From bfeebcd54ea65ecb397fab84836339a8733a9fb0 Mon Sep 17 00:00:00 2001 From: Nicola Rustignoli Date: Wed, 9 Oct 2024 20:00:05 +0200 Subject: [PATCH 1/2] anapaya feedback --- draft-dekater-scion-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-dekater-scion-pki.md b/draft-dekater-scion-pki.md index 56379d0..b6d2236 100644 --- a/draft-dekater-scion-pki.md +++ b/draft-dekater-scion-pki.md 
@@ -1351,7 +1351,7 @@ Compared to other trust architectures, in SCION there is no central authority th This section deals with possible recovery from the compromises discussed in the previous paragraph. As described in [](#substitutes-to-revocation), there is no revocation in the CP-PKI. -- On TRC level: If any of the root keys or voting keys contained in the TRC are compromised, the TRC MUST be updated as described in [](#update). Note that this is a sensitive TRC update, as the certificate related to the compromised private key MUST be replaced with an entirely new certificate (and not just changed). A trust reset is only required in the case the number of compromised keys at the same time is greater or equal than the TRC's quorum (see [](#quorum)). +- On TRC level: If any of the root keys or voting keys contained in the TRC are compromised, the TRC MUST be updated as described in [](#update). A trust reset is only required in the case the number of compromised keys at the same time is greater or equal than the TRC's quorum (see [](#quorum)) and a invalid update has been produced and distributed in the network. - On CA level: If the private key related to a CA certificate is compromised, the impacted CA AS MUST obtain a new CA certificate from the corresponding root AS. CA certificates are generally short lived to limit the impact of compromise. Alternatively, with a TRC update, a new root keys can also be forced, invalidating the compromised CA. - On AS level: In the event of a key compromise of a (non-core) AS, the impacted AS needs to obtain a new certificate from its CA. This process will vary depending on internal issuance protocols. From b3e7f10a87f2d1a2f13d442ca5c8afa3d623dac2 Mon Sep 17 00:00:00 2001 From: Nicola Rustignoli Date: Wed, 16 Oct 2024 22:56:12 +0200 Subject: [PATCH 2/2] remove wrong sentence about TRC update --- draft-dekater-scion-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-dekater-scion-pki.md b/draft-dekater-scion-pki.md index 07b1668..0117d5b 100644 --- a/draft-dekater-scion-pki.md +++ b/draft-dekater-scion-pki.md @@ -1376,7 +1376,7 @@ In SCION there is no central authority that could "switch off" an ISD as each re This section deals with possible recovery from the compromises discussed in the previous paragraph. As described in [](#substitutes-to-revocation), there is no revocation in the Control Plane PKI. -- At TRC level: If any of the root keys or voting keys contained in the TRC are compromised, the TRC MUST be updated as described in [](#update). Note that this is a sensitive TRC update, as the certificate related to the compromised private key MUST be replaced with an entirely new certificate (and not just changed). A trust reset is only required in the case the number of compromised keys at the same time is greater or equal than the TRC's quorum (see [](#quorum)) and a invalid update has been produced and distributed in the network. +- At TRC level: If any of the root keys or voting keys contained in the TRC are compromised, the TRC MUST be updated as described in [](#update). A trust reset is only required in the case the number of compromised keys at the same time is greater or equal than the TRC's quorum (see [](#quorum)) and a invalid update has been produced and distributed in the network. - At CA level: If the private key related to a CA certificate is compromised, the impacted CA AS MUST obtain a new CA certificate from the corresponding root AS. CA certificates are generally short lived to limit the impact of compromise. Alternatively, with a TRC update, a new root keys can also be forced, invalidating the compromised CA. - At AS level: In the event of a key compromise of a (non-core) AS, the impacted AS needs to obtain a new certificate from its CA. This process will vary depending on internal issuance protocols.
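Review bot: On the `+` line of the PATCH 1/2 hunk, the new condition "and a invalid update has been produced and distributed in the network" has two grammar errors ("a invalid" should be "an invalid"; "greater or equal than" should be "greater than or equal to") and "invalid" is misleading: an update signed with a quorum of compromised voting keys would pass verification, so "unauthorized" or "malicious" names the case actually meant. Suggested wording: "A trust reset is only required if the number of keys compromised at the same time is greater than or equal to the TRC's quorum (see [](#quorum)) and an unauthorized TRC update has been produced and distributed in the network." The rewritten bullet also no longer says what the ISD should do when a quorum of keys is compromised but no rogue update has appeared yet; presumably the normal [](#update) path with replacement certificates, but stating that explicitly would close the gap left by dropping the "sensitive TRC update" sentence.

Review bot: The `-` line of the PATCH 2/2 hunk still contains the sentence "Note that this is a sensitive TRC update ..." that PATCH 1/2 already removed, alongside the text PATCH 1/2 added, and its base line reads "At TRC level" where PATCH 1/2's reads "On TRC level" (index 07b1668 vs 56379d0, hunk at line 1376 vs 1351), so the two patches do not apply to the same base; either PATCH 1/2 was applied onto a tree that reintroduced the sentence or it is stale. Squash the series into one commit, or at least confirm the final text has the sentence removed exactly once and fix the "a invalid" error, which this hunk carries over unchanged on its `+` line. Drive-by in the unchanged context line: "a new root keys can also be forced" should read "new root keys can also be forced".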