Hello. I have a question:

RFC 6488 section 3.1.l (https://tools.ietf.org/html/rfc6488#section-3) wants relying parties (RPs) to validate that all RPKI signed objects are DER-encoded, which (I think) means that they must be BER-encoded with minimal and unique representations. But I have found at least one other requirement that seems to contradict this: RFC 6482 section 3.3, fourth paragraph, second half, claims that a ROA (which is a signed object) is allowed to contain redundant ROAIPAddress elements.

Furthermore, RFC 3779 (which is meaningfully referenced by the ROA and RPKI certificate (6487) RFCs) states the following: "relying parties do not need to sort the information, or to implement extra code in the subset checking algorithms to handle several boundary cases (adjacent, overlapping, or subsumed ranges)." Which seems to be paraphrasable as "RPs can parse signed objects as if they were BER-encoded, without worrying about DER." In fact, my reading of it is that the entirety of RFC 3779 seems to be of the mind that IP and AS extension writers are intended to strictly adhere to DER specifically for the sake of simplifying the task of RPs. RFC 6488, on the other hand, wants both to be strict.

So what's the consensus?
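One concrete piece of the DER-strictness question above, as an added example that is not part of the original post or of any RPKI validator: a walker that flags the length encodings BER permits but DER forbids (indefinite lengths and non-minimal long-form lengths). The byte strings are constructed, not taken from a real signed object; the function names are assumptions.

```python
# Added example: check an ASN.1 TLV byte string for length encodings that are
# legal BER but not DER. This covers only length octets, not the ordering or
# redundancy of ROAIPAddress elements discussed in the post.

def der_length_violations(data: bytes) -> list:
    """Return a list of (offset, reason) for every length field that is
    BER-only. An empty list means all lengths are DER-canonical."""
    problems = []
    _walk(data, 0, len(data), problems)
    return problems


def _walk(buf, start, end, problems):
    pos = start
    while pos < end:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:            # high-tag-number form: skip tag octets
            while pos < end and buf[pos] & 0x80:
                pos += 1
            pos += 1
        if pos >= end:
            problems.append((pos, "truncated: missing length octet"))
            return
        first = buf[pos]
        pos += 1
        if first == 0x80:                 # indefinite length: BER only
            problems.append((pos - 1, "indefinite length (BER only)"))
            return                        # content end needs an EOC scan; stop here
        if first & 0x80:                  # long form: 0x8N then N length octets
            n = first & 0x7F
            if n == 0 or pos + n > end:
                problems.append((pos - 1, "malformed long-form length"))
                return
            length = int.from_bytes(buf[pos:pos + n], "big")
            # DER: short form whenever length < 128, and no leading zero octets
            if length < 0x80 or (n > 1 and buf[pos] == 0):
                problems.append((pos - 1, "non-minimal length encoding (BER only)"))
            pos += n
        else:
            length = first
        if pos + length > end:
            problems.append((pos, "length exceeds enclosing element"))
            return
        if tag & 0x20:                    # constructed: recurse into contents
            _walk(buf, pos, pos + length, problems)
        pos += length

# Constructed samples: SEQUENCE { INTEGER 5 } in DER and two BER-only variants,
# plus a DER SEQUENCE holding an OCTET STRING with a non-minimal inner length.
DER_OK        = bytes.fromhex("3003020105")
BER_INDEFINITE = bytes.fromhex("30800201050000")
BER_LONG_FORM = bytes.fromhex("308103020105")
BER_NESTED    = bytes.fromhex("300504810241 42".replace(" ", ""))
```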
