Tim Bruijnzeels wrote on 01/12/15 14:55: > Hi Andrei > >> On 01 Dec 2015, at 12:04, Andrei Robachevsky <andrei.robachev...@gmail.com> >> wrote: >> >> Tim Bruijnzeels wrote on 26/11/15 13:29: >>> Please note that for ROAs there is a requirement that all ROA >>> prefixes are included on the EE certificate of the (ROA) signed >>> object CMS. This proposal does not change this. A ROA that has >>> prefixes that were removed for whatever reason higher in the path >>> would still become invalid using this algorithm. >> >> Tim, I am not sure I understand this. If the parent of the EE cert has a >> shrunken set of resources, will it invalidate the EE or only the >> non-overlapping subset? > > If the parent has a shrunken resource set this would lead to the EE > certificate being accepted only for the intersection of its resources, and > the parent. Because there is a requirement that all prefixes on a ROA are > included (and accepted in reconsidered) in the resource set of the EE > certificate the ROA will be considered invalid. >
Thank you Tim, this makes sense. Otherwise we will be changing the semantics of ROA, which is tricky. Could you please point me to the place where the requirement is specified? > To avoid this it would be better to create one ROA per prefix and avoid fate > sharing. That way only the ROA(s) for the prefix(es) that are no longer held > by the (grand)parent(s) are affected. > Right. Thanks, Andrei > Tim > >> >> Andrei >> >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
