blob: d8b4708f42549f267476dc1834ec0d02815737f8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
The following are unclear to me.
- Following up on validating AS numbers for certificates. The
specification is not clear on what happens with empty AS extensions in
a chain of certificates. Do we consider that inheritence? If so,
what's the point of having an inheritence clause?
- I get that ASid 0 has special meaning for ROAs (see RFC 6483 sec 4),
but it doesn't make sense that some top-level certificates (e.g.,
Afrinic) have a range inclusive of zero, since it's reserved. In this
system, I let the range through but don't let a specific ASid of 0 in
certificates---only ROAs.
- VRP duplication. When run as-is, there are duplicate VRPs and
that doesn't seem right. It happens when two ROAs have their validity
period overlap. I need to see if there's a more programmatic way to
check before commiting the routes to output.
- (**Important**.) Stipulating `X509_V_FLAG_IGNORE_CRITICAL` might be
dangerous. Which extensions are being ignored should be
double-checked.
|
