this works for me

Geoff

On 01/12/2010, at 11:16 PM, Sean Turner wrote:

> Sandy,
>
> My only reservation with this document before I support progressing it is the
> following from section 4.2:
>
>    When a key rollover occurs, the EE certificate for the RPKI signed
>    object MUST be re-issued, under the key of the NEW CA. A CA MAY
>    choose to treat this EE certificate the same way that it deals with
>    CA certificates, i.e., to copy over all fields and extensions, and
>    MAY change only the notBefore date and the serial number. If the CA
>    adopts this approach, then the new EE certificate is inserted into
>    the CMS wrapper, but the signed context remains the same. (If the
>    signing time or binary signing time values in the CMS wrapper are
>    non-null, they MAY be updated to reflect the current time.)
>
> I think a note/warning/pointer is needed to reiterate what's in Section
> 2.1.6.4.3/4 of [ID.ietf-sidr-signed-object] because normally changing the
> value of a signed attribute would invalidate the signature on that object.
> [ID.ietf-sidr-signed-object] says:
>
>    The presence or absence of the SigningTime/BinarySigningTime attribute MUST
>    NOT affect the validity of the signed object.
>
> So maybe adding something like:
>
>    As noted in Section 2.1.6.4.3 and 2.1.6.4.4 of [ID.ietf-sidr-signed-object],
>    the presence or absence of the SigningTime and/or the BinarySigningTime
>    attribute MUST NOT affect the validity of the signed object.
>
> would help us CMS weenies ;)
>
> spt
>
> On 11/17/10 11:56 PM, Sandra Murphy wrote:
>>
>> Geoff Huston has requested a WG LC for draft "CA Key Rollover in the RPKI".
>>
>> The document and the draft version history are available at
>> http://tools.ietf.org/wg/sidr/draft-ietf-sidr-keyroll.
>>
>> The Last Call will end Wed, 1 Dec 2010 (AOE).
>>
>> As usual, please address all comments to the WG mailing list, and
>> please be clear in your comments to this last call if you are
>> supporting the document's submission to the IESG or if you are
>> opposed. If you are opposed, please indicate why.
>>
>> --Sandy, speaking with wg chair derby on
>>
>> _______________________________________________
>> sidr mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/sidr

--
Geoff Huston
Chief Scientist, APNIC
+61 7 3858 3100
[email protected]
