Hi,
We've had an APNIC internal workshop last week on resource certification,
looking at what we will be working on over the coming months and how this
can mesh in with related activities across the RIRs.
We like to propose a number of specific topics for discussion in meeting at
Tallinn. It may not take the entire time, but in trying to nominate agenda
topics in advance we would like to think that it could help in structuring
our common efforts at this stage.
So we'd like to propose the following agenda items:
1. The IR-ISP Protocol
There have been some changes to this protocol in January and again in
March and its not clear what is the definitive spec at this stage. It
would be good to be able to reach closure on this spec so that we can
implement against it, and we'd like to see if we can achieve that at
this meeting.
We'd like to propose taking the following spec:
http://mirin.apnic.net/resourcecerts/wiki/index.php/IR-ISP_Definition_%28RobL%27s_Fork%29
and consider some simplifying assumptions that might be useful for
implementation of version 1 of this protocol. The changes proposed
attempt to conclude some of the current outstanding issues with the
protocol and also proposing punting some issues relating to potential
support for resource trading models that might rely on certificate
behaviours to potential subsequent version of this protoco.
The specific changes proposed are:
a) promote the header attributes to be attributes of the <message />
b) include a required "type" attribute of the <message />
c) remove explicit enumeration of resources in the certificate issuance
request for version=1 of this spec
d) redefine the meaning the resource_set_* attributes of the class
field of the resource class list response to be the complete set of
resources that the issuer could certify for the subject at this point in
time
e) redefine the meaning the resource_set_* attributes of the cert
field of the resource class list response to be the set of resources
certified in this certificate
f) add a new request / response where the ISP requests a copy of the
certificate issued to this ISP identified by the previously supplied
url in the resouce class list response.
g) remove the "terminology" section
h) remove the Asynchronous (Off-line) Key Signing Operation section
i) we'd like to propose that there is no "auto-issue" explicit control
and the normative behavior that the issuer will auto-issue certs
in the event of resource shrinkage, resource allocation, and issuer key
rollover.
2. The Left-Right Protocol
As this is an internal protocol we'd like to propose that no common
specification for this protocol is required, and the protocol used to
communicate between the module of the certificate system and the
associated databases are a matter for the implementation to determine.
3. Review of the Resource Certificate draft
We'd like to put this document forward as finished, so there are a
number of items we'd like to discuss to see if we are all ok with this:
a) the subject name and subject alt name fields are a matter for the
issuer to determine and the CPS to specify. In the context of the
APNIC work we are looking at a CPS that specifies that the Subject
name is a hex representation of a large number that is unique per
customer and the Subject Alt Name is not present, but that does not
necessarily bind other issuers to the same name policy.
b) the SIA value is not necessarily unique and two or more CAs can
specify the same SIA
4. Review of Work / Plans
We have been undertaking some internal planning here and are happy to
report on where we are up to and what we are looking at undertaking in
terms of system development work in APNIC in the next 3 - 6 months.
What other topics should we be talking about that should be included on the
agenda for this meeting?
regards,
George, Rob and Geoff
