Mahesh Jethanandani <[email protected]> wrote:
> Thanks first of all for providing your feedback. Can you confirm if the
> -08 version of the draft addresses your comments?
Mostly.
I still find that there is text in section 6, re-explaining CMS.
I was told that this would be removed, but -08 still has it.
... reiterating:
In particular, it's difficult from reading the description to know if there
are significant changes to CMS being detailed, or if it's just a retelling.
{And I've used CMS lots}
The EUF concerns with CMS should be clearly articulated.
(Mention this in point 5 of that section)
I understand the desire to have files with sane (CRLF) line endings.
I don't understand why this goes into the authentication process as an
explicit canonicalization step.
Sign whatever is in the file; it's not email subject to mutations.
In email, we have to worry about 7bit<->8bit translations, and some systems
removing trailing white space, ... but this isn't the case.
I don't understand what attack/risk is being dealt with by having a
(local/subordinate) CA sign a new EE, and then throw that away after using it
once. I can't say that I understand RFC6487's reasons for having these
one-time-use EE, either.
Are people worried that the private key will get lost or disclosed?
Why not the same worry about the local CA's key?
The signatures for RPKI ROAs and for prefix lengths (and for geofeed) are not
updated that often. If geofeed and prefix lengths are adopting this
one-time-use EE because RPKI does it, and common tooling is good, then I'm
fine with that.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
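Added example, not part of the thread above and not code from the draft or any project: a small Go program that shows the two mechanics the message questions, the CRLF canonicalization step and the one-time-use EE certificate issued by a long-lived local CA. Plain ECDSA P-256 over a SHA-256 digest stands in for CMS SignedData; the canonicalization rule (every CR, LF or CRLF becomes CRLF and the last line is terminated) is an assumption for illustration rather than the draft's text; the geofeed lines, certificate names, serial scheme and function names are constructed for the demo. Verification chains the EE to the CA and checks the signature over the canonicalized bytes, so a feed re-saved with LF endings still verifies while any change to the content fails.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample geofeed lines (RFC 8805 CSV shape), saved once with LF and once with CRLF.
var (
	feedLF   = []byte("192.0.2.0/24,US,US-CA,Mountain View,\n2001:db8::/32,CA,CA-ON,Ottawa,\n")
	feedCRLF = []byte("192.0.2.0/24,US,US-CA,Mountain View,\r\n2001:db8::/32,CA,CA-ON,Ottawa,\r\n")
)

// canonicalize rewrites every CR, LF or CRLF as CRLF and terminates the last
// line. This is an assumed rule for illustration, not the draft's wording.
func canonicalize(in []byte) []byte {
	b := bytes.ReplaceAll(in, []byte("\r\n"), []byte("\n"))
	b = bytes.ReplaceAll(b, []byte("\r"), []byte("\n"))
	if len(b) > 0 && !bytes.HasSuffix(b, []byte("\n")) {
		b = append(b, '\n')
	}
	return bytes.ReplaceAll(b, []byte("\n"), []byte("\r\n"))
}

func digest(b []byte) [32]byte { return sha256.Sum256(b) }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newLocalCA creates the long-lived local (subordinate) CA; its key outlives every EE it issues.
func newLocalCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "example local CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// signedFeed is what a relying party receives: the EE certificate (DER) and an ECDSA/SHA-256 signature.
type signedFeed struct{ EEDER, Sig []byte }

// signOnce issues a fresh EE under the local CA, signs with it once and lets
// the EE private key go out of scope (the RFC 6487 one-time-use pattern).
func signOnce(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, content []byte) *signedFeed {
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "one-time EE"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &eeKey.PublicKey, caKey)
	check(err)
	h := digest(canonicalize(content))
	sig, err := ecdsa.SignASN1(rand.Reader, eeKey, h[:])
	check(err)
	return &signedFeed{EEDER: der, Sig: sig} // eeKey is not retained anywhere
}

// verify chains the EE to the trusted CA, then checks the signature over the canonicalized content.
func verify(root *x509.Certificate, content []byte, s *signedFeed) error {
	ee, err := x509.ParseCertificate(s.EEDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ee.Verify(opts); err != nil {
		return err
	}
	return ee.CheckSignature(x509.ECDSAWithSHA256, canonicalize(content), s.Sig)
}

func main() {
	caKey, caCert := newLocalCA()
	s := signOnce(caKey, caCert, feedLF)
	fmt.Println("raw digests equal:", digest(feedLF) == digest(feedCRLF))
	fmt.Println("LF-signed, CRLF-verified:", verify(caCert, feedCRLF, s))
	fmt.Println("tampered feed:", verify(caCert, []byte("198.51.100.0/24,US,,,\n"), s))
}
```

Run with go run. Note what the layout buys and what it costs: because eeKey is a local in signOnce, the EE private key no longer exists once the function returns, which is the property one-time-use EEs are after, while the CA key persists and is the one that would need protecting; and because the signature covers canonicalize(content) rather than the bytes on disk, a verifier that skips or differs on the canonicalization step will reject a perfectly good file.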
