[apwg-chairs] Re: [ca-tf] Certification-Policy Proposal - next steps?
Nigel Titley nigel.titley at uk.easynet.net
Fri Mar 26 17:30:09 CET 2010
On Fri, 2010-03-26 at 11:15 +0100, Sander Steffann wrote:
> Hi,
>
> > I must observe that none of the secure routing drafts say "you must reject an invalid signed route" -- they only affect the preferences in best path selection. That is a big difference, as revoking a certificate does _not_ tell anyone they should drop that announcement, merely that it's not as attractive as others may be.
> >
> > And even that only applies to direct path selection in the routers themselves, they have got nothing to do with filter constructions, where the choice is 100% up to the individual ISPs.
>
> This is what the community needs to hear. If everybody understands this there will be a lot less resistance.

I think that this has always been understood by anyone that actually takes the trouble. However, for those ISPs who *don't* understand, rather like those people who apply RBL filters without understanding them, there is always the good chance that unsigned/invalidly signed prefixes will be dropped.

However, I think if we take the action to generate BCP documents to aid the, err..., more technically challenged ISPs out there, as and when the secure routing stuff starts to appear then we will soothe fears greatly, as Sander says.

Nigel