About eight months ago I discovered a number of issues in the validation
procedure of most RPKI validator softwares (including the RIPE NCC
Validator, Routinator, and OctoRPKI). The impact of improper
verification of Manifests (and associated aspects of the X.509 system)
in the RPKI can have rather dramatic effects in today's Internet routing
landscape. When handling a manifest, make sure everything is accounted
The mitigation guidance is at present is very simple: just make sure all
deployed RPKI validators are updated to the latest version.
Going forward I hope our industry as a whole will be able to respond
faster to issues of this type. A write-up with examples and details is
available here: http://sobornost.net/~job/manifest_handling_issue.txt
Thank you to all involved who helped fix & progress this issue.