Folks,
In explaining the differences between the new TA proposal and the
compound TA proposal to a staff member, I realized that there is
another (perhaps minor) difference that I failed to include in my
analysis last week.
The new (simple) TA proposal requires each RP to fetch the trust
anchor (the self-signed cert) to make sure that the RP has the
current version re the 3779 resources contained therein. I don't
recall that Sam's I-D specified how frequently an RP should (SHOULD?)
perform this fetch. The simple, safe answer might be to perform the
fetch every time the RP does a tree walk to gather new certs, CRLs,
etc.
In the compound TA mode the ETA is constant for a very long period
(indicated by the validity interval in the self-signed cert). The CMS
blob that contains the RTA is fetched (presumably as part of the tree
walk), and verified using the (single-use?) EE cert contained in the
blob, to obtain the up-to-date TA for RPKI cert validation. Thios is
essentially the same sort of operation we have to do for other CMS
blobs (e.g., ROAs and manifests), except in terms of what we do with
the content.
Not sure if anyone cares about this difference, but I thought I would
mention it for completeness.
Steve
P.S. I accidentally sent this to the secdir list first. Whoops.
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
