Re: [OPSAWG] I-D Action: draft-ietf-opsawg-9092-update-03.txt
Job:

> The example signature chain still is broken :-/

Thank you for your very careful review.

> 1/ The Trust Anchor cert still doesn't mark its RFC 3779
>    autonomousSysNum extension as critical. RFC 6487 section 4.8.11
>    requires this.

I must have done something very clumsy when I composed the XML, because looking at my individual files, the extension is marked critical.

$ openssl x509 -in exampleta.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:08:32:70:da:05:55:18:c0:b8:df:c5:c3:b5:11:bb:40:c4:64:d0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example-ta
        Validity
            Not Before: Sep 19 20:33:39 2023 GMT
            Not After : Sep 16 20:33:39 2033 GMT
        Subject: CN = example-ta
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C0:BD:52:5D:BE:D2:78:B2:16:EC:B3:A3:43:95:D2:06:0B:99:08:32
            X509v3 Authority Key Identifier:
                C0:BD:52:5D:BE:D2:78:B2:16:EC:B3:A3:43:95:D2:06:0B:99:08:32
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber
            Subject Information Access:
                RPKI Manifest - URI:rsync://rpki.example.net/repository/example-ta.mft
                RPKI Notify - URI:https://rrdp.example.net/notification.xml
                CA Repository - URI:rsync://rpki.example.net/repository/
            sbgp-ipAddrBlock: critical
                IPv4:
                  0.0.0.0/0
                IPv6:
                  ::/0
            sbgp-autonomousSysNum: critical
                Autonomous System Numbers:
                  0-4294967295
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

> 2/ The intermediate CA cert lists
>
>    URI:rsync://rpki.example.net/repository/3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642.crl
>
>    as its CRLDP; but instead must reference
>
>    URI:rsync://rpki.example.net/repository/example-ta.crl
>
>    The intermediate CA is subordinate to the TA, and thus should
>    reference the CRL signed by the TA (not the CRL it signed itself).

Indeed. This is a cut-and-paste error. Just corrected it.

I have a long plane ride tomorrow. I'll try to correctly generate the XML on the plane.

Russ

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-9092-update-03.txt
Dear all,

The example signature chain still is broken :-/

1/ The Trust Anchor cert still doesn't mark its RFC 3779
   autonomousSysNum extension as critical. RFC 6487 section 4.8.11
   requires this.

2/ The intermediate CA cert lists

   URI:rsync://rpki.example.net/repository/3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642.crl

   as its CRLDP; but instead must reference

   URI:rsync://rpki.example.net/repository/example-ta.crl

   The intermediate CA is subordinate to the TA, and thus should
   reference the CRL signed by the TA (not the CRL it signed itself).

A possible path forward to incorporate working examples would be to simply use these new ones I generated for an IPv4 prefix & dumpasn1:

https://git.rg.net/randy/draft-9092update/pulls/2/files

Kind regards,

Job

On Wed, Sep 20, 2023 at 03:33:50PM -0700, internet-dra...@ietf.org wrote:
> Internet-Draft draft-ietf-opsawg-9092-update-03.txt is now available. It is a
> work item of the Operations and Management Area Working Group (OPSAWG) WG of
> the IETF.
>
>    Title:   Finding and Using Geofeed Data
>    Authors: Randy Bush
>             Massimo Candela
>             Warren Kumari
>             Russ Housley
>    Name:    draft-ietf-opsawg-9092-update-03.txt
>    Pages:   26
>    Dates:   2023-09-20
>
> Abstract:
>
>    This document specifies how to augment the Routing Policy
>    Specification Language inetnum: class to refer specifically to
>    geofeed data files and describes an optional scheme that uses the
>    Resource Public Key Infrastructure to authenticate the geofeed
>    datafiles.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-9092-update/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-9092-update-03
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-9092-update-03
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
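A small lint over openssl x509 -text -noout output for the two defects Job lists above: RFC 3779 extensions that are not flagged critical, and a subordinate CA whose CRLDP names a CRL other than the one its issuer publishes. This is an added example, not code from the draft or from anyone in the thread; the sample fragments are constructed, and the rule that the issuer's CRL shares its manifest's basename is an assumption taken from the draft's example names (example-ta.mft / example-ta.crl).

```python
import re

# RFC 6487 sections 4.8.10 / 4.8.11: both RFC 3779 extensions MUST be marked critical.
RFC3779 = ("sbgp-ipAddrBlock", "sbgp-autonomousSysNum")

def _nested(text, header):
    """Lines indented deeper than `header` in openssl x509 -text -noout output."""
    lines, block = text.splitlines(), []
    indent = lambda s: len(s) - len(s.lstrip())
    for i, line in enumerate(lines):
        if line.strip() == header:
            for nxt in lines[i + 1:]:
                if nxt.strip() and indent(nxt) <= indent(line):
                    break
                block.append(nxt.strip())
            break
    return block

def uris(text, header, label=""):
    """URIs listed under `header`; `label` selects one SIA access method."""
    return [m.group(1) for line in _nested(text, header) if line.startswith(label)
            for m in [re.search(r"URI:(\S+)", line)] if m]

def critical_problems(text):
    """RFC 3779 extensions that are present but not flagged critical."""
    return [f"{n} not critical" for n in RFC3779
            if (m := re.search(rf"^\s*{n}:\s*(critical)?\s*$", text, re.M)) and not m.group(1)]

def crldp_problems(child, issuer):
    """Child CRLDP must name the CRL its issuer publishes (RFC 6487 4.8.6). Assumption:
    the issuer's CRL shares its manifest's basename, as in the draft (example-ta.mft/.crl)."""
    manifests = uris(issuer, "Subject Information Access:", "RPKI Manifest")
    expected = {u[:-4] + ".crl" for u in manifests if u.endswith(".mft")}
    return [f"CRLDP {u} is not the issuer's CRL" for u in uris(child, "X509v3 CRL Distribution Points:")
            if u not in expected]

# Constructed, abridged openssl output reproducing the two defects reported in the thread.
TA_TEXT = """\
            Subject Information Access:
                RPKI Manifest - URI:rsync://rpki.example.net/repository/example-ta.mft
                CA Repository - URI:rsync://rpki.example.net/repository/
            sbgp-ipAddrBlock: critical
            sbgp-autonomousSysNum:
                Autonomous System Numbers:
                  0-4294967295
"""
CA_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:rsync://rpki.example.net/repository/3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642.crl
"""
```

Run critical_problems on each certificate's dump and crldp_problems on each (child, issuer) pair; an empty list means the dump passes that check, which a real validator would still need to confirm against the DER.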
[OPSAWG] I-D Action: draft-ietf-opsawg-9092-update-03.txt
Internet-Draft draft-ietf-opsawg-9092-update-03.txt is now available. It is a
work item of the Operations and Management Area Working Group (OPSAWG) WG of
the IETF.

   Title:   Finding and Using Geofeed Data
   Authors: Randy Bush
            Massimo Candela
            Warren Kumari
            Russ Housley
   Name:    draft-ietf-opsawg-9092-update-03.txt
   Pages:   26
   Dates:   2023-09-20

Abstract:

   This document specifies how to augment the Routing Policy
   Specification Language inetnum: class to refer specifically to
   geofeed data files and describes an optional scheme that uses the
   Resource Public Key Infrastructure to authenticate the geofeed
   datafiles.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-9092-update/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-9092-update-03

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-9092-update-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts