Re: [sidr] Validation Reconsidered (again/again) question

[Stephen Kent <kent@bbn.com>]

Geoff,

Happy new year.


> ...
>
>> Consider a cert path from a trust anchor TA, to CA1 to CA2 to an EE cert for a ROA.
>>
>> TA->CA 1->CA 2->ROA
>>
>>
>> Assume the TA cert contains address space T, U, V, W, X, Y and Z.
>>
>> Assume the CA 1 cert contains address space T, U, V, and W.
>>
>> Assume the CA 2 cert contains address space V and W.
>>
>> Let's say that the ROA EE cert issued by CA 2 contains address space V.
>>
>> CA 2 is about to receive address space Z from some other ISP, so it has asked
>> CA 1 to issue a new CA cert to it, in anticipation of the transfer. CA 1 agrees,
>> and issues a new cert to CA 2 and that cert contains address space V and Z.
> CA1 has already issued a cert with subject “CA2” and resources (V,W) - lets call this cert No 1
>
> Do you mean:
>
> a) CA 1 issues a cert  with subject “CA2” and resources (V,Z) - lets call this cert No 2
>
> OR the combination of actions:
>
> b)    CA 1 issues a SECOND cert  with subject “CA2” and resources (V,Z)  - lets call this Cert No 2
>     AND
>        CA1 revokes the cert with subject “CA2” and resources (V,W) (which we call Cert No 1)
I intended the second case. Chris pointed out to me in a private message 
that
I failed to include W in this cert; my bad. I intended to have the new 
cert add Z to V and W.
>> Now, under the assumption about what "specific resource set" means, when
>> an RP tries to validate CA 2's ROA,
> Now I’m confused - originally the ROA was signed by an EE cert issued by CA 2’s Cert No 1
>
> so when you refer to CA 2’s ROA do you mean the ROA that was signed by an EE cert issued by CA 2’s Cert No 1,
> or do you mean a new ROA signed by an EE issued by CA 2’s Cert No 2?
No ROA is "signed" by any cert; a signature on a ROA (or a cert) is 
verified using a cert.

The ROA to which I refer is issued under CA 2 (your Cert 1), and it is 
not new.
I described the ROA when I trued to set the stage for the example:
     "Let's say that the ROA EE cert issued by CA 2 contains address 
space V."
>> the "specific resource set" will be V, and
>> so it will be valid, because V is in all of the certs from the TA through CA 1
>> to CA 2. Even though CA 2's cert contains Z, which is not contained
>> in CA 1's cert, this will not be considered in the validation of the ROA EE cert.
>> This is the desired outcome, because CA 2 has begun the process of getting its
>> new address space (Z), but that process has not broken its CA cert. I assume this
>> is an example of the reduced fragility that is so appealing.
> So I _think_ you are assuming that there is a new ROA, signed by an EE cert issued by
> the CA that has a CA cert issued by CA 1 with resources (V,Z), and evidently you are referring
> to this new ROA and its new EE cert.
no, it's the same ROA I defined in the intro to the example.

I'll stop at this point, because the remainder of your comments are
based on the assumption that this was a new ROA, which was not my intent.

Sorry for the typo in the resource set for "Cert 1" and for not being
more explicit in saying that the new Cert for CA 2 was issued by CA 1
as a replacement for the original CA 2 cert.

Steve