I think this is useful. It shows how tools that operations people are familiar with can be used to improve the trust in the feed.
Nice work Job!

-G

On Wed, Feb 3, 2021 at 12:25 PM Job Snijders <[email protected]> wrote:
>
> Dear Randy, working group,
>
> It appears to me you really wanted to ask 'how the heck did you do it???'
>
> *** warning: operating a CA is real work, do NOT follow the below ***
>
> I declared my signing operation 'proprietary' because I can't recommend
> it as a 'recipe'. I prefer to promote man pages over howtos; especially
> when signing operators need to walk the path towards production
> environment.
>
> My objective in sharing a real-world example @ 2001:67c:208c::/48 is to
> facilitate the 'draft-ietf-opsawg-finding-geofeeds' effort. I imagine
> publishing a publicly verifiable real-world example helps validator
> implementers. Validators of course should assume extreme hostile input.
>
> My show case was generated without any assistance or communication with
> the authors of the draft. In doing so, hopefully proving (or disproving)
> the draft is readable and understandable, so that implementers can
> produce similar results.
>
> As you asked how exactly the 'kroket' is made....
>
> On Tue, Feb 02, 2021 at 02:33:54PM -0800, Randy Bush wrote:
> > > The signature was produced through proprietary means, but for the
> > > purpose of validating the signature & interoperability testing that
> > > shouldn't matter... right?
> >
> > unless you are a security person and lived through trojans such as
> > dual-ec. extension of kerckhoffs's principle.
>
> I used modern versions of libressl and openssl to generate the EE cert
> and the signature.
>
> $ openssl cms -sign \
>     -econtent_type 1.2.840.113549.1.9.16.1.47 \
>     -nosmimecap \
>     -md sha256 \
>     -signer ee.cert \
>     -inkey ee.key \
>     -in geofeed.csv \
>     -outform DER \
>     -out signature.der
>
> The EE cert was created with a CSR and a lengthy .cnf file. The
> '1.2.840.113549.1.9.16.1.47' string can be replaced with a text string
> after OpenSSL merges in https://github.com/openssl/openssl/pull/14050
>
> The 'free, functional, secure, and mostly compatible public-API'
> LibreSSL project appears comfortable adding the OID based on just the
> IANA registry.
>
> Kind regards,
>
> Job
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
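As an added example (not from the mail, the draft or either SSL project), this shell script runs the quoted signing command against a constructed geofeed CSV and then does what a validator must do with the result: verify the detached CMS signature and reject a modified CSV. The throwaway self-signed EE certificate, the CSV contents and the function names are assumptions of the example; the signing command itself is the one from the mail.

```shell
#!/bin/sh
# Added example, not from the mail: sign a geofeed CSV with the quoted command,
# then verify it as a validator would. A throwaway self-signed EE cert stands in
# for the RPKI-issued one (assumption); CSV content and names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed geofeed CSV; the prefix is documentation space, not a real feed.
printf '2001:db8:1234::/48,NL,NL-NH,Amsterdam,\n' > geofeed.csv
# Throwaway self-signed EE certificate standing in for a real RPKI EE cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=geofeed-ee-example' -keyout ee.key -out ee.cert 2>/dev/null

# Signer side: the command from the mail, a detached CMS signature over the
# CSV carrying the content-type OID 1.2.840.113549.1.9.16.1.47.
sign_geofeed() {
  openssl cms -sign \
    -econtent_type 1.2.840.113549.1.9.16.1.47 \
    -nosmimecap \
    -md sha256 \
    -signer ee.cert \
    -inkey ee.key \
    -in "$1" \
    -outform DER \
    -out "$2"
}

# Validator side: verify the detached DER signature over the supplied CSV,
# trusting only the constructed cert. A real validator also needs the RPKI
# chain and a resource check on the EE cert; exit status 0 means verified.
verify_geofeed() {
  openssl cms -verify -inform DER -in "$2" -content "$1" \
    -CAfile ee.cert -out /dev/null 2>/dev/null
}

# Returns 0 only if the genuine CSV verifies AND a copy with one extra line is
# rejected: a validator that cannot tell those apart gives no assurance.
roundtrip_and_tamper_check() {
  sign_geofeed geofeed.csv signature.der
  verify_geofeed geofeed.csv signature.der || return 1
  cp geofeed.csv modified.csv
  printf '2001:db8:1234::/48,US,,,\n' >> modified.csv
  if verify_geofeed modified.csv signature.der; then return 1; fi
}

roundtrip_and_tamper_check
echo "geofeed.csv signature verified; modified copy rejected"
```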
