The Introduction says: This document reviews the certificate validation procedure specified in RFC6487 and highlights aspects of potentially acute operational fragility in the management of certificates in the RPKI in response to the movement of resources across registries, and the associated actions of Certification Authorities to maintain continuity of validation of certification of resources during this movement.
When this working group was developing the RPKI specifications, the RIRs essentially asked us not to specify how the "movement of resources across registries" would take place. I for one accepted this at the time because it looked like an issue between RIRs.

This document is calling for a make-before-break certificate issuance capability. Maybe there are other motives too.

RFC 3779 has been implemented. For example, OpenSSL implements RFC 3779, and others make use of this certificate handling software. We are not talking about a little tweak to such a library. Implementation would require a path validation parameter to pass the content of the ROA.

As I understand the situation, the existing specification works, but it imposes some restrictions on the order in which certificates must be issued and distributed.

I really want to see the RPKI deployed, and deployed really soon. I worry greatly that this proposed change will result in a very significant delay. To change my mind, I'd need to see a serious impact on operators by the current specification. Can it be demonstrated with the various implementations that we already have in front of us?

Russ
