Hi all,

At IETF92 I mentioned (see slides at [1]) the two changes that are new to draft-rhansen-sidr-rfc6487bis-00 [2]. I want to bring them up again here for two purposes: to see if there is WG consensus around the changes, and to get a feel for whether the WG is interested in adopting the draft.

[1] https://www.ietf.org/proceedings/92/slides/slides-92-sidr-0.pdf
[2] https://tools.ietf.org/html/draft-rhansen-sidr-rfc6487bis-00

Both of these changes were originally submitted as errata, but deemed substantive and thus requiring an update or bis RFC. I chose to do a bis. Note that the draft also includes the three approved errata and the update from RFC 7318, so those changes will show up in the diff.

There are some unrelated nits that people have suggested to me off-list; I'll submit a new version of the draft with these later. I also think it is worth discussing SHA-256 key identifiers a bit more, but I'd like to postpone that discussion until a conclusion has been reached on these two changes.

======================================================================
Change #1: Make it clear that no other cert extensions are allowed

Sections 1 and 8 say that no other certificate extensions are allowed. Section 4.8, however, implies that other extensions are allowed. Change the last sentence of the intro paragraph for Section 4.8 from:

    A certificate-using system MUST reject the certificate if it
    encounters a critical extension it does not recognize; however, a
    non-critical extension MAY be ignored if it is not recognized
    [RFC5280].

to:

    A certificate-using system MUST reject the certificate if it
    encounters an extension not explicitly mentioned in this document.
    This is in contrast to [RFC5280] which allows non-critical
    extensions to be ignored.

See:
  http://www.rfc-editor.org/errata_search.php?eid=3168
  http://thread.gmane.org/gmane.ietf.sidr/4168
  http://thread.gmane.org/gmane.ietf.sidr/5837

======================================================================
Change #2: Specify CRL AKI format

RFC6487 says that the CRL must include the AKI, but it doesn't say which optional fields to include and how to format the keyIdentifier field (if included). Change the start of the 6th paragraph of section 5 from:

    An RPKI CA MUST include the two extensions, Authority Key Identifier
    and CRL Number, in every CRL that it issues.

to:

    An RPKI CA MUST include the two extensions, Authority Key Identifier
    and CRL Number, in every CRL that it issues. The Authority Key
    Identifier extension MUST follow the same restrictions as in
    Section 4.8.3 above.

See:
  http://www.rfc-editor.org/errata_search.php?eid=3174
  http://thread.gmane.org/gmane.ietf.sidr/4314

Thanks,
Richard

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
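Added example, not part of Richard's message or of the draft: a small Python checker that applies both proposed rules to a DER-encoded Extensions SEQUENCE, as found in a certificate's tbsCertificate or a CRL's crlExtensions. Change #1 becomes "any extension OID outside the set that RFC 6487 section 4.8 mentions is an error, critical or not"; Change #2 becomes "the AKI carries only a 20-byte keyIdentifier, with authorityCertIssuer and authorityCertSerialNumber absent", the section 4.8.3 restrictions that the CRL text would now reference. The allowed-OID table is my reading of RFC 6487 sections 4.8.1 through 4.8.11, the DER helpers are a minimal hand-written subset (not a general ASN.1 library), and the two sample extension sets are constructed here and are not real RPKI objects.

```python
"""Check an X.509 Extensions SEQUENCE against the RPKI profile rules discussed above."""
import hashlib

# Extension OIDs that RFC 6487 section 4.8 explicitly mentions (assumed list, 4.8.1 to 4.8.11).
ALLOWED_EXTENSIONS = {
    "2.5.29.19": "basicConstraints",
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.37": "extendedKeyUsage",
    "2.5.29.31": "cRLDistributionPoints",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
    "1.3.6.1.5.5.7.1.11": "subjectInfoAccess",
    "2.5.29.32": "certificatePolicies",
    "1.3.6.1.5.5.7.1.7": "ipAddrBlocks",
    "1.3.6.1.5.5.7.1.8": "autonomousSysIds",
}
OID_AKI = "2.5.29.35"

# --- minimal DER helpers: enough for Extensions, not a general ASN.1 codec ---
def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # base-128, high bit set on all but the last byte
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def iter_sequence(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def parse_extensions(ext_seq):
    """Yield (oid, critical, extnValue bytes) for each Extension in the SEQUENCE."""
    _, body, _ = read_tlv(ext_seq, 0)
    for _, ext in iter_sequence(body):
        fields = list(iter_sequence(ext))
        critical = len(fields) == 3 and fields[1][1] == b"\xff"  # BOOLEAN DEFAULT FALSE
        yield decode_oid(fields[0][1]), critical, fields[-1][1]

def check_aki(value):
    """RFC 6487 4.8.3: keyIdentifier [0] present (160-bit SHA-1), [1] and [2] absent."""
    _, body, _ = read_tlv(value, 0)
    fields = dict(iter_sequence(body))  # context tag -> body
    if set(fields) != {0x80}:
        return "AKI must contain only keyIdentifier"
    if len(fields[0x80]) != 20:
        return "AKI keyIdentifier must be a 160-bit SHA-1 hash"
    return None

def rpki_extension_errors(ext_seq):
    """Return profile violations; an empty list means the extension set is acceptable."""
    errors = []
    for oid, critical, value in parse_extensions(ext_seq):
        if oid not in ALLOWED_EXTENSIONS:
            # Change #1: reject regardless of criticality, unlike plain RFC 5280 processing.
            errors.append(f"unexpected extension {oid} (critical={critical})")
        elif oid == OID_AKI:
            problem = check_aki(value)
            if problem:
                errors.append(problem)
    return errors

# --- constructed sample inputs (not real RPKI objects) ---
def make_ext(oid, value, critical=False):
    crit = der_tlv(0x01, b"\xff") if critical else b""
    return der_tlv(0x30, encode_oid(oid) + crit + der_tlv(0x04, value))

SAMPLE_KEY_ID = hashlib.sha1(b"constructed public key bits").digest()
GOOD_AKI = der_tlv(0x30, der_tlv(0x80, SAMPLE_KEY_ID))
BAD_AKI = der_tlv(0x30, der_tlv(0x80, SAMPLE_KEY_ID) + der_tlv(0x82, b"\x01"))  # adds [2] serial

GOOD_EXTENSIONS = der_tlv(0x30, make_ext(OID_AKI, GOOD_AKI)
                          + make_ext("2.5.29.14", der_tlv(0x04, SAMPLE_KEY_ID)))
# subjectAltName (2.5.29.17) is non-critical and valid under RFC 5280, but not mentioned in RFC 6487
BAD_EXTENSIONS = der_tlv(0x30, make_ext(OID_AKI, BAD_AKI) + make_ext("2.5.29.17", b"\x30\x00"))

if __name__ == "__main__":
    print("good:", rpki_extension_errors(GOOD_EXTENSIONS))
    print("bad:", rpki_extension_errors(BAD_EXTENSIONS))
```

The checker only answers the two questions raised in the message: is every extension one the profile names, and is the AKI shaped as section 4.8.3 requires. It does not enforce the per-extension content rules elsewhere in section 4.8 (for example which certificate types may carry extendedKeyUsage), nor does it verify that the keyIdentifier actually matches the issuer's public key; a relying-party implementation would layer those checks on top.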
