CVSROOT: /cvs
Module name: src
Changes by: j...@cvs.openbsd.org 2023/10/13 06:06:49
Modified files:
usr.sbin/rpki-client: Makefile as.c aspa.c cert.c extern.h
filemode.c gbr.c geofeed.c ip.c main.c
mft.c parser.c roa.c rpki-client.8 rsc.c
tak.c
Added files:
usr.sbin/rpki-client: constraints.c rfc3779.c
Log message:
Allow imposing constraints on RPKI trust anchors
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
