One question that comes up when reading this document. Now that we've
removed the dependency between Origin Validation and Path Validation but
are expecting them to run in parallel with some shared components, do we
need to discuss how BGPSec cert rollover interacts with Origin Validation
cert rollover, possibly giving hints to what a combined rollover process
looks like? Are we expecting that they should be done at the same time, or
that they should NOT be done at the same time, or does it just not matter?
For example, if it's better to have the rolls done separately, then
probably some guidance about the expiry times not lining up might be good.
It's conceivable that if you're doing an emergency roll on account of
compromised keys, you might be doing both at once, regardless of whether
it's a good idea normally, so I think we need to highlight any gotchas
that may be present. Maybe this belongs in the ops doc?

Thanks,

Wes



On 3/6/15, 7:43 PM, "internet-dra...@ietf.org" <internet-dra...@ietf.org>
wrote:

>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
> This draft is a work item of the Secure Inter-Domain Routing Working
>Group of the IETF.
>
>        Title           : BGPSEC Router Certificate Rollover
>        Authors         : Roque Gagliano
>                          Keyur Patel
>                          Brian Weis
>       Filename        : draft-ietf-sidr-bgpsec-rollover-03.txt
>       Pages           : 15
>       Date            : 2015-03-06
>
>Abstract:
>   BGPSEC will need to address the impact from regular and emergency
>   rollover processes for the BGPSEC End-Entity (EE) certificates that
>   will be performed by Certificate Authorities (CAs) participating at
>   the Resource Public Key Infrastructure (RPKI).  Rollovers of BGPSEC
>   EE certificates must be carefully managed in order to synchronize
>   distribution of router public keys and the usage of those public keys
>   by BGPSEC routers.  This document provides general recommendations
>   for that process, as well as describing reasons why the rollover of
>   BGPSEC EE certificates might be necessary.
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-rollover/
>
>There's also a htmlized version available at:
>http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-03
>
>A diff from the previous version is available at:
>http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-rollover-03
>
>
>Please note that it may take a couple of minutes from the time of
>submission until the htmlized version and diff are available at
>tools.ietf.org.
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
>_______________________________________________
>sidr mailing list
>sidr@ietf.org
>https://www.ietf.org/mailman/listinfo/sidr

