> 在 2015年12月2日,18:23,Geoff Huston <gih...@gmail.com> 写道:
>
>
>
> Example 2:
>
> A CA Cert: 1.0.0.0/24, 2.0.0.0/24
>
> issues:
>
> B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24
>
> issues:
>
> C EE Cert: 1.0.0.0/24, 2.0.0.0/24
>
> and signs
>
> ROA: 1.0.0.0/24 AS1
>
> still all good (assuming that A is a trust anchor)
>
> Example 3:
>
> A CA Cert: 1.0.0.0/24, 2.0.0.0/24
>
> issues:
>
> B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24
>
> issues:
>
> C EE Cert: 1.0.0.0/24, 3.0.0.0/24
>
> and signs
>
> ROA: 1.0.0.0/24 AS1
>
> still all good (assuming that A is a trust anchor)
Geoff,
In section 2.3 of RFC 6480, the very text says:
For ROAs and manifests, there will be a one-to-one correspondence
between end-entity certificates and signed objects, i.e., the private
key corresponding to each end-entity certificate is used to sign
exactly one object, and each object is signed with only one key.
Due to the so-called one-to-one, why bother to create an EE cert that has more
INR than its corresponding ROA?
Sorta confused.
Di
>
> Example 4:
>
> A CA Cert: 1.0.0.0/24, 2.0.0.0/24
>
> issues:
>
> B CA Cert: 1.0.0.0/24, 2.0.0.0/24, 3.0.0.0/24
>
> issues:
>
> C EE Cert: 1.0.0.0/24, 3.0.0.0/24
>
> and signs
>
> ROA: 1.0.0.0/24, 3.0.0.0/24 AS1
>
> invalid ROA
>
> (or at least that’s my opinion of what should happen. My assumption here is
> that the ROA IS intentionally a collection of resources where the entirety of
> the collection is important, so if all elements of the collection cannot be
> validated via the ROA’s EE certificate then its a dud ROA.)
>
>
>
>>
>> Under validation-reconsidered, we would need to make sure this section said
>> something about the validity of the resources in the valid EE cert.
>
>
> I don’t think its a question of the EE cert, but the question of section 4 of
> RFC6482 and what validation of the ROA means.
>
>>
>> Just in case it is not obvious:
>>
>> Suppose the EE cert always contained more resources than the ROA mentioned.
>
>
> which is ok today under RFC6482
>
>>
>> Suppose the ROA did not mention the resources that were removed. In that
>> case the shrinking of the parent causes a shrinking of the set of resources
>> that are contained in the EE cert that are considered valid under
>> validation-reconsidered. The valid subset of the resources contained in the
>> valid EE cert (i.e., the shrunken resources) would still cover the resources
>> mentioned in the ROA. So a ROA whose resources were contained exclusively
>> within the retained resources would be valid. (I would say that’s good.)
>
>
> i.e. thats like my example 3 above, so I agree thats good from where I sit as
> well.
>
>>
>> —Sandy, speaking as regular ol’ member
>>
>> (We’ve overloaded “Valid” a couple of different ways valid certs, valid
>> ROAs, valid origins, valid Signature_Blocks, …) - it might be nice to
>> readers and users to come up with a different adjective here for the subset
>> of the resources that are contained within the certificate, rather than yet
>> another use of “valid”. Before we have to talk about valid certs with
>> invalid resources.)
>>
>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr