On Jul 6, 2015, at 10:44 AM, Stephen Kent <[email protected]> wrote:

> Sandy,
>
>> Perhaps you are reading too much into the use of "conforming to"? Perhaps
>> saying "aligning with" would make it more clear to you? I do not know what
>> current CMS implementations would do if they were presented with a RFC6485
>> compliant RPKI signed object. They may indeed report the signed object is
>> "non-conformant with the CMS standards". So I can not say that "rejected as
>> non-conformant with the CMS standards" is incorrect. Error message aside, it
>> is clear that any RFC6485 compliant RPKI signed object (if we could find
>> one) would be rejected by existing implementations. There might be ways to
>> improve that "rejected as non-conformant" phrase of the text, but I don't
>> think it is necessarily wrong.
> you and I disagree here ;-). Conforming, in my mind, implies that we use the
> same syntax, validity checks, same alg requirements, etc. What we need to
> say is that we profile the CMS spec, deviating only with respect to the MTI
> algorithm. Using a phrase like "aligning with" seems needlessly ambiguous.

[I'll repeat myself. This argument is about the clarity of the description of the motivation for the change. There's no specification or implementation impact.]

I am not certain I am understanding your point. So I'll review the background as I know it.

Richard's view is that the word "conforming" in "By conforming to the CMS specifications" makes it sound as if RFC6485 were not in compliance with the CMS specs.

But RFC6485 is definitely in compliance with the CMS specs. The mandatory algorithm choice in RFC6485 is not the same as the MTI choice in the CMS specs. That is allowed.

Unfortunately, that mandatory algorithm choice made RFC6485, er, uh, out-of-step with common CMS implementations. So RPKI signed objects that were compliant with RFC6485 would be rejected by the common CMS implementations - they support only the CMS MTI algorithm.

This bis changes the mandatory algorithm choice so it is the same as the CMS MTI choice.

Richard thinks "conforming" implies something not true, you think "aligning" is ambiguous - do you have a different verb to suggest?

> What we need to say is that we profile the CMS spec, deviating only with
> respect to the MTI algorithm.

This bis removes the deviation, and makes the MTI algorithms the same. So I disagree with this sentence.

--Sandy, speaking as regular ol' member

>>> Thus, I think it's important to make it clear which definition of
>>> rsaEncryption is intended.
>>>
>>> For example, RFC3370 (for CMS) says that rsaEncryption is either a key
>>> type identifier or a signature algorithm identifier, while RFC3279 (for
>>> PKIX) says that it's only a key type identifier and thus not suitable
>>> for identifying signature algorithms in a PKIX context (you must use
>>> xxxWithRSAEncryption instead to specify the digest).
> To avoid potential confusion we need to avoid ambiguity in specifying alg
> identifiers. RFC 3280 didn't resolve this particular ambiguity for PKIX,
> nor did 3370. However, this ambiguity was later addressed in RFC 4055 and
> RFC 5756. We should figure out which RSA-based signature alg we're
> mandating, and then cite the relevant, recent RFC.

The idea here is to use whatever CMS uses. Whether CMS is ambiguous in its specification of the alg identifier, or correct in using rsaEncryption as a signature algorithm identifier, we definitely want to use whatever it is that CMS is using, because we want to be using CMS implementations.

>
> Steve
>
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
