Hi,

On 28/10/2014 20:17, John Curran wrote:
> ... snip ...
>
> I'm certain there is a simple answer for this question, but it eludes me
> at the present time...
>
> Given the risks of full resource list invalidation due to overclaiming, why
> aren't distinct certificates used for distinct resources? If this is not
> practical in general, wouldn't it at least be prudent to "groom" resources
> that are going to be transferred into their own certificate so that the rest
> of the resources held by the original child are not put at validation risk
> (if a coordination error were to occur in subsequent transfer processing)

I believe you are right, in fact, I'm pretty sure, and I discussed this with
Mark a few weeks ago, that it's possible to get quite close to the proposed
semantics of validation-reconsidered just by separating (grooming to use your
term :-) ) resource sets across different certs, according to specific
criteria.

This, to me, means that validation-reconsidered is actually more like an
optimization proposal to something that could already be done today iff we had
HSMs able to support enough keys/certs. I'm convinced that there isn't here a
radical departure from the original spirit of validation rules.

> Thanks!
> /John

cheers!

-Carlos

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
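The point discussed in this message, as an added example that is not part of the original thread: a simplified model of how one overclaimed prefix invalidates a whole certificate under the current rule, and how splitting ("grooming") the transferred prefix into its own certificate limits the damage. The prefixes, certificate names and function names are constructed for illustration, and the validation-reconsidered function is a simplified model of that proposal.

```python
from ipaddress import ip_network

def covered(prefix, parent):
    """True if prefix lies inside some prefix the parent certificate holds."""
    return any(prefix.version == p.version and prefix.subnet_of(p) for p in parent)

def usable_strict(parent, certs):
    """Current rule: one resource outside the parent's set rejects the whole
    certificate, so none of its resources remain usable."""
    return sorted(str(r) for res in certs.values()
                  if all(covered(x, parent) for x in res) for r in res)

def usable_reconsidered(parent, certs):
    """Simplified model of validation-reconsidered: only the overclaimed
    resources are dropped, the rest of the certificate stays usable."""
    return sorted(str(r) for res in certs.values() for r in res if covered(r, parent))

def nets(*prefixes):
    return [ip_network(p) for p in prefixes]

# Constructed sample data (documentation prefixes, hypothetical cert names).
# 203.0.113.0/24 is being transferred; the parent's certificate was reissued
# without it before the child's certificate was updated (coordination error).
PARENT_AFTER = nets("192.0.2.0/24", "198.51.100.0/24")
SINGLE = {"child-all": nets("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")}
GROOMED = {"child-keep": nets("192.0.2.0/24", "198.51.100.0/24"),
           "child-transfer": nets("203.0.113.0/24")}

if __name__ == "__main__":
    print("single cert, strict:      ", usable_strict(PARENT_AFTER, SINGLE))
    print("groomed certs, strict:    ", usable_strict(PARENT_AFTER, GROOMED))
    print("single cert, reconsidered:", usable_reconsidered(PARENT_AFTER, SINGLE))
```

With the single certificate every prefix is lost under the strict rule, while the groomed layout keeps the two untransferred prefixes, the same set the reconsidered model yields for the single certificate.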
