At 10:20 AM -0400 3/14/12, nalini iyer wrote:
> Sorry for asking this but despite looking at likely sources off the
> documents list on the SIDR page am still in the dark, and would like
> to confirm suspicions.
> The SKI in the signature attribute is a hash of the signing router's
> public key,

yes, and it is computed as described in RFC 5280, 4.2.1.2.

> a) Is this hashed with the CA's pvt key?
no. a one-way hash function (in contrast to a hash-based MAC function
such as HMAC) does not make use of a key. And, hash-based MACs use
symmetric keys, not private keys of a public key pair.
> b) How is the corresponding CA certificate (to de-hash the SKI) obtained?

de-hash? the SKI for the router's cert is verified using the router's cert,
not using the cert of the CA that issued the router's cert. anyway,
the CA cert under which the router's cert was issued would be
obtained from the RPKI repository, as it is the CA cert associated
with the ISP operating the router.

> c) From where is the router EE cert identified by the SKI then
> obtained, or is getting the router's cert considered unnecessary as
> the router public key is contained in the de-hashed SKI?
> thank you,
as above, router certs are obtained from the RPKI repository system.
Steve
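An added illustration of the point above (example code written for this page, not from the thread or any RPKI implementation): the SKI is SHA-1 over the subjectPublicKey bits per RFC 5280 4.2.1.2 method 1, no key of any kind enters the computation, and a relying party checks it against the router's own cert. The DER helpers, the sample modulus and the function names are all constructed for the example.

```python
import hashlib

# --- minimal DER helpers (written for this example, not a library API) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:          # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_spki(n: int, e: int) -> bytes:
    """Build a SubjectPublicKeyInfo for an RSA key (rsaEncryption OID, NULL params)."""
    rsa_public_key = der(0x30, der_int(n) + der_int(e))
    alg_id = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits

def ski_rfc5280_method1(spki: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method 1: SHA-1 of the subjectPublicKey BIT STRING value,
    excluding the tag, length and number-of-unused-bits octets. No key is used:
    anyone holding the public key recomputes exactly the same 20 bytes."""
    _, spki_body, _ = read_tlv(spki)
    _, _, after_alg = read_tlv(spki_body)             # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(spki_body, after_alg)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    return hashlib.sha1(bits[1:]).digest()

def ski_matches_cert(spki: bytes, ski_from_cert: bytes) -> bool:
    """Relying-party check: the SKI in the router cert vs. the cert's own public key."""
    return ski_rfc5280_method1(spki) == ski_from_cert

# Constructed toy-sized modulus for the demo (not a real router key).
SAMPLE_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
SAMPLE_E = 65537
SAMPLE_SPKI = rsa_spki(SAMPLE_N, SAMPLE_E)
```

In practice the SPKI and SKI extension would both be read out of the router EE cert fetched from the RPKI repository; the comparison is the same.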
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr