-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denis Walker [mailto:denis@ripe.net] wrote:
Hi Jeroen
Jeroen Massar wrote:
<SNIP>
I could live with changing the mnt-irt to be an or case with the mnt-by too indeed as currently when one wants to update an object protected by the mnt-irt it needs to be signed by both the mnt-by and the mnt-irt, when you are 'outsourcing' as you call it this is a problem, otherwise one will have access to both the maintainer and the irt anyhow.
You only need to include the authorisation for the mnt-irt: when it is first added to an object. Once the mnt-irt: is in the object you do not need to include this authorisation for subsequent modifications or deletions. Nor do you need this authorisation to remove the mnt-irt: from this object. So only the addition of an mnt-irt: attribute needs to be authorised by the mnt-irt:.
Then people should not have a problem at all with this concept. Thus it is only needed when there is extra 'work' for the IRT. Thanks for the clarification. Greets, Jeroen -----BEGIN PGP SIGNATURE----- Version: Unfix PGP for Outlook Comment: Jeroen Massar / http://unfix.org/~jeroen/ iQBGBAERAgAQCRApqihSMz58IwUCQFdXmAAAr5QAnRx+C/gqbqESOzOVnmCKlA2E ukWwAJ9wJ7hHpq5vfPR8lTXta/ewwGhzJw== =O7wT -----END PGP SIGNATURE-----