At 12:08 PM -0700 7/8/11, Brian Weis wrote:
Hi Roque,
This draft seems very complete. I have just a few questions and comments:
1. Section 2. "A failure to comply with this process during an
algorithm transition MUST be considered as non-compliance with ...
I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply
with this process would result in non-compliance. It would be
helpful to be more specific here.
Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs).
However, this doc says that the alg specs doc will be updated to
reflect the new alg suite, and to include the timeline for the alg
transition. Once that happens, a failure to comply with the alg
transition procedure described here will imply noncompliance with the
CP.
2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues
certificates to entities not under its administrative control." I
believe this effectively means "CAs that have children", and if
that's the intended meaning perhaps that's a better statement. The
present definition could apply to a CA cross-certifying another CA
and other non-child certificate signing. Even if those situations
don't expect to be possible within the RPKI, it would be helpful to
clarify the definition. Also, it's not clear to me that a child CA
is "under its administrative control" in the sense that the child CA
(e.g., ISP) might not be administered by the parent (e.g., RIR).
There is no cross-certification (in the common, but incorrect, use of
the term) in the RPKI, because of the constraints imposed by the 3779
extensions. Still, I agree that the definition could be improved. How
about:
Non-leaf CA: A CA that issues certs to other CAs in a non-leaf CA. In
contrast, a leaf CA is a CA that issues only EE certs.
...
5. Section 4.5. "During this phase all signed product sets MUST be
available using both Algorithm Suite A and Algorithm Suite B." It
isn't clear to me what "During this phase" means in Phase 2. Does it
mean "By the end of this phase"? Or does it mean "Before the start
of Phase 3", which is not the same moment in time according to the
figures in Section 4.2. I'm inclined to think it means "Before the
start of Phase 3", because by Phase 3 "all product sets are
available". Although again, Section 4.6 uses the phrase "During this
phrase" so that also isn't clear and I would recommend being more
precise here too.
Yes, it would be more accurate to say "at the start of Phase 2, all
signed products ..."
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr