speaking as regular ol' member.

On Oct 30, 2014, at 2:38 PM, Tim Bruijnzeels <[email protected]> wrote:

> Hi John, all,
>
> Hoping to clarify my reasoning why I think this validation approach
> provides a significant quick win..
>
>
> On 29 Oct 2014, at 00:17, John Curran <[email protected]> wrote:
>
>> On Aug 11, 2014, at 11:58 AM, Tim Bruijnzeels <[email protected]> wrote:
>>>
>>> @1 The *grand*-parent shrinks the *parent* certificate without the parent
>>> knowing about this, and some of these resources appear on the, now
>>> overclaiming, child certificate. The grand-parent and parent are not
>>> involved in an active transfer process. They may not agree that the
>>> resource in question should be removed, or the grand-parent may have shrunk
>>> these resources in error.

If the removed resources are improperly removed, accepting the remaining resources does not help them.

I don't think this is an error case that we are trying to work out, here. If we are trying to address that, we have a whole lot more solution space to explore.

>>>
>>> If the CA really intended that the remaining resources should not be tied
>>> to the certificate, they would have revoked.

Ironically, and no one has mentioned this much, but the CP says if a certificate's resources are reduced, the certificate with the original set is revoked. (Then a new certificate with the reduced set is issued with the same key. I think that's weird. There are people who think it is weird that I think it is weird. :-) )

I wonder sometimes if evaluating a ROA EE cert would find the new reduced certificate in the cache first or the issuing original certificate on the CRL first.

--Sandy, speaking as regular ol' member
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
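An added illustration, not part of the thread or of any RPKI validator's code: the @1 scenario run through two validation rules, the all-or-nothing rule where an overclaiming certificate is rejected outright and a simplified model of the approach under discussion where the remaining resources are accepted. The chain, names and documentation prefixes are constructed, and `intersect` and `validate_chain` are hypothetical helpers.

```python
from ipaddress import ip_network

def intersect(claimed, holdings):
    """Parts of `claimed` that lie inside `holdings`. Two CIDR prefixes either
    nest or are disjoint, so each overlap is simply the smaller prefix."""
    kept = []
    for c in claimed:
        for h in holdings:
            if c.version != h.version:
                continue
            if c.subnet_of(h):
                kept.append(c)
            elif h.subnet_of(c):
                kept.append(h)
    return kept

def validate_chain(chain, strict):
    """chain: [(name, [prefixes listed on the cert])], trust anchor first.
    Returns {name: accepted prefixes, or None if the cert is rejected}.
    Simplification: adjacent issuer prefixes are not merged before comparing."""
    accepted = {}
    issuer = None
    for i, (name, listed) in enumerate(chain):
        listed = [ip_network(p) for p in listed]
        if i == 0:
            issuer = listed                  # trust anchor: taken as given
        elif issuer is not None:             # a rejected issuer rejects all below
            inside = intersect(listed, issuer)
            overclaims = not set(listed) <= set(inside)
            issuer = None if (strict and overclaims) else inside
        accepted[name] = issuer
    return accepted

# Constructed chain: the grand-parent has shrunk the parent certificate to one
# prefix, while the child certificate still lists a prefix the parent lost.
CHAIN = [
    ("grand-parent", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("parent", ["192.0.2.0/24"]),
    ("child", ["192.0.2.0/25", "198.51.100.0/24"]),
]

if __name__ == "__main__":
    for strict in (True, False):
        label = "strict " if strict else "reduced"
        for name, res in validate_chain(CHAIN, strict).items():
            print(label, name, "REJECTED" if res is None else [str(p) for p in res])
```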
