On 9/16/10 4:44 PM, Rob Austein wrote:
> At Thu, 16 Sep 2010 16:04:03 +0200, Tim Bruijnzeels wrote:
>>
>> I wanted to ask how others feel about having resource certificates that
>> say: "no resources certified."
>>
>> We have a use case for this at the RIPE NCC. It may happen (for various
>> reasons) that a member who formerly had a resource certificate issued by
>> us no longer holds any certifiable resources.
> 
> And relying parties need to know about this why?  Serious question.
> The whole RPKI system is designed to obfuscate the identities of
> resource holders, so, absent the proposed ghostbusters record, all one
> ever really knows is that the holder of key X holds resource Y.  What
> is a relying party going to do about key X no longer holding resource
> Y other than clean up?  Even in the presence of ghostbuster records,
> what is an RP meant to do with the information that RIPE has certified
> no resources to Foo Ltd?
>

It was not the intention to attest that some 'identity' has no
resources. My reason is restated below.

> As far as I can tell, all that these tombstone certificates would do
> is clutter up the system, creating more work for relying parties, with
> no clear benefit.  YMMV.
> 
>> We can of course revoke all existing resource certificates and not issue
>> a new one. But.. I feel this is confusing to RPs. In particular RPs may
>> assume, wrongly, that we just forgot to issue a new cert. It's much
>> clearer to have a new certificate that says "no resources".
> 
> Maybe I've been drinking the RPKI Kool-Aid for too long, but that
> doesn't seem clearer to me.  Resource classes come and go at the whim
> of the parent.  When resources in a class shrink to the null set, the
> resource class goes away, taking its certificates with it.  When all
> of a child's resource classes go away, the child has no resources.
> Art is not eternal. :)
> 

Even though "only revoked certs" and "revoked certs, plus one cert that
says no resources" are semantically similar, the latter will not cause
RPs to suspect race conditions (between looking and publication), or
other problems affecting publication.

But... looking at the reactions to my post it seems that this may not be
an issue. And changing this would cause problems.

I meant to raise it as an open question in the first place, so I have no
problems in standing corrected ;)

>> But it seems this is not allowed by the res-cert draft:
> 
> I believe that the prohibition was deliberate, and that the person who
> feels most vehemently about this is on this list, so I'll let him
> speak for himself.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
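The thread turns on what a "no resources" certificate would actually look like on the wire and how a relying party would tell it apart from a certificate that certifies something. The following is an added example, not code from the thread or from any RPKI implementation: a pure-stdlib DER walker for the two RFC 3779 extensions (IPAddrBlocks, OID 1.3.6.1.5.5.7.1.7, and ASIdentifiers, OID 1.3.6.1.5.5.7.1.8) that counts the resources a certificate carries, so an RP-side check can flag a certificate whose resource set is null. The sample extension values are hand-constructed DER (one IPv4 prefix, one AS number, an "inherit" IPv6 family, and the empty encodings), and the rule that an "inherit" choice counts as certifying resources is this example's assumption, not something the thread states.

```python
"""Inspect RFC 3779 resource extensions and decide whether a resource
certificate certifies any resources at all.  Added example; DER only."""

# OIDs of the two resource extensions (RFC 3779).
OID_IP_RESOURCES = "1.3.6.1.5.5.7.1.7"   # id-pe-ipAddrBlocks
OID_AS_RESOURCES = "1.3.6.1.5.5.7.1.8"   # id-pe-autonomousSysIds

TAG_SEQUENCE = 0x30
TAG_NULL = 0x05
TAG_OCTET_STRING = 0x04


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(buf):
    """Return the list of (tag, value) elements directly inside buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        out.append((tag, value))
    return out


def _unwrap_sequence(der):
    tag, body, end = _tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    return body


def count_ip_resources(der):
    """IPAddrBlocks ::= SEQUENCE OF IPAddressFamily.
    Return (explicit_entries, inherit_families)."""
    explicit = inherit = 0
    for tag, family in _children(_unwrap_sequence(der)):
        if tag != TAG_SEQUENCE:
            raise ValueError("IPAddressFamily must be a SEQUENCE")
        afi, choice = _children(family)
        if afi[0] != TAG_OCTET_STRING:
            raise ValueError("addressFamily must be an OCTET STRING")
        if choice[0] == TAG_NULL:          # ipAddressChoice = inherit
            inherit += 1
        elif choice[0] == TAG_SEQUENCE:    # addressesOrRanges
            explicit += len(_children(choice[1]))
        else:
            raise ValueError("bad ipAddressChoice tag 0x%02x" % choice[0])
    return explicit, inherit


def count_as_resources(der):
    """ASIdentifiers ::= SEQUENCE { asnum [0] EXPLICIT ASIdentifierChoice
    OPTIONAL, rdi [1] EXPLICIT ASIdentifierChoice OPTIONAL }.
    Return (explicit_entries, inherit_choices)."""
    explicit = inherit = 0
    for tag, wrapper in _children(_unwrap_sequence(der)):
        if tag not in (0xA0, 0xA1):
            raise ValueError("unexpected tag 0x%02x in ASIdentifiers" % tag)
        (ctag, cval), = _children(wrapper)  # EXPLICIT tag wraps one element
        if ctag == TAG_NULL:
            inherit += 1
        elif ctag == TAG_SEQUENCE:         # asIdsOrRanges
            explicit += len(_children(cval))
        else:
            raise ValueError("bad ASIdentifierChoice tag 0x%02x" % ctag)
    return explicit, inherit


def certifies_resources(ip_ext=None, as_ext=None):
    """True if the certificate's resource extensions describe at least one
    resource (an 'inherit' choice counts, by this example's assumption);
    False for a missing-or-empty 'no resources' certificate."""
    if ip_ext is not None and sum(count_ip_resources(ip_ext)) > 0:
        return True
    if as_ext is not None and sum(count_as_resources(as_ext)) > 0:
        return True
    return False


# Constructed sample extension values (DER), labelled by content.
IP_ONE_PREFIX = bytes.fromhex("300c300a04020001300403020000a".replace("a", "a")) if False else \
    bytes.fromhex("300c" "300a" "04020001" "3004" "0302000a")   # IPv4 10.0.0.0/8
IP_INHERIT_V6 = bytes.fromhex("3008" "3006" "04020002" "0500")  # IPv6: inherit
IP_EMPTY      = bytes.fromhex("3000")                            # no families
AS_ONE        = bytes.fromhex("3009" "a007" "3005" "020300fbf0") # asnum AS64496
AS_EMPTY      = bytes.fromhex("3004" "a002" "3000")              # empty asIdsOrRanges

if __name__ == "__main__":
    for label, ip, asn in (("normal", IP_ONE_PREFIX, AS_ONE),
                           ("inherit-only", IP_INHERIT_V6, None),
                           ("tombstone", IP_EMPTY, AS_EMPTY),
                           ("no extensions", None, None)):
        print("%-14s certifies resources: %s" % (label, certifies_resources(ip, asn)))
```

The check distinguishes three RP-visible states that the thread treats as semantically similar: no current certificate at all (both extensions absent), a certificate whose extensions encode the null set, and a certificate that does certify something (explicitly or via inherit). A validator applying the res-cert draft's rule would reject the middle case rather than accept it as a "no resources" attestation.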
