On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
> The following errata report has been submitted for RFC8182,
> "The RPKI Repository Delta Protocol (RRDP)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7239
>
> --------------------------------------
> Type: Technical
> Reported by: Job Snijders <[email protected]>
>
> Section: 3.2
>
> Original Text
> -------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
>
> Corrected Text
> --------------
> Certificate Authorities that use RRDP MUST include an instance of an
> SIA AccessDescription extension in CA resource certificates they
> produce, in addition to the ones defined in [RFC6487]:
>
> Notes
> -----
> Between draft-ietf-sidr-delta-protocol-04 and
> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
> because it was considered redundant). But, unfortunately that
> snippet helped establish important context as to what types of
> certificates are expected to contain the id-ad-rpkiNotify
> accessMethod inside the Subject Information Access extension. The
> text that was removed:
>
> """
> Relying Parties that do not support this delta protocol MUST MUST NOT
> reject a CA certificate merely because it has an SIA extension
> containing this new kind of AccessDescription.
> """
>
> From the removed text it is clear that id-ad-rpkiNotify was only
> expected to show up on CA certificates. However, without the above
> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
> 'resource certificates' is inclusive of EE certificates or not.
>
> RFC 6487 Section 4.8.8.2 sets expectations that only
> id-ad-signedObject is expected to show up in the SIA of EE
> certificates "Other AccessMethods MUST NOT be used for an EE
> certificates's SIA."
>
> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
> in the SIA of the EE certificate of all signed objects they produce
> (such as ROAs). The RIR indicated they'll work to remove
> id-ad-rpkiNotify from all EE certificates their CA implementation
> produces.

I agree with the correction provided in this report.

-- 
Oleg Muravskiy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
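The rule the errata settles on, id-ad-rpkiNotify belongs only in CA certificates and an EE certificate's SIA carries nothing but id-ad-signedObject (RFC 6487, Section 4.8.8.2), is easy to turn into a lint that a relying party or a CA operator can run over issued certificates to catch the misissuance the report describes. The following is an added example, not code from this thread or from any RPKI implementation. It assumes the `cryptography` package, builds two throwaway self-signed certificates in memory with constructed repository URIs, and uses a P-256 key purely to keep the demo fast (RPKI itself mandates RSA).

```python
"""SIA lint for RPKI certificates (added example, constructed test data).

Encodes the reading of RFC 8182 Section 3.2 argued for in errata 7239:
id-ad-rpkiNotify may appear only in CA certificates, and an EE certificate's
SIA may carry nothing but id-ad-signedObject (RFC 6487, Section 4.8.8.2).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Access-method OIDs from RFC 6487 (caRepository, rpkiManifest, signedObject)
# and RFC 8182 (rpkiNotify).
ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"
ID_AD_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"
ID_AD_SIGNED_OBJECT = "1.3.6.1.5.5.7.48.11"
ID_AD_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.13"


def audit_sia(is_ca: bool, access_methods: list[str]) -> list[str]:
    """Return findings for one certificate's SIA; an empty list means it passes."""
    findings = []
    methods = set(access_methods)
    if is_ca:
        # RFC 6487 4.8.8.1: CA certs must point at their repository and manifest.
        if ID_AD_CA_REPOSITORY not in methods:
            findings.append("CA cert SIA lacks id-ad-caRepository")
        if ID_AD_RPKI_MANIFEST not in methods:
            findings.append("CA cert SIA lacks id-ad-rpkiManifest")
        if ID_AD_SIGNED_OBJECT in methods:
            findings.append("CA cert SIA carries id-ad-signedObject")
    else:
        if ID_AD_SIGNED_OBJECT not in methods:
            findings.append("EE cert SIA lacks id-ad-signedObject")
        # The errata's point: rpkiNotify is CA-only, and RFC 6487 4.8.8.2
        # forbids every other accessMethod in an EE SIA.
        for oid in sorted(methods - {ID_AD_SIGNED_OBJECT}):
            findings.append(f"EE cert SIA carries disallowed accessMethod {oid}")
    return findings


def audit_certificate(cert: x509.Certificate) -> list[str]:
    """Pull BasicConstraints and SIA out of a parsed certificate and audit them."""
    try:
        is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        is_ca = False  # RFC 6487 EE certificates omit BasicConstraints
    try:
        sia = cert.extensions.get_extension_for_class(x509.SubjectInformationAccess).value
    except x509.ExtensionNotFound:
        return ["certificate has no SIA extension"]
    return audit_sia(is_ca, [ad.access_method.dotted_string for ad in sia])


def _build_cert(name: str, is_ca: bool, sia_uris: dict[str, str]) -> x509.Certificate:
    """Self-signed test certificate with the given SIA (constructed data;
    P-256 only to keep the demo fast, RPKI itself requires RSA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject).issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectInformationAccess([
            x509.AccessDescription(x509.ObjectIdentifier(oid),
                                   x509.UniformResourceIdentifier(uri))
            for oid, uri in sia_uris.items()]), critical=False)
    )
    if is_ca:
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return builder.sign(key, hashes.SHA256())


def demo() -> dict[str, list[str]]:
    """A compliant CA cert and an EE cert showing the misissuance from the
    thread (id-ad-rpkiNotify in an EE SIA); returns findings for each."""
    ca = _build_cert("example-ca", True, {
        ID_AD_CA_REPOSITORY: "rsync://rpki.example.invalid/repo/",
        ID_AD_RPKI_MANIFEST: "rsync://rpki.example.invalid/repo/ca.mft",
        ID_AD_RPKI_NOTIFY: "https://rrdp.example.invalid/notification.xml",
    })
    ee = _build_cert("example-roa-ee", False, {
        ID_AD_SIGNED_OBJECT: "rsync://rpki.example.invalid/repo/x.roa",
        ID_AD_RPKI_NOTIFY: "https://rrdp.example.invalid/notification.xml",
    })
    return {"ca": audit_certificate(ca), "ee": audit_certificate(ee)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

`audit_certificate` can be pointed at any `.cer` loaded with `x509.load_der_x509_certificate`; the CA-ness test follows RFC 6487, where EE certificates simply omit BasicConstraints, so a missing extension is treated as EE rather than as an error.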
