At Thu, 15 Oct 2009 15:28:35 -0400, Steve Kent wrote:
> ...
> There are some costs associated with offering this option:

Another issue besides the one you listed: reason codes would further complicate the software that has to generate all the certificates and ROAs, perhaps significantly (haven't analyzed in detail yet). Right now, we revoke certificates when resources shrink, when we're rolling keys and want to kill off any certificates signed by the old one, or when a child entity goes away. The last case most closely corresponds to the hypothetical situation in which you might want to use these reason codes, but note that reason codes would change the requirements: one would have to keep a tombstone for children that have gone away, so that you know why, so that you know whether to use a reason code and, if so, what reason code to use.

Given this and the other problems you listed, I do not think it would be productive to extend the CRL profile to allow reason codes, at least not at this time. I can see revisiting the issue after we have some operational experience, but I see little value in opening this can of worms at this time.

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
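Added example, not part of the sidr thread and not code from any IETF or RPKI implementation: since the discussion above is about keeping reason codes out of the CRL profile, this is the kind of conformance check a relying party or a CA's own test suite could run over the revokedCertificates list of a CRL, flagging every entry that carries a CRLReason entry extension (RFC 5280 id-ce-cRLReasons, OID 2.5.29.21). The DER encoder/decoder helpers, the `encode_entry`/`entries_with_reason_codes` function names and the three sample entries are all constructed here so the block runs on the Python standard library alone; no actual RPKI CRL is used.

```python
# Added example (not from the sidr thread): flag CRL entries that carry a
# CRLReason extension, using a minimal hand-rolled DER encoder/decoder.
# All sample data below is constructed; function names are this example's own.

CRL_REASON_OID = "2.5.29.21"  # id-ce-cRLReasons, RFC 5280 section 5.3.1
REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                3: "affiliationChanged", 4: "superseded",
                5: "cessationOfOperation", 6: "certificateHold",
                8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    """Minimal positive INTEGER encoding (serial numbers are non-negative)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() // 8) + 1, "big"))


def _oid_body(dotted):
    """Base-128 arc encoding of a dotted OID, without the tag/length header."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def encode_entry(serial, utc_time, reason=None):
    """One revokedCertificates entry; CRLReason is attached only if given."""
    body = _der_int(serial) + _tlv(0x17, utc_time.encode("ascii"))  # UTCTime
    if reason is not None:
        # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING { ENUMERATED } }
        ext = _tlv(0x30, _tlv(0x06, _oid_body(CRL_REASON_OID))
                   + _tlv(0x04, _tlv(0x0A, bytes([reason]))))
        body += _tlv(0x30, ext)  # crlEntryExtensions
    return _tlv(0x30, body)


def encode_revoked_list(entries):
    """revokedCertificates ::= SEQUENCE OF entry."""
    return _tlv(0x30, b"".join(entries))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def entries_with_reason_codes(revoked_der):
    """Map serial -> reason name for every entry carrying a CRLReason extension."""
    tag, entries, _ = _read_tlv(revoked_der, 0)
    if tag != 0x30:
        raise ValueError("revokedCertificates must be a SEQUENCE")
    flagged = {}
    for _, entry in _iter_tlvs(entries):
        fields = list(_iter_tlvs(entry))
        serial = int.from_bytes(fields[0][1], "big", signed=True)
        if len(fields) < 3:          # no crlEntryExtensions: conformant entry
            continue
        for _, ext in _iter_tlvs(fields[2][1]):
            parts = list(_iter_tlvs(ext))
            if parts[0][1] == _oid_body(CRL_REASON_OID):
                _, enum_val = next(_iter_tlvs(parts[-1][1]))  # extnValue payload
                code = int.from_bytes(enum_val, "big")
                flagged[serial] = REASON_NAMES.get(code, "code %d" % code)
    return flagged


# Constructed sample: one plain entry and two entries carrying reason codes.
SAMPLE_REVOKED = encode_revoked_list([
    encode_entry(0x1001, "091015192835Z"),
    encode_entry(0x1002, "091015192835Z", reason=5),   # cessationOfOperation
    encode_entry(0x1003, "091015192835Z", reason=4),   # superseded
])


def check_sample():
    return entries_with_reason_codes(SAMPLE_REVOKED)


if __name__ == "__main__":
    for serial, reason in check_sample().items():
        print("serial %#x carries CRLReason %s" % (serial, reason))
```

A validator enforcing a profile that forbids entry extensions would reject a CRL for which this function returns a non-empty result; the same walk can be extended to flag any other entry extension simply by dropping the OID comparison.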
