Hi Andrei

> On 01 Dec 2015, at 12:04, Andrei Robachevsky <[email protected]> wrote:
>
> Tim Bruijnzeels wrote on 26/11/15 13:29:
>> Please note that for ROAs there is a requirement that all ROA
>> prefixes are included on the EE certificate of the (ROA) signed
>> object CMS. This proposal does not change this. A ROA that has
>> prefixes that were removed for whatever reason higher in the path
>> would still become invalid using this algorithm.
>
> Tim, I am not sure I understand this. If the parent of the EE cert has a
> shrunken set of resources, will it invalidate the EE or only the
> non-overlapping subset?
If the parent has a shrunken resource set, this would lead to the EE certificate being accepted only for the intersection of its resources and the parent's. Because there is a requirement that all prefixes on a ROA are included (and accepted in reconsidered) in the resource set of the EE certificate, the ROA will be considered invalid.

To avoid this it would be better to create one ROA per prefix and avoid fate sharing. That way only the ROA(s) for the prefix(es) that are no longer held by the (grand)parent(s) are affected.

Tim

> Andrei

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
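As an added illustration of the point made in this exchange (not code from the thread or from any RPKI validator), a small Python model of the resource intersection at each certificate and of the ROA prefix check; the trust anchor, certificate chain and ROA prefixes below are constructed, and signature checking, maxLength and AS resources are left out.

```python
from ipaddress import ip_network

# Simplified model of "reconsidered" resource validation: a certificate is
# accepted only for the intersection of the resources it lists and the
# resources accepted for its parent. Signatures and maxLength are ignored.

def accepted_resources(cert_prefixes, parent_accepted):
    """Intersection of a certificate's prefixes with its parent's accepted set."""
    accepted = set()
    for c in cert_prefixes:
        for p in parent_accepted:
            if c.version != p.version:
                continue
            if c.subnet_of(p):
                accepted.add(c)  # child prefix fully covered
            elif p.subnet_of(c):
                accepted.add(p)  # only the parent's portion survives
    return accepted

def validate_chain(trust_anchor, chain):
    """Walk TA -> CA cert(s) -> EE cert, shrinking the accepted set at each step."""
    accepted = set(trust_anchor)
    for cert in chain:
        accepted = accepted_resources(cert, accepted)
    return accepted

def roa_valid(roa_prefixes, ee_accepted):
    """Valid only if every ROA prefix is covered by the EE cert's accepted set."""
    return all(any(r.version == a.version and r.subnet_of(a) for a in ee_accepted)
               for r in roa_prefixes)

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

# Constructed scenario: 198.51.100.0/24 was removed at the trust anchor, but
# the CA and EE certificates below it still list it.
TA = nets("192.0.2.0/24", "2001:db8::/32")
CA_CERT = nets("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")
EE_CERT = nets("192.0.2.0/24", "198.51.100.0/24")

def example():
    ee_accepted = validate_chain(TA, [CA_CERT, EE_CERT])
    multi_prefix_roa = nets("192.0.2.0/24", "198.51.100.0/24")
    per_prefix_roas = [nets("192.0.2.0/24"), nets("198.51.100.0/24")]
    return {
        "ee_accepted": sorted(str(n) for n in ee_accepted),
        "multi_prefix_roa_valid": roa_valid(multi_prefix_roa, ee_accepted),
        "per_prefix_roas_valid": [roa_valid(r, ee_accepted) for r in per_prefix_roas],
    }
```

Calling `example()` shows the EE certificate accepted for 192.0.2.0/24 only, the two-prefix ROA rejected outright, and of the per-prefix ROAs only the one for the removed prefix rejected.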
