Sorry, did not reply to the list.

--Sandy

________________________________________
From: Murphy, Sandra
Sent: Wednesday, March 14, 2012 10:40 AM
To: nalini iyer
Subject: RE: [sidr] question on SKI and router public key retrieval in 
signature attribute in BGPSEC

Speaking as regular ol' member.

If I understand your questions correctly:

(a) This is just a hash, not a signature or MAC - no key required
(b) There is no de-hashing of the SKI - it is just a way to index into your 
pile of certs to find the right one.
(c) Again, no de-hashing of the key - the SKI is a way to identify the right 
certificate.

See page 18 of the protocol spec:

   o  (Step I): Locate the public key needed to verify the signature (in
      the current Signature-Segment).  To do this, consult the valid
      RPKI end-entity certificate data and look for an SKI that matches
      the value in the Subject Key Identifier 1 field of the Signature-
      Segment.

And section 4.8.2 page 9 of rfc6487 (the old res-certs draft)

   The Key Identifier used for resource certificates is the 160-bit
   SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the
   Subject Public Key, as described in Section 4.2.1.2 of [RFC5280].

No key involved.  Just a cryptographic hash.  No crypto operations, just an 
indexing/matching into a store of data.

--Sandy, speaking as regular ol' member


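An added example (not code from this thread or from any RPKI/BGPsec implementation) that does exactly what the rfc6487 text quoted above says: SHA-1 over the DER subjectPublicKey bit string, then a plain lookup into a store of certificates keyed by SKI. The P-256 point bytes and the store contents are constructed placeholders, not real keys or certificates.

```python
import hashlib

# Constructed sample: an uncompressed P-256 point (0x04 || X || Y).
# The coordinates are placeholders, not a real key; only the byte layout matters.
SAMPLE_RAW_KEY = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))


def der_tlv(data, offset=0):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def build_ec_spki(raw_point):
    """Constructed helper: wrap a raw EC point in a P-256 SubjectPublicKeyInfo (DER)."""
    alg = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")  # ecPublicKey, prime256v1
    bitstr = b"\x03" + bytes([len(raw_point) + 1]) + b"\x00" + raw_point  # 0 unused bits
    body = alg + bitstr
    return b"\x30" + bytes([len(body)]) + body


def ski_from_raw_key(raw_key):
    """RFC 5280 4.2.1.2 method 1: the SKI is SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(raw_key).digest()  # 20 bytes, no key involved


def ski_from_spki(spki):
    """Extract subjectPublicKey from a DER SubjectPublicKeyInfo and hash it.
    The BIT STRING tag, length and unused-bits octet are excluded from the hash."""
    tag, seq, _ = der_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = der_tlv(seq)          # skip AlgorithmIdentifier
    tag, bitstr, _ = der_tlv(seq, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return ski_from_raw_key(bitstr[1:])


def find_router_cert(cert_store, ski):
    """Index into the validated-certificate store by SKI: matching only, no crypto."""
    return cert_store.get(ski)


if __name__ == "__main__":
    spki = build_ec_spki(SAMPLE_RAW_KEY)
    ski = ski_from_spki(spki)
    store = {ski: "router EE cert (constructed placeholder)"}  # keyed by SKI
    print(ski.hex(), "->", find_router_cert(store, ski))
```

Verification of the Signature-Segment would then use the public key from the certificate found this way; the SKI itself is never "de-hashed".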
________________________________________
From: [email protected] [[email protected]] on behalf of nalini iyer 
[[email protected]]
Sent: Wednesday, March 14, 2012 10:20 AM
To: [email protected]
Subject: [sidr] question on SKI and router public key retrieval in signature 
attribute in BGPSEC

Sorry for asking this, but despite looking at likely sources off the
documents list on the SIDR page I am still in the dark, and would like
to confirm suspicions.

The SKI in the signature attribute is a hash of the signing router's public key,

a) Is this hashed with the CA's pvt key?
b) How is the corresponding CA certificate (to de-hash the SKI) obtained?
c) From where is the router EE cert identified by the SKI then
obtained, or is getting the router's cert considered unnecessary as
the router public key is contained in the de-hashed SKI?
Thank you,
N.I.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr