Andy,

A couple of comments:

1) I'm hoping to constrain the type and number of qualifiers that can be
included.

5280 defines two types: cps (for certificate practice statements) and
unotice (to display info to relying parties when the certificate is
used). I'm hoping you just want the cps choice, which is just a URI.

And, if it's just the CPS then there's only one CPS under which a
certificate is issued - right? How about:

OLD:

   This document updates [RFC6487], Section 4.8.9, to explicitly allow
   optional PolicyQualifierInfo objects in the PolicyInformation
   specified by [RFC6487].

NEW:

   This document updates [RFC6487], Section 4.8.9, as follows:

   OLD:

      This extension MUST be present and MUST be marked critical. It
      MUST include exactly one policy, as specified in the RPKI CP
      [RFC6484].

   NEW:

      This extension MUST be present and MUST be marked critical. It
      MUST include exactly one policy, as specified in the RPKI CP
      [RFC6484]. Exactly one policy qualifier MAY be included. If a
      policy qualifier is included, the policyQualifierId MUST be the
      CPS pointer qualifier type (id-qt-cps).

I think it's clear the value is the cPSuri choice, do you think anybody
else would pick userNotice?

3) Two process points:

3.1) Need an IANA considerations section:

   IANA Considerations

   None.

3.2) Need a security considerations section. It would also be good to
say why it's not a security issue to add the URI, but you'll need to
confirm my assumption that relying parties aren't actually going to
chase the URI. Alternatively, text could be added to s7.1.1 of RFC 6487
to say "don't process the URI", but I think putting it in the security
considerations is probably less painful. Suggested text:

   Security Considerations

   The Security Considerations of [RFC6487] apply to this document.

   This document updates the RPKI certificate profile to specify that the
   certificate policies extension can include a policy qualifier, which is
   a URI. Checking of the URI might allow denial-of-service (DoS) attacks,
   where the target host may be subjected to bogus work resolving the URI.
   However, this specification, like [RFC5280], places no processing
   requirements on the URI included in the qualifier.

4) I hope you'll ask the WG to adopt this draft ;)
spt
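
The proposed Section 4.8.9 text quoted above, expressed as a check over the DER contents of a certificatePolicies extension (an added example, not part of the original message or of any RPKI validator). The function names and sample encodings are constructed for illustration, the RPKI CP OID is the one assigned in RFC 6484, and the URI is only type-checked, never dereferenced, in line with the suggested Security Considerations text.

```python
# Added example, not code from the thread; names and sample DER are constructed.
ID_CP_RPKI = bytes.fromhex("2b06010505070e02")     # 1.3.6.1.5.5.7.14.2, RPKI CP (RFC 6484)
ID_QT_CPS = bytes.fromhex("2b06010505070201")      # 1.3.6.1.5.5.7.2.1, id-qt-cps
ID_QT_UNOTICE = bytes.fromhex("2b06010505070202")  # 1.3.6.1.5.5.7.2.2, id-qt-unotice

def children(buf):  # split DER bytes into (tag, value) pairs; ValueError on bad lengths
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER")
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        n = first & 0x7F if first & 0x80 else 0    # long form: n length bytes follow
        length = int.from_bytes(buf[pos:pos + n], "big") if n else first
        pos += n
        if first == 0x80 or pos + length > len(buf):
            raise ValueError("bad or truncated DER length")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def check_policies(extn_value, critical):  # returns violations; [] means it conforms
    if not critical:
        return ["extension not marked critical"]
    top = children(extn_value)
    policies = children(top[0][1]) if len(top) == 1 and top[0][0] == 0x30 else []
    if len(policies) != 1 or policies[0][0] != 0x30:
        return ["must include exactly one policy"]
    fields = children(policies[0][1])
    if not fields or fields[0] != (0x06, ID_CP_RPKI):
        return ["policy is not the RPKI CP"]
    if len(fields) == 1:
        return []                                  # the qualifier is optional
    if len(fields) != 2 or fields[1][0] != 0x30:
        return ["malformed policyQualifiers"]
    quals = [children(q) for _, q in children(fields[1][1])]
    if len(quals) != 1:
        return ["must carry exactly one policy qualifier"]
    if len(quals[0]) != 2 or quals[0][0] != (0x06, ID_QT_CPS):
        return ["policyQualifierId is not id-qt-cps"]
    if quals[0][1][0] != 0x16:                     # cPSuri is an IA5String
        return ["qualifier is not a cPSuri"]
    return []                                      # the URI is type-checked only, never fetched

def der(tag, *parts):  # short-form encoder, enough for the constructed samples below
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def sample(*quals):    # constructed extnValue: the RPKI policy plus the given qualifiers
    return der(0x30, der(0x30, der(0x06, ID_CP_RPKI), *([der(0x30, *quals)] if quals else [])))

CPS = der(0x30, der(0x06, ID_QT_CPS), der(0x16, b"https://rpki.example/cps"))
NOTICE = der(0x30, der(0x06, ID_QT_UNOTICE), der(0x30, der(0x0C, b"text")))
```

`check_policies(sample(CPS), True)` returns an empty list, while `sample(NOTICE)` and `sample(CPS, CPS)` each return one violation.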