Hi,
Here are some comments on the document; some reflect the conflict
that Robert mentioned about being clearer that one EE ETA cert is
valid at any particular time, some are typos.
Roque.
--------------------
2.1. A Compound Trust Anchor Structure
The ETA issues a CRL and one EE certificate.
(Roque) I believe it needs to be explained that more than one ETA EE
cert may be issued during the lifetime of the ETA CA; however, at any
particular moment there is only one valid EE cert.
4.2. RPKI Trust Anchor Object Validation
2. Use the public key in the EE certificate to verify the
signature on the RTA Trust Anchor Object.
(Roque) s/EE certificate/ETA EE certificate
* Each time an RTA certificate is re-issued, or prior to the
expiration of the ETA EE certificate, the ETA generates a
Cryptographic Message Syntax (CMS) [RFC3852] signed-data
object, the payload of which is an RTA certificate.
(Roque) If the ETA EE cert validity period is identical to the RTA
validity period, as stated in a previous bullet, the second condition
("prior to the expiration of the ETA EE certificate") would be the
same as in the following section:
"If a trust anchor chooses to reissue its RTA certificate before the
expiration of that certificate."
5. Relying Party use of Trust Anchor Material
* The ETA's CRL and CMS objects are retrieved from the
publication point referenced by the SIA in the ETA
certificate.
(Roque) s/CMS objects/CMS object
Relying Parties SHOULD perform this retrieval and validation
operation at intervals no less frequent than the nextUpdate time of
the published ETA CRL, and SHOULD perform the retrieval operation
prior to the expiration of the ETA EE certificate, or upon revocation
of the ETA EE certificate.
(Roque) If the retrieval operation is for both the CRL and the CMS, I
do not understand the last sentence, because the RP is not aware of the
revocation until it has retrieved the CRL, and at that time it
already has the new CMS. So, I would:
s/, or upon revocation of the ETA EE certificate//
--------------------
-------------------------------------------------------------
Roque Gagliano
LACNIC
ro...@lacnic.net
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365 DB72 9E4F 964A 01E9 6CEE
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
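The two points argued in the comments above (exactly one ETA EE certificate is valid at any instant, and the RP's refresh deadline is driven by the CRL nextUpdate and the EE certificate's expiry rather than by a separate "upon revocation" trigger) are easy to model on the Relying Party side. The following is an added example, not code from the draft, from the thread, or from any RPKI implementation. It uses only the Python standard library, performs no real X.509/CMS parsing or signature verification, and all certificates, CRLs, serial numbers and timestamps in it are constructed for illustration; the names `EECert`, `CRL`, `select_ee_cert` and `next_retrieval` are this example's own.

```python
# Added example (not from the draft or the thread): a stdlib-only model of the
# Relying Party side of the ETA/RTA scheme discussed above. It encodes two rules
# the comments argue for: exactly one ETA EE certificate is valid at any instant,
# and the RP re-fetches the ETA's CRL and CMS object no later than
# min(CRL nextUpdate, ETA EE notAfter). All certificates, CRLs and timestamps
# below are constructed; no real X.509/CMS parsing or signature checking is done.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List

UTC = timezone.utc


def ts(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


@dataclass(frozen=True)
class EECert:
    """The fields of an ETA EE certificate that matter for this model."""
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    """The ETA's CRL: its validity window plus the serials it lists as revoked."""
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]


class TrustAnchorError(Exception):
    """Raised when the ETA's published material cannot be used at time `now`."""


def valid_ee_certs(certs: Iterable[EECert], crl: CRL, now: datetime) -> List[EECert]:
    """Every ETA EE cert that is inside its validity period and not on the CRL."""
    if now < crl.this_update:
        raise TrustAnchorError("CRL thisUpdate is in the future")
    return [c for c in certs
            if c.not_before <= now <= c.not_after and c.serial not in crl.revoked]


def select_ee_cert(certs: Iterable[EECert], crl: CRL, now: datetime) -> EECert:
    """Return the one ETA EE cert whose key is used to verify the CMS object.

    Zero candidates means the RP holds stale or missing material; more than one
    means the ETA re-issued without revoking the predecessor. Either way the RP
    must refuse rather than guess which key to trust."""
    candidates = valid_ee_certs(certs, crl, now)
    if len(candidates) != 1:
        raise TrustAnchorError(
            f"expected exactly one valid ETA EE cert, found {len(candidates)}")
    return candidates[0]


def next_retrieval(crl: CRL, ee: EECert, now: datetime) -> datetime:
    """Deadline for the RP's next fetch of the ETA's CRL and CMS object.

    The fetch must happen no less frequently than the CRL nextUpdate and before
    the EE cert expires, so the deadline is whichever comes first. Revocation is
    not a separate trigger: the RP only learns of it from the CRL it fetches at
    this deadline, and by then the new CMS object is published alongside it."""
    deadline = min(crl.next_update, ee.not_after)
    if deadline <= now:
        raise TrustAnchorError("ETA material already stale; fetch immediately")
    return deadline


# Constructed ETA history: cert 1 is succeeded by cert 2 with no overlap.
ETA_EE_CERTS = (
    EECert(1, ts("2010-01-01 00:00"), ts("2010-06-30 23:59")),
    EECert(2, ts("2010-07-01 00:00"), ts("2010-12-31 23:59")),
)
# Constructed early re-issue: cert 3 overlaps cert 1, so the ETA must revoke 1.
EARLY_REISSUE = EECert(3, ts("2010-05-01 00:00"), ts("2010-10-31 23:59"))


def demo() -> None:
    # Mid-life: the CRL's nextUpdate comes before the EE cert expires.
    crl = CRL(ts("2010-03-01 00:00"), ts("2010-03-02 00:00"), frozenset())
    now = ts("2010-03-01 12:00")
    ee = select_ee_cert(ETA_EE_CERTS, crl, now)
    print(f"{now}: use EE serial {ee.serial}, refetch by {next_retrieval(crl, ee, now)}")

    # Near expiry: the EE cert's notAfter comes before the CRL's nextUpdate.
    crl = CRL(ts("2010-06-30 00:00"), ts("2010-07-02 00:00"), frozenset())
    now = ts("2010-06-30 20:00")
    ee = select_ee_cert(ETA_EE_CERTS, crl, now)
    print(f"{now}: use EE serial {ee.serial}, refetch by {next_retrieval(crl, ee, now)}")

    # Early re-issue without revocation: two valid EE certs, which is an error.
    certs = ETA_EE_CERTS + (EARLY_REISSUE,)
    now = ts("2010-05-01 12:00")
    crl = CRL(ts("2010-05-01 00:00"), ts("2010-05-02 00:00"), frozenset())
    try:
        select_ee_cert(certs, crl, now)
    except TrustAnchorError as exc:
        print(f"{now}: rejected: {exc}")

    # Same instant, but the CRL revokes cert 1: cert 3 is the single valid one.
    crl = CRL(ts("2010-05-01 00:00"), ts("2010-05-02 00:00"), frozenset({1}))
    print(f"{now}: use EE serial {select_ee_cert(certs, crl, now).serial}")


if __name__ == "__main__":
    demo()
```

Run it directly to see the four scenarios. The overlapping-certificate case shows why the "only one valid EE cert at any moment" rule has to be stated in the draft: without it an RP has no principled way to choose between two unexpired, unrevoked ETA EE certificates, and the CRL is the only instrument the ETA has to resolve that ambiguity.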