From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: rpki-client: revert trust anchor validity period check
To: Theo Buehler <tb@theobuehler.org>
Cc: Job Snijders <job@openbsd.org>, tech@openbsd.org
Date: Wed, 26 Mar 2025 10:33:05 +0100

On Fri, Mar 21, 2025 at 07:33:30PM +0100, Theo Buehler wrote:
> On Fri, Mar 21, 2025 at 06:25:37PM +0000, Job Snijders wrote:
> > Dear all,
> > 
> > Had a super interesting conversation with beck@ in which he convinced me
> > that it'll be better to revert course here and go a different direction.
> > 
> > There is a lot of complexity around fetching RPKI TA certificates and
> > automatically selecting one that probably^Hhopefully doesn't mess up the
> > tree (such as the still-valid olden narrowly rfc3779-constrained trust
> > anchor certificate issuances). Instead, we can work towards maintaining
> > this aspect as a more traditional rootstore (/etc/rpki/certs.pem). 
> 
> I don't really follow the reasoning since one thing does not preclude
> the other but I always hated this code, so I'm fine with removing it.

I'm also OK with removing this. It seems we need a bit more time to rethink
the options.

-- 
:wq Claudio