From: Theo Buehler
Subject: Re: rpki-client: revert trust anchor validity period check
To: Job Snijders
Cc: tech@openbsd.org
Date: Fri, 21 Mar 2025 19:33:30 +0100

On Fri, Mar 21, 2025 at 06:25:37PM +0000, Job Snijders wrote:
> Dear all,
>
> Had a super interesting conversation with beck@ in which he convinced me
> that it'll be better to revert course here and go a different direction.
>
> There is a lot of complexity around fetching RPKI TA certificates and
> automatically selecting one that probably^Hhopefully doesn't mess up the
> tree (such as the still-valid olden narrowly rfc3779-constrained trust
> anchor certificate issuances). Instead, we can work towards maintaining
> this aspect as a more traditional rootstore (/etc/rpki/certs.pem).

I don't really follow the reasoning since one thing does not preclude
the other but I always hated this code, so I'm fine with removing it.