< draft-ietf-sidrops-rpki-rsc-06.txt   draft-ietf-sidrops-rpki-rsc-07.txt >
Network Working Group J. Snijders Network Working Group J. Snijders
Internet-Draft Fastly Internet-Draft Fastly
Intended status: Standards Track T. Harrison Intended status: Standards Track T. Harrison
Expires: 16 August 2022 APNIC Expires: 20 November 2022 APNIC
B. Maddison B. Maddison
Workonline Workonline
12 February 2022 19 May 2022
Resource Public Key Infrastructure (RPKI) object profile for Signed A profile for Resource Public Key Infrastructure (RPKI) Signed
Checklist (RSC) Checklists (RSC)
draft-ietf-sidrops-rpki-rsc-06 draft-ietf-sidrops-rpki-rsc-07
Abstract Abstract
This document defines a Cryptographic Message Syntax (CMS) profile This document defines a Cryptographic Message Syntax (CMS) profile
for a general purpose listing of checksums (a 'checklist'), for use for a general purpose listing of checksums (a 'checklist'), for use
with the Resource Public Key Infrastructure (RPKI). The objective is with the Resource Public Key Infrastructure (RPKI). The objective is
to allow an attestation, in the form of a listing of one or more to allow an attestation, in the form of a listing of one or more
checksums of arbitrary digital objects (files), to be signed "with checksums of arbitrary digital objects (files), to be signed "with
resources", and for validation to provide a means to confirm a resources", and for validation to provide a means to confirm a
specific Internet Resource Holder produced the Signed Checklist. The specific Internet Resource Holder produced the Signed Checklist. The
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 August 2022. This Internet-Draft will expire on 20 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 29 skipping to change at page 2, line 29
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. RSC Profile and Distribution . . . . . . . . . . . . . . . . 3 2. RSC Profile and Distribution . . . . . . . . . . . . . . . . 3
2.1. RSC End-Entity Certificates . . . . . . . . . . . . . . . 4 2.1. RSC End-Entity Certificates . . . . . . . . . . . . . . . 4
3. The RSC ContentType . . . . . . . . . . . . . . . . . . . . . 4 3. The RSC ContentType . . . . . . . . . . . . . . . . . . . . . 4
4. The RSC eContent . . . . . . . . . . . . . . . . . . . . . . 4 4. The RSC eContent . . . . . . . . . . . . . . . . . . . . . . 4
4.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.2. resources . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. resources . . . . . . . . . . . . . . . . . . . . . . . . 5
4.3. digestAlgorithm . . . . . . . . . . . . . . . . . . . . . 5 4.2.1. ConstrainedASIdentifiers type . . . . . . . . . . . . 6
4.4. checkList . . . . . . . . . . . . . . . . . . . . . . . . 6 4.2.2. ConstrainedIPAddrBlocks type . . . . . . . . . . . . 6
5. RSC Validation . . . . . . . . . . . . . . . . . . . . . . . 6 4.3. digestAlgorithm . . . . . . . . . . . . . . . . . . . . . 7
6. Operational Considerations . . . . . . . . . . . . . . . . . 7 4.4. checkList . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. RSC Validation . . . . . . . . . . . . . . . . . . . . . . . 7
8. Implementation status . . . . . . . . . . . . . . . . . . . . 8 6. Operational Considerations . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8. Implementation status . . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
9.1. SMI Security for S/MIME CMS Content Type 9.1. SMI Security for S/MIME CMS Content Type
(1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . . 9 (1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . . 10
9.2. RPKI Signed Objects sub-registry . . . . . . . . . . . . 9 9.2. RPKI Signed Objects sub-registry . . . . . . . . . . . . 10
9.3. File Extension . . . . . . . . . . . . . . . . . . . . . 10 9.3. File Extension . . . . . . . . . . . . . . . . . . . . . 11
9.4. SMI Security for S/MIME Module Identifier 9.4. SMI Security for S/MIME Module Identifier
(1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . . 10 (1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . . 11
9.5. Media Type . . . . . . . . . . . . . . . . . . . . . . . 10 9.5. Media Type . . . . . . . . . . . . . . . . . . . . . . . 11
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . 12 10.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 13 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14
Appendix B. Document changelog . . . . . . . . . . . . . . . . . 13 Appendix B. Document changelog . . . . . . . . . . . . . . . . . 14
B.1. changes from -05 -> -06 . . . . . . . . . . . . . . . . . 13 B.1. changes from -06 -> -07 . . . . . . . . . . . . . . . . . 14
B.2. changes from -04 -> -05 . . . . . . . . . . . . . . . . . 13 B.2. changes from -05 -> -06 . . . . . . . . . . . . . . . . . 14
B.3. changes from -03 -> -04 . . . . . . . . . . . . . . . . . 13 B.3. changes from -04 -> -05 . . . . . . . . . . . . . . . . . 14
B.4. changes from -02 -> -03 . . . . . . . . . . . . . . . . . 14 B.4. changes from -03 -> -04 . . . . . . . . . . . . . . . . . 15
B.5. changes from -01 -> -02 . . . . . . . . . . . . . . . . . 14 B.5. changes from -02 -> -03 . . . . . . . . . . . . . . . . . 15
B.6. changes from -00 -> -01 . . . . . . . . . . . . . . . . . 14 B.6. changes from -01 -> -02 . . . . . . . . . . . . . . . . . 15
B.7. individual submission phase . . . . . . . . . . . . . . . 14 B.7. changes from -00 -> -01 . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 B.8. individual submission phase . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document defines a Cryptographic Message Syntax (CMS) [RFC5652] This document defines a Cryptographic Message Syntax (CMS) [RFC5652]
profile for a general purpose listing of checksums (a 'checklist'), profile for a general purpose listing of checksums (a 'checklist'),
for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. for use with the Resource Public Key Infrastructure (RPKI) [RFC6480].
The objective is to allow an attestation, in the form of a listing of The objective is to allow an attestation, in the form of a listing of
one or more checksums of arbitrary files, to be signed "with one or more checksums of arbitrary files, to be signed "with
resources", and for validation to provide a means to confirm a given resources", and for validation to provide a means to confirm a given
Internet Resource Holder produced the RPKI Signed Checklist (RSC). Internet Resource Holder produced the RPKI Signed Checklist (RSC).
skipping to change at page 4, line 27 skipping to change at page 4, line 27
This OID MUST appear both within the eContentType in the This OID MUST appear both within the eContentType in the
encapContentInfo object as well as the ContentType signed attribute encapContentInfo object as well as the ContentType signed attribute
in the signerInfo object (see [RFC6488]). in the signerInfo object (see [RFC6488]).
4. The RSC eContent 4. The RSC eContent
The content of an RSC indicates that a checklist for arbitrary The content of an RSC indicates that a checklist for arbitrary
digital objects has been signed "with resources". An RSC is formally digital objects has been signed "with resources". An RSC is formally
defined as: defined as:
RpkiSignedChecklist-2021 RpkiSignedChecklist-2022
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs9(9) smime(16) mod(0) TBD } pkcs(1) pkcs9(9) smime(16) mod(0) TBD }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CONTENT-TYPE, Digest, DigestAlgorithmIdentifier CONTENT-TYPE, Digest, DigestAlgorithmIdentifier
FROM CryptographicMessageSyntax-2010 -- in [RFC6268] FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
ASIdOrRange, IPAddressOrRange IPAddressOrRange, ASIdOrRange
FROM IPAddrAndASCertExtn -- in [RFC3779] FROM IPAddrAndASCertExtn -- in [RFC3779]
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) mod(0) security(5) mechanisms(5) pkix(7) mod(0)
id-mod-ip-addr-and-as-ident(30) } ; id-mod-ip-addr-and-as-ident(30) } ;
ct-rpkiSignedChecklist CONTENT-TYPE ::= ct-rpkiSignedChecklist CONTENT-TYPE ::=
{ TYPE RpkiSignedChecklist IDENTIFIED BY { TYPE RpkiSignedChecklist IDENTIFIED BY
id-ct-signedChecklist } id-ct-signedChecklist }
id-ct-signedChecklist OBJECT IDENTIFIER ::= id-ct-signedChecklist OBJECT IDENTIFIER ::=
skipping to change at page 5, line 16 skipping to change at page 5, line 16
version [0] INTEGER DEFAULT 0, version [0] INTEGER DEFAULT 0,
resources ResourceBlock, resources ResourceBlock,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
checkList SEQUENCE SIZE (1..MAX) OF FileNameAndHash } checkList SEQUENCE SIZE (1..MAX) OF FileNameAndHash }
FileNameAndHash ::= SEQUENCE { FileNameAndHash ::= SEQUENCE {
fileName IA5String OPTIONAL, fileName IA5String OPTIONAL,
hash Digest } hash Digest }
ResourceBlock ::= SEQUENCE { ResourceBlock ::= SEQUENCE {
asID [0] AsList OPTIONAL, asID [0] ConstrainedASIdentifiers OPTIONAL,
ipAddrBlocks [1] IPList OPTIONAL } ipAddrBlocks [1] ConstrainedIPAddrBlocks OPTIONAL }
-- at least one of asID or ipAddrBlocks MUST be present -- at least one of asID or ipAddrBlocks MUST be present
( WITH COMPONENTS { ..., asID PRESENT} | ( WITH COMPONENTS { ..., asID PRESENT} |
WITH COMPONENTS { ..., ipAddrBlocks PRESENT } ) WITH COMPONENTS { ..., ipAddrBlocks PRESENT } )
AsList ::= SEQUENCE (SIZE(1..MAX)) OF ASIdOrRange ConstrainedIPAddrBlocks ::= SEQUENCE (SIZE(1..MAX)) OF ConstrainedIPAddressFamily
IPList ::= SEQUENCE (SIZE(1..MAX)) OF IPAddressFamilyItem ConstrainedIPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI --
addressFamily OCTET STRING (SIZE (2)),
addressesOrRanges SEQUENCE (SIZE(1..MAX)) OF IPAddressOrRange }
IPAddressFamilyItem ::= SEQUENCE { -- AFI &amp; optional SAFI -- ConstrainedASIdentifiers ::= SEQUENCE {
addressFamily OCTET STRING (SIZE (2..3)), asnum [0] SEQUENCE (SIZE(1..MAX)) OF ASIdOrRange }
iPAddressOrRange IPAddressOrRange }
END END
4.1. version 4.1. version
The version number of the RpkiSignedChecklist MUST be 0. The version number of the RpkiSignedChecklist MUST be 0.
4.2. resources 4.2. resources
The resources contained here are the resources used to mark the The resources contained here are the resources used to mark the
attestation, and MUST match the set of resources listed by the EE attestation, and MUST be a subset of the set of resources listed by
Certificate carried in the CMS certificates field. the EE Certificate carried in the CMS certificates field.
If the asID field is present, it MUST contain an instance of
ConstrainedASIdentifiers.
If the ipAddrBlocks field is present, it MUST contain an instance of
ConstrainedIPAddrBlocks.
Each of ConstrainedASIdentifiers and ConstrainedIPAddrBlocks are
specified such that the resulting DER encoded data instances are
binary compatible with, respectively, ASIdentifiers and IPAddrBlocks
defined in [RFC3779].
4.2.1. ConstrainedASIdentifiers type
ConstrainedASIdentifiers is a SEQUENCE, constisting of a single field
"asnum", itself containing a SEQUENCE OF one or more ASIdOrRange
instances as defined in [RFC3779].
ConstrainedASIdentifiers is defined such that the resulting DER
encoded data are binary compatible with ASIdentifiers defined in
[RFC3779].
4.2.2. ConstrainedIPAddrBlocks type
ConstrainedIPAddrBlocks is a SEQUENCE OF one or more instances of
ConstrainedIPAddressFamily.
There MUST be only one instance of ConstrainedIPAddressFamily per
unique AFI.
The elements of ConstrainedIPAddressFamily MUST be ordered by
ascending addressFamily values (treating the octets as unsigned
numbers). Thus, when both IPv4 and IPv6 addresses are specified, the
IPv4 addresses MUST precede the IPv6 addresses (since the IPv4 AFI of
0001 is less than the IPv6 AFI of 0002).
ConstrainedIPAddrBlocks is defined such that the resulting DER
encoded data are binary compatible with IPAddrBlocks defined in
[RFC3779].
4.2.2.1. ConstrainedIPAddressFamily type
4.2.2.1.1. addressFamily field
The addressFamily field is an OCTET STRING containing a two-octet
Address Family Identifier (AFI), in network byte order. Unlike
IPAddrBlocks [RFC3779], a third octet containing a SAFI MUST NOT be
present. AFIs and SAFIs are specified in [IANA-AFI] and [IANA-SAFI],
respectively.
4.2.2.1.2. addressesOrRanges field
The addressesOrRanges element is a SEQUENCE OF (one or more)
IPAddressOrRange values, as defined in [RFC3779]. The rules for
canonicalization and encoding defined in section 2.2.3.6 [RFC3779]
apply of the value of addressesOrRanges.
4.3. digestAlgorithm 4.3. digestAlgorithm
The digest algorithm used to create the message digest of the The digest algorithm used to create the message digest of the
attested digital object. This algorithm MUST be a hashing algorithm attested digital object. This algorithm MUST be a hashing algorithm
defined in [RFC7935]. defined in [RFC7935].
4.4. checkList 4.4. checkList
This field is a sequence of FileNameAndHash objects. There is one This field is a sequence of FileNameAndHash objects. There is one
skipping to change at page 13, line 28 skipping to change at page 14, line 28
[rpkimancer] [rpkimancer]
Maddison, B., "rpkimancer", May 2021, Maddison, B., "rpkimancer", May 2021,
<https://github.com/benmaddison/rpkimancer>. <https://github.com/benmaddison/rpkimancer>.
[signify] Unangst, T. and M. Espie, "signify - cryptographically [signify] Unangst, T. and M. Espie, "signify - cryptographically
sign and verify files", May 2014, sign and verify files", May 2014,
<https://man.openbsd.org/signify>. <https://man.openbsd.org/signify>.
Appendix A. Acknowledgements Appendix A. Acknowledgements
The authors wish to thank George Michaelson, Tom Harrison, Geoff The authors wish to thank George Michaelson, Geoff Huston, Randy
Huston, Randy Bush, Stephen Kent, Matt Lepinski, Rob Austein, Ted Bush, Stephen Kent, Matt Lepinski, Rob Austein, Ted Unangst, and Marc
Unangst, and Marc Espie for prior art. The authors thank Russ Espie for prior art. The authors thank Russ Housley for reviewing
Housley for reviewing the ASN.1 notation and providing suggestions. the ASN.1 notation and providing suggestions. The authors would like
The authors would like to thank Nimrod Levy, Tim Bruijnzeels, Alberto to thank Nimrod Levy, Tim Bruijnzeels, Alberto Leiva, Ties de Kock,
Leiva, Ties de Kock, and Peter Peele for document review and Peter Peele, Claudio Jeker, and Theo Buehler for document review and
suggestions. suggestions.
Appendix B. Document changelog Appendix B. Document changelog
This section is to be removed before publishing as an RFC. This section is to be removed before publishing as an RFC.
B.1. changes from -05 -> -06 B.1. changes from -06 -> -07
* Change wire format to allow use of commonly deployed libcrypto
APIs.
B.2. changes from -05 -> -06
* Non-content-related updates. * Non-content-related updates.
B.2. changes from -04 -> -05 B.3. changes from -04 -> -05
* Ties contributed clarifications. * Ties contributed clarifications.
B.3. changes from -03 -> -04 B.4. changes from -03 -> -04
* Alberto pointed out the asID validation also needs to be * Alberto pointed out the asID validation also needs to be
documented. documented.
B.4. changes from -02 -> -03 B.5. changes from -02 -> -03
* Reference the IANA assigned OID * Reference the IANA assigned OID
* Clarify validation rules * Clarify validation rules
B.5. changes from -01 -> -02 B.6. changes from -01 -> -02
* Clarify RSC is part of a puzzle, not panacea. Thanks Randy & * Clarify RSC is part of a puzzle, not panacea. Thanks Randy &
Russ. Russ.
B.6. changes from -00 -> -01 B.7. changes from -00 -> -01
* Readability improvements * Readability improvements
* Update document category to match the registry allocation policy * Update document category to match the registry allocation policy
requirement. requirement.
B.7. individual submission phase B.8. individual submission phase
* On-the-wire change: the 'Filename' switched from 'required' to * On-the-wire change: the 'Filename' switched from 'required' to
'optional'. Some SIDROPS Working Group participants proposed a 'optional'. Some SIDROPS Working Group participants proposed a
checksum itself is the most minimal information required to checksum itself is the most minimal information required to
address digital objects. address digital objects.
Authors' Addresses Authors' Addresses
Job Snijders Job Snijders
Fastly Fastly
 End of changes. 22 change blocks. 
58 lines changed or deleted 123 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/