It was pointed out in passing (hallway/table conversation) that in:
draft-ietf-sidr-bgpsec-algs-05 (at least 05)
there's this text in section 2:
"NOTE: The exception to the above hashing algorithm is the use of
SHA-1 [SHS] when CAs generate authority and subject key
identifiers [ID.bgpsec-pki-profiles]."
The reference to bgpsec-pki-profiles, is PROBABLY really:
draft-sidr-bgpsec-pki-profiles
<http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-protocol>
There doesn't seem to be a reference to sha1 here for making an SKI.
It looks like you'd have to inherit and inherit from 3779 -> 5280 and
text in section 4.2.1.2:
" For CA certificates, subject key identifiers SHOULD be derived from
the public key or a method that generates unique values. Two common
methods for generating key identifiers from the public key are:
(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).
Cooper, et al. Standards Track [Page 28]
RFC 5280 PKIX Certificate and CRL Profile May 2008
(2) The keyIdentifier is composed of a four-bit type field with
the value 0100 followed by the least significant 60 bits of
the SHA-1 hash of the value of the BIT STRING
subjectPublicKey (excluding the tag, length, and number of
unused bits).
"
Is this the intention? that spelunking in rfcs is required to figure
out that sha1 would be used? or could/should the reference be more
clear?
-chris
(care of mystery caller #7)
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
