Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 6:07 PM -0400 5/3/11, Sam Hartman wrote:
 >>>>> "Stephen" == Stephen Kent <kent@xxxxxxx> writes:


    >>
    >> I guess the only question I'd have remaining is whether ROAs or
    >> other signed objects are intended to be used in other protocols
    >> besides simply living in the SIDR repository?

    Stephen> The RPKI repository is designed to support a specific,
    Stephen> narrow set of apps. That's what the CP says, and we try to
    Stephen> make these certs unattractive for other apps, e.g., by use
    Stephen> of the non-meaningful names.

You had mentioned that about the PKI before.  Now, though I'm focusing
on the ROAs and other signed objects, not the certificates and CRLs.  Do
these narrow applications involve simply storing these objects in the
repository, or are there plans to use ROAs or other signed objects as
elements in protocols?  At least years ago, for example, there was
discussion of carrying signatures of objects in BGP. I understand that's
not within SIDR's current charter, but is SIDR intended to support that
style of use, or have things been narrowed to a point where that would
require reworking details of the repository and PKI?

If the answer is that those sorts of uses are not in scope for the SIDR
architecture, then I think you've basically resolved my concerns.

Sam,

You might want to look again at the SIDR charter, since it has just been revised to include BGP path validation. The path validation approach being pursued makes use of the RPKI, consistent with the scope of the CP, not surprisingly.

The BGPSEC protocol being defined does not pass around ROAs or other RPKI repository objects. It defines two new, signed objects that are passed in UPDATE messages, and are not stored in the repository. These objects are verified using RPKI certs and CRLs, so there is a linkage.

Does that answer your question?

Steve
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]