Re: [Sidrops] Multiple publication points in certificate

"Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl> Sat, 30 July 2022 11:52 UTC

From: "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl>
To: Job Snijders <job@fastly.com>
CC: "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] Multiple publication points in certificate
Date: Sat, 30 Jul 2022 11:52:12 +0000
Message-ID: <595BC0ED-03DF-41DE-A077-8D702D649B09@student.utwente.nl>
References: <DB9P195MB1420D2ABBBC3111449F141BB8C979@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM> <YuGlK4hrITxZx+4v@snel> <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
In-Reply-To: <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/xeutvDM2sGmG3lF2sNWEyoiE_DI>
Subject: Re: [Sidrops] Multiple publication points in certificate

Hi all,

On request I also created a TAL and certificate with the publication points in the reverse order (i.e. broken one first, working one last). It can be found here: https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/koenvh-P.tal. I am not sure whether I mentioned it last time (and whether it needs mentioning), but it is available over IPv6 only. The working one contains one ROA that authorizes AS 1 for 1.2.3.0/24 and AS 1 for 2001:db9::/64.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:33:f9:10:1f:c8:01:fe:cc:8b:18:b6:3a:f5:c2:b8:7d:bf:9b:d7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=593cba02eb7f5483858028cfe972e4c3602362be
        Validity
            Not Before: Jul 30 10:31:54 2022 GMT
            Not After : May 18 10:31:54 2032 GMT
        Subject: CN=593cba02eb7f5483858028cfe972e4c3602362be
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:34:eb:a0:a5:f4:82:ad:0a:2b:ea:80:9b:65:
                    2b:3a:d8:45:0b:9f:41:2c:6e:c0:74:c3:e0:d4:f3:
                    a3:09:17:7b:70:b0:d9:ab:44:27:49:09:d4:43:19:
                    57:8f:9a:0e:8d:90:b7:4a:d2:04:93:cd:6f:85:ad:
                    be:e2:bd:e9:e3:cd:c4:45:c7:51:fc:27:2a:4f:d8:
                    8c:53:a3:df:4b:8e:ec:de:f8:65:9c:31:f8:c3:09:
                    8d:a6:e1:98:e1:2c:d3:1d:ed:b4:01:7f:2d:91:d1:
                    91:3a:b8:b6:4b:b2:3e:57:89:21:dc:f4:78:60:51:
                    4c:65:74:56:97:9b:6b:8f:d1:b7:bd:8a:7f:02:8c:
                    ed:05:d6:69:05:00:8c:27:eb:da:17:e2:5a:5a:8a:
                    2c:d3:30:a3:7b:02:27:c4:03:9f:92:e0:64:5d:79:
                    da:2e:2b:96:74:d1:47:81:25:c7:15:b2:c0:fb:dd:
                    62:55:37:fe:c3:39:ec:62:9c:2c:3d:30:57:5f:07:
                    f9:b6:c4:3c:20:91:a3:cd:01:87:04:a8:18:b0:c2:
                    b4:0d:9b:a9:b9:14:f3:db:7d:a2:c3:27:b6:74:6d:
                    67:91:88:35:45:44:a9:b2:28:b5:9b:17:40:bb:44:
                    8e:64:19:07:c0:3c:53:59:3c:d0:55:15:cc:19:55:
                    f9:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                69:1E:BB:12:05:70:F0:91:68:8E:87:6E:D4:1E:40:D2:E1:7B:5D:8D
            X509v3 Authority Key Identifier: 
                keyid:69:1E:BB:12:05:70:F0:91:68:8E:87:6E:D4:1E:40:D2:E1:7B:5D:8D

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Subject Information Access: 
                1.3.6.1.5.5.7.48.10 - URI:rsync://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/repository/koenvh.mft
                1.3.6.1.5.5.7.48.13 - URI:https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/notification2.xml
                1.3.6.1.5.5.7.48.13 - URI:https://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/notification.xml
                CA Repository - URI:rsync://p-f80ea498-d034-4544-aba1-d56ad9949db6.rpki.koenvh.nl/repository/

            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.5.5.7.14.2

            sbgp-ipAddrBlock: critical
                0.0.....0....0.....0....
            sbgp-autonomousSysNum: critical
                0...0.0
..........
    Signature Algorithm: sha256WithRSAEncryption
         6c:be:a3:fa:1b:da:7c:a1:db:d6:ce:01:80:67:7e:fc:4b:8e:
         d7:3c:aa:25:4e:1f:3b:6a:99:6a:07:8c:fd:3b:2e:1c:4f:67:
         b7:2c:c3:bb:1c:7f:10:4d:a8:02:93:65:9a:41:1e:2f:69:15:
         e9:19:82:01:86:ca:2d:fb:88:8f:07:9a:f4:c7:74:82:7d:bc:
         fb:0d:f9:31:b0:ad:58:c0:58:24:01:77:ca:cb:7a:72:e7:24:
         78:b3:05:fe:76:d3:79:8a:63:97:a0:aa:59:47:fd:ea:44:40:
         e9:27:89:dd:cc:4d:c4:56:ea:f7:58:73:7a:22:1b:51:bc:10:
         b6:2d:81:88:72:14:eb:76:42:02:49:8e:12:de:1f:b1:d1:33:
         4a:ae:69:25:3e:91:fd:a2:db:36:9a:af:d3:42:5b:23:2e:11:
         bc:07:cb:ef:46:81:6e:62:72:53:58:28:d3:d6:14:06:0d:4a:
         69:a8:7f:27:d0:34:64:87:0c:09:41:bd:bb:1f:60:24:48:ac:
         3c:e3:0c:eb:37:32:47:81:39:a7:63:ac:e2:f7:bc:1a:3b:cd:
         fb:2c:0a:b1:fe:33:ab:09:c9:4c:d5:d7:4c:e5:75:5d:77:53:
         1d:76:59:e6:bc:cc:5b:30:ee:da:95:c8:e7:88:fb:00:61:67:
         b6:88:70:e5

Cordially,
Koen van Hove

On 28/07/2022, 13:38, "Sidrops on behalf of Hove, K.W. van (Koen, Student M-CS)" <sidrops-bounces@ietf.org on behalf of k.w.vanhove@student.utwente.nl> wrote:

    Hi Job, all,

    I did indeed see that draft from sidr. If it is possible, then it might make the repository migrations as touched upon by Tim yesterday far simpler (as you could go from "A" to "A and B" to "B").

    I quickly created a certificate with two RRDP points. The TAL for it can be found here: https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/koenvh-P.tal 

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                79:6a:49:49:3d:05:6d:17:2a:ba:b5:79:65:d8:46:82:16:52:77:ef
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=226f435fd04b482d853462ad40735c05bd34b8f2
            Validity
                Not Before: Jul 28 09:25:51 2022 GMT
                Not After : May 16 09:25:51 2032 GMT
            Subject: CN=226f435fd04b482d853462ad40735c05bd34b8f2
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d3:0f:ca:b4:9c:2b:0b:c2:3b:22:6f:1e:bb:52:
                        08:06:72:6b:1f:29:99:83:38:6d:af:fd:2e:ad:de:
                        e4:7f:ab:fd:8c:92:4e:4d:4d:b3:b3:5f:83:49:3a:
                        f1:83:d8:48:0f:5a:45:91:5a:e2:b2:ba:5e:bc:a9:
                        a2:6d:7d:af:85:94:81:6e:59:c1:0f:17:8e:ad:ff:
                        40:35:74:ac:72:75:a2:72:dc:99:ae:1f:d2:89:56:
                        86:aa:55:ef:22:1d:25:7b:e5:77:0a:a6:1a:de:55:
                        39:10:57:f9:4f:53:21:ed:c3:01:39:6f:09:d0:7a:
                        16:26:71:86:3d:0b:dd:99:25:73:63:d5:84:df:f5:
                        30:15:b0:bd:60:bf:41:33:3f:3f:b1:82:04:ac:4b:
                        cc:ac:56:c6:81:4a:db:40:a7:04:8c:1c:68:32:de:
                        4d:e2:4a:ed:77:27:1c:24:b8:cf:4b:df:94:43:ce:
                        6c:a9:8f:86:ff:d7:c3:e4:78:15:15:ee:f7:89:01:
                        f2:04:eb:35:1b:a9:6d:19:c0:5a:d3:5f:d4:52:9f:
                        cc:9f:e0:57:bf:a1:a2:8f:e0:e4:e8:64:8e:bb:d1:
                        f9:0b:62:a5:8c:90:62:c5:6c:7e:52:34:b1:81:1a:
                        b7:35:ca:49:86:9d:19:90:25:62:29:aa:a8:e6:af:
                        84:5f
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
                X509v3 Authority Key Identifier: 
                    keyid:22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09

                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                Subject Information Access: 
                    1.3.6.1.5.5.7.48.10 - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/koenvh.mft
                    1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification.xml
                    1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification2.xml
                    CA Repository - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/

                X509v3 Certificate Policies: critical
                    Policy: 1.3.6.1.5.5.7.14.2

                sbgp-ipAddrBlock: critical
                    0.0.....0....0.....0....
                sbgp-autonomousSysNum: critical
                    0...0.0
    ..........
        Signature Algorithm: sha256WithRSAEncryption
             6f:36:7d:e7:81:68:46:b4:1c:af:b6:13:8e:ff:30:2f:a1:c9:
             aa:a8:98:60:a9:68:0c:21:64:c4:90:48:f9:e3:c6:89:c9:f0:
             da:0f:82:af:3f:c6:75:d0:82:43:b1:1f:2d:47:10:57:c0:77:
             4b:6f:70:ba:b9:9d:c4:e2:1d:0c:4e:9a:2c:88:6a:39:83:c2:
             c0:48:73:fa:f1:2c:c6:87:0c:cb:14:37:d9:71:2b:7b:1e:d5:
             5b:89:ea:9d:aa:ce:9c:8d:bd:7a:fa:41:51:d2:eb:ed:83:2a:
             18:14:9c:bf:be:a6:2e:86:b5:4f:9a:11:4a:9e:da:b9:97:f2:
             1e:90:43:d4:2d:9f:21:fe:a0:16:b3:e0:3a:a3:41:a6:c1:cf:
             4d:6d:35:f2:d5:00:de:05:ee:68:bf:69:36:b4:1f:e2:69:27:
             ba:da:34:a7:52:48:7e:ff:68:7f:20:c5:e4:32:da:24:fb:01:
             cb:93:a9:dd:6c:d1:a1:dd:08:11:f3:17:01:82:ff:95:cf:89:
             bb:ee:60:39:b6:fc:0a:c9:df:c1:c9:c2:52:ef:ad:03:39:9c:
             8d:12:6b:42:ef:6e:01:5e:01:32:18:41:91:b6:3b:e2:ec:dd:
             fa:84:9e:a4:0e:54:56:35:fa:cc:e5:3f:24:dc:bd:33:25:ef:
             53:bd:e8:df

    So far it seems that:
    - Routinator only visits the first
    - OctoRPKI only visits the second
    - rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither
    - FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither

    So current behaviour seems to be quite divergent.

    Cordially,
    Koen van Hove

    From: Job Snijders <job@fastly.com>
    Date: Wednesday, 27 July 2022 at 22:51
    To: Hove, K.W. van (Koen, Student M-CS) <k.w.vanhove@student.utwente.nl>
    Cc: sidrops@ietf.org <sidrops@ietf.org>
    Subject: Re: [Sidrops] Multiple publication points in certificate
    Hi Koen,

    On Wed, Jul 27, 2022 at 08:17:03PM +0000, Hove, K.W. van (Koen, Student M-CS) wrote:
    > Recently I investigated strategies to make ROAs more resilient to
    > outages by publishing them at multiple publication points. During the
    > discussion, I noticed that the SIA AccessDescription extension on
    > certificates, specifically the id-ad-rpkiNotify accessMethod
    > referenced in RFC 8182 section 3.2, does not mention that there can
    > only be one. As far as I can see, there is no restriction in the
    > standard that there must be at most one for each type. In theory
    > multiple RRDP URIs (or rsync URIs for that matter) should be possible.
    > Is this correct, or did I overlook something? And if so, what is the
    > expected behaviour when multiple are defined? 

    There is some prior work that might be of interest to you:

        https://datatracker.ietf.org/doc/html/draft-ietf-sidr-multiple-publication-points

    Specifically section 4, which notes:

        "The support for multiple operators in the RPKI Certificate
        Authority (CA) and End Entity (EE) certificates is supported as the
        RFC 5082 allows multiple repository publication point operators as
        the SIA, AIA and CRLDP are implemented as sequences. Consequently,
        no changes are needed on the existing RPKI standard and this section
        could be considered informative."

    I am not sure what the expected behavior would be when multiple are
    specified in the Subject Information Access extension.

    I believe rpki-client (at the moment of writing) only uses a single
    id-ad-rpkiNotify access description entry (if encountered) and will
    ignore additional entries (if multiple exist).

    Reviving draft-ietf-sidr-multiple-publication-points (or starting from
    scratch in a new document); outlining what the desired strategy is, is
    a possibility. I suspect an argument can be made that if multiple
    id-ad-rpkiNotify are specified, an RP has to contact *all* publication
    points, to increase its chances of finding the Manifest with the highest
    ManifestNumber (I imagine multiple pubpoints existing increases the
    chances of those being out-of-sync with each other).

    I look forward to your findings.

    Kind regards,

    Job

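As an added example (not code from this thread, nor from Routinator, OctoRPKI, rpki-client or FORT), the following pure-Python check walks every AccessDescription in a certificate's Subject Information Access extension and reports which access methods occur more than once, which is exactly the condition under which the four relying parties listed above behaved differently. The DER encoder exists only to construct the sample; the host rpki.example.net is a placeholder and unknown accessMethod OIDs are returned as hex rather than decoded.

```python
# accessMethod OIDs: RFC 6487 4.8.8 (caRepository, rpkiManifest), RFC 8182 3.2 (rpkiNotify)
ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"
ID_AD_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"
ID_AD_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.13"
NAMES = {ID_AD_CA_REPOSITORY: "caRepository", ID_AD_RPKI_MANIFEST: "rpkiManifest",
         ID_AD_RPKI_NOTIFY: "rpkiNotify"}

def _encode_len(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return b"\x06" + _encode_len(len(out)) + bytes(out)

# raw OID contents -> dotted form, for the three methods an RPKI RP cares about
OID_BYTES = {_encode_oid(o)[2:]: o for o in NAMES}

def build_sia(entries):
    """DER-encode SEQUENCE OF AccessDescription { accessMethod OID, accessLocation [6] IA5String }."""
    body = b""
    for oid, uri in entries:
        loc = uri.encode("ascii")
        ad = _encode_oid(oid) + b"\x86" + _encode_len(len(loc)) + loc
        body += b"\x30" + _encode_len(len(ad)) + ad
    return b"\x30" + _encode_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_sia(der):
    """Return every (accessMethod, URI) pair in certificate order; unknown OIDs come back as hex."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SIA value is not a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, ad, pos = _read_tlv(seq, pos)
        t1, oid_raw, p = _read_tlv(ad, 0)
        t2, loc, _ = _read_tlv(ad, p)
        if tag != 0x30 or t1 != 0x06 or t2 != 0x86:
            raise ValueError("malformed AccessDescription")
        entries.append((OID_BYTES.get(oid_raw, oid_raw.hex()), loc.decode("ascii")))
    return entries

def check_sia(der):
    """Group URIs by access method; 'duplicates' names the methods given more than once."""
    groups = {name: [] for name in NAMES.values()}
    for oid, uri in parse_sia(der):
        groups.setdefault(NAMES.get(oid, oid), []).append(uri)
    groups["duplicates"] = sorted(m for m, u in groups.items() if len(u) > 1)
    return groups

HOST = "rpki.example.net"  # constructed sample host, not the thread's repository
SAMPLE_SIA = build_sia([(ID_AD_RPKI_MANIFEST, f"rsync://{HOST}/repository/koenvh.mft"),
                        (ID_AD_RPKI_NOTIFY, f"https://{HOST}/notification2.xml"),
                        (ID_AD_RPKI_NOTIFY, f"https://{HOST}/notification.xml"),
                        (ID_AD_CA_REPOSITORY, f"rsync://{HOST}/repository/")])
```

Running `check_sia` over the SIA value extracted from a real CA certificate gives a one-line answer to the question raised above: whether a certificate carries more than one rpkiNotify (or caRepository) entry before a relying party is pointed at it.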