On Jun 27, 2014, at 8:53 PM, Randy Bush <ra...@psg.com> wrote:

> [ you omitted the as number in your discussion, but ca needs a so it
> knows which AS signs. luckily bgpsec-pki-profiles does have it in the
> pkcs#10 subject ]

That's a good point. Actually, bgpsec-pki-profiles does NOT have it in the PKCS#10 subject. bgpsec-pki-profiles gives a list of exceptions to the PKCS#10 defined in RFC6487, but the exceptions do not include the AS number. I had forgotten (if I ever noted) that the PKCS#10 profile in RFC6487 does not include the number resources. So we need to come up with a way to get the AS number to the CA, also.

>> 4 We could change the "the value of this field SHOULD be empty" text
>> in RFC6487 to add an exception for router certs. That would allow the
>> PKCS#10 subject name to be non-empty so it could carry the router ID
>> in the subject name.
>
> that's a, b, and k. the ca has all it needs. yummy.

We don't yet have the "a" part of this. Work to be done.

> so, imiho, 1 and 3 are not viable. 2 and 4 are viable, but 4 requires
> less work and invention than 2.

Except for the point you made about the AS number.

--Sandy, speaking as regular ol' member
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr