At Mon, 13 Mar 2017 10:55:56 +0100, Tim Bruijnzeels <t...@ripe.net> wrote:
>
> Hi,
>
> So, to me it seems that having new OIDs makes perfect sense as long as
> there is a choice of two validation algorithms. Then having an
> explicit flag set by CAs tells RPs to decide which way to go. Because of
> this I also do not see an immediate need to have a time line for all
> CAs to use the new protocol for all its products. It's all explicit.
I was thinking that today code for CA/RP doesn't understand (mostly) the 'new' way. Tomorrow 'some' of the CA/RP world will shift to being able to do both ways. So, until all of the CA/RP software is updated and deployed, CAs can't make new OID/validation content and expect them to be respected. I expect a transition to the new validation algorithm (for even a single CA) will have to wait until this point in time.

Once there are new and old validation algorithm data available, a CA probably should flush the 'old' and publish the 'new'.

I think Tim's correct that an RP can see: "Oh, new OID here, run new algorithm!" and be perfectly fine... but, having 2 versions of the validation algorithm and seeing published data for both OID sets for a single prefix/publication bundle will be very problematic. There's no prescribed 'prefer new over old' action here, so a CA must only publish one version of their data.

-chris

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
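The RP-side behaviour discussed above, as an added example that is not part of the thread: an RP dispatches on the explicit certificate policy OID the CA set, runs the matching resource-validation algorithm, and flags a publication bundle that mixes both OID sets, the case Chris calls problematic because no 'prefer new over old' rule exists. The thread names no OID values; the ones below are assumed from RFC 6484 (original policy) and RFC 8360 (validation reconsidered, still a draft when this was written), and the difference between the two algorithms (whole-certificate rejection versus trimming of overclaimed resources) is likewise taken from those documents, not from the thread. The bundle contents and prefixes are constructed.

```python
"""Toy RP model: choose the RPKI validation algorithm by policy OID and
detect a publication bundle that mixes both OID sets.
Constructed example; OID values and algorithm semantics are assumed
from RFC 6484 / RFC 8360, not taken from the mailing-list thread."""
import ipaddress

# Certificate policy OIDs (assumed: RFC 6484 id-cp-ipAddr-asNumber and
# RFC 8360 id-cp-ipAddr-asNumber-v2).
OLD_POLICY_OID = "1.3.6.1.5.5.7.14.2"
NEW_POLICY_OID = "1.3.6.1.5.5.7.14.3"

ALGORITHM_BY_OID = {
    OLD_POLICY_OID: "rfc6487",
    NEW_POLICY_OID: "validation-reconsidered",
}


def select_algorithm(policy_oid):
    """Dispatch on the explicit OID the CA set. An unknown OID is an
    error: the RP must not guess which algorithm the CA intended."""
    try:
        return ALGORITHM_BY_OID[policy_oid]
    except KeyError:
        raise ValueError(f"unknown certificate policy OID {policy_oid}")


def _covered(prefix, parent_prefixes):
    """True if prefix lies inside some parent prefix of the same family."""
    return any(prefix.subnet_of(p)
               for p in parent_prefixes if p.version == prefix.version)


def validate_child_resources(parent_prefixes, child_prefixes, algorithm):
    """Return (accepted, overclaimed) as lists of prefix strings.

    rfc6487: any overclaim invalidates the whole certificate, so
             nothing is accepted.
    validation-reconsidered: overclaimed prefixes are dropped and the
             covered ones are kept (assumed per RFC 8360)."""
    parent = [ipaddress.ip_network(p) for p in parent_prefixes]
    child = [ipaddress.ip_network(p) for p in child_prefixes]
    accepted = [str(c) for c in child if _covered(c, parent)]
    overclaimed = [str(c) for c in child if not _covered(c, parent)]
    if algorithm == "rfc6487":
        return ([] if overclaimed else accepted, overclaimed)
    if algorithm == "validation-reconsidered":
        return (accepted, overclaimed)
    raise ValueError(f"unknown algorithm {algorithm}")


def check_bundle_policies(bundle):
    """bundle maps object name -> policy OID for one publication point.
    Returns the set of algorithms implied. More than one element is the
    mixed case the thread warns about: the RP has no rule to prefer
    one over the other, so a CA should publish only one version."""
    return {select_algorithm(oid) for oid in bundle.values()}


if __name__ == "__main__":
    # Constructed parent/child resources: the child overclaims 192.0.2.0/24.
    parent = ["10.0.0.0/8", "2001:db8::/32"]
    child = ["10.1.0.0/16", "192.0.2.0/24"]
    for oid in (OLD_POLICY_OID, NEW_POLICY_OID):
        alg = select_algorithm(oid)
        print(oid, alg, validate_child_resources(parent, child, alg))

    # Constructed bundle that publishes both OID sets for one point.
    mixed = {"child-a.cer": OLD_POLICY_OID, "child-b.cer": NEW_POLICY_OID}
    algs = check_bundle_policies(mixed)
    if len(algs) > 1:
        print("mixed bundle, no prefer-new-over-old rule:", sorted(algs))
```

Running it shows the same overclaiming child rejected outright under the old algorithm and trimmed to 10.1.0.0/16 under the new one, and the mixed bundle reported rather than silently resolved.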