I agree that the proposed errata would be a good clarification.

Thanks,
Bryan
> On Dec 7, 2022, at 12:22 AM, Tom Harrison <t...@apnic.net> wrote:
>
> On Fri, Nov 04, 2022 at 04:38:12AM -0700, RFC Errata System wrote:
>> The following errata report has been submitted for RFC8182,
>> "The RPKI Repository Delta Protocol (RRDP)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7239
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Job Snijders <j...@fastly.com>
>>
>> Section: 3.2
>>
>> Original Text
>> -------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>>
>> Corrected Text
>> --------------
>> Certificate Authorities that use RRDP MUST include an instance of an
>> SIA AccessDescription extension in CA resource certificates they
>> produce, in addition to the ones defined in [RFC6487]:
>>
>> Notes
>> -----
>> Between draft-ietf-sidr-delta-protocol-04 and
>> draft-ietf-sidr-delta-protocol-05 a bit of text was removed (perhaps
>> because it was considered redundant). But, unfortunately that
>> snippet helped establish important context as to what types of
>> certificates are expected to contain the id-ad-rpkiNotify
>> accessMethod inside the Subject Information Access extension. The
>> text that was removed:
>>
>> """
>> Relying Parties that do not support this delta protocol MUST MUST NOT
>> reject a CA certificate merely because it has an SIA extension
>> containing this new kind of AccessDescription.
>> """
>>
>> From the removed text it is clear that id-ad-rpkiNotify was only
>> expected to show up on CA certificates. However, without the above
>> text, Section 3.2 of RFC 8182 is somewhat ambiguous whether
>> 'resource certificates' is inclusive of EE certificates or not.
>>
>> RFC 6487 Section 4.8.8.2 sets expectations that only
>> id-ad-signedObject is expected to show up in the SIA of EE
>> certificates "Other AccessMethods MUST NOT be used for an EE
>> certificates's SIA."
>>
>> The ambiguity in RFC8182 led to one RIR including id-ad-rpkiNotify
>> in the SIA of the EE certificate of all signed objects they produce
>> (such as ROAs). The RIR indicated they'll work to remove
>> id-ad-rpkiNotify from all EE certificates their CA implementation
>> produces.
>
> I agree with this report. (APNIC is the RIR referred to in this
> paragraph, and we also found the text to be unclear when we were
> implementing this specification.)
>
> -Tom
_______________________________________________ sidr mailing list sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr
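The following is an added example, not code from the thread, the RFC Errata System or any RIR's CA implementation. It encodes the check the erratum makes explicit: a relying party or CA operator inspecting a certificate's Subject Information Access (SIA) extension should expect id-ad-rpkiNotify only on CA certificates, while an EE certificate's SIA carries only id-ad-signedObject (RFC 6487 section 4.8.8.2). The DER encoder and decoder are a minimal hand-rolled pair written for this example, the OIDs are the registered id-ad-* values from RFC 6487 and RFC 8182, and the rsync/https URIs are constructed placeholders. The "EE bad" sample reproduces the shape the thread describes: a signed object's EE certificate that also carries id-ad-rpkiNotify.

```python
# Added example (not from the thread): check an RPKI certificate's SIA
# accessMethods against RFC 6487 section 4.8.8 and RFC 8182 section 3.2 as
# clarified by erratum 7239.  Hand-rolled minimal DER; placeholder URIs.

ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"   # RFC 6487
ID_AD_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"  # RFC 6487
ID_AD_SIGNED_OBJECT = "1.3.6.1.5.5.7.48.11"  # RFC 6487
ID_AD_RPKI_NOTIFY = "1.3.6.1.5.5.7.48.13"    # RFC 8182

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])  # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_sia(descriptions):
    """DER-encode SubjectInfoAccessSyntax: SEQUENCE OF AccessDescription."""
    body = b"".join(_tlv(TAG_SEQUENCE, encode_oid(m) + _tlv(TAG_URI, u.encode("ascii")))
                    for m, u in descriptions)
    return _tlv(TAG_SEQUENCE, body)


def decode_sia(der: bytes):
    """Parse SubjectInfoAccessSyntax into [(accessMethod, accessLocation)]."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == TAG_SEQUENCE
    result, pos = [], 0
    while pos < len(body):
        tag, desc, pos = _read_tlv(body, pos)
        assert tag == TAG_SEQUENCE
        otag, oid_content, p = _read_tlv(desc, 0)
        ltag, location, _ = _read_tlv(desc, p)
        assert otag == TAG_OID and ltag == TAG_URI
        result.append((decode_oid(oid_content), location.decode("ascii")))
    return result


def check_sia(der: bytes, is_ca: bool):
    """Return a list of problems; empty means the SIA is as the RFCs expect."""
    methods = [m for m, _ in decode_sia(der)]
    problems = []
    if is_ca:
        # RFC 6487 4.8.8.1: CA certs carry caRepository and rpkiManifest;
        # RFC 8182 3.2 (per erratum 7239) adds rpkiNotify for CA certs only.
        for required in (ID_AD_CA_REPOSITORY, ID_AD_RPKI_MANIFEST):
            if required not in methods:
                problems.append(f"CA certificate SIA lacks {required}")
        for m in methods:
            if m not in (ID_AD_CA_REPOSITORY, ID_AD_RPKI_MANIFEST, ID_AD_RPKI_NOTIFY):
                problems.append(f"CA certificate SIA has unexpected accessMethod {m}")
    else:
        # RFC 6487 4.8.8.2: EE SIA carries id-ad-signedObject; other
        # AccessMethods MUST NOT be used.
        if ID_AD_SIGNED_OBJECT not in methods:
            problems.append("EE certificate SIA lacks id-ad-signedObject")
        for m in methods:
            if m != ID_AD_SIGNED_OBJECT:
                problems.append(f"EE certificate SIA MUST NOT carry accessMethod {m}")
    return problems


# Constructed sample SIAs with placeholder URIs.
CA_SIA = encode_sia([
    (ID_AD_CA_REPOSITORY, "rsync://rpki.example.net/repo/"),
    (ID_AD_RPKI_MANIFEST, "rsync://rpki.example.net/repo/ca.mft"),
    (ID_AD_RPKI_NOTIFY, "https://rrdp.example.net/notification.xml"),
])
EE_SIA_OK = encode_sia([(ID_AD_SIGNED_OBJECT, "rsync://rpki.example.net/repo/roa.roa")])
EE_SIA_BAD = encode_sia([  # the shape described in the thread
    (ID_AD_SIGNED_OBJECT, "rsync://rpki.example.net/repo/roa.roa"),
    (ID_AD_RPKI_NOTIFY, "https://rrdp.example.net/notification.xml"),
])

if __name__ == "__main__":
    for name, der, ca in (("CA", CA_SIA, True), ("EE ok", EE_SIA_OK, False), ("EE bad", EE_SIA_BAD, False)):
        print(name, check_sia(der, ca) or "ok")
```

Run as a script, the CA and well-formed EE samples report "ok" and the EE sample carrying id-ad-rpkiNotify is flagged. In a real validator the `is_ca` flag comes from the certificate's Basic Constraints extension and the SIA bytes from the extension value, so the same `check_sia` call can sit alongside the other RFC 6487 profile checks.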