Valery:

> Hi Russ,
>
>>>>> The Certification Authority (CA)
>>>>> The CA MUST generate a new End Entity (EE) certificate for each signing of a
>>>>> particular prefixlen file. The private key associated with the
>>>>> EE certificate SHOULD sign only one prefixlen file. That is,
>>>>> a new key pair SHOULD be generated
>>>>> for each new version of a particular prefixlen file.
>>>>> The EE certificate used in this fashion is termed a "one-time-use"
>>>>> EE certificate (see Section 3 of [RFC6487]).
>>>>
>>>> I am not sure what more to say...
>>>
>>> We obviously disagree that with the current "SHOULDs" this can be
>>> generally termed as "one-time-use of EE certificate" (at least in my reading
>>> of RFC 6487).
>>>
>>> But since this is only a remark, I can see it as a nit, not as an issue.
>>>
>>> Thank you for the explanation.
>>
>> If the SHOULDs are followed, then the EE private key is "one-time-use".
>
> Sure. But "if" here is a critical part. If this "if" were in the text, then I
> would not have had any problems with it.
I suggest:

    The Certification Authority (CA)

    The CA MUST generate a new End Entity (EE) certificate for each signing of a
    particular prefixlen file. The private key associated with the EE certificate
    SHOULD sign only one prefixlen file. That is, a new key pair SHOULD be generated
    for each new version of a particular prefixlen file. When the EE certificate is
    used in this fashion, it is termed a "one-time-use" EE certificate (see
    Section 3 of [RFC6487]).

Russ

_______________________________________________
OPSAWG mailing list
