Re: [sidr] Subject naming in the RPKI

David A. Cooper Wed, 21 Jul 2010 06:29:05 -0700

Steve,

draft-ietf-sidr-res-certs-18 only calls for two CRL extensions: authorityKeyIdentifier and cRLNumber. But even if it did call for inclusion of an issuingDistributionPoint extension, what is the compelling reason to mandate that the RPKI be designed in a manner that is not X.509-compliant? Why take that risk when the problem could so easily be avoided?

Dave

On 07/20/2010 09:14 PM, Stephen Kent wrote:

Re: [sidr] Subject naming in the RPKI
I also note that the profile calls for inclusion of a URI in the CRLDP and in the IDP of the CRL. Since these URIs are globally unique publication points, no "accidental" name collisions in CAs will cause confusion re picking the right CRL to use. To avoid secruity problems in the face of a malicious CA name reuse, the only safe solution appears to be mandating a check that the key used to verify the cert is the same key used to verify the CRL.

Steve

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr

Re: [sidr] Subject naming in the RPKI

Reply via email to