[sidr] draft-ietf-sidr-bgpsec-pki-profiles-16 and multiple use EE certs

Sandra Murphy <sandra.murphy@parsons.com> Fri, 27 May 2016 17:39 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/sidr/kTh_9IVm0HDgNlsxauSUelAqVqY>

The discussion of the draft-ietf-sidr-rpsl-sig draft with the IESG brought the single-use language in RFC6487 into the discussion.

The authors of the rpsl-sig pointed to the language in RFC6487 section 3:

  The private key associated with an EE certificate is used to sign a
  single RPKI signed object, i.e., the EE certificate is used to
  validate only one object.

While this language is not normative, this language could be taken as a requirement.  The working group and the IESG accepted removal of this requirement for the EE certificates used in the rpsl-sig attributes.

The same applies to the router certificates defined in draft-ietf-sidr-bgpsec-pki-profiles-16.

The chairs direct the authors to add the following to draft-ietf-sidr-bgpsec-pki-profiles-16.

3.4  Router Certificates and Signing Functions in the RPKI

  As described in Section 1, the primary function of BGPsec router
  certificates in the RPKI is for use in the context of certification of
  Autonomous System (AS) paths in the Border Gateway Protocol Security
  protocol (BGPsec).

  The private key associated with a router EE certificate may be used
  multiple times in generating signatures in multiple instances of the
  BGPsec_Path Attribute Signature Segments [ID.sidr-bgpsec-protocol].
  I.e., the BGPsec router certificate is used to validate multiple signatures.

  BGPsec router certificates are stored in the issuing CA's repository,
  where a repository following RFC6481 MUST use a .cer filename extension
  for the certificate file.

—Sandy, speaking as one of the co-chairs
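As an added illustration (not text or code from the draft or from this message; it assumes a P-256 router key generated on the spot, constructed segment inputs, and a bare public key standing in for the router certificate), this Go program signs two different signature segments with one router key and shows that a validator applying the RFC 6487 single-use reading rejects the second signature while one applying the proposed section 3.4 text accepts both:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Validator checks BGPsec signature segments against a router EE public key (a
// stand-in for the router certificate). singleUse applies the RFC 6487 "validate
// only one object" reading; left unset, it applies the proposed section 3.4 text.
type Validator struct {
	singleUse bool
	used      map[string]bool // certificates that have already validated an object
}

// Verify checks the ECDSA/SHA-256 signature over one BGPsec_Path signature-segment
// input, then applies the use policy.
func (v *Validator) Verify(pub *ecdsa.PublicKey, segment, sig []byte) bool {
	d := sha256.Sum256(segment)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return false
	}
	id := pub.X.Text(16) // key identity stands in for certificate identity
	if v.singleUse && v.used[id] {
		return false // a second object under the same EE certificate is refused
	}
	v.used[id] = true
	return true
}

// Demo signs two distinct constructed segments with one router key and returns how
// many each reading accepts: the single-use count, then the section 3.4 count.
func Demo() (single, multi int, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return 0, 0, err }
	strict := &Validator{singleUse: true, used: map[string]bool{}}
	relaxed := &Validator{used: map[string]bool{}}
	for _, s := range []string{"constructed: AS64496 to AS64497", "constructed: AS64496 to AS64498"} {
		d := sha256.Sum256([]byte(s))
		sig, e := ecdsa.SignASN1(rand.Reader, priv, d[:]) // the same key signs every segment
		if e != nil { return 0, 0, e }
		if strict.Verify(&priv.PublicKey, []byte(s), sig) { single++ }
		if relaxed.Verify(&priv.PublicKey, []byte(s), sig) { multi++ }
	}
	return single, multi, nil
}
```

Demo returns 1 and 2: the single-use validator accepts only the first segment, the section 3.4 validator accepts both.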