[DBWG] Nonconformant X.509 issuer+subject names in some Afrinic RPKI CA/EE certs
Frank Habicht
geier at geier.ne.tz
Tue Dec 16 05:59:16 UTC 2025
Dear Yogesh, whole WG,
<nohat>
please see inline...
On 12/15/2025 5:45 AM, Yogesh Chadee via DBWG wrote:
> Dear Mr Snijders,
>
> I hope this email finds you well.
>
> While we understand that a quick resolution is favourable for everyone,
> we believe it would be wise to ensure Certificate holders are aware of
> the issue first.
agreed.
> Re-issuing a Certificate of a person who is unaware of
> the situation, without prior consent, could have undesired consequences.
At this place I would like to ask to be more specific. What consequences?
I believe resource holders can end up with a certificate that they
didn't have before. that they didn't create *themselves*. but it should
reflect the intention of the resource holder when they created the
initial certificate. And it should have the same properties.
> If this method does not yield the desired results,
Here I would like to get clarification about what time-line we look at
for finding out whether the desired results materialised.
I believe when we rely on resource holder action, we have to expect a
"long tail" and a small percentage of ROAs will not be deleted and
re-issued, because of various reasons.
How long should software developers keep work-arounds?
Why should they keep them even now?
Exposing the incorrect data might give much more incentive for resource
holders to take action...
> AFRINIC will then
> consider a quicker resolution, having completed the necessary
> information campaign.
If AfriNIC relies on an information campaign....
... has it started or when will it start?
I personally still think that there is less risk, faster resolution,
more certainty if AfriNIC could re-issue the certificates in question.
If useful, AfriNIC could probably get (informal) support from external
sources when considering the best methodology.
It will be good to inform resource holders as objects are changed.
But this will be (i believe) much less effort than the above mentioned
"information campaign". Which will not be needed if AfriNIC decides to
*correct* the RPKI data on its own initiative.
I understand that we got to this situation *not* because of any fault of
AfriNIC part, nor on resource holders. But AfriNIC has the opportunity
to "go the extra mile" and support resource holders more than absolutely
necessary.
Others are doing unilateral changes to improve database consistency as
well - e.g. "RIPE-NONAUTH" cleanup.
It's a way of proactively doing something "for the good of the internet".
And to be honest, in my personal opinion, if this is not done, it will
be harder for AfriNIC to credibly claim to do all that's needed to
support RPKI adoption.
All of this just my personal opinion without any hat.
Regards,
Frank Habicht
More information about the DBWG
mailing list