a friend has asked me about the possibility of DoS of a CA pushing random dren to a publication point; e.g. rsc-signed kernel binaries, etc.

obviously, it would have been unwise for the 8181 publication protocol to enumerate the allowed objects, or it would need to be updated every time the ietf sausage machine defined a new object (router key, aspa, etc.), but 8181 does provide for error handling. it seems obvious that a publisher should reject a request to publish an object other than a formally correct rpki object; e.g. it should not accept the kernel blob.

interestingly, we do not have a document enumerating formal rpki signed objects. https://www.iana.org/assignments/rpki/rpki.xhtml#signed-objects is missing a few, e.g. certificates and crls. i have taken this up with the powers that be.

randy
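As an added illustration (not code from the post or from any publication server), here is the kind of syntactic gate a publisher could put in front of an RFC 8181 publish request: walk the DER far enough to see whether the blob is a certificate, a CRL, or CMS SignedData whose eContentType is in the IANA registry, and reject everything else. The registry short names and the set of eContentType OIDs are my own reading of the registry; the sample objects are constructed skeletons with correct framing and no real signatures.

```python
# Classifier for a blob offered in an RFC 8181 <publish/> request: accept only an
# X.509 certificate, a CRL, or CMS SignedData whose eContentType is registered.
SIGNED_DATA = "1.2.840.113549.1.7.2"                   # id-signedData (CMS)
RPKI_CONTENT_TYPES = {                                  # IANA rpki signed-objects
    "1.2.840.113549.1.9.16.1.24": "roa", "1.2.840.113549.1.9.16.1.26": "mft",
    "1.2.840.113549.1.9.16.1.35": "gbr", "1.2.840.113549.1.9.16.1.48": "rsc",
    "1.2.840.113549.1.9.16.1.49": "aspa"}
def tlv(buf, pos=0):                                    # one DER TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length     # (tag, value, next)
def decode_oid(value):                                  # OID content octets -> dotted
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, divmod(arcs[0], 40) + tuple(arcs[1:])))
def classify(blob):
    """'cer', 'crl' or a registry short name; None means reject the publish."""
    try:
        tag, body, end = tlv(blob)
        if tag != 0x30 or end != len(blob):             # exactly one SEQUENCE
            return None
        t0, v0, p = tlv(body)
        if t0 == 0x06:                                  # CMS ContentInfo
            if decode_oid(v0) != SIGNED_DATA or body[p] != 0xA0:
                return None
            sd = tlv(tlv(body, p)[1])[1]                # [0] EXPLICIT -> SignedData
            p = tlv(sd, tlv(sd)[2])[2]                  # skip version, digestAlgorithms
            te, ve, _ = tlv(tlv(sd, p)[1])              # encapContentInfo.eContentType
            return RPKI_CONTENT_TYPES.get(decode_oid(ve)) if te == 0x06 else None
        if t0 == 0x30:                                  # SEQ { tbs, AlgId, BIT STRING }
            t1, _, p = tlv(body, p)
            t2, _, p = tlv(body, p)
            if (t1, t2, p) == (0x30, 0x03, len(body)):  # v3 cert tbs opens with [0], CRL with INTEGER
                return "cer" if v0[0] == 0xA0 else "crl" if v0[0] == 0x02 else None
    except (IndexError, ValueError):
        pass
    return None
# Constructed samples: correct DER framing, no real signatures or extensions.
ROA = bytes.fromhex("3023 06092a864886f70d010702 a016 3014 020103 3100 300d 060b2a864886f70d0109100118")
CER = bytes.fromhex("300c 3005a003020102 3000 030100")  # tbs begins with [0] version
CRL = bytes.fromhex("300c 30050201013000 3000 030100")  # tbs begins with INTEGER version
SIGNED_KERNEL = bytes.fromhex("3021 06092a864886f70d010702 a014 3012 020103 3100 300b 06092a864886f70d010701")
RAW_KERNEL = b"\x7fELF\x02\x01\x01\x00" + bytes(32)     # an ELF header, not DER at all
```

This is only the cheap structural check that lets a publisher answer with an error instead of storing the blob; a CMS object signed over id-data (a "signed kernel") fails it just like raw bytes do, and anything that passes still needs full RFC 6488 signature and profile validation.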