[RPKI] BPKI TA expiry handling

Tom Harrison tomh at apnic.net
Wed May 29 23:30:03 UTC 2024


Hi,

At APNIC, we are currently testing how Krill handles the expiry of
BPKI TA material (i.e. RFC 8183's parent_response.parent_bpki_ta and
repository_response.repository_bpki_ta CA certificates).  It appears
that Krill will not accept either a parent_response or a
repository_response if the CA certificate in that response is expired,
which makes sense.  However, if the CA certificate expires later, it
appears that Krill will continue to successfully make use of the
relevant service notwithstanding the expiry.  Assuming that's correct,
is this behaviour that we can rely on into the future, or is there a
chance that this will change such that the expiry of the CA
certificate causes subsequent service interactions to fail?

Separately, it is not clear how a delegated CA operator should update
its repository details to account for the BPKI TA expiry event.  On
calling "krillc repo configure" with updated repository_response XML,
Krill prints the error "CA '...' already uses this repository".  (The
corresponding "krillc parents add" update operation works as expected,
though.)  What does a delegated CA operator need to do (if anything)
to handle the expiry of the repository_response BPKI TA?

-Tom
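An added example, not part of the original message and not Krill's own code: a pure-Python check that extracts the BPKI TA from an RFC 8183 parent_response or repository_response and reports its notAfter, so the expiry event discussed above can be monitored before it affects a CA. Element and namespace names follow RFC 8183; the sample response it constructs wraps an unsigned DER certificate skeleton whose only meaningful field is validity.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = "{http://www.hactrn.net/uris/rpki/rpki-setup/}"   # RFC 8183 XML namespace

def der_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_bytes) for each TLV inside a constructed element."""
    while start < end:
        tag, vs, start = der_tlv(buf, start)
        yield tag, buf[vs:start]

def cert_not_after(der):
    """notAfter of a DER X.509 certificate (tbsCertificate.validity)."""
    _, tbs_vs, tbs_ve = der_tlv(der, der_tlv(der)[1])  # Certificate -> tbsCertificate
    fields = list(der_children(der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                            # skip explicit [0] version if present
        fields = fields[1:]
    validity = fields[3][1]                             # serial, sigAlg, issuer, validity, ...
    tag, raw = list(der_children(validity, 0, len(validity)))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(raw.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def bpki_ta_not_after(xml_text):
    """notAfter of the BPKI TA in an RFC 8183 parent_response or repository_response."""
    root = ET.fromstring(xml_text)
    kind = "repository" if root.tag == NS + "repository_response" else "parent"
    return cert_not_after(base64.b64decode(root.find(f"{NS}{kind}_bpki_ta").text))

def der_encode(tag, content):                           # encoder for the constructed sample
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def sample_response(not_after, time_tag=0x17, kind="repository"):
    """Constructed response around an unsigned DER certificate skeleton (not a real BPKI TA)."""
    validity = der_encode(0x17, b"250101000000Z") + der_encode(time_tag, not_after.encode())
    tbs = der_encode(0x30, b"".join([
        der_encode(0xA0, der_encode(0x02, b"\x02")),    # [0] version v3
        der_encode(0x02, b"\x01"),                      # serialNumber
        der_encode(0x30, b""), der_encode(0x30, b""),   # signature alg, issuer (placeholders)
        der_encode(0x30, validity),
        der_encode(0x30, b""), der_encode(0x30, b""),   # subject, subjectPublicKeyInfo
    ]))
    cert = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return (f'<{kind}_response xmlns="{NS[1:-1]}" version="1">'
            f'<{kind}_bpki_ta>{base64.b64encode(cert).decode()}</{kind}_bpki_ta></{kind}_response>')
```

Feeding the XML that was actually handed to `krillc parents add` or `krillc repo configure` into `bpki_ta_not_after` gives the date to alert on; certificates expiring after 2049 carry a GeneralizedTime, which the parser also handles.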
