>>
>> That is good. But what I meant was (in your I-D under discussion) does
>> the alternate validation algorithm for a ROA need slightly different
>> wording (as compared to that for certificates)?
>
>I think not.  RFC 6482 did not define how the EE certificate is to be validated.
>It simply states that the IP addresses listed in the ROA must also be found in the
>resource extensions of the signing EE cert. This still holds.
>
>i.e. no change is required there.
>

I think you are saying that a ROA is "valid" for all prefixes listed in it, if
the signing EE cert is "valid" for each of those prefixes (in accordance with the
alternate validation method).
I.e., there is no such thing as 'the ROA is (partially) valid for some of the
listed prefixes'.
It does no harm to include some statement to this effect in your I-D.

We discussed the possibility of ROA over-claiming earlier.
The above is not accommodative of that. And I think that is also OK for now.
We can revisit if robustness to ROA over-claiming is something that interests
anyone else on this list.

Thanks.
Sriram  
 

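The rule restated in the message above, as an added example that is not code from the thread or from the I-D under discussion: a ROA is valid only if every listed prefix is contained in the signing EE certificate's IP resource extension, with no notion of partial validity, so an over-claiming ROA fails as a whole. Prefix values and the helper names are constructed for illustration.

```python
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Union

Net = Union[IPv4Network, IPv6Network]


def _parse(prefixes: Iterable[str]) -> List[Net]:
    # strict=True rejects prefixes with host bits set (e.g. 192.0.2.0/22)
    return [ip_network(p, strict=True) for p in prefixes]


def covered_prefixes(roa_prefixes: Iterable[str], cert_resources: Iterable[str]) -> List[str]:
    """Return the ROA prefixes that fall inside some prefix of the EE cert's
    IP resource extension.  This is the per-prefix view a partial-validity
    scheme would need; RFC 6482 does not use it, but it shows what over-claiming
    looks like.  (A ROA's maxLength does not affect this containment check.)"""
    certs = _parse(cert_resources)
    covered = []
    for p in _parse(roa_prefixes):
        # subnet_of() raises on mixed address families, so compare versions first
        if any(p.version == c.version and p.subnet_of(c) for c in certs):
            covered.append(str(p))
    return covered


def roa_is_valid(roa_prefixes: Iterable[str], cert_resources: Iterable[str]) -> bool:
    """All-or-nothing rule from the thread: the ROA is valid only if every
    listed prefix is found in the signing EE certificate's resources."""
    roa = list(roa_prefixes)
    return len(covered_prefixes(roa, cert_resources)) == len(roa)


if __name__ == "__main__":
    # Constructed sample: EE cert holds 192.0.0.0/22 and 2001:db8::/32.
    cert = ["192.0.0.0/22", "2001:db8::/32"]
    print(roa_is_valid(["192.0.2.0/24", "2001:db8::/32"], cert))            # True
    # Over-claiming ROA: 198.51.100.0/24 is not in the cert, so the whole ROA fails.
    over = ["192.0.2.0/24", "198.51.100.0/24"]
    print(covered_prefixes(over, cert))  # ['192.0.2.0/24'] -- covered, but irrelevant
    print(roa_is_valid(over, cert))      # False
```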
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
