Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-07-10 Thread Warren Kumari

On Jul 10, 2012, at 12:15 PM, Sean Turner wrote:

> On 7/3/12 4:50 PM, Warren Kumari wrote:
>> 
>> On Jun 28, 2012, at 4:49 PM, Murphy, Sandra wrote:
>> 
>>> This last call has ended.  There were only three comments during the wglc.
>>> 
>>> Two noted that the document was solid, but that it was premature to advance 
>>> the draft when the protocols spec was still undergoing changes and might 
>>> produce new required features for the router certificates.
>>> 
>>> So what is the desire of the working group:
>>> 
>>> - put the document on hold, refreshing version numbers as necessary to
>>> keep it on the secretariat list of current drafts, until we are more 
>>> certain no further features will be needed
>>> 
>>> - publish the draft now and amend if new features should pop up
>> 
>> This one please!
> 
> For what it's worth I like this one too, but I'm one of the editors.
> 

Fair 'nuff…


> spt
> 
>> W
>> 
>>> 
>>> If the latter, more support for publication is needed.

So, is this sufficient support for publication? If not, how much more is 
needed? And by when?

W


>>> 
>>> --Sandy, speaking as wg co-chair
>>> ________
>>> From: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of 
>>> Christopher Morrow [morrowc.li...@gmail.com]
>>> Sent: Friday, April 13, 2012 4:16 PM
>>> To: sidr@ietf.org; sidr-cha...@ietf.org
>>> Subject: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles
>>> 
>>> Helo WG peoples,
>>> The following update posted today. Sean and Tom have come to agreement
>>> on their differences, I believe this closes the last open items on
>>> this document.
>>> 
>>> Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012
>>> 
>>> Thanks!
>>> -Chris
>>> 
>>> 
>>> On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>>>> 
>>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>>> directories. This draft is a work item of the Secure Inter-Domain Routing 
>>>> Working Group of the IETF.
>>>> 
>>>>   Title   : A Profile for BGPSEC Router Certificates, 
>>>> Certificate Revocation Lists, and Certification Requests
>>>>   Author(s)   : Mark Reynolds
>>>> Sean Turner
>>>> Steve Kent
>>>>   Filename: draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>>>>   Pages   : 11
>>>>   Date: 2012-04-13
>>>> 
>>>>  This document defines a standard profile for X.509 certificates for
>>>>  the purposes of supporting validation of Autonomous System (AS) paths
>>>>  in the Border Gateway Protocol (BGP), as part of an extension to that
>>>>  protocol known as BGPSEC.  BGP is a critical component for the proper
>>>>  operation of the Internet as a whole.  The BGPSEC protocol is under
>>>>  development as a component to address the requirement to provide
>>>>  security for the BGP protocol.  The goal of BGPSEC is to design a
>>>>  protocol for full AS path validation based on the use of strong
>>>>  cryptographic primitives.  The end-entity (EE) certificates specified
>>>>  by this profile are issued under Resource Public Key Infrastructure
>>>>  (RPKI) Certification Authority (CA) certificates, containing the AS
>>>>  Identifier Delegation extension, to routers within the Autonomous
>>>>  System (AS).  The certificate asserts that the router(s) holding the
>>>>  private key are authorized to send out secure route advertisements on
>>>>  behalf of the specified AS.  This document also profiles the
>>>>  Certificate Revocation List (CRL), profiles the format of
>>>>  certification requests, and specifies Relying Party certificate path
>>>>  validation procedures.  The document extends the RPKI; therefore,
>>>>  this documents updates the RPKI Resource Certificates Profile (RFC
>>>>  6487).
>>>> 
>>>> 
>>>> A URL for this Internet-Draft is:
>>>> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>>>> 
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>> This Internet-Draft can be retri

Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-07-10 Thread Sean Turner

On 7/3/12 4:50 PM, Warren Kumari wrote:


On Jun 28, 2012, at 4:49 PM, Murphy, Sandra wrote:


This last call has ended.  There were only three comments during the wglc.

Two noted that the document was solid, but that it was premature to advance the 
draft when the protocols spec was still undergoing changes and might produce 
new required features for the router certificates.

So what is the desire of the working group:

- put the document on hold, refreshing version numbers as necessary to keep it 
on the secretariat list of current drafts, until we are more certain no further 
features will be needed

- publish the draft now and amend if new features should pop up


This one please!


For what it's worth I like this one too, but I'm one of the editors.

spt


W



If the latter, more support for publication is needed.

--Sandy, speaking as wg co-chair

From: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of Christopher 
Morrow [morrowc.li...@gmail.com]
Sent: Friday, April 13, 2012 4:16 PM
To: sidr@ietf.org; sidr-cha...@ietf.org
Subject: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

Helo WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM,   wrote:


A New Internet-Draft is available from the on-line Internet-Drafts directories. 
This draft is a work item of the Secure Inter-Domain Routing Working Group of 
the IETF.

   Title   : A Profile for BGPSEC Router Certificates, Certificate 
Revocation Lists, and Certification Requests
   Author(s)   : Mark Reynolds
 Sean Turner
 Steve Kent
   Filename: draft-ietf-sidr-bgpsec-pki-profiles-03.txt
   Pages   : 11
   Date: 2012-04-13

  This document defines a standard profile for X.509 certificates for
  the purposes of supporting validation of Autonomous System (AS) paths
  in the Border Gateway Protocol (BGP), as part of an extension to that
  protocol known as BGPSEC.  BGP is a critical component for the proper
  operation of the Internet as a whole.  The BGPSEC protocol is under
  development as a component to address the requirement to provide
  security for the BGP protocol.  The goal of BGPSEC is to design a
  protocol for full AS path validation based on the use of strong
  cryptographic primitives.  The end-entity (EE) certificates specified
  by this profile are issued under Resource Public Key Infrastructure
  (RPKI) Certification Authority (CA) certificates, containing the AS
  Identifier Delegation extension, to routers within the Autonomous
  System (AS).  The certificate asserts that the router(s) holding the
  private key are authorized to send out secure route advertisements on
  behalf of the specified AS.  This document also profiles the
  Certificate Revocation List (CRL), profiles the format of
  certification requests, and specifies Relying Party certificate path
  validation procedures.  The document extends the RPKI; therefore,
  this documents updates the RPKI Resource Certificates Profile (RFC
  6487).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt

___
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr




--
"Working the ICANN process is like being nibbled to death by ducks,
it takes forever, it doesn't make sense, and in the end we're still dead in the 
water."
 -- Tom Galvin, VeriSign's vice president for government relations.








Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-07-03 Thread Warren Kumari

On Jun 28, 2012, at 4:49 PM, Murphy, Sandra wrote:

> This last call has ended.  There were only three comments during the wglc.  
> 
> Two noted that the document was solid, but that it was premature to advance 
> the draft when the protocols spec was still undergoing changes and might 
> produce new required features for the router certificates.
> 
> So what is the desire of the working group:
> 
> - put the document on hold, refreshing version numbers as necessary to keep 
> it on the secretariat list of current drafts, until we are more certain no 
> further features will be needed
> 
> - publish the draft now and amend if new features should pop up

This one please!

W

> 
> If the latter, more support for publication is needed.
> 
> --Sandy, speaking as wg co-chair
> 
> From: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of Christopher 
> Morrow [morrowc.li...@gmail.com]
> Sent: Friday, April 13, 2012 4:16 PM
> To: sidr@ietf.org; sidr-cha...@ietf.org
> Subject: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles
> 
> Helo WG peoples,
> The following update posted today. Sean and Tom have come to agreement
> on their differences, I believe this closes the last open items on
> this document.
> 
> Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012
> 
> Thanks!
> -Chris
> 
> 
> On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories. This draft is a work item of the Secure Inter-Domain Routing 
>> Working Group of the IETF.
>> 
>>   Title   : A Profile for BGPSEC Router Certificates, 
>> Certificate Revocation Lists, and Certification Requests
>>   Author(s)   : Mark Reynolds
>> Sean Turner
>> Steve Kent
>>   Filename: draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>>   Pages   : 11
>>   Date: 2012-04-13
>> 
>>  This document defines a standard profile for X.509 certificates for
>>  the purposes of supporting validation of Autonomous System (AS) paths
>>  in the Border Gateway Protocol (BGP), as part of an extension to that
>>  protocol known as BGPSEC.  BGP is a critical component for the proper
>>  operation of the Internet as a whole.  The BGPSEC protocol is under
>>  development as a component to address the requirement to provide
>>  security for the BGP protocol.  The goal of BGPSEC is to design a
>>  protocol for full AS path validation based on the use of strong
>>  cryptographic primitives.  The end-entity (EE) certificates specified
>>  by this profile are issued under Resource Public Key Infrastructure
>>  (RPKI) Certification Authority (CA) certificates, containing the AS
>>  Identifier Delegation extension, to routers within the Autonomous
>>  System (AS).  The certificate asserts that the router(s) holding the
>>  private key are authorized to send out secure route advertisements on
>>  behalf of the specified AS.  This document also profiles the
>>  Certificate Revocation List (CRL), profiles the format of
>>  certification requests, and specifies Relying Party certificate path
>>  validation procedures.  The document extends the RPKI; therefore,
>>  this documents updates the RPKI Resource Certificates Profile (RFC
>>  6487).
>> 
>> 
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>> 
> 

--
"Working the ICANN process is like being nibbled to death by ducks,
it takes forever, it doesn't make sense, and in the end we're still dead in the 
water." 
-- Tom Galvin, VeriSign's vice president for government relations.





Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-07-03 Thread Randy Bush
> I'll advocate for a "publish it now and fix it later if needed"
> strategy.

the hidden tao of the ietf




Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-07-03 Thread Stephen Kent

At 8:49 PM + 6/28/12, Murphy, Sandra wrote:
This last call has ended.  There were only three comments during the wglc. 

Two noted that the document was solid, but that it was premature to 
advance the draft when the protocols spec was still undergoing 
changes and might produce new required features for the router 
certificates.


So what is the desire of the working group:

- put the document on hold, refreshing version numbers as necessary 
to keep it on the secretariat list of current drafts, until we are 
more certain no further features will be needed


- publish the draft now and amend if new features should pop up

If the latter, more support for publication is needed.

--Sandy, speaking as wg co-chair


I'll advocate for a "publish it now and fix it later if needed"
strategy.

Steve


Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-06-28 Thread Murphy, Sandra
This last call has ended.  There were only three comments during the wglc.  

Two noted that the document was solid, but that it was premature to advance the 
draft when the protocols spec was still undergoing changes and might produce 
new required features for the router certificates.

So what is the desire of the working group:

- put the document on hold, refreshing version numbers as necessary to keep it 
on the secretariat list of current drafts, until we are more certain no further 
features will be needed

- publish the draft now and amend if new features should pop up

If the latter, more support for publication is needed.

--Sandy, speaking as wg co-chair

From: sidr-boun...@ietf.org [sidr-boun...@ietf.org] on behalf of Christopher 
Morrow [morrowc.li...@gmail.com]
Sent: Friday, April 13, 2012 4:16 PM
To: sidr@ietf.org; sidr-cha...@ietf.org
Subject: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

Helo WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories. This draft is a work item of the Secure Inter-Domain Routing 
> Working Group of the IETF.
>
>Title   : A Profile for BGPSEC Router Certificates, 
> Certificate Revocation Lists, and Certification Requests
>Author(s)   : Mark Reynolds
>  Sean Turner
>  Steve Kent
>Filename: draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>Pages   : 11
>Date: 2012-04-13
>
>   This document defines a standard profile for X.509 certificates for
>   the purposes of supporting validation of Autonomous System (AS) paths
>   in the Border Gateway Protocol (BGP), as part of an extension to that
>   protocol known as BGPSEC.  BGP is a critical component for the proper
>   operation of the Internet as a whole.  The BGPSEC protocol is under
>   development as a component to address the requirement to provide
>   security for the BGP protocol.  The goal of BGPSEC is to design a
>   protocol for full AS path validation based on the use of strong
>   cryptographic primitives.  The end-entity (EE) certificates specified
>   by this profile are issued under Resource Public Key Infrastructure
>   (RPKI) Certification Authority (CA) certificates, containing the AS
>   Identifier Delegation extension, to routers within the Autonomous
>   System (AS).  The certificate asserts that the router(s) holding the
>   private key are authorized to send out secure route advertisements on
>   behalf of the specified AS.  This document also profiles the
>   Certificate Revocation List (CRL), profiles the format of
>   certification requests, and specifies Relying Party certificate path
>   validation procedures.  The document extends the RPKI; therefore,
>   this documents updates the RPKI Resource Certificates Profile (RFC
>   6487).
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>


Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-05-04 Thread Sean Turner

On 5/3/12 10:14 AM, Chris Morrow wrote:



On 05/03/2012 03:57 AM, t.petch wrote:

A question arising from my ignorance.

How do values in the security arc get assigned?  Not IANA since there are no
IANA considerations, but how then?


good question... the below are asn.1 things, quickly searching around
isn't helping me out much either :(

Russ, any idea how this happens in practice? 'lick finger, test wind,
guess number' seems like the wrong method...


Russ Housley controls the pkix arc (has for years).  If we need a value 
from that arc (e.g., for the EKU extension and module OID), then 
we'll/I'll send a request to Russ for an OID.  He then returns an OID 
after some review.  I know he often compiles the modules too.


If you're curious about the OIDs under the 1.3.6.1.5.5.7 arc, the values 
can be found at: http://www.imc.org/ietf-pkix/pkix-oid.asn.


The longer term plan is to transition the arc to IANA when PKIX closes.

spt



On the IANA profiles web page I can see
(1.3.6.1.5.5.4)
and
(1.3.6.1.5.5.8)
but no 1.3.6.1.5.5.7, just a reference to Russ.


Tom Petch

- Original Message -
From: "Christopher Morrow"
To:;
Sent: Friday, April 13, 2012 10:16 PM

Helo WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM,  wrote:


A New Internet-Draft is available from the on-line Internet-Drafts

directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.


Title : A Profile for BGPSEC Router Certificates, Certificate Revocation

Lists, and Certification Requests

Author(s) : Mark Reynolds
Sean Turner
Steve Kent
Filename : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
Pages : 11
Date : 2012-04-13

This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of Autonomous System (AS) paths
in the Border Gateway Protocol (BGP), as part of an extension to that
protocol known as BGPSEC. BGP is a critical component for the proper
operation of the Internet as a whole. The BGPSEC protocol is under
development as a component to address the requirement to provide
security for the BGP protocol. The goal of BGPSEC is to design a
protocol for full AS path validation based on the use of strong
cryptographic primitives. The end-entity (EE) certificates specified
by this profile are issued under Resource Public Key Infrastructure
(RPKI) Certification Authority (CA) certificates, containing the AS
Identifier Delegation extension, to routers within the Autonomous
System (AS). The certificate asserts that the router(s) holding the
private key are authorized to send out secure route advertisements on
behalf of the specified AS. This document also profiles the
Certificate Revocation List (CRL), profiles the format of
certification requests, and specifies Relying Party certificate path
validation procedures. The document extends the RPKI; therefore,
this documents updates the RPKI Resource Certificates Profile (RFC
6487).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt



Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-05-03 Thread Matt Lepinski
I have read the -03 version of bgpsec profiles. I think the current 
version of the document is solid. But I don't think the protocol spec is 
quite stable enough to say "we aren't going to be making any changes to 
the bgpsec protocol that will require a change to the profiles document" 
... but I hope the protocol spec will soon (several months) be that stable.


- Matt Lepinski

On 4/13/2012 5:26 PM, Brian Dickson wrote:
While I think the document may be pretty solid currently, the 
meta-issue of the tail wagging the dog exists.


I.e. There still exists the potential for additional requirements to 
surface,
related to the design and implementation of the bgpsec protocol, which 
have
the potential to "inform" additional requirements for the EE certs, 
and/or other (new) cert types.


So, even if it passes WGLC intact, I'm of the opinion that it should 
be kept in the "hold" buffer,
until the other work goes through more substantial development and 
review cycles.


Brian

On Fri, Apr 13, 2012 at 4:16 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:


Helo WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM, <internet-dra...@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Secure Inter-Domain
> Routing Working Group of the IETF.
>
>   Title       : A Profile for BGPSEC Router Certificates,
>                 Certificate Revocation Lists, and Certification Requests
>   Author(s)   : Mark Reynolds
>                 Sean Turner
>                 Steve Kent
>   Filename    : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>   Pages       : 11
>   Date        : 2012-04-13
>
>   This document defines a standard profile for X.509 certificates for
>   the purposes of supporting validation of Autonomous System (AS) paths
>   in the Border Gateway Protocol (BGP), as part of an extension to that
>   protocol known as BGPSEC.  BGP is a critical component for the proper
>   operation of the Internet as a whole.  The BGPSEC protocol is under
>   development as a component to address the requirement to provide
>   security for the BGP protocol.  The goal of BGPSEC is to design a
>   protocol for full AS path validation based on the use of strong
>   cryptographic primitives.  The end-entity (EE) certificates specified
>   by this profile are issued under Resource Public Key Infrastructure
>   (RPKI) Certification Authority (CA) certificates, containing the AS
>   Identifier Delegation extension, to routers within the Autonomous
>   System (AS).  The certificate asserts that the router(s) holding the
>   private key are authorized to send out secure route advertisements on
>   behalf of the specified AS.  This document also profiles the
>   Certificate Revocation List (CRL), profiles the format of
>   certification requests, and specifies Relying Party certificate path
>   validation procedures.  The document extends the RPKI; therefore,
>   this documents updates the RPKI Resource Certificates Profile (RFC
>   6487).
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>


Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-05-03 Thread Chris Morrow


On 05/03/2012 03:57 AM, t.petch wrote:
> A question arising from my ignorance.
> 
> How do values in the security arc get assigned?  Not IANA since there are no
> IANA considerations, but how then?

good question... the below are asn.1 things, quickly searching around
isn't helping me out much either :(

Russ, any idea how this happens in practice? 'lick finger, test wind,
guess number' seems like the wrong method...

> 
> On the IANA profiles web page I can see
> (1.3.6.1.5.5.4)
> and
> (1.3.6.1.5.5.8)
> but no 1.3.6.1.5.5.7, just a reference to Russ.
> 
> 
> Tom Petch
> 
> - Original Message -
> From: "Christopher Morrow" 
> To: ; 
> Sent: Friday, April 13, 2012 10:16 PM
> 
> Helo WG peoples,
> The following update posted today. Sean and Tom have come to agreement
> on their differences, I believe this closes the last open items on
> this document.
> 
> Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012
> 
> Thanks!
> -Chris
> 
> 
> On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This draft is a work item of the Secure Inter-Domain Routing
> Working Group of the IETF.
>>
>> Title : A Profile for BGPSEC Router Certificates, Certificate Revocation
> Lists, and Certification Requests
>> Author(s) : Mark Reynolds
>> Sean Turner
>> Steve Kent
>> Filename : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>> Pages : 11
>> Date : 2012-04-13
>>
>> This document defines a standard profile for X.509 certificates for
>> the purposes of supporting validation of Autonomous System (AS) paths
>> in the Border Gateway Protocol (BGP), as part of an extension to that
>> protocol known as BGPSEC. BGP is a critical component for the proper
>> operation of the Internet as a whole. The BGPSEC protocol is under
>> development as a component to address the requirement to provide
>> security for the BGP protocol. The goal of BGPSEC is to design a
>> protocol for full AS path validation based on the use of strong
>> cryptographic primitives. The end-entity (EE) certificates specified
>> by this profile are issued under Resource Public Key Infrastructure
>> (RPKI) Certification Authority (CA) certificates, containing the AS
>> Identifier Delegation extension, to routers within the Autonomous
>> System (AS). The certificate asserts that the router(s) holding the
>> private key are authorized to send out secure route advertisements on
>> behalf of the specified AS. This document also profiles the
>> Certificate Revocation List (CRL), profiles the format of
>> certification requests, and specifies Relying Party certificate path
>> validation procedures. The document extends the RPKI; therefore,
>> this documents updates the RPKI Resource Certificates Profile (RFC
>> 6487).
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>>


Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-05-03 Thread t . petch
A question arising from my ignorance.

How do values in the security arc get assigned?  Not IANA since there are no
IANA considerations, but how then?

On the IANA profiles web page I can see
(1.3.6.1.5.5.4)
and
(1.3.6.1.5.5.8)
but no 1.3.6.1.5.5.7, just a reference to Russ.


Tom Petch

- Original Message -
From: "Christopher Morrow" 
To: ; 
Sent: Friday, April 13, 2012 10:16 PM

Helo WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.
>
> Title : A Profile for BGPSEC Router Certificates, Certificate Revocation
Lists, and Certification Requests
> Author(s) : Mark Reynolds
> Sean Turner
> Steve Kent
> Filename : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
> Pages : 11
> Date : 2012-04-13
>
> This document defines a standard profile for X.509 certificates for
> the purposes of supporting validation of Autonomous System (AS) paths
> in the Border Gateway Protocol (BGP), as part of an extension to that
> protocol known as BGPSEC. BGP is a critical component for the proper
> operation of the Internet as a whole. The BGPSEC protocol is under
> development as a component to address the requirement to provide
> security for the BGP protocol. The goal of BGPSEC is to design a
> protocol for full AS path validation based on the use of strong
> cryptographic primitives. The end-entity (EE) certificates specified
> by this profile are issued under Resource Public Key Infrastructure
> (RPKI) Certification Authority (CA) certificates, containing the AS
> Identifier Delegation extension, to routers within the Autonomous
> System (AS). The certificate asserts that the router(s) holding the
> private key are authorized to send out secure route advertisements on
> behalf of the specified AS. This document also profiles the
> Certificate Revocation List (CRL), profiles the format of
> certification requests, and specifies Relying Party certificate path
> validation procedures. The document extends the RPKI; therefore,
> this documents updates the RPKI Resource Certificates Profile (RFC
> 6487).
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>


Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-04-13 Thread Brian Dickson
While I think the document may be pretty solid currently, the meta-issue of
the tail wagging the dog exists.

I.e. There still exists the potential for additional requirements to surface,
related to the design and implementation of the bgpsec protocol, which have
the potential to "inform" additional requirements for the EE certs, and/or
other (new) cert types.

So, even if it passes WGLC intact, I'm of the opinion that it should be
kept in the "hold" buffer, until the other work goes through more substantial
development and review cycles.

Brian

On Fri, Apr 13, 2012 at 4:16 PM, Christopher Morrow wrote:

> Hello WG peoples,
> The following update posted today. Sean and Tom have come to agreement
> on their differences, I believe this closes the last open items on
> this document.
>
> Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012
>
> Thanks!
> -Chris
> 
>
> On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories. This draft is a work item of the Secure Inter-Domain Routing
> > Working Group of the IETF.
> >
> >        Title           : A Profile for BGPSEC Router Certificates,
> >                          Certificate Revocation Lists, and Certification Requests
> >        Author(s)       : Mark Reynolds
> >                          Sean Turner
> >                          Steve Kent
> >        Filename        : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
> >        Pages           : 11
> >        Date            : 2012-04-13
> >
> >   This document defines a standard profile for X.509 certificates for
> >   the purposes of supporting validation of Autonomous System (AS) paths
> >   in the Border Gateway Protocol (BGP), as part of an extension to that
> >   protocol known as BGPSEC.  BGP is a critical component for the proper
> >   operation of the Internet as a whole.  The BGPSEC protocol is under
> >   development as a component to address the requirement to provide
> >   security for the BGP protocol.  The goal of BGPSEC is to design a
> >   protocol for full AS path validation based on the use of strong
> >   cryptographic primitives.  The end-entity (EE) certificates specified
> >   by this profile are issued under Resource Public Key Infrastructure
> >   (RPKI) Certification Authority (CA) certificates, containing the AS
> >   Identifier Delegation extension, to routers within the Autonomous
> >   System (AS).  The certificate asserts that the router(s) holding the
> >   private key are authorized to send out secure route advertisements on
> >   behalf of the specified AS.  This document also profiles the
> >   Certificate Revocation List (CRL), profiles the format of
> >   certification requests, and specifies Relying Party certificate path
> >   validation procedures.  The document extends the RPKI; therefore,
> >   this document updates the RPKI Resource Certificates Profile (RFC
> >   6487).
> >
> >
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > This Internet-Draft can be retrieved at:
> > ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
> >
> > ___
> > sidr mailing list
> > sidr@ietf.org
> > https://www.ietf.org/mailman/listinfo/sidr


[sidr] WGLC: draft-ietf-sidr-bgpsec-pki-profiles

2012-04-13 Thread Christopher Morrow
Hello WG peoples,
The following update posted today. Sean and Tom have come to agreement
on their differences, I believe this closes the last open items on
this document.

Let's start a WGLC for this, ending: 4/27/2012 or 27/4/2012

Thanks!
-Chris


On Fri, Apr 13, 2012 at 3:03 PM,   wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories. This draft is a work item of the Secure Inter-Domain Routing 
> Working Group of the IETF.
>
>        Title           : A Profile for BGPSEC Router Certificates, 
> Certificate Revocation Lists, and Certification Requests
>        Author(s)       : Mark Reynolds
>                          Sean Turner
>                          Steve Kent
>        Filename        : draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>        Pages           : 11
>        Date            : 2012-04-13
>
>   This document defines a standard profile for X.509 certificates for
>   the purposes of supporting validation of Autonomous System (AS) paths
>   in the Border Gateway Protocol (BGP), as part of an extension to that
>   protocol known as BGPSEC.  BGP is a critical component for the proper
>   operation of the Internet as a whole.  The BGPSEC protocol is under
>   development as a component to address the requirement to provide
>   security for the BGP protocol.  The goal of BGPSEC is to design a
>   protocol for full AS path validation based on the use of strong
>   cryptographic primitives.  The end-entity (EE) certificates specified
>   by this profile are issued under Resource Public Key Infrastructure
>   (RPKI) Certification Authority (CA) certificates, containing the AS
>   Identifier Delegation extension, to routers within the Autonomous
>   System (AS).  The certificate asserts that the router(s) holding the
>   private key are authorized to send out secure route advertisements on
>   behalf of the specified AS.  This document also profiles the
>   Certificate Revocation List (CRL), profiles the format of
>   certification requests, and specifies Relying Party certificate path
>   validation procedures.  The document extends the RPKI; therefore,
>   this document updates the RPKI Resource Certificates Profile (RFC
>   6487).
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-bgpsec-pki-profiles-03.txt
>
> ___
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr