Re: [sidr] [Technical Errata Reported] RFC6487 (3174)

David Mandelberg <> Wed, 04 April 2012 17:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD31011E807F for <>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vMzEuLRVySMK for <>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1F4DD11E8072 for <>; Wed, 4 Apr 2012 10:21:19 -0700 (PDT)
Received: from ([]:52142) by with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <>) id 1SFTt7-000F9g-8M; Wed, 04 Apr 2012 13:20:53 -0400
Received: from ([]) by with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <>) id 1SFTtM-0000d9-Ln; Wed, 04 Apr 2012 13:21:08 -0400
Message-ID: <1333560064.10619.36.camel@titan>
From: David Mandelberg <>
To: Geoff Huston <>
Date: Wed, 04 Apr 2012 13:21:04 -0400
In-Reply-To: <>
References: <> <>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.2.2-
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
Cc:,,, RFC Errata System <>,
Subject: Re: [sidr] [Technical Errata Reported] RFC6487 (3174)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Apr 2012 17:21:19 -0000

On Wed, 2012-04-04 at 09:27 +1000, Geoff Huston wrote:
> I'm tending to a "reject". Section 4.8.3 does not precisely apply to CRLs, so to accept this would then require a further errata notice to amend this errata to narrow down the scope of the AIA further.

AKI, not AIA. I just meant that the CRL AKI should have the same format
and meaning as in 4.8.3, i.e. it should use the SHA-1 hash of the
issuer's public key with neither authorityCertIssuer nor
authorityCertSerialNumber fields present. Maybe the errata should be
rejected and resubmitted with text copied and edited from 4.8.3, instead
of referencing 4.8.3?

> Given that the text already says:  "The algorithm used in CRLs issued under this profile is specified in [RFC6485]." then I'm not not what futerhe specification is required here.

What part of RFC6485 says anything about CRL AKIs? The closest I can
find is in Section 2:

         NOTE: The exception to the above hashing algorithm is the use
         of SHA-1 [SHS] when Certification Authorities (CAs) generate
         authority and subject key identifiers [RFC6487].

That maybe could be interpreted as saying that CRL AKIs should use
SHA-1, but it doesn't say that authorityCertIssuer and
authorityCertSerialNumber must be absent. It also doesn't explicitly say
what to take the SHA-1 of when generating a CRL AKI.

David Mandelberg
Wed Apr 4 13:07:37 EDT 2012