Sandy,
Perhaps you are reading too much into the use of "conforming to"?
Perhaps saying "aligning with" would make it more clear to you? I do
not know what current CMS implementations would do if they were
presented with an RFC6485 compliant RPKI signed object. They may indeed
report the signed object is "non-conformant with the CMS standards".
So I can not say that "rejected as non-conformant with the CMS
standards" is incorrect. Error message aside, it is clear that any
RFC6485 compliant RPKI signed object (if we could find one) would be
rejected by existing implementations. There might be ways to improve
that "rejected as non-conformant" phrase of the text, but I don't
think it is necessarily wrong.

You and I disagree here ;-). Conforming, in my mind, implies that we
use the same syntax, validity checks, same alg requirements, etc. What
we need to say is that we profile the CMS spec, deviating only with
respect to the MTI algorithm. Using a phrase like "aligning with" seems
needlessly ambiguous.

Thus, I think it's important to make it clear which definition of
rsaEncryption is intended.
For example, RFC3370 (for CMS) says that rsaEncryption is either a key
type identifier or a signature algorithm identifier, while RFC3279 (for
PKIX) says that it's only a key type identifier and thus not suitable
for identifying signature algorithms in a PKIX context (you must use
xxxWithRSAEncryption instead to specify the digest).

To avoid potential confusion we need to avoid ambiguity in specifying
alg identifiers.
RFC 3280 didn't resolve this particular ambiguity for PKIX, nor did
3370. However, this ambiguity was later addressed in RFC 4055 and RFC
5756. We should figure out which RSA-based signature alg we're
mandating, and then cite the relevant, recent RFC.

Steve
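
The identifier ambiguity discussed in this message, as an added example that is not part of the original email: the same DER-encoded AlgorithmIdentifier is read differently under the RFC 3370 (CMS) and RFC 3279 (PKIX) interpretations quoted above. The function names, the `context` parameter and the sample byte strings are assumptions constructed for illustration.

```python
# Well-known PKCS #1 object identifiers.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit = "more"
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def algorithm_oid(der: bytes) -> str:
    """Return the OID of a DER AlgorithmIdentifier (short-form lengths only)."""
    if len(der) < 4 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE")
    if der[2] != 0x06 or der[3] >= 0x80 or 4 + der[3] > len(der):
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(der[4:4 + der[3]])

def classify_signature_alg(der: bytes, context: str) -> str:
    """context 'cms' applies the RFC 3370 reading, 'pkix' the RFC 3279 reading."""
    oid = algorithm_oid(der)
    if oid == SHA256_WITH_RSA:
        return "signature algorithm (digest named)"
    if oid == RSA_ENCRYPTION:
        if context == "cms":
            # Digest must then come from elsewhere in the signed structure.
            return "signature algorithm (digest not named)"
        return "key type only: reject as signature algorithm"
    return "unknown"

# Constructed samples: SEQUENCE { OID, NULL }
RSA_ENC_DER = bytes.fromhex("300d06092a864886f70d0101010500")
SHA256_RSA_DER = bytes.fromhex("300d06092a864886f70d01010b0500")

if __name__ == "__main__":
    for name, der in (("rsaEncryption", RSA_ENC_DER),
                      ("sha256WithRSAEncryption", SHA256_RSA_DER)):
        for ctx in ("cms", "pkix"):
            print(f"{name:24} {ctx:5} {classify_signature_alg(der, ctx)}")
```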