[DBWG] issue report - AFRINIC RPKI intermediate CA overclaim
Job Snijders
job at fastly.com
Tue Oct 17 21:36:29 UTC 2023
Dear working group,

It appears the AFRINIC intermediate CA
"2B:57:89:7A:7C:A9:64:C3:C8:B7:F7:BD:DA:A7:A4:DA:34:A9:8F:80" is
overclaiming in the range 154.0.0.0/8.

https://console.rpki-client.org/rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/afrinic-ca.cer.html

This certificate lists 154.0.0.0/8 as subordinate, but it *SHOULD* be
listing the following:

IP: 154.0.0.0/16
IP: 154.16.0.0/16
IP: 154.65.0.0 -- 154.255.255.255

It would be massively helpful if the certificate is re-issued with the
correct listing of subordinate resources. Given the non-tolerance for
overclaiming CAs in the RFC 6487 validation algorithm, this exposes
AFRINIC's RPKI service to some risk in the face of chaining AFRINIC's
PKI to alternative trust anchors.

Help in this matter would very much be appreciated.

Kind regards,

Job
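
Added example, not part of the original post and not code from rpki-client or AFRINIC: a Python sketch of the all-or-nothing resource containment check the post refers to, run on the prefixes quoted above. It assumes a hypothetical issuer under an alternative trust anchor that holds exactly the three ranges the post says should be listed; the function names are illustrative.

```python
import ipaddress

# Values quoted in the post. Treating ENTITLED as the issuer's holdings is an assumption.
CLAIMED = ["154.0.0.0/8"]
ENTITLED = ["154.0.0.0/16", "154.16.0.0/16", "154.65.0.0 -- 154.255.255.255"]

def to_range(text):
    """Parse 'a.b.c.d/len' or 'first -- last' into an inclusive (lo, hi) pair."""
    if "--" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("--"))
    else:
        net = ipaddress.IPv4Network(text.strip())
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi

def normalize(ranges):
    """Sort ranges and merge any that overlap or touch."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def overclaim(claimed, entitled):
    """Return the parts of `claimed` that `entitled` does not cover."""
    ent = normalize(to_range(t) for t in entitled)
    holes = []
    for lo, hi in normalize(to_range(t) for t in claimed):
        cur = lo  # first address not yet accounted for
        for e_lo, e_hi in ent:
            if e_hi < cur or e_lo > hi:
                continue
            if e_lo > cur:
                holes.append((cur, e_lo - 1))
            cur = max(cur, e_hi + 1)
        if cur <= hi:
            holes.append((cur, hi))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in holes]

def strict_accepts(claimed, entitled):
    """All-or-nothing: any address outside the issuer's set rejects the certificate."""
    return not overclaim(claimed, entitled)

if __name__ == "__main__":
    print("overclaimed:", overclaim(CLAIMED, ENTITLED))
    print("accepted under strict check:", strict_accepts(CLAIMED, ENTITLED))
```

Because the check rejects the whole certificate rather than trimming it, everything issued beneath the CA would fail validation along with it, including objects for address space the CA does legitimately hold.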