Hi,

From: Stephen Kent <[email protected]>
Date: Thursday, 24 July 2014 5:20 pm
To: Tim Bruijnzeels <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

Tim,

I think I was not clear in requesting clarification for your tests. I didn't mean to ask what your RP code does. I was asking what your CA code does to detect and reject over-claiming, and what it will do under relaxed validation rules. I ask because it may be harder to perform such checks when there is an explicit intent to issue a CA cert that contains INRs not present in the parent cert.

I can't speak for RIPE, but at APNIC when a child requests a certificate for us, we intersect it with our registry data, and our own CA certificate. What we cannot do is confirm that our own parent hasn't in the meantime published a new certificate for us with some resource removed: we can only detect that after it has happened, and it would be preferable that detection leads to correction without an intermediate step of total invalidation of a region.

In a perfect world, of course, no process would ever lead to a parent shrinking their child's certificate without adequate communication and preparation, but if we were in a perfect world, a large part of the use case for SIDR would be gone, because no router operator would ever make an erroneous BGP announcement.

Byron
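The issuance-time intersection and the after-the-fact over-claim detection described in the message above, as an added example that is not part of the original message and is not APNIC's or RIPE's CA code. It models IP prefixes only (no AS numbers); the function names are hypothetical and the prefixes are constructed from documentation ranges.

```python
import ipaddress

def nets(*prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def _collapse(ns):
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so merge per family.
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses([n for n in ns if n.version == version])
    return out

def intersect(a, b):
    """Prefixes covered by both resource sets."""
    out = []
    for x in a:
        for y in b:
            if x.version == y.version and x.overlaps(y):
                # Overlapping CIDR blocks are nested: the longer prefix is the overlap.
                out.append(x if x.prefixlen >= y.prefixlen else y)
    return _collapse(out)

def subtract(a, b):
    """Prefixes in a that b does not cover (an x lying wholly inside b is dropped)."""
    remaining = list(a)
    for y in b:
        kept = []
        for x in remaining:
            if x.version != y.version or not x.overlaps(y):
                kept.append(x)                      # untouched by y
            elif y.subnet_of(x):
                kept.extend(x.address_exclude(y))   # y carves a hole in x
        remaining = kept
    return _collapse(remaining)

def issuable(requested, registry, ca_cert):
    """Issuance-time check: request, intersected with registry data and our CA cert."""
    return intersect(intersect(requested, registry), ca_cert)

def overclaim(child_cert, parent_cert):
    """Resources in the child certificate that the parent's current one lacks."""
    return subtract(child_cert, parent_cert)

# Constructed scenario using documentation prefixes.
OUR_CERT = nets("198.51.100.0/24", "2001:db8::/32")
REGISTRY = nets("198.51.100.0/25", "2001:db8:100::/40")
REQUEST = nets("198.51.100.0/24", "2001:db8:100::/40")
ISSUED = issuable(REQUEST, REGISTRY, OUR_CERT)
SHRUNK_CERT = nets("2001:db8::/32")   # parent republished without the IPv4 block
```

Here overclaim(ISSUED, SHRUNK_CERT) returns only 198.51.100.0/25, the part that became over-claiming after the parent reissued, while intersect(ISSUED, SHRUNK_CERT) gives the resource set a corrected child certificate could still carry.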
