On Mon, 11 Jul 2011, Stephen Kent wrote:
At 12:08 PM -0700 7/8/11, Brian Weis wrote:
Hi Roque,
This draft seems very complete. I have just a few questions and comments:
1. Section 2. "A failure to comply with this process during an algorithm
transition MUST be considered as non-compliance with ...
I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with
this process would be result in non-compliance. It would be hopeful to more
specific here.
Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs). However, this
doc say that the alg specs doc will be updated to reflect the new alg suite,
and to include the timeline for the alg transition. Once that happens, a
failure to comply with the alg transition procedure described here will imply
noncompliance with the CP.
S---T---R---E---T---C---H???
If the non-compliance with this draft was to fail to update the algs
document, then the failure to comply with the procedure would not imply
non-compliance with the CP.
--Sandy, speaking as wg chair
2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues
certificates to entities not under its administrative control." I believe
this effectively means "CAs that have children", and if that's the
intended meaning perhaps that's a better statement. The present definition
could apply to a CA cross-certifying another CA and other non-child
certificate signing. Even if those situations don't expect to be possible
within the RPKI, it would be helpful to clarify the definition. Also, it's
not clear to me that a child CA is "under its administrative control" in
the sense that the child CA (e.g., ISP) might not be administered by the
parent (e.g., RIR).
There is no cross-certification (in the common, but incorrect, use of the
term) in the RPKI, because of the constraints imposed by the 3779 extensions.
Still, I agree that the definition could be improved. How about:
Non-leaf CA: A CA that issues certs to other CAs in a non-leaf CA. In
contrast, a leaf CA is a CA that issues only EE certs.
...
5. Section 4.5. "During this phase all signed product sets MUST be
available using both Algorithm Suite A and Algorithm Suite B." It isn't
clear to me what "During this phase" means in Phase 2. Does it mean "By the
end of this phase"? Or does it mean "Before the start of Phase 3", which is
not the same moment in time according to the figures in Section 4.2. I'm
inclined to think it means "Before the start of Phase 3", because by Phase
3 "all product sets are available". Although again, Section 4.6 uses the
phrase "During this phrase" so that also isn't clear and I would recommend
being more precise here too.
Yes, it would be more accurate to say "at the start of Phase 2, all signed
products ..."
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
