[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Hipsec] draft-ietf-hip-cert-02-pre00

To: miika.komu at hiit.fi
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
From: Samu Varjonen <samu.varjonen at hiit.fi>
Date: Mon, 26 Oct 2009 11:13:30 +0200
Cc: HIP <hipsec at ietf.org>
Delivered-to: hipsec at core3.amsl.com
In-reply-to: <4ADFFD73.4030205 at hiit.fi>
List-archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-help: <mailto:hipsec-request@ietf.org?subject=help>
List-id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-post: <mailto:hipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
References: <4ADC1B4D.6010608 at hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D at XCH-NW-11V.nw.nos.boeing.com> <4ADFF5ED.5090608 at hiit.fi> <4ADFFD73.4030205 at hiit.fi>
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Miika Komu wrote:

Samu Varjonen wrote:

Hi,
Mattes, David kirjoitti:
Hi Samu,
As some background, I am focused on using HIP operationally andtherefore have a pragmatic point of view of the specifications. Hereare some in-line opinions for your questions below.
Also, what is the purpose of requiring the HIT as part of the X.509information? In practice (at least until HIP is a de-facto standard;-), I think it will be quite difficult to convince Certificateissuers to include new or different information. I think you shouldremove that recommendation from the draft.
We do not want to enforce all certificates to have HITs encoded assubjects and/or issuers. It is there if you need to encode HITs. Iwill rephrase the text to clearly state this.
does the HIT have problems with the planned algo agility mechanismdescribed in here:
http://www.ietf.org/mail-archive/web/hipsec/current/msg02661.html

As I have understood the HIT will remain in the present presentationformat and the hash algo is read from DNS or with I1-R1 exchange fromthe responders HOST-ID. In which, the KEY RR would just have a newalgorithm number. This affects the public-key and signature sequences inthe certificates but they are defined in their own respective documents(or need to be defined). HIP-cert only describes the parameter, how tocarry the certificates in side HIP control messages, and how to encodeand use HITs in certificates as entities like issuer and/or subject.

At least, now I do not see any problems, but if something comes upplease let me know.


BR,
Samu

References:
- [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Varjonen Samu
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Mattes, David
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Samu Varjonen
- Re: [Hipsec] draft-ietf-hip-cert-02-pre00
  - From: Miika Komu

Prev by Date: [Hipsec] I-D ACTION:draft-ietf-hip-nat-traversal-09.txt
Next by Date: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
Previous by thread: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
Next by thread: [Hipsec] I-D ACTION:draft-ietf-hip-nat-traversal-09.txt
Index(es):
- Date
- Thread