hi Stephen,

> 
> The security requirement for CRLs in the RPKI is that the key used to verify 
> the CRL has to be the same as the key used to verify certs issued by the CA 
> in question. Adding the CRDLP URI to the CRL would minimize the likelihood of 
> a non-malicious name collision, but it is not a secure basis for deciding 
> whether an RP is using the "right" CRL.
> 

In order to verify this point, do you agree with adding the AKI check to the
certificate validation section to certify that the cert and the CRL were
signed by the same key?

I believe it is the most reasonable suggestion on the table.

Roque.

> Steve
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
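
The check discussed in this message, as an added example that is not part of the original thread: a relying party accepts a CRL for a certificate only if both carry the same AKI and both signatures verify under the same CA key. It assumes the Python `cryptography` package and uses EC keys for brevity; all names and sample objects are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample data: every CA below uses the same issuer name (a name collision).
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-ca")])
EE_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-ee")])
NOW = datetime.datetime(2024, 1, 1)
DAY = datetime.timedelta(days=1)

def aki_for(key):
    # AKI derived from the hash of the issuer's public key.
    return x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key())

def make_cert(ca_key):
    ee_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(EE_NAME).issuer_name(CA_NAME)
            .public_key(ee_key.public_key()).serial_number(2)
            .not_valid_before(NOW).not_valid_after(NOW + 30 * DAY)
            .add_extension(aki_for(ca_key), critical=False)
            .sign(ca_key, hashes.SHA256()))

def make_crl(signing_key, aki_key=None):
    # aki_key lets the sample CRL claim a key other than the one that signed it.
    return (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
            .last_update(NOW).next_update(NOW + DAY)
            .add_extension(aki_for(aki_key or signing_key), critical=False)
            .sign(signing_key, hashes.SHA256()))

def key_id(obj):
    ext = obj.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
    return ext.value.key_identifier

def same_issuing_key(cert, crl, ca_public_key):
    """True only if cert and CRL name the same AKI and both verify under ca_public_key."""
    if key_id(cert) != key_id(crl):
        return False  # identifiers differ: CRL belongs to another key
    if not crl.is_signature_valid(ca_public_key):
        return False  # AKI is only a hint; the signature is the actual proof
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True
```

The AKI comparison filters out a CRL from a different CA with a colliding name, while the signature checks reject a CRL that merely copies the expected AKI value.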
