Ok, thanks.

On Thu, Jan 10, 2019 at 4:39 PM Russ Housley <[email protected]> wrote:
>
> See the Section on DER encoding at https://en.wikipedia.org/wiki/X.690.
>
>
> > On Jan 10, 2019, at 5:26 PM, Alberto Leiva <[email protected]> wrote:
> >
> > Hello.
> >
> > I have a question:
> >
> > RFC 6488 section 3.1.l (https://tools.ietf.org/html/rfc6488#section-3)
> > wants relying parties (RPs) to validate that all RPKI signed objects
> > are DER-encoded, which (I think) means that they must be BER-encoded
> > with minimal and unique representations.
> >
> > But I have found at least one other requirement that seems to
> > contradict this: RFC 6482 section 3.3, fourth paragraph, second half,
> > claims that a ROA (which is a signed object) is allowed to contain
> > redundant ROAIPAddress elements.
> >
> > Furthermore, RFC 3779 (which is meaningfully referenced by the ROA and
> > RPKI certificate (6487) RFCs) states the following:
> >
> >    relying parties do
> >    not need to sort the information, or to implement extra code in the
> >    subset checking algorithms to handle several boundary cases
> >    (adjacent, overlapping, or subsumed ranges).
> >
> > Which seems to be paraphraseable as "RPs can parse signed objects as
> > if they were BER-encoded, without worrying about DER."
> >
> > In fact, my reading of it is that the entirety of RFC 3779 seems to be
> > of the mind that IP and AS extension writers are intended to strictly
> > adhere to DER specifically for the sake of simplifying the task of
> > RPs. RFC 6488, on the other hand, wants both to be strict.
> >
> > So what's the consensus?
> >
> > _______________________________________________
> > sidr mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/sidr
>
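Added example, not part of the thread and not code from any RPKI validator: a Python sketch of the encoding-level checks that separate DER from BER, limited to definite, minimal length octets and BOOLEAN content. The function names and sample byte strings are constructed for illustration; the check looks only at how each element is encoded, so the repeated INTEGER in the first sample passes.

```python
class DERError(ValueError):
    """Raised when an encoding is legal BER but not legal DER."""

def read_header(buf, pos, end):
    """Return (tag, value_start, value_end), enforcing DER's length rules."""
    if pos + 2 > end:
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags are outside this sketch")
    pos += 2
    if first < 0x80:                       # short form: one length octet
        length = first
    elif first == 0x80:                    # BER-only: terminated by 00 00
        raise DERError("indefinite length")
    else:
        n = first & 0x7F                   # long form: n length octets follow
        if first == 0xFF or pos + n > end:
            raise DERError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DERError("non-minimal length")
        pos += n
    if pos + length > end:
        raise DERError("value overruns its container")
    return tag, pos, pos + length

def check_der(buf, pos=0, end=None):
    """Walk all nested TLVs; return how many were seen, or raise DERError."""
    end = len(buf) if end is None else end
    count = 0
    while pos < end:
        tag, start, stop = read_header(buf, pos, end)
        count += 1
        if tag & 0x20:                     # constructed: recurse into contents
            count += check_der(buf, start, stop)
        elif tag == 0x01 and buf[start:stop] not in (b"\x00", b"\xff"):
            raise DERError("BOOLEAN must be 0x00 or 0xFF")
        pos = stop
    return count

def is_der(buf):
    """True if every TLV in buf passes the checks above."""
    try:
        return check_der(buf) > 0
    except DERError:
        return False

# Constructed sample encodings (not taken from any real RPKI object).
STRICT = bytes.fromhex("3006020105020105")      # SEQUENCE { INTEGER 5, INTEGER 5 }
LONG_LEN = bytes.fromhex("308106020105020105")  # same content, length sent as 81 06
INDEFINITE = bytes.fromhex("30800201050000")    # indefinite length, ends with 00 00
```

A full DER check covers more than this (for example SET OF ordering and the ban on constructed string encodings), which this sketch leaves out.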
