At 11:25 AM -0500 11/9/06, Sandy Murphy wrote:
>b. ROA format and content proposal
>
>Similar work, started from a different point of view.
>
>No Questions / Comments
>
>One more (this could have been an off-mike exchange, if so, sorry)
>
>Sandy Murphy: why a list of signatures?
>
>Brian Weis/Geoff Huston: with multiple trust anchors, it is possible that you might have multiple resource certificates for the same prefixes. You would need to sign the ROA with all those certificates so that it would validate no matter what trust anchor "relying parties" might use.
>
>--Sandy
This is not the way that a PKI would be expected to work, in general. A signer of data cannot in general know what TAs RPs may select, so it is not incumbent on a signer to try to provide multiple signatures to accommodate this uncertainty. In our context, a signer selects a cert that embodies the necessary authorization and uses the corresponding private key. It is up to an RP to construct a path to one of his TAs to verify the signature.
Steve
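The relying-party side of the exchange above, as an added example that is not part of the original message: one signing certificate, and each RP building its own path to whichever trust anchor it holds. All certificates, names, key ids and prefixes are constructed; signature verification is not modelled, only issuer/key chaining and RFC 3779-style resource containment.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                      # constructed stand-in for a resource certificate
    subject: str
    issuer: str
    key_id: str                  # subject key identifier
    issuer_key_id: str           # authority key identifier
    prefixes: tuple              # IP resources carried by the certificate

def covers(parent, child):
    """True if every child prefix lies inside some parent prefix."""
    pnets = [ipaddress.ip_network(p) for p in parent.prefixes]
    return all(
        any(n.version == c.version and c.subnet_of(n) for n in pnets)
        for c in map(ipaddress.ip_network, child.prefixes)
    )

def build_path(cert, pool, anchors, seen=()):
    """Depth-first search from cert up to any of the RP's own trust anchors."""
    seen = seen + (cert,)
    for ta in anchors:
        if (ta.subject, ta.key_id) == (cert.issuer, cert.issuer_key_id) and covers(ta, cert):
            return [cert, ta]
    for ca in pool:
        if ((ca.subject, ca.key_id) == (cert.issuer, cert.issuer_key_id)
                and ca not in seen and covers(ca, cert)):
            rest = build_path(ca, pool, anchors, seen)
            if rest:
                return [cert] + rest
    return None

def subjects(path):
    return [c.subject for c in path] if path else None

# Constructed sample: the same ISP key is certified under two trust anchors.
TA_A = Cert("TA-A", "TA-A", "ka", "ka", ("10.0.0.0/8",))
TA_B = Cert("TA-B", "TA-B", "kb", "kb", ("10.0.0.0/8",))
TA_C = Cert("TA-C", "TA-C", "kc", "kc", ("192.0.2.0/24",))
POOL = [Cert("ISP", "TA-A", "ki", "ka", ("10.1.0.0/16",)),
        Cert("ISP", "TA-B", "ki", "kb", ("10.1.0.0/16",))]
# The signer picks one certificate and signs once with its key.
EE = Cert("ROA-signer", "ISP", "ke", "ki", ("10.1.2.0/24",))

if __name__ == "__main__":
    for name, tas in (("RP1", [TA_A]), ("RP2", [TA_B]), ("RP3", [TA_C])):
        print(name, subjects(build_path(EE, POOL, tas)))
```
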
