At 3:19 PM -0500 11/7/09, Curtis Villamizar wrote:
In message <4AF48D1C.4040107 at merit.edu> Larry Blunk writes:

It's my understanding (please correct me if I'm wrong) that by issuing a CA-Cert a provider is not only giving the customer authority to register their own ROA's, but to also issue ROA's or CA-Cert's for customers of the customer (and so on). I suspect many providers would be reluctant to grant this level of authority over the PA space they have assigned.

And the CA-Cert is not revokable?

Curtis
Yes, the CA cert can be revoked.

Also, if we wanted to provide the ISP with additional controls, there is a cert path length as part of the basic constraints extension that is in the RPKI profile (although the path length field is currently deprecated). This field allows an issuer to restrict the issuance of CA certs below the CA certs that it issued.
Steve
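
The path length control mentioned in the reply above, sketched as the RFC 5280 path-validation rule for pathLenConstraint. This is an added example, not part of the original messages or of any RPKI software; the `Cert` class, the subject names and the sample chains are constructed for illustration, and only this one check is modeled (no signatures, revocation or resource extensions).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical model)."""
    subject: str
    issuer: str
    is_ca: bool                      # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None means absent


def path_length_violation(chain: List[Cert]) -> Optional[str]:
    """Apply the RFC 5280 section 6.1.4 max_path_length steps to a chain.

    `chain` runs from the certificate issued by the trust anchor down to
    the end-entity certificate. Returns None when the chain passes, or the
    subject of the first certificate that breaks the constraint.
    """
    max_path_length = len(chain)          # initial value n (section 6.1.2)
    for cert in chain[:-1]:               # every cert that issues another
        if not cert.is_ca:
            return cert.subject           # a non-CA cert cannot be an issuer
        if cert.subject != cert.issuer:   # self-issued certs are not counted
            if max_path_length <= 0:
                return cert.subject       # one CA too many below a constraint
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return None


# Constructed chains: the ISP issues the customer a CA cert with pathLen=0.
customer = Cert("customer", "isp", is_ca=True, path_len=0)
roa_ee = Cert("customer-roa-ee", "customer", is_ca=False)
sub_ca = Cert("sub-customer", "customer", is_ca=True)
sub_ee = Cert("sub-customer-roa-ee", "sub-customer", is_ca=False)

if __name__ == "__main__":
    # The customer can still issue end-entity certs for its own ROAs.
    print(path_length_violation([customer, roa_ee]))
    # A CA cert issued by the customer to its own customer is rejected.
    print(path_length_violation([customer, sub_ca, sub_ee]))
```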