RFC Errata
RFC 9286, "Manifests for the Resource Public Key Infrastructure (RPKI)", June 2022
Source of RFC: sidrops (ops)
Errata ID: 7243
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Ties de Kock
Date Reported: 2022-11-07
Section 4.2.1. Manifest says:
thisUpdate: This field contains the time when the manifest was created. This field has the same format constraints as specified in [RFC5280] for the CRL field of the same name. The issuer MUST ensure that the value of this field is more recent than any previously generated manifest. Each RP MUST verify that this field value is greater (more recent) than the most recent manifest it has validated. If this field in a purported "new" manifest is smaller (less recent) than previously validated manifests, the RP SHOULD use locally cached versions of objects, as described in Section 6.6.
It should say:
thisUpdate: This field contains the time when the manifest was created. This field has the same format constraints as specified in [RFC5280] for the CRL field of the same name. The issuer MUST ensure that the value of this field is equal to the current time and higher or equal to the thisUpdate of any previously generated manifest. Each RP MUST verify that this field value is greater or equal to (as, or more recent) than the most recent manifest it has validated. Suppose this field in a purported "new" manifest is smaller (less recent) than previously validated manifests. In that case, the RP SHOULD use locally cached versions of objects, as described in Section 6.6.
Notes:
First of all: The previous text was not explicit that thisUpdate MUST contain the current time.
Second, in practice (e.g. multiple calls to a synchronous API) multiple manifests can be issued with the same thisUpdate. Under the previous text this would technically be misissuance. The propose text allows multiple manifests to be issued in the same second.