On 16/10/2010, at 3:28 AM, Karen Seo wrote: > Folks, > > We just submitted a new version of the RPKI Certificate Policy. In addition > to a few typo/format corrections, we have included all the changes for which > there was consensus among those who provided review feedback. We believe the > document has thus completed WG Last Call and respectfully request that it > proceed to the next stage of review.
Respectfully, I have to disagree that this document is ready. Its a long document and for me each re-reading reveals more nits, unfortunately. I am sorry I did not raise this before, but I'd like to understand how this constraint in the second paragraph of the Introduction, namely This PKI is designed exclusively for use in support of validation of claims related to INR holdings. Use of the certificates and certificate revocation lists (CRLs) managed under this PKI for any other purpose is a violation of this CP, and relying parties (RPs) SHOULD reject certificates presented for such uses. relates to the processing of manifests in the RPKI repository infrastructure, where a certificate used in the context of the RPKI is NOT used for support of validation of claims related to INR holdings. The constraint above appears to preclude the use of manifests in the RPKI, and I believe that this is an inappropriate constraint. Section 1.4.1 is also perhaps misleading, where is allows for these certificates to be used to support operation of this infrastructure, but cites an example of access control, whereas the example of manifest is the case in point where there is a defined use. I suggest that the wording in the introduction be altered to allow for use in support of the operation of this infrastructure so that sections 1.4.1 and the Introduction agree. Also, please correct the back ref in section 1.4.2 i.e. s/1.5.1/1.4.1/ Section 4.7.1 referes to section 5.6 relating to key validity intervals. But in changing section 5.6, the reference in 4.7.1 is no longer appropriate. This forward reference should be omitted, as the advice is no longer provided. This version added the text in section 4.8.1: When previously distributed INRs are removed from a certificate, then the old certificate MUST be revoked and a new certificate MUST be issued, reflecting the changed INR holdings. (The SIA extension MAY also be changed during this action, if required.) I'm not sure of the circumstances where the issuer knows what SIA to use IF it is going to change. The SIA is normally supplied by the subject, so in the case of certificate modification by the issuer in response to a "shrink" in response where is the subject's certificate request that contains a new SIA? regards, Geoff _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
