Not wanting to put words in his mouth, I believe Steve has said that the manifest, or something very similar in terms of a formally signed statement of what IS in a repository, as opposed to a CRL as a mechanism to deprecate what should NOT be in a repository, was a concept raised during early phases of X509 design, and dropped for various reasons. So, there is some sense that this is a general purpose, useful thing, and in that context, I am attracted to generalizing words around it in SIDR drafts, so that should it become more common in other PKI contexts, there is good support for it from tools.
Therefore, I think it would be best to remove strong normative requirements for RFC3779 extensions in EE certificates from the manifest, unless there is a clear reason relating to RPKI facing context, in which case it would be nice to find words which make it plain that an OID, or Version, or some other reference clarifies why the RPKI Manifest Certificate has mandatory elements which a more general manifest might not have. Maybe a mechanism like tying the OID of the certificate used to an OID in the Manifest itself, so that its clear the certificates context defines why 3779 is relevant? Thats a reasonably low-level cost in ASN.1. -George _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
