I noticed a change in the newest revision of the certificate profile
(draft-ietf-sidr-res-certs-19) that could affect relying party software
implementations. This might be a good change, but I just wanted to check.
In section 4.9.8.1, the SIA for CA certs no longer points to a
directory, but instead points to a manifest. (Well, except for some
confusion because the first paragraph still says it points to a directory.)
    This extension MUST have an instance of an AccessDescription with an
    accessMethod of id-ad-rpkiManifest,

        id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
        id-ad-rpkiManifest OBJECT IDENTIFIER ::= { id-ad 10 }

    with an RSYNC URI [RFC5781] form of accessLocation. The URI points
    to the CA's manifest of published objects [ID.sidr-rpki-manifests] as
    an object URL. Other accessDescription elements MAY exist for the
    id-ad-rpkiManifest accessMethod, where the accessLocation value
    indicates alternate access mechanisms for the same manifest object.
If indeed the SIA now points to a manifest, RP implementations need to
conform. This isn't necessarily bad--it may be a good idea during key
rollover when two "instances" of a CA publish files in the same directory.
Was this what we had intended all along (I may have missed the
discussion), or is this new?
-Andrew
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
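Added example (not part of Andrew's message, the draft, or any relying-party implementation): a minimal DER codec for the SubjectInfoAccess extension of a CA certificate, plus the relying-party check the quoted draft text implies, namely that an AccessDescription with accessMethod id-ad-rpkiManifest (1.3.6.1.5.5.7.48.10) and an rsync object URL must be present. The id-ad-caRepository arc (id-ad 5) is taken from RFC 5280; the hostname and paths are constructed sample data; the trailing-slash test for "directory rather than object URL" and the check that the manifest sits under the caRepository directory are heuristics chosen for this example, not requirements stated in the quoted text.

```python
from __future__ import annotations

# OIDs: id-ad is { id-pkix 48 }; rpkiManifest is { id-ad 10 } per the quoted draft,
# caRepository is { id-ad 5 } per RFC 5280.
ID_AD = "1.3.6.1.5.5.7.48"
ID_AD_CA_REPOSITORY = ID_AD + ".5"    # accessLocation is the publication directory
ID_AD_RPKI_MANIFEST = ID_AD + ".10"   # accessLocation is the manifest object URL

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GN_URI = 0x86  # GeneralName [6] IMPLICIT IA5String (uniformResourceIdentifier)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (first arc 0, 1 or 2 with second arc < 40, enough for id-pkix)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, next_pos) for the definite-length TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_sia(access: list[tuple[str, str]]) -> bytes:
    """[(accessMethod OID, accessLocation URI)] -> DER SubjectInfoAccessSyntax."""
    descs = b"".join(
        _tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_GN_URI, uri.encode("ascii")))
        for oid, uri in access
    )
    return _tlv(TAG_SEQUENCE, descs)


def decode_sia(der: bytes) -> list[tuple[str, str]]:
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("SIA is not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        t1, oid, p = _read_tlv(desc, 0)
        t2, loc, p2 = _read_tlv(desc, p)
        if t1 != TAG_OID or p2 != len(desc):
            raise ValueError("malformed AccessDescription")
        # Non-URI GeneralName forms are kept as a marker so the checker can reject them.
        uri = loc.decode("ascii") if t2 == TAG_GN_URI else f"<GeneralName tag 0x{t2:02x}>"
        out.append((decode_oid(oid), uri))
    return out


def check_ca_sia(der: bytes) -> list[str]:
    """Relying-party checks on a CA certificate's SIA; empty list means acceptable."""
    entries = decode_sia(der)
    manifests = [loc for oid, loc in entries if oid == ID_AD_RPKI_MANIFEST]
    repos = [loc for oid, loc in entries if oid == ID_AD_CA_REPOSITORY]
    problems = []
    if not manifests:
        problems.append("no id-ad-rpkiManifest AccessDescription (MUST be present)")
    elif not any(m.startswith("rsync://") for m in manifests):
        problems.append("no rsync:// accessLocation for the manifest (alternates MAY be added, not substituted)")
    for m in manifests:
        if m.endswith("/"):  # heuristic for this example: a directory, not an object URL
            problems.append(f"manifest accessLocation looks like a directory: {m}")
    # Extra consistency check chosen for this example: manifest under the caRepository dir.
    if repos and manifests and not any(m.startswith(r) for m in manifests for r in repos):
        problems.append("manifest URI is not under the id-ad-caRepository directory")
    return problems


if __name__ == "__main__":
    # Constructed sample SIA for a CA cert (hostname and paths are made up).
    sia = encode_sia([(ID_AD_CA_REPOSITORY, "rsync://rpki.example.net/repo/ca1/"),
                      (ID_AD_RPKI_MANIFEST, "rsync://rpki.example.net/repo/ca1/ca1.mft")])
    print(decode_sia(sia), check_ca_sia(sia))
```

Run it directly to see the decoded entries and an empty problem list; feed `check_ca_sia` an SIA whose manifest entry ends in `/` (the directory form Andrew notes the first paragraph still describes) and it reports the mismatch.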