On Wed, Aug 10, 2022 at 06:16:30PM +0200, Theo Buehler wrote:
> On Wed, Aug 10, 2022 at 03:10:19PM +0000, Job Snijders wrote:
> > An errata exists for RFC 6482, which informs us: """The EE certificate
> > MUST NOT use "inherit" elements as described in [RFC3779].""" Read the
> > full report here: https://www.rfc-editor.org/errata/eid3166
> > 
> > Although it might seem a bit 'wasteful' to d2i the IP Resources
> > extension in multiple places, noodling through parameters when to check
> > for inheritance and when not to check didn't improve code readability.
> > I'm open to suggestions how to perform this check differently.
> 
> As I understand it, what really is missing isn't a check for inheritance
> per se, but rather a check whether the prefixes in the ROA are covered
> by the EE cert's IP address delegation extension (the bullet point in
> RFC 6482, section 4). If we had such a check, that would be the natural
> place for adding an inheritance check for the EE cert.
> 
> Below is my "overclaim" diff from a few weeks back that prepended the EE
> cert to the auth chain for ROAs and RSCs so that we check their
> resources against the EE cert instead of our currently incorrect checks
> that permitted overclaiming. The diff was ok job and claudio told me
> that it looked ok - I will need to think it through in detail once more,
> however.

Thank you.

> I believe that with something like this diff, your desired inheritance
> check should be added to valid_roa() above the for() loop.
> 
> Does that make sense?

Yes it does.

Kind regards,

Job
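
The check discussed in this thread, as an added example in C that is not part of the original messages and is not rpki-client code: an EE certificate using "inherit" is rejected first, then every ROA prefix must be covered by an explicit prefix in the EE certificate. The type and function names are hypothetical, and the example assumes the EE resources are listed as prefixes only (no RFC 3779 address ranges).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types for this example; not rpki-client's structures. */
enum afi { AFI_IPV4 = 1, AFI_IPV6 = 2 };
struct prefix {
	enum afi	afi;
	uint8_t		addr[16];	/* network byte order, unused bytes zero */
	uint8_t		len;		/* prefix length in bits */
};
struct ee_resources {
	int			 inherit;	/* 1 if any RFC 3779 "inherit" element is present */
	const struct prefix	*pfx;		/* explicit prefixes in the EE cert */
	size_t			 npfx;
};

/* Return 1 if "outer" covers "inner": same AFI, not longer, equal leading bits. */
static int prefix_covers(const struct prefix *outer, const struct prefix *inner)
{
	size_t	bytes = outer->len / 8;
	uint8_t	mask;

	if (outer->afi != inner->afi || outer->len > inner->len || inner->len > 128)
		return 0;
	if (memcmp(outer->addr, inner->addr, bytes) != 0)
		return 0;
	if (outer->len % 8 == 0)
		return 1;
	/* compare only the leading bits of the last, partial byte */
	mask = (uint8_t)(0xff << (8 - outer->len % 8));
	return (outer->addr[bytes] & mask) == (inner->addr[bytes] & mask);
}

/* Return 1 only if the EE cert has no inherit and covers every ROA prefix. */
int roa_covered_by_ee(const struct ee_resources *ee, const struct prefix *roa, size_t nroa)
{
	size_t	i, j;

	if (ee->inherit)	/* RFC 6482 erratum 3166: no "inherit" on the EE cert */
		return 0;
	for (i = 0; i < nroa; i++) {
		for (j = 0; j < ee->npfx; j++)
			if (prefix_covers(&ee->pfx[j], &roa[i]))
				break;
		if (j == ee->npfx)	/* no EE prefix covers this ROA prefix: overclaim */
			return 0;
	}
	return 1;
}
```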
