[DBWG] issue report - AFRINIC RPKI intermediate CA overclaim
David Njuki
david.njuki at afrinic.net
Wed Oct 18 07:20:16 UTC 2023
Hi Job,
We usually do issue the CA with the resources from the IANA assignment. I do acknowledge that it is indeed an overclaim and this should be fixed.
We’ve discussed internally and we’ll schedule to re-issue the intermediate CA with the correct listing of 154.x.
Additionally, we’ll update our internal processes to have a clear distinction between the IANA assignments and resources covered by RPKI.
Regards,
David
> On 18 Oct 2023, at 01:36, Job Snijders via DBWG <dbwg at afrinic.net> wrote:
>
> Dear working group,
>
> It appears the AFRINIC intermediate CA
> "2B:57:89:7A:7C:A9:64:C3:C8:B7:F7:BD:DA:A7:A4:DA:34:A9:8F:80" is
> overclaiming in the range 154.0.0.0/8.
>
> https://console.rpki-client.org/rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/afrinic-ca.cer.html
>
> This certificate lists 154.0.0.0/8 as subordinate, but it *SHOULD* be
> listing the following:
>
> IP: 154.0.0.0/16
> IP: 154.16.0.0/16
> IP: 154.65.0.0 -- 154.255.255.255
>
> It would be massively helpful if the certificate is re-issued with the
> correct listing of subordinate resources. Given the non-tolerance for
> overclaiming CAs in the RFC 6487 validation algorithm, this exposes
> AFRINIC's RPKI service to some risk in the face of chaining AFRINIC's
> PKI to alternative trust anchors.
>
> Help in this matter would very much be appreciated.
>
> Kind regards,
>
> Job
>
> _______________________________________________
> DBWG mailing list
> DBWG at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/dbwg
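The set comparison behind the report, as an added example that is not part of the original thread and not code from rpki-client or AFRINIC: it subtracts the resources the report says should be listed from the 154.0.0.0/8 the certificate lists, leaving the overclaimed space. The function names and the `first -- last` range parsing are assumptions made for this illustration.

```python
import ipaddress

# Values taken from the thread above.
LISTED = ["154.0.0.0/8"]
SHOULD_LIST = ["154.0.0.0/16", "154.16.0.0/16", "154.65.0.0 -- 154.255.255.255"]


def to_networks(entries):
    """Expand CIDR prefixes and 'first -- last' ranges into collapsed CIDR networks."""
    nets = []
    for entry in entries:
        if "--" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("--"))
            # A range need not be CIDR-aligned; summarize it into minimal prefixes.
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry.strip()))
    return list(ipaddress.collapse_addresses(nets))


def overclaim(listed, entitled):
    """Return the part of `listed` that `entitled` does not cover, as sorted CIDRs."""
    remaining = to_networks(listed)
    for allowed in to_networks(entitled):
        survivors = []
        for net in remaining:
            if net.subnet_of(allowed):
                continue  # fully covered by an entitled block
            if allowed.subnet_of(net):
                # Carve the entitled block out of the larger listed block.
                survivors.extend(net.address_exclude(allowed))
            else:
                survivors.append(net)  # CIDR blocks that do not nest are disjoint
        remaining = survivors
    return list(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    excess = overclaim(LISTED, SHOULD_LIST)
    for net in excess:
        print("overclaimed:", net)
    print("total addresses overclaimed:", sum(n.num_addresses for n in excess))
```

An empty result means the listed set is fully covered, which is the state the re-issued certificate should reach.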