[Sidrops] What are the RFC 5280 § 6.1.1 inputs for (c) (e) (f) (g) in context of RFC 8360?
Job Snijders <job@fastly.com> Tue, 17 October 2023 02:18 UTC
Return-Path: <jsnijders@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31BA3C1519B9 for <sidrops@ietfa.amsl.com>; Mon, 16 Oct 2023 19:18:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VVwFV-WBGQrY for <sidrops@ietfa.amsl.com>; Mon, 16 Oct 2023 19:18:45 -0700 (PDT)
Received: from mail-oa1-x2c.google.com (mail-oa1-x2c.google.com [IPv6:2001:4860:4864:20::2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CBACC151535 for <sidrops@ietf.org>; Mon, 16 Oct 2023 19:18:45 -0700 (PDT)
Received: by mail-oa1-x2c.google.com with SMTP id 586e51a60fabf-1ea45b07c59so1013659fac.0 for <sidrops@ietf.org>; Mon, 16 Oct 2023 19:18:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1697509124; x=1698113924; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=fzq6R4LEPWjBo+UC3VJzQIor6/xqAf/PAHNgW1CiC5U=; b=QU33hKuZlEy5WI/8MgZseuvwT8Y7E0nE+IWT/JmZKnLlvkAe7K1uxTPu+wSiP3Sdye f/Opyzb0BCANCZMEbVm6RfL1S9Oe+02UZ0+zYQEZw7UgjRa4mOzvxk0dZ5e+P9a0qOkY TXs1kSpb2moc/+aMljvSfVDS0n76baH8nBn3Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697509124; x=1698113924; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=fzq6R4LEPWjBo+UC3VJzQIor6/xqAf/PAHNgW1CiC5U=; b=JkHDeVWnWYVd15m+j0YKsIKde7pdPT+4zSD2MqPHDrR+eDgLTesff2KFNBirRScHnB idcpCd1SrtFWda0BKF5AEdFSemwRh04VWgTL59+a4xBCkj4fFIhxdm7x8otiYn8uIcy9 FF7gvQTCNVYeZG7oleoPAvLby/Ad3CRu/hMFpAKCs4hvEXnZe368z+9OjuEFXLgSO7LU MFvcLhijThsoUljBps7ytrwNOT2WzWbrgv2Buvkt+xePaitJ8Lq4jwMs6kXwGJtr5tS3 sGQtSBg4H6dMGOMwXpavDniYTqVzbePCxrinH6V3s+KSe3fx5Hjp7+thlrl3ZCRUQ6RV cRLw==
X-Gm-Message-State: AOJu0YxuYBaC+au7BrZAcUlMEjIh9ez54zydjxmIkC+BG4Iwy03bNJXo E0a8YCiYpRHvqt3FjSsOpFZR/wi6+LOvtM9X+qD1JEg5rJXT3FSFYBg=
X-Google-Smtp-Source: AGHT+IHDsggRNcS/A+C2iSvwAGddcHENbcL5WrYbBn8Bu+PKinZHOIhP0dejsufnOkENRFdtDPNb4jLalAnj5+0MgVE=
X-Received: by 2002:a05:6871:d06:b0:1e9:b811:da13 with SMTP id vh6-20020a0568710d0600b001e9b811da13mr882428oab.49.1697509124388; Mon, 16 Oct 2023 19:18:44 -0700 (PDT)
MIME-Version: 1.0
From: Job Snijders <job@fastly.com>
Date: Mon, 16 Oct 2023 19:18:33 -0700
Message-ID: <CAMFGGcAftQp0fG+mZw5nASF4hcWYaR13Q+wLHLXu2SUCjrUcAg@mail.gmail.com>
To: sidrops@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005cce950607e024d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/L02g9Z8OIUc1AOi_IoRViOvTSCY>
Subject: [Sidrops] What are the RFC 5280 § 6.1.1 inputs for (c) (e) (f) (g) in context of RFC 8360?
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2023 02:18:49 -0000
Dear working group, The rpki-client project developers are studying how to implement support for RFC 8360, while at the same time maintain compliance with RFC 6487 and RFC 5280. RFC 5280 § 6.1.1 defines a number of "Inputs" which are used in the algorithm to establish validity. RFC 8360 doesn't specify the following inputs: (c) user-initial-policy-set: A set of certificate policy identifiers naming the policies that are acceptable to the certificate user. (e) initial-policy-mapping-inhibit, which indicates if policy mapping is allowed in the certification path. (f) initial-explicit-policy, which indicates if the path must be valid for at least one of the certificate policies in the user-initial-policy-set. (g) initial-any-policy-inhibit, which indicates whether the anyPolicy OID should be processed if it is included in a certificate. Without the above information implementation is somewhat challenging. Perhaps it’s worthwhile to re-re-consider updating the algorithm to allow for intermediate CAs to overclaim? This expired draft by no means is perfect but it might be a starting point https://www.ietf.org/archive/id/draft-spaghetti-sidrops-rpki-validation-update-02.html Kind regards, Job
- [Sidrops] What are the RFC 5280 § 6.1.1 inputs fo… Job Snijders
- Re: [Sidrops] What are the RFC 5280 § 6.1.1 input… Geoff Huston
- Re: [Sidrops] What are the RFC 5280 § 6.1.1 input… Job Snijders
- Re: [Sidrops] What are the RFC 5280 § 6.1.1 input… George Michaelson