On Wed, Nov 1, 2017 at 10:12 AM, Mark Kosters <[email protected]> wrote:
> Hi Andrew
>
> That was a good question – one that merited a bit of research on our part.
> Here’s what we have.
>
> Yes, ROAs cannot be created with dates past the expiration of the hosted
> certificate.

[snip]

Arbitrary certificate churning or expiration based on the age of credentials that have not been compromised, and the associated maintenance cost, is a good reason to avoid adopting RPKI in the first place.

Is there any adequate justification for why they don't simply use an arbitrary value of 100 or 200 years, or an infinite expiration period, for all the certs, in place of the arbitrary value of 10? So unless keys need to be manually revoked for valid security reasons, there should be no unnecessary certificate churn.

Also, if you want the ROAs to be good for a reasonable length of time, that implies you'll need a renewal of the hosted cert every year you make new ROAs. E.g. to make ROAs valid for 9+ years, you're also then needing to renew the hosted cert every year to keep its expiration a sufficient number of years ahead in the future.

--
-Jimmy
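The constraint discussed in this thread (a ROA's end date cannot exceed the notAfter of the hosted certificate it is issued under) and its knock-on effect on how often the hosted certificate must be reissued can be modelled with a few lines of date arithmetic. The following is an added example, not code from the post or from ARIN's hosted RPKI service; the certificate dates, the prefix 192.0.2.0/24 and AS64496 are constructed sample values, and `renewal_schedule` simply reissues the hosted certificate on the first issue date whose ROA would not fit under the current one.

```python
"""Model of the ROA-vs-hosted-certificate validity constraint (added example).

Assumptions (not from the thread): a hosted certificate is renewed on the same
day a ROA is issued if that ROA would otherwise outlive the certificate, and
calendar years are added with a Feb-29 fallback to Feb-28.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class HostedCert:
    not_before: date
    not_after: date


@dataclass(frozen=True)
class RoaRequest:
    prefix: str       # constructed sample value, e.g. "192.0.2.0/24"
    asn: int          # constructed sample value, e.g. 64496
    not_after: date   # desired end of the ROA's validity


def add_years(d: date, years: int) -> date:
    """Add whole years to a date; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def roa_allowed(cert: HostedCert, req: RoaRequest, today: date) -> bool:
    """A ROA may only be created under a still-valid hosted cert and may not
    end later than that cert's notAfter (the rule quoted in the thread)."""
    cert_valid_today = cert.not_before <= today < cert.not_after
    return cert_valid_today and req.not_after <= cert.not_after


def clamp_roa_end(cert: HostedCert, req: RoaRequest) -> date:
    """The latest end date the hosted cert permits for this ROA request."""
    return min(req.not_after, cert.not_after)


def renewal_schedule(cert_lifetime_years: int,
                     roa_validity_years: int,
                     issue_dates: list[date]) -> list[date]:
    """Return the dates on which the hosted cert must be (re)issued so that a
    ROA of roa_validity_years issued on each date fits under it.

    The first issue date always gets a fresh cert; afterwards the cert is
    renewed only when the next ROA's end date would exceed its notAfter.
    """
    renewals: list[date] = []
    cert_not_after: date | None = None
    for issued_on in sorted(issue_dates):
        roa_end = add_years(issued_on, roa_validity_years)
        if cert_not_after is None or roa_end > cert_not_after:
            cert_not_after = add_years(issued_on, cert_lifetime_years)
            renewals.append(issued_on)
    return renewals


if __name__ == "__main__":
    # Constructed scenario: 10-year hosted cert, 9-year ROAs issued every January.
    cert = HostedCert(date(2018, 1, 1), date(2028, 1, 1))
    req = RoaRequest("192.0.2.0/24", 64496, date(2029, 1, 1))
    print("allowed:", roa_allowed(cert, req, date(2018, 6, 1)))
    print("clamped end:", clamp_roa_end(cert, req))
    yearly = [date(2018 + i, 1, 1) for i in range(10)]
    print("cert renewals:", renewal_schedule(10, 9, yearly))
```

With a 10-year certificate and 9-year ROAs the schedule comes out at every second year; shortening the certificate lifetime or lengthening the ROAs pushes the cadence toward the yearly renewal the post describes, which is the churn being objected to.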
_______________________________________________
arin-tech-discuss mailing list
[email protected]
http://lists.arin.net/mailman/listinfo/arin-tech-discuss
