Stephen Kent wrote:
However, I worry that we need to tightly restrict which RPSL data can be
validated using an RPKI cert. My concern is that it would be easy for
folks to misinterpret the extent of what an RPKI cert attests to, and
thus accord signed RPSL data more trust than it deserves. I also worry
that using RPKI certs for this purpose might cause folks to want to have
Subject names be meaningful, not arbitrary, as now required by our
specs. So, if Robert is comfortable with imposing these sorts of
constraints, I think it appropriate to make this a work item.

Section (2) of the draft says:

"2. Meaning of a signature

   By signing an RPSL object, the signer of the object expresses that:

   o they have the right to use the resource that the object refers to
     (ie. found as the primary key or in some other field of the
     object);

   o ..."

So in fact I already restrict the usage to only those types of objects that
have something to do with actual number resources (i.e. this excludes person
objects). I'd be less comfortable to state *in this document* that the
certificate subject names should not be meaningful; I'd defer that to the
higher level documents such as the certificate profile and architecture
documents. However, since this is only redundancy, not a new requirement,
I'm not specifically against this.
Robert