At 12:02 PM -0400 4/25/11, Sam Hartman wrote:
> However, when I look at section 2.1.4 in the signed-object document,
> the signer can only include one certificate.
> How does that work during phase 2 when some of the RPs support the new
> format and some only support the old format?
> Your text above suggests that RPs grab the certificates from the RPKI
> repository, but it seems at least for end entity certificates they are
> included in the signed object.
> What happens for end entity certificates during this form of upgrade?
Yes, only one cert is associated with an RPKI signed object, and yes,
this cert is embedded in the signed object format. So, when a new
cert is issued, using a new format, the object itself is changed.
Thus, the text describing Phase 2 is saying that there will be
parallel instances of certs, CRLs, and signed objects in the RPKI
repository system, associated with the old and new cert/CRL formats.
I could add a sentence or two making this explicit, and referring the
reader to the phased transition strategy used for algorithm
transition in the RPKI, and described in
draft-sidr-algorithm-agility. The reference would be informative, as
this I-D is still in development and I don't want to hold up the
progress of the rest of the SIDR docs.
Let me know if this addresses your question.
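The exchange above turns on the fact that an RPKI signed object embeds exactly one EE certificate in its CMS SignedData envelope. As an added example (not code from this thread or from any RPKI implementation), here is a relying-party-side check that walks the DER of the ContentInfo/SignedData and verifies the [0] certificates field holds exactly one certificate. The DER helpers are hand-rolled, and the sample object is constructed: its certificate, eContentType OID (1.2.3.4), digestAlgorithms and signerInfos are placeholders, not real RPKI values.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2


def der_encode(tag: int, value: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_decode(data: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(data: bytes):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(data):
        tag, val, pos = der_decode(data, pos)
        out.append((tag, val))
    return out


def embedded_certificates(signed_object: bytes):
    """Return the DER certificates found in SignedData's [0] certificates field."""
    tag, content_info, _ = der_decode(signed_object)
    (oid_tag, oid), (ctx_tag, ctx) = der_children(content_info)
    if tag != 0x30 or (oid_tag, oid) != (0x06, OID_SIGNED_DATA) or ctx_tag != 0xA0:
        raise ValueError("not a CMS SignedData ContentInfo")
    [(_, signed_data)] = der_children(ctx)
    # SignedData ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                           [0] certificates OPTIONAL, [1] crls OPTIONAL, signerInfos }
    certs = [v for t, v in der_children(signed_data) if t == 0xA0]
    return [der_encode(t, v) for t, v in der_children(certs[0])] if certs else []


def has_exactly_one_ee_cert(signed_object: bytes) -> bool:
    """The section 2.1.4 rule an RP enforces: exactly one embedded (EE) certificate."""
    return len(embedded_certificates(signed_object)) == 1


def build_sample(num_certs: int) -> bytes:
    """Constructed sample object; the 'certificate' is a placeholder SEQUENCE, not X.509."""
    placeholder_cert = der_encode(0x30, der_encode(0x04, b"placeholder EE cert, not a real X.509"))
    body = (der_encode(0x02, b"\x03")                                   # version 3
            + der_encode(0x31, b"")                                      # digestAlgorithms (empty placeholder)
            + der_encode(0x30, der_encode(0x06, b"\x2a\x03\x04")))       # encapContentInfo, placeholder OID 1.2.3.4
    if num_certs:
        body += der_encode(0xA0, placeholder_cert * num_certs)          # [0] certificates
    body += der_encode(0x31, b"")                                        # signerInfos (empty placeholder)
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, der_encode(0x30, body)))
```

During the phase 2 transition described above, an RP would apply this same check to whichever parallel instance of the object it can validate; the count rule does not depend on the certificate format in use.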