> I note that any reference to an SIA is not present in RFC 3280 - given
> that this document defines a particular profile of that specification
> for use in a RPKI context, then why is a URL necessary here in this
> profile, but not in the more general case as described in RFC3280?

I think it is in the nature of the PKI. Most other PKIs know a priori where to find the certificate store, or they are provided with the cert chain with a request. "Enterprise" applications probably just know. S/MIME, HTTPS and most other internet applications provide the cert chain. I don't believe that many other PKIs have the need to retrieve all of the published objects, starting just from TA material.

I have echoes of a conversation with Steve Kent or Russ Housley playing in my head, but the closest I can come to a quote is that we appear to have one of the few useful applications of SIA. So I suspect that it just hasn't come up before.

I think that the TA material in our profile appears to be (1) through (4) that we inherit from 3280, (5) that we get from 3779, and in this profile we should probably add a (6) for the URL.... Which will be the SIA, if the TA is provided as a self-signed cert.

Alternatively, if there isn't a URL in the TA material, where do we start pulling certs from?

Rob

--
Robert Loomans
Email: [EMAIL PROTECTED]
Programmer/Analyst, APNIC
Phone: +61 7 3858 3100
http://www.apnic.net
Fax: +61 7 3858 3199

_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
