At 11:05 AM -0400 5/3/11, Sam Hartman wrote:
> Let me make sure I'm understanding what you're saying. I can have
> multiple ROAs for the same set of prefixes in the repository and valid
> at the same time: one signed by a new certificate and one signed by a
> previous certificate? If so, I think I now begin to understand why the
> SIDR working group believes this is a reasonable strategy.

Yes, that is correct. This is an essential part of the alg transition.

> I guess the only question I'd have remaining is whether ROAs or other
> signed objects are intended to be used in other protocols besides simply
> living in the SIDR repository?

The RPKI repository is designed to support a specific, narrow set of
apps. That's what the CP says, and we try to make these certs unattractive
for other apps, e.g., by use of the non-meaningful names.