Hi,
I’m working through this example and I can’t help but observe that its
"ill-defined and, the most likely interpretation doesn't seem to work”
to borrow your words….
>
> Consider a cert path from a trust anchor TA, to CA1 to CA2 to an EE cert for
> a ROA.
>
> TA->CA 1->CA 2->ROA
>
>
> Assume the TA cert contains address space T, U, V, W, X, Y and Z.
>
> Assume the CA 1 cert contains address space T, U, V, and W.
>
> Assume the CA 2 cert contains address space V and W.
>
> Let's say that the ROA EE cert issued by CA 2 contains address space V.
>
> CA 2 is about to receive address space Z from some other ISP, so it has asked
> CA 1 to issue a new CA cert to it, in anticipation of the transfer. CA 1
> agrees,
> and issues a new cert to CA 2 and that cert contains address space V and Z.
CA1 has already issued a cert with subject “CA2” and resources (V,W) - lets
call this cert No 1
Do you mean:
a) CA 1 issues a cert with subject “CA2” and resources (V,Z) - lets call this
cert No 2
OR the combination of actions:
b) CA 1 issues a SECOND cert with subject “CA2” and resources (V,Z) - lets
call this Cert No 2
AND
CA1 revokes the cert with subject “CA2” and resources (V,W) (which we
call Cert No 1)
>
> Now, under the assumption about what "specific resource set" means, when
> an RP tries to validate CA 2's ROA,
Now I’m confused - originally the ROA was signed by an EE cert issued by CA 2’s
Cert No 1
so when you refer to CA 2’s ROA do you mean the ROA that was signed by an EE
cert issued by CA 2’s Cert No 1,
or do you mean a new ROA signed by an EE issued by CA 2’s Cert No 2?
> the "specific resource set" will be V, and
> so it will be valid, because V is in all of the certs from the TA through CA 1
> to CA 2. Even though CA 2's cert contains Z, which is not contained
> in CA 1's cert, this will not be considered in the validation of the ROA EE
> cert.
> This is the desired outcome, because CA 2 has begun the process of getting
> its
> new address space (Z), but that process has not broken its CA cert. I assume
> this
> is an example of the reduced fragility that is so appealing.
So I _think_ you are assuming that there is a new ROA, signed by an EE cert
issued by
the CA that has a CA cert issued by CA 1 with resources (V,Z), and evidently
you are referring
to this new ROA and its new EE cert.
>
> If CA 2 issued a ROA for Z, then validation of that ROA would fail, because
> the CA 1 cert does not contain Z. That's good, because the second ROA exmaple
> ought not be valid, since the transfer has not yet completed.
>
> So far, so good. But, let's look at the implications of this revised
> validation
> procedure in greater depth.
>
> What if CA 1, acting on the request from CA 2 asked the TA to add Z to CA 2's
> cert,
Huh?????
The TA has issued a cert for subject “CA 1” - Since when did Ca2 have a
relationship
with the TA?
>
> in anticipation of the transfer? Then we have a problem, because Z is under
> the
> tree from this TA and if it agreed to add Z to CA 1's cert, then a ROA for Z,
> issued by CA 2, would be valid, even though the transfer had not yet been
> effected.
I’m having trouble following this - I think you have a typo of otherwise
confused
the example at this point.
I’ll stop here because I can’t see the point of the ensuring text without some
additional
clarity and precision of the example scenario that does not invent arbitrary
relationships
between CAs.
regards,
Geoff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
