WG chair hat off
On 07/10/2008, at 10:08 AM, Rob Austein wrote:
At Tue, 7 Oct 2008 09:40:17 +1100, Geoff Huston wrote:
... I would argue (again) that the specification should be
complete and provide appropriate guidance to implementors for all
situations where interoperability is required, and this case, although
not common, has been visible in the routing table already and will
likely be visible in the routing table in future. Given that this does
not define a new signature standard for CMS, nor a major change in the
logic of ROA processing I do not see that this adds any undue
complexity to implementations and has the benefit of covering the full
range of anticipated use cases for ROAs in their application to
signing route origination.
It adds a requirement that the validator, rather than doing a "simple"
tree walk, must now attempt to trace multiple paths through the tree
in order to check the signatures on the ROA.
Rather than a single check that the single certificate in the
<certificates> field of the Signed Data type is valid this becomes an
iterative loop that invokes the validation procedure for each
certificate in the <certificates> field of the Signed Data type.
Failure at any stage is failure of the validation procedure. So far I'm
not seeing complexity.
Rather than a single pass through step 1 of the algorithm specified in
section 3 of the draft there is a loop for each SignerInfo instance in
the CMS. Again I'm not seeing complexity here.
Step 2 of that process is also repeated for each EE certificate rather
than a single call.
Step 3 requires that the IP addresses in the collection of the EE
certificates be merged into a single set before the "encompass" test
is performed. Without specifying the algorithm in detail here, I cannot
see that this is a complex piece of code.
Step 4 is repeated for each EE certificate, as noted above. Again I'm
not seeing complexity here.
This adds quite a bit of complexity to the validation process,
If one assumes that iterative loops are complex then I could readily
agree with this assertion. But I've never found them complex myself.
Geoff
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
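
The multi-signer flow discussed in this message, as an added example that is not part of the original e-mail or of the draft: every EE certificate is checked in a loop, any failure fails the ROA, and the certificates' address blocks are merged before the "encompass" test. The `EECert` type, its `path_valid` and `sig_valid` flags (standing in for certificate and SignerInfo checks performed elsewhere) and the sample prefixes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EECert:  # hypothetical stand-in for one EE certificate in the CMS
    name: str
    resources: list   # IP address blocks held by the certificate
    path_valid: bool  # assumed outcome of certificate validation, done elsewhere
    sig_valid: bool   # assumed outcome of this signer's SignerInfo check

def merged_resources(certs):
    """Union of every EE certificate's blocks, collapsed per IP version."""
    nets = {4: [], 6: []}
    for cert in certs:
        for block in cert.resources:
            net = ipaddress.ip_network(block)
            nets[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}

def encompassed(prefix, merged):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(block) for block in merged[net.version])

def validate_roa(roa_prefixes, certs):
    """Return (ok, reason); a failure at any stage fails the whole ROA."""
    if not certs:
        return False, "no EE certificates"
    for cert in certs:  # one pass per certificate instead of a single check
        if not cert.path_valid:
            return False, f"{cert.name}: certificate validation failed"
        if not cert.sig_valid:
            return False, f"{cert.name}: signature check failed"
    merged = merged_resources(certs)  # merge first, then test
    for prefix in roa_prefixes:
        if not encompassed(prefix, merged):
            return False, f"{prefix}: not encompassed by merged EE resources"
    return True, "ok"

# Constructed sample: two EE certificates, each holding half of a /24.
CERT_A = EECert("ee-a", ["192.0.2.0/25"], True, True)
CERT_B = EECert("ee-b", ["192.0.2.128/25"], True, True)

if __name__ == "__main__":
    print(validate_roa(["192.0.2.0/24"], [CERT_A, CERT_B]))
    print(validate_roa(["192.0.2.0/24"], [CERT_A]))
```

The /24 validates only against the merged set: neither certificate's /25 encompasses it on its own.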