--- 1/draft-ietf-hip-cert-06.txt	2011-01-12 15:28:33.000000000 +0100
+++ 2/draft-ietf-hip-cert-07.txt	2011-01-12 15:28:33.000000000 +0100
@@ -1,21 +1,21 @@
 
 Host Identity Protocol                                              Heer
 Internet-Draft                           Distributed Systems Group, RWTH
 Intended status: Experimental                          Aachen University
-Expires: May 23, 2011                                           Varjonen
+Expires: July 16, 2011                                          Varjonen
                                       Helsinki Institute for Information
                                                               Technology
-                                                       November 19, 2010
+                                                        January 12, 2011
 
                   Host Identity Protocol Certificates
-                         draft-ietf-hip-cert-06
+                         draft-ietf-hip-cert-07
 
 Abstract
 
    The CERT parameter is a container for X.509.v3 certificates and
    Simple Public Key Infrastructure (SPKI) certificates.  It is used for
    carrying these certificates in Host Identity Protocol (HIP) control
    packets.  This document specifies the certificate parameter and the
    error signaling in case of a failed verification.  Additionally, this
    document specifies the representations of Host Identity Tags in
    X.509.v3 and SPKI certificates.
@@ -44,25 +44,25 @@
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt.
 
    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.
 
-   This Internet-Draft will expire on May 23, 2011.
+   This Internet-Draft will expire on July 16, 2011.
 
 Copyright Notice
 
-   Copyright (c) 2010 IETF Trust and the persons identified as the
+   Copyright (c) 2011 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
    carefully, as they describe your rights and restrictions with respect
    to this document.  Code Components extracted from this document must
    include Simplified BSD License text as described in Section 4.e of
    the Trust Legal Provisions and are provided without warranty as
@@ -208,21 +208,21 @@
    RECOMMENDED to use the FQDN/NAI from the hosts HOST_ID parameter in
    the DN if one exists.  The full HIs are presented in the public key
    entries of X.509.v3 certificates.
 
    The following examples illustrate how HITs are presented as issuer
    and subject in the DN and in the X.509.v3 extension alternative
    names.
 
        Format of DN:
            Issuer: CN=hit-of-issuer
-           Subject: CN=hit-of-issuer
+           Subject: CN=hit-of-subject
 
        Example DN:
            Issuer: CN=2001:14:6cf:fae7:bb79:bf78:7d64:c056
            Subject: CN=2001:1c:5a14:26de:a07c:385b:de35:60e3
 
        Format of X509v3 extensions:
            X509v3 Issuer Alternative Name:
                IP Address:hit-of-issuer
            X509v3 Subject Alternative Name:
                IP Address:hit-of-subject
@@ -329,29 +329,20 @@
 8.  Security Considerations
 
    Certificate grouping allows the certificates to be sent in multiple
    consecutive packets.  This might allow similar attacks as IP-layer
    fragmentation allows, for example sending of fragments in wrong order
    and skipping some fragments to delay or stall packet processing by
    the victim in order to use resources (e.g.  CPU or memory).  Hence,
    hosts SHOULD implement mechanisms to discard certificate groups with
    outstanding certificates if state space is scarce.
 
-   It is NOT RECOMMENDED to use grouping or hash and URL encodings when
-   HIP aware middleboxes are anticipated to be present on the
-   communication path between peers because fetching remote certificates
-   require the middlebox to buffer the packets and to request remote
-   data.  This makes these devices prone to denial of service (DoS)
-   attacks.  Moreover, middleboxes and responders that request remote
-   certificates could be used as deflectors for distributed denial of
-   service attacks.
-
 9.  Acknowledgements
 
    The authors would like to thank A. Keranen, D. Mattes, M. Komu and T.
    Henderson for the fruitful conversations on the subject.  D. Mattes
    most notably contributed the non-HIP aware use case in Section 3.
 
 10.  References
 
 10.1.  Normative References
 
@@ -397,43 +388,43 @@
 
 Appendix A.  SPKI certificate example
 
    This section shows a SPKI certificate with encoded HITs.  The example
    has been indented for readability.
 
    (sequence
      (public_key
        (rsa-pkcs1-sha1
          (e #010001#)
-         (n |uV7M1dl7OcJCPnlJrX8MvQ8SmE6wne5idnp7VfDMolestu
-             JqvB69z3UwlVuSr3VVaQvDSA+15BUweYkis/1+UVnSDdcS
-             XUTz6AUTH1tPifoebYPp4s+9XG/vAh7I25pImjW4uL6Jvq
-             vI3WBE36wBt3Zmq12hpdA8jSIE1CRZYA8=|
+         (n |yDwznOwX0w+zvQbpWoTnfWrUPLKW2NFrpXbsIcH/QBSLb
+             k1RKTZhLasFwvtSHAjqh220W8gRiQAGIqKplyrDEqSrJp
+             OdIsHIQ8BQhJAyILWA1Sa6f5wAnWozDfgdXoKLNdT8ZNB
+             mzluPiw4ozc78p6MHElH75Hm3yHaWxT+s83M=|
          )
        )
      )
      (cert
        (issuer
-         (hash hit 2001:001e:d709:1980:5c6a:bb0c:7650:a027)
+           (hash hit 2001:15:2453:698a:9aa:253a:dcb5:981e)
        )
        (subject
-         (hash hit 2001:001c:5a14:26de:a07c:385b:de35:60e3)
+           (hash hit 2001:12:ccd6:4715:72a3:2ab1:77e4:4acc)
        )
-       (not-before "2010-06-22_16:40:47")
-       (not-after "2010-07-02_16:40:47")
+         (not-before "2011-01-12_13:43:09")
+         (not-after "2011-01-22_13:43:09")
      )
      (signature
-       (hash sha1 |+UzjNn5+bXo3aMZQNGGtapKdlFAA|)
-       |Fhioyxi0mpHa2aq2ofhotsauYyDuCa45mMAQ+yTEGOzcc1K+Prx
-        +O6kFecKxl+Cwz9qXEI6a/zfAnZqLj18yvszM1D/tH+W3RKl2LW
-        +lASsCDKXOi9ObNx+Dwzj3YlHABPxt4gGk0XVadEMXfCPDqiLF+
-        zMR9fW5/OaJ+vRwhKs=|
+         (hash sha1 |h5fC8HUMATTtK0cjYqIgeN3HCIMA|)
+         |u8NTRutINI/AeeZgN6bngjvjYPtVahvY7MhGfenTpT7MCgBy
+         NoZglqH5Cy2vH6LrQFYWx0MjWoYwHKimEuBKCNd4TK6hrCyAI
+         CIDJAZ70TyKXgONwDNWPOmcc3lFmsih8ezkoBseFWHqRGISIm
+         MLdeaMciP4lVfxPY2AQKdMrBc=|
      )
    )
 
 Appendix B.  X.509.v3 certificate example
 
    This section shows a X.509.v3 certificate with encoded HITs.
 
    Certificate:
        Data:
            Version: 3 (0x2)
@@ -530,20 +521,29 @@
    o  Added reference to the IPv6 colon delimited presentation format.
 
    o  Small editorial changes.
 
    Changes from version 05 to 06:
 
    o  Editorial changes.
 
    o  Unified the example in Section 3.
 
+   Changes from version 06 to 07:
+
+   o  Editorial changes.
+
+   o  Removed a the second paragraph in section 8.
+
+   o  Changed the example in Appendix A (Cert created without the
+      leading zeroes in HITs).
+
 Authors' Addresses
 
    Tobias Heer
    Distributed Systems Group, RWTH Aachen University
    Ahornstrasse 55
    Aachen
    Germany
 
    Phone: +49 241 80 214 36
    Email: heer@cs.rwth-aachen.de