Policy Qualifiers in RPKI Certificates

profiles certificates, certificate revocation lists, and certificate signing requests specified in for use in routing public key infrastructure. defines an extension to certificates for the listing of policy information (See section 4.2.1.4). states in Section 4.8.9: "This extension MUST be present and MUST be marked critical. It MUST include exactly one policy, as specified in the RPKI CP ". This references the CertPolicyId of the sequence allowed in PolicyInformation as defined by . also specifies that PolicyInformation may optionally have a sequence of PolicyQualifierInfo objects. does not specifically allow or disallow these PolicyQualifierInfo objects although it also states in section 4: "Unless specifically noted as being OPTIONAL, all the fields listed here MUST be present, and any other fields MUST NOT appear in a conforming resource certificate." This document updates , Section 4.8.9, to explicitly allow optional PolicyQualifierInfo objects in the PolicyInformation specified by . As noted in , section 4.2.1.4: "Optional qualifiers, which MAY be present, are not expected to change the definition of the policy." In this case any optional policy qualifiers that MAY be present in a resource certificate MUST NOT change the definition of the RPKI CP .