The trust anchor information, describing a CA that serves as a
trust anchor, includes the following:
(1) the trusted issuer name,
(2) the trusted public key algorithm,
(3) the trusted public key,
(4) optionally, the trusted public key parameters associated with
the public key, and
(5) a resource set, consisting of a set of IPv4 resources, IPv6
resources and AS number resources.
The trust anchor information may be provided to the path processing
procedure in the form of a self-signed certificate.
I believe that regarding a TA:
- (1) is optional
- (5) is optional
- A URL for top-down chaining (practically a "starting SIA") is
useful, therefore optional.
Hmm - 1 through 4 are a direct cut and paste from RFC3280 - I don't
see the logic that turns (1) into optional here given that it is part
of the trust anchor information describing a trusted CA.
(5) is based on the implications of a resource certificate attribute
- saying you trust a given CA is fine, but in the context of a
resource PKI the statement is "I trust a CA with regard to being
authoritative to certify the following resources." Accordingly, (5)
does not appear to be optional in this context.
I note that any reference to an SIA is not present in RFC 3280 -
given that this document defines a particular profile of that
specification for use in a RPKI context, then why is a URL necessary
here in this profile, but not in the more general case as described in RFC3280?
thanks,
Geoff
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
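The following is an added illustration of the point argued in the thread, not code from the sidr discussion or from any RPKI implementation. It models the five items of trust anchor information listed in the quoted draft text and shows what a relying party can and cannot check depending on whether item (5), the resource set, is present: with a resource set, a certificate issued under the TA is accepted only if every prefix and AS number it claims lies inside that set; without one, the containment check has nothing to bound against. The issuer names, prefixes, AS numbers and key bytes are constructed sample values, and the `check_subordinate` function and its verdict strings are this example's own naming, not anything from the draft or RFC 3280.

```python
"""Added example: trust anchor information for a resource PKI and the
containment check that item (5), the resource set, makes possible.
All names, prefixes, AS numbers and key bytes below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Iterable, Optional, Tuple

ASRange = Tuple[int, int]  # inclusive (lowest, highest) AS number


@dataclass(frozen=True)
class ResourceSet:
    """Item (5): IPv4 prefixes, IPv6 prefixes and AS number ranges."""
    ipv4: Tuple[IPv4Network, ...] = ()
    ipv6: Tuple[IPv6Network, ...] = ()
    asn: Tuple[ASRange, ...] = ()

    @classmethod
    def build(cls, prefixes: Iterable[str] = (),
              asns: Iterable[ASRange] = ()) -> "ResourceSet":
        """Sort prefix strings into the v4 and v6 families; validate AS ranges."""
        v4, v6 = [], []
        for text in prefixes:
            net = ip_network(text)  # raises ValueError on a malformed prefix
            (v4 if net.version == 4 else v6).append(net)
        ranges = tuple((int(lo), int(hi)) for lo, hi in asns)
        if any(lo > hi for lo, hi in ranges):
            raise ValueError("AS range must be given as (lowest, highest)")
        return cls(tuple(v4), tuple(v6), ranges)

    def covers(self, other: "ResourceSet") -> bool:
        """True if every resource in `other` lies inside this set."""
        return (
            all(any(p.subnet_of(q) for q in self.ipv4) for p in other.ipv4)
            and all(any(p.subnet_of(q) for q in self.ipv6) for p in other.ipv6)
            and all(any(a <= lo and hi <= b for a, b in self.asn)
                    for lo, hi in other.asn)
        )


@dataclass(frozen=True)
class TrustAnchorInfo:
    """Items (1) to (5) of the trust anchor information quoted in the thread."""
    issuer_name: str                          # (1) trusted issuer name
    key_algorithm: str                        # (2) trusted public key algorithm
    public_key: bytes                         # (3) trusted public key
    key_parameters: Optional[bytes] = None    # (4) optional parameters
    resources: Optional[ResourceSet] = None   # (5) the item under discussion


def check_subordinate(ta: TrustAnchorInfo, issuer_name: str,
                      claimed: ResourceSet) -> str:
    """Relying-party check of a certificate issued directly under `ta`.

    Verdicts (this example's own vocabulary, not the draft's):
      "accepted"      issuer matches and every claimed resource is inside (5)
      "rejected"      issuer differs, or a claimed resource falls outside (5)
      "unverifiable"  the TA carries no resource set, so nothing bounds the claim
    """
    if issuer_name != ta.issuer_name:
        return "rejected"
    if ta.resources is None:
        return "unverifiable"
    return "accepted" if ta.resources.covers(claimed) else "rejected"


def demo() -> dict:
    """Constructed sample: the same TA with and without a resource set."""
    ta_resources = ResourceSet.build(
        prefixes=["192.0.2.0/24", "2001:db8::/32"], asns=[(64496, 64511)])
    key = b"<constructed key bytes>"
    ta = TrustAnchorInfo("CN=Example TA", "rsaEncryption", key, None, ta_resources)
    bare_ta = TrustAnchorInfo("CN=Example TA", "rsaEncryption", key)  # no (5)
    inside = ResourceSet.build(["192.0.2.0/25", "2001:db8:1::/48"], [(64500, 64500)])
    outside = ResourceSet.build(["198.51.100.0/24"])
    return {
        "inside": check_subordinate(ta, "CN=Example TA", inside),
        "outside": check_subordinate(ta, "CN=Example TA", outside),
        "wrong_issuer": check_subordinate(ta, "CN=Other CA", inside),
        "no_resource_set": check_subordinate(bare_ta, "CN=Example TA", inside),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "unverifiable" branch is the concrete consequence of treating (5) as optional: the relying party can still confirm the issuer and key, but it has no set against which to test the resources a subordinate certificate claims, which is exactly the authority Geoff's reading of the trust statement is about.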