You have to state quite clearly WHO IS SIGNING. When you define a signed object in RPKI, the critical question is the PKI validation question: what meaning is applied to the RPKI resources associated with the signature which validates the object.

You haven't stated anywhere what is in the signing EE certificate, or whose certificate it is. Clearly, in context, it's the ASN which "owns" the cone, so the EE certificate has to consist of the RFC 3779 list of ASNs which say "I am the owner". As I said at a microphone at least once, semantically I think you have a problem, because I believe the customer ASNs are the ones who give authority to you to be placed into a cone, but we disagree there. Syntactically, I think you really need specific language to state that the signer is the ASN constructing the cone, not the ASN inside the cone object.

-George

On Fri, Sep 7, 2018 at 9:48 PM <[email protected]> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Global Routing Operations WG of the IETF.
>
>         Title           : RPKI Autonomous Systems Cones: A Profile To Define Sets of Autonomous Systems Numbers To Facilitate BGP Filtering
>         Authors         : Job Snijders
>                           Massimiliano Stucchi
>         Filename        : draft-ietf-grow-rpki-as-cones-00.txt
>         Pages           : 8
>         Date            : 2018-09-07
>
> Abstract:
>    This document describes a way to define groups of Autonomous System
>    numbers in RPKI [RFC6480].  We call them AS-Cones.  AS-Cones provide
>    a mechanism to be used by operators for filtering BGP-4 [RFC4271]
>    announcements.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-grow-rpki-as-cones/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-grow-rpki-as-cones-00
> https://datatracker.ietf.org/doc/html/draft-ietf-grow-rpki-as-cones-00
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
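The validation step at issue in the message above, as an added example (this is not code from the draft, from George, or from any relying-party implementation): decode the RFC 3779 ASIdentifiers extension carried by the EE certificate and check that the AS which constructs the cone is inside the signer's AS resources. The AS-Cone object is stood in for by a dict with assumed keys `owner` (the AS constructing the cone) and `members` (the ASNs inside it); the draft's actual encoding is not reproduced. The DER sample input is constructed inline with a small encoder, using documentation ASNs.

```python
"""Which AS does an RPKI EE certificate attest, and is it the AS that
builds the AS-Cone?  Added example, not code from the draft or from any
relying-party tool.  The cone is modelled as a dict with assumed keys
'owner' (the AS constructing the cone) and 'members' (ASNs inside it);
the draft's own encoding is not reproduced here."""

ASNUM_TAG = 0xA0   # [0] EXPLICIT asnum
RDI_TAG = 0xA1     # [1] EXPLICIT rdi (RFC 6487 forbids it in RPKI certificates)
SEQ, INT, NULL = 0x30, 0x02, 0x05


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _members(body: bytes):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def parse_as_identifiers(ext_value: bytes):
    """Decode an RFC 3779 ASIdentifiers value (the extnValue contents).

    Returns a list of inclusive (min, max) AS ranges, or the string
    'inherit' when the certificate inherits its AS resources from the
    issuer.  ASIds are non-negative, so unsigned decoding is safe."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != SEQ:
        raise ValueError("ASIdentifiers must be a SEQUENCE")
    ranges = []
    for ctag, cval in _members(body):
        if ctag == RDI_TAG:
            raise ValueError("rdi present: not permitted in RPKI certificates")
        if ctag != ASNUM_TAG:
            raise ValueError(f"unexpected tag {ctag:#x} in ASIdentifiers")
        itag, ival, _ = _read_tlv(cval, 0)
        if itag == NULL:
            return "inherit"
        if itag != SEQ:
            raise ValueError("ASIdentifierChoice must be NULL or SEQUENCE")
        for etag, ebody in _members(ival):
            if etag == INT:                                   # single ASId
                asn = int.from_bytes(ebody, "big")
                ranges.append((asn, asn))
            elif etag == SEQ:                                 # ASRange {min, max}
                lo, hi = (int.from_bytes(v, "big") for _, v in _members(ebody))
                ranges.append((lo, hi))
            else:
                raise ValueError(f"bad ASIdOrRange tag {etag:#x}")
    return ranges


def as_covered(ranges, asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in ranges)


def cone_signer_is_owner(cone: dict, ee_as_ext: bytes) -> bool:
    """The check the profile needs to spell out: the object validates only
    if the AS *constructing* the cone is within the EE certificate's AS
    resources.  Whether the member ASNs are covered is irrelevant."""
    ranges = parse_as_identifiers(ee_as_ext)
    if ranges == "inherit":
        raise ValueError("EE cert inherits AS resources; resolve against the issuer first")
    return as_covered(ranges, cone["owner"])


def covered_members(cone: dict, ee_as_ext: bytes) -> list:
    """Diagnostic only: which member ASNs the signer also holds."""
    ranges = parse_as_identifiers(ee_as_ext)
    if ranges == "inherit":
        return []
    return [a for a in cone["members"] if as_covered(ranges, a)]


# --- constructed sample input: a tiny DER encoder for ASIdentifiers ---

def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) >= 128:
        raise ValueError("short-form length only in this encoder")
    return bytes([tag, len(body)]) + body


def _der_int(n: int) -> bytes:
    # minimal two's-complement encoding; adds the 0x00 pad when the high bit is set
    return _tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_as_identifiers(ranges) -> bytes:
    """Encode asnum [0] only (constructed test data for parse_as_identifiers)."""
    items = b"".join(
        _der_int(lo) if lo == hi else _tlv(SEQ, _der_int(lo) + _der_int(hi))
        for lo, hi in ranges)
    return _tlv(SEQ, _tlv(ASNUM_TAG, _tlv(SEQ, items)))


if __name__ == "__main__":
    cone = {"owner": 64496, "members": [64497, 64498]}      # constructed, documentation ASNs
    owner_cert = encode_as_identifiers([(64496, 64496)])
    member_cert = encode_as_identifiers([(64497, 64498)])    # signed by a member, not the owner
    print(cone_signer_is_owner(cone, owner_cert))    # True
    print(cone_signer_is_owner(cone, member_cert))   # False
```

In a real relying party the bytes handed to `parse_as_identifiers` come from the EE certificate's extension with OID 1.3.6.1.5.5.7.1.8 (id-pe-autonomousSysIds), and only after the certificate chain and the CMS signature over the object have been validated; this example covers just the resource check that follows, and the second call in the usage block shows the failure mode George raises: a certificate holding only member ASNs must not validate the cone.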
