Hi,
I’m working through this example and I can’t help but observe that its
"ill-defined and, the most likely interpretation doesn't seem to work”
to borrow your words….
Consider a cert path from a trust anchor TA, to CA1 to CA2 to an EE cert for a
ROA.
TA->CA 1->CA 2->ROA
Assume the TA cert contains address space T, U, V, W, X, Y and Z.
Assume the CA 1 cert contains address space T, U, V, and W.
Assume the CA 2 cert contains address space V and W.
Let's say that the ROA EE cert issued by CA 2 contains address space V.
CA 2 is about to receive address space Z from some other ISP, so it has asked
CA 1 to issue a new CA cert to it, in anticipation of the transfer. CA 1 agrees,
and issues a new cert to CA 2 and that cert contains address space V and Z.
CA1 has already issued a cert with subject “CA2” and resources (V,W) - lets
call this cert No 1
Do you mean:
a) CA 1 issues a cert with subject “CA2” and resources (V,Z) - lets call this
cert No 2
OR the combination of actions:
b) CA 1 issues a SECOND cert with subject “CA2” and resources (V,Z) - lets
call this Cert No 2
AND
CA1 revokes the cert with subject “CA2” and resources (V,W) (which we
call Cert No 1)
Now, under the assumption about what "specific resource set" means, when
an RP tries to validate CA 2's ROA,
Now I’m confused - originally the ROA was signed by an EE cert issued by CA 2’s
Cert No 1
so when you refer to CA 2’s ROA do you mean the ROA that was signed by an EE
cert issued by CA 2’s Cert No 1,
or do you mean a new ROA signed by an EE issued by CA 2’s Cert No 2?
the "specific resource set" will be V, and
so it will be valid, because V is in all of the certs from the TA through CA 1
to CA 2. Even though CA 2's cert contains Z, which is not contained
in CA 1's cert, this will not be considered in the validation of the ROA EE
cert.
This is the desired outcome, because CA 2 has begun the process of getting its
new address space (Z), but that process has not broken its CA cert. I assume
this
is an example of the reduced fragility that is so appealing.
So I _think_ you are assuming that there is a new ROA, signed by an EE cert
issued by
the CA that has a CA cert issued by CA 1 with resources (V,Z), and evidently
you are referring
to this new ROA and its new EE cert.
If CA 2 issued a ROA for Z, then validation of that ROA would fail, because
the CA 1 cert does not contain Z. That's good, because the second ROA exmaple
ought not be valid, since the transfer has not yet completed.
So far, so good. But, let's look at the implications of this revised validation
procedure in greater depth.
What if CA 1, acting on the request from CA 2 asked the TA to add Z to CA 2's
cert,
Huh?????
The TA has issued a cert for subject “CA 1” - Since when did Ca2 have a
relationship
with the TA?
in anticipation of the transfer? Then we have a problem, because Z is under the
tree from this TA and if it agreed to add Z to CA 1's cert, then a ROA for Z,
issued by CA 2, would be valid, even though the transfer had not yet been
effected.
I’m having trouble following this - I think you have a typo of otherwise
confused
the example at this point.
I’ll stop here because I can’t see the point of the ensuring text without some
additional
clarity and precision of the example scenario that does not invent arbitrary
relationships
between CAs.
regards,
Geoff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
