Re: [sidr] TA questions

To: Robert Kisteleki <robert at ripe.net>
Subject: Re: [sidr] TA questions
From: George Michaelson <ggm at apnic.net>
Date: Sat, 7 Nov 2009 06:26:16 +0800
Cc: "sidr at ietf.org" <sidr at ietf.org>
Delivered-to: sidr at core3.amsl.com
In-reply-to: <4AF291C2.6000103 at ripe.net>
List-archive: <http://www.ietf.org/mail-archive/web/sidr>
List-help: <mailto:sidr-request@ietf.org?subject=help>
List-id: Secure Interdomain Routing <sidr.ietf.org>
List-post: <mailto:sidr@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
References: <4AF291C2.6000103 at ripe.net>

On 05/11/2009, at 4:50 PM, Robert Kisteleki wrote:

Hi,
I'm proxying two questions from our development team regarding theTA draft:
1) How do the authors envision key roll overs for the RTA?
Even though the draft allows for re-publication of the self-signedRTA with new resources, it does not seem to address key roll oversfor that RTA. It seems one would have to publish a new ETA tosupport this, which would make invalidating the previous RTA (ifthat's ever needed) difficult.

Nowhere in the document does it say that the ETA and RTA keys arelinked. Therefore it's not clear to me *WHY* the ETA has tonecessarily roll when an RTA re-keys.

If an RTA publisher wanted to roll their RTA key, then it seemsfeasible by having the ETA simply use the key conservatively andassume an indefinite lifetime. The important caveat is that the RTAshould be treated with the same level of respect as any trust anchor.

2) Can we have a more clear pointer the RTACMS object for relyingparties?
The current proposal has the ETA CA point to a directory. See page 7of the draft for an ascii-art representation of this. This meansthat relying parties will have to find the actual RTACMS object inthis directory themselves. Probably rsync the whole thing and loopover the entries to figure out which is which.

Robert, the ETA certificate has an SIA. The ETA SIA *should* point toa directory, which will contain a CMS object, and a CRL. It *can*contain the ETA too. What else does this directory contain, that arelying party is not interested in seeing?

Relying party software, assuming it trusts this ETA, periodicallyscans this SIA space and picks up all valid CMS signed objects andloads the payload RTAs, again assuming that it trusts the ETA. Itneeds to see the CRL too.

CMS is quite recognisable, testable, provable. Thats the whole point.The ETA can be signing over more than one RTA (for instance, keyrollover) so there can be more than one CMS bundle to be seen, signedby the ETA.


-George

Follow-Ups:
- [sidr] TA document review
  - From: Roque Gagliano
- Re: [sidr] TA questions
  - From: Robert Kisteleki

References:
- [sidr] TA questions
  - From: Robert Kisteleki

Prev by Date: Re: [sidr] draft-pmohapat-sidr-pfx-validate-03.txt as SIDR WG document
Next by Date: Re: [sidr] draft-pmohapat-sidr-pfx-validate-03.txt as SIDR WG document
Previous by thread: [sidr] TA questions
Next by thread: Re: [sidr] TA questions
Index(es):
- Date
- Thread

Re: [sidr] TA questions

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.