===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.22
retrieving revision 1.23
diff -c -r1.22 -r1.23
*** www/74.html 2023/10/11 15:32:29 1.22
--- www/74.html 2023/10/11 16:19:33 1.23
***************
*** 314,320 ****
rpki-client(8) saw some changes:
In snmpd(8),
--- 314,383 ----
rpki-client(8) saw some changes:
! - A 30%-50% performance improvement was achieved through libcrypto's
! partial chains certificate validation feature. Already validated
! non-inheriting CA certificates are now marked as trusted roots. This
! way it can be ensured that a leaf's delegated resources are properly
! covered, and at the same time most validation paths are
! significantly shortened.
!
- Support for gzip and deflate HTTP Content-Encoding compression was
! added. This allows web servers to send RRDP XML in compressed form,
! saving around 50% of bandwidth.
!
- ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
! As part of supporting AFI-agnostic ASPAs, the JSON syntax for
! Validated ASPA Payloads changed in both filemode and normal output.
!
- In filemode (-f option) the applicable manifests are now shown as
! part of the signature path.
!
- A new -P option was added to manually specify a moment in time
! to use when parsing the validity window of certificates. Useful
! for regression testing. Default is invocation time of rpki-client.
!
- The -A option will now also exclude ASPA data from the JSON output.
!
- The synchronisation protocol used to sync the repository is now
! included in the OpenMetrics output.
!
- Improved accounting by tracking objects both by repo and tal.
!
- Check whether products listed on a manifest were issued by the same
! authority as the manifest itself.
!
- File modification timestamps of objects retrieved via RRDP are now
! deterministically set to prepare the on-disk cache for seamless
! failovers from RRDP to RSYNC.
!
- Improved detection of RRDP session desynchronization: a check was
! added to compare whether the delta hashes associated to previously
! seen serials are different in newly fetched notification files.
!
- Improved handling of RRDP deltas in which objects are published,
! withdrawn, and published again.
!
- Disallow X.509 v2 issuer and subject unique identifiers in certs.
! RPKI CAs will never issue certificates with V2 unique identifiers.
!
- A check to disallow duplicate X.509 certificate extensions was
! added.
!
- A check to disallow empty sets of IP Addresses or AS numbers in RFC
! 3779 extensions was added.
!
- A warning is printed when the CMS signing-time attribute in a Signed
! Object is missing.
!
- Warnings about unrecoverable message digest mismatches now include
! the manifestNumber to aid debugging the cause.
!
- A check was added to disallow multiple RRDP publish elements for the
! same file in RRDP snapshots. If this error condition is encountered,
! the RRDP transfer is failed and the RP falls back to rsync.
!
- A compliance check for the proper X.509 Certificate version and CRL
! version was added.
!
- A compliance check was added to ensure CMS Signed Objects contain
! SignedData, in accordance to RFC 6488 section 3 checklist item 1a.
!
- Compliance checks were added for the version, KeyUsage, and
! ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
! Objects.
!
- A CMS signing-time value being after the X.509 notAfter timestamp
! was downgraded from an error to a warning.
!
- A bug was fixed in the handling of CA certificates which inherit IP
! resources.
!
- A compliance check was added to ensure the X.509 Subject only
! contains commonName and optionally serialNumber.
!
- A compliance check was added to ensure the CMS SignedData and
! SignerInfo versions to be 3.
!
- Fisher-Yates shuffle the order in which Manifest entries are
! processed. Previously, work items were enqueued in the order the CA
! intended them to appear on a Manifest. However, there is no obvious
! benefit to third parties deciding the order in which things are
! processed.
In snmpd(8),
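Review bot: the rationale for the partial-chains change at "Already validated non-inheriting CA certificates are now marked as trusted roots. This way it can be ensured that a leaf's delegated resources are properly covered" leaves out the step that makes the restriction safe: a CA certificate carrying explicit RFC 3779 resources has already had those resources checked as a subset of its issuer's, so a path may stop there, whereas a CA certificate whose resources are marked inherit has no resource set of its own and cannot terminate a path without losing that check. Suggest stating this in the list item so a reader sees why only non-inheriting CA certificates qualify, and noting that the 30%-50% figure refers to the shortened validation paths rather than the HTTP compression mentioned in the next item. Minor wording points in the same hunk: the list mixes imperative fragments ("Fisher-Yates shuffle the order in which Manifest entries are processed", "Disallow X.509 v2 issuer and subject unique identifiers in certs") with the past-tense declaratives used elsewhere ("A check ... was added"); "in accordance to RFC 6488 section 3" should read "in accordance with"; "ensure the CMS SignedData and SignerInfo versions to be 3" should read "ensure ... versions are 3"; and "failovers from RRDP to RSYNC" should spell the protocol "rsync" as the later item "the RP falls back to rsync" does.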