In response to Russ:

On Thu, Dec 08, 2022 at 10:20:54AM -0500, Russ Housley wrote:
> RFC 5280 defines the SAI extension, and it says:
>
> This profile defines one access method to be used when the subject is
> a CA and one access method to be used when the subject is an end
> entity. Additional access methods may be defined in the future in
> the protocol specifications for other services.
>
> I think it is pretty clear that new access methods are expected to come
> along over time.

Sure, but that's not what RFC 8182 intended to accomplish in context of RPKI EE certificates. RFC 8182 did not update RFC 6487 section 4.8.8.2. RPKI EE certificates only contain one or more instances of id-ad-signedObject in their SIA extension.

The point of this Errata is to clarify that only CA certificates are expected to (optionally) contain an instance of the rpkiNotify AccessDescription; EE certificates are not expected to contain an instance of rpkiNotify.

Preparing for future extensibility is easier in a tidy house.

Kind regards,

Job

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr