#9: TA nits
--------------------------------+-------------------------------------------
 Reporter:  g...@…               |       Owner:     
     Type:  defect              |      Status:  new
 Priority:  medium              |   Milestone:     
Component:  ta                  |     Version:     
 Severity:  Active WG Document  |    Keywords:     
--------------------------------+-------------------------------------------
 Reported by Roque Gagliano

 2.1.  A Compound Trust Anchor Structure

          The ETA issues a CRL and one EE certificate.

 (Roque) I believe it needs to be explained that more than one ETA EE cert
 may be issued during the lifetime of the ETA CA; however, at any particular
 moment there is only one valid EE cert.

 4.2.  RPKI Trust Anchor Object Validation

   2.  Use the public key in the EE certificate to verify the
           signature on the RTA Trust Anchor Object.

 (Roque) s/EE certificate/ETA EE certificate


       *  Each time an RTA certificate is re-issued, or prior to the
          expiration of the ETA EE certificate, the ETA generates a
          Cryptographic Message Syntax (CMS) [RFC3852] signed-data
          object, the payload of which is an RTA certificate.

 (Roque) If the ETA EE cert validity period is identical to the RTA
 validity period as stated in a previous bullet, the second condition
 ("prior to the expiration of the ETA EE certificate") would be the same as
 in the following section:
 "If a trust anchor chooses to reissue its RTA certificate before the
 expiration of that certificate."


 5.  Relying Party use of Trust Anchor Material

       *  The ETA's CRL and CMS objects are retrieved from the
          publication point referenced by the SIA in the ETA certificate.

 (Roque) s/CMS objects/CMS object

   Relying Parties SHOULD perform this retrieval and validation
    operation at intervals no less frequent than the nextUpdate time of
    the published ETA CRL, and SHOULD perform the retrieval operation
    prior to the expiration of the ETA EE certificate, or upon revocation
    of the ETA EE certificate.

 (Roque) If the retrieval operation is for both the CRL and the CMS, I do
 not understand the last sentence, because the RP is not aware of the
 revocation until it has retrieved the CRL, and at that time it already
 has the new CMS. So, I would:
         s/, or upon revocation of the ETA EE certificate//

-- 
Ticket URL: <http://trac.tools.ietf.org/wg/sidr/trac/ticket/9>
sidr <http://tools.ietf.org/sidr/>

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
