rpki-client: check issuer for certs and CRLs
On Thu, May 30, 2024 at 10:14:55PM +0200, Theo Buehler wrote:
> On Thu, May 30, 2024 at 10:01:23PM +0200, Claudio Jeker wrote:
> > On Thu, May 30, 2024 at 04:43:42PM +0200, Theo Buehler wrote:
> > > This slightly generalizes x509_valid_subject() into a Name validating
> > > function, applies it to both subject and issuer of certs and uses it for
> > > CRLs as well.
> > >
> > > Now the verifier does check that the issuer's subject matches the
> > > subject's issuer when building chains, but what exactly it checks
> > > on the CRL side of things is not quite so obvious.
> > >
> > > I think we're better off checking both, as the check is simple and
> > > cheap enough. I haven't looked into adding some smarts for avoiding
> > > the afrinic special #if 0, but I'm not sure it's worth it.
> >
> > Looks good to me. Is the afrinic special still needed or did they fail
> > to re-issue CA certs in the last year?
>
> They improved their infra, but the special is still needed. It's no
> longer all CA certs but the check would still knock out 44% of ROAs:

So it seems they fixed their CA certs but many of their EE certs are still
non-compliant. So we could avoid the afrinic special for CA certs now.
Happy to send a diff if you guys think it's worth it.

> Route Origin Authorizations: 6880 (3039 failed parse, 0 invalid)
>
> See also:
>
> https://validator.afrinic.net/rpki/rcynic/rpki.afrinic.net.html
>
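For readers who have not seen what a "Name validating function" in this context has to enforce: RFC 6487 (sections 4.4, 4.5 and 5) restricts RPKI subject and issuer Names to a single commonName, optionally one serialNumber, with the commonName encoded as a PrintableString, and a CRL's issuer is bound by the same rule as a certificate's issuer. The Python below is an added illustration, not rpki-client code and not the diff discussed in this thread; it parses DER Names with a minimal hand-written decoder, applies those rules to a subject or issuer, and then does the byte-for-byte "issuer equals issuing CA's subject" comparison for both a certificate and a CRL. All function names and the sample Names it builds are constructed for the example.

```python
# Added example (not from rpki-client): RFC 6487 Name validation and
# issuer/subject matching over raw DER, using only the standard library.
import string

OID_CN = b"\x55\x04\x03"      # id-at-commonName   2.5.4.3
OID_SERIAL = b"\x55\x04\x05"  # id-at-serialNumber 2.5.4.5
TAG_SEQ, TAG_SET, TAG_OID, TAG_PRINTABLE, TAG_UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C
PRINTABLE = set((string.ascii_letters + string.digits + " '()+,-./:=?").encode())


def _split(data: bytes):
    """Decode a concatenation of DER TLVs into [(tag, value), ...].
    Rejects truncated elements and non-minimal length encodings."""
    items, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated TLV")
        tag, ln, off = data[off], data[off + 1], off + 2
        if ln & 0x80:
            n = ln & 0x7F
            if n == 0 or n > 2 or off + n > len(data):
                raise ValueError("unsupported length encoding")
            ln = int.from_bytes(data[off:off + n], "big")
            if ln < 0x80 or (n == 2 and ln < 0x100):
                raise ValueError("non-minimal DER length")
            off += n
        if off + ln > len(data):
            raise ValueError("truncated TLV")
        items.append((tag, data[off:off + ln]))
        off += ln
    return items


def _unwrap(tag: int, data: bytes):
    """Expect exactly one constructed element with the given tag; return its children."""
    items = _split(data)
    if len(items) != 1 or items[0][0] != tag:
        raise ValueError("expected a single element with tag 0x%02x" % tag)
    return _split(items[0][1])


def valid_name(der: bytes) -> None:
    """Raise ValueError unless der is an RPKI-profile Name: one commonName,
    at most one serialNumber, nothing else, all values PrintableString."""
    seen = {}
    for rdn_tag, rdn in _unwrap(TAG_SEQ, der):   # Name ::= SEQUENCE OF RDN
        if rdn_tag != TAG_SET:
            raise ValueError("RDN is not a SET")
        atvs = _split(rdn)                       # RDN ::= SET OF AttributeTypeAndValue
        if len(atvs) != 1 or atvs[0][0] != TAG_SEQ:
            raise ValueError("RDN must hold exactly one AttributeTypeAndValue")
        parts = _split(atvs[0][1])               # ATV ::= SEQUENCE { type OID, value ANY }
        if len(parts) != 2 or parts[0][0] != TAG_OID:
            raise ValueError("malformed AttributeTypeAndValue")
        oid, (vtag, value) = parts[0][1], parts[1]
        if oid not in (OID_CN, OID_SERIAL):
            raise ValueError("unexpected attribute type")
        if oid in seen:
            raise ValueError("duplicate attribute")
        if vtag != TAG_PRINTABLE:
            raise ValueError(("commonName" if oid == OID_CN else "serialNumber")
                             + " is not PrintableString")
        if not value or any(c not in PRINTABLE for c in value):
            raise ValueError("invalid PrintableString content")
        seen[oid] = value
    if OID_CN not in seen:
        raise ValueError("missing commonName")


def name_error(der: bytes):
    """Return None for a valid Name, else the reason it was rejected."""
    try:
        valid_name(der)
        return None
    except ValueError as e:
        return str(e)


def check_issued_by(ca_subject_der: bytes, issuer_der: bytes):
    """Validate both Names, then require the cert's or CRL's issuer to be
    byte-for-byte the issuing CA's subject (valid DER Names compare as bytes).
    Returns None on success, else a reason string."""
    for der in (ca_subject_der, issuer_der):
        err = name_error(der)
        if err:
            return err
    if ca_subject_der != issuer_der:
        return "issuer does not match CA subject"
    return None


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder for building the constructed sample Names below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def make_name(cn: str, cn_tag: int = TAG_PRINTABLE, serial: str = None) -> bytes:
    """Constructed sample Name: CN (with a chosen string tag) plus optional serialNumber."""
    rdns = _der(TAG_SET, _der(TAG_SEQ, _der(TAG_OID, OID_CN) + _der(cn_tag, cn.encode())))
    if serial is not None:
        rdns += _der(TAG_SET, _der(TAG_SEQ, _der(TAG_OID, OID_SERIAL)
                                   + _der(TAG_PRINTABLE, serial.encode())))
    return _der(TAG_SEQ, rdns)


if __name__ == "__main__":
    ca = make_name("ca-1", serial="7")
    print("cert issuer:", check_issued_by(ca, make_name("ca-1", serial="7")))
    print("crl issuer :", check_issued_by(ca, make_name("ca-2")))
    print("utf8 CN    :", name_error(make_name("ca-1", cn_tag=TAG_UTF8)))
```

The same check_issued_by() is meant to be run twice per CA: once with the child certificate's issuer and once with the CRL's issuer, which is the "check both" the thread settles on. A Name that fails valid_name() (for instance a UTF8String commonName) is rejected before the comparison is even attempted, which is what makes the match cheap.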