
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rpki-client: check issuer for certs and CRLs
To: tech@openbsd.org
Date: Thu, 30 May 2024 22:14:55 +0200

On Thu, May 30, 2024 at 10:01:23PM +0200, Claudio Jeker wrote:
> On Thu, May 30, 2024 at 04:43:42PM +0200, Theo Buehler wrote:
> > This slightly generalizes x509_valid_subject() into a Name validating
> > function, applies it to both subject and issuer of certs and uses it for
> > CRLs as well.
> > 
> > Now the verifier does check that the issuer's subject matches the
> > subject's issuer when building chains, but what exactly it checks
> > on the CRL side of things is not quite so obvious.
> > 
> > I think we're better off checking both, as the check is simple and
> > cheap enough. I haven't looked into adding some smarts for avoiding
> > the afrinic special #if 0, but I'm not sure it's worth it.
> 
> Looks good to me. Is the afrinic special still needed or did they fail
> to re-issue CA certs in the last year?

They improved their infra, but the special is still needed. It's no
longer all CA certs but the check would still knock out 44% of ROAs:

Route Origin Authorizations: 6880 (3039 failed parse, 0 invalid)

See also:

https://validator.afrinic.net/rpki/rcynic/rpki.afrinic.net.html
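As an added example (mine, not rpki-client's code; it uses the Python cryptography library on constructed certificates and CRLs, not real RPKI objects), here are the two checks the thread describes: a Name validator along the lines of the generalized x509_valid_subject(), and the issuer/subject match applied to both certificates and CRLs. The attribute rule is my reading of the RFC 6487 name profile; the example checks the attribute set only, not the string encoding of the attributes.

```python
# Added example, not rpki-client code: the two Name checks the patch describes, using the
# Python "cryptography" library on constructed CA/EE certificates and CRLs.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def valid_name(name):
    """RFC 6487 name profile (my assumption of what the generalized x509_valid_subject()
    enforces): exactly one commonName, at most one serialNumber and no other attribute."""
    oids = [attr.oid for attr in name]
    return (oids.count(NameOID.COMMON_NAME) == 1 and oids.count(NameOID.SERIAL_NUMBER) <= 1
            and set(oids) <= {NameOID.COMMON_NAME, NameOID.SERIAL_NUMBER})

def check_cert(cert, ca):
    """Subject and issuer must both be valid Names and the issuer must be the CA's subject."""
    return valid_name(cert.subject) and valid_name(cert.issuer) and cert.issuer == ca.subject

def check_crl(crl, ca):
    """The same issuer test on the CRL side."""
    return valid_name(crl.issuer) and crl.issuer == ca.subject

# Fixture helpers: one throwaway key signs everything (constructed, not real RPKI objects).
KEY = ec.generate_private_key(ec.SECP256R1())
NOW = datetime.datetime.now(datetime.timezone.utc)

def name(cn, **attrs):
    """A Name with a commonName plus extra attributes given by their NameOID attribute name."""
    extra = [x509.NameAttribute(getattr(NameOID, k), v) for k, v in attrs.items()]
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn), *extra])

def mk_cert(subject, issuer):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(KEY.public_key()).serial_number(1).not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=1)).sign(KEY, hashes.SHA256()))

def mk_crl(issuer):
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer).last_update(NOW)
            .next_update(NOW + datetime.timedelta(days=1)).sign(KEY, hashes.SHA256()))

def demo():
    """Verdicts for: good EE, EE with an organizationName, EE with a foreign issuer,
    CRL issued by the CA, CRL issued by someone else."""
    ca = mk_cert(name("ta-example"), name("ta-example"))
    good = mk_cert(name("ee-example", SERIAL_NUMBER="42"), ca.subject)
    bad_name = mk_cert(name("ee-example", ORGANIZATION_NAME="Example"), ca.subject)
    bad_issuer = mk_cert(name("ee-example"), name("some-other-ca"))
    return (check_cert(good, ca), check_cert(bad_name, ca), check_cert(bad_issuer, ca),
            check_crl(mk_crl(ca.subject), ca), check_crl(mk_crl(name("some-other-ca")), ca))
```

The organizationName case is the shape of rejection the name profile produces: the certificate still verifies cryptographically, but the Name check knocks it out.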