On 2015-11-24 23:35, Randy Bush wrote:
>> Every public/private working group that I have been part of that
>> discusses potential incremental roll out of RPKI based origin
>> validation gets hung up on FUD about the brittleness of the system.
>
> universally, the brittleness that seems to concern operators is the
> hierarchy and the 'dutch court' attack. this does nothing for that.

Indeed it doesn't solve all possible problems. But it solves a real
tangible one.

> the brittleness this seems to address is perceived by rirs, who have
> already deployed.

RIRs are expected to be higher-than-average in the certificate chain,
therefore any mistake made on this level could affect a large
population. However, the issue addressed can happen on any level and
will affect any descendants -- therefore benefits apply to them too.

> so i do not see this as solving a real deployment issue. otoh, i do
> not see it as being highly destructive. more of a not clearly needed
> change when there is plenty of other work to be done.

I don't think we should accept the situation that, for example, my
certificate (and ROA, whatever) covering my precious prefix will become
invalid because my grand-grand-grandparent, whom I never met, made a
booboo about an ASN they never had. Therefore I think this draft, or the
concept therein, should be completed.

Robert

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
