Dear all, While authoring an implementation of the RFC 9092 scheme that uses the Routing Public Key Infrastructure (RPKI) to authenticate the geofeed data CSV files, I stumbled upon a curiosity.
RFC 9092 is silent on the matter of whether RFC 3779 'inherit' elements are permitted in the End-Entity certificate or not; however, the example certificate in Appendix A uses 'inherit'. I consider the explicit listing of internet number resource identifiers in RFC 3779 extensions very advantageous when debugging. The use of 'inherit' elements literally reduces the information density of the signature.

I think by now a pattern has been established in the collective body of work related to RPKI:

* When the signed payload relates to Internet Number Resources, explicit listing in the RFC 3779 extension is required. Examples are: ROA (RFC 6482), ASPA (draft-ietf-sidrops-aspa-profile), BGPsec (RFC 8209), and RSC (RFC 9323).
* When a signed payload relates to the Certificate Authority itself, 'inherit' is used, because there is no appropriate resource to list. Examples are: MFT (RFC 9286), GBR (RFC 6493), and TAK (draft-ietf-sidrops-signed-tal).

Because Geofeed authenticators relate to IP prefixes, it seems obvious to me it is a member of the first category; however, the RFC's silence on this aspect and the example EE introduce a degree of ambiguity. Additionally, Geofeed implementers might benefit from similarity to other RPKI-based object profiles (such as ROA, ASPA, BGPsec & RSC).

Related discussion on the topic of 'inherit' happened in Errata 3166: https://www.rfc-editor.org/rfc/inline-errata/rfc6482.html#eid3166

How do we move forward? Would the working group appreciate a small internet-draft that updates RFC 9092 section 4 along the lines of:

-----
Section 4. Authenticating Geofeed Data

[snip]

Step 4: The IP Address Delegation extension [RFC3779] is present in the end-entity (EE) certificate (contained within the CMS signature) and every IP address prefix(es) in the Geofeed payload is contained within the set of IP addresses specified by the EE certificate's IP Address Delegation extension. The EE certificate MUST NOT use "inherit" elements as described in [RFC3779].

The Autonomous System Identifier Delegation Extension described in [RFC3779] is not used in Geofeed authenticators and MUST NOT be present.
-----

Thoughts?

Kind regards,

Job
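An added example, not code from the post or from any RPKI project: a small Python check that applies the proposed Step 4 wording to the DER value of an EE certificate's RFC 3779 IP Address Delegation extension, rejecting 'inherit', rejecting a present AS Identifier extension, and verifying that each geofeed prefix is covered by an explicitly listed prefix or range. It assumes the caller has already pulled the extension value out of the certificate (the `EXPLICIT` and `INHERIT` byte strings below are constructed for this example, not taken from a real certificate).

```python
import ipaddress
# AFI -> (address size in bytes, address class, network class); 1 = IPv4, 2 = IPv6.
_FAM = {1: (4, ipaddress.IPv4Address, ipaddress.IPv4Network),
        2: (16, ipaddress.IPv6Address, ipaddress.IPv6Network)}

# Constructed DER IPAddrBlocks values (id-pe-ipAddrBlocks, OID 1.3.6.1.5.5.7.1.7), not from any real EE.
EXPLICIT = bytes.fromhex("302b 301a 04020001 3014 030400c00002 300c 030400c63364 030400c63364"
                         "300d 04020002 3007 03050020010db8")  # 192.0.2.0/24, 198.51.100.0-255, 2001:db8::/32
INHERIT = bytes.fromhex("3008 3006 04020001 0500")  # IPv4 family carrying the NULL 'inherit' choice

def _seq(body, pos=0):
    """Yield (tag, value) for each DER TLV in body (definite lengths only)."""
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length octets
            ln, pos = int.from_bytes(body[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        yield tag, body[pos:pos + ln]
        pos += ln

def _addr(afi, bits, fill_ones=False):
    """RFC 3779 IPAddress BIT STRING -> (int, prefix_len); pad bits are 0, or 1 for a range max."""
    size, plen = _FAM[afi][0], len(bits[1:]) * 8 - bits[0]
    raw = int.from_bytes(bits[1:].ljust(size, b"\x00"), "big")
    return (raw | ((1 << (size * 8 - plen)) - 1) if fill_ones else raw), plen

def parse_ip_addr_blocks(der):
    """Map AFI -> 'inherit' or a list of ip_network objects and (min, max) address pairs."""
    out = {}
    for _, fam in _seq(next(_seq(der))[1]):
        (_, afi_octets), (tag, choice) = list(_seq(fam))[:2]
        afi = int.from_bytes(afi_octets[:2], "big")
        out[afi] = "inherit" if tag == 0x05 else [  # ASN.1 NULL encodes the 'inherit' choice
            _FAM[afi][2](_addr(afi, v)) if t == 0x03  # addressPrefix: a single BIT STRING
            else tuple(_FAM[afi][1](_addr(afi, b, i == 1)[0])  # addressRange: SEQUENCE { min, max }
                       for i, (_, b) in enumerate(_seq(v)))
            for t, v in _seq(choice)]
    return out

def check_geofeed_ee(ip_blocks_der, has_as_id_ext, geofeed_prefixes):
    """Proposed Step 4 checks on an EE cert; returns the list of violations (empty = pass)."""
    blocks = parse_ip_addr_blocks(ip_blocks_der)
    errors = ["AS Identifier Delegation extension present"] if has_as_id_ext else []
    errors += [f"AFI {afi} uses 'inherit'" for afi, e in blocks.items() if e == "inherit"]
    for p in map(ipaddress.ip_network, geofeed_prefixes):
        entries = blocks.get(1 if p.version == 4 else 2, [])
        if entries == "inherit" or not any(p.subnet_of(e) if not isinstance(e, tuple)
                else e[0] <= p.network_address and p.broadcast_address <= e[1] for e in entries):
            errors.append(f"{p} not covered by the EE IP Address Delegation extension")
    return errors
```

With `INHERIT` the checker reports the 'inherit' use and, because nothing is listed explicitly, every geofeed prefix as uncovered, which is exactly the debugging opacity the post complains about.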
