Hi Steve, Thanks for your comments.
I tried to extract the most relevant for discussion on text format. 1) Section 2: RFC 6487 limitation to multiple Repository Publication Points. Comment: "6487 says that, for AIA: In this profile, a single reference to the publication point of the immediate superior certificate MUST be present, …That RFC later says that it’s OK to have other types of accessMethods, which contradicts the earlier text. In any case, the latter text prohibits multiple instances of the same method (e.g., rynch) so …" (Roque) In summary, RFC 5280 allows multiple "accessMethod + accessLocation". However, RFC 6487 has the contradiction that you pointed out that would prevent not only multiple Repository Publication Points but also for the AIA to allow RSYNC + HTTP support (something we have commented in this list). Although we know that today the AIA has in practice little use, I think we would need to update RFC 6487 in the text to remove the reference to the "single reference". 2) Section 3: "In order to increase robustness, It is RECOMMENDED that a different FQDN could be resolved to IP addresses included in ROA objects from different CAs and hosted in diverse Repository Publication Points." Comment:"I can’t understand the latter part of this sentence." (Roque) The idea is that the different FQDN: rpki.operator1.org, rpki.operator2.net resolve respectively to IP1 and IP2 addresses. So, those two addresses are recommended to be covered by different ROAs, even administrated by different CAs. Again, the idea is to increase diversity and to avoid any sort of circular dependency. 3) Section 3.2 "A RP can use different rules to select the URI from which to fetch the Trust Anchor certificate." Comment: "Is this a good recommendation?" (Roque) The idea here was to imitate the DNS behavior and let the RP to have their "secret sauce" to chose the operator. Normally what you want is to chose the closest one, that is why in DNS you keep track of the response time from the different servers. Regards, Roque On Jul 17, 2012, at 8:16 PM, Stephen Kent wrote: > I'm in favor of a doc that describes ways for CAs to take advantage of > multiple publication points for RPKI data, but I have a number of comments on > the specific proposals in this doc. See the attached file for > edits and comments. > > Steve > <draft-rogaglia-sidr-multiple-publication-points-00.pdf>_______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr _______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
