Re: [sidr] Last Call: <draft-ietf-sidr-rpsl-sig-10.txt> (Securing RPSL Objects with RPKI Signatures) to Proposed Standard

speaking as one of the wg co-chairs

On May 11, 2016, at 9:08 AM, Brian Haberman <brian@xxxxxxxxxxxxxxxxxx> wrote:

> Hi Tom,
>     Thanks for the in-depth review and your efforts in creating another
> implementation of this draft. Responses to your comments are below...
> 
> On 4/28/16 6:54 PM, Tom Harrison wrote:
>> Section 5 requires that an EE certificate be used for the signing of
>> the RPSL object.  An EE certificate must contain an SIA extension that
>> points to an RPKI signed object (RFC 6487 [4.8.8.2]).  The draft does
>> not define a profile for a new type of object, or specify an existing
>> one that may be used instead.  There are a number of ways to deal with
>> this: for example, by defining a new profile and changing the
>> signature URL to suit, or by amending RFC 6487 such that object
>> pointers in EE certificates are optional.
> 
> I would propose adding some text to this draft (probably as a
> sub-section in section 2) that says that the SIA defined in RFC 6487 is
> omitted when a certificate is used to sign RPSL objects. Given the
> single-use nature of the key-pair (section 3.2, point #1), omitting the
> SIA is straightforward.
> 

Speaking as one of the wg co-chairs:

You are suggesting much the same as draft-ietf-sidr-bgpsec-pki-profiles - defining a new EE cert profile.

This draft would have to say that it is updating RFC6485(bis).

Which means making clear what the additions/modifications/deletions are.

So that implementations know how to interpret these new certs when they find them in some repository, it must be possible to distinguish these new EE certs from other EE certs.

Etc.

And the wg would have to agree on the changes.

—Sandy, speaking as one of the wg co-chairs
