Rework trust anchor handling
Mimick the approach already taken from manifests and compare the trust
anchor fetched from the net with the one in the cache (if any). This
allows us to choose which one to use and pick the one we like better.
We currently look at the notBefore date and pick the TA later one or
pick the new one if the serialNumber changed. These conditions will
be tweaked in tree.
This prevents replay attacks where a man in the middle could feed us
still valid TA certificates with outdated internet number resources.
This is not currently an issue since all currently valid TA certs from
the RIRs have the same set of resources. Some TA certificates in the RPKI
expire so far in the future that its 32-bit time is again positive.
Things may well change in the next 100 years...
Problem pointed out to us by Ties de Kock a long time ago.
with and ok claudio
ok job
projects / openbsd / commit