Hi,

Here are some comments on the document; some reflect the conflict that Robert mentioned about being more clear that only one EE ETA cert is valid at any particular time, some are typos.

Roque.

--------------------

2.1.  A Compound Trust Anchor Structure

         The ETA issues a CRL and one EE certificate.

(Roque) I believe it needs to be explained that more than one ETA EE cert may be issued during the life-time of the ETA CA however at any particular moment there is only one valid EE cert.

4.2.  RPKI Trust Anchor Object Validation

   2.  Use the public key in the EE certificate to verify the
       signature on the RTA Trust Anchor Object.

(Roque) s/EE certificate/ETA EE certificate


      *  Each time an RTA certificate is re-issued, or prior to the
         expiration of the ETA EE certificate, the ETA generates a
         Cryptographic Message Syntax (CMS) [RFC3852] signed-data
         object, the payload of which is an RTA certificate.

(Roque) If the ETA EE cert validity period is identical to the RTA validity period as stated in a previous bullet, the second condition ("prior to the expiration of the ETA EE certificate") would be the same as in the following section: "If a trust anchor chooses to reissue its RTA certificate before the expiration of that certificate."


5.  Relying Party use of Trust Anchor Material

      *  The ETA's CRL and CMS objects are retrieved from the
         publication point referenced by the SIA in the ETA certificate.

(Roque) s/CMS objects/CMS object

   Relying Parties SHOULD perform this retrieval and validation
   operation at intervals no less frequent than the nextUpdate time of
   the published ETA CRL, and SHOULD perform the retrieval operation
   prior to the expiration of the ETA EE certificate, or upon revocation
   of the ETA EE certificate.

(Roque) If the retrieval operation is for both the CRL and the CMS, I do not understand the last sentence, because the RP is not aware of the revocation until it has retrieved the CRL, and at that time it already has the new CMS. So, I would:
        s/, or upon revocation of the ETA EE certificate//

--------------------

-------------------------------------------------------------
Roque Gagliano
LACNIC
ro...@lacnic.net
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
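The scheduling point raised above (retrieve no less frequently than the CRL's nextUpdate and before the ETA EE certificate expires, with revocation only becoming visible to the RP once the new CRL is fetched) can be modelled in a few lines. The following is an added illustration, not code from the draft, from the mailing list, or from any RPKI implementation; the class and function names, and the certificate serials and dates, are constructed for the example. Signature verification of the CMS object is deliberately out of scope here; only the retrieval schedule and the "one valid ETA EE certificate at a time" condition are modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical minimal models of the ETA EE certificate and the ETA CRL
# (constructed for this example; field names are assumptions).
@dataclass(frozen=True)
class EtaEeCert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class EtaCrl:
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

def valid_ee_certs(certs, crl, now):
    """ETA EE certs the RP considers valid at `now`, judged against the
    CRL it currently holds: inside the validity window and not revoked."""
    return [c for c in certs
            if c.not_before <= now < c.not_after
            and c.serial not in crl.revoked_serials]

def next_retrieval_deadline(crl, ee_cert):
    """Section 5 schedule: the RP must fetch the CRL and CMS object again no
    later than the CRL's nextUpdate and before the ETA EE cert expires."""
    return min(crl.next_update, ee_cert.not_after)

def retrieval_due(now, crl, ee_cert):
    """True when the RP's local material is stale and a fetch is required."""
    return now >= next_retrieval_deadline(crl, ee_cert)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: the ETA reissues its EE cert (serial 2) while the
# previous one (serial 1) is still within its validity window, and publishes
# a new CRL listing serial 1 so that only one EE cert is valid at any moment.
CERT_OLD = EtaEeCert(serial=1, not_before=utc(2024, 1, 1), not_after=utc(2024, 7, 1))
CERT_NEW = EtaEeCert(serial=2, not_before=utc(2024, 6, 1), not_after=utc(2025, 1, 1))
CRL_STALE = EtaCrl(utc(2024, 5, 1), utc(2024, 6, 1), frozenset())
CRL_FRESH = EtaCrl(utc(2024, 6, 1), utc(2024, 7, 1), frozenset({1}))
ALL_CERTS = (CERT_OLD, CERT_NEW)

if __name__ == "__main__":
    now = utc(2024, 6, 15)
    # With the stale CRL the RP still sees both certs as valid: it cannot
    # learn of the revocation until it fetches the new CRL.
    print([c.serial for c in valid_ee_certs(ALL_CERTS, CRL_STALE, now)])
    print(retrieval_due(now, CRL_STALE, CERT_OLD))
    # After the fetch, exactly one ETA EE cert is valid.
    print([c.serial for c in valid_ee_certs(ALL_CERTS, CRL_FRESH, now)])
    print(next_retrieval_deadline(CRL_FRESH, CERT_NEW))
```

Run as a script, the stale CRL yields two valid certificates and a retrieval that is already due, while the fresh CRL yields only serial 2 and a next deadline of 2024-07-01 (the CRL's nextUpdate, which here falls before the new certificate's expiry).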