At Wed, 11 May 2016 15:04:58 -0400, Sandra Murphy wrote:
...
> A new type of EE cert does sound cleaner. It puts the burden on the RPKI implementer rather than the RPSL database operators, of course.

We already have precedent and mechanism for adding application-specific EE certificates: assign a new EKU OID, write a profile, make sure that the profile requires the new EKU and specifies all deviations from the base certificate profile. This is what we did with router certificates. As with router certificates, this means that RP code that doesn't know about the new flavor of EE certificates won't allow them. This is by design: we don't accept RPKI objects with unknown semantics.

_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
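
The fail-closed behaviour described in the message above, as an added example that is not code from this thread or from any RP implementation: a relying party parses the EKU extension value and accepts an EE certificate only when its EKU set maps to a profile it implements. The names `KNOWN_PROFILES` and `classify_ee`, the exact-set matching rule, and the `2.999.1` OID (a constructed placeholder for an EKU the RP does not know) are assumptions of this example.

```python
ROUTER_EKU = "1.3.6.1.5.5.7.3.30"  # id-kp-bgpsec-router (RFC 8209)
# Profiles this hypothetical RP implements, keyed by the exact EKU set.
# The empty set stands for the base EE profile, which carries no EKU.
KNOWN_PROFILES = {frozenset(): "base-ee",
                  frozenset({ROUTER_EKU}): "bgpsec-router"}

def read_tlv(buf, pos, tag):
    """Read one short-form DER TLV with the expected tag: (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    length = buf[pos + 1]
    if length & 0x80:  # EKU lists are short; refuse long-form lengths
        raise ValueError("long-form length refused")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos + 2:end], end

def decode_oid(body):
    """Decode DER OID content octets into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last octet of this sub-id
            subids.append(value)
            value = 0
    arc = min(subids[0] // 40, 2)  # first sub-id packs the first two arcs
    return ".".join(map(str, [arc, subids[0] - 40 * arc] + subids[1:]))

def parse_eku(extn_value):
    """Parse an ExtKeyUsageSyntax value (SEQUENCE OF OID) into a frozenset."""
    seq, end = read_tlv(extn_value, 0, 0x30)
    if end != len(extn_value) or not seq:
        raise ValueError("trailing bytes or empty EKU sequence")
    oids, pos = set(), 0
    while pos < len(seq):
        body, pos = read_tlv(seq, pos, 0x06)
        oids.add(decode_oid(body))
    return frozenset(oids)

def classify_ee(extn_value):
    """Return the profile name for an EE cert, or None to reject it."""
    try:
        ekus = frozenset() if extn_value is None else parse_eku(extn_value)
    except ValueError:
        return None  # malformed extension: reject
    return KNOWN_PROFILES.get(ekus)  # unknown EKU set: reject

# Constructed sample EKU extension values (DER), not taken from real certs.
ROUTER_DER = bytes.fromhex("300a06082b0601050507031e")
UNKNOWN_DER = bytes.fromhex("30050603883701")  # placeholder OID 2.999.1
```

Supporting a new EE flavour then means adding its EKU to `KNOWN_PROFILES` together with the profile checks; until an RP does that, such certificates fall through to the reject path.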
