===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/74.html,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- www/74.html 2023/10/11 15:32:29 1.22
+++ www/74.html 2023/10/11 16:19:33 1.23
@@ -314,7 +314,70 @@
rpki-client(8) saw some changes:
- - ...
+
- A 30%-50% performance improvement was achieved through libcrypto's
+ partial chains certificate validation feature. Already validated
+ non-inheriting CA certificates are now marked as trusted roots. This
+ way it can be ensured that a leaf's delegated resources are properly
+ covered, and at the same time most validation paths are
+ significantly shortened.
+
- Support for gzip and deflate HTTP Content-Encoding compression was
+ added. This allows web servers to send RRDP XML in compressed form,
+ saving around 50% of bandwidth.
+
- ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
+ As part of supporting AFI-agnostic ASPAs, the JSON syntax for
+ Validated ASPA Payloads changed in both filemode and normal output.
+
- In filemode (-f option) the applicable manifests are now shown as
+ part of the signature path.
+
- A new -P option was added to manually specify a moment in time
+ to use when parsing the validity window of certificates. Useful
+ for regression testing. Default is invocation time of rpki-client.
+
- The -A option will now also exclude ASPA data from the JSON output.
+
- The synchronisation protocol used to sync the repository is now
+ included in the OpenMetrics output.
+
- Improved accounting by tracking objects both by repo and tal.
+
- Check whether products listed on a manifest were issued by the same
+ authority as the manifest itself.
+
- File modification timestamps of objects retrieved via RRDP are now
+ deterministically set to prepare the on-disk cache for seamless
+ failovers from RRDP to RSYNC.
+
- Improved detection of RRDP session desynchronization: a check was
+ added to compare whether the delta hashes associated to previously
+ seen serials are different in newly fetched notification files.
+
- Improved handling of RRDP deltas in which objects are published,
+ withdrawn, and published again.
+
- Disallow X.509 v2 issuer and subject unique identifiers in certs.
+ RPKI CAs will never issue certificates with V2 unique identifiers.
+
- A check to disallow duplicate X.509 certificate extensions was
+ added.
+
- A check to disallow empty sets of IP Addresses or AS numbers in RFC
+ 3779 extensions was added.
+
- A warning is printed when the CMS signing-time attribute in a Signed
+ Object is missing.
+
- Warnings about unrecoverable message digest mismatches now include
+ the manifestNumber to aid debugging the cause.
+
- A check was added to disallow multiple RRDP publish elements for the
+ same file in RRDP snapshots. If this error condition is encountered,
+ the RRDP transfer is failed and the RP falls back to rsync.
+
- A compliance check for the proper X.509 Certificate version and CRL
+ version was added.
+
- A compliance check was added to ensure CMS Signed Objects contain
+ SignedData, in accordance to RFC 6488 section 3 checklist item 1a.
+
- Compliance checks were added for the version, KeyUsage, and
+ ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
+ Objects.
+
- A CMS signing-time value being after the X.509 notAfter timestamp
+ was downgraded from an error to a warning.
+
- A bug was fixed in the handling of CA certificates which inherit IP
+ resources.
+
- A compliance check was added to ensure the X.509 Subject only
+ contains commonName and optionally serialNumber.
+
- A compliance check was added to ensure the CMS SignedData and
+ SignerInfo versions to be 3.
+
- Fisher-Yates shuffle the order in which Manifest entries are
+ processed. Previously, work items were enqueued in the order the CA
+ intended them to appear on a Manifest. However, there is no obvious
+ benefit to third parties deciding the order in which things are
+ processed.
In snmpd(8),
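Review bot: a few wording fixes in the new rpki-client items before this lands in the release notes. "to ensure the CMS SignedData and SignerInfo versions to be 3" should read "to ensure the CMS SignedData and SignerInfo versions are 3"; "in accordance to RFC 6488 section 3 checklist item 1a" should be "in accordance with"; and "delta hashes associated to previously seen serials" should be "associated with". The rsync fallback is spelled "RSYNC" in the RRDP timestamp item ("failovers from RRDP to RSYNC") but "rsync" in the duplicate-publish item ("the RP falls back to rsync"); pick one spelling, and likewise "synchronisation" versus "desynchronization" in neighbouring items. Finally, from the "A 30%-50% performance improvement" item onward the list items show a bare leading "-" in this diff view, which reads as removed lines rather than added ones; worth confirming the "+" prefix and the list marker both survived on those lines in revision 1.23.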