> "From there, we can discuss the issue of, for example, HOW TO onboard
> and purge signing and validating certificates to routers from the RPKI
> [I suspect the intention was to use rpki-rtr protocol for this, but it
> doesn't currently support it, nor are the security implications clear]."
it is very hard to understand this, but this is my guess.

certificates do not sign, keys do, and not the public keys which are in the certificates, but the corresponding private keys. the public keys used to validate bgpsec signatures are in router ee certs in the rpki.

indeed some of the router ee cert's data will need to be in validating routers. indeed there currently is no specification for how this is done. indeed, the rpki-rtr protocol could be extended to do this; it should be trivial. but, until we have the bgpsec protocol nailed down a bit further, this would be premature.

and i have said this at least once before, though possibly in private email to danny.

randy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
