[sidr] Validation reconsidered and X.509v3 extension OIDs

[Rob Austein <sra@hactrn.net>]

Reminding the WG of an old issue I raised years ago for validation
reconsidered which, as far as I know, has not yet been addressed.

If we change the validation algorithm, we really should also change
the object identifiers used in the X.509v3 extensions used to convey
the resources.

The reason for this is simple: the RFC 3779 validation algorithm has
shipped, long since.  My implementation has been part of OpenSSL for
the last decade, and while it's not enabled by default on all
platforms, it is on some, and is available as a configuration option
on others.  It is far too late to change this, that ship has sailed.

So if we're talking about changing the validation algorithm now, we
need to label the algorithm we're using, so that validation code knows
which algorithm it's supposed to follow.  Otherwise, we'll get
different validation results at different sites depending on which
algorithm they're using this week, different routing decisions as a
consequence, dogs and cats living together, mass hysteria.

The solution to this is simple: change the extension OIDs.  X.509's
"critical extension" mechanism will take care of the rest.

This will require some kind of phase-in/phase-out process during which
the new OIDs appear and the old OIDs vanish, and will require RP code
to implement the new OIDs, but these are trivial issues given that the
RP behavior has to change in any case, that being the point of the
entire validation reconsidered exercise.

Yes, this will be a bit painful, but I view it as in essence exposing
a problem that already exists, rather than sweeping it under the rug.

Sorry for reminding the WG of this yet again at what some may consider
a late date, but I have raised this issue before, I just haven't
(re)raised it in the last few months.