Ok, so I misunderstood RFC6486:

"A manifest is a signed object that enumerates all the signed objects
(files) in the repository publication point (directory) that are
associated with an authority responsible for publishing at that
publication point."

RFC6488:
"Other information assertions about
resources are expressed via digitally signed, non-X.509 data
structures that are referred to as "signed objects" in the RPKI
context."

So, in the first sentence, "signed object" means all files which were signed by the CA instance and not an RPKI signed object as in the second one?!

Thank you for your answers.

Kind regards

Demian

On 03.03.2014 17:44, Andrew Chi wrote:
All of these are detectable.

On Mon, Mar 3, 2014 at 11:08 AM, Demian Rosenkranz
<drose...@smail.inf.h-brs.de> wrote:


    ... a CA certificate and all files underneath that certificate, the
    rp software WOULDN'T recognize anything. So the whole structure
    underneath that certificate would be invalid.


CA certs are listed by the manifest that sits in the same publication
point (directory).  In addition, the cert's SIA contains a URI for all
of the "children."  If the CA cert were present but "all files
underneath" were missing, the RP software would at the very least log a
failure to fetch the child directory.


    ... a Router certificate, the RP WOULDN'T recognize it, because it
    isn't listed in any other file.


A manifest will cover anything in the directory (except itself), so that
should include router certs.


_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
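
The manifest check discussed in this thread, as an added example that is not part of the original messages or of any RP software: it compares the objects fetched from a publication point against the manifest's fileList (file name plus SHA-256 hash) and reports missing, altered and unlisted files. It assumes the manifest has already been validated and decoded into a name-to-hash mapping; the function names, file names and contents are constructed.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_publication_point(file_list, fetched, manifest_name):
    """Compare fetched objects with a manifest's fileList.

    file_list: {file name: SHA-256 hex} decoded from a validated manifest (assumed)
    fetched:   {file name: bytes} actually retrieved from the publication point
    """
    findings = {"missing": [], "hash_mismatch": [], "unlisted": []}
    for name, expected in sorted(file_list.items()):
        if name not in fetched:
            # Listed but absent: a deleted or withheld object is detectable.
            findings["missing"].append(name)
        elif sha256_hex(fetched[name]) != expected:
            # Present, but not the bytes the CA listed (stale or altered).
            findings["hash_mismatch"].append(name)
    for name in sorted(fetched):
        # The manifest covers everything in the directory except itself.
        if name != manifest_name and name not in file_list:
            findings["unlisted"].append(name)
    return findings


def build_sample():
    """Constructed publication point: CA cert, router cert, ROA and CRL."""
    published = {
        "child-ca.cer": b"constructed CA certificate bytes",
        "router-64496.cer": b"constructed router certificate bytes",
        "roa-1.roa": b"constructed ROA bytes",
        "ca.crl": b"constructed CRL bytes",
    }
    file_list = {name: sha256_hex(data) for name, data in published.items()}
    fetched = dict(published)
    fetched["ca.mft"] = b"constructed manifest bytes"  # the manifest itself
    del fetched["router-64496.cer"]                    # object went missing
    fetched["roa-1.roa"] = b"different ROA bytes"      # content changed
    fetched["stray.roa"] = b"object not on the manifest"
    return file_list, fetched


if __name__ == "__main__":
    fl, got = build_sample()
    for kind, names in check_publication_point(fl, got, "ca.mft").items():
        print(f"{kind}: {names}")
```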
