At 7:41 AM +1000 7/18/11, Geoff Huston wrote:
On 18/07/2011, at 12:53 AM, Rob Austein wrote:
This draft defines the mappings from filename extension (.cer, .roa,
.crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
Without this mapping, relying party tools have no way of knowing what
they're looking at in most cases, and would have to attempt to decode
every object in various ways to see which (if any) worked. This would
be tedious, error prone, and generally a bad idea.
But wouldn't the CMS (and ASN.1 for that matter) effectively tell
the RP what the object was intended to be? It strikes me that the
file name extension is a bit of syntactic sugar rather than an
essential and necessary component, so I'm curious to understand what
has changed in this particular PKI that makes the filename extension
such a necessary attribute. If this is the case would a rogue CA be
able to mount an effective DOS attack for all RPs by deliberately
mis-naming objects?
If you want to compare the RPKI to the general PKI repository model
(X.500), note that in an X.500 directory, every object is tagged in a
fashion analogous to the filename extension. LDAP tags objects as
well. So why is it not appropriate to do so, in a normative fashion
here?
Steve
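As an added illustration of the question argued above (this is not code from the thread or from any RPKI implementation), the Python below classifies an RPKI object from its outer ASN.1 structure alone, which is what a relying party is left with if it cannot trust the extension, and then compares that result with what the filename claims. The content-type OIDs are the ones registered for RPKI signed objects (RFC 6482, 6486, 6493) and CMS SignedData (RFC 5652); the `.mft` and `.gbr` entries in the extension table are my assumption, since the thread only names `.cer`, `.roa` and `.crl`; the sample objects are constructed skeletons with the right shape and no real signature.

```python
import os

# Extension -> object type, as the draft under discussion proposes.
# .mft and .gbr are assumed here; the thread names only .cer, .roa and .crl.
EXTENSION_TO_TYPE = {".cer": "certificate", ".crl": "crl", ".roa": "roa",
                     ".mft": "manifest", ".gbr": "ghostbusters"}

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"          # CMS SignedData (RFC 5652)
ECONTENT_TYPE_TO_TYPE = {                        # eContentType of RPKI signed objects
    "1.2.840.113549.1.9.16.1.24": "roa",         # RFC 6482
    "1.2.840.113549.1.9.16.1.26": "manifest",    # RFC 6486
    "1.2.840.113549.1.9.16.1.35": "ghostbusters",  # RFC 6493
}


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Rejects non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by these objects")
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def _children(value):
    """Split a constructed value into its immediate (tag, value) children."""
    kids, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        kids.append((tag, v))
    return kids


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def sniff_object_type(der):
    """Classify a DER blob by its ASN.1 shape alone, ignoring the filename."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("object is not a single DER SEQUENCE")
    kids = _children(body)
    if not kids:
        raise ValueError("empty SEQUENCE")
    t0, v0 = kids[0]
    if t0 == 0x06:                               # CMS ContentInfo starts with contentType OID
        if _decode_oid(v0) != ID_SIGNED_DATA or len(kids) < 2 or kids[1][0] != 0xA0:
            return "cms:unknown"
        signed = _children(kids[1][1])           # [0] EXPLICIT SignedData
        if len(signed) != 1 or signed[0][0] != 0x30:
            return "cms:unknown"
        sd = _children(signed[0][1])             # version, digestAlgorithms, encapContentInfo
        if len(sd) < 3 or sd[2][0] != 0x30:
            return "cms:unknown"
        eci = _children(sd[2][1])
        if not eci or eci[0][0] != 0x06:
            return "cms:unknown"
        return ECONTENT_TYPE_TO_TYPE.get(_decode_oid(eci[0][1]), "cms:unknown")
    if t0 == 0x30:                               # tbsCertificate or tbsCertList
        tbs = _children(v0)
        if tbs and tbs[0][0] == 0xA0:            # [0] EXPLICIT version exists only in certificates
            return "certificate"
        if len(tbs) >= 4 and tbs[0][0] == 0x02 and tbs[3][0] in (0x17, 0x18):
            return "crl"                         # v2 CRL: version, sigAlg, issuer, thisUpdate (Time)
    return "unknown"


def check_object(filename, der):
    """Report whether the extension's claim matches the bytes; a mismatch is a reject-and-log event."""
    expected = EXTENSION_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = sniff_object_type(der)
    return {"filename": filename, "expected": expected, "actual": actual,
            "consistent": expected is not None and expected == actual}


# --- constructed samples: correct outer shape, no real signature or key material ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(enc))
    return _tlv(0x06, bytes(body))


_SHA256_RSA = _tlv(0x30, _oid("1.2.840.113549.1.1.11") + b"\x05\x00")
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                            + _SHA256_RSA) + _SHA256_RSA + _tlv(0x03, b"\x00\xab"))
SAMPLE_CRL = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _SHA256_RSA + _tlv(0x30, b"")
                           + _tlv(0x17, b"110718000000Z")) + _SHA256_RSA + _tlv(0x03, b"\x00\xab"))
SAMPLE_ROA = _tlv(0x30, _oid(ID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30,
                 _tlv(0x02, b"\x03") + _tlv(0x31, b"")
                 + _tlv(0x30, _oid("1.2.840.113549.1.9.16.1.24") + _tlv(0xA0, _tlv(0x04, b""))))))

if __name__ == "__main__":
    for name, blob in [("ca.cer", SAMPLE_CERT), ("ca.crl", SAMPLE_CRL),
                       ("prefix.roa", SAMPLE_ROA), ("misnamed.roa", SAMPLE_CERT)]:
        print(check_object(name, blob))
```

The two positions in the thread both show up in the code: CMS-wrapped objects (ROA, manifest, Ghostbusters) do carry their own type in `eContentType`, so the extension is redundant for them, while a bare certificate and a CRL are both just `SEQUENCE { SEQUENCE, AlgorithmIdentifier, BIT STRING }` and can only be told apart by probing the inner fields. With a normative extension mapping, a deliberately mis-named object from a misbehaving CA becomes a single cheap consistency failure to log and reject, rather than a cascade of speculative decode attempts.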
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr