On Aug 8, 2014, at 10:42 PM, Randy Bush <[email protected]> wrote:

>>>> The question was about why, in this effort, we are using 3779
>>>> validation rules
>>> because we understand how they work formally from considerable
>>> experience with PKIs. they are deployed and working today.
>> Well ok. Where else are the 3779 rules used?
>
> the validation for 3779 is essentially the same as for X.509, a rigid
> hierarchy. some do not like different aspects of that rigidity, i am
> among them, but for different aspects than this one.

Ah. I think I see the disconnect. The validity of a certificate with 3779 extensions is covered by sections 2.3 and 3.3 of 3779. Those are the rules for answering “Is this certificate valid?” However, what use is that question by itself? Isn’t a better question, “Can this IP address be validated with this certificate?” It is a matter of context, and the current validation rules lack context. If a certificate covers 192.0.2.0/24 and 198.51.100.0/24 yet its parent only covers 192.0.2.0/24, that certificate is invalid even though 192.0.2.0/24 has a path of validity. Why? In the context of “Is 192.0.2.0/24 valid with this certificate?”, why can’t we say yes?

>>> to paraphrase, C’mon Andy. You're better than this.
>> Imitation is the sincerest form of flattery. I’m now thinking about
>> shaving off my beard. ;)
>
> not likely. the last time i was beardless jack kennedy was president.
> i do not change running beard without a sound technical reason. otoh,
> if you can document how i can transfer to a 27 year old body, we would
> likely have a deal.

Can we compromise with a zombie-JFK?

-andy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
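The two questions contrasted in the message above, as an added example that is not part of the thread or of any RPKI implementation: a strict RFC 3779 subset check that rejects the whole certificate when any resource exceeds its issuer, beside a per-prefix check that asks whether one prefix has an unbroken path of coverage. Certificates are modelled as plain dicts with a list of prefixes (constructed sample data, the same prefixes used in the message); `strict_3779_valid` and `prefix_valid_in_context` are hypothetical names.

```python
"""Strict RFC 3779 chain validation versus a per-prefix, context-aware check.
Added illustration only; certificates are modelled as name + prefix list."""
import ipaddress

# Constructed chain: trust anchor -> parent -> child. The child claims one
# prefix (198.51.100.0/24) that its parent does not hold, as in the thread.
CHAIN = [
    {"name": "TA",     "prefixes": ["192.0.2.0/24", "198.51.100.0/24"]},
    {"name": "parent", "prefixes": ["192.0.2.0/24"]},
    {"name": "child",  "prefixes": ["192.0.2.0/24", "198.51.100.0/24"]},
]


def _nets(cert):
    return [ipaddress.ip_network(p) for p in cert["prefixes"]]


def covered(net, holder):
    """True if `net` lies inside some prefix of the same IP version held by `holder`."""
    return any(net.subnet_of(h) for h in _nets(holder) if h.version == net.version)


def strict_3779_valid(chain):
    """RFC 3779 sections 2.3/3.3 semantics: every resource in a certificate must
    be a subset of its issuer's resources. A single excess prefix invalidates
    the whole certificate, and therefore everything issued below it."""
    for issuer, subject in zip(chain, chain[1:]):
        if not all(covered(n, issuer) for n in _nets(subject)):
            return False
    return True


def prefix_valid_in_context(prefix, chain):
    """The context-aware question from the thread: does this one prefix have an
    unbroken path of coverage from the trust anchor down to the leaf, ignoring
    whatever other resources the certificates happen to claim?"""
    net = ipaddress.ip_network(prefix)
    return all(covered(net, cert) for cert in chain)


if __name__ == "__main__":
    print("whole chain valid under strict 3779 rules:", strict_3779_valid(CHAIN))
    for p in ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]:
        print(p, "valid in context:", prefix_valid_in_context(p, CHAIN))
```

Under the strict rules the child is rejected outright, while the per-prefix check still answers yes for 192.0.2.0/24 and no for the over-claimed 198.51.100.0/24.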
