Tim,
Thanks for providing the description of the processing you employ in
your RP software.
...
> Okay, let me elaborate a bit on how we do this.
> We don't use openssl for this. We have our own implementation and the way we do
> this is fully top-down. We don't pass the content of the ROA we are interested
> in around at all. We just keep track of the resources we *accept* at each stage
> in the top-down validation. We then insist (as you know) that the ROA EE
> certificate has the resources (we accepted) for all the prefixes mentioned on
> it, and if not we reject it.
In the 3779 spec, it is not necessary to maintain a list of valid INRs at each
tier, so long as one caches only valid certs. It suffices to compare the INRs in
a subordinate cert against those in the parent.
> Resource certificates can already have the inherit flag in RFC3779. In such
> cases we already implicitly copy the parent resources, rather than reading them
> from the certificate itself. So we are already keeping a set of validated
> resources for each step in the chain in the context of a top-down validation.
Yes, the inherit flag does require creating a list of INRs for a cert
that contains such a flag.
> The change is that rather than rejecting an over-claiming cert and everything
> below, we will only accept the intersection of resources mentioned on an
> otherwise valid child certificate and its parent certificate. And this is
> applied recursively down the chain. In other words: we don't necessarily
> believe what the certificate says, but we always evaluate this in the context
> of a top-down walk.
> The main idea here is that these certificates do nothing more than tying a set
> of validated resources to validated keys. Whether over-claiming actually is a
> problem is only relevant when we look at other statements about these
> resources, such as ROAs, router certificates etc. If they refer to a resource
> that was over-claimed, they are rejected.
From an operational perspective I agree that over-claiming is a problem when an
EE cert for a ROA (or a Manifest, or a GB record, etc.) includes the INRs in
question. But, a CA that issues a cert containing resources that have not been
allocated to it by its parent is violating the CP. That bothers me, as it
undermines a fundamental tenet of the RPKI.
Steve
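As an added illustration (not Tim's or Steve's code, and not taken from any RP implementation), a small Python model of the top-down walk Tim describes: the set accepted at each tier is the intersection of what the child claims (or inherits) with what was accepted for its parent, and a ROA is rejected when its EE certificate's prefixes fall outside that accepted set. The certificate tree, the `INHERIT` marker and the ROA names are constructed for the example; the `reconsidered=False` switch shows the reject-the-whole-subtree behaviour Steve refers to, for comparison.

```python
import ipaddress
from dataclasses import dataclass, field
INHERIT = "inherit"  # stands in for the RFC 3779 inherit flag (encoding is hypothetical)

@dataclass
class Cert:
    name: str
    claimed: object                      # list of IPv4 prefix strings, or INHERIT
    children: list = field(default_factory=list)
    roas: list = field(default_factory=list)  # (roa_name, [prefixes]) per ROA EE cert
def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def intersect(a, b):
    # CIDR prefixes are either nested or disjoint, so the intersection of two
    # sets is the more specific member of each nested pair (deduplicated).
    out = [x if x.subnet_of(y) else y for x in a for y in b
           if x.subnet_of(y) or y.subnet_of(x)]
    return list(dict.fromkeys(out))

def covered(prefixes, accepted):
    return all(any(p.subnet_of(q) for q in accepted) for p in prefixes)

def reject_subtree(cert, report):
    for roa_name, _ in cert.roas:
        report[roa_name] = False
    for child in cert.children:
        reject_subtree(child, report)

def walk(cert, parent_accepted, reconsidered, report):
    claimed = parent_accepted if cert.claimed == INHERIT else nets(cert.claimed)
    if not reconsidered and not covered(claimed, parent_accepted):
        reject_subtree(cert, report)     # RFC 3779 rule: over-claim drops the subtree
        return report
    accepted = intersect(claimed, parent_accepted)   # resources accepted at this tier
    for roa_name, prefixes in cert.roas:             # ROA EE must hold every prefix
        report[roa_name] = covered(nets(prefixes), accepted)
    for child in cert.children:
        walk(child, accepted, reconsidered, report)
    return report

def validate(ta, reconsidered=True):
    # Top-down walk from trust anchor ta; returns {roa_name: accepted?}
    return walk(ta, nets(ta.claimed), reconsidered, {})
# Constructed sample tree: CA over-claims 198.51.100.0/24, which its parent never held.
TA = Cert("TA", ["10.0.0.0/8", "192.0.2.0/24"], children=[
    Cert("CA", ["10.1.0.0/16", "198.51.100.0/24"],
         roas=[("roa-ok", ["10.1.0.0/20"]), ("roa-overclaim", ["198.51.100.0/24"])],
         children=[Cert("SubCA", INHERIT, roas=[("roa-inherit", ["10.1.2.0/24"])])])])
```

With `reconsidered=True` only the ROA that names the over-claimed prefix is rejected; with `reconsidered=False` every ROA under the over-claiming CA is dropped.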
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr