Sandra Murphy wrote on 02/12/15 19:28:
> Under validation-reconsidered, I would say that the ROA should be valid if 
> the IP addresses it contains are contained within the *valid* resources among 
> the resources specified in the EE cert.
> 
> We need to say that because the valid resources specified in a valid EE cert 
> could be a proper subset of the resources specified in the EE cert.  As your 
> examples show.  Just “contained within” is not going to be sufficient 
> specification.
> 
> No biggie, just a need for more precise text, under validation-reconsidered.

Agree, the validation reconsidered will require a more precise
definition in RFC6482, something like:

The IP address delegation extension [RFC3779] is present in the
end-entity (EE) certificate (contained within the ROA), and the whole
collection of IP address prefix(es) in the ROA is contained within the
set of IP addresses specified by the EE certificate's IP address
delegation extension that are valid according to the
[validation-reconsidered] checks.

There might be other places that may read ambiguously in light of
validation reconsidered. The thing is that we now have a bunch of
validity concepts: a valid certificate, a valid resource within an
extension of a valid certificate, a valid ROA (and we do not extend this
further to a valid resource within a ROA).

Andrei

