Re: [Rescert] Notes from RPKI security review

To: Resource Cert List <rescert@apnic.net>
Subject: Re: [Rescert] Notes from RPKI security review
From: Rob Austein <sra@hactrn.net>
Date: Tue, 19 Jun 2007 21:07:46 -0400
Delivered-to: rescert@clove.apnic.net
In-reply-to: <46787C73.2030309@psg.com>
List-archive: <http://www.apnic.net/mailing-lists/rescert>
List-help: <mailto:rescert-request@apnic.net?subject=help>
List-id: <rescert.apnic.net>
List-post: <mailto:rescert@apnic.net>
List-subscribe: <http://mailman.apnic.net/mailman/listinfo/rescert>, <mailto:rescert-request@apnic.net?subject=subscribe>
List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/rescert>, <mailto:rescert-request@apnic.net?subject=unsubscribe>
References: <20070612212938.1D32222828@thrintun.hactrn.net> <46785C05.4070305@apnic.net> <20070619235532.EBA5622828@thrintun.hactrn.net> <46787159.2060508@psg.com> <20070620003814.AE9B422828@thrintun.hactrn.net> <467879FF.7000506@psg.com> <20070620005932.8141B22828@thrintun.hactrn.net> <46787C73.2030309@psg.com>
User-agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)

At Tue, 19 Jun 2007 15:01:39 -1000, Randy Bush wrote:
> 
> > Cert contqains CRLDP (inserted by cert's issuer) telling me where to
> > look to find out if cert has been revoked.  Whom am I trusting that I
> > should not be trusting, and what makes you think I'm trusting
> > anybody's IRBE?
> 
> you just paid 25 cents to verisign

I think you just jumped to TLS trust anchor management.  Which is
indeed a mess for us at the moment because we have not yet thought it
through, but:

My original observation was also about CRLs for CMS.  We already have
a fairly carefully worked out model for trust anchor management for
our use of CMS, but it says nothing about CRLs.

Follow-Ups:
- [Rescert] Revision of the Up/Down Protocol Spec and XML Schema
  - From: Geoff Huston <gih@apnic.net>

References:
- [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Geoff Huston <gih@apnic.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Randy Bush <randy@psg.com>
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Randy Bush <randy@psg.com>
- Re: [Rescert] Notes from RPKI security review
  - From: Rob Austein <sra@hactrn.net>
- Re: [Rescert] Notes from RPKI security review
  - From: Randy Bush <randy@psg.com>

Prev by Date: Re: [Rescert] Notes from RPKI security review
Next by Date: [Rescert] Changes I'd make to the RelaxNG schema
Previous by thread: Re: [Rescert] Notes from RPKI security review
Next by thread: [Rescert] Revision of the Up/Down Protocol Spec and XML Schema
Index(es):
- Date
- Thread