Sandy,

My only reservation with this document before I support progressing it is the following from section 4.2:

 When a key rollover occurs, the EE certificate for the RPKI signed
 object MUST be re-issued, under the key of the NEW CA.  A CA MAY
 choose to treat this EE certificate the same way that it deals with
 CA certificates, i.e., to copy over all fields and extensions, and
 MAY change only the notBefore date and the serial number.  If the CA
 adopts this approach, then the new EE certificate is inserted into
 the CMS wrapper, but the signed context remains the same.  (If the
 signing time or binary signing time values in the CMS wrapper are
 non-null, they MAY be updated to reflect the current time.)

I think a note/warning/pointer is needed to reiterate what's in Section 2.1.6.4.3/4 of [ID.ietf-sidr-signed-object] because normally changing the value of a signed attribute would invalidate the signature on that object. [ID.ietf-sidr-signed-object] says:

The presence or absence of the SigningTime/BinarySigningTime attribute MUST NOT affect the validity of the signed object.

So maybe adding something like:

As noted in Section 2.1.6.4.3 and 2.1.6.4.4 of [ID.ietf-sidr-signed-object], the presence or absence of the SigningTime and/or the BinarySigningTime attribute MUST NOT affect the validity of the signed object.

would help us CMS weenies ;)

spt
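A worked model of the re-issue and validation steps discussed above, added here as an example (not code from the draft or from anyone in this thread). The EE key is a toy-sized textbook-RSA key and JSON stands in for DER; both are constructed for illustration only, and the CA names, serials and dates are made up.

```python
import hashlib, json

# Constructed toy EE key: real RPKI EE keys are 2048-bit RSA with PKCS#1 padding.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # EE private exponent
OLD_CA, NEW_CA = "CA-old", "CA-new"         # hypothetical CA names

def encode_attrs(attrs):
    # Canonical encoding of the signedAttrs set (stands in for DER).
    return json.dumps(attrs, sort_keys=True).encode()

def rsa_sign(data, d, n):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)

def rsa_verify(data, sig, n, e):
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h

def make_signed_object(content, ee_cert, signing_time=None):
    attrs = {"contentType": "id-ct-routeOriginAuthz",
             "messageDigest": hashlib.sha256(content).hexdigest()}
    if signing_time is not None:
        attrs["signingTime"] = signing_time   # optional, but a *signed* attribute
    return {"content": content, "certificate": ee_cert, "signedAttrs": attrs,
            "signature": rsa_sign(encode_attrs(attrs), D, N)}

def rollover_reissue(obj, new_serial, not_before, new_signing_time=None):
    """Section 4.2 step: re-issue the EE cert under the new CA, changing only
    issuer, notBefore and serial; the signed content stays the same. Updating
    signingTime changes a signed attribute, so the SignerInfo signature is
    recomputed with the EE key rather than carried over."""
    cert = dict(obj["certificate"], issuer=NEW_CA, notBefore=not_before, serial=new_serial)
    attrs = dict(obj["signedAttrs"])
    if new_signing_time is not None:
        attrs["signingTime"] = new_signing_time
    return {"content": obj["content"], "certificate": cert, "signedAttrs": attrs,
            "signature": rsa_sign(encode_attrs(attrs), D, N)}

def validate(obj, trusted_ca):
    """Checks messageDigest, the signature (public key taken from the EE cert)
    and the issuer. Presence or absence of signingTime is not a validity test."""
    attrs, cert = obj["signedAttrs"], obj["certificate"]
    if attrs.get("messageDigest") != hashlib.sha256(obj["content"]).hexdigest():
        return False
    if not rsa_verify(encode_attrs(attrs), obj["signature"], cert["n"], cert["e"]):
        return False
    return cert["issuer"] == trusted_ca

EE_CERT = {"issuer": OLD_CA, "serial": 1, "notBefore": "2010-11-01", "n": N, "e": E}
ROA = make_signed_object(b"AS64496 192.0.2.0/24", EE_CERT)   # constructed, no signingTime
```

Re-signing after the EE cert swap is what keeps the object valid under the new CA even when the signing-time attribute is refreshed; copying the old signature over an altered signedAttrs set fails verification.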

On 11/17/10 11:56 PM, Sandra Murphy wrote:

Geoff Huston has requested a WG LC for draft "CA Key Rollover in the RPKI".

The document and the draft version history are available at
http://tools.ietf.org/wg/sidr/draft-ietf-sidr-keyroll.

The Last Call will end Wed, 1 Dec 2010 (AOE).

As usual, please address all comments to the WG mailing list, and
please be clear in your comments to this last call if you are
supporting the document's submission to the IESG or if you are
opposed. If you are opposed, please indicate why.

--Sandy, speaking with wg chair derby on

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
