The following are unclear to me.
-
Following up on validating AS numbers for certificates. The specification is not clear on what happens with empty AS extensions in a chain of certificates. Do we consider that inheritence? If so, what's the point of having an inheritence clause?
-
I get that ASid 0 has special meaning for ROAs (see RFC 6483 sec 4), but it doesn't make sense that some top-level certificates (e.g., Afrinic) have a range inclusive of zero, since it's reserved. In this system, I let the range through but don't let a specific ASid of 0 in certificates---only ROAs.
-
VRP duplication. When run as-is, there are duplicate VRPs and that doesn't seem right. It happens when two ROAs have their validity period overlap. I need to see if there's a more programmatic way to check before commiting the routes to output.
-
(Not a particular helpful security measure, but...) The validators should all be run in their own process: the syntax parser should not be performing the route validation. This is a mechanical step, as all the logic to do so is in place.
-
(Important.) Stipulating
X509_V_FLAG_IGNORE_CRITICALmight be dangerous. Which extensions are being ignored should be double-checked.