Re: [sidr] question on SKI and router public key retrieval in signature attribute in BGPSEC

Stephen Kent <kent@bbn.com> Wed, 14 March 2012 15:24 UTC

Date: Wed, 14 Mar 2012 11:09:52 -0400
To: nalini iyer <nlniyer2@gmail.com>
From: Stephen Kent <kent@bbn.com>
Cc: sidr@ietf.org
Subject: Re: [sidr] question on SKI and router public key retrieval in signature attribute in BGPSEC

At 10:20 AM -0400 3/14/12, nalini iyer wrote:
>Sorry for asking this but despite looking at likely sources off the
>documents list on the SIDR page am still in the dark, and would like
>to confirm suspicions.
>
>The SKI in the signature attribute is a hash of the signing router's 
>public key,

yes, and it is computed as described in RFC 5280, 4.2.1.2.

>
>a) Is this hashed with the CA's pvt key?

no. a one-way hash function (in contrast to a hash-based MAC function
such as HMAC) does not make use of a key. And, hash-based MACs use
symmetric keys, not private keys of a public key pair.

>b) How is the corresponding CA certificate (to de-hash the SKI) obtained?

de-hash? the SKI for the router's cert is verified using the router's cert,
not using the cert of the CA that issued the router's cert. anyway, 
the CA cert under which the router's cert was issued would be 
obtained from the RPKI repository, as it is the CA cert associated 
with the ISP operating the router.

>c) From where is the router EE cert identified by the SKI then
>obtained, or is getting the router's cert considered unnecessary as
>the router public key is contained in the de-hashed SKI?
>thank you,

as above, router certs are obtained from the RPKI repository system.

Steve
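An added example (not from this thread) of the computation Steve points to and of the lookup in (c): the SKI is RFC 5280 method (1), an unkeyed SHA-1 over the subjectPublicKey bits, and a validator uses it only to select which router certificate, fetched from the RPKI repository, holds the key that verifies the signature segment. It assumes an ECDSA P-256 router key; the small DER walker, the ROUTER_CERTS stand-in and the coordinate bytes are constructed for illustration and are not real keys.

```python
import hashlib

def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ski_from_spki(spki_der):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING
    value, excluding tag, length and the unused-bits octet. No key is involved:
    anyone holding the cert can recompute it, so it identifies, never proves."""
    tag, seq, _ = der_read(spki_der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, _, pos = der_read(seq, 0)            # skip AlgorithmIdentifier
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return hashlib.sha1(bits[1:]).digest()

def p256_spki(x, y):
    """Constructed DER SubjectPublicKeyInfo for an ECDSA P-256 key;
    x, y are 32-byte coordinates and are not validated as a curve point."""
    alg = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
    bits = b"\x03\x42\x00\x04" + x + y      # BIT STRING, 0 unused bits, uncompressed point
    return b"\x30\x59" + alg + bits

# Constructed stand-in for router certs fetched from the RPKI repository:
# only the fields the lookup needs (AS numbers from the documentation range).
ROUTER_CERTS = [
    {"asn": 64496, "spki": p256_spki(bytes(range(1, 33)), bytes(range(33, 65)))},
    {"asn": 64497, "spki": p256_spki(bytes(range(65, 97)), bytes(range(97, 129)))},
]

def find_router_cert(ski, certs):
    """Question (c) in code: the SKI in a BGPsec signature segment carries no
    key; it selects the router cert whose public key hashes to it."""
    for cert in certs:
        if ski_from_spki(cert["spki"]) == ski:
            return cert
    return None                             # no cert found: signature cannot be validated
```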