Andrew Chi wrote:
> On 9/16/2010 10:04 AM, Tim Bruijnzeels wrote:
>
>> So, we can not legally issue a new resource certificate that says: "no
>> resources". As far as I can tell this is perfectly legal to do under
>> rfc3779: just don't include any "IPAddressFamily"; use a "SEQUENCE OF"
>> with length 0.
>
> True. Currently, draft-ietf-sidr-res-certs-18 leaves the loophole that even if an IP Resources extension is present, it can have length 0.
>
> If we decide to disallow certs with no resources, we should eliminate this loophole by rewording the appropriate sentences in 4.9.10 and 4.9.11 to something like: "All Resource Certificates MUST include a non-empty IP Resources extension, a non-empty AS Resource extension, or both."

This made me go and look at what draft-ietf-sidr-roa-format says about how many need to be present. What it says is that "one or more IP address prefixes that will be advertised". Should we make the ASN.1 match this? That is:

OLD:

 ipAddrBlocks SEQUENCE OF ROAIPAddressFamily }

NEW:

 ipAddrBlocks SEQUENCE (SIZE(1..MAX)) OF ROAIPAddressFamily }

and

OLD:

 addresses SEQUENCE OF ROAIPAddress }

NEW:

 addresses SEQUENCE (SIZE(1..MAX)) OF ROAIPAddress }

spt
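As an added illustration of the two points discussed in this thread (not code from the draft authors or the sidr working group), the following Python walks the DER encoding of a RouteOriginAttestation and reports where the proposed SIZE(1..MAX) constraints on ipAddrBlocks and addresses would be violated; a second helper flags the rfc3779 loophole of an IP Resources extension whose IPAddrBlocks value is a zero-length SEQUENCE OF. The nesting of asID, addressFamily and address follows draft-ietf-sidr-roa-format as the message quotes it; the sample ROAs are constructed here and the AS number and prefix are made up.

```python
# Minimal DER walker for checking the non-empty constraints proposed above.
# Example code, not the draft's reference implementation. Assumed structure
# (draft-ietf-sidr-roa-format):
#   RouteOriginAttestation ::= SEQUENCE { version [0] INTEGER DEFAULT 0,
#       asID INTEGER, ipAddrBlocks SEQUENCE OF ROAIPAddressFamily }
#   ROAIPAddressFamily ::= SEQUENCE { addressFamily OCTET STRING (SIZE(2..3)),
#       addresses SEQUENCE OF ROAIPAddress }
#   ROAIPAddress ::= SEQUENCE { address BIT STRING, maxLength INTEGER OPTIONAL }

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING = 0x30, 0x02, 0x03, 0x04
VERSION_TAG = 0xA0  # [0] EXPLICIT context tag for the version field


def der_read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(content):
    """Split the content octets of a constructed element into (tag, body) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = der_read_tlv(content, pos)
        out.append((tag, body))
    return out


def check_roa_sizes(roa_der):
    """Return the SIZE(1..MAX) violations found in a ROA (empty list means none)."""
    tag, content, end = der_read_tlv(roa_der, 0)
    if tag != SEQUENCE or end != len(roa_der):
        raise ValueError("RouteOriginAttestation must be a single SEQUENCE")
    fields = der_children(content)
    if fields and fields[0][0] == VERSION_TAG:  # version is DEFAULT, may be absent
        fields = fields[1:]
    if len(fields) != 2 or fields[0][0] != INTEGER or fields[1][0] != SEQUENCE:
        raise ValueError("expected asID INTEGER followed by ipAddrBlocks SEQUENCE")
    problems = []
    families = der_children(fields[1][1])
    if not families:
        problems.append("ipAddrBlocks is empty (violates SIZE(1..MAX))")
    for ftag, fbody in families:
        if ftag != SEQUENCE:
            raise ValueError("ROAIPAddressFamily must be a SEQUENCE")
        parts = der_children(fbody)
        if len(parts) != 2 or parts[0][0] != OCTET_STRING or parts[1][0] != SEQUENCE:
            raise ValueError("malformed ROAIPAddressFamily")
        afi = parts[0][1]
        if not der_children(parts[1][1]):
            problems.append(f"addresses is empty for AFI {afi.hex()} (violates SIZE(1..MAX))")
    return problems


def ip_resources_extension_is_empty(ipaddrblocks_der):
    """True when an rfc3779 IPAddrBlocks value is a SEQUENCE OF with length 0."""
    tag, content, end = der_read_tlv(ipaddrblocks_der, 0)
    if tag != SEQUENCE or end != len(ipaddrblocks_der):
        raise ValueError("IPAddrBlocks must be a single SEQUENCE")
    return len(der_children(content)) == 0


# --- constructed sample data (made up for this example) -----------------------
def _tlv(tag, body):
    """DER-encode one TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lenbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body


def _int(value):
    """DER INTEGER with the leading zero octet DER requires for high-bit values."""
    return _tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _family(afi, addresses):
    return _tlv(SEQUENCE, _tlv(OCTET_STRING, afi) + _tlv(SEQUENCE, b"".join(addresses)))


def _roa(as_id, families):
    return _tlv(SEQUENCE, _int(as_id) + _tlv(SEQUENCE, b"".join(families)))


# 10.0.0.0/8 as an rfc3779 IPAddress BIT STRING: 0 unused bits, one octet 0x0A
PREFIX_10_8 = _tlv(SEQUENCE, _tlv(BIT_STRING, b"\x00\x0a"))
AFI_IPV4 = b"\x00\x01"

ROA_OK = _roa(64496, [_family(AFI_IPV4, [PREFIX_10_8])])   # one family, one prefix
ROA_NO_FAMILIES = _roa(64496, [])                           # ipAddrBlocks empty
ROA_EMPTY_ADDRESSES = _roa(64496, [_family(AFI_IPV4, [])])  # addresses empty
EMPTY_IPADDRBLOCKS = b"\x30\x00"                            # the rfc3779 loophole

if __name__ == "__main__":
    for name, roa in [("ok", ROA_OK), ("no families", ROA_NO_FAMILIES),
                      ("empty addresses", ROA_EMPTY_ADDRESSES)]:
        print(name, check_roa_sizes(roa) or "passes SIZE(1..MAX)")
    print("empty IPAddrBlocks:", ip_resources_extension_is_empty(EMPTY_IPADDRBLOCKS))
```

The two checks are independent on purpose: a relying party that adopts the SIZE(1..MAX) wording would reject ROA_NO_FAMILIES and ROA_EMPTY_ADDRESSES at decode time, while the certificate-side loophole (an IP Resources extension that is present but encodes no IPAddressFamily) has to be caught separately when the resource certificate's extensions are inspected.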
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
