Hi,
There's some text in draft-ietf-sidr-bgpsec-pki-profiles-10 sections
3.1 and 3.1.3 that I found confusing. For reference,
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-10#section-3.1:
    This profile is also based on [RFC6487] and
    only the differences between this profile and the profile in
    [RFC6487] are listed.
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-10#section-3.1.3:
    The following X.509 V3 extensions MUST be present (or MUST be absent,
    if so stated) in a conforming BGPSEC Router Certificate, except where
    explicitly noted otherwise. No other extensions are allowed in a
    conforming BGPSEC Router Certificate.
I checked with the authors, and the intent was that "the following"
refers to all extensions in RFC6487 and the updates to extensions in
draft-ietf-sidr-bgpsec-pki-profiles-10. However, I initially read the
text in 3.1.3 as forbidding all extensions not mentioned in
draft-ietf-sidr-bgpsec-pki-profiles-10, including some useful ones like
the SKI.
I think it might be clearer to simply remove the entire first paragraph
of section 3.1.3. RFC 6487 section 4.8 contains similar[0] text, and
section 3.1 of the draft makes it clear that RFC 6487 section 4.8
applies.
[0] But not the same. That issue should probably be handled by
draft-rhansen-sidr-rfc6487bis though.
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr