Chiming in late...

On 2016-05-19 0:39, George Michaelson wrote:
> I would rather the sigs were signed by ee certs which were in the
> blob, than have to make an external reference and I would rather we
> varied the compliance needs to remove a pointless external ref.
>
> If there has to be a ref, I think making it mandated to a specific
> scheme is over specifying, especially in a context where we might
> begin to understand *where you get cryptographic materials from is
> less important than proving who said them*.
>
> Rsync is a bad fit. For the actual signing cert, inline is better. It
> can refer to whatever chain it likes.
>
> -G
In the good ol' days a reference was put in because while the signature itself is relatively small, including the full EE cert would bloat the whole RPSL object to potentially multiple times its original size -- and for those who don't care about signatures this is a huge overhead.

Furthermore, if one would reuse EE certs in multiple signatures (I don't see why that would be prohibited -- for example if I want to sign multiple objects at the same time), then this method makes even more sense.

Then the whole back-and-forth started about whether it should be rsync or http(s) and now perhaps it's neither. It feels like we're going around in circles here :)

Robert
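The size trade-off Robert describes (the signature is small, the full EE cert is not) can be measured directly. The Go program below is an added example, not code from this thread or from any IETF or RPKI implementation: it builds a constructed RPSL route object, signs it with a throwaway ECDSA key and a self-signed certificate standing in for an EE cert, and compares the byte size of the object carrying a certificate reference against the same object with the certificate embedded inline. The attribute layout (the `signature:` fields v=, c=, m=, b= and the `ee-cert:` attribute) and the URL https://rpki.example/ee-cert.cer are assumptions made for illustration, only loosely modelled on RFC 7909's signature attribute and not a normative encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RouteObject is a constructed RPSL route object used as sample input
// (sample data, not taken from any registry).
const RouteObject = "route:       192.0.2.0/24\n" +
	"origin:      AS64496\n" +
	"descr:       constructed example route\n" +
	"mnt-by:      MAINT-EXAMPLE\n" +
	"source:      TEST\n"

// CertURL is a hypothetical location of the EE cert for the "reference" variant.
const CertURL = "https://rpki.example/ee-cert.cer"

// toyKeyAndCert makes a throwaway P-256 key and a self-signed certificate that
// stands in for an EE cert. It is self-signed only so the example runs offline.
func toyKeyAndCert() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed EE cert"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// signObject signs SHA-256(object) with ECDSA and returns the base64 signature.
// The signature attribute is appended afterwards, so it is not part of what is signed.
func signObject(key *ecdsa.PrivateKey, object string) (string, error) {
	digest := sha256.Sum256([]byte(object))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// WithReference appends a signature attribute that points at the EE cert by URL.
// Field names are an assumption of this example, loosely modelled on RFC 7909.
func WithReference(object, sig, certURL string) string {
	return object + "signature:   v=rpkiv1; c=" + certURL + "; m=sha256WithECDSA; b=" + sig + "\n"
}

// WithInlineCert appends the same signature attribute and then the whole EE cert
// as PEM on "+" continuation lines. "ee-cert:" is a hypothetical attribute name.
func WithInlineCert(object, sig string, certDER []byte) string {
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	var b strings.Builder
	b.WriteString(object)
	b.WriteString("signature:   v=rpkiv1; m=sha256WithECDSA; b=" + sig + "\n")
	b.WriteString("ee-cert:     ")
	for i, line := range strings.Split(strings.TrimSpace(string(pemText)), "\n") {
		if i > 0 {
			b.WriteString("+            ")
		}
		b.WriteString(line + "\n")
	}
	return b.String()
}

// VerifyObject checks the signature using only the DER cert, i.e. what a verifier
// holds after fetching the referenced cert or extracting the inline one.
func VerifyObject(certDER []byte, object, sigB64 string) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("EE cert does not carry an ECDSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256([]byte(object))
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

// Sizes holds the byte counts the thread argues about.
type Sizes struct{ Object, Signature, Cert, WithRef, WithInline int }

// SignAndMeasure signs RouteObject and returns the sizes of both encodings,
// plus the DER cert and the signature a verifier would need.
func SignAndMeasure() (Sizes, []byte, string, error) {
	key, der, err := toyKeyAndCert()
	if err != nil {
		return Sizes{}, nil, "", err
	}
	sig, err := signObject(key, RouteObject)
	if err != nil {
		return Sizes{}, nil, "", err
	}
	s := Sizes{len(RouteObject), len(sig), len(der),
		len(WithReference(RouteObject, sig, CertURL)), len(WithInlineCert(RouteObject, sig, der))}
	return s, der, sig, nil
}

func main() {
	s, _, _, err := SignAndMeasure()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

Run it with `go run` to print the five byte counts; the exact numbers vary with key type and certificate contents, so the point is the ratio: the inline form is a multiple of the bare object, the referenced form is not. VerifyObject also shows where the reference matters: whoever verifies must obtain the EE cert from somewhere, and embedding it inline moves that cost onto every reader of the object, including the ones who never verify at all.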
