Last Call Review of draft-ietf-sidr-cp-

Request Review of draft-ietf-sidr-cp
Requested rev. no specific revision (document currently at 17)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-02-21
Requested 2011-02-16
Authors Derrick Kong, Ronald Watro, Karen Seo, Stephen Kent
Draft last updated 2011-02-22
Completed reviews Secdir Last Call review of -?? by Paul Hoffman
Assignment Reviewer Paul Hoffman 
State Completed
Review review-ietf-sidr-cp-secdir-lc-hoffman-2011-02-22
Review completed: 2011-02-22


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes a certificate policy for Internet number resource holdings; basically, this is proposed to be the CP for the routing PKI being proposed in the SIDR WG. As such, it is a bunch of minutiae that relying parties are supposed to care about, but will mostly accept blindly. This document is closely modeled after RFC 3647, the CP that is the framework for most CPs we see in the PKIX world.

The security considerations listed in the document seem fine. They call out the fact that names are not unique in the RPKI (as if they were in the normal PKIX world...), so that relying parties must not rely just on the names for chaining, but must also be sure the expected signing key is used as well. This document could have a zillion more security considerations aimed at relying parties that don't pay careful attention, but such text would likely be ignored by the same parties who ignore the main CP text. Thus, this document is fine as-is.

--Paul Hoffman