The discussion of the draft-ietf-sidr-rpsl-sig draft with the IESG brought the single-use language in RFC6487 into the discussion.
The authors of the rpsl-sig pointed to the language in RFC6487 section 3: The private key associated with an EE certificate is used to sign a single RPKI signed object, i.e., the EE certificate is used to validate only one object. While this language is not normative, this language could be taken as a requirement. The working group and the IESG accepted removal of this requirement for the EE certificates used in the rpsl-sig attributes. The same applies to the router certificates defined in draft-ietf-bgpsec-pki-profiles-16. The chairs direct the authors to add the following to draft-ietf-sidr-bgpsec-pki-profiles-16. 3.4 Router Certificates and Signing Functions in the RPKI As described in Section 1, the primary function of BGPsec router certificates in the RPKI is for use in the context of certification of Autonomous System (AS) paths in the Border Gateway Protocol Security protocol (BGPsec). The private key associated with a router EE certificate may be used multiple times in generating signatures in multiple instances of the BGPsec_Path Attribute Signature Segments [ID.sidr-bgpsec-protocol] . I.e., the BGPsec router certificate is used to validate multiple signatures. BGPsec router certificates are stored in the issuing CA's repository, where a repository following RFC6481 MUST use a .cer filename extension for the certificate file. —Sandy, speaking as one of the co-chairs _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
