Steve, thanks for your note.

I realize the certificate resource profile document has been approved, but I'd still like to understand what is happening here. I'm having trouble reconciling the new text you've added to the document with draft-ietf-sidr-signed-object.

> 2- During phase 2 CAs MUST issue certificates under the new profile, and these certificates MUST co-exist with certificates issued under the old format. (CAs will continue to issue certificates under the old OID/format as well.) The old and new certificates MUST be identical, except for the policy OID and any new extensions, encodings, etc. Relying parties MAY make use of the old or the new certificate formats when processing signed objects retrieved from the RPKI repository system. During this phase, a relying party that elects to process both formats will acquire the same values for all certificate fields that overlap between the old and new formats. Thus if either certificate format is verifiable, the relying party accepts the data from that certificate. This allows CAs to issue certificates under

However, when I look at section 2.1.4 in the signed-object document, the signer can only include one certificate. How does that work during phase 2 when some of the RPs support the new format and some only support the old format? Your text above suggests that RPs grab the certificates from the RPKI repository, but it seems at least for end entity certificates they are included in the signed object. What happens for end entity certificates during this form of upgrade?