randy/draft-9092update
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

-09 published

Browse source
This commit is contained in:
Randy Bush 2024-01-20 10:41:30 -08:00
parent a6a0395e92
commit 3923d26be6
1 changed files with 18 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

35
draft-ietf-opsawg-9092-update.xml
View file

@ -8,7 +8,7 @@
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-opsawg-9092-update-08"
<rfc category="std" docName="draft-ietf-opsawg-9092-update-09"
submissionType="IETF" consensus="true" ipr="trust200902"
obsoletes="9092" version="2" >
@ -547,32 +547,33 @@
</li>
<li>
Validation of the signer's certificate MUST ensure that it is
Validating the signer's certificate MUST ensure that it is
part of the current <xref target="RFC9286"/> manifest and that
all resources are covered by the RPKI certificate.
</li>
<li>
Construct the certification path for the signer's certificate.
All of the needed certificates are expected to be readily
available in the RPKI repository. The certification path MUST
be valid according to the validation algorithm in <xref
target="RFC5280"/> and the additional checks specified in
<xref target="RFC3779"/> associated with the IP Address
Delegation certificate extension and the Autonomous System
Identifier Delegation certificate extension. If certification
path validation is unsuccessful, then validation MUST fail.
Constructing the certification path for the signer's
certificate. All of the needed certificates are expected to
be readily available in the RPKI repository. The
certification path MUST be valid according to the validation
algorithm in <xref target="RFC5280"/> and the additional
checks specified in <xref target="RFC3779"/> associated with
the IP Address Delegation certificate extension and the
Autonomous System Identifier Delegation certificate extension.
If certification path validation is unsuccessful, then
validation MUST fail.
</li>
<li>
Validate the CMS SignedData as specified in <xref
Validating the CMS SignedData as specified in <xref
target="RFC5652"/> using the public key from the validated
signer's certificate. If the signature validation is
unsuccessful, then validation MUST fail.
</li>
<li>
Confirm that the eContentType object identifier (OID) is
Confirming that the eContentType object identifier (OID) is
id-ct-geofeedCSVwithCRLF (1.2.840.113549.1.9.16.1.47). This
OID MUST appear within both the eContentType in the
encapContentInfo object and the ContentType signed attribute
@ -580,10 +581,10 @@
</li>
<li>
Verify that the IP Address Delegation certificate extension
<xref target="RFC3779"/> covers all of the address ranges of
the geofeed file. If all of the address ranges are not
covered, then validation MUST fail.
Verifying that the IP Address Delegation certificate
extension <xref target="RFC3779"/> covers all of the address
ranges of the geofeed file. If all of the address ranges are
not covered, then validation MUST fail.
</li>
</ol>