Re: Secdir review of draft-ietf-sidr-res-certs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3/10/11 9:37 AM, Sam Hartman wrote:
The document also requires that relying parties reject certificates that
include unknown extensions. The rationale explained in section 8 is that
it is undesirable to have a situation where if an RP implemented more
extensions it would reject certificates that a more minimal RP would
accept.
In other words the profile picks security and minimalism over
extensibility.

This statement is too narrow, and it causes your analysis to come to a too narrow conclusion. The profile picks security and minimalism over extensibility *of this profile only*. If a flaw is later found that requires an extension, that extension will be written up in a standards-track document that will obsolete this profile. An implementation that conforms to that new profile will use the extension. Thus, errors can be corrected with new profiles, and the RPKI will have multiple profiles running on it, just as the Internet has multiple versions of some protocols running on it.

--Paul Hoffman
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]