Re: [Sidrops] Multiple publication points in certificate
"Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl> Sat, 30 July 2022 11:52 UTC
From: "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl>
To: Job Snijders <job@fastly.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Date: Sat, 30 Jul 2022 11:52:12 +0000
Message-ID: <595BC0ED-03DF-41DE-A077-8D702D649B09@student.utwente.nl>
References: <DB9P195MB1420D2ABBBC3111449F141BB8C979@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM> <YuGlK4hrITxZx+4v@snel> <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
In-Reply-To: <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xeutvDM2sGmG3lF2sNWEyoiE_DI>
Hi all,

On request I also created a TAL and certificate with the publication points in the reverse order (i.e. broken one first, working one last). It can be found here:
https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/koenvh-P.tal

I am not sure whether I mentioned it last time (and whether it needs mentioning), but it is available over IPv6 only. The working one contains one ROA that authorizes AS 1 for 1.2.3.0/24 and AS 1 for 2001:db9::/64.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:33:f9:10:1f:c8:01:fe:cc:8b:18:b6:3a:f5:c2:b8:7d:bf:9b:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=593cba02eb7f5483858028cfe972e4c3602362be
        Validity
            Not Before: Jul 30 10:31:54 2022 GMT
            Not After : May 18 10:31:54 2032 GMT
        Subject: CN=593cba02eb7f5483858028cfe972e4c3602362be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:34:eb:a0:a5:f4:82:ad:0a:2b:ea:80:9b:65:
                    2b:3a:d8:45:0b:9f:41:2c:6e:c0:74:c3:e0:d4:f3:
                    a3:09:17:7b:70:b0:d9:ab:44:27:49:09:d4:43:19:
                    57:8f:9a:0e:8d:90:b7:4a:d2:04:93:cd:6f:85:ad:
                    be:e2:bd:e9:e3:cd:c4:45:c7:51:fc:27:2a:4f:d8:
                    8c:53:a3:df:4b:8e:ec:de:f8:65:9c:31:f8:c3:09:
                    8d:a6:e1:98:e1:2c:d3:1d:ed:b4:01:7f:2d:91:d1:
                    91:3a:b8:b6:4b:b2:3e:57:89:21:dc:f4:78:60:51:
                    4c:65:74:56:97:9b:6b:8f:d1:b7:bd:8a:7f:02:8c:
                    ed:05:d6:69:05:00:8c:27:eb:da:17:e2:5a:5a:8a:
                    2c:d3:30:a3:7b:02:27:c4:03:9f:92:e0:64:5d:79:
                    da:2e:2b:96:74:d1:47:81:25:c7:15:b2:c0:fb:dd:
                    62:55:37:fe:c3:39:ec:62:9c:2c:3d:30:57:5f:07:
                    f9:b6:c4:3c:20:91:a3:cd:01:87:04:a8:18:b0:c2:
                    b4:0d:9b:a9:b9:14:f3:db:7d:a2:c3:27:b6:74:6d:
                    67:91:88:35:45:44:a9:b2:28:b5:9b:17:40:bb:44:
                    8e:64:19:07:c0:3c:53:59:3c:d0:55:15:cc:19:55:
                    f9:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                69:1E:BB:12:05:70:F0:91:68:8E:87:6E:D4:1E:40:D2:E1:7B:5D:8D
            X509v3 Authority Key Identifier:
                keyid:69:1E:BB:12:05:70:F0:91:68:8E:87:6E:D4:1E:40:D2:E1:7B:5D:8D
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access:
                1.3.6.1.5.5.7.48.10 - URI:rsync://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/repository/koenvh.mft
                1.3.6.1.5.5.7.48.13 - URI:https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/notification2.xml
                1.3.6.1.5.5.7.48.13 - URI:https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/notification.xml
                CA Repository - URI:rsync://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/repository/
            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.5.5.7.14.2
            sbgp-ipAddrBlock: critical
                0.0.....0....0.....0....
            sbgp-autonomousSysNum: critical
                0...0.0 ..........
    Signature Algorithm: sha256WithRSAEncryption
         6c:be:a3:fa:1b:da:7c:a1:db:d6:ce:01:80:67:7e:fc:4b:8e:
         d7:3c:aa:25:4e:1f:3b:6a:99:6a:07:8c:fd:3b:2e:1c:4f:67:
         b7:2c:c3:bb:1c:7f:10:4d:a8:02:93:65:9a:41:1e:2f:69:15:
         e9:19:82:01:86:ca:2d:fb:88:8f:07:9a:f4:c7:74:82:7d:bc:
         fb:0d:f9:31:b0:ad:58:c0:58:24:01:77:ca:cb:7a:72:e7:24:
         78:b3:05:fe:76:d3:79:8a:63:97:a0:aa:59:47:fd:ea:44:40:
         e9:27:89:dd:cc:4d:c4:56:ea:f7:58:73:7a:22:1b:51:bc:10:
         b6:2d:81:88:72:14:eb:76:42:02:49:8e:12:de:1f:b1:d1:33:
         4a:ae:69:25:3e:91:fd:a2:db:36:9a:af:d3:42:5b:23:2e:11:
         bc:07:cb:ef:46:81:6e:62:72:53:58:28:d3:d6:14:06:0d:4a:
         69:a8:7f:27:d0:34:64:87:0c:09:41:bd:bb:1f:60:24:48:ac:
         3c:e3:0c:eb:37:32:47:81:39:a7:63:ac:e2:f7:bc:1a:3b:cd:
         fb:2c:0a:b1:fe:33:ab:09:c9:4c:d5:d7:4c:e5:75:5d:77:53:
         1d:76:59:e6:bc:cc:5b:30:ee:da:95:c8:e7:88:fb:00:61:67:
         b6:88:70:e5

Cordially,
Koen van Hove

On 28/07/2022, 13:38, "Sidrops on behalf of Hove, K.W. van (Koen, Student M-CS)" <sidrops-bounces@ietf.org on behalf of k.w.vanhove@student.utwente.nl> wrote:

Hi Job, all,

I did indeed see that draft from sidr. If it is possible, then it might make the repository migrations as touched upon by Tim yesterday far simpler (as you could go from "A" to "A and B" to "B").

I quickly created a certificate with two RRDP points. The TAL for it can be found here:
https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/koenvh-P.tal

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:6a:49:49:3d:05:6d:17:2a:ba:b5:79:65:d8:46:82:16:52:77:ef
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=226f435fd04b482d853462ad40735c05bd34b8f2
        Validity
            Not Before: Jul 28 09:25:51 2022 GMT
            Not After : May 16 09:25:51 2032 GMT
        Subject: CN=226f435fd04b482d853462ad40735c05bd34b8f2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:0f:ca:b4:9c:2b:0b:c2:3b:22:6f:1e:bb:52:
                    08:06:72:6b:1f:29:99:83:38:6d:af:fd:2e:ad:de:
                    e4:7f:ab:fd:8c:92:4e:4d:4d:b3:b3:5f:83:49:3a:
                    f1:83:d8:48:0f:5a:45:91:5a:e2:b2:ba:5e:bc:a9:
                    a2:6d:7d:af:85:94:81:6e:59:c1:0f:17:8e:ad:ff:
                    40:35:74:ac:72:75:a2:72:dc:99:ae:1f:d2:89:56:
                    86:aa:55:ef:22:1d:25:7b:e5:77:0a:a6:1a:de:55:
                    39:10:57:f9:4f:53:21:ed:c3:01:39:6f:09:d0:7a:
                    16:26:71:86:3d:0b:dd:99:25:73:63:d5:84:df:f5:
                    30:15:b0:bd:60:bf:41:33:3f:3f:b1:82:04:ac:4b:
                    cc:ac:56:c6:81:4a:db:40:a7:04:8c:1c:68:32:de:
                    4d:e2:4a:ed:77:27:1c:24:b8:cf:4b:df:94:43:ce:
                    6c:a9:8f:86:ff:d7:c3:e4:78:15:15:ee:f7:89:01:
                    f2:04:eb:35:1b:a9:6d:19:c0:5a:d3:5f:d4:52:9f:
                    cc:9f:e0:57:bf:a1:a2:8f:e0:e4:e8:64:8e:bb:d1:
                    f9:0b:62:a5:8c:90:62:c5:6c:7e:52:34:b1:81:1a:
                    b7:35:ca:49:86:9d:19:90:25:62:29:aa:a8:e6:af:
                    84:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
            X509v3 Authority Key Identifier:
                keyid:22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access:
                1.3.6.1.5.5.7.48.10 - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/koenvh.mft
                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification.xml
                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification2.xml
                CA Repository - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/
            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.5.5.7.14.2
            sbgp-ipAddrBlock: critical
                0.0.....0....0.....0....
            sbgp-autonomousSysNum: critical
                0...0.0 ..........
    Signature Algorithm: sha256WithRSAEncryption
         6f:36:7d:e7:81:68:46:b4:1c:af:b6:13:8e:ff:30:2f:a1:c9:
         aa:a8:98:60:a9:68:0c:21:64:c4:90:48:f9:e3:c6:89:c9:f0:
         da:0f:82:af:3f:c6:75:d0:82:43:b1:1f:2d:47:10:57:c0:77:
         4b:6f:70:ba:b9:9d:c4:e2:1d:0c:4e:9a:2c:88:6a:39:83:c2:
         c0:48:73:fa:f1:2c:c6:87:0c:cb:14:37:d9:71:2b:7b:1e:d5:
         5b:89:ea:9d:aa:ce:9c:8d:bd:7a:fa:41:51:d2:eb:ed:83:2a:
         18:14:9c:bf:be:a6:2e:86:b5:4f:9a:11:4a:9e:da:b9:97:f2:
         1e:90:43:d4:2d:9f:21:fe:a0:16:b3:e0:3a:a3:41:a6:c1:cf:
         4d:6d:35:f2:d5:00:de:05:ee:68:bf:69:36:b4:1f:e2:69:27:
         ba:da:34:a7:52:48:7e:ff:68:7f:20:c5:e4:32:da:24:fb:01:
         cb:93:a9:dd:6c:d1:a1:dd:08:11:f3:17:01:82:ff:95:cf:89:
         bb:ee:60:39:b6:fc:0a:c9:df:c1:c9:c2:52:ef:ad:03:39:9c:
         8d:12:6b:42:ef:6e:01:5e:01:32:18:41:91:b6:3b:e2:ec:dd:
         fa:84:9e:a4:0e:54:56:35:fa:cc:e5:3f:24:dc:bd:33:25:ef:
         53:bd:e8:df

So far it seems that:
- Routinator only visits the first
- OctoRPKI only visits the second
- rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither
- FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither

So current behaviour seems to be quite diverging.

Cordially,
Koen van Hove

From: Job Snijders <job@fastly.com>
Date: Wednesday, 27 July 2022 at 22:51
To: Hove, K.W. van (Koen, Student M-CS) <k.w.vanhove@student.utwente.nl>
Cc: sidrops@ietf.org <sidrops@ietf.org>
Subject: Re: [Sidrops] Multiple publication points in certificate

Hi Koen,

On Wed, Jul 27, 2022 at 08:17:03PM +0000, Hove, K.W. van (Koen, Student M-CS) wrote:
> Recently I investigated strategies to make ROAs more resilient to
> outages by publishing them at multiple publication points. During the
> discussion, I noticed that the SIA AccessDescription extension on
> certificates, specifically the id-ad-rpkiNotify accessMethod
> referenced in RFC 8182 section 3.2, does not mention that there can
> only be one. As far as I can see, there is no restriction in the
> standard that there must be at most one for each type. In theory
> multiple RRDP URIs (or rsync URIs for that matter) should be possible.
> Is this correct, or did I overlook something? And if so, what is the
> expected behaviour when multiple are defined?

There is some prior work that might be of interest to you:
https://datatracker.ietf.org/doc/html/draft-ietf-sidr-multiple-publication-points

Specifically section 4, which notes:

"The support for multiple operators in the RPKI Certificate Authority (CA) and End Entity (EE) certificates is supported as the RFC 5082 allows multiple repository publication point operators as the SIA, AIA and CRLDP are implemented as sequences. Consequently, no changes are needed on the existing RPKI standard and this section could be considered informative."

I am not sure what the expected behavior would be when multiple are specified in the Subject Information Access extension. I believe rpki-client (at the moment of writing) only uses a single id-ad-rpkiNotify access description entry (if encountered) and will ignore additional entries (if multiple exist).

Reviving draft-ietf-sidr-multiple-publication-points (or starting from scratch in a new document), outlining what the desired strategy is, is a possibility.

I suspect an argument can be made that if multiple id-ad-rpkiNotify are specified, an RP has to contact *all* publication points, to increase its chances of finding the Manifest with the highest ManifestNumber (I imagine multiple pubpoints existing increases the chances of those being out-of-sync with each other).

I look forward to your findings.

Kind regards,

Job

_______________________________________________
Sidrops mailing list
Sidrops@ietf.org
https://www.ietf.org/mailman/listinfo/sidrops
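Added example, not code from the original message or from any of the relying parties named in it: a stdlib-only DER encoder/decoder for the SIA extension that rebuilds, as constructed input, the four access descriptions printed in the certificate above and groups the accessLocations by accessMethod, which is the point at which an RP has to decide what to do with a second id-ad-rpkiNotify entry. The OID constants are the standard id-ad-caRepository, id-ad-rpkiManifest and id-ad-rpkiNotify values; every function name and the sample data are assumptions of this example.

```python
OID_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"   # id-ad-caRepository (RFC 6487)
OID_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"  # id-ad-rpkiManifest (RFC 6487)
OID_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.13"    # id-ad-rpkiNotify   (RFC 8182)

def _tlv(tag, body):
    n = len(body)  # DER length: short form below 128, else 0x80|k then k length octets
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_oid(dotted):  # content octets only; the caller wraps them in a 0x06 TLV
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:  # base-128, continuation bit on all but the last octet
        out = [arc & 0x7F]
        while (arc := arc >> 7):
            out.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(out)
    return bytes(body)

OID_BY_DER = {encode_oid(o): o for o in (OID_CA_REPOSITORY, OID_RPKI_MANIFEST, OID_RPKI_NOTIFY)}

def encode_sia(descs):
    # SEQUENCE OF SEQUENCE { accessMethod OID, accessLocation [6] IA5String (tag 0x86) }
    return _tlv(0x30, b"".join(
        _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _tlv(0x86, uri.encode("ascii")))
        for oid, uri in descs))

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def decode_sia(der):
    """(accessMethod, accessLocation) pairs in certificate order; unknown OIDs as hex."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SIA is not a SEQUENCE")
    descs, pos = [], 0
    while pos < len(seq):
        _, ad, pos = _read_tlv(seq, pos)
        t_oid, oid, p = _read_tlv(ad, 0)
        t_uri, uri, _ = _read_tlv(ad, p)
        if t_oid != 0x06 or t_uri != 0x86:
            raise ValueError("AccessDescription must be { OID, [6] IA5String }")
        descs.append((OID_BY_DER.get(oid, oid.hex()), uri.decode("ascii")))
    return descs

def locations_by_method(der):
    """accessMethod -> its accessLocations; two entries under rpkiNotify is the case tested here."""
    groups = {}
    for oid, uri in decode_sia(der):
        groups.setdefault(oid, []).append(uri)
    return groups

# Constructed sample: the SIA of the certificate quoted in this message, in the same order.
HOST = "p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl"
SIA_DER = encode_sia([
    (OID_RPKI_MANIFEST, f"rsync://{HOST}/repository/koenvh.mft"),
    (OID_RPKI_NOTIFY, f"https://{HOST}/notification2.xml"),  # non-working point, listed first
    (OID_RPKI_NOTIFY, f"https://{HOST}/notification.xml"),   # working point, listed last
    (OID_CA_REPOSITORY, f"rsync://{HOST}/repository/"),
])
```

`locations_by_method(SIA_DER)[OID_RPKI_NOTIFY]` returns both RRDP URIs in certificate order, so "first", "second", "all" or "reject" are each a one-line policy on that list.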