[RPKI] BPKI TA expiry handling

Alex Band alex at nlnetlabs.nl
Wed Jun 5 08:33:45 UTC 2024


Hi Tom,

Apologies for the delayed reply. Tim wanted to respond to this email, but then realised he was not subscribed to this list with his current email address. 

I’m including the list to keep the thread and context intact. 

Cheers,

Alex

> On 30 May 2024, at 01:30, Tom Harrison via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hi,
> 
> At APNIC, we are currently testing how Krill handles the expiry of
> BPKI TA material (i.e. RFC 8183's parent_response.parent_bpki_ta and
> repository_response.repository_bpki_ta CA certificates).  It appears
> that Krill will not accept either a parent_response or a
> repository_response if the CA certificate in that response is expired,
> which makes sense.  However, if the CA certificate expires later, it
> appears that Krill will continue to successfully make use of the
> relevant service notwithstanding the expiry.  Assuming that's correct,
> is this behaviour that we can rely on into the future, or is there a
> chance that this will change such that the expiry of the CA
> certificate causes subsequent service interactions to fail?
> 
> Separately, it is not clear how a delegated CA operator should update
> its repository details to account for the BPKI TA expiry event.  On
> calling "krillc repo configure" with updated repository_response XML,
> Krill prints the error "CA '...' already uses this repository".  (The
> corresponding "krillc parents add" update operation works as expected,
> though.)  What does a delegated CA operator need to do (if anything)
> to handle the expiry of the repository_response BPKI TA?
> 
> -Tom
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
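Added example (editor's addition, not code from this thread or from Krill): the question above concerns the CA certificate carried in an RFC 8183 parent_response or repository_response. Whatever Krill ends up doing at expiry time, a delegated CA operator can at least see the expiry coming by reading the notAfter of the embedded BPKI TA out of the XML they were given. The script below does that with only the standard library: it locates parent_bpki_ta or repository_bpki_ta, base64-decodes it, walks the DER just far enough to reach tbsCertificate.validity, and classifies the TA as valid, expiring soon, or expired against a supplied clock. The XML and the certificate inside it are constructed test data (structurally valid, unsigned, with invented example.net URIs and handles); the 30-day warning threshold and the function names are the author's choices, not anything defined by RFC 8183 or Krill.

```python
"""Report the validity window of the BPKI TA in an RFC 8183 parent_response or
repository_response so the expiry event can be planned for, not discovered."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = "http://www.hactrn.net/uris/rpki/rpki-setup/"   # RFC 8183 namespace


def utc(y, m, d):
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)


# ---- minimal DER reader: just enough to reach tbsCertificate.validity ----

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to aware UTC."""
    s = value.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDD...: RFC 5280 4.1.2.5.1 century rule
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def x509_validity(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE { tbsCertificate SEQUENCE ... }")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    validity_tag, validity = fields[3]       # serialNumber, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    not_before, not_after = [_parse_time(t, v) for t, v in _children(validity)]
    return not_before, not_after


# ---- RFC 8183 side ----

def bpki_ta_validity(xml_text):
    """Return (element_name, notBefore, notAfter) for the BPKI TA in the response."""
    root = ET.fromstring(xml_text)
    for name in ("parent_bpki_ta", "repository_bpki_ta"):
        el = root.find(f"{{{NS}}}{name}")
        if el is not None and el.text:
            cert_der = base64.b64decode("".join(el.text.split()))   # tolerate wrapped base64
            return (name,) + x509_validity(cert_der)
    raise ValueError("no parent_bpki_ta or repository_bpki_ta element found")


def check_bpki_ta(xml_text, now, warn_days=30):
    """Classify the embedded TA relative to `now` (warn_days is an assumed threshold)."""
    _, not_before, not_after = bpki_ta_validity(xml_text)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    if not_after - now <= dt.timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


# ---- constructed sample data (not real Krill output; cert is unsigned) ----

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_cert(not_before, not_after):
    """Structurally valid certificate skeleton with a real validity field and empty names/key."""
    utctime = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, utctime(not_before) + utctime(not_after))
               + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER = utc(2024, 1, 1), utc(2025, 1, 1)


def sample_response(kind="repository"):
    ta = base64.b64encode(_sample_cert(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)).decode()
    if kind == "parent":
        return (f'<parent_response xmlns="{NS}" version="1" service_uri="https://parent.example.net/rfc6492/CHILD" '
                f'child_handle="CHILD" parent_handle="PARENT"><parent_bpki_ta>{ta}</parent_bpki_ta></parent_response>')
    return (f'<repository_response xmlns="{NS}" version="1" service_uri="https://repo.example.net/rfc8181/CHILD" '
            f'publisher_handle="CHILD" sia_base="rsync://repo.example.net/repo/CHILD/">'
            f'<repository_bpki_ta>\n  {ta}\n</repository_bpki_ta></repository_response>')


if __name__ == "__main__":
    for kind in ("parent", "repository"):
        name, nb, na = bpki_ta_validity(sample_response(kind))
        print(f"{name}: {nb:%Y-%m-%d} .. {na:%Y-%m-%d} -> "
              f"{check_bpki_ta(sample_response(kind), dt.datetime.now(dt.timezone.utc))}")
```

To use it on real material, pass the response XML you received from the parent or publication server to bpki_ta_validity(); the DER walker only reads the validity field, so it does not verify the signature or anything else about the certificate, and it says nothing about whether Krill itself will refuse the service once that date passes, which is exactly the question left open above.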


