Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard

Hi Randy,

On 5/11/16 12:42 PM, Randy Bush wrote:
>> I would propose adding some text to this draft (probably as a
>> sub-section in section 2) that says that the SIA defined in RFC 6487 is
>> omitted when a certificate is used to sign RPSL objects.
> 
> perhaps you might also include your reasoning for this seemingly odd
> choice.

The SIA in 6487 mandates an rsync URI that points to the object that is
signed with the certificate. I am not aware of any RPSL servers that
support referencing an RPSL object via rsync.

> 
>> I agree that the original text allowing multiple signatures supports
>> the case where the components of the primary key of the object (i.e.,
>> prefix+ASN) come from different resource holders. I will restore that
>> text.
> 
> this is gonna be really simple; no complications at all i am sure.
> 
> btw, was this a consensus of the wg?

The original draft supported multiple signature attributes. During WG
review (WGLC?, don't recall), several people suggested simplifying the
approach by only allowing one signature attribute. Given the route[6]
example, we need multiple signatures modulo the proposed text to clarify
the handling/generation of those signatures.

Regards,
Brian

