Hello, I think what we need to discuss is which certificate validation rules apply to our problem domain, basically securing origin and/or securing path.
Current specs state that RFC 3779 validation rules should be applied to SIDR's problem domain. I couldn't find any justification for this, other than 'RFC 3779 was already there by the time SIDR started'. Maybe I'm wrong and this discussion indeed took place. I'd appreciate any pointers.

Regarding our draft, maybe we can split the discussion about possible solutions to the problem (as I understand from our last meeting there was rough consensus that there is indeed a problem to be solved here) in two parts:

- Unbundling: For example, a wrong ASN list currently invalidates both IPv4 and IPv6 resources in the same cert and down below. It doesn't seem to make much sense to have a mistake in one resource type invalidate the other two. Discuss #1!

- Managing mistakes within the same resource type: Should a mistake in one IPv4 prefix invalidate the whole cert and down below for *all* prefixes? Discuss #2!

I agree on keeping the discussion to real world problems and not perceptions. So the 'encouraging sloppiness' argument, whether perhaps having some merit, is not really about a threat or a specific attack or about a specific problem.

cheers!

-Carlos
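
The three behaviours contrasted in the message above, as an added example that is not part of the original post or of any SIDR draft: a simplified Python model (plain dictionaries rather than parsed X.509 extensions, ASNs as single numbers rather than ranges) comparing the all-or-nothing rule with the "Discuss #1" and "Discuss #2" alternatives. The function names and the sample chain are assumptions constructed for illustration.

```python
from ipaddress import ip_network

TYPES = ("ipv4", "ipv6", "asn")

def item_ok(rtype, item, parent):
    """True if one claimed resource is covered by the parent's accepted set."""
    if rtype == "asn":
        return item in parent["asn"]
    net = ip_network(item)
    return any(net.subnet_of(ip_network(p)) for p in parent[rtype])

def strict(child, parent):
    """Any overclaim, in any resource type, voids the whole certificate."""
    ok = all(item_ok(t, i, parent) for t in TYPES for i in child[t])
    return {t: list(child[t]) if ok else [] for t in TYPES}

def unbundled(child, parent):
    """Discuss #1: an overclaim voids only its own resource type."""
    return {t: list(child[t]) if all(item_ok(t, i, parent) for i in child[t])
            else [] for t in TYPES}

def per_item(child, parent):
    """Discuss #2: only the overclaimed items themselves are dropped."""
    return {t: [i for i in child[t] if item_ok(t, i, parent)] for t in TYPES}

def walk(chain, rule):
    """Validate top-down; each cert is checked against what its parent kept."""
    accepted = chain[0]
    for cert in chain[1:]:
        accepted = rule(cert, accepted)
    return accepted

# Constructed sample chain (trust anchor, intermediate, leaf): the intermediate
# certificate lists AS 64511, which the trust anchor does not hold.
CHAIN = [
    {"ipv4": ["10.0.0.0/8"], "ipv6": ["2001:db8::/32"], "asn": [64496, 64497]},
    {"ipv4": ["10.1.0.0/16"], "ipv6": ["2001:db8:1::/48"], "asn": [64496, 64511]},
    {"ipv4": ["10.1.2.0/24"], "ipv6": ["2001:db8:1:1::/64"], "asn": [64496]},
]

if __name__ == "__main__":
    for rule in (strict, unbundled, per_item):
        print(f"{rule.__name__:10} leaf keeps {walk(CHAIN, rule)}")
```

Because each certificate is checked against what its parent was allowed to keep, the single ASN mistake in the intermediate empties the leaf entirely under the strict rule, which is the "and down below" effect the message describes.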
