
Re: [secdir] Secdir review of draft-ietf-sidr-res-certs

2011-04-17 08:27:55
Steve,
Two things:


(1) Given the variable amount of time it takes to get RFCs
issued/published after IESG signoff, are you and the WG sure
that you want to tie the phases of the phase-in procedure to RFC
publication?

(2) There is an incomplete sentence at the end of (2): "This
allows CAs to issue certificates under" (more context below).

   john



--On Friday, April 15, 2011 14:45 -0400 Stephen Kent
<kent(_at_)bbn(_dot_)com> wrote:

      2- During phase 2 CAs MUST issue certificates under the new
profile, and these certificates MUST co-exist with
certificates issued under the old format. (CAs will continue
to issue certificates under the old OID/format as well.) The
old and new certificates MUST be identical, except for the
policy OID and any new extensions, encodings, etc. Relying
parties MAY make use of the old or the new certificate formats
when processing signed objects retrieved from the RPKI
repository system. During this phase, a relying party that
elects to process both formats will acquire the same values
for all certificate fields that overlap between the old and
new formats. Thus if either certificate format is verifiable,
the relying party accepts the data from that certificate. This
allows CAs to issue certificates under

      3- At the beginning of phase 3, all relying parties MUST be
capable of processing certificates under the new format.
...
