On Mon, 06 Aug 2007 17:08:14 -0400 Rob Austein <[EMAIL PROTECTED]> wrote:
> At Sun, 05 Aug 2007 11:27:01 +1000, Geoff Huston wrote: > > I don't agree with this assessment and to me ruling out the ability > > of multiple signatures on a ROA introduces the potential for undue > > levels of uncertainty in relying party validation of route objects. > > For that reason I continue to support the concept of allowing > > multiple signatures on a ROAs. > > I don't see how this follows. I still don't believe that there's any > real need for multiple signatures, because there's no good reason for > the issuer to force this mess upon its subjects. As far as I can tell > this is a non-problem to which we do not need a solution. > I can foresee plausible circumstances where even if we didn't want them, purposeful multiple signings could exist. You say above 'the issuer' but we already know that ERX has resulted in thousands of swampy fragments being distributed amongst the RIR, such that there isn't one 'issuer' to sign over any re-combined prefixes in the space. I think that a standard in ROA which didn't admit of multiple signings would be weak. I think we'd be forcing single-sign imperatives on the community before we fully understand what people expect to do in ROA, and in the litany of related signings which will exist under 3779 qualified certificates. I want there to be a good definition of what a multiple sign looks like, and I support the WG defining it. I suspect that it adds a very small amount of ASN1 'overhead' in the simple case of a single-sign, and I don't see why it causes you such a problem as a code developer. -George _______________________________________________ Sidr mailing list [email protected] https://www1.ietf.org/mailman/listinfo/sidr
