Policy Qualifiers in Resource Public Key Infrastructure (RPKI) Certificates
RFC 7318
Note: This ballot was opened for revision 01 and is now closed.
(Adrian Farrel; former steering group member) Yes
(Alia Atlas; former steering group member) Yes
(Alissa Cooper; former steering group member) No Objection
Section 2: It would be useful if there were a sentence in this section that explained why this change to RFC6487 is being made. s/any optional policy qualifiers/any optional policy qualifier/ (the whole point is that there can only be one policy qualifier, right?)
(Barry Leiba; former steering group member) No Objection
(Benoît Claise; former steering group member) No Objection
I have the exact same comment as Alissa: It would be useful if there were a sentence in this section that explained why this change to RFC6487 is being made.
(Brian Haberman; former steering group member) No Objection
I agree with Alissa that having a brief description of why this change is needed would be useful.
(Jari Arkko; former steering group member) No Objection
(Joel Jaeggli; former steering group member) No Objection
(Kathleen Moriarty; former steering group member) No Objection
I support Stephen's comments.
(Martin Stiemerling; former steering group member) No Objection
(Richard Barnes; former steering group member) No Objection
(Spencer Dawkins; former steering group member) No Objection
(Stephen Farrell; former steering group member) No Objection
- general: Adding more to policy stuff in certs seems like a bad plan. However, since a CPS pointer URI doesn't impose any more processing on the client, I'm ok with it, if those are the certs that RPs have to handle. (I assume this is the reason to add this - that CAs are issuing such certs, right?)
- Section 4 says: "Checking of the URI might allow denial-of-service (DoS) attacks, where the target host may be subjected to bogus work resolving the URI." I think that's a little unclear. It might be better to say "While de-referencing the URI is not required for certificate validation, doing so could provide a denial-of-service (DoS) vector, where the target host may be subjected to bogus work de-referencing the URI." Additionally, you could also re-state a RECOMMENDATION that RPs don't de-ref the URI. (Note: If you'd rather not make this change that's fine, it's almost a nit.)
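Added example, not text from the ballot and not code from RFC 7318 or from any relying-party implementation: a Python check of an RPKI certificate's certificatePolicies extension value that enforces the constraints the comments above refer to (exactly one policy, id-cp-ipAddr-asNumber, and at most one policy qualifier, which must be an id-qt-cps pointer) and returns the CPS URI as data without de-referencing it, which is the behaviour Stephen's comment asks the document to recommend. The hand-written DER decoder, the encoder used to build the sample extension values, and the URI under rpki.example.net are all constructed for this example and are assumptions, not material from the RFC.

```python
# Added example, not code from RFC 7318, the ballot, or any RP implementation.
# Checks a DER certificatePolicies value for the RPKI profile rules discussed
# above: exactly one policy OID (id-cp-ipAddr-asNumber) and at most one policy
# qualifier, which must be a CPS pointer (id-qt-cps).  The CPS URI is returned
# as data and never fetched.  Samples below are constructed, not real certs.

ID_CP_IPADDR_ASNUMBER = "1.3.6.1.5.5.7.14.2"   # RPKI certificate policy (RFC 6484)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"                # CPS pointer qualifier (RFC 5280)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"            # user notice qualifier (RFC 5280)
SEQUENCE, OID, IA5STRING = 0x30, 0x06, 0x16

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(contents):
    """Split SEQUENCE contents into a list of (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, body, pos = _tlv(contents, pos)
        out.append((tag, body))
    return out

def _oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted notation."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def check_certificate_policies(ext_value):
    """Return (ok, cps_uri_or_None, reason) for a DER certificatePolicies value."""
    tag, body, _ = _tlv(ext_value, 0)
    if tag != SEQUENCE:
        return False, None, "certificatePolicies is not a SEQUENCE"
    policies = _children(body)
    if len(policies) != 1 or policies[0][0] != SEQUENCE:
        return False, None, f"expected exactly one PolicyInformation, found {len(policies)}"
    fields = _children(policies[0][1])
    if not fields or fields[0][0] != OID:
        return False, None, "missing policyIdentifier"
    if _oid(fields[0][1]) != ID_CP_IPADDR_ASNUMBER:
        return False, None, f"unexpected policy OID {_oid(fields[0][1])}"
    if len(fields) == 1:
        return True, None, "ok, no policy qualifier"
    if len(fields) != 2 or fields[1][0] != SEQUENCE:
        return False, None, "malformed policyQualifiers"
    qualifiers = _children(fields[1][1])
    if len(qualifiers) != 1 or qualifiers[0][0] != SEQUENCE:
        return False, None, f"expected at most one qualifier, found {len(qualifiers)}"
    qfields = _children(qualifiers[0][1])
    if len(qfields) != 2 or qfields[0][0] != OID:
        return False, None, "malformed PolicyQualifierInfo"
    if _oid(qfields[0][1]) != ID_QT_CPS:
        return False, None, f"qualifier {_oid(qfields[0][1])} is not id-qt-cps"
    if qfields[1][0] != IA5STRING:
        return False, None, "CPSuri is not an IA5String"
    # Deliberately not dereferenced: the URI is informational, and fetching it
    # during validation would let a certificate make the RP do bogus work.
    return True, qfields[1][1].decode("ascii"), "ok"

# --- constructed sample extension values (tiny DER encoder, samples only) ---
def _der(tag, contents):
    """Short-form DER TLV; the constructed samples are all under 128 bytes."""
    return bytes([tag, len(contents)]) + contents

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(OID, bytes(out))

def build_policies(qualifiers, policy_oid=ID_CP_IPADDR_ASNUMBER):
    """Constructed sample: one PolicyInformation with the given qualifiers."""
    info = _enc_oid(policy_oid)
    if qualifiers:
        info += _der(SEQUENCE, b"".join(_der(SEQUENCE, _enc_oid(q) + v) for q, v in qualifiers))
    return _der(SEQUENCE, _der(SEQUENCE, info))

CPS_URI = b"https://rpki.example.net/cps.html"        # placeholder, not a real CPS
SAMPLE_OK = build_policies([(ID_QT_CPS, _der(IA5STRING, CPS_URI))])
SAMPLE_NO_QUALIFIER = build_policies([])
SAMPLE_TWO_QUALIFIERS = build_policies([(ID_QT_CPS, _der(IA5STRING, CPS_URI)),
                                        (ID_QT_UNOTICE, _der(SEQUENCE, b""))])
SAMPLE_WRONG_POLICY = build_policies([], policy_oid="2.5.29.32.0")   # anyPolicy
```

Running check_certificate_policies over the four constructed samples accepts the two permitted forms (CPS qualifier present, qualifier absent) and rejects the two-qualifier and anyPolicy cases. Nothing in the check touches the network; an RP that wants to read the CPS does so out of band, not as part of path validation.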
(Ted Lemon; former steering group member) No Objection