Geoff,

>> Do you need somewhat different wording for the case of ROA validation?
>> (Is a ROA also technically a "certificate"?)
>> When you say "resource contained in the resource extension",
>> is that well defined for a ROA as well?

>RFC6482 need not be altered at all.
>Section 4 of RFC6482 states:
>   The IP address delegation extension [RFC3779] is present in the
>   end-entity (EE) certificate (contained within the ROA), and each
>   IP address prefix(es) in the ROA is contained within the set of IP
>   addresses specified by the EE certificate's IP address delegation
>   extension.
>which still holds in this slightly altered certificate validation framework.

That is good. But what I meant was (in your I-D under discussion) does the alternate validation algorithm for a ROA need slightly different wording (as compared to that for certificates)? Such as:

A ROA is "valid" for a given IP address prefix specified in the ROA, if the given IP address prefix is subsumed in the resource extension field of the end-entity (EE) certificate (contained within the ROA), and also subsumed in the resource extension field of all other certificates that are contained in a certification path, where the construction of this certification path is defined in Section 6 of RFC5280.

Sriram
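The per-prefix check worded in the message above, sketched as an added example that is not part of the original message or of the I-D under discussion. It covers only the resource-containment condition and assumes the certification path has already been built and signature-checked per Section 6 of RFC5280; the function names and all prefixes are constructed for illustration, and RFC3779 address ranges are simplified to prefixes.

```python
from ipaddress import ip_network, collapse_addresses

def resource_set(prefixes):
    """Merge a certificate's address resources into maximal blocks per IP version."""
    nets = [ip_network(p) for p in prefixes]
    return {v: list(collapse_addresses(n for n in nets if n.version == v))
            for v in (4, 6)}

def subsumed(prefix, resources):
    """True if the prefix lies entirely inside the certificate's resources."""
    p = ip_network(prefix)
    # After merging, a contained prefix always fits inside a single block.
    return any(p.subnet_of(block) for block in resources[p.version])

def roa_prefix_validity(roa_prefixes, path):
    """Verdict per ROA prefix: subsumed by the EE certificate and by every
    other certificate on the path (path is listed EE first, trust anchor last)."""
    sets = [resource_set(cert) for cert in path]
    return {p: all(subsumed(p, s) for s in sets) for p in roa_prefixes}

# Constructed sample path (documentation prefixes only).
EE_CERT = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
# The CA holds 192.0.2.0/24 as two adjacent /25s and no longer holds 198.51.100.0/24.
CA_CERT = ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"]
TRUST_ANCHOR = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]
PATH = [EE_CERT, CA_CERT, TRUST_ANCHOR]

ROA_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    for prefix, ok in roa_prefix_validity(ROA_PREFIXES, PATH).items():
        print(f"{prefix:20} {'valid' if ok else 'not valid'}")
```

Here the ROA is valid for two of its three prefixes: the one the intermediate CA does not hold fails, while the others are unaffected.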
