Hi Sean,
Please see below.
On 03/01/17 18:12, Sean Turner wrote:
Yaron,
Thanks for the review.
On Jan 1, 2017, at 11:26, Yaron Sheffer <[email protected]> wrote:
Reviewer: Yaron Sheffer
Review result: Has Nits
* 3.1.1: The serial number in RFC 6487 is still a real, unique serial
number that uniquely identifies the certificate. Here it is used as
something other than a serial number, which is explicitly NOT unique,
and the CA is left to decide how to make it unique in the face of
potentially repeating BGP IDs. If this is not a real issue (e.g.
because duplicate IDs are rare and never within a RIR), please say
so.
As Rob pointed out this paragraph is talking about the serial number naming
attribute. Maybe something like:
r/only two attributes/only two naming attributes
and
r/common name and serial number/common name (i.e., X520CommonName) and serial
number (i.e., X520SerialNumber)
People ought to them be able to track down the definitions.
I'm good with these changes. However, according to Randy's response to
my review, the text later on is subtly incorrect (or at least
misleading). Router IDs are not globally unique, but the combination of
AS Number and Router ID is in fact globally unique.
* 3.2: earlier we said that Basic Constraints must not be included in
the EE cert. Now we are saying that only a particular boolean flag
must not be honored when processing the Cert Request. What happens if
Basic Constraints is included in the Cert Request but with other
flags?
The CA is ultimately the one who decides what gets issued. A good CA would know to
only issue properly formatted BGPsec certificates either by ignoring the improperly
requested “feature" or rejecting it outright. Since these CAs really aren’t
open CAs then the CA ought not get caught off-guard with requests.
I'm not sure I understand. Why not give a consistent advice to EEs and
CAs, e.g., reject any request that includes any Basic Constraints.
* 3.3: ID.sidr-rfc6485bis -> RFC 7935
drat I missed one.
* 6: in the paragraph that discusses hash functions, please spell out
the names of the two key identifiers, because I cannot determine what
they are from the document.
Ack they’re the key identifiers in the cert: Subject Key Identifier and Issuer
Key Identifier
r/two key identifier extensions./two key identifier extensions (i.e., Subject
Key Identifier and Issuer Key Identifier)
Yes.
spt
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
