-09 published

This commit is contained in:
Randy Bush 2024-01-20 10:41:30 -08:00
parent a6a0395e92
commit 3923d26be6


@ -8,7 +8,7 @@
<?rfc compact="yes"?> <?rfc compact="yes"?>
<?rfc subcompact="no"?> <?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-opsawg-9092-update-08" <rfc category="std" docName="draft-ietf-opsawg-9092-update-09"
submissionType="IETF" consensus="true" ipr="trust200902" submissionType="IETF" consensus="true" ipr="trust200902"
obsoletes="9092" version="2" > obsoletes="9092" version="2" >
@ -547,32 +547,33 @@
</li> </li>
<li> <li>
Validation of the signer's certificate MUST ensure that it is Validating the signer's certificate MUST ensure that it is
part of the current <xref target="RFC9286"/> manifest and that part of the current <xref target="RFC9286"/> manifest and that
all resources are covered by the RPKI certificate. all resources are covered by the RPKI certificate.
</li> </li>
<li> <li>
Construct the certification path for the signer's certificate. Constructing the certification path for the signer's
All of the needed certificates are expected to be readily certificate. All of the needed certificates are expected to
available in the RPKI repository. The certification path MUST be readily available in the RPKI repository. The
be valid according to the validation algorithm in <xref certification path MUST be valid according to the validation
target="RFC5280"/> and the additional checks specified in algorithm in <xref target="RFC5280"/> and the additional
<xref target="RFC3779"/> associated with the IP Address checks specified in <xref target="RFC3779"/> associated with
Delegation certificate extension and the Autonomous System the IP Address Delegation certificate extension and the
Identifier Delegation certificate extension. If certification Autonomous System Identifier Delegation certificate extension.
path validation is unsuccessful, then validation MUST fail. If certification path validation is unsuccessful, then
validation MUST fail.
</li> </li>
<li> <li>
Validate the CMS SignedData as specified in <xref Validating the CMS SignedData as specified in <xref
target="RFC5652"/> using the public key from the validated target="RFC5652"/> using the public key from the validated
signer's certificate. If the signature validation is signer's certificate. If the signature validation is
unsuccessful, then validation MUST fail. unsuccessful, then validation MUST fail.
</li> </li>
<li> <li>
Confirm that the eContentType object identifier (OID) is Confirming that the eContentType object identifier (OID) is
id-ct-geofeedCSVwithCRLF (1.2.840.113549.1.9.16.1.47). This id-ct-geofeedCSVwithCRLF (1.2.840.113549.1.9.16.1.47). This
OID MUST appear within both the eContentType in the OID MUST appear within both the eContentType in the
encapContentInfo object and the ContentType signed attribute encapContentInfo object and the ContentType signed attribute
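Review bot: the change from imperative to gerund form leaves several steps without a main verb, e.g. "Constructing the certification path for the signer's certificate." and "Validating the CMS SignedData as specified in <xref target="RFC5652"/> using the public key from the validated signer's certificate." are now fragments, while the first item keeps a full sentence ("Validating the signer's certificate MUST ensure that it is ..."). The five items should use one form: either keep the imperatives ("Construct ...", "Validate ...", "Confirm ...") or, if the list lead-in outside this hunk introduces them as activities, turn every gerund item into a noun phrase followed by its requirement so the MUST-level checks (path validation, signature validation, eContentType) read as complete normative sentences.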
@ -580,10 +581,10 @@
</li> </li>
<li> <li>
Verify that the IP Address Delegation certificate extension Verifying that the IP Address Delegation certificate
<xref target="RFC3779"/> covers all of the address ranges of extension <xref target="RFC3779"/> covers all of the address
the geofeed file. If all of the address ranges are not ranges of the geofeed file. If all of the address ranges are
covered, then validation MUST fail. not covered, then validation MUST fail.
</li> </li>
</ol> </ol>
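Review bot: "If all of the address ranges are not covered, then validation MUST fail" is ambiguous (it can be read as "if none are covered") and the wording is carried over unchanged by the reflow; since the preceding sentence requires the extension to cover all of the address ranges, the failure condition should say "If any of the address ranges is not covered, then validation MUST fail". This check is what binds the geofeed prefixes to the signer's RFC 3779 authorization, so a relaxed reading would let a file that includes prefixes outside the signer's resources validate.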