Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt
Sean Turner <turners@ieca.com> Sun, 23 October 2011 22:25 UTC
Message-ID: <4EA4943F.80106@ieca.com>
Date: Sun, 23 Oct 2011 18:25:03 -0400
From: Sean Turner <turners@ieca.com>
To: Roque Gagliano <rogaglia@cisco.com>
References: <20110802092022.13671.96567.idtracker@ietfa.amsl.com> <1C1A5E2A-1C8A-4023-B2BA-A2D340470649@cisco.com> <p06240807ca5e0bcbcee5@[192.168.1.12]> <B02911FA-F807-4A6F-837A-205236B02325@cisco.com> <m239hiqa4p.wl%randy@psg.com> <4E3A9A65.4010207@ieca.com> <Pine.WNT.4.64.1108051408150.6664@SMURPHY-LT.columbia.ads.sparta.com> <4E3C503D.2050004@ieca.com> <EE05681A-CC67-4417-A335-379E7DB90338@cisco.com>
In-Reply-To: <EE05681A-CC67-4417-A335-379E7DB90338@cisco.com>
Cc: Sandra Murphy <Sandra.Murphy@sparta.com>, sidr@ietf.org
Subject: Re: [sidr] Fwd: New Version Notification for draft-ietf-sidr-algorithm-agility-03.txt
List-Id: Secure Interdomain Routing <sidr.ietf.org>
X-List-Received-Date: Sun, 23 Oct 2011 22:25:14 -0000
Roque,

The algorithms used to issue and validate BGPSEC certificates are the same as those for RPKI res-certs. This bit is in Section 2:

   Further, the algorithms used to generate RPKI CA certificates that
   issue the BGPSEC Router Certificates and the CRLs necessary to check
   the validity of the BGPSEC Router Certificates remain unchanged
   (i.e., they are as specified in [ID.sidr-rpki-algs]).

What that means is that a BGPSEC cert could be validated by an RP compliant with res-cert (modulo the things noted in Sec 3.3). Now if that same RP wants to do BGPSEC it's got to support the bgpsec-protocol, bgpsec-pki-profile, and bgpsec-pki-algs drafts too.

The other way to think about this is that if a BGPSEC RP is going to validate a BGPSEC signature - it's going to need to validate the BGPSEC protocol signature with the public key in the BGPSEC router's certificate using the algs in bgpsec-pki-algs, then the RP is going to need to validate the signature on the BGPSEC router's certificate with the public key and algs in rpki-certs and rpki-algs, and then repeat until it gets to a TA. I also made sure to put in the bgpsec-algs document that the algs used to sign the BGPSEC certs are found in rpki-algs.

I could see changing the following in Section 3.1:

OLD:

   A BGPSEC Router Certificate is a valid X.509 public key certificate,
   consistent with the PKIX profile [RFC5280] and
   [ID.sidr-res-cert-profile], containing the fields listed in this
   section. Only the differences between this profile and the profile
   in [ID.sidr-res-cert-profile] are listed.

NEW:

   A BGPSEC Router Certificate is a valid X.509 public key certificate,
   consistent with the PKIX profile [RFC5280], containing the fields
   listed in this section. This profile is based on
   [ID.sidr-res-cert-profile] and only the differences between this
   profile and the profile in [ID.sidr-res-cert-profile] are listed.

Section 3.1.2 points to the bgpsec-algs draft only for the key/alg in the EE certificate. The signature alg is still as specified in draft-ietf-sidr-rpki-algs-05 because the bgpsec-algs draft is only listing the differences.

Section 3.2 also points to the bgpsec-algs draft because the BGPSEC router is going to request the certificate using the algorithms specified in that draft.

But, I could see adding something like the following to Sec 3.3:

   NOTE: The cryptographic algorithms used by BGPSEC routers are found
   in [ID.sidr-bgpsec-algs]. Currently, the algorithms specified in
   [ID.sidr-bgpsec-algs] and [ID.sidr-rpki-algs] are different. BGPSEC
   RPs will need to support algorithms that are needed to validate
   BGPSEC signatures as well as the algorithms that are needed to
   validate signatures on BGPSEC certificates, RPKI CA certificates,
   and RPKI CRLs.

I rambled a bit so let me know if this makes sense.

spt

On 8/9/11 11:59 AM, Roque Gagliano wrote:
> Sean,
>
> In Section 3.3 of http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-pki-profiles/, you fail to mention that one of the differences from draft-ietf-sidr-res-cert-profile is that your document refers to a different algorithm suite document. Consequently, a BGPSEC certificate will not validate under draft-ietf-res-cert-profile, as long as the two algorithm suites are different, correct? If that is the case, I believe you should clarify it and probably remove the references that the new profile is consistent with draft-ietf-sidr-res-cert-profile certificates.
>
> Roque
>
>
>
> On Aug 5, 2011, at 10:19 PM, Sean Turner wrote:
>
>> On 8/5/11 2:11 PM, Sandra Murphy wrote:
>>>
>>>
>>> On Thu, 4 Aug 2011, Sean Turner wrote:
>>>
>>>> On 8/3/11 8:43 PM, Randy Bush wrote:
>>>>>> The intention was to focus on the use case for the proposed changes
>>>>>> (BGPSEC certs).
>>>>>
>>>>> what is a "BGPSEC cert?"
>>>>
>>>> What Mark and I are currently proposing in
>>>> draft-turner-sidr-bgpsec-pki-profiles is that a BGPSEC certificate is a
>>>
>>> <snip>
>>>
>>>>
>>>> PS Technically, the EKU is defined in
>>>> draft-turner-sidr-bgpsec-pki-profiles. It's
>>>
>>> <snip>
>>>
>>>> If the WG decides to adopt this approach, then we'll go through the
>>>> appropriate procedures to request an OID and include it in the draft.
>>>
>>> Sean, would you like to request wg adoption for these two drafts?
>>
>> Yes I would like the wg to consider adoption of:
>>
>> http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-pki-profiles/
>> http://datatracker.ietf.org/doc/draft-turner-sidr-bgpsec-algs/
>>
>> as the starting point for certificates and algorithms for BGPSEC.
>>
>> spt
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>
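Added example, not part of Sean's message or of either draft: the two-stage check he describes (protocol signature first, then the router certificate and each CA certificate above it until a TA is reached), written in Go against the standard library's x509 and ecdsa packages. It assumes RSA with SHA-256 as the rpki-algs suite and ECDSA P-256 with SHA-256 as the bgpsec-algs suite (the two different algorithms the NOTE refers to), a three-level hierarchy (TA, CA, router EE certificate) that the code constructs itself, and a placeholder byte string in place of the real BGPSEC signed-data encoding. The names hierarchy, validateUpdate, routerSign and ROUTER-AS64496 are invented for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy hierarchy: TA and CA use RSA keys (rpki-algs); the router EE cert holds an ECDSA P-256 key (bgpsec-algs).
type hierarchy struct {
	ta, ca, ee *x509.Certificate
	routerKey  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template: every cert, the EE cert included, is signed with rpki-algs (RSA/SHA-256); bgpsec-algs governs only the EE key.
func template(serial int64, cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
}

func issue(tmpl, parent *x509.Certificate, pub interface{}, signer crypto.Signer) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func buildHierarchy() *hierarchy {
	taKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	routerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	taTmpl := template(1, "TA (constructed)", true, caUsage)
	ta := issue(taTmpl, taTmpl, &taKey.PublicKey, taKey) // self-signed trust anchor
	ca := issue(template(2, "CA (constructed)", true, caUsage), ta, &caKey.PublicKey, taKey)
	ee := issue(template(3, "ROUTER-AS64496 (constructed)", false, x509.KeyUsageDigitalSignature), ca, &routerKey.PublicKey, caKey)
	return &hierarchy{ta: ta, ca: ca, ee: ee, routerKey: routerKey}
}

// routerSign is the bgpsec-algs step on the router: ECDSA P-256 over SHA-256 of the signed data.
func routerSign(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// validateUpdate is the RP side. Stage 1 verifies the protocol signature with the key in the router
// certificate (bgpsec-algs); stage 2 verifies that certificate and each CA certificate above it
// (rpki-algs) until a TA is reached. It returns the algorithms the RP had to run, in order.
func validateUpdate(h *hierarchy, payload, sig []byte) ([]string, error) {
	pub, ok := h.ee.PublicKey.(*ecdsa.PublicKey)
	if !ok { // an RP that implements only the rpki-algs (RSA) verifier stops here
		return nil, errors.New("router certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("BGPSEC protocol signature does not verify")
	}
	used := []string{"protocol signature: " + h.ee.PublicKeyAlgorithm.String()}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.ta)
	inters.AddCert(h.ca)
	chains, err := h.ee.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	// chains[0] runs EE, CA, TA; the TA's own self-signature is trusted, not verified.
	for _, c := range chains[0][:len(chains[0])-1] {
		used = append(used, c.Subject.CommonName+" cert: "+c.SignatureAlgorithm.String())
	}
	return used, nil
}

func main() {
	h := buildHierarchy()
	payload := []byte("constructed placeholder for the BGPSEC signed data, not the real encoding")
	sig := must(routerSign(h.routerKey, payload))
	used, err := validateUpdate(h, payload, sig)
	fmt.Println("algorithms run by the RP:", used, "error:", err)
}
```

Running it prints one ECDSA verification for the protocol signature followed by RSA verifications for the router certificate and the CA certificate, which is the pair of suites the NOTE says a BGPSEC RP must carry. A tampered payload fails at stage 1, before any certificate is examined, and an RP with only the rpki-algs verifier never gets past the key-type check.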