
Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

2011-03-10 21:36:31
On Thu, 2011-03-10 at 11:31 -0800, Paul Hoffman wrote:
> for changes that need to change the system's semantics, you
> change the certificates in a way that relying parties that don't
> understand the change won't accept the certificate.

Sure.  The way to do that is to issue a certificate with a critical
extension.  An RP encountering a certificate with a critical extension
it doesn't understand will not accept the certificate.

What the profile does as written is require RPs to treat all extensions
as critical, even if they are not so marked.  That reduces flexibility
without gaining anything in return.  In particular, we don't gain the
ability to make a change that will prevent certificates from being
accepted by RPs that don't understand them, because we already had that.
Steve noted a desire to limit the liability of entities acting as CAs in
the RPKI.  I agree that goal is desirable, and restrictions on what
certificates issued by those CAs can contain help to do that (provided
the CAs actually comply).  However, requiring compliant RPs to treat all
extensions as critical does _not_ help, because an RP which incorrectly
accepts an over-broad RPKI certificate for some other purpose is
probably not an implementation of this profile and thus not bound by the
restriction.
--Jeff
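A small model of the two relying-party policies contrasted above, added here as an illustration and not code from this thread or from any RPKI implementation. The recognized-extension table lists the RFC 5280 and RFC 3779 OIDs a resource certificate carries; the extension lists are constructed, and 1.3.6.1.4.1.99999.1 is a placeholder OID standing in for a hypothetical future extension.

```python
from dataclasses import dataclass
from enum import Enum

# Extensions an RP implementing the resource-certificate profile understands.
KNOWN_EXTENSIONS = {
    "2.5.29.19": "basicConstraints",
    "2.5.29.15": "keyUsage",
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.35": "authorityKeyIdentifier",
    "1.3.6.1.5.5.7.1.7": "ipAddrBlocks",        # RFC 3779
    "1.3.6.1.5.5.7.1.8": "autonomousSysIds",    # RFC 3779
}

# Placeholder OID for a hypothetical future extension (constructed, not real).
FUTURE_OID = "1.3.6.1.4.1.99999.1"


@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool


class Policy(Enum):
    # RFC 5280 section 4.2: reject a certificate only when an extension the RP
    # does not recognize is marked critical; ignore unrecognized non-critical ones.
    RFC5280 = "reject unrecognized critical extensions"
    # The profile as written: every extension not in the profile is fatal,
    # regardless of its criticality bit.
    PROFILE_AS_WRITTEN = "reject any unrecognized extension"


def accept(extensions, policy, known=KNOWN_EXTENSIONS):
    """Return (accepted, reason) for a certificate's extension list under a policy."""
    for ext in extensions:
        if ext.oid in known:
            continue
        if policy is Policy.PROFILE_AS_WRITTEN or ext.critical:
            flag = "critical " if ext.critical else "non-critical "
            return False, f"unrecognized {flag}extension {ext.oid}"
    return True, "all extensions recognized or safely ignorable"


# Constructed extension lists: a baseline RPKI certificate, then the same
# certificate carrying the future extension as non-critical and as critical.
BASELINE = [Extension("2.5.29.19", True), Extension("2.5.29.15", True),
            Extension("2.5.29.14", False), Extension("2.5.29.35", False),
            Extension("1.3.6.1.5.5.7.1.7", True)]
WITH_NONCRITICAL_FUTURE = BASELINE + [Extension(FUTURE_OID, False)]
WITH_CRITICAL_FUTURE = BASELINE + [Extension(FUTURE_OID, True)]


def outcomes(extensions):
    """Map each policy name to whether the certificate is accepted."""
    return {p.name: accept(extensions, p)[0] for p in Policy}
```

Running `outcomes` over the three lists shows the point made in the message: the critical bit alone already lets an issuer force rejection by old RPs, while the profile's all-critical rule additionally forecloses non-critical additions.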
