Hi Russ,

> >>> The Certification Authority (CA) The CA MUST
> >>> generate a new End Entity (EE) certificate for each signing of a
> >>> particular prefixlen file. The private key associated with the
> >>> EE certificate SHOULD sign only one prefixlen file. That is,
> >>> a new key pair SHOULD be generated
> >>> for each new version of a particular prefixlen file.
> >>> The EE certificate used in this fashion is termed a "one-time-use"
> >>> EE certificate (see Section 3 of [RFC6487]).
> >>
> >> I am not sure what more to say...
> >
> > We obviously disagree that with the current "SHOULDs" this can be
> > generally termed as "one-time-use of EE certificate" (at least in my reading
> > of RFC 6487).
> >
> > But since this is only a remark, I can see it as a nit, not as an issue.
> >
> > Thank you for the explanation.
>
> If the SHOULDs are followed, then the EE private key is "one-time-use".

Sure. But "if" here is a critical part. If this "if" were in the text,
then I would not have had any problems with it.

Regards,
Valery.

> Russ

_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
