> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> - section 2: I think this is a bit badly written: "The use
> of BGPsec Router Certificates in no way affects RPKI RPs
> that process Manifests and ROAs because the public key
> found in the BGPsec Router Certificate is used only to
> verify the signature on the BGPsec certificate request
> (only CAs process these) and the signature on a BGPsec
> Update Message [ID.sidr-bgpsec-protocol] (only BGPsec
> routers process these)." Do you mean that there's no way
> that an entity can confuse a Manifest, ROA, CSR or BGPsec
> update so there's no issue with which public keys are used
> to verify the signatures on those data structures?

Gahhhh … so that’s a little tortured; it’s a continuation of the whole “these certs don’t really affect the rest of the RPKI”. How about:

  BGPsec Router Certificates are used only to verify the signature on the BGPsec certificate request (only CAs process these) and the signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol] (only BGPsec routers process these); BGPsec Router Certificates are not used to process Manifests and ROAs or verify signatures on Certificates or CRLs.

> - section 3: As noted in my comments on the BGPsec
> protocol, it'd be better to call out the SKI here if you
> don't add the direct ref to 6487 to the BGPsec protocol
> draft.

Wait, I thought I wasn’t supposed to duplicate any of the crazy stuff from 6487 :)

spt

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
