Sean, Thanks for the quick review. Replies inline...
On 12/5/12 4:30 PM, "Sean Turner" <[email protected]> wrote: >Andy, > >A couple of comments: > >1) I'm hoping to constrain the type and number of qualifiers that can be >included. > >5280 defines two types: cps (for certificate practice statements) and >unotice (to display info to relying parties when the certificate is >used). I'm hoping you just want the cps choice, which is just a URI. >And, if it's just the CPS then there's only one CPS under which a >certificate is issued - right? How about: > >OLD: > > This document updates [RFC6487], Section 4.8.9, to explicitly allow > optional PolicyQualifierInfo objects in the PolicyInformation > specified by [RFC6487]. > >NEW: > > This document updates [RFC6487], Section 4.8.9, as follows: > > OLD: > > This extension MUST be present and MUST be marked critical. It > MUST include exactly one policy, as specified in the RPKI CP > [RFC6484]. > > NEW: > > This extension MUST be present and MUST be marked critical. It > MUST include exactly one policy, as specified in the RPKI CP > [RFC6484]. Exactly one policy qualifier MAY be included. If a > policy qualifier is included, the policyQualifierId MUST be the > CPS pointer qualifier type (id-qt-cps). > >I think it's clear the value is the cPSuri choice, do you think anybody >else would pick userNotice? It is possible that somebody somewhere might find them useful. But I'm not gonna fall on my sword over the inclusion of user notices. A CPS pointer is what we need. I'll incorporate your text. Thanks. > >3) Two process points: > >3.1) Need an IANA considerations section: > >IANA Considerations > >None. Noted. > >3.2) Need a security considerations section. It would also be good to >say why it's not a security issue to add the URI, but you'll need to >confirm my assumption that relying parties aren't actually going to >chase the URI. Alternatively, text could be added to s7.1.1 of RFC 6487 >to say "don't process the URI", but I think putting it in the security >considerations is probably less painful. Suggested text: > >Security Considerations > >The Security Considerations of [RFC6487] apply to this document. > >This document updates the RPKI certificate profile to specify that the >certificate policies extension can include a policy qualifier, which is >a URI. Checking of the URI might allow denial-of-service (DoS) attacks, >where the target host may be subjected to bogus work resolving the URI. > However, this specification, like [RFC5280], places no processing >requirements on the URI included in the qualifier. This is a very good point. And I think addressing it in security considerations, as you have suggested, is the appropriate thing to do. > >4) I hope you'll ask the WG to adopt this draft ;) Yes, I was planning to do so after a re-spin of this document. Thanks for your review and text. -andy _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
