RFC 6489, "Certification Authority (CA) Key Rollover in the Resource Public Key Infrastructure (RPKI)", February 2012
Source of RFC: sidr (rtg)
See Also: RFC 6489 w/ inline errata
Errata ID: 3756
Publication Format(s) : TEXT
Reported By: David Mandelberg
Date Reported: 2013-10-16
Verifier Name: Stewart Bryant
Date Verified: 2013-10-30
Section 2 says:
This request MUST include the same SIA extension that is present in the CURRENT CA certificate.
It should say:
The AccessDescriptions with accessMethods of id-ad-caRepository in the request's SIA extension MUST be the same as the AccessDescriptions with accessMethods of id-ad-caRepository in the CURRENT CA certificate's SIA extension.
Notes:
An RFC6487-compliant CA certificate's SIA extension has AccessDescriptions for both its repository (id-ad-caRepository) and its manifest (id-ad-rpkiManifest). Section 2 of RFC6489 also states, "While the 'current' and 'new' CA instances share a single repository publication point, each CA has its own CRL and its own manifest." This indicates that only the id-ad-caRepository AccessDescriptions should be identical, not the id-ad-rpkiManifest AccessDescriptions.
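The corrected rule can be checked mechanically. The following is an added example, not part of the erratum or of RFC 6489: it parses two DER-encoded SIA extension values and compares only their id-ad-caRepository AccessDescriptions. The function names, the sample URIs, the order-insensitive comparison and the URI-only accessLocation are assumptions made for this sketch.

```python
CA_REPOSITORY = bytes.fromhex("2b06010505073005")  # id-ad-caRepository, 1.3.6.1.5.5.7.48.5
RPKI_MANIFEST = bytes.fromhex("2b0601050507300a")  # id-ad-rpkiManifest, 1.3.6.1.5.5.7.48.10

def tlv(tag, body):
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def parse_sia(der):
    """Parse an SIA value into [(accessMethod OID bytes, URI)]; URI locations only (assumption)."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SIA value must be exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ad, pos = read_tlv(seq, pos)
        t1, oid, p = read_tlv(ad, 0)
        t2, loc, p = read_tlv(ad, p)
        if (tag, t1, t2) != (0x30, 0x06, 0x86) or p != len(ad):
            raise ValueError("unexpected AccessDescription encoding")
        out.append((oid, loc.decode("ascii")))
    return out

def ca_repository_matches(request_sia, current_sia):
    """Corrected check: only id-ad-caRepository entries must agree (order ignored, an assumption)."""
    def pick(der):
        return sorted(uri for method, uri in parse_sia(der) if method == CA_REPOSITORY)
    wanted = pick(current_sia)
    return bool(wanted) and pick(request_sia) == wanted  # a CA cert with no caRepository fails

def build_sia(entries):
    """Helper that builds the constructed samples below."""
    return tlv(0x30, b"".join(tlv(0x30, tlv(0x06, m) + tlv(0x86, u.encode())) for m, u in entries))

# Constructed sample values (not taken from any real CA).
REPO = "rsync://rpki.example.net/repo/ca/"
CURRENT = build_sia([(CA_REPOSITORY, REPO), (RPKI_MANIFEST, REPO + "current.mft")])
NEW_REQ = build_sia([(CA_REPOSITORY, REPO), (RPKI_MANIFEST, REPO + "new.mft")])
MOVED = build_sia([(CA_REPOSITORY, "rsync://rpki.example.net/other/"), (RPKI_MANIFEST, REPO + "new.mft")])
```

`NEW_REQ` differs from `CURRENT` byte for byte, so a whole-extension comparison under the original wording would reject it, while `ca_repository_matches` accepts it and still rejects `MOVED`.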