Dear Amanda, I don't think that is necessary.

Kind regards,

Job

On Thu, Feb 09, 2023 at 03:56:13AM +0000, Amanda Baber via RT wrote:
> Hi,
>
> Does this errata report need to be listed as an additional reference for the
> id-ad-rpkiNotify registration? See
>
> https://www.iana.org/assignments/smi-numbers
>
> thanks,
>
> Amanda Baber
> IANA Operations Manager
>
> On Wed Feb 08 17:32:05 2023, [email protected] wrote:
> > The following errata report has been verified for RFC8182,
> > "The RPKI Repository Delta Protocol (RRDP)".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid7239
> >
> > --------------------------------------
> > Status: Verified
> > Type: Technical
> >
> > Reported by: Job Snijders <[email protected]>
> > Date Reported: 2022-11-04
> > Verified by: John Scudder (IESG)
> >
> > Section: 3.2
> >
> > Original Text
> > -------------
> > Certificate Authorities that use RRDP MUST include an instance of an
> > SIA AccessDescription extension in resource certificates they
> > produce, in addition to the ones defined in [RFC6487]:
> >
> > Corrected Text
> > --------------
> > Certificate Authorities that use RRDP MUST include an instance of an
> > SIA AccessDescription extension in CA resource certificates they
> > produce, in addition to the ones defined in [RFC6487]:
> >
> > Notes
> > -----
> > Between draft-ietf-sidr-delta-protocol-04 and
> > draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
> > because it was considered redundant). But, unfortunately that snippet
> > helped establish important context as to what types of certificates are
> > expected to contain the id-ad-rpkiNotify accessMethod inside the
> > Subject Information Access extension. The text that was removed:
> >
> > """
> > Relying Parties that do not support this delta protocol MUST NOT
> > reject a CA certificate merely because it has an SIA extension
> > containing this new kind of AccessDescription.
> > """
> >
> > From the removed text it is clear that id-ad-rpkiNotify was only
> > expected to show up on CA certificates. However, without the above
> > text, Section 3.2 of RFC 8182 is somewhat ambiguous whether 'resource
> > certificates' is inclusive of EE certificates or not.
> >
> > RFC 6487 Section 4.8.8.2 sets expectations that only
> > id-ad-signedObject is expected to show up in the SIA of EE certificates
> > "Other AccessMethods MUST NOT be used for an EE certificates's SIA."
> >
> > The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify in
> > the SIA of the EE certificate of all signed objects they produce (such
> > as ROAs). The RIR indicated they'll work to remove id-ad-rpkiNotify
> > from all EE certificates their CA implementation produces.
> >
> > It should be noted that the presence of id-ad-rpkiNotify in EE
> > certificates is superfluous; Relying Parties can't use the rpkiNotify
> > accessMethod in EE certificates for any purpose in the validation
> > decision tree.
> >
> > (Verifying this Errata does not block a future transition from rsync
> > to https; as RFC6487 Section 4.8.8.2 leaves room for additional
> > instances of id-ad-signedObject with non-rsync URIs)
> >
> > --------------------------------------
> > RFC8182 (draft-ietf-sidr-delta-protocol-08)
> > --------------------------------------
> > Title : The RPKI Repository Delta Protocol (RRDP)
> > Publication Date : July 2017
> > Author(s) : T. Bruijnzeels, O. Muravskiy, B. Weber, R. Austein
> > Category : PROPOSED STANDARD
> > Source : Secure Inter-Domain Routing
> > Area : Routing
> > Stream : IETF
> > Verifying Party : IESG
>
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
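
The EE-certificate rule cited in the erratum above (only id-ad-signedObject in an EE certificate's SIA), as an added example that is not part of the original thread or of any relying-party implementation: a small DER walk over a Subject Information Access extension value that lists the entries an EE certificate should not carry. The function names, the sample builder and the example.net URIs are assumptions made for illustration; the OIDs are the PKIX id-ad arc values.

```python
"""Flag SIA accessMethods that RFC 6487 section 4.8.8.2 forbids on EE certificates."""

ID_AD = bytes.fromhex("2b060105050730")  # DER content bytes of 1.3.6.1.5.5.7.48 (id-ad)
NAMES = {ID_AD + b"\x05": "id-ad-caRepository", ID_AD + b"\x0a": "id-ad-rpkiManifest",
         ID_AD + b"\x0b": "id-ad-signedObject", ID_AD + b"\x0d": "id-ad-rpkiNotify"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def sia_entries(sia_der):
    """Decode SubjectInfoAccessSyntax into a list of (accessMethod, URI) pairs."""
    tag, seq, _ = read_tlv(sia_der, 0)
    if tag != 0x30:
        raise ValueError("SIA value is not a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)        # one AccessDescription
        oid_tag, oid, nxt = read_tlv(desc, 0)    # accessMethod OID
        loc_tag, loc, _ = read_tlv(desc, nxt)    # accessLocation GeneralName
        if oid_tag != 0x06:
            raise ValueError("accessMethod is not an OID")
        uri = loc.decode("ascii") if loc_tag == 0x86 else None  # [6] = URI
        entries.append((NAMES.get(oid, oid.hex()), uri))
    return entries

def ee_sia_violations(sia_der):
    """Entries an EE certificate must not carry: anything but id-ad-signedObject."""
    return [e for e in sia_entries(sia_der) if e[0] != "id-ad-signedObject"]

def tlv(tag, body):     # encoder for the constructed samples; short-form lengths only
    return bytes([tag, len(body)]) + body

def build_sia(*pairs):  # pairs of (OID content bytes, URI)
    return tlv(0x30, b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x86, u.encode())) for o, u in pairs))

# Constructed samples (made-up URIs): a clean EE SIA, and one shaped like the erratum's case.
SIGNED = (ID_AD + b"\x0b", "rsync://rpki.example.net/repo/AS64496.roa")
NOTIFY = (ID_AD + b"\x0d", "https://rrdp.example.net/notification.xml")
GOOD_EE, BAD_EE = build_sia(SIGNED), build_sia(SIGNED, NOTIFY)
```

The input is the extension value only; extracting it from a certificate and deciding whether that certificate is a CA or EE certificate is left to the caller.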
