a delegated CA may publish at their parent or anywhere else.
As I understand the current situation under the RIPE NCC Trust Anchor, a "Delegated CA" can publish anywhere ... *except* at their parent.
that is an implementation, not protool, artifact.
In this thread I'm to start and participate in a community dialogue, asking fellow RPKI operators what their take is on RFC 8181 in context of RIPE NCC's RPKI services, if they think it would be useful or not.
What do you think?
i suspect that ops who run delegated tend toward wanting control; and would be disinclined to publish back at parent. but, back in the day when we designed this stuff, we had the idea that there might be highly scaled providers of publication services not associated with any CA. </hint> randy --- randy@psg.com `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com` signatures are back, thanks to dmarc header butchery