From 74d2ca709be709265a6ab77c98516f7397b87306 Mon Sep 17 00:00:00 2001 From: Randy Bush Date: Thu, 10 Mar 2022 12:45:11 -0800 Subject: [PATCH] tim bray wanted 6480 pushed harder --- draft-ietf-sidrops-rpki-has-no-identity.xml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/draft-ietf-sidrops-rpki-has-no-identity.xml b/draft-ietf-sidrops-rpki-has-no-identity.xml index e88e90e..9d8c83f 100644 --- a/draft-ietf-sidrops-rpki-has-no-identity.xml +++ b/draft-ietf-sidrops-rpki-has-no-identity.xml @@ -130,11 +130,15 @@ services. They claim to be authoritative, at least for the INRs which they allocate. - RPKI-based credentials of INRs MUST NOT be used to authenticate - real-world documents or transactions without some formal external - authentication of the INR and the authority for the actually - anonymous INR holder to authenticate the particular document or - transaction. + PKI operations MUST NOT be performed with RPKI certificates other + than exactly as described, and for the purposes described, in . + + I.e., RPKI-based credentials of INRs MUST NOT be used to + authenticate real-world documents or transactions without some + formal external authentication of the INR and the authority for the + actually anonymous INR holder to authenticate the particular + document or transaction. Given sufficient external, i.e. non-RPKI, verification of authority, the use of RPKI-based credentials seems superfluous. @@ -231,13 +235,13 @@ Control of INRs for an entity could be used to falsely authorize transactions or documents for which the INR manager has no authority. - +
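Review bot: In the first hunk the new normative sentence ends with "in ." and no visible reference target, so as rendered the reader cannot tell which document the "exactly as described, and for the purposes described" restriction points to; please confirm the xref (the commit subject suggests RFC 6480) actually survives in the xml, and consider whether the wording should allow the RPKI documents that extend RFC 6480 rather than only that one. The paragraph that follows should open with "That is," rather than "I.e.," for a normative draft, and since it simply restates the removed text verbatim, it could be tightened or merged with the new sentence so the MUST NOT is stated once. The second hunk is cut off after its "-" and "+" markers, so there is nothing visible to review there.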