>     <reference anchor="HOWTO" 
> target="https://sobornost.net/~job/using_geofeed_authenticators.txt";>
>       <front>
>         <title>Example on how to use rpki-client to authenticate a signed 
> Geofeed</title>
>         <author fullname="Job Snijders"/>
>         <date month="September" year="2023" />
>       </front>
>     </reference>

thanks

>>> In section 5 it is unclear why RPKI-RTA and RFC 9323 are compared to
>>> each other in a subjective manner about perceived complexity.
>> 
>> a *comparison* was not intended, and i don't see it there.
> 
> Ah, ok. For both RSC and RTA distinct properties are listed such as
> "applicable in long run", "usable", "complex code"; if no comparison is
> intended I'd just remove the two paragraphs about RTA & RSC.

we seem to be at cross-purposes here.  the point was not comparison at
all.  never has been.  the point is two illustrations of signing.

> 1/ the new EE certificate uses an 'inherit' element in its RFC3779
>    extension, but section 5 disallows the use of 'inherit' in EEs.

sigh.  russ?

> 2/ given that the example EE was refreshed in -01, the example
>    Base64-encoded CMS signature (page 24) also must be refreshed.

russ?

> 3/ might be good to suggest the use of one-time-use EE certs, perhaps:
> 
>    The CA MUST sign only one Geofeed with each generated private key and
>    MUST generate a new key pair for each new version of the Geofeed. An
>    associated EE certificate used in this fashion is termed a
>    "one-time-use" EE certificate (see Section 3 of [RFC6487]).

MUST is not "suggest."  perhaps SHOULD?

randy

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
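Item 1 above boils down to a check a verifier has to make on the signing EE certificate: does its RFC 3779 IP address extension use the `inherit` choice (which the thread says section 5 of the draft forbids for EEs) or does it carry explicit prefixes or ranges? The following is an added example, not code from the draft, from rpki-client or from anyone in this thread: a minimal decoder in Python for the DER content of an `IPAddrBlocks` extension that reports the choice per address family and lists any `inherit` violations. The DER samples are constructed for this example, and the input is assumed to be the `extnValue` OCTET STRING contents already extracted from the certificate with a real X.509 parser.

```python
import ipaddress

# --- Constructed sample RFC 3779 IPAddrBlocks extension values (DER).
# Hand-built for this example; not taken from the draft's EE certificate.

# AFI 1 (IPv4) with ipAddressChoice = inherit (ASN.1 NULL)
INHERIT_V4 = bytes.fromhex("3008" "3006" "04020001" "0500")

# AFI 1 (IPv4) with the explicit prefix 192.0.2.0/24 (BIT STRING, 0 unused bits)
EXPLICIT_V4 = bytes.fromhex("300e" "300c" "04020001" "3006" "030400c00002")

# AFI 1 (IPv4) with the explicit range 192.0.2.0-192.0.2.255 (min/max BIT STRINGs)
RANGE_V4 = bytes.fromhex(
    "3016" "3014" "04020001" "300e" "300c" "030400c00002" "030400c00002")

# IPv4 inherit plus IPv6 explicit 2001:db8::/32 in one extension
MIXED = bytes.fromhex(
    "3017"
    "3006" "04020001" "0500"
    "300d" "04020002" "3007" "03050020010db8")


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _bits_to_addr(afi, bits, fill_ones=False):
    """Turn an RFC 3779 IPAddress BIT STRING into an address.
    bits[0] is the DER unused-bit count.  Missing bits are 0 for a prefix or
    the low end of a range, and 1 for the high end of a range."""
    unused, body = bits[0], bytearray(bits[1:])
    if fill_ones and unused and body:
        body[-1] |= (1 << unused) - 1
    size = 4 if afi == 1 else 16
    body = bytes(body) + (b"\xff" if fill_ones else b"\x00") * (size - len(body))
    return ipaddress.IPv4Address(body) if afi == 1 else ipaddress.IPv6Address(body)


def parse_ip_addr_blocks(ext_value):
    """Parse the DER content of an RFC 3779 IPAddrBlocks extension.
    Returns one {'afi', 'inherit', 'entries'} dict per IPAddressFamily."""
    outer_tag, outer, _ = _read_tlv(ext_value, 0)
    if outer_tag != 0x30:
        raise ValueError("IPAddrBlocks must be a SEQUENCE")
    families = []
    for fam_tag, fam in _iter_tlvs(outer):
        if fam_tag != 0x30:
            raise ValueError("IPAddressFamily must be a SEQUENCE")
        (afi_tag, afi_bytes), (choice_tag, choice) = list(_iter_tlvs(fam))[:2]
        if afi_tag != 0x04:
            raise ValueError("addressFamily must be an OCTET STRING")
        afi = int.from_bytes(afi_bytes[:2], "big")   # optional SAFI byte ignored here
        entry = {"afi": afi, "inherit": False, "entries": []}
        if choice_tag == 0x05:                        # NULL -> inherit
            entry["inherit"] = True
        elif choice_tag == 0x30:                      # SEQUENCE OF IPAddressOrRange
            for tag, val in _iter_tlvs(choice):
                if tag == 0x03:                       # addressPrefix
                    plen = (len(val) - 1) * 8 - val[0]
                    entry["entries"].append(f"{_bits_to_addr(afi, val)}/{plen}")
                elif tag == 0x30:                     # addressRange {min, max}
                    (_, lo), (_, hi) = list(_iter_tlvs(val))[:2]
                    entry["entries"].append(
                        f"{_bits_to_addr(afi, lo)}-{_bits_to_addr(afi, hi, fill_ones=True)}")
                else:
                    raise ValueError(f"unexpected tag {tag:#x} in addressesOrRanges")
        else:
            raise ValueError(f"unexpected ipAddressChoice tag {choice_tag:#x}")
        families.append(entry)
    return families


def inherit_violations(ext_value):
    """AFIs whose ipAddressChoice is 'inherit'.  Under the rule discussed in this
    thread (no 'inherit' in the signing EE certificate), a non-empty result means
    the certificate fails the check."""
    return [f["afi"] for f in parse_ip_addr_blocks(ext_value) if f["inherit"]]


if __name__ == "__main__":
    for name, der in (("INHERIT_V4", INHERIT_V4), ("EXPLICIT_V4", EXPLICIT_V4),
                      ("RANGE_V4", RANGE_V4), ("MIXED", MIXED)):
        print(name, parse_ip_addr_blocks(der), "violations:", inherit_violations(der))
```

The decoder only walks the `IPAddrBlocks` structure; it does not validate the certificate otherwise (signature, path, canonical ordering of prefixes) and ignores a SAFI byte if one is present, so treat it as the one extra check to bolt onto a full RPKI validator rather than a validator in itself.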