Hi all, I wanted to ask how others feel about having resource certificates that say: "no resources certified."
We have a use case for this at the RIPE NCC. It may happen (for various reasons) that a member who formerly had a resource certificate issued by us no longer holds any certifiable resources. We can of course revoke all existing resource certificates and not issue a new one. But... I feel this is confusing to RPs. In particular, RPs may assume, wrongly, that we just forgot to issue a new cert. It's much clearer to have a new certificate that says "no resources".

But it seems this is not allowed by the res-cert draft: we MUST include at least one of "an IP Resources extension, an AS Resources extension", as described here: http://tools.ietf.org/html/draft-ietf-sidr-res-certs-18#section-4.9.10

And that inclusion of an "IPAddressFamily" only gives us the option to either: (1) include a specific resource (range) of that type, or (2) inherit from the issuer, as described here: http://tools.ietf.org/html/rfc3779#section-2.2.3

So, we cannot legally issue a new resource certificate that says: "no resources".

As far as I can tell this is perfectly legal to do under RFC 3779: just don't include any "IPAddressFamily"; use a "SEQUENCE OF" with length 0.

So, to re-state my question: do others also see a use case for resource certs that have no resources? And if so, could section 4.9.10 of the res-cert draft be reworded: MUST -> MAY.

Regards,

Tim Bruijnzeels
Senior Software Developer
RIPE NCC

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
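The three encodings the post contrasts, as an added example that is not part of Tim's message or of any RIPE NCC software: a minimal DER encoder and reader for the RFC 3779 IPAddrBlocks extension, producing a specific prefix, an "inherit" family, and the zero-length SEQUENCE OF (two bytes, 30 00) that the post proposes for "no resources", plus a relying-party check that tells the three cases apart. All function names are this example's own; the encoder covers prefixes only, not addressRange.

```python
import ipaddress

AFI = {4: b"\x00\x01", 6: b"\x00\x02"}  # IANA address family numbers for IPv4 and IPv6

def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV (short or long length form)."""
    n = len(body)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next position) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_prefix(prefix: str) -> bytes:
    """IPAddress ::= BIT STRING whose bit length equals the prefix length (RFC 3779 2.2.3.8)."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    addr = int(net.network_address).to_bytes(net.max_prefixlen // 8, "big")[:nbytes]
    return _der(0x03, bytes([nbytes * 8 - net.prefixlen]) + addr)

def encode_family(version: int, prefixes=None) -> bytes:
    """IPAddressFamily: OCTET STRING afi + CHOICE { inherit NULL | SEQUENCE OF IPAddressOrRange }."""
    choice = _der(0x05, b"") if prefixes is None else _der(0x30, b"".join(map(encode_prefix, prefixes)))
    return _der(0x30, _der(0x04, AFI[version]) + choice)

def encode_ip_addr_blocks(families) -> bytes:
    """IPAddrBlocks ::= SEQUENCE OF IPAddressFamily; an empty list yields just the two bytes 30 00."""
    return _der(0x30, b"".join(families))

def classify(ext_value: bytes) -> str:
    """Relying-party view of the extension: 'none', 'inherit', 'explicit' or 'explicit+inherit'."""
    tag, families, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("IPAddrBlocks must be a SEQUENCE")
    if not families:
        return "none"                # zero-length SEQUENCE OF: certificate holds no IP resources
    kinds, pos = set(), 0
    while pos < len(families):
        _, fam, pos = _read_tlv(families, pos)
        _, _afi, p = _read_tlv(fam, 0)          # addressFamily OCTET STRING, not needed here
        choice_tag, _, _ = _read_tlv(fam, p)
        kinds.add("inherit" if choice_tag == 0x05 else "explicit")
    return "+".join(sorted(kinds))
```

A relying party that sees "none" can distinguish a deliberately empty certificate from a revoked one with no successor, which is the ambiguity the post describes.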
