Roque Gagliano wrote:

> Marcelo,
>
> On Oct 6, 2009, at 7:32 PM, marcelo bagnulo braun wrote:
>
>> ah, perfect then! I guess I got confused by the title of the section that reads:
>>
>>   3. SEND SKI trust anchor identifier option
>>
>> But you are not defining a SEND SKI trust anchor identifier option but you are defining a SKI NAME TYPE, correct?
>
> correct.
>
>> If so, I don't think we need to update RFC 3971, we just need to publish this document as STD RFC, correct?
>
> The problem that I described in the original email was that RFC 3971 does not define a registry for name type. We issue this document just to point out that we believe that this new name type is needed. What we could do is to modify the draft to create this registry and add the SKI name type to the ones defined in RFC 3971.
>
> What does the group feel about this?

This seems a reasonable option to me. Could you update the document and include an IANA considerations section?

Regards, marcelo

> Roque.
>
>> Regards, marcelo
>>
>> Roque Gagliano wrote:
>>> Marcelo,
>>>
>>> What is being proposed is exactly that, a new Name Type of the Trust Anchor option:
>>>
>>>   Name Type TBD   SHA-1 Subject Key Identifier (SKI)
>>>
>>> to be added to the ones already defined in RFC 3971 in section 6.4.3: "The type of the name included in the Name field. This specification defines two legal values for this field: 1 DER Encoded X.501 Name, 2 FQDN"
>>>
>>> Regards, Roque
>>>
>>> On Oct 6, 2009, at 2:53 PM, marcelo bagnulo braun wrote:
>>>> Hi,
>>>>
>>>> My take on this one.
>>>>
>>>> I think we need a way to distinguish TAs across different CAs. I think that using the hash of the public key is a reasonable option.
>>>>
>>>> Now, what I am not sure I understand is why we need a new option. I mean, wouldn't it be possible to define a new Name Type of the Trust Anchor option defined in section 6.4.3 of RFC 3971, the new Name Type being the SKI?
>>>>
>>>> People that are using multiple TAs should use this Name Type to be certain that they identify the right TA across multiple TAs.
>>>>
>>>> Regards, marcelo
>>>>
>>>> Roque Gagliano wrote:
>>>>> Dear WG,
>>>>>
>>>>> At the "cert" team we have identified a problem with RFC 3971 and the trust anchor name types defined there. The RFC defines as possible name types an X.501 subject name or a FQDN. The problem we have is that the subject name may not be unique across CAs in a PKI. As we decided to adopt the SIDR WG certificate profile, the Subject Key Identifier extension is mandatory now. Consequently, we can use this hash of the subject public key to identify the host TAs even if we need to search across several CAs.
>>>>>
>>>>> We are issuing this draft to document the problem. However, RFC 3971 did not set a registry for name types in the TA ICMP option, which means that the only way to implement this new name type is to modify RFC 3971, which I understand was already part of the plans for this WG.
>>>>>
>>>>> How does the group feel about taking this path?
>>>>>
>>>>> Regards, Roque, Suresh, Ana.
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>>> Date: October 6, 2009 12:23:13 PM GMT+01:00
>>>>> To: roque at lacnic.net
>>>>> Cc: suresh.krishnan at ericsson.com, ana.kukec at fer.hr
>>>>> Subject: New Version Notification for draft-rgaglian-csi-send-ski-ta-nametype-00
>>>>>
>>>>> A new version of I-D, draft-rgaglian-csi-send-ski-ta-nametype-00.txt has been successfully submitted by Roque Gagliano and posted to the IETF repository.
>>>>>
>>>>> Filename:        draft-rgaglian-csi-send-ski-ta-nametype
>>>>> Revision:        00
>>>>> Title:           Subject Key Identifier (SKI) name type for SEND TA option
>>>>> Creation_date:   2009-10-06
>>>>> WG ID:           Independent Submission
>>>>> Number_of_pages: 10
>>>>>
>>>>> Abstract:
>>>>> SEcure Neighbor Discovery (SEND) utilizes X.509v3 certificates for performing router authorization. This document specifies a SEND name type to identify trust anchor X.509v3 certificates based on its Subject Key Identifier.
>>>>>
>>>>> The IETF Secretariat.
>>>>>
>>>>> -------------------------------------------------------------
>>>>> Roque Gagliano
>>>>> LACNIC
>>>>> roque at lacnic.net
>>>>> GPG Fingerprint: E929 06F4 D8CD 2AD8 9365 DB72 9E4F 964A 01E9 6CEE
>>>>> -------------------------------------------------------------

_______________________________________________
CGA-EXT mailing list
CGA-EXT at ietf.org
https://www.ietf.org/mailman/listinfo/cga-ext
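The mechanism the thread converges on, an RFC 3971 Trust Anchor option whose Name field carries the trust anchor certificate's Subject Key Identifier, worked through as an added example; this is not code from the thread, the draft, or any SEND implementation. It computes the SKI as RFC 5280 section 4.2.1.2 method (1) does (SHA-1 over the subjectPublicKey BIT STRING contents, excluding tag, length and the unused-bits octet), which is the "hash of the subject public key" the thread refers to, and encodes and decodes the option with the RFC 3971 layout (Type 15, Length in units of 8 octets, Name Type, Pad Length, Name, padding). The key material is constructed well-formed DER rather than a real RSA key, the DER helpers are minimal ones written for this example, and the SKI name-type value (`NAME_TYPE_SKI_TBD`) is a placeholder for the TBD value the draft leaves to IANA. The example also shows the thread's motivating point: two certificates sharing a subject name still get distinct SKIs because their keys differ.

```python
import hashlib

# --- minimal DER helpers (written for this example; not from the draft) ---

def _der_len(n: int) -> bytes:
    """Encode a DER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_rsa_spki(modulus: bytes, exponent: bytes) -> bytes:
    """Build a SubjectPublicKeyInfo DER for an RSA key (CONSTRUCTED test data,
    syntactically valid but not a usable key)."""
    rsa_oid = bytes.fromhex("2A864886F70D010101")          # 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b""))
    rsa_public_key = _der(0x30, _der(0x02, modulus) + _der(0x02, exponent))
    subject_public_key = _der(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return _der(0x30, alg_id + subject_public_key)

def subject_key_identifier(spki_der: bytes) -> bytes:
    """RFC 5280 s4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING
    contents, excluding tag, length and the unused-bits octet."""
    tag, seq, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = _read_tlv(seq, 0)            # AlgorithmIdentifier, not hashed
    tag, bitstr, _ = _read_tlv(seq, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("subjectPublicKey must be a whole-octet BIT STRING")
    return hashlib.sha1(bitstr[1:]).digest()

# --- RFC 3971 s6.4.3 Trust Anchor option ---

TA_OPTION_TYPE = 15          # option type assigned by RFC 3971
NAME_TYPE_DER_X501 = 1       # defined in RFC 3971
NAME_TYPE_FQDN = 2           # defined in RFC 3971
NAME_TYPE_SKI_TBD = 3        # PLACEHOLDER: the draft's value is TBD (IANA); not a real assignment

def encode_trust_anchor_option(name_type: int, name: bytes) -> bytes:
    """Type | Length (units of 8 octets) | Name Type | Pad Length | Name | zero padding."""
    header_len = 4
    pad_len = (-(header_len + len(name))) % 8
    total = header_len + len(name) + pad_len
    return bytes([TA_OPTION_TYPE, total // 8, name_type, pad_len]) + name + b"\x00" * pad_len

def decode_trust_anchor_option(opt: bytes):
    """Return (name_type, name), rejecting options whose Length or Pad Length
    fields do not match the bytes actually present."""
    if len(opt) < 4 or opt[0] != TA_OPTION_TYPE:
        raise ValueError("not a Trust Anchor option")
    total = opt[1] * 8
    if opt[1] == 0 or total != len(opt):
        raise ValueError("Length field does not match option size")
    name_type, pad_len = opt[2], opt[3]
    if pad_len > total - 4:
        raise ValueError("Pad Length exceeds option body")
    return name_type, opt[4:total - pad_len]

def demo():
    """Two CONSTRUCTED keys that could sit behind the same X.501 subject name:
    the SKI tells them apart where the subject name cannot."""
    exponent = b"\x01\x00\x01"
    modulus_a = bytes([0x00, 0xC3]) + bytes(range(1, 63))   # leading 0x00 keeps the INTEGER positive
    modulus_b = bytes([0x00, 0xD4]) + bytes(range(1, 63))
    ski_a = subject_key_identifier(build_rsa_spki(modulus_a, exponent))
    ski_b = subject_key_identifier(build_rsa_spki(modulus_b, exponent))
    opt = encode_trust_anchor_option(NAME_TYPE_SKI_TBD, ski_a)
    return ski_a, ski_b, opt

if __name__ == "__main__":
    ski_a, ski_b, opt = demo()
    print("SKI A:", ski_a.hex())
    print("SKI B:", ski_b.hex())
    print("TA option:", opt.hex(), "->", decode_trust_anchor_option(opt))
```

A 20-octet SKI plus the 4-octet header fills exactly three 8-octet units, so an SKI-named Trust Anchor option needs no padding; an FQDN name of other lengths does, and the decoder checks that the Length and Pad Length fields agree with the bytes received before trusting the Name.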