>Strictly entre nous, I don't get a strong sense from the text that >entering into such an arrangement is an obvious and foolish mistake >:-} Unlike, for example, an ISP using its own key to proxy sign for a >customer, which is "considered a bad idea". > >Chris
If an ISP (or IXP/RS) and its customer feel strongly that they have a long trusted relationship, and they are comfortable with this type of arrangement (outside of BGPSEC but still only to allow them to perform BGPSEC more efficiently or with lower cost), what good does it do to tell them that they are making "an obvious and foolish mistake"? They also know that the customer can revoke the EE cert and annul the router (or RS)-specific private key if the relationship ends or trust is compromised (Section 6.6.2). Having said that, I respect Randy's viewpoint (and yours -- seems you are in agreement). There is no conflict here since it is not about BGPSEC protocol specification. This is about operational best practices. We can revise Section 6.6 to put greater emphasis on the "cons" part of it. Sriram ________________________________________ _______________________________________________ sidr mailing list [email protected] https://www.ietf.org/mailman/listinfo/sidr
