rpki-client stricter aging policy for Trust Anchor certificates committed to -current
by from OpenBSD Journal on (#6T1S2)
There has long been some concern in the networking communities, particularly the routing security part, about the use of very long-lived Trust Anchor (TA) certificates in routing infrastructure.
Today Job Snijders (job@) committed code to rpki-client(8) to implement a gradual phase-in of a stricter policy on TA certificate lifetimes.
The commit message reads,
Subject: CVS: cvs.openbsd.org: src
From: Job Snijders <job () cvs ! openbsd ! org>
Date: 2024-12-18 16:38:40

CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2024/12/18 09:38:40

Modified files:
    usr.sbin/rpki-client: cert.c

Log message:
Schedule future rejection of ultra long-lived TA certificates

The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.