From: Theo Buehler
Subject: Re: rpki-client: mandate presence of CMS signing-time and disallow binary-signing-time
To: Job Snijders
Cc: tech@openbsd.org
Date: Sun, 21 Apr 2024 09:13:47 +0200

On Sat, Apr 20, 2024 at 11:52:45PM +0000, Job Snijders wrote:
> Dear all,
>
> For the last 13 months, rpki-client would've emitted a warning if the
> CMS signing-time attribute were to be missing from a RPKI Signed Object,
> and if the binary-signing-time attribute were to be present. A
> retrospective based on rpkiviews.org data from June 2022 onwards
> indicates neither condition ever existed in recent years.
>
> RFC-to-be draft-ietf-sidrops-cms-signing-time updates RFC 6488 by
> mandating the presence of the CMS signing-time attribute and disallowing
> the use of the CMS binary-signing-time attribute. There was consensus in
> SIDROPS for time now, and - as of this week - also approval from the
> IESG for RFC publication of this internet-draft.
>
> I think it is time to flip from warning to fatal error.

Yes.

ok tb
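
Added illustration, not part of the original message and not rpki-client's code: the rule discussed above (signing-time mandatory, binary-signing-time forbidden) expressed as a walk over DER-encoded CMS SignedAttributes. The function names, return codes and sample bytes are constructed for this example; the DER reader only handles lengths up to 255 bytes, and treating a repeated signing-time as malformed is this example's choice.

```c
#include <stdio.h>
#include <string.h>
enum { ATTRS_OK, ATTRS_MALFORMED, ATTRS_NO_SIGNING_TIME, ATTRS_BINARY_SIGNING_TIME };
#define PKCS9 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09	/* DER of 1.2.840.113549.1.9 */
static const unsigned char oid_st[] = { PKCS9, 0x05 };	/* signing-time */
static const unsigned char oid_bst[] = { PKCS9, 0x10, 0x02, 0x2e };	/* binary-signing-time */
/* Read one DER tag+length (lengths up to 255 only); return header size, 0 on error. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
	size_t nb = (n >= 2 && p[1] == 0x81);	/* one long-form length byte at most */
	if (n < 2 + nb || (p[1] > 0x7f && !nb))
		return 0;
	*tag = p[0];
	*len = p[1 + nb];
	return *len <= n - 2 - nb ? 2 + nb : 0;
}

/* Walk a DER SET OF Attribute (CMS SignedAttributes) and apply the policy. */
int signed_attrs_check(const unsigned char *p, size_t n)
{
	unsigned char tag;
	size_t h, oh, len, alen, olen;
	int nst = 0;
	if ((h = der_hdr(p, n, &tag, &len)) == 0 || tag != 0x31 || h + len != n)
		return ATTRS_MALFORMED;
	for (p += h; len > 0; p += h + alen, len -= h + alen) {
		if ((h = der_hdr(p, len, &tag, &alen)) == 0 || tag != 0x30 ||
		    (oh = der_hdr(p + h, alen, &tag, &olen)) == 0 || tag != 0x06)
			return ATTRS_MALFORMED;
		if (olen == sizeof(oid_bst) && !memcmp(p + h + oh, oid_bst, olen))
			return ATTRS_BINARY_SIGNING_TIME;	/* forbidden attribute */
		if (olen == sizeof(oid_st) && !memcmp(p + h + oh, oid_st, olen) && nst++)
			return ATTRS_MALFORMED;	/* second signing-time */
	}
	return nst ? ATTRS_OK : ATTRS_NO_SIGNING_TIME;	/* mandatory attribute */
}

/* Constructed sample attributes, not taken from real RPKI objects. */
#define CT_ATTR 0x30,0x1a,0x06,0x09,PKCS9,0x03,0x31,0x0d,0x06,0x0b,PKCS9,0x10,0x01,0x18
#define ST_ATTR 0x30,0x1c,0x06,0x09,PKCS9,0x05,0x31,0x0f,0x17,0x0d,'2','4','0','4','2','1','0','7','1','3','4','7','Z'
#define BST_ATTR 0x30,0x15,0x06,0x0b,PKCS9,0x10,0x02,0x2e,0x31,0x06,0x02,0x04,0x66,0x24,0x00,0x00
const unsigned char sample_good[] = { 0x31, 0x3a, CT_ATTR, ST_ATTR };
const unsigned char sample_missing[] = { 0x31, 0x1c, CT_ATTR };
const unsigned char sample_binary[] = { 0x31, 0x51, BST_ATTR, CT_ATTR, ST_ATTR };
#define CHECK(s) signed_attrs_check(s, sizeof(s))
int main(void)
{
	printf("good=%d missing=%d binary=%d\n", CHECK(sample_good), CHECK(sample_missing), CHECK(sample_binary));
	return 0;
}
```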