Dear Randy,

On Mon, May 21, 2018 at 01:02:24PM -0700, Randy Bush wrote:
> > me and Job Snijders have recently submitted
> > draft-ss-grow-rpki-as-cones-00, which discusses AS-Cones, an attempt
> > to bring as-sets into RPKI to facilitate route filtering.
> 
> in irr, an as-set may reference an as-set.  could you explain the
> authority model you have for this when as-sets are signed?

My initial thinking for RPKI AS Cones is that a given Cone in an ASN's
namespace can only be defined by the owner of the ASN in whose namespace
the Cone is defined. If a reference is included to another Cone residing
in someone else's namespace, a provisioning system can follow the
reference and verify that the referenced Cone is defined by the ASN
whose namespace that cone resides in.

AS Cone Certificates are EE Certificates. 

The draft needs a ton of work to properly communicate to implementers
what goes where. I am a novice when it comes to the X.509 / PKIX /
ASN.1.

Kind regards,

Job

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
