--- 1/draft-ietf-hip-rfc6253-bis-02.txt 2015-07-27 02:15:09.058751870 -0700 +++ 2/draft-ietf-hip-rfc6253-bis-03.txt 2015-07-27 02:15:09.086752551 -0700 @@ -1,19 +1,19 @@ Host Identity Protocol Heer Internet-Draft Hirschmann Automation and Control Intended status: Standards Track Varjonen -Expires: December 31, 2015 University of Helsinki - June 29, 2015 +Expires: January 28, 2016 University of Helsinki + July 27, 2015 Host Identity Protocol Certificates - draft-ietf-hip-rfc6253-bis-02 + draft-ietf-hip-rfc6253-bis-03 Abstract The Certificate (CERT) parameter is a container for digital certificates. It is used for carrying these certificates in Host Identity Protocol (HIP) control packets. This document specifies the certificate parameter and the error signaling in case of a failed verification. Additionally, this document specifies the representations of Host Identity Tags in X.509 version 3 (v3) and Simple Public Key Infrastructure (SPKI) certificates. 
@@ -35,21 +35,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 31, 2015. + This Internet-Draft will expire on January 28, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect 
@@ -196,21 +196,21 @@ Distinguished Name (DN) encodings (7 and 8) are represented by the string representation of the certificate's subject DN as defined in [RFC4514]. Using the DN encoding results in smaller HIP control packets, but requires the receiver to retrieve the certificate or check a local cache against the DN. 3. X.509 v3 Certificate Object and Host Identities If needed, HITs can represent an issuer, a subject, or both in X.509 - v3. HITs are represented as IPv6 addresses as defined in [RFC4843]. + v3. HITs are represented as IPv6 addresses as defined in [RFC7343]. When the Host Identifier (HI) is used to sign the certificate, the respective HIT SHOULD be placed into the Issuer Alternative Name (IAN) extension using the GeneralName form iPAddress as defined in [RFC5280]. When the certificate is issued for a HIP host, identified by a HIT and HI, the respective HIT SHOULD be placed into the Subject Alternative Name (SAN) extension using the GeneralName form iPAddress, and the full HI is presented as the subject's public key info as defined in [RFC5280]. The following examples illustrate how HITs are presented as issuer 
@@ -219,21 +219,21 @@ Format of X509v3 extensions: X509v3 Issuer Alternative Name: IP Address:hit-of-issuer X509v3 Subject Alternative Name: IP Address:hit-of-subject Example X509v3 extensions: X509v3 Issuer Alternative Name: IP Address:2001:24:6cf:fae7:bb79:bf78:7d64:c056 X509v3 Subject Alternative Name: - IP Address:2001:2C:5a14:26de:a07c:385b:de35:60e3 + IP Address:2001:2c:5a14:26de:a07c:385b:de35:60e3 Appendix B shows a full example X.509 v3 certificate with HIP content. As another example, consider a managed Public Key Infrastructure (PKI) environment in which the peers have certificates that are anchored in (potentially different) managed trust chains. In this scenario, the certificates issued to HIP hosts are signed by intermediate Certification Authorities (CAs) up to a root CA. In this example, the managed PKI environment is neither HIP aware, nor 
@@ -296,35 +296,22 @@ INVALID_CERTIFICATE 50 Sent in response to a failed verification of a certificate. Notification Data MAY contain n groups of 2 octets (n calculated from the NOTIFICATION parameter length), in order Cert group and Cert ID of the CERT parameter that caused the failure. 7. IANA Considerations - This document defines the CERT parameter for the Host Identity - Protocol [RFC7401]. This parameter is defined in Section 2 with type - 768. The parameter type number is also defined in [RFC7401]. - - The CERT parameter has an 8-bit unsigned integer field for different - certificate types, for which IANA is to create and maintain a new - sub-registry entitled "HIP certificate types" under the "Host - Identity Protocol (HIP) Parameters". Initial values for the - Certificate type registry are given in Section 2. New values for the - Certificate types from the unassigned space are assigned through IETF - Review. - - In Section 6, this document defines two new types for the "NOTIFY - message types" sub-registry under "Host Identity Protocol (HIP) - Parameters". + As this document replaces [RFC6253], references to [RFC6253] in IANA + registries have to be replaced by references to this document. 8. Security Considerations Certificate grouping allows the certificates to be sent in multiple consecutive packets. This might allow similar attacks, as IP-layer fragmentation allows, for example, the sending of fragments in the wrong order and skipping some fragments to delay or stall packet processing by the victim in order to use resources (e.g., CPU or memory). Hence, hosts SHOULD implement mechanisms to discard certificate groups with outstanding certificates if state space is 
@@ -365,20 +352,29 @@ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010. + [RFC6253] Heer, T. and S. Varjonen, "Host Identity Protocol + Certificates", RFC 6253, DOI 10.17487/RFC6253, May 2011, + . + + [RFC7343] Laganier, J. and F. Dupont, "An IPv6 Prefix for Overlay + Routable Cryptographic Hash Identifiers Version 2 + (ORCHIDv2)", RFC 7343, DOI 10.17487/RFC7343, September + 2014, . + [RFC7401] Moskowitz, R., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, April 2015. [X.690] ITU-T, , "Recommendation X.690 (2002) | ISO/IEC 8825-1:2002, Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", July 2002.
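Review bot: In the third hunk (Section 3, "HITs are represented as IPv6 addresses as defined in"), the swap from [RFC4843] to [RFC7343] is the right reference, since RFC 7343 (ORCHIDv2) obsoletes RFC 4843 and moves the HIT prefix to 2001:20::/28, and the example HITs in the next hunk (2001:24:... and 2001:2c:...) already fall inside that prefix. The references hunk, however, only adds the [RFC7343] entry and does not remove [RFC4843]; if this was the last citation of RFC 4843, its entry in the references section should be dropped as well, otherwise the draft carries an unreferenced entry.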
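Review bot: In the fourth hunk (example X509v3 extensions), lowering "2001:2C:..." to "2001:2c:..." is the correct fix: RFC 5952 requires lowercase hexadecimal in the text representation of IPv6 addresses, and the issuer example on the preceding line already uses lowercase. Since the same text points to Appendix B for the full example certificate, the HITs printed there should be checked for the same case so that the two examples stay consistent.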
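Review bot: In the fifth hunk (Section 7, IANA Considerations), the replacement sentence drops every concrete instruction that the removed text carried: the CERT parameter type value 768 in the HIP Parameters registry, the "HIP certificate types" sub-registry with its initial values from Section 2 and its "IETF Review" assignment policy, and the two NOTIFY message types from Section 6. "references to [RFC6253] in IANA registries have to be replaced by references to this document" does not tell IANA which entries those are, and a bis document that obsoletes RFC 6253 should still state the registration policy for new certificate types. Suggest keeping the replacement sentence but listing the affected registries and entries explicitly, e.g. "IANA is requested to update the reference for parameter type 768, the HIP Certificate Types sub-registry, and NOTIFY types 50 and 51 from [RFC6253] to this document", and retaining the "IETF Review" policy statement.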
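Review bot: In the sixth hunk (references), both new entries end with a dangling ", ." after the date ("May 2011, ." and "2014, ."), which indicates that the URL that normally follows the DOI in this reference style was lost or never filled in; either supply the URL or drop the trailing comma. The new entries also use the DOI-bearing style while the surrounding [RFC5280], [RFC5996] and [RFC7401] entries do not; pick one style for the whole list. A pre-existing nit visible in the context lines: the [X.690] entry reads "ITU-T, ," with a doubled comma.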