Re: RPKI and private keys (was RE: Interim Meeting Draft Agenda: 04-30-2012 (April 30, 2012)))

by randyb

> "From there, we can discuss the issue of, for example, HOW TO onboard
>  and purge signing and validating certificates to routers from the RPKI
>  [I suspect the intention was to use rpki-rtr protocol for this, but it
>  doesn't currently support it, nor are the security implications clear]."

it is very hard to understand this, but this is my guess.

certificates do not sign, keys do, and not the public keys which are in
the certificates, but the corresponding private keys.

the public keys used to validate bgpsec signatures are in router ee
certs in the rpki.  indeed some of the router ee cert's data will need
to be in validating routers.  indeed there currently is no specification
for how this is done.  indeed, the rpki-rtr protocol could be extended
to do this, should be trivial.

but, until we have the bgpsec protocol nailed down a bit further, this
would be premature.

and i have said this at least once before, though possibly in private
email to danny.

randy
_______________________________________________
sidr mailing list
sidr@...
https://www.ietf.org/mailman/listinfo/sidr