author | Rob Austein <sra@hactrn.net> | 2008-03-24 19:24:12 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2008-03-24 19:24:12 +0000 |
commit | 738be12e5fdf4a89e25f7e4d65b8dd07cf693e05 (patch) | |
tree | aabccbf2accec4cb9a10ce0c985d8f271343da72 | |
parent | 38621998c155e5e220cdb2ab760de5fdf7b04703 (diff) |
Post-IETF notes
svn path=/rpkid/README; revision=1561
-rw-r--r-- | rpkid/README | 29 |
1 files changed, 16 insertions, 13 deletions
diff --git a/rpkid/README b/rpkid/README index df7aba33..0ed4c7ba 100644 --- a/rpkid/README +++ b/rpkid/README @@ -302,6 +302,11 @@ TO DO: certs instead of a single TA, but this is mostly just generalization and reuse of existing code, no bold new adventures. + Discussion in Philadelphia revealed that this is not yet a done + deal. Housley, RobK, and I all seem to be on the same page, and we + think that what we're proposing will make sense to APNIC once we + explain it properly, but overall we have not yet converged. + PRIORITY: Required (security issue) TIME REQUIRED: One week. @@ -312,19 +317,17 @@ TO DO: STATUS: Not started -- rcynic handling of RPKI trust anchors probably needs updating. - Discussions over last N months of how RPKI trust anchors work, how - we package them, and how we roll them over. The last (TA rollover) - is the driver for this. - - Last I recall (need to check email archives) APNIC had proposed a - relatively simple format (CMS signed PEM-encoded X.509 object set, - or something like that). Need to do analysis to make sure this is - adaquate for our needs, if so just use it. This would involve minor - changes to rcynic. - - Alternatively, this could be a separate program to keep this grot - out of rcynic itself, but that's probably a usability nightmare. +- rcynic handling of RPKI trust anchors needs updating. Discussions + over last N months of how RPKI trust anchors work, how we package + them, and how we roll them over. The last (TA rollover) is the + driver for this. + + APNIC has apparently moved on from their proposal to use CMS-signed + OpenSSL "PEM" format, they're now proposing a CMS-signed ASN.1 + SEQUENCE OF something. Precise details of APNIC's new model not yet + known. Need to do analysis to make sure this is adaquate for our + needs, if so just use it. This would involve minor changes to + rcynic. PRIORITY: Required (usability issue for relying parties) |
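Review bot: in the first hunk (the TA item at @@ -302,6 +302,11 @@), the added paragraph records that the trust-anchor design "is not yet a done deal" and that "overall we have not yet converged", but the unchanged context still reads "PRIORITY: Required (security issue)" and "TIME REQUIRED: One week." A one-week estimate presumes a settled design; consider adding a line noting that the estimate depends on converging with APNIC (and on the agreement with Housley and RobK mentioned in the new text) so a reader of the TO DO list does not take the week as firm. Also, "Discussion in Philadelphia" only makes sense with the commit message ("Post-IETF notes") in hand; naming the meeting in the README itself would keep the note self-contained.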
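Review bot: in the second hunk (the rcynic item at @@ -312,19 +317,17 @@), the spelling error "adaquate" in the removed text is carried over verbatim into the rewritten paragraph ("Need to do analysis to make sure this is adaquate for our needs"); since the line is being rewritten anyway, change it to "adequate". Separately, the old text's last paragraph ("Alternatively, this could be a separate program to keep this grot out of rcynic itself, but that's probably a usability nightmare") is dropped without replacement; if that alternative has been rejected, one sentence saying so would preserve the decision record, otherwise keep it, because the new text commits to "minor changes to rcynic" while also saying the details of APNIC's new CMS-signed "ASN.1 SEQUENCE OF something" format are not yet known.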