Dear WG, After receiving some feedback on the previous version and discussion with co-authors, this version: - Does not reject 'over-claiming' EE certificates, but uses VRS-IP/AS there as well - Includes text to update ROA validation (in short requires that all prefixes are in VRS-IP of the EE) - Includes a request to the authors of the bgpsec-rpki-profile document.
The reason why the change that I proposed to reject EE certificates has been reverted is that: - This way the validation algorithm is consistent between CA and EE certificates - Even though ROAs still require that *all* prefixes are contained in the VRS-IP, there may be other future use cases of EE certificates where a VRS-IP/AS that is smaller than the resources contained in the extensions. Stephen Kent comment on -04 of this document saying that it should not attempt to update the BGPSec Router Certificate I-D because it's not an RFC, just yet. It's currently in IESG Processing. The current document therefore has a request and some suggestion to the authors to change the document (in which case the section can be deleted in the next (hopefully final) version of this document. I don't mind either way. Maybe the chairs have an idea about what the best process is. But in either case we would like to ask the BGPSec Router Certificate authors to review the included text. Thanks, Tim > On 08 Jul 2016, at 11:19, [email protected] wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Secure Inter-Domain Routing of the IETF. > > Title : RPKI Validation Reconsidered > Authors : Geoff Huston > George Michaelson > Carlos M. Martinez > Tim Bruijnzeels > Andrew Lee Newton > Daniel Shaw > Filename : draft-ietf-sidr-rpki-validation-reconsidered-06.txt > Pages : 12 > Date : 2016-07-08 > > Abstract: > This document proposes an update to the certificate validation > procedure specified in RFC 6487 that reduces aspects of operational > fragility in the management of certificates in the RPKI, while > retaining essential security features. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/ > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-06 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-06 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > sidr mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/sidr _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
