WG Chair hat off:
On 07/10/2008, at 10:42 AM, Randy Bush wrote:
it is not necessary. it is not operationally useful. it adds
complexity to a security application.
is there a network operator here who really needs it?
and we have already heard from the major open source full system
implementor, who does not plan to add it.
As I understand the substance of this post, the comment has been
raised (again) that this is an unlikely situation and there is no need
to make the specification more complex for unlikely cases.
In response I would argue (again) that the specification should be
complete and provide appropriate guidance to implementors for all
situations where interoperability is required, and this case, although
not common, has been visible in the routing table already and will
likely be visible in the routing table in future. Given that this does
not define a new signature standard for CMS, nor a major change in the
logic of ROA processing I do not see that this adds any undue
complexity to implementations and has the benefit of covering the full
range of anticipated use cases for ROAs in their application to
signing route origination.
But I've said all this already, so nothing new from me either yet.
In a (possibly futile) effort to break out of this cycle of mindless
repetition, here's a further contribution looking at what text would
change in the ROA specification draft-ietf-sidr-roa-format to allow
this proposed resolution to the issue:
section 2.1.4
...the end entity certificate(s) needed to validate this ROA.
section 3
step 1 d. ... contains one or more EE certificates, where each EE
certificate's Subject Key Identifier (SKi) matches the sid field of
one instance of the SignerInfo object.
section 3
step 2 ... in each EE certificate ...
section 3
step 3 ... and that the union of the IP address prefix(es) in the
EE certificate(s) extension(s) encompass the IP address prefix(es) in
the ROA.
section 3
step 4 ... that each EE certificate is...
section 3
Remove the sentences starting with "Note that ..." and "Indeed,
since ..."
section 4
... are encompassed by those in the address space extension(s)
in the EE certificate(s) used to sign the ROA.
Geoff
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
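As an added illustration of the multi-EE-certificate checks proposed in the message above (this is editor-supplied example code, not text from draft-ietf-sidr-roa-format and not code posted by anyone in the thread), the following Python models steps 1d and 3 of the validation procedure over simplified stand-ins for the CMS and X.509 structures. The EECert, SignerInfo and ROA classes, the sample SKIs and the sample prefixes are all constructed for the example; a real relying party would take these values from the DER-encoded SignedData and certificates. Signature verification (step 2) and certification path validation (step 4) are not modelled. The merge_adjacent switch exposes one point the proposed wording leaves open: whether "union" means a set of addresses, so that two certificates each holding half of a /24 together cover a ROA for the whole /24, or whether each ROA prefix must fit inside one listed block.

```python
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network
from typing import Tuple


# Simplified stand-ins for the real CMS/X.509 structures (assumption for the example).
@dataclass(frozen=True)
class EECert:
    ski: bytes        # Subject Key Identifier extension value
    ip_blocks: Tuple  # prefixes from the RFC 3779 IP address extension


@dataclass(frozen=True)
class SignerInfo:
    sid: bytes        # CMS signerIdentifier in subjectKeyIdentifier form


@dataclass(frozen=True)
class ROA:
    prefixes: Tuple      # prefixes asserted in the ROA payload
    signer_infos: Tuple  # one SignerInfo per signature on the SignedData
    ee_certs: Tuple      # EE certificate(s) carried in the SignedData


def resource_union(blocks, merge_adjacent=True):
    """Union of the certificates' address blocks, per address family.
    With merge_adjacent=True adjacent blocks (possibly from different
    certificates) collapse into their supernet, i.e. the union is a set of
    addresses; with False the blocks are used exactly as listed."""
    out = []
    for version in (4, 6):
        fam = [b for b in blocks if b.version == version]
        out.extend(collapse_addresses(fam) if merge_adjacent else fam)
    return out


def encompassed(prefix, blocks, merge_adjacent=True):
    """True if prefix lies inside one block of the (collapsed) union."""
    return any(prefix.version == b.version and prefix.subnet_of(b)
               for b in resource_union(blocks, merge_adjacent))


def check_roa(roa, merge_adjacent=True):
    """Return the validation errors from the two checks the proposed text
    touches: step 1d (SKI/sid matching) and step 3 (resource coverage).
    An empty list means only that these two checks passed; signature and
    path validation are out of scope here."""
    errors = []
    if not roa.ee_certs:
        errors.append("step 1d: SignedData carries no EE certificate")
    sids = {s.sid for s in roa.signer_infos}
    skis = {c.ski for c in roa.ee_certs}
    # Proposed step 1d: every EE certificate's SKI matches the sid of a SignerInfo.
    for cert in roa.ee_certs:
        if cert.ski not in sids:
            errors.append(f"step 1d: EE certificate SKI {cert.ski.hex()} matches no SignerInfo sid")
    # Reverse direction, an addition beyond the quoted text: a SignerInfo with
    # no matching certificate could not have its signature verified in step 2.
    for si in roa.signer_infos:
        if si.sid not in skis:
            errors.append(f"step 1d: SignerInfo sid {si.sid.hex()} matches no EE certificate")
    # Proposed step 3: the union of all EE certificates' blocks must encompass
    # every prefix in the ROA.
    blocks = [b for c in roa.ee_certs for b in c.ip_blocks]
    for p in roa.prefixes:
        if not encompassed(p, blocks, merge_adjacent):
            errors.append(f"step 3: ROA prefix {p} not encompassed by EE certificate resources")
    return errors


# Constructed sample data (not real RPKI objects): two EE certificates, each
# holding half of 192.0.2.0/24, and a ROA that asserts the whole /24 plus a
# /48 held by the second certificate only.
CERT_A = EECert(ski=bytes.fromhex("a1"), ip_blocks=(ip_network("192.0.2.0/25"),))
CERT_B = EECert(ski=bytes.fromhex("b2"),
                ip_blocks=(ip_network("192.0.2.128/25"), ip_network("2001:db8::/32")))
TWO_SIGNER_ROA = ROA(
    prefixes=(ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")),
    signer_infos=(SignerInfo(CERT_A.ski), SignerInfo(CERT_B.ski)),
    ee_certs=(CERT_A, CERT_B),
)
# Same ROA, but the second SignerInfo carries a sid matching neither certificate.
BAD_SID_ROA = ROA(TWO_SIGNER_ROA.prefixes,
                  (SignerInfo(CERT_A.ski), SignerInfo(bytes.fromhex("ff"))),
                  TWO_SIGNER_ROA.ee_certs)

if __name__ == "__main__":
    for name, roa in (("two-signer", TWO_SIGNER_ROA), ("bad-sid", BAD_SID_ROA)):
        print(name, "merge:", check_roa(roa) or "valid")
        print(name, "no merge:", check_roa(roa, merge_adjacent=False) or "valid")
```

Run as a script, the two-signer ROA validates only under the set-union reading: with merge_adjacent=False the /24 is rejected because neither certificate alone lists it, which is exactly the kind of case an implementor needs the specification to settle rather than guess at. The bad-sid ROA fails step 1d in both directions regardless of the merge setting.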