On 8 Jul 2014, at 8:37 am, Matthew Lepinski <[email protected]> wrote:
> Yes, let me try re-sending my original message -- this time with
> correct RFC numbers:
>
> I believe the question is what types of keys can appear as the subject
> public key in an RPKI certificate.
>
> -- RFC 6487 says "See 6485" (and thus 6485bis when it is published)
> to find out what is allowed as a subject public key
>
> -- draft-ietf-sidr-bgpsec-pki-profiles updates RFC 6487 and says "For
> Router Certs (end-entity certificates used by BGPSEC) see
> draft-ietf-sidr-bgpsec-algs"
but...
the header of draft-ietf-sidr-bgpsec-algs-08 says:
"Updates: 6485 (if approved) "
so I'm still confused about the two 6485 update drafts.
>
> Ideally, this shouldn't be a problem. RFC 6487 governs subject public
> keys for all certificates in the RPKI except BGPSEC router
> certificates and draft-sidr-bgpsec-algs covers that case.
errr - do you mean 6487 or 6485?
>
> That being said, we currently have two working group documents that
> update existing documents and I am not sure that the text of those
> documents (taken together) is sufficiently clear on what can and
> cannot appear as a subject public key in an RPKI certificate.
I can agree wholeheartedly on this observation of a lack of clarity here!
Geoff
>
> In particular, 6485bis seems to say "only RSA with SHA256" and I think
> what sidr-bgpsec-pki-profiles wants to say (but I don't know if it is
> sufficiently clear) is that 6485bis applies to all RPKI certificates
> except end-entity router certificates and that those certificates should
> look at bgpsec-algs to figure out what an acceptable subject public
> key is.
>
> On Mon, Jul 7, 2014 at 6:29 PM, Geoff Huston <[email protected]> wrote:
>> yes confusion all round
>>
>>
>>> -- RFC 6485 says "See 6487" (and thus 6487bis when it is published)
>>> to find out what is allowed as a subject public key
>>
>>
>> RFC 6487 says "See RFC6485" (and thus 6485bis when it is published) to find
>> out what is allowed as a subject public key
>>
>> i.e. I think I understand what you are saying here, but you seem to have
>> 6485 and 6487 swapped - right?
>>
>>
>> g
>>
>> On 8 Jul 2014, at 7:04 am, Matthew Lepinski <[email protected]> wrote:
>>
>>> Yes, there seems to be an issue here:
>>>
>>> I believe the question is what types of keys can appear as the subject
>>> public key in an RPKI certificate.
>>>
>>> -- RFC 6485 says "See 6487" (and thus 6487bis when it is published)
>>> to find out what is allowed as a subject public key
>>>
>>> -- draft-ietf-sidr-bgpsec-pki-profiles updates RFC 6485 and says "For
>>> Router Certs (end-entity certificates used by BGPSEC) see
>>> draft-ietf-sidr-bgpsec-algs"
>>>
>>> Ideally, this shouldn't be a problem. RFC 6487 governs subject public
>>> keys for all certificates in the RPKI except BGPSEC router
>>> certificates and draft-sidr-bgpsec-algs covers that case.
>>>
>>> That being said, we currently have two working group documents that
>>> update RFC 6485 and I am not sure that it is sufficiently clear in the
>>> text of those documents how the two updates interact.
>>>
>>> On Mon, Jul 7, 2014 at 4:28 PM, Geoff Huston <[email protected]> wrote:
>>>> Hi Sean,
>>>>
>>>> What's the relationship between this draft and draft-ietf-sidr-rfc6485bis?
>>>>
>>>> g
>>>>
>>>>
>>>> On 3 Jul 2014, at 1:36 am, Sean Turner <[email protected]> wrote:
>>>>
>>>>> A minor update to move some references that were in the wrong place as
>>>>> well as to correctly identify where the OID goes that indicates the
>>>>> algorithm used in the CRMF (thanks Sandy for pointing these out). Oh and
>>>>> I updated the dates.
>>>>>
>>>>> spt
>>>>>
>>>>> On Jul 02, 2014, at 11:34, [email protected] wrote:
>>>>>
>>>>>>
>>>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>>>> directories.
>>>>>> This draft is a work item of the Secure Inter-Domain Routing Working
>>>>>> Group of the IETF.
>>>>>>
>>>>>> Title : BGP Algorithms, Key Formats, & Signature Formats
>>>>>> Author : Sean Turner
>>>>>> Filename : draft-ietf-sidr-bgpsec-algs-07.txt
>>>>>> Pages : 7
>>>>>> Date : 2014-07-02
>>>>>>
>>>>>> Abstract:
>>>>>> This document specifies the algorithms, algorithms' parameters,
>>>>>> asymmetric key formats, asymmetric key size and signature format used
>>>>>> in BGPSEC (Border Gateway Protocol Security). This document updates
>>>>>> the Profile for Algorithms and Key Sizes for use in the Resource
>>>>>> Public Key Infrastructure (RFC 6485).
>>>>>>
>>>>>>
>>>>>> The IETF datatracker status page for this draft is:
>>>>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-algs/
>>>>>>
>>>>>> There's also a htmlized version available at:
>>>>>> http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-algs-07
>>>>>>
>>>>>> A diff from the previous version is available at:
>>>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-algs-07
>>>>>>
>>>>>>
>>>>>> Please note that it may take a couple of minutes from the time of
>>>>>> submission
>>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>>>
>>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>>>
>>>>>> _______________________________________________
>>>>>> sidr mailing list
>>>>>> [email protected]
>>>>>> https://www.ietf.org/mailman/listinfo/sidr