RPKI objects can have multiple parents in a few cases. This should be supported such that if any path to a trust anchor is valid, the object is considered valid.
In an "evil twin" attack, a malicious CA tweaks, re-signs, and publishes another CA's certificate. The re-signed copy appears to be a parent of the victim CA's children: the issuer, AKI, etc. in the victim CA's children match the subject, SKI, etc. of the re-signed CA cert. However, one or both of the following will be true of the re-signed copy if it is an "evil twin" CA certificate:
If a relying party (RP) only attempts to validate the victim CA's children via the evil twin, the RP will incorrectly consider the children to be invalid.
Certain circumstances can cause RPSTIR to only attempt to validate an object via an evil twin, which makes it possible for an attacker to effectively invalidate another party's objects.
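The following is an added example, not RPSTIR code: a small model of the "any valid path" rule next to a validator that commits to the first matching parent. The `Cert` fields, the function names and the sample certificates are constructed for illustration. As a modelling assumption, the path through the twin fails here on resource containment, and signature checking is reduced to comparing key identifiers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    ski: str               # subject key identifier
    issuer: str
    aki: str               # authority key identifier
    resources: frozenset   # opaque labels; subset stands in for resource containment
    signed_by: str         # key that signed this cert; stand-in for a signature check
    trust_anchor: bool = False

def candidate_parents(child, store):
    """All certs whose subject/SKI match the child's issuer/AKI (may be several)."""
    return [c for c in store
            if c is not child and c.subject == child.issuer and c.ski == child.aki]

def link_ok(child, parent):
    return child.signed_by == parent.ski and child.resources <= parent.resources

def valid_first_parent_only(cert, store):
    """Flawed: commits to the first matching parent, which may be the evil twin."""
    if cert.trust_anchor:
        return True
    parents = candidate_parents(cert, store)
    return bool(parents) and link_ok(cert, parents[0]) \
        and valid_first_parent_only(parents[0], store)

def valid_any_path(cert, store, seen=frozenset()):
    """Valid if at least one chain of candidate parents reaches a trust anchor."""
    if cert.trust_anchor:
        return True
    if cert in seen:       # guard against issuer loops
        return False
    seen = seen | {cert}
    return any(link_ok(cert, p) and valid_any_path(p, store, seen)
               for p in candidate_parents(cert, store))

# Constructed sample data, not taken from any real repository.
V, M = frozenset({"192.0.2.0/24"}), frozenset({"198.51.100.0/24"})
ta = Cert("TA", "k-ta", "TA", "k-ta", V | M, "k-ta", trust_anchor=True)
victim = Cert("victim", "k-victim", "TA", "k-ta", V, "k-ta")
mallory = Cert("mallory", "k-mal", "TA", "k-ta", M, "k-ta")
twin = Cert("victim", "k-victim", "mallory", "k-mal", M, "k-mal")  # re-signed copy
child = Cert("roa-ee", "k-roa", "victim", "k-victim", V, "k-victim")
STORE = [ta, mallory, twin, victim, child]  # twin is found before the real parent
```

In this model the twin is itself valid under its issuer, so rejecting it up front is not an option; the child only validates once every candidate parent is tried.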
Migrated to GitHub.