a friend has asked me about the possibility of DoS of a CA pushing
random dren to a publication point; e.g. rsc signed kernel binaries,
etc.

obviously, it would have been unwise for the 8181 publication protocol
to enumerate the allowed objects, or it would need to be updated every
time the ietf sausage machine defined a new object (router key, aspa,
etc.)

but 8181 does provide for error handling.  it seems obvious that a
publisher reject a request to publish an object other than a formally
correct rpki object.  e.g. it should not accept the kernel blob.

interestingly, we do not have a document enumerating formal rpki signed
objects.

    https://www.iana.org/assignments/rpki/rpki.xhtml#signed-objects

is missing a few, e.g. certificates, crls.  i have taken this up with
the powers that be.

randy
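As an added example (not from the message above, nor from any publication server's code), a Python shape check a publisher could run on the base64 content of an RFC 8181 publish element before accepting it: it rejects anything that is not a single DER CMS SignedData whose eContentType is in the IANA signed-objects registry linked above (a kernel blob fails on the first byte), cross-checks that type against the URI extension, and gives certificates and CRLs only an outer-SEQUENCE check. Assumed: the OID table is transcribed from the registry; the ROA-shaped wrapper and ELF header below are constructed for the example and carry no real signature or content.

```python
import base64

SIGNED_DATA = "1.2.840.113549.1.7.2"
# eContentType OID (IANA RPKI signed-objects registry) -> expected URI extension
RPKI_TYPES = {"1.2.840.113549.1.9.16.1.24": "roa", "1.2.840.113549.1.9.16.1.26": "mft",
              "1.2.840.113549.1.9.16.1.35": "gbr", "1.2.840.113549.1.9.16.1.48": "sig",
              "1.2.840.113549.1.9.16.1.49": "asa"}
def der_tlv(buf, pos=0):  # one definite-length DER TLV -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("DER length overruns buffer")
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):      # DER OID content octets -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))
def econtent_type(der):   # ContentInfo -> [0] SignedData -> encapContentInfo.eContentType
    tag, ci, end = der_tlv(der)
    if tag != 0x30 or end != len(der): raise ValueError("not a single DER SEQUENCE")
    tag, oid, pos = der_tlv(ci)
    if tag != 0x06 or decode_oid(oid) != SIGNED_DATA: raise ValueError("not id-signedData")
    _, sd, _ = der_tlv(der_tlv(ci, pos)[1])      # unwrap [0] EXPLICIT, then SEQUENCE
    _, _, pos = der_tlv(sd)                       # skip version
    _, _, pos = der_tlv(sd, pos)                  # skip digestAlgorithms
    tag, oid, _ = der_tlv(der_tlv(sd, pos)[1])    # encapContentInfo -> eContentType
    if tag != 0x06: raise ValueError("eContentType is not an OID")
    return decode_oid(oid)
def check_publish(uri, b64):  # RFC 8181 <publish/> payload -> (accepted, reason)
    ext = uri.rsplit(".", 1)[-1].lower()
    try:
        der = base64.b64decode(b64, validate=True)
        if ext in ("cer", "crl"):              # outer SEQUENCE { SEQUENCE tbs, ... } only
            tag, body, end = der_tlv(der)
            ok = tag == 0x30 and end == len(der) and der_tlv(body)[0] == 0x30
            return ok, ext if ok else "not a DER Certificate/CertificateList"
        kind = RPKI_TYPES.get(econtent_type(der))
    except (ValueError, IndexError) as e:
        return False, "malformed object: %s" % e
    if kind != ext:
        return False, "eContentType maps to %s, URI says .%s" % (kind, ext)
    return True, kind

# Constructed samples: a skeletal ROA-shaped CMS wrapper, and the start of an ELF binary.
ROA_SHAPED = bytes.fromhex("302706092a864886f70d010702a01a301802010331003011060b2a864886f70d0109100118a0020400")
ELF_BLOB = b"\x7fELF\x02\x01\x01" + b"\x00" * 40
```

This is a structural filter only; full RFC 6488 validation (signature, EE certificate, manifest consistency) still belongs to the relying-party side and, where a publisher wants it, a real CMS library.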
