This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] Publish in Parent - input requested
Randy Bush
randy at psg.com
Tue Oct 4 00:06:29 CEST 2022
a friend has asked me about the possibility of DoS of a CA pushing random dren to a publication point; e.g. rsc signed kernel binaries, etc.

obviously, it would have been unwise for the 8181 publication protocol to enumerate the allowed objects, or it would need to be updated every time the ietf sausage machine defined a new object (router key, aspa, etc.)

but 8181 does provide for error handling. it seems obvious that a publisher reject a request to publish an object other than a formally correct rpki object. e.g. it should not accept the kernel blob.

interesting, we do not have a document enumerating formal rpki signed objects. https://www.iana.org/assignments/rpki/rpki.xhtml#signed-objects is missing a few, e.g. certificates, crls. i have taken this up with the powers that be.

randy
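An added illustration of the publisher-side rejection described in the message above (not part of the original message, and not code from any publication server): a structural gate over the `<publish/>` PDUs of an already-unwrapped RFC 8181 query that answers with `<report_error/>` for anything that is not DER of the expected outer shape. The extension allow-list, the function names and the choice of the `other_error` code are assumptions made for this sketch.

```python
import base64
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/publication-spec/"  # RFC 8181 namespace
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # DER of 1.2.840.113549.1.7.2
# Assumption: local allow-list keyed on file extension, not an official registry.
CMS_EXTS = {".roa", ".mft", ".gbr", ".asa"}
X509_EXTS = {".cer", ".crl"}

def der_sequence_body(blob):
    """Content of an outer DER SEQUENCE spanning blob exactly, else None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:                      # short-form length
        length, hdr = blob[1], 2
    else:                                   # long-form length, up to 4 octets
        n = blob[1] & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return None
        length, hdr = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return blob[hdr:] if hdr + length == len(blob) else None

def check_publish(uri, b64_text):
    """Return None to accept, or a reason string to reject."""
    ext = "." + uri.rsplit(".", 1)[-1].lower() if "." in uri else ""
    if ext not in CMS_EXTS | X509_EXTS:
        return "unrecognised object type " + repr(ext)
    try:
        blob = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:
        return "payload is not valid base64"
    body = der_sequence_body(blob)
    if body is None:
        return "payload is not a single DER SEQUENCE"
    if ext in CMS_EXTS and not body.startswith(SIGNED_DATA_OID):
        return "not a CMS SignedData ContentInfo"
    return None

def handle_query(xml_text):
    """Build the RFC 8181 reply: <success/> or one <report_error/> per bad PDU."""
    query = ET.fromstring(xml_text)
    reply = ET.Element("msg", {"xmlns": NS, "type": "reply", "version": "4"})
    for pdu in query.findall("{%s}publish" % NS):
        reason = check_publish(pdu.get("uri", ""), pdu.text or "")
        if reason:
            err = ET.SubElement(reply, "report_error",
                                {"error_code": "other_error", "tag": pdu.get("tag", "")})
            err.text = reason
    if len(reply) == 0:
        ET.SubElement(reply, "success")
    return ET.tostring(reply, encoding="unicode")
```

This checks outer shape only; it does not verify signatures or object profiles, so a blob wrapped in a well-formed ContentInfo would still pass and needs full validation downstream.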