geoff and george,

i am trying to understand $subject, and need some help. it seems the key motivation is that, in a transfer,

   If the original registry's certification actions are simply to issue a new certificate for the current holder with a reduced resource set, and to revoke the original certificate, then there is a distinct possibility of encountering the situation illustrated by the example in the previous section. This is a result of an operational process for certificate issuance by the parent CA being de-coupled from the certificate operations of child CA.

i.e. the operational problem you fear is that a parent CA shrinking a child's certificate will not cause the child's CA to shrink subordinate certificates it has issued, and so on down the tree.

but would this not be a spec violation and hence a bug? is it worth whacking validation so heavily to whitewash this corner case when good code and ops practice should prevent it? this would be a *really big* change to validation, so had best be really worthwhile.

otoh, at breakfast a few weeks ago, i thought you, gih, said that this hack might make alternate views, aka LTA, much easier. if so, i might be much more tempted. if i did not mis-hear, could you expand?

thanks.

randy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
