[sidr] FW: question on SKI and router public key retrieval in signature attribute in BGPSEC
"Murphy, Sandra" <Sandra.Murphy@sparta.com> Wed, 14 March 2012 17:16 UTC
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: [sidr] question on SKI and router public key retrieval in signature attribute in BGPSEC
Thread-Index: AQHNAe2dMJJAJLI6IEaTkCDFY5H/dJZp2cxfgAAuHic=
Date: Wed, 14 Mar 2012 17:15:57 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F60F6C7C9D@Hermes.columbia.ads.sparta.com>
References: <CAPFvSjVDvGap-+yV7J4nirTtU3jygx6rsGTAyUjHSvh9iqjmbA@mail.gmail.com>, <24B20D14B2CD29478C8D5D6E9CBB29F60F6C7BEA@Hermes.columbia.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F60F6C7BEA@Hermes.columbia.ads.sparta.com>
Subject: [sidr] FW: question on SKI and router public key retrieval in signature attribute in BGPSEC
List-Id: Secure Interdomain Routing <sidr.ietf.org>
Sorry, did not reply to the list.
--Sandy
________________________________________
From: Murphy, Sandra
Sent: Wednesday, March 14, 2012 10:40 AM
To: nalini iyer
Subject: RE: [sidr] question on SKI and router public key retrieval in signature attribute in BGPSEC
Speaking as regular ol' member.
If I understand your questions correctly:
(a) This is just a hash, not a signature or MAC - no key required
(b) There is no de-hashing of the SKI - it is just a way to index into your pile of certs to find the right one.
(c) Again, no de-hashing of the key - the SKI is a way to identify the right certificate.
See page 18 of the protocol spec:
o (Step I): Locate the public key needed to verify the signature (in
the current Signature-Segment). To do this, consult the valid
RPKI end-entity certificate data and look for an SKI that matches
the value in the Subject Key Identifier 1 field of the Signature-
Segment.
And section 4.8.2 page 9 of rfc6487 (the old res-certs draft)
The Key Identifier used for resource certificates is the 160-bit
SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the
Subject Public Key, as described in Section 4.2.1.2 of [RFC5280].
No key involved. Just a cryptographic hash. No crypto operations, just an indexing/matching into a store of data.
--Sandy, speaking as regular ol' member
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] on behalf of nalini iyer [nlniyer2@gmail.com]
Sent: Wednesday, March 14, 2012 10:20 AM
To: sidr@ietf.org
Subject: [sidr] question on SKI and router public key retrieval in signature attribute in BGPSEC
Sorry for asking this, but despite looking at likely sources off the documents list on the SIDR page I am still in the dark, and would like to confirm suspicions.
The SKI in the signature attribute is a hash of the signing router's public key:
a) Is this hashed with the CA's pvt key?
b) How is the corresponding CA certificate (to de-hash the SKI) obtained?
c) From where is the router EE cert identified by the SKI then
obtained, or is getting the router's cert considered unnecessary as
the router public key is contained in the de-hashed SKI?
thank you,
N.I.
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
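The lookup Sandra describes (Step I of validation, plus the RFC 6487 / RFC 5280 method for deriving the SKI) as an added, runnable example. This is not code from the BGPsec draft, from any RPKI implementation, or from either poster. It assumes a toy store of already-validated router EE certificates: one key is the P-256 generator point (a valid public key), the other is a constructed placeholder of the right length that is not a valid curve point and serves only as hash input; the AS numbers are from the documentation range. The Signature-Segment layout used (20-octet SKI, 2-octet Signature Length, Signature) is the one in the protocol draft; the signature bytes are opaque and nothing here signs or verifies anything.

```python
"""Step I of BGPsec path validation as a pure hash-and-lookup.

Added example for this archived thread; not code from the BGPsec
specification, the RPKI tool chain, or any poster.  It builds a
SubjectPublicKeyInfo for a P-256 key, derives the Subject Key Identifier
the way RFC 5280 Section 4.2.1.2 method (1) and RFC 6487 Section 4.8.2
describe it, and resolves the SKI carried in a Signature-Segment against a
local certificate store.  Only hashlib is used; no key is involved in
producing the SKI and no signature is verified anywhere in this file.
"""
import hashlib

# --- minimal DER helpers ------------------------------------------------

def der_length(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def der_read(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the TLV at buf[off:]."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = off + hdr
    return tag, buf[start:start + length], start + length

OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")    # 1.2.840.10045.2.1
OID_PRIME256V1    = bytes.fromhex("06082a8648ce3d030107")  # 1.2.840.10045.3.1.7

def build_spki_p256(point: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    algorithm = der_tlv(0x30, OID_EC_PUBLIC_KEY + OID_PRIME256V1)
    subject_public_key = der_tlv(0x03, b"\x00" + point)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)

def subject_key_identifier(spki_der: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1), as required by RFC 6487 4.8.2:
    SHA-1 over the *value* of the subjectPublicKey BIT STRING, excluding
    its tag, length and unused-bits octet.  A plain hash: no CA key, no
    signature, and the public key cannot be recovered from it."""
    tag, spki_body, _ = der_read(spki_der)
    assert tag == 0x30
    _, _, off = der_read(spki_body)            # skip AlgorithmIdentifier
    tag, bitstring, _ = der_read(spki_body, off)
    assert tag == 0x03 and bitstring[0] == 0   # BIT STRING, no unused bits
    return hashlib.sha1(bitstring[1:]).digest()

# --- a toy store of validated RPKI router (EE) certificates --------------
# Constructed inputs: P256_G is the P-256 generator point (a valid public
# key); PLACEHOLDER_KEY is the right length but NOT a valid curve point and
# is only ever used as hash input.
P256_G = bytes.fromhex(
    "04"
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
PLACEHOLDER_KEY = b"\x04" + bytes([0x11]) * 64

ROUTER_CERTS = [  # (AS number, SubjectPublicKeyInfo) taken from validated RPKI data
    (64496, build_spki_p256(P256_G)),
    (64497, build_spki_p256(PLACEHOLDER_KEY)),
]

def index_by_ski(certs):
    """SKI -> list of certs carrying that key.  A list, not one entry: the
    SKI depends on the key alone, so two certificates issued for the same
    key (e.g. a re-issue) share one SKI and both are candidates."""
    index = {}
    for asn, spki in certs:
        index.setdefault(subject_key_identifier(spki), []).append((asn, spki))
    return index

# --- Signature-Segment: SKI (20 octets) | Signature Length (2) | Signature --

def parse_signature_segment(seg: bytes):
    ski = seg[:20]
    sig_len = int.from_bytes(seg[20:22], "big")
    sig = seg[22:22 + sig_len]
    if len(ski) != 20 or len(sig) != sig_len:
        raise ValueError("truncated Signature-Segment")
    return ski, sig

def locate_verification_keys(seg: bytes, index) -> list:
    """Step I: the (AS, SPKI) candidates whose SKI equals the segment's SKI.
    An empty list means no valid certificate is known for that key, so the
    signature cannot be checked; there is nothing to 'de-hash'."""
    ski, _ = parse_signature_segment(seg)
    return index.get(ski, [])

def make_segment(spki: bytes, signature: bytes) -> bytes:
    """Segment as a signing router would emit it (signature bytes opaque)."""
    return subject_key_identifier(spki) + len(signature).to_bytes(2, "big") + signature

if __name__ == "__main__":
    index = index_by_ski(ROUTER_CERTS)
    seg = make_segment(ROUTER_CERTS[0][1], b"\x00" * 70)  # opaque placeholder signature
    for asn, _ in locate_verification_keys(seg, index):
        print("SKI", parse_signature_segment(seg)[0].hex(), "-> AS", asn)
    print("unknown SKI ->", locate_verification_keys(bytes(20) + b"\x00\x00", index))
```

The store is keyed only by the 20-byte digest, so a receiver that does not hold the router's certificate gets an empty candidate list and has to stop; the SKI carries no key material of its own. Keeping a list per SKI is deliberate: because the identifier is computed from the key and nothing else, every certificate issued for that key collides on it.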
- [sidr] question on SKI and router public key retr… nalini iyer
- Re: [sidr] question on SKI and router public key … Stephen Kent
- [sidr] FW: question on SKI and router public key … Murphy, Sandra