[Sidrops] Re: I-D Action: draft-ietf-sidrops-aspa-profile-21.txt
Job Snijders <job@bsd.nl> Fri, 16 January 2026 13:07 UTC
Dear all,

This mostly is just a refresh of the draft which specifies the ASPA object profile, with one minor change relevant to both CAs & RPs to tighten the bolts on this profile.

In previous versions of this profile it was possible to superfluously encode multiple (unrelated) ASIds in the ASPA's End Entity (EE) certificate. Going forward, encoding of multiple ASNs is disallowed. This simplifies the model for both issuers & validators: an explicit one-to-one mapping is used between the CustomerASID contained within the ASPA's eContent payload and the ASID encoded in the RFC 3779 extensions of the ASPA's EE certificate.

The existing ASPA deployment https://console.rpki-client.org/aspa.html is fully compatible with this change. No code changes are required for most (if not all) CA implementations. On the RP side of the house, implementers could add an extra check to confirm the 3779 AS extension of the EE contains only a single ASID.

Kind regards,

Job

On Fri, Jan 16, 2026 at 04:53:13AM -0800, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-sidrops-aspa-profile-21.txt is now available. It is
> a work item of the SIDR Operations (SIDROPS) WG of the IETF.
>
>    Title:   A Profile for Autonomous System Provider Authorization
>    Authors: Alexander Azimov
>             Eugene Uskov
>             Randy Bush
>             Job Snijders
>             Russ Housley
>             Ben Maddison
>    Name:    draft-ietf-sidrops-aspa-profile-21.txt
>    Pages:   15
>    Dates:   2026-01-16
>
> Abstract:
>
>    This document defines a Cryptographic Message Syntax (CMS) protected
>    content type for Autonomous System Provider Authorization (ASPA)
>    objects for use with the Resource Public Key Infrastructure (RPKI).
>    An ASPA is a digitally signed object through which the issuer (the
>    holder of an Autonomous System identifier), can authorize one or more
>    other Autonomous Systems (ASes) as its upstream providers. When
>    validated, an ASPA's eContent can be used for detection and
>    mitigation of route leaks.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidrops-aspa-profile/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-21
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-sidrops-aspa-profile-21
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> Sidrops mailing list -- sidrops@ietf.org
> To unsubscribe send an email to sidrops-leave@ietf.org
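
The RP-side check mentioned in the message above, as an added example that is not part of the original e-mail and not taken from any RP implementation: it walks the DER value of an RFC 3779 ASIdentifiers extension and accepts it only when it holds exactly one ASId equal to the CustomerASID. The function names are hypothetical, the caller is assumed to have already extracted the extension value and the CustomerASID, and treating "inherit", ranges and an rdi field as failures is this example's reading of "only a single ASID".

```python
# Added example (not rpki-client code): walk an RFC 3779 ASIdentifiers value
# and accept it only if it holds exactly one ASId. Function names are made up.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def single_asid(ext):
    """Return the only ASId in the extension value, or raise ValueError."""
    tag, body, end = read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("ASIdentifiers must be a single SEQUENCE")
    fields = children(body)
    if len(fields) != 1 or fields[0][0] != 0xA0:   # asnum [0] only, no rdi [1]
        raise ValueError("expected exactly the asnum field")
    choice = children(fields[0][1])
    if len(choice) != 1 or choice[0][0] != 0x30:   # NULL (0x05) means inherit
        raise ValueError("asnum must be an explicit asIdsOrRanges list")
    items = children(choice[0][1])
    if len(items) != 1 or items[0][0] != 0x02:     # 0x30 would be an ASRange
        raise ValueError("exactly one ASId (INTEGER) required")
    return int.from_bytes(items[0][1], "big", signed=True)

def ee_matches_customer(ext, customer_asid):
    """True only if the EE carries one ASId and it equals CustomerASID."""
    try:
        return single_asid(ext) == customer_asid
    except (ValueError, IndexError):
        return False

# Constructed DER samples (documentation ASNs 64496/64497), not real objects.
ONE_ASID = bytes.fromhex("3009a0073005020300fbf0")
TWO_ASIDS = bytes.fromhex("300ea00c300a020300fbf0020300fbf1")
AS_RANGE = bytes.fromhex("3010a00e300c300a020300fbf0020300fbf1")
INHERIT = bytes.fromhex("3004a0020500")
```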