[sidr] [IANA #1266244] [Errata Verified] RFC8182 (7239)
Amanda Baber via RT <iana-matrix@iana.org> Thu, 09 February 2023 03:56 UTC
Return-Path: <iana-shared@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2331BC14CE27 for <sidr@ietfa.amsl.com>; Wed, 8 Feb 2023 19:56:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.948
X-Spam-Level:
X-Spam-Status: No, score=-3.948 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qd9pEGn2b9IT for <sidr@ietfa.amsl.com>; Wed, 8 Feb 2023 19:56:14 -0800 (PST)
Received: from smtp.lax.icann.org (smtp.lax.icann.org [192.0.33.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FA80C14CEE3 for <sidr@ietf.org>; Wed, 8 Feb 2023 19:56:14 -0800 (PST)
Received: from request6.lax.icann.org (request1.lax.icann.org [10.32.11.221]) by smtp.lax.icann.org (Postfix) with ESMTP id D8447E388A; Thu, 9 Feb 2023 03:56:13 +0000 (UTC)
Received: by request6.lax.icann.org (Postfix, from userid 48) id D5F474B10A; Thu, 9 Feb 2023 03:56:13 +0000 (UTC)
RT-Owner: amanda.baber
From: Amanda Baber via RT <iana-matrix@iana.org>
Reply-To: iana-matrix@iana.org
In-Reply-To: <20230208173143.D7FE74C099@rfcpa.amsl.com>
References: <RT-Ticket-1266244@icann.org> <20230208173143.D7FE74C099@rfcpa.amsl.com>
Message-ID: <rt-5.0.3-3135562-1675914973-537.1266244-37-0@icann.org>
X-RT-Loop-Prevention: IANA
X-RT-Ticket: IANA #1266244
X-Managed-BY: RT 5.0.3 (http://www.bestpractical.com/rt/)
X-RT-Originator: amanda.baber@icann.org
To: rfc-editor@rfc-editor.org
CC: tim@ripe.net, sra@hactrn.net, sidr@ietf.org, oleg@ripe.net, job@fastly.com, jgs@juniper.net, bryan@cobenian.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-RT-Original-Encoding: utf-8
Precedence: bulk
Date: Thu, 09 Feb 2023 03:56:13 +0000
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/6cjQV9QpPoR_k2fB95kGSqeXB04>
Subject: [sidr] [IANA #1266244] [Errata Verified] RFC8182 (7239)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2023 03:56:18 -0000
Hi, Does this errata report need to be listed as an additional reference for the id-ad-rpkiNotify registration? See https://www.iana.org/assignments/smi-numbers thanks, Amanda Baber IANA Operations Manager On Wed Feb 08 17:32:05 2023, rfc-editor@rfc-editor.org wrote: > The following errata report has been verified for RFC8182, > "The RPKI Repository Delta Protocol (RRDP)". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid7239 > > -------------------------------------- > Status: Verified > Type: Technical > > Reported by: Job Snijders <job@fastly.com> > Date Reported: 2022-11-04 > Verified by: John Scudder (IESG) > > Section: 3.2 > > Original Text > ------------- > Certificate Authorities that use RRDP MUST include an instance of an > SIA AccessDescription extension in resource certificates they > produce, in addition to the ones defined in [RFC6487]: > > Corrected Text > -------------- > Certificate Authorities that use RRDP MUST include an instance of an > SIA AccessDescription extension in CA resource certificates they > produce, in addition to the ones defined in [RFC6487]: > > Notes > ----- > Between draft-ietf-sidr-delta-protocol-04 and draft-ietf-sidr-delta- > protocol-05 a bit of text was removed (perhaps because it was > considered redundant). But, unfortunately that snippet helped > establish important context as to what types of certificates are > expected to contain the id-ad-rpkiNotify accessMethod inside the > Subject Information Access extension. The text that was removed: > > """ > Relying Parties that do not support this delta protocol MUST MUST NOT > reject a CA certificate merely because it has an SIA extension > containing this new kind of AccessDescription. > """ > > From the removed text is is clear that id-ad-rpkiNotify was only > expected to show up on CA certificates. However, without the above > text, Section 3.2 of RFC 8182 is somewhat ambiguous whether 'resource > certificates' is inclusive of EE certificates or not. > > RFC 6487 Section 4.8.8.2 sets expectations that only id-ad- > signedObject is expected to show up in the SIA of EE certificates > "Other AccessMethods MUST NOT be used for an EE certificates's SIA." > > The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify in > the SIA of the EE certificate of all signed objects they produce (such > as ROAs). The RIR indicated they'll work to remove id-ad-rpkiNotify > from all EE certificates their CA implementation produces. > > It should be noted that the presence of id-ad-rpkiNotify in EE > certificates is superfluous; Relying Parties can't use the rpkiNotify > accessMethod in EE certificates for any purpose in the validation > decision tree. > > (Verifying this Errata does not block a future transition from rsync > to https; as RFC6487 Section 4.8.8.2 leaves room for additional > instances of id-ad-signedObject with non-rsync URIs) > > -------------------------------------- > RFC8182 (draft-ietf-sidr-delta-protocol-08) > -------------------------------------- > Title : The RPKI Repository Delta Protocol (RRDP) > Publication Date : July 2017 > Author(s) : T. Bruijnzeels, O. Muravskiy, B. Weber, R. > Austein > Category : PROPOSED STANDARD > Source : Secure Inter-Domain Routing > Area : Routing > Stream : IETF > Verifying Party : IESG
- [sidr] [Errata Verified] RFC8182 (7239) RFC Errata System
- [sidr] [IANA #1266244] [Errata Verified] RFC8182 … Amanda Baber via RT
- Re: [sidr] [IANA #1266244] [Errata Verified] RFC8… Job Snijders