SEND Certificate Profile: draft-krishnan-cgaext-send-cert-eku-02
Suresh Krishnan, Ana Kukec, Khaja Ahmed

Presentation transcript:

1 SEND Certificate Profile
draft-krishnan-cgaext-send-cert-eku-02
Suresh Krishnan, Ana Kukec, Khaja Ahmed

2 Scope of the document
Suresh Krishnan | csi wg | SEND Certificate Profile | 2008-11-19
- SEND uses X.509v3 certificates defined in RFC3280
- RFC3280 is generic and hence does not define any SEND specific information
- We need additional specification to nail down SEND specific certificate information

3 What’s wrong with -02
- The draft tried to define a completely new certificate profile
- Related work had been taking place in the sidr working group for routing certificates
  - The work in sidr is far ahead and well reviewed
- Draft received substantial comments from the Security area folks
  - Thanks to Steve Kent, Sandy Murphy, Richard Barnes and Tim Polk
- After discussion with these folks we realized that the RPKI certs can be used for SEND purposes

4 Way forward
- The authors will submit a new revision of the document
  - This will use the RPKI certs as defined in draft-ietf-sidr-res-certs-15
- Define the EKUs required for SEND inside the RPKI certs
- Specify how to use the revocation information in SEND

5 Obstacles going forward
- RPKI is not deployed
  - Work is ongoing in the RIRs to start giving out RPKI certs for their address blocks
  - SEND certs based on RPKI will work locally even if there is no RPKI deployed
  - One kind of certificate for both downstream and upstream usage makes router implementations simpler
- RPKI certs do not allow EKUs
  - Sidr will work on not prohibiting EKUs in the RPKI certs
  - We can define EKUs required for SEND in this document

6 Obstacles going forward (2)
- RPKI uses CRLs for revocation
  - CRLs can get pretty large
  - Large CRLs lead to fragmentation of ND messages
    - This is undesirable
  - PKIX experts have assured us that CRLs will be small in properly defined systems
- The document will not address the case where CRLs are large enough

7 Next Steps
- Submit a new revision of the document
- Adopt as wg item
- Start investigating changes to SEND procedures

8 Questions?
Thank You

9 Extended Key Usage
- The Internet PKI document [RFC3280] specifies the extended key usage X.509 certificate extension.
- The extension indicates one or more purposes for which the certified public key may be used.
- The extended key usage extension can be used in conjunction with key usage extension, which indicates the intended purpose of the certified public key.
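
The check a relying party performs on the extension described in slide 9, as an added example that is not part of the slides or the draft: it decodes a DER-encoded extended key usage value and applies the RFC 3280 rule that, when the extension is present, the intended purpose must be listed. The slides do not give the SEND EKU OIDs, so `SEND_EKU_PLACEHOLDER` (under the 2.999 example arc), the function names, and the `accept_any` / `require_eku` policy switches are assumptions.

```python
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage (RFC 3280)
SEND_EKU_PLACEHOLDER = "2.999.1"    # hypothetical stand-in; not a real SEND OID

def read_tlv(buf, pos):             # returns (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:         # indefinite or oversized lengths are not DER here
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):               # OBJECT IDENTIFIER contents -> dotted string
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:              # base-128 digits; high bit clear ends an arc
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(map(str, (*head, *arcs[1:])))

def parse_eku(der):                 # SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der) or not body:
        raise ValueError("expected one non-empty SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids

def purpose_allowed(eku_der, wanted, accept_any=False, require_eku=True):
    if eku_der is None:             # extension absent: the profile's policy decides
        return not require_eku
    oids = parse_eku(eku_der)
    return wanted in oids or (accept_any and ANY_EKU in oids)

# Constructed sample value: EKU listing id-kp-serverAuth and the placeholder OID.
SAMPLE_EKU = bytes.fromhex("300f06082b060105050703010603883701")
```

Key usage is a separate extension and has to be checked independently of this result; a certificate is acceptable only for a purpose consistent with both.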

