Re: [Sidrops] Multiple publication points in certificate

"Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl> Thu, 28 July 2022 11:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/g5tv69vdCem27dvL9IsHmOS60Mg>

Hi Job, all,

I did indeed see that draft from sidr. If it is possible, then it might make the repository migrations as touched upon by Tim yesterday far simpler (as you could go from "A" to "A and B" to "B").

I quickly created a certificate with two RRDP points. The TAL for it can be found here: https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/koenvh-P.tal 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:6a:49:49:3d:05:6d:17:2a:ba:b5:79:65:d8:46:82:16:52:77:ef
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=226f435fd04b482d853462ad40735c05bd34b8f2
        Validity
            Not Before: Jul 28 09:25:51 2022 GMT
            Not After : May 16 09:25:51 2032 GMT
        Subject: CN=226f435fd04b482d853462ad40735c05bd34b8f2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:0f:ca:b4:9c:2b:0b:c2:3b:22:6f:1e:bb:52:
                    08:06:72:6b:1f:29:99:83:38:6d:af:fd:2e:ad:de:
                    e4:7f:ab:fd:8c:92:4e:4d:4d:b3:b3:5f:83:49:3a:
                    f1:83:d8:48:0f:5a:45:91:5a:e2:b2:ba:5e:bc:a9:
                    a2:6d:7d:af:85:94:81:6e:59:c1:0f:17:8e:ad:ff:
                    40:35:74:ac:72:75:a2:72:dc:99:ae:1f:d2:89:56:
                    86:aa:55:ef:22:1d:25:7b:e5:77:0a:a6:1a:de:55:
                    39:10:57:f9:4f:53:21:ed:c3:01:39:6f:09:d0:7a:
                    16:26:71:86:3d:0b:dd:99:25:73:63:d5:84:df:f5:
                    30:15:b0:bd:60:bf:41:33:3f:3f:b1:82:04:ac:4b:
                    cc:ac:56:c6:81:4a:db:40:a7:04:8c:1c:68:32:de:
                    4d:e2:4a:ed:77:27:1c:24:b8:cf:4b:df:94:43:ce:
                    6c:a9:8f:86:ff:d7:c3:e4:78:15:15:ee:f7:89:01:
                    f2:04:eb:35:1b:a9:6d:19:c0:5a:d3:5f:d4:52:9f:
                    cc:9f:e0:57:bf:a1:a2:8f:e0:e4:e8:64:8e:bb:d1:
                    f9:0b:62:a5:8c:90:62:c5:6c:7e:52:34:b1:81:1a:
                    b7:35:ca:49:86:9d:19:90:25:62:29:aa:a8:e6:af:
                    84:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
            X509v3 Authority Key Identifier: 
                keyid:22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access: 
                1.3.6.1.5.5.7.48.10 - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/koenvh.mft
                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification.xml
                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification2.xml
                CA Repository - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/

            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.5.5.7.14.2

            sbgp-ipAddrBlock: critical
                0.0.....0....0.....0....
            sbgp-autonomousSysNum: critical
                0...0.0
..........
    Signature Algorithm: sha256WithRSAEncryption
         6f:36:7d:e7:81:68:46:b4:1c:af:b6:13:8e:ff:30:2f:a1:c9:
         aa:a8:98:60:a9:68:0c:21:64:c4:90:48:f9:e3:c6:89:c9:f0:
         da:0f:82:af:3f:c6:75:d0:82:43:b1:1f:2d:47:10:57:c0:77:
         4b:6f:70:ba:b9:9d:c4:e2:1d:0c:4e:9a:2c:88:6a:39:83:c2:
         c0:48:73:fa:f1:2c:c6:87:0c:cb:14:37:d9:71:2b:7b:1e:d5:
         5b:89:ea:9d:aa:ce:9c:8d:bd:7a:fa:41:51:d2:eb:ed:83:2a:
         18:14:9c:bf:be:a6:2e:86:b5:4f:9a:11:4a:9e:da:b9:97:f2:
         1e:90:43:d4:2d:9f:21:fe:a0:16:b3:e0:3a:a3:41:a6:c1:cf:
         4d:6d:35:f2:d5:00:de:05:ee:68:bf:69:36:b4:1f:e2:69:27:
         ba:da:34:a7:52:48:7e:ff:68:7f:20:c5:e4:32:da:24:fb:01:
         cb:93:a9:dd:6c:d1:a1:dd:08:11:f3:17:01:82:ff:95:cf:89:
         bb:ee:60:39:b6:fc:0a:c9:df:c1:c9:c2:52:ef:ad:03:39:9c:
         8d:12:6b:42:ef:6e:01:5e:01:32:18:41:91:b6:3b:e2:ec:dd:
         fa:84:9e:a4:0e:54:56:35:fa:cc:e5:3f:24:dc:bd:33:25:ef:
         53:bd:e8:df

So far it seems that:
- Routinator only visits the first
- OctoRPKI only visits the second
- rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither
- FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither

So current behaviour seems to be quite diverging. 

Cordially,
Koen van Hove

From: Job Snijders <job@fastly.com>
Date: Wednesday, 27 July 2022 at 22:51
To: Hove, K.W. van (Koen, Student M-CS) <k.w.vanhove@student.utwente.nl>
Cc: sidrops@ietf.org <sidrops@ietf.org>
Subject: Re: [Sidrops] Multiple publication points in certificate
Hi Koen,

On Wed, Jul 27, 2022 at 08:17:03PM +0000, Hove, K.W. van (Koen, Student M-CS) wrote:
> Recently I investigated strategies to make ROAs more resilient to
> outages by publishing them at multiple publication points. During the
> discussion, I noticed that the SIA AccessDescription extension on
> certificates, specifically the id-ad-rpkiNotify accessMethod
> referenced in RFC 8182 section 3.2, does not mention that there can
> only be one. As far as I can see, there is no restriction in the
> standard that there must be at most one for each type. In theory
> multiple RRDP URIs (or rsync URIs for that matter) should be possible.
> Is this correct, or did I overlook something? And if so, what is the
> expected behaviour when multiple are defined? 

There is some prior work that might be of interest to you:

    https://datatracker.ietf.org/doc/html/draft-ietf-sidr-multiple-publication-points

Specifically section 4, which notes:

    "The support for multiple operators in the RPKI Certificate
    Authority (CA) and End Entity (EE) certificates is supported as the
    RFC 5082 allows multiple repository publication point operators as
    the SIA, AIA and CRLDP are implemented as sequences. Consequently,
    no changes are needed on the existing RPKI standard and this section
    could be considered informative."

I am not sure what the expected behavior would be when multiple are
specified in the Subject Information Access extension.

I believe rpki-client (at the moment of writing) only uses a single
id-ad-rpkiNotify access description entry (if encountered) and will
ignore additional entries (if multiple exist).

Reviving draft-ietf-sidr-multiple-publication-points (or starting from
scratch in a new document), outlining what the desired strategy is, is
a possibility. I suspect an argument can be made that if multiple
id-ad-rpkiNotify are specified, an RP has to contact *all* publication
points, to increase its chances of finding the Manifest with the highest
ManifestNumber (I imagine multiple pubpoints existing increases the
chances of them being out-of-sync with each other).

I look forward to your findings.

Kind regards,

Job
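As an added example (not code from this thread, nor from any of the relying-party implementations named in it), the following Python parses the DER value of a Subject Information Access extension and models the four behaviours the thread reports for a second id-ad-rpkiNotify entry: reject (rpki-client, FORT), first (Routinator), last (OctoRPKI), and visit all, as Job sketches. The sample extension, the host x.test and all function names are constructed for illustration.

```python
OID_CAREPOSITORY = bytes.fromhex("2b06010505073005")  # 1.3.6.1.5.5.7.48.5, id-ad-caRepository
OID_RPKINOTIFY = bytes.fromhex("2b0601050507300d")    # 1.3.6.1.5.5.7.48.13, id-ad-rpkiNotify
ID_AD = {OID_CAREPOSITORY: "caRepository", OID_RPKINOTIFY: "rpkiNotify"}

def read_tlv(data, pos):
    """Read one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits count the length octets that follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def parse_sia(ext_value):
    """SubjectInfoAccessSyntax: SEQUENCE OF { accessMethod OID, accessLocation GeneralName }.
    Returns [(method name or OID hex, uri)]; non-URI GeneralNames are skipped."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SIA is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ad, pos = read_tlv(seq, pos)
        otag, oid, p = read_tlv(ad, 0)
        ltag, loc, _ = read_tlv(ad, p)
        if otag == 0x06 and ltag == 0x86:  # [6] uniformResourceIdentifier (IA5String)
            out.append((ID_AD.get(oid, oid.hex()), loc.decode("ascii")))
    return out

def select_rpki_notify(entries, policy="reject"):
    """RRDP URIs an RP would fetch: 'reject' (rpki-client/FORT), 'first' (Routinator),
    'last' (OctoRPKI) or 'all' (visit every pubpoint, the strategy Job sketches)."""
    notify = [u for m, u in entries if m == "rpkiNotify"]
    if len(notify) <= 1 or policy == "all":
        return notify
    if policy == "reject":
        raise ValueError("RFC 6487 section 4.8: SIA: rpkiNotify already specified")
    return notify[:1] if policy == "first" else notify[-1:]

def tlv(tag, body):
    """DER-encode one TLV; short-form length is enough for the constructed sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample with the shape of Koen's SIA (two rpkiNotify URIs) on a placeholder host.
SAMPLE_SIA = tlv(0x30, b"".join([
    tlv(0x30, tlv(0x06, OID_RPKINOTIFY) + tlv(0x86, b"https://x.test/n.xml")),
    tlv(0x30, tlv(0x06, OID_RPKINOTIFY) + tlv(0x86, b"https://x.test/n2.xml")),
    tlv(0x30, tlv(0x06, OID_CAREPOSITORY) + tlv(0x86, b"rsync://x.test/r/")),
]))
```

Running `parse_sia` over the SIA of a real CA certificate (the DER value of extension 1.3.6.1.5.5.7.1.11) and then `select_rpki_notify` under each policy shows which notification file each class of RP would actually fetch from that certificate.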