Re: [CGA-EXT] Fwd: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00

[marcelo bagnulo braun <marcelo at it.uc3m.es>]

Hi,

My take on this one.
I think we need a way to distinguish TAs across different CAs. I think 
that using the Hash of the public key is a reasonable option.

Now, what i am not sure i understand is why do we need a new option.
I mean, wouldn't be possible to define a new Name Type of the Trust 
anchor Option defined in section 6.4.3 of RFC3971, the new Name type 
being the SKI?

People that are using multiple Tas should use this Name Type to be 
certain that they identify the right TA accors multiple TAs.

Regards, marcelo


Roque Gagliano escribió:
> Dear WG,
>
> At the "cert" team we have identify a problem with RFC 3971 and the 
> trust anchor name types defined there. The RFC defines as possible 
> name types a X501 subject name or a FQDN. The problem we have is that 
> subject name may not be unique across CAs in a PKI. 
>
> As we decided to adopt SIDR WG certificate profile, the Subject Key 
> Identifier extension is mandatory now. Consequently, we can use this 
> hash of the subject public key to identify the host TAs even if we 
> need to search across several CAs.
>
> We are issuing this draft to document the problem. However, RFC 3971 
> did not set a Registry for name types in the TA ICMP option, which 
> means that the only way to implement this new name type is to modify 
> RFC 3971 that I understand was already part of the plans for this WG. 
>
> How do the group feels about taking this path?
>
> Regards,
>
> Roque, Suresh, Ana.
>
>
> Begin forwarded message:
>
> > *From: *IETF I-D Submission Tool <idsubmission at ietf.org 
> > <mailto:idsubmission at ietf.org>>
> > *Date: *October 6, 2009 12:23:13 PM GMT+01:00
> > *To: *roque at lacnic.net <mailto:roque at lacnic.net>
> > *Cc: *suresh.krishnan at ericsson.com 
> > <mailto:suresh.krishnan at ericsson.com>,ana.kukec at fer.hr 
> > <mailto:ana.kukec at fer.hr>
> > *Subject: **New Version Notification for  
> > draft-rgaglian-csi-send-ski-ta-nametype-00 *
> >
> >
> > A new version of I-D, draft-rgaglian-csi-send-ski-ta-nametype-00.txt 
> > has been successfuly submitted by Roque Gagliano and posted to the 
> > IETF repository.
> >
> > Filename: draft-rgaglian-csi-send-ski-ta-nametype
> > Revision: 00
> > Title: Subject Key Identifier (SKI) name type for SEND TA option
> > Creation_date: 2009-10-06
> > WG ID: Independent Submission
> > Number_of_pages: 10
> >
> > Abstract:
> > SEcure Neighbor Discovery (SEND) Utilizes X.509v3 certificates for
> > performing router authorization.  This document specifies a SEND name
> > type to identify trust anchor X.509v3 certificates based on its
> > Subject Key Identifier.
> >
> >
> >
> > The IETF Secretariat.
>
> -------------------------------------------------------------
> Roque Gagliano
> LACNIC
> roque at lacnic.net <mailto:roque at lacnic.net>
> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT at ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext
>