On Thu, Jan 07, 2021 at 04:11:47PM +0000, Job Snijders wrote:
> On Fri, Jan 08, 2021 at 03:43:18PM +0100, Claudio Jeker wrote:
> > rpki-client is currently very strict about the ip ranges and as ranges in
> > certificates. If a child certificate has an uncovered range in its list it
> > is considered invalid and is removed from the pool (with it all the ROA
> > entries as well).
> >
> > Now rfc8360 relaxes this a bit and mentions that a ROA for 192.0.2.0/24
> > is valid if that prefix is covered in all certs in the chain.
>
> RFC 8360 makes a lot of sense
Actually, after closer inspection, RFC 8360 only relaxes this for a new form of certs that include new certificate policy, IP address range and AS number range types. So this diff is not correct and I probably need to work on proper RFC 8360 support (even though it seems no CA is using RFC 8360 ids right now).

-- 
:wq Claudio
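To make the two validation rules under discussion concrete, here is an added illustration (not rpki-client code, and not from this thread): the strict rule, where a certificate with any resource not covered by its parent is invalid and everything issued below it drops out of the pool, next to the relaxed rule described above, where a ROA prefix is accepted if it is covered in every certificate of the chain. The chain, certificate names and prefixes are constructed, and the `policy` marker is a simplifying assumption standing in for RFC 8360's alternative certificate policy: the relaxed rule is applied only when every certificate in the chain carries it, which is not the RFC's exact mixing rule.

```python
"""Strict vs. relaxed (RFC 8360 style) coverage checks for a certificate chain.
Illustration with constructed data; not rpki-client's implementation."""
import ipaddress

# A certificate is (name, policy, list of IP resources it claims).
# "alt" stands for the RFC 8360 alternative policy, "classic" for the
# traditional one (assumed marker, not the real policy OID).
# Constructed chain: "ca2" over-claims 198.51.100.0/24, which "ca1" does not hold.
CHAIN_CLASSIC = [
    ("ta",  "classic", ["192.0.2.0/24", "203.0.113.0/24"]),
    ("ca1", "classic", ["192.0.2.0/24"]),
    ("ca2", "classic", ["192.0.2.0/25", "198.51.100.0/24"]),  # 198.51.100.0/24 uncovered
]
# Same resources, but every certificate carries the alternative policy.
CHAIN_ALT = [(name, "alt", res) for name, _policy, res in CHAIN_CLASSIC]


def covered(prefix: str, resources) -> bool:
    """True if prefix lies inside at least one resource of the same IP version."""
    net = ipaddress.ip_network(prefix)
    for r in resources:
        res = ipaddress.ip_network(r)
        if res.version == net.version and net.subnet_of(res):
            return True
    return False


def strict_validate(chain) -> dict:
    """Strict rule: a cert is valid only if its parent is valid and every one
    of its resources is covered by the parent's resources. Returns {name: valid}."""
    result = {}
    parent_resources = None
    parent_valid = True
    for name, _policy, resources in chain:
        if parent_resources is None:
            valid = True  # trust anchor: its resources are taken as given
        else:
            valid = parent_valid and all(covered(r, parent_resources) for r in resources)
        result[name] = valid
        parent_resources, parent_valid = resources, valid
    return result


def roa_valid_strict(chain, prefix: str) -> bool:
    """A ROA is accepted only if its issuing (last) cert survived strict
    validation and covers the prefix; an invalid cert takes its ROAs with it."""
    validity = strict_validate(chain)
    name, _policy, resources = chain[-1]
    return validity[name] and covered(prefix, resources)


def roa_valid_relaxed(chain, prefix: str) -> bool:
    """Relaxed rule from the mail: the ROA prefix must be covered in every
    certificate of the chain; other over-claimed resources do not matter."""
    return all(covered(prefix, resources) for _name, _policy, resources in chain)


def roa_valid(chain, prefix: str) -> bool:
    """Use the relaxed rule only when the whole chain carries the alternative
    policy (simplifying assumption); otherwise fall back to the strict rule."""
    if all(policy == "alt" for _name, policy, _res in chain):
        return roa_valid_relaxed(chain, prefix)
    return roa_valid_strict(chain, prefix)


if __name__ == "__main__":
    print("strict validity:", strict_validate(CHAIN_CLASSIC))
    for chain, label in ((CHAIN_CLASSIC, "classic"), (CHAIN_ALT, "alt")):
        for p in ("192.0.2.0/25", "198.51.100.0/24"):
            print(label, p, "->", roa_valid(chain, p))
```

Under the classic chain the over-claim in `ca2` invalidates that certificate, so even the ROA for 192.0.2.0/25, which every certificate does cover, is rejected; under the alternative-policy chain that ROA is accepted while a ROA for the over-claimed 198.51.100.0/24 is still refused, because the trust anchor and `ca1` do not cover it.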
