On 20 May 2014, at 4:38 am, Christopher Morrow <[email protected]> wrote:
> On Thu, Apr 17, 2014 at 11:35 AM, Tim Bruijnzeels <[email protected]> wrote:
>> Certificate 1: {10.0.0.0/12, AS64501, AS64505, AS64509} (TA certificate)
>> Certificate 2: {10.0.0.0/22, AS64501, AS64505, AS64511}
>> Certificate 3: {10.0.0.0/20, AS64501, AS64509}
>
> It's unclear to me what would happen if you split this into a
> prefix/asn per cert and just carried more certs in your purse. Why
> would I not just add more certs to my purse? is there a particular
> reason to conglomerate these under the minimal number of certs? are we
> trying to minimize space in my purse? if so the purse is large, and
> the certs very small... I could 10x or 100x the number of certs here
> and be ok still.

For AS numbers that's an interesting approach. If you carry a single ASN per cert then yes, there would be a whole lot more certs around (-ve), but any discrepancy in AS registry records between parent and child would be limited to just those ASNs where there are such discrepancies (+ve).

However I'm unsure how you could or would apply this principle to IPv4 addresses. And I'm even more unclear about IPv6.

However, in principle, the validation algorithm proposed in this draft performs a validation function which is semantically equivalent to breaking down each certificate into a collection of certificates, each describing one element of the original number set, but this approach does not require one to define the minimal unit of addresses in IPv6, nor try to generate an enumeration of individual /128s (or even /64s!) in IPv6, which I guess is a Good Thing.

Geoff

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
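The equivalence Geoff describes, modelled in code. This is an added example, not code from the sidr thread or from the draft under discussion; it assumes the three quoted certificates form a chain (TA, then Certificate 2, then Certificate 3) and that a child's verified resource set is its claimed set intersected with its parent's verified set, with overclaims trimmed rather than invalidating the certificate. It then compares that prefix-arithmetic result against Chris's "one cert per element" model by brute-force enumeration (IPv4 only, which is exactly why the intersection form matters for IPv6). All names and the extra IPv6 input are constructed for the example.

```python
"""Added example (not from the sidr thread): a toy model of the
intersection-based validation Geoff describes, checked against the
brute-force model of one certificate per address and per ASN.
Only the standard library ipaddress module is used."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceSet:
    """Resources carried by one certificate: IP prefixes plus AS numbers."""
    prefixes: frozenset   # ipaddress.IPv4Network / IPv6Network objects
    asns: frozenset       # ints


def parse_resources(items):
    """Build a ResourceSet from strings such as "10.0.0.0/22" or "AS64501"."""
    prefixes, asns = set(), set()
    for item in items:
        if item.upper().startswith("AS"):
            asns.add(int(item[2:]))
        else:
            prefixes.add(ipaddress.ip_network(item))
    return ResourceSet(frozenset(prefixes), frozenset(asns))


def intersect_prefixes(child, parent):
    """Intersection of two prefix sets by prefix arithmetic alone.
    Two prefixes of the same family either nest or are disjoint, so the
    intersection of a pair is the more specific of the two; nothing is
    enumerated, which is what makes this workable for IPv6."""
    out = set()
    for c in child:
        for p in parent:
            if c.version != p.version:
                continue
            if c.subnet_of(p):
                out.add(c)
            elif p.subnet_of(c):
                out.add(p)   # child overclaimed; keep only the covered part
    return frozenset(out)


def validate_chain(chain):
    """Walk from the TA downwards. Each certificate's verified set is its
    claimed set intersected with the parent's verified set (assumed
    semantics); overclaims are trimmed, not fatal."""
    verified = []
    parent = None
    for cert in chain:
        if parent is None:
            v = cert                          # TA resources are taken as given
        else:
            v = ResourceSet(intersect_prefixes(cert.prefixes, parent.prefixes),
                            cert.asns & parent.asns)
        verified.append(v)
        parent = v
    return verified


def per_element_validation(child, parent_verified):
    """Reference model from the thread: split the child into one 'cert' per
    address and per ASN and accept each element only if the parent's verified
    set covers it. Enumerates every address, so IPv4-sized inputs only."""
    ok_addrs = {a for p in child.prefixes for a in p
                if any(a in q for q in parent_verified.prefixes)}
    ok_asns = {n for n in child.asns if n in parent_verified.asns}
    return ok_addrs, ok_asns


def covered_addresses(prefixes):
    """Expand a prefix set to the addresses it covers (for comparison only)."""
    return {a for p in prefixes for a in p}


def matches_per_element_model(chain):
    """True if intersection validation yields exactly the elements the
    per-element model would accept, at every level below the TA."""
    verified = validate_chain(chain)
    for i in range(1, len(chain)):
        addrs, asns = per_element_validation(chain[i], verified[i - 1])
        if addrs != covered_addresses(verified[i].prefixes) \
                or asns != set(verified[i].asns):
            return False
    return True


# Constructed input: the three certificates quoted in the thread, read as a chain.
CHAIN = [
    parse_resources(["10.0.0.0/12", "AS64501", "AS64505", "AS64509"]),  # TA
    parse_resources(["10.0.0.0/22", "AS64501", "AS64505", "AS64511"]),
    parse_resources(["10.0.0.0/20", "AS64501", "AS64509"]),
]

if __name__ == "__main__":
    for depth, v in enumerate(validate_chain(CHAIN)):
        print(depth, sorted(map(str, v.prefixes)), sorted(v.asns))
    print("equivalent to per-element model:", matches_per_element_model(CHAIN))
```

On the quoted chain, Certificate 2 loses AS64511 (absent from the TA) and Certificate 3's 10.0.0.0/20 is trimmed to the 10.0.0.0/22 its parent actually holds, while AS64509 is dropped because Certificate 2 never carried it; the brute-force model accepts precisely the same 1024 addresses and one ASN. The same `intersect_prefixes` call handles an IPv6 /32 against a /48 without touching a single /128.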
