Hiya,

On 05/01/17 00:34, Sean Turner wrote:
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> - section 2: I think this is a bit badly written: "The use
>> of BGPsec Router Certificates in no way affects RPKI RPs that
>> process Manifests and ROAs because the public key found in the
>> BGPsec Router Certificate is used only to verify the signature on
>> the BGPsec certificate request (only CAs process these) and the
>> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol]
>> (only BGPsec routers process these)." Do you mean that there's no
>> way that an entity can confuse a Manifest, ROA, CSR or BGPsec
>> update so there's no issue with which public keys are used to
>> verify the signatures on those data structures?
>
> Gahhhh … so that’s a little tortured; it’s a continuation of the
> whole “these certs don’t really affect the rest of the RPKI”. How
> about:
>
> BGPsec Router Certificates are used only to verify the signature on
> the BGPsec certificate request (only CAs process these) and the
> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol] (only
> BGPsec routers process these); BGPsec Router Certificates are not
> used to process Manifests and ROAs or verify signatures on
> Certificates or CRLs.

Yep, better.

>
>> - section 3: As noted in my comments on the BGPsec protocol, it'd
>> be better to call out the SKI here if you don't add the direct ref
>> to 6487 to the BGPsec protocol draft.
>
> Wait, I thought I wasn’t supposed to duplicate any of the crazy stuff
> from 6487 :)

Well, this is describing a different PDU though:-) But yeah,
better if the protocol spec points direct to 6487.

Cheers,
S.

>
> spt
>
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
