfc-editor@rfc-editor.org>, ggm@apnic.net
Subject: Re: [sidr] [Technical Errata Reported] RFC6487 (3174)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 17:21:19 -0000
On Wed, 2012-04-04 at 09:27 +1000, Geoff Huston wrote: > I'm tending to a "reject". Section 4.8.3 does not precisely apply to CRLs, so to accept this would then require a further errata notice to amend this errata to narrow down the scope of the AIA further. AKI, not AIA. I just meant that the CRL AKI should have the same format and meaning as in 4.8.3, i.e. it should use the SHA-1 hash of the issuer's public key with neither authorityCertIssuer nor authorityCertSerialNumber fields present. Maybe the errata should be rejected and resubmitted with text copied and edited from 4.8.3, instead of referencing 4.8.3? > Given that the text already says: "The algorithm used in CRLs issued under this profile is specified in [RFC6485]." then I'm not not what futerhe specification is required here. What part of RFC6485 says anything about CRL AKIs? The closest I can find is in Section 2: NOTE: The exception to the above hashing algorithm is the use of SHA-1 [SHS] when Certification Authorities (CAs) generate authority and subject key identifiers [RFC6487]. That maybe could be interpreted as saying that CRL AKIs should use SHA-1, but it doesn't say that authorityCertIssuer and authorityCertSerialNumber must be absent. It also doesn't explicitly say what to take the SHA-1 of when generating a CRL AKI. -- David Mandelberg Wed Apr 4 13:07:37 EDT 2012
- Re: [sidr] [Technical Errata Reported] RFC6487 (3… Geoff Huston
- [sidr] [Technical Errata Reported] RFC6487 (3174) RFC Errata System
- Re: [sidr] [Technical Errata Reported] RFC6487 (3… David Mandelberg
- Re: [sidr] [Technical Errata Reported] RFC6487 (3… Stewart Bryant