At Wed, 7 Oct 2015 09:22:40 -0400, Sean Turner wrote: > > On Oct 06, 2015, at 08:30, Sandra Murphy <[email protected]> wrote: >> On Oct 5, 2015, at 4:36 PM, David Mandelberg <[email protected]> wrote: >>> >>> 4. Add text warning relying parties to detect malicious CAs that >>> cause too many KI collisions, and blacklist those CAs. Similarly, >>> warn routers and/or rpki-rtr caches to detect AS numbers with too >>> many public keys sharing the same SKI, and blacklist those AS >>> numbers. >> >> I?m ok with ?warn?, but ?blacklist? is a bit strong for me. If you >> mean stop using that CA, i.e. remove all objects produced by that >> CA, then the whole tree under that CA would fall off the planet. I >> think that?s a potentially large cone of consequence and I believe >> it should be undertaken by brains, not code. >> >> I?d prefer a warning in the security considerations section and a >> recommendation to alert the operator. > > Yep let?s just put a warning in the security considerations and > alert the operator.
Agreed. "Blacklist" sounds too much like mandatory policy. My RP, who are you to decide how much of its CPU time I should waste? _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
