I concur with the clarifying errata.
Steve
------
On 10/30/13 1:58 PM, RFC Errata System wrote:
The following errata report has been verified for RFC6489, "Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure (RPKI)".
--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6489&eid=3756
--------------------------------------
Status: Verified
Type: Technical
Reported by: David Mandelberg <[email protected]>
Date Reported: 2013-10-16
Verified by: Stewart Bryant (IESG)
Section: 2
Original Text
-------------
This
request MUST include the same SIA extension that is present in
the CURRENT CA certificate.
Corrected Text
--------------
The AccessDescriptions with accessMethods of id-ad-caRepository in the
request's SIA extension MUST be the same as the AccessDescriptions with
accessMethods of id-ad-caRepository in the CURRENT CA certificate's SIA
extension.
Notes
-----
An RFC6487-compliant CA certificate's SIA extension has AccessDescriptions for both its
repository (id-ad-caRepository) and its manifest (id-ad-rpkiManifest). Section 2 of
RFC6489 also states, "While the 'current' and 'new' CA instances share a single
repository publication point, each CA has its own CRL and its own manifest." This
indicates that only the id-ad-caRepository AccessDescriptions should be identical, not
the id-ad-rpkiManifest AccessDescriptions.
--------------------------------------
RFC6489 (draft-ietf-sidr-keyroll-08)
--------------------------------------
Title : Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure (RPKI)
Publication Date : February 2012
Author(s) : G. Huston, G. Michaelson, S. Kent
Category : BEST CURRENT PRACTICE
Source : Secure Inter-Domain Routing
Area : Routing
Stream : IETF
Verifying Party : IESG
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
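
The corrected rule from the erratum above, as an added example that is not part of the original message or of RFC 6489: it decodes two DER-encoded SIA extension values and compares only the id-ad-caRepository AccessDescriptions, so a rollover request whose manifest URI differs is still accepted. The URIs, the `make_sia` helper and the strict same-order reading of "the same" are assumptions made for the illustration.

```python
CA_REPOSITORY = bytes.fromhex("2b06010505073005")  # id-ad-caRepository, 1.3.6.1.5.5.7.48.5
RPKI_MANIFEST = bytes.fromhex("2b0601050507300a")  # id-ad-rpkiManifest, 1.3.6.1.5.5.7.48.10

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the number of length octets
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def parse_sia(der):
    """Decode a SubjectInfoAccessSyntax value into [(accessMethod OID, URI)]."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, ad, pos = read_tlv(seq, pos)
        oid_tag, oid, nxt = read_tlv(ad, 0)
        loc_tag, loc, _ = read_tlv(ad, nxt)
        if oid_tag != 0x06 or loc_tag != 0x86:  # 0x86 = [6] uniformResourceIdentifier
            raise ValueError("unexpected AccessDescription")
        out.append((oid, loc.decode("ascii")))
    return out

def ca_repository(sia):
    # Assumption: "the same" is read strictly, same URIs in the same order.
    return [uri for oid, uri in parse_sia(sia) if oid == CA_REPOSITORY]

def rollover_request_ok(current_sia, request_sia):
    """Corrected text: only the id-ad-caRepository AccessDescriptions must match."""
    return ca_repository(current_sia) == ca_repository(request_sia)

def make_sia(repo_uri, manifest_uri):  # hypothetical helper for the samples below
    ad = lambda oid, uri: tlv(0x30, tlv(0x06, oid) + tlv(0x86, uri.encode("ascii")))
    return tlv(0x30, ad(CA_REPOSITORY, repo_uri) + ad(RPKI_MANIFEST, manifest_uri))
# Constructed samples: CURRENT and NEW share a publication point, manifests differ.
REPO = "rsync://rpki.example.net/repo/ca1/"
CURRENT = make_sia(REPO, REPO + "current.mft")
NEW = make_sia(REPO, REPO + "new.mft")
```

Under the original wording (identical SIA extension) the `NEW` request would be rejected, because its manifest AccessDescription differs from the one in `CURRENT`.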