Hi,
My take on this one.
I think we need a way to distinguish TAs across different CAs. I think
that using the Hash of the public key is a reasonable option.
Now, what i am not sure i understand is why do we need a new option.
I mean, wouldn't be possible to define a new Name Type of the Trust
anchor Option defined in section 6.4.3 of RFC3971, the new Name type
being the SKI?
People that are using multiple Tas should use this Name Type to be
certain that they identify the right TA accors multiple TAs.
Regards, marcelo
Roque Gagliano escribió:
Dear WG,
At the "cert" team we have identify a problem with RFC 3971 and the
trust anchor name types defined there. The RFC defines as possible
name types a X501 subject name or a FQDN. The problem we have is that
subject name may not be unique across CAs in a PKI.
As we decided to adopt SIDR WG certificate profile, the Subject Key
Identifier extension is mandatory now. Consequently, we can use this
hash of the subject public key to identify the host TAs even if we
need to search across several CAs.
We are issuing this draft to document the problem. However, RFC 3971
did not set a Registry for name types in the TA ICMP option, which
means that the only way to implement this new name type is to modify
RFC 3971 that I understand was already part of the plans for this WG.
How do the group feels about taking this path?
Regards,
Roque, Suresh, Ana.
Begin forwarded message:
*From: *IETF I-D Submission Tool <[email protected]
<mailto:[email protected]>>
*Date: *October 6, 2009 12:23:13 PM GMT+01:00
*To: *[email protected] <mailto:[email protected]>
*Cc: *[email protected]
<mailto:[email protected]>,[email protected]
<mailto:[email protected]>
*Subject: **New Version Notification for
draft-rgaglian-csi-send-ski-ta-nametype-00 *
A new version of I-D, draft-rgaglian-csi-send-ski-ta-nametype-00.txt
has been successfuly submitted by Roque Gagliano and posted to the
IETF repository.
Filename: draft-rgaglian-csi-send-ski-ta-nametype
Revision: 00
Title: Subject Key Identifier (SKI) name type for SEND TA option
Creation_date: 2009-10-06
WG ID: Independent Submission
Number_of_pages: 10
Abstract:
SEcure Neighbor Discovery (SEND) Utilizes X.509v3 certificates for
performing router authorization. This document specifies a SEND name
type to identify trust anchor X.509v3 certificates based on its
Subject Key Identifier.
The IETF Secretariat.
-------------------------------------------------------------
Roque Gagliano
LACNIC
[email protected] <mailto:[email protected]>
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365 DB72 9E4F 964A 01E9 6CEE
------------------------------------------------------------------------
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
