Hi,

On 31 Aug 2012, at 14:34, Brian Dickson wrote:
> So, does it not make sense that the RPKI, meaning its design, architecture,
> procedures, etc., should actually enforce exclusivity?

I think that INRs appearing on certs in multiple locations, different TAs, or
different branches, are not really a *technical* problem. Meaning that if these
certs are used to sign objects they are just complementary. It doesn't matter
whether one CA signs a set of objects or the same set (content) is signed by
multiple CAs. Plus, this feature is actually needed when doing
make-before-break transfers of live networks.

Of course it's important that information is correct. But the notion that
uniqueness of resources in the tree guarantees correctness seems fundamentally
flawed to me. Correctness is assumed by transitive trust placed in the TA(s),
and can only be manually verified by comparing certs to public registration
databases.

Regards,
Tim
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr