Re: [sidr] I-D Action:draft-ietf-sidr-ta-00.txt

To: sidr at ietf.org
Subject: Re: [sidr] I-D Action:draft-ietf-sidr-ta-00.txt
From: Terry Manderson <terry at terrym.net>
Date: Tue, 3 Mar 2009 15:23:34 +1000
Delivered-to: sidr at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=pv9kFXWnNo2Gxz33Xdcxk3nCjP0xa/tT9BvEcIdUjYk=; b=gNQdbIqF6BiLPq6OJG6s9oB0WtQQvAIOAXpdNE2Ag0cEP2snIQ6SGXcrI4fjcSCN/G vcaDtQzky4LFL9md2oGLxZ+nznxzpd8MixnhPXzyNxY+YFVgq0nz8lfi4xwdlAYygi7V rfqlAJA9zGDzlL9jBRj5UP1raaF4/e2NGahP4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=QJFcwZWDalqyZVx0vf1ZP7pl3wpwuORD4hGXF6rRjbFH6JYiqGawBlYXdhfPD7V2mM ukTMqnW12HnWyFvfuxOv3pMeS7WIqFMZD3K9hsRGXY3dpcaBu0Wk2GI/tKk5Go90dziZ CNZYi9ToGHZydrS77c1TPUf6PA9T5d6LpqXCE=
In-reply-to: <20090227040001.8E86F3A68AB at core3.amsl.com>
List-archive: <http://www.ietf.org/mail-archive/web/sidr>
List-help: <mailto:sidr-request@ietf.org?subject=help>
List-id: Secure Interdomain Routing <sidr.ietf.org>
List-post: <mailto:sidr@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
References: <20090227040001.8E86F3A68AB at core3.amsl.com>
Sender: Terry Manderson <terry.mndrsn at gmail.com>

After a read through of the draft, I have some points to raise.

Section 1, Last paragraph

"locally manage trust anchors in a fashion that preserves theresource subset constraints imposed by the use the RFC 3779 extensions."


	I think you mean

"locally manage trust anchors in a fashion that preserves theresource subset constraints imposed by the use of RFC 3779 extensions.

Further from section 1. Is the structure really designed to enable RPsto self manage TAs?


Section 2: Para 1

"This does not nominate any organizations as default trust anchorsfor the RPKI."


	Perhaps

"This document does not nominate any organizations as default RelyingParty (RP) trust anchors for the RPKI."


Section 2: Para 2
	"cannot be modified (undetectably) by other than the"

	i think you mean
	
	"cannot be modified (un-detectably) by anyone other than the"

Section 2 para 9

Do you mean for the sentence "The format used to represent the ETA isbased on ongoing IETF PKIX WG activities to define a format for trustanchor material." to be there? Or should it be in para 8? It justseems disjointed to me.


	And with that, do you have a draft reference to guide the implementer?

at the end of section 2 a diagram would be very helpful:

eg

ETA ---> CRL

\----> EE ----> CMS [ payload: RTA (with 3779), signed attr ETA-EE ]



Section 3, para 1

"This suggests that the structure of certificates in the RPKI thatrelate to the use of public number resources is a public context"


	maybe

"This suggests that the structure of certificates in the RPKI thatrelate to the use of public number resources in a public context"


Section 3 para 2

Would the authors consider saying that RTAs from two putative publicTA organisations must not overlap?Just so we really do try to avoid the state of two organisationsclaiming to be authoritative for the

	same information?


Section 3 para 5+

I have some questions about the recommended operational maintenanceprocedure.

Early in the document it is suggested that the ETA be an offline CAyeah? Its fine to publish a CRL for the offline ca, however section 3suggests that the ETA issue a CRL shorter than the validity period forthe RTA. This pseudo synchronisation implies the ETA will need toregularly brought back online for CRL issuance which tends to negatethe concept of a long lived crl from an off-line CA. Or have Iincorrectly interpreted what you are saying? I think the same goes forwhere a trust anchor re-issues the RTA. The frequency of this impliesthat both the RTA and ETA will be on-line CAs.

or perhaps you can help me understand why a new ETA-EE certificateneeds to be created to sign the CMS for the new RTA? I see that youare tying to signify to relying parties that the RTA has changed andthey need to fetch the RTA CMS blog, but wouldn't a manifest be ofmore utility and provide for less cert churn?

I agree also with the authors note, a diagram of the SIA, locations,and crl locations would be helpful.

Further, can you separate the 'private number' items into their ownheadings in the documents?


Cheers
Terry

On 27/02/2009, at 2:00 PM, Internet-Drafts at ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Draftsdirectories.This draft is a work item of the Secure Inter-Domain Routing WorkingGroup of the IETF.

Title : A Profile for Trust Anchor Material for theResource Certificate PKI

	Author(s)       : G. Michaelson, et al.
	Filename        : draft-ietf-sidr-ta-00.txt
	Pages           : 17
	Date            : 2009-02-26

This document defines a standard profile for the publication of Trust
Anchor material for the Resource Certificate Public Key
Infrastructure.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-ta-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<mime-attachment>_______________________________________________
sidr mailing list
sidr at ietf.org
https://www.ietf.org/mailman/listinfo/sidr

Follow-Ups:
- Re: [sidr] I-D Action:draft-ietf-sidr-ta-00.txt
  - From: Terry Manderson

References:
- [sidr] I-D Action:draft-ietf-sidr-ta-00.txt
  - From: Internet-Drafts

Prev by Date: Re: [sidr] Fwd: I-D Action:draft-ietf-sidr-ta-00.txt
Next by Date: [sidr] meeting agenda topics
Previous by thread: Re: [sidr] Fwd: I-D Action:draft-ietf-sidr-ta-00.txt
Next by thread: Re: [sidr] I-D Action:draft-ietf-sidr-ta-00.txt
Index(es):
- Date
- Thread

Re: [sidr] I-D Action:draft-ietf-sidr-ta-00.txt

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.