
Diff for /www/74.html between version 1.22 and 1.23

version 1.22, 2023/10/11 15:32:29 version 1.23, 2023/10/11 16:19:33
Line 314 
Line 314 
   </ul>    </ul>
   <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:    <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
   <ul>    <ul>
         <li>...          <li>A 30%-50% performance improvement was achieved through libcrypto's
               partial chains certificate validation feature. Already validated
               non-inheriting CA certificates are now marked as trusted roots. This
               way it can be ensured that a leaf's delegated resources are properly
               covered, and at the same time most validation paths are
               significantly shortened.
           <li>Support for gzip and deflate HTTP Content-Encoding compression was
               added. This allows web servers to send RRDP XML in compressed form,
               saving around 50% of bandwidth.
           <li>ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
               As part of supporting AFI-agnostic ASPAs, the JSON syntax for
               Validated ASPA Payloads changed in both filemode and normal output.
           <li>In filemode (-f option) the applicable manifests are now shown as
               part of the signature path.
           <li>A new -P option was added to manually specify a moment in time
               to use when parsing the validity window of certificates. Useful
               for regression testing. Default is invocation time of rpki-client.
           <li>The -A option will now also exclude ASPA data from the JSON output.
           <li>The synchronisation protocol used to sync the repository is now
               included in the OpenMetrics output.
           <li>Improved accounting by tracking objects both by repo and tal.
           <li>Check whether products listed on a manifest were issued by the same
               authority as the manifest itself.
           <li>File modification timestamps of objects retrieved via RRDP are now
               deterministically set to prepare the on-disk cache for seamless
               failovers from RRDP to RSYNC.
           <li>Improved detection of RRDP session desynchronization: a check was
               added to compare whether the delta hashes associated to previously
               seen serials are different in newly fetched notification files.
           <li>Improved handling of RRDP deltas in which objects are published,
               withdrawn, and published again.
           <li>Disallow X.509 v2 issuer and subject unique identifiers in certs.
               RPKI CAs will never issue certificates with V2 unique identifiers.
           <li>A check to disallow duplicate X.509 certificate extensions was
               added.
           <li>A check to disallow empty sets of IP Addresses or AS numbers in RFC
               3779 extensions was added.
           <li>A warning is printed when the CMS signing-time attribute in a Signed
               Object is missing.
           <li>Warnings about unrecoverable message digest mismatches now include
               the manifestNumber to aid debugging the cause.
           <li>A check was added to disallow multiple RRDP publish elements for the
               same file in RRDP snapshots. If this error condition is encountered,
               the RRDP transfer is failed and the RP falls back to rsync.
           <li>A compliance check for the proper X.509 Certificate version and CRL
               version was added.
           <li>A compliance check was added to ensure CMS Signed Objects contain
               SignedData, in accordance to RFC 6488 section 3 checklist item 1a.
           <li>Compliance checks were added for the version, KeyUsage, and
               ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
               Objects.
           <li>A CMS signing-time value being after the X.509 notAfter timestamp
               was downgraded from an error to a warning.
           <li>A bug was fixed in the handling of CA certificates which inherit IP
               resources.
           <li>A compliance check was added to ensure the X.509 Subject only
               contains commonName and optionally serialNumber.
           <li>A compliance check was added to ensure the CMS SignedData and
               SignerInfo versions to be 3.
           <li>Fisher-Yates shuffle the order in which Manifest entries are
               processed. Previously, work items were enqueued in the order the CA
               intended them to appear on a Manifest. However, there is no obvious
               benefit to third parties deciding the order in which things are
               processed.
   </ul>    </ul>
   
   <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,    <li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,
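Review bot: several of the new list items in the Line 314 hunk need a copy-editing pass for grammar and consistent terminology before this lands on the release page. In particular, `SignedData, in accordance to RFC 6488 section 3 checklist item 1a.` should read "in accordance with"; `SignerInfo versions to be 3.` should read "versions are 3"; and the item beginning `<li>Fisher-Yates shuffle the order in which Manifest entries are` is a sentence fragment that could read "The order in which Manifest entries are processed is now Fisher-Yates shuffled." Smaller points: "the RRDP transfer is failed" should be "fails", "delta hashes associated to" should be "associated with", "X.509 v2" and "V2 unique identifiers" capitalise the same term differently, as do "RRDP to RSYNC" and "falls back to rsync", and "Check whether products listed on a manifest..." is the only item phrased as an imperative rather than as a description of the change. The hunk otherwise follows the surrounding convention of unclosed <li> elements, so no structural change is needed.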
