At Thu, 16 Sep 2010 16:04:03 +0200, Tim Bruijnzeels wrote:
>
> I wanted to ask how others feel about having resource certificates that
> say: "no resources certified."
>
> We have a use case for this at the RIPE NCC. It may happen (for various
> reasons) that a member who formerly had a resource certificate issued by
> us no longer holds any certifiable resources.
And relying parties need to know about this why?  Serious question.

The whole RPKI system is designed to obfuscate the identities of resource
holders, so, absent the proposed ghostbusters record, all one ever really
knows is that the holder of key X holds resource Y.  What is a relying
party going to do about key X no longer holding resource Y other than
clean up?  Even in the presence of ghostbusters records, what is an RP
meant to do with the information that RIPE has certified no resources to
Foo Ltd?

As far as I can tell, all that these tombstone certificates would do is
clutter up the system, creating more work for relying parties, with no
clear benefit.  YMMV.

> We can of course revoke all existing resource certificates and not issue
> a new one. But.. I feel this is confusing to RPs. In particular RPs may
> assume, wrongly, that we just forgot to issue a new cert. It's much
> clearer to have a new certificate that says "no resources".

Maybe I've been drinking the RPKI Kool-Aid for too long, but that doesn't
seem clearer to me.  Resource classes come and go at the whim of the
parent.  When the resources in a class shrink to the null set, the resource
class goes away, taking its certificates with it.  When all of a child's
resource classes go away, the child has no resources.  Art is not
eternal. :)

> But it seems this is not allowed by the res-cert draft:

I believe that the prohibition was deliberate, and that the person who
feels most vehemently about this is on this list, so I'll let him speak
for himself.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
