- 918 Spring Knoll Drive
+ 516 Dranesville RoadHerndonVA20170
@@ -137,7 +137,7 @@
is needed.
@@ -145,7 +145,7 @@
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-| Type = 8 | Payload Length | New Key Type |
+| Type = 9 | Payload Length | New Key Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Key Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
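Review bot: The Type value in the first row of the diagram is a wire-format change, and nothing in the hunk tells implementers so: a peer built from the earlier text and still sending Type = 8 will no longer be read as sending NEWKEY. Suggest a sentence near the diagram, or a change-log entry, recording that the code moved from 8 to 9, and a check that no prose outside these hunks still refers to NEWKEY as type 8.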
@@ -187,7 +187,8 @@
OPEN PDU, as it can not be verified against any authority. Hence it
is jokingly referred to as Married On First Date. The assurance it
does provide is that subsequent signed PDUs are from the same peer.
- And data integrity is a positive side effect of the signature.
+ And data integrity is a positive side effect of the signature
+ covering the payload.
The PKI-based method offers assurance that the certificate, and
hence the keying material, provided in the OPEN PDU are authorized
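Review bot: "covering the payload" in the added lines leaves open whether the signature also covers the PDU header fields (Type and Payload Length, as drawn in the NEWKEY diagram). If those fields are outside the signed data, the integrity claim holds for the payload only, so the text should state the exact signed range or point to the section that defines it. The sentence also still opens with "And"; it would read better joined to the previous sentence.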
@@ -196,7 +197,7 @@
the same as in the TOFU method.With the PKI-based method, automated device provisioning could
- restrict which subsidiary certificates were allowed from which peers
+ restrict which subsidiary certificates are allowed from which peers
on a per interface basis. This would complicate key rolls. Where
one draws the line between rigidity, flexibility, and security
varies.
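Review bot: "This would complicate key rolls" in the trailing context is asserted without saying how, and the tense fix above it does not address that. Suggest one sentence on what provisioning has to do before a roll when the allowed subsidiary certificates are pinned per peer and interface, for example admitting the new certificate alongside the old one for the duration of the roll. "per interface basis" also wants a hyphen: "per-interface basis".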
@@ -215,7 +216,7 @@
PDU
Code PDU Name
---- -------------------
- 8 NEWKEY
+ 9 NEWKEY
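Review bot: Code 8 is left unaccounted for by the change to the NEWKEY row: the row now agrees with Type = 9 in the diagram, but the visible lines do not show which PDU, if any, holds 8. Check that the table has neither a duplicate 9 nor an unexplained gap at 8, and if 8 is no longer used, list it explicitly as reserved or reassigned.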