At 2:41 PM +0200 7/22/10, Roque Gagliano wrote:
> Hi Stephen,
>
>> The security requirement for CRLs in the RPKI is that the key used
>> to verify the CRL has to be the same as the key used to verify
>> certs issued by the CA in question. Adding the CRLDP URI to the CRL
>> would minimize the likelihood of a non-malicious name collision,
>> but it is not a secure basis for deciding whether an RP is using
>> the "right" CRL.
>
> In order to verify this point, do you agree to adding the AKI check
> to the certificate validation section to certify that the cert and
> the CRL were signed by the same key?
> I believe it is the most reasonable suggestion on the table.
>
> Roque.

Roque,

As David has noted, the normal (5280) validation process does not
call for such checks. Also, one would really have two checks here;
one to verify that the AKI is a hash of the public key, and one to
match the AKI/SKI in the certs.

It might just be better to expand on the text in 4.9.6 to remind RPs
that the CA is the CRL issuer and thus the same public key MUST be
used to verify a cert and the CRL being checked for that cert.

Steve
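
The checks discussed in this thread, as an added example that is not part of the original messages or of any RPKI implementation: it reports the two AKI/SKI identifier checks separately from the requirement that one CA public key verifies both the cert and the CRL. It assumes the Python `cryptography` package; the names, P-256 keys (chosen for brevity) and all certificates and CRLs are constructed sample data.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = dt.datetime(2024, 1, 1)
NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-ca")])
AKI, SKI = x509.AuthorityKeyIdentifier, x509.SubjectKeyIdentifier

def make_cert(subject_key, signer_key):
    # Constructed sample cert: SKI/AKI are SHA-1 hashes of the respective public keys.
    pub = subject_key.public_key()
    return (x509.CertificateBuilder().subject_name(NAME).issuer_name(NAME)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(SKI.from_public_key(pub), critical=False)
            .add_extension(AKI.from_issuer_public_key(signer_key.public_key()), critical=False)
            .sign(signer_key, hashes.SHA256()))

def make_crl(signer_key, aki_key):
    # Constructed sample CRL: the AKI value is chosen independently of the signing key.
    return (x509.CertificateRevocationListBuilder().issuer_name(NAME)
            .last_update(NOW).next_update(NOW + dt.timedelta(days=1))
            .add_extension(AKI.from_issuer_public_key(aki_key.public_key()), critical=False)
            .sign(signer_key, hashes.SHA256()))

def verifies(pub, obj, tbs):
    # True only if `pub` verifies the signature over the to-be-signed bytes.
    try:
        pub.verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def check(ca_cert, cert, crl):
    # Report the identifier checks and the signature check separately.
    ca_pub = ca_cert.public_key()
    ski = ca_cert.extensions.get_extension_for_class(SKI).value.digest
    aki = lambda o: o.extensions.get_extension_for_class(AKI).value.key_identifier
    return {
        "ski_is_key_hash": ski == SKI.from_public_key(ca_pub).digest,
        "aki_matches_ski": aki(cert) == ski and aki(crl) == ski,
        "same_key_verifies_both": verifies(ca_pub, cert, cert.tbs_certificate_bytes)
                                  and verifies(ca_pub, crl, crl.tbs_certlist_bytes),
    }

ca_key, ee_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
CA_CERT, EE_CERT = make_cert(ca_key, ca_key), make_cert(ee_key, ca_key)
# ODD_CRL carries the CA's issuer name and AKI but is signed by a different key.
GOOD_CRL, ODD_CRL = make_crl(ca_key, ca_key), make_crl(other_key, ca_key)
```

For `ODD_CRL` both identifier checks pass and only the signature check fails, which is why the identifiers serve as a lookup aid while the shared public key is the actual requirement.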