> On Jan 4, 2017, at 19:39, Stephen Farrell <[email protected]> wrote:
>
> Hiya,
>
> On 05/01/17 00:34, Sean Turner wrote:
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> - section 2: I think this is a bit badly written: "The use
>>> of BGPsec Router Certificates in no way affects RPKI RPs that
>>> process Manifests and ROAs because the public key found in the
>>> BGPsec Router Certificate is used only to verify the signature on
>>> the BGPsec certificate request (only CAs process these) and the
>>> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol]
>>> (only BGPsec routers process these)." Do you mean that there's no
>>> way that an entity can confuse a Manifest, ROA, CSR or BGPsec
>>> update so there's no issue with which public keys are used to
>>> verify the signatures on those data structures?
>>
>> Gahhhh … so that’s a little tortured; it’s a continuation of the
>> whole “these certs don’t really affect the rest of the RPKI”. How
>> about:
>>
>> BGPsec Router Certificates are used only to verify the signature on
>> the BGPsec certificate request (only CAs process these) and the
>> signature on a BGPsec Update Message [ID.sidr-bgpsec-protocol] (only
>> BGPsec routers process these); BGPsec Router Certificates are not
>> used to process Manifests and ROAs or verify signatures on
>> Certificates or CRLs.
>
> Yep, better.

Incorporated in my editor’s copy.

spt
