Alberto Leiva wrote:
> Hello.
>
> I have a question:
>
> RFC 6488 section 3.1.l (https://tools.ietf.org/html/rfc6488#section-3)
> wants relying parties (RPs) to validate that all RPKI signed objects
> are DER-encoded, which (I think) means that they must be BER-encoded
> with minimal and unique representations.
>
> But I have found at least one other requirement that seems to
> contradict this: RFC 6482 section 3.3, fourth paragraph, second half,
> claims that a ROA (which is a signed object) is allowed to contain
> redundant ROAIPAddress elements.
DER is only concerned with encoding, not with the content. Mostly, it forbids indefinite length constructed values and enforces string types to be primitively encoded. Unlike X.680, X.690 is actually quite readable. All of them are now available for free from the ITU.

That all said, be warned that at least two RIRs currently produce RPKI signed objects that are not validly DER encoded, but rather seem to be using CER. So in practice, you will need to be able to parse the more generic BER at least at this time or lose a significant part of the RPKI repository.

For Routinator, we decided to have a relaxed validation mode and documented all it does[0]. Currently, by default we run in relaxed mode and have a command line option for strict mode.

Not sure if the working group needs to address this issue or how.

Kind regards,
Martin

[0] https://github.com/NLnetLabs/rpki-rs/blob/master/doc/relaxed-validation.md

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
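The distinction Martin draws (DER forbids indefinite-length constructed values and constructed string types, while BER and CER allow them) is easy to see in a small TLV walker. The following is an added example, not code from the sidr thread or from Routinator/rpki-rs: it walks a BER blob, records every DER violation it meets, and exposes a strict/relaxed switch in the spirit of the relaxed-validation mode described above. The byte strings are constructed here for illustration (a SEQUENCE holding one OCTET STRING, encoded once as DER, once CER-style, once with a non-minimal length), not taken from any real RPKI object; function names are this example's own.

```python
"""Strict (DER) versus relaxed (BER) acceptance of an ASN.1 blob.

DER (X.690 clause 10) narrows BER: definite-form lengths only, each
length in its shortest encoding, and string types encoded primitively.
CER goes the other way for constructed values (indefinite length, long
strings chunked into constructed OCTET STRINGs), which is why a CER
object parses fine as BER yet fails a strict DER check.
"""

INDEFINITE = None  # marker returned by read_length for the 0x80 length octet

# Universal tag numbers DER requires to be primitive (BIT STRING, OCTET STRING,
# and the character string types).
STRING_TAGS = {3, 4, 12, 18, 19, 20, 22, 26, 27, 28, 30}


def read_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, new_pos, violations)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos, []            # short form, always minimal
    if first == 0x80:
        return INDEFINITE, pos, []       # indefinite form (BER/CER only)
    n = first & 0x7F
    if pos + n > len(buf):
        raise ValueError("truncated length field")
    raw = buf[pos:pos + n]
    value = int.from_bytes(raw, "big")
    pos += n
    violations = []
    # DER: long form only when the value does not fit the short form, and
    # no leading zero octets in the length.
    if value < 0x80 or raw[0] == 0:
        violations.append("non-minimal length encoding")
    return value, pos, violations


def walk(buf, pos, end, violations):
    """Walk TLVs in buf[pos:end]; end=None means 'until end-of-contents'."""
    limit = len(buf) if end is None else end
    while pos < limit:
        if end is None and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2               # end-of-contents of an indefinite value
        tag = buf[pos]
        universal = (tag & 0xC0) == 0
        constructed = bool(tag & 0x20)
        number = tag & 0x1F
        pos += 1
        if number == 0x1F:               # high-tag-number form: skip continuation
            while buf[pos] & 0x80:
                pos += 1
            pos += 1
            number = -1                  # never a universal string tag
        length, pos, lv = read_length(buf, pos)
        violations.extend(lv)
        if universal and constructed and number in STRING_TAGS:
            violations.append(f"constructed string type (tag {number})")
        if length is INDEFINITE:
            if not constructed:
                raise ValueError("indefinite length on a primitive value")
            violations.append("indefinite-length constructed value")
            pos = walk(buf, pos, None, violations)
        else:
            if pos + length > len(buf):
                raise ValueError("value runs past end of buffer")
            if constructed:
                walk(buf, pos, pos + length, violations)
            pos += length
    if end is None:
        raise ValueError("missing end-of-contents octets")
    return pos


def der_violations(buf):
    """Return the list of DER rules the (well-formed BER) blob breaks."""
    found = []
    walk(bytes(buf), 0, len(buf), found)
    return found


def accept(buf, strict):
    """Strict mode: must be valid DER. Relaxed mode: any well-formed BER."""
    try:
        return not der_violations(buf) if strict else der_violations(buf) is not None
    except ValueError:
        return False                     # malformed in any mode


# Constructed samples: SEQUENCE { OCTET STRING "abc" } in three encodings.
DER_BLOB = bytes.fromhex("3005 0403 616263")
CER_BLOB = bytes.fromhex("3080 2480 0403 616263 0000 0000")
LONG_LEN_BLOB = bytes.fromhex("308105 0403 616263")

if __name__ == "__main__":
    for name, blob in [("DER", DER_BLOB), ("CER", CER_BLOB), ("long-len", LONG_LEN_BLOB)]:
        print(name, "strict:", accept(blob, True), "relaxed:", accept(blob, False),
              der_violations(blob))
```

Running it shows the CER-style blob rejected in strict mode for three reasons (outer indefinite length, constructed OCTET STRING, inner indefinite length) but accepted in relaxed mode, which is the trade-off between losing part of the repository and enforcing RFC 6488 to the letter.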