Re: [sidr] RPKI validator testing summary

Geoff Huston <> Sat, 03 December 2011 01:44 UTC


On 03/12/2011, at 8:46 AM, Geoff Huston wrote:

> On 01/12/2011, at 2:38 AM, Andrew Chi wrote:
>> 2. AIA correctness.  Does res-certs require validators to reject a certificate with a messed up AIA URI, even if top-down traversal is ok?  Having clean AIAs obviously helps bottom-up validators.  But validators capable of bottom-up traversal must already defend against AIA-wild-goose-chase DoS, e.g. by limiting chase depth.  Should we encourage validators to enforce AIA correctness?
> res-certs says that there MUST be an AIA and the text says that it points to the "publication point of the immediate superior certificate". In the case where a local TA is being used (and in other conceivable cases) it is possible for multiple CAs to certify a subject. What the spec does NOT say is that the AIA must point to the publication point of all such CAs. So it appears to be within the bounds of the res-cert profile for a certificate hierarchy of the form
> CA A      CA B
>  |         |
>  V         V
>      CA C
> Now if the AIA of certificates issued by CA C points to the publication point of CA A, then if you are performing a validation along the path A to C then this is NOT "messed up", and things look fine. If you are performing a validation along the path from B to C then it IS "messed up", and things look good.

things _do not_ look good



> So "messed up" in AIA appears to be a little bit in the eyes of the beholder rather than an objective condition.
> On what grounds would a validator reject certificates issued by CA C in this example?
> regards,
>  Geoff


Geoff Huston
Chief Scientist, APNIC

+61 7 3858 3100
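
The hierarchy discussed in this message, as an added example that is not part of the original thread: a toy model (no signatures, no real RPKI library) in which the same AIA value is consistent on the A-to-C path and inconsistent on the B-to-C path, plus a bottom-up AIA chase that stops on a depth limit, a loop, or a dangling URI. The `Cert` record, the certificate D issued by CA C, the rsync URIs and the `max_depth` default are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    uri: str             # where this certificate is published (constructed)
    aia: Optional[str]   # URI carried in the AIA extension; None for a trust anchor

# Constructed hierarchy: CA A and CA B both certify CA C; CA C issues D.
A = Cert("A", "A", "rsync://a.example/ta/A.cer", None)
B = Cert("B", "B", "rsync://b.example/ta/B.cer", None)
C_BY_A = Cert("C", "A", "rsync://a.example/repo/C.cer", A.uri)
C_BY_B = Cert("C", "B", "rsync://b.example/repo/C.cer", B.uri)
# D's AIA names C's certificate as published by CA A.
D = Cert("D", "C", "rsync://c.example/repo/D.cer", C_BY_A.uri)
STORE = {c.uri: c for c in (A, B, C_BY_A, C_BY_B, D)}

def aia_mismatches(path):
    """Top-down: subjects on the path whose AIA does not name the parent used."""
    return [child.subject for parent, child in zip(path, path[1:])
            if child.aia != parent.uri]

def chase_aia(cert, store, max_depth=8):
    """Bottom-up: follow AIA URIs to a trust anchor; None if the chase fails."""
    chain, seen = [cert], {cert.uri}
    while chain[-1].aia is not None:
        nxt = store.get(chain[-1].aia)
        if nxt is None or nxt.uri in seen or len(chain) >= max_depth:
            return None      # dangling URI, AIA loop, or depth limit reached
        chain.append(nxt)
        seen.add(nxt.uri)
    return [c.subject for c in chain]

if __name__ == "__main__":
    print("path A->C->D mismatches:", aia_mismatches([A, C_BY_A, D]))
    print("path B->C->D mismatches:", aia_mismatches([B, C_BY_B, D]))
    print("bottom-up chase from D: ", chase_aia(D, STORE))
```
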