Re: [sidr] [Technical Errata Reported] RFC6487 (3238)

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Thu, 31 May 2012 15:29 UTC

From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: [sidr] [Technical Errata Reported] RFC6487 (3238)
Date: Thu, 31 May 2012 15:29:17 +0000
Message-ID: <2BAE4694-60C2-4301-BFAF-05DF49054BF4@cisco.com>
References: <20120531145543.F363272E004@rfc-editor.org>
In-Reply-To: <20120531145543.F363272E004@rfc-editor.org>

Hi Steve,

> 
> The following errata report has been submitted for RFC6487,
> "A Profile for X.509 PKIX Resource Certificates".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6487&eid=3238
> 
> --------------------------------------
> Type: Technical
> Reported by: Stephen Kent <kent@bbn.com>
> 
> Section: 6.3
> 
> Original Text
> -------------
> ExtendedKeyUsage
>         The CA MAY honor ExtendedKeyUsage extensions of keyCertSign and
>         cRLSign if present, as long as this is consistent with the
>         BasicConstraints SubjectType sub-field, when specified.
> 
> Corrected Text
> --------------
> ExtendedKeyUsage
>         The CA MAY honor ExtendedKeyUsage extensions in requests for EE
>         certificates that are issued to routers or other devices, consistent with values
>         specified in Standards Track RFCs that adopt this profile and that identify
>         application-specific requirements that motivate the use of such EKUs.
> 

I agree that this correction makes sense. I also agree on the restriction to uses that are compatible with this profile rather than the complete registry list. We already have RFC 6494 as an example.

Roque

> Notes
> -----
> The current text appears to be the result of a "cut and paste" error. It is essentially identical to the text
> for the Key Usage extension, and names two fields that appear in that extension, not in an EKU extension.
> The text I propose above parallels what appears in Section 4.8.5, which describes how an
> EKU MAY be used in RPKI certificates.
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC6487 (draft-ietf-sidr-res-certs-22)
> --------------------------------------
> Title               : A Profile for X.509 PKIX Resource Certificates
> Publication Date    : February 2012
> Author(s)           : G. Huston, G. Michaelson, R. Loomans
> Category            : PROPOSED STANDARD
> Source              : Secure Inter-Domain Routing
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
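The corrected Section 6.3 text, expressed as the request-side check an RPKI CA would run; this is an added example, not code from the errata, RFC 6487 or any CA implementation. It operates on already-parsed extension values rather than DER, the allow-list of EKU OIDs is an assumption of the example (the id-kp-send* purposes RFC 6494 defines, the RFC Roque names), and the CA/object-signing rules are those of RFC 6487 Section 4.8.5, which the erratum points to.

```python
from dataclasses import dataclass

ID_KP = "1.3.6.1.5.5.7.3"
# Assumed allow-list: EKU OIDs that a Standards Track RFC adopting the RPKI
# profile has defined for device certificates. RFC 6494 (SEND) defines these
# three; further adopting RFCs would extend this table.
PERMITTED_EKU = {
    ID_KP + ".23": "id-kp-sendRouter",
    ID_KP + ".24": "id-kp-sendProxiedRouter",
    ID_KP + ".25": "id-kp-sendOwner",
}
# KeyUsage bit names. The erratum's point: these belong to the KeyUsage
# extension, while an EKU extension carries key-purpose OIDs, never bit names.
KEY_USAGE_BITS = {"digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"}


@dataclass(frozen=True)
class CertRequest:
    is_ca: bool                # BasicConstraints cA flag of the requested cert
    signs_rpki_objects: bool   # EE whose key will sign ROAs, manifests, etc.
    eku: tuple = ()            # requested EKU values, as dotted OID strings


def eku_decision(req: CertRequest):
    """Decide whether the CA honours the EKU extension in `req`.

    Returns (honor, reason). Rules from RFC 6487 Section 4.8.5, which the
    corrected Section 6.3 text refers to: no EKU in CA certificates, none in
    EE certificates that sign RPKI objects, and in router/device EE
    certificates only OIDs defined by RFCs that adopt the profile.
    """
    if not req.eku:
        return True, "no EKU requested; nothing to honour"
    if req.is_ca:
        return False, "EKU MUST NOT appear in a CA certificate"
    if req.signs_rpki_objects:
        return False, "EKU MUST NOT appear in an EE certificate that signs RPKI objects"
    for value in req.eku:
        if value in KEY_USAGE_BITS:
            # The confusion the erratum fixes, seen from the request side.
            return False, f"{value} is a KeyUsage bit, not an EKU OID"
        if value not in PERMITTED_EKU:
            return False, f"EKU {value} is not defined by an RFC adopting this profile"
    names = ", ".join(PERMITTED_EKU[v] for v in req.eku)
    return True, f"device EE; honouring {names}"
```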