Re: [sidr] Question about manifest document

To: Stephen Kent <kent at bbn.com>
Subject: Re: [sidr] Question about manifest document
From: Geoff Huston <gih at apnic.net>
Date: Sat, 21 Nov 2009 11:18:17 +1100
Cc: Rob Austein <sra at isc.org>, sidr at ietf.org
Delivered-to: sidr at core3.amsl.com
In-reply-to: <p06240811c72cbfac7715 at [192.168.1.3]>
List-archive: <http://www.ietf.org/mail-archive/web/sidr>
List-help: <mailto:sidr-request@ietf.org?subject=help>
List-id: Secure Interdomain Routing <sidr.ietf.org>
List-post: <mailto:sidr@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
References: <Pine.WNT.4.64.0911171910530.5096 at SANDYM-LT.columbia.ads.sparta.com> <AF9E9439-B9CB-4713-96D7-7D9B962A95D3 at apnic.net> <p06240811c72cbfac7715 at [192.168.1.3]>

On 21/11/2009, at 8:51 AM, Stephen Kent wrote:

> At 11:39 AM +1100 11/18/09, Geoff Huston wrote:
>> WG co-chair hat OFF
>> 
>> This is a posting made in my role as a document co-author, and not as a co-chair of the WG
>> 
>> In reviewing the manifest document I notice that the document in its current version defines a manifest as an RPKI construct. I have two questions about  this:
>> 
>> 1. Should the manifest document be constrained in this manner as being exclusively an RPKI construct, or should the reference to exclusive use by the RPKI be removed such that the manifest is defined in a manner that is agnostic to the context of the PKI in which the manifest may be used, so that any CA may use a manifest?
>> 
>> 2. In the context of the RPKI should the manifest document used a SHOULD to specify that the resources in the RPKI EE certificate used to validate the manifest's signature be specified using the inherit bit setting of the RFC3779 extensions?
>> 
>> Do any of the document's co-authors, or any WG folk, have an opinion of either or both of these questions that they'd like to share?
>> 
>> thanks,
>> 
>>  Geoff
>> 
>> WG co-chair hat OFF
> 
> I agree that the manifest structure is more general than the RPKI context.
> 
> However, if we choose to make the manifest document generic, we probably need another document that profiles it for the RPKI.
> 
> Steve

WG co-chair hat OFF

This is a posting made in my role as a document co-author, and not as a co-chair of the WG.

Thanks for this comment Steve. I am happy to attempt to redraft the manifest as a more generic document that describes a manifest in terms of a list of published products of a CA, with a signature that is verified using an EE certificate that is a subordinate product of that CA.

At this stage I'm of the view that the only RPKI-specific profile would be to say that the RPKI EE cert SHOULD use the inherit bit in the RFC3779 extension, and this seeems such a small profile component that it could fit into the res-cert profile draft in its own section.

regards,

   Geoff

WG co-chair hat OFF

Follow-Ups:
- Re: [sidr] Question about manifest document
  - From: Tim Bruijnzeels

References:
- [sidr] Question about manifest document
  - From: Geoff Huston
- Re: [sidr] Question about manifest document
  - From: Stephen Kent

Prev by Date: Re: [sidr] Question about manifest document
Next by Date: Re: [sidr] Question about manifest document
Previous by thread: Re: [sidr] Question about manifest document
Next by thread: Re: [sidr] Question about manifest document
Index(es):
- Date
- Thread

Re: [sidr] Question about manifest document

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.