As a newly-added co-author of this document, I obviously share the
concerns expressed in Section 3.

Although it can be argued that these issues could be worked around by
careful coordination among all involved CAs when any change is to be
performed on resource sets included in CA certificates, these
coordination steps are only viable when only a few CAs are involved.

Moreover, I believe that in a scenario where the Internet comes to see
any significant deployment of the RPKI Provisioning Protocol this
coordination becomes more and more difficult and the chances for
possible brokenness in some limbs of the RPKI tree at a particular
point in time will be rather high.

This is clearly not acceptable, and I believe the SIDR standards need to
be engineered for resiliency as much as for security.

In Section 4 two possible paths forward are proposed. The first option
presents a simple, understandable and workable alternative that, as Tim
has already mentioned, can be implemented by relying parties in a short
period of time.

Warm regards,

-Carlos

On 7/1/14, 10:27 PM, internet-dra...@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
>  This draft is a work item of the Secure Inter-Domain Routing Working Group 
> of the IETF.
> 
>         Title           : RPKI Validation Reconsidered
>         Authors         : Geoff Huston
>                           George Michaelson
>                           Carlos M. Martinez
>                           Tim Bruijnzeels
>                           Andrew Lee Newton
>                           Alain Aina
>       Filename        : draft-ietf-sidr-rpki-validation-reconsidered-00.txt
>       Pages           : 10
>       Date            : 2014-07-01
> 
> Abstract:
>    This document reviews the certificate validation procedure specified
>    in RFC6487 and highlights aspects of potentially acute operational
>    fragility in the management of certificates in the RPKI in response
>    to the movement of resources across registries, and the associated
>    actions of Certification Authorities to maintain continuity of
>    validation of certification of resources during this movement.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-00
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
> 
