At 3:19 PM -0500 11/7/09, Curtis Villamizar wrote:
> In message <[email protected]>
> Larry Blunk writes:
>
>> It's my understanding (please correct me if I'm wrong)
>> that by issuing a CA-Cert a provider is
>> not only giving the customer authority to register their own
>> ROAs, but to also issue ROAs or CA-Certs for
>> customers of the customer (and so on). I suspect many providers would
>> be reluctant to grant this level of authority over the PA space
>> they have assigned.
>
> And the CA-Cert is not revokable?
>
> Curtis

Yes, the CA cert can be revoked.
Also, if we wanted to provide the ISP with additional controls, there
is a cert path length as part of the basic constraints extension that
is in the RPKI profile (although the path length field is currently
deprecated). This field allows an issuer to restrict the issuance of
CA certs below the CA certs that it issued.
Steve
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
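
The path length control mentioned in the reply above, as an added example that is not part of the original thread: a Python model of the path length steps of RFC 5280 path validation, showing how a pathLenConstraint of 0 on a customer's CA cert permits the customer's own end-entity certs but rejects a CA cert issued further down. The certificate names (RIR, ISP, Customer, SubCustomer) and the `Cert` structure are constructed for illustration; signatures, resource extensions and revocation are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None means absent

def check_path_length(path: List[Cert]) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor; path[-1] is the cert being validated."""
    max_path_length = len(path)
    for cert in path[:-1]:           # every cert except the last acts as an issuer
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:      # self-issued certs are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: exceeds path length limit"
            max_path_length -= 1
        # A pathLenConstraint can only tighten the remaining budget, never widen it.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"

# Constructed sample chain: the ISP issues the customer a CA cert with pathLen 0.
ISP = Cert("ISP", "RIR", is_ca=True)
CUSTOMER = Cert("Customer", "ISP", is_ca=True, path_len=0)

# The customer signs its own end-entity cert (e.g. for a ROA): accepted.
DIRECT = [ISP, CUSTOMER, Cert("Customer-EE", "Customer", is_ca=False)]

# The customer issues a CA cert to its own customer, who then signs an EE cert.
DELEGATED = [
    ISP,
    CUSTOMER,
    Cert("SubCustomer", "Customer", is_ca=True),
    Cert("SubCustomer-EE", "SubCustomer", is_ca=False),
]

if __name__ == "__main__":
    print("direct:   ", check_path_length(DIRECT))
    print("delegated:", check_path_length(DELEGATED))
```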