On Tue, Nov 29, 2011 at 10:27 AM, Stephen Kent <[email protected]> wrote:
> There are controls to allow RPs to ignore the expiration of the certs for
> the widget maker, but that's not the best outcome. Ultimately the widget
> maker would like to have a new CA cert issued to it, and continue to manage
> the corresponding CRL, manifest, and ROA(s). All of that can be accommodated
> using the LTA mechanisms, but it will become complex if there are a lot of
> exceptions of this sort.

I think this last bit gets at danny's concern (after the 'but every asn in
the path has to agree that the root is wrong' bit)... lots more complexity
here is not helpful :(

-chris
