
Re: secdir review of draft-ietf-csi-send-cert-03

2010-06-02 00:53:16
Hi Richard,
  Removing the stuff we agreed upon.

On 10-05-31 08:22 PM, Richard L. Barnes wrote:
> Hey Suresh,
>
> Most of these comments look OK to me.  Couple of responses inline.
>
> --Richard
>
>>> Sec 6 Para 4
>>> The requirement for RFC 3779 extension seems to contradict the use of ETAs as Trust Anchor Material, i.e., the last sentence of the first paragraph in this section.
>>
>> Good catch. I am not sure how to resolve this. One way would be to specify that the ETA EE certificates are exempt from requiring the RFC3779 extensions. Do you have any suggestions?
>
> I think the rest of the section is clear enough -- the TA material either has to be a self-signed certificate or it has to be an ETA. So maybe you could just delete the phrase "and MUST always refer to a certificate that includes a RFC 3779 address extension"?

Hmm. The ETA certificate itself does not need to have the RFC3779 extension in it, but the relying party needs to fetch an RTA certificate which will contain a RFC3779 extension.


> As an aside, do you want to specify that in the first case (the non-ETA case), the self-signed TA cert MUST conform to the RPKI profile?

Will do.

Thanks
Suresh