RFC 5280 defines the SIA extension, and it says:

   This profile defines one access method to be used when the subject is a CA and one access method to be used when the subject is an end entity. Additional access methods may be defined in the future in the protocol specifications for other services.

I think it is pretty clear that new access methods are expected to come along over time.

Russ

> On Dec 7, 2022, at 12:22 AM, Tom Harrison <[email protected]> wrote:
>
> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>> The following errata report has been submitted for RFC8182,
>> "The RPKI Repository Delta Protocol (RRDP)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7239
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Job Snijders <[email protected]>
>>
>> Section: 3.2
>>
>> Original Text
>> -------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>>
>> Corrected Text
>> --------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in CA resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>>
>> Notes
>> -----
>> Between draft-ietf-sidr-delta-protocol-04 and
>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>> because it was considered redundant). But, unfortunately that
>> snippet helped establish important context as to what types of
>> certificates are expected to contain the id-ad-rpkiNotify
>> accessMethod inside the Subject Information Access extension. The
>> text that was removed:
>>
>> """
>> Relying Parties that do not support this delta protocol MUST MUST NOT
>> reject a CA certificate merely because it has an SIA extension
>> containing this new kind of AccessDescription.
>> """
>>
>> From the removed text it is clear that id-ad-rpkiNotify was only
>> expected to show up on CA certificates. However, without the above
>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>> 'resource certificates' is inclusive of EE certificates or not.
>>
>> RFC 6487 Section 4.8.8.2 sets expectations that only
>> id-ad-signedObject is expected to show up in the SIA of EE
>> certificates "Other AccessMethods MUST NOT be used for an EE
>> certificates's SIA."
>>
>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>> in the SIA of the EE certificate of all signed objects they produce
>> (such as ROAs). The RIR indicated they'll work to remove
>> id-ad-rpkiNotify from all EE certificates their CA implementation
>> produces.
>
> I agree with this report. (APNIC is the RIR referred to in this
> paragraph, and we also found the text to be unclear when we were
> implementing this specification.)
>
> -Tom
>
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
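As an added example that is not part of this thread or of any RIR's implementation, the relying-party side of the check the errata is about: decode an SIA extension value and report access methods that RFC 6487 and RFC 8182 do not allow for the certificate type (EE certificates may carry only id-ad-signedObject; id-ad-rpkiNotify belongs on CA certificates). The id-ad OID arcs are the registered ones; the sample SIA values, repository names and URIs are constructed.

```python
# Added example, not from the thread: decode a certificate's Subject Information Access
# (SIA) extension value and flag access methods that RFC 6487 / RFC 8182 do not allow for
# that certificate type. The SIA values at the bottom are constructed; URIs are placeholders.
ID_AD = bytes.fromhex("2b060105050730")      # DER contents of OID 1.3.6.1.5.5.7.48 (id-ad)
ACCESS_METHODS = {ID_AD + b"\x05": "id-ad-caRepository", ID_AD + b"\x0a": "id-ad-rpkiManifest",
                  ID_AD + b"\x0b": "id-ad-signedObject", ID_AD + b"\x0d": "id-ad-rpkiNotify"}
CA_ALLOWED = {"id-ad-caRepository", "id-ad-rpkiManifest", "id-ad-rpkiNotify"}
EE_ALLOWED = {"id-ad-signedObject"}          # RFC 6487 4.8.8.2: nothing else in an EE SIA

def _tlv(buf, pos):
    """Read one DER TLV (definite length); return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sia(extn_value):
    """SubjectInfoAccessSyntax -> [(access method name or OID hex, URI or None)]."""
    tag, body, _ = _tlv(extn_value, 0)
    if tag != 0x30:
        raise ValueError("SIA must be a SEQUENCE OF AccessDescription")
    out, pos = [], 0
    while pos < len(body):
        _, desc, pos = _tlv(body, pos)       # one AccessDescription
        _, oid, p = _tlv(desc, 0)            # accessMethod OBJECT IDENTIFIER
        loc_tag, loc, _ = _tlv(desc, p)      # accessLocation GeneralName; [6] = URI
        uri = loc.decode("ascii") if loc_tag == 0x86 else None
        out.append((ACCESS_METHODS.get(oid, oid.hex()), uri))
    return out

def sia_violations(extn_value, is_ca):
    """Access methods present in the SIA that the profile forbids for this certificate type."""
    allowed = CA_ALLOWED if is_ca else EE_ALLOWED
    return sorted({m for m, _ in parse_sia(extn_value) if m not in allowed})

def _der(tag, contents):                     # minimal encoder, used only to build the samples
    n = len(contents)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + contents

def _access(arc, uri):                       # AccessDescription { id-ad.<arc>, URI }
    return _der(0x30, _der(0x06, ID_AD + bytes([arc])) + _der(0x86, uri.encode("ascii")))

CA_SIA = _der(0x30, _access(5, "rsync://rpki.example.net/repo/")
              + _access(10, "rsync://rpki.example.net/repo/ca.mft")
              + _access(13, "https://rrdp.example.net/notification.xml"))
# The case the errata describes: id-ad-rpkiNotify placed in an EE (signed object) certificate.
BAD_EE_SIA = _der(0x30, _access(11, "rsync://rpki.example.net/repo/obj.roa")
                  + _access(13, "https://rrdp.example.net/notification.xml"))
```

The CA sample is long enough to exercise the long-form DER length; the EE sample reproduces the misplacement the report describes, so `sia_violations(BAD_EE_SIA, is_ca=False)` names id-ad-rpkiNotify.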
