draft-ietf-sidr-cps-irs-00.txt   draft-ietf-sidr-cps-irs-01.txt 
Secure Inter-Domain Routing (sidr) Kent, S. Secure Inter-Domain Routing (sidr) Kong, D.
Internet Draft Kong, D. Internet Draft Seo, K.
Expires: April 13, 2007 Seo, K. Expires: August 2007 Kent, S.
BBN Technologies Intended Status: Informational BBN Technologies
October 13, 2006 February 2007
Template for an Template for an
Internet Registry's Certification Practice Statement (CPS) Internet Registry's Certification Practice Statement (CPS)
for the Internet IP Address and AS Number (PKI) for the Internet IP Address and AS Number (PKI)
draft-ietf-sidr-cps-irs-00.txt draft-ietf-sidr-cps-irs-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that By submitting this Internet-Draft, each author represents that
any applicable patent or other IPR claims of which he or she is any applicable patent or other IPR claims of which he or she is
aware have been or will be disclosed, and any of which he or she aware have been or will be disclosed, and any of which he or she
becomes aware will be disclosed, in accordance with Section 6 of becomes aware will be disclosed, in accordance with Section 6 of
BCP 79. BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 13, 2006. This Internet-Draft will expire on July 31, 2007.
Abstract Abstract
This document contains a template to be used for creating a This document contains a template to be used for creating a
Certification Practice Statement (CPS) for an Internet Registry Certification Practice Statement (CPS) for an Internet Registry
(e.g., NIR or RIR) that is part of the Internet IP Address and AS (e.g., NIR or RIR) that is part of the Internet IP Address and
Number Public Key Infrastructure (PKI). Autonomous System (AS) Number Public Key Infrastructure (PKI).
Conventions used in this document Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119]. document are to be interpreted as described in RFC-2119 [RFC2119].
Table of Contents Table of Contents
Preface...........................................................8 Preface...........................................................8
skipping to change at page 2, line 27 skipping to change at page 2, line 25
1.1. Overview.................................................10 1.1. Overview.................................................10
1.2. Document name and identification.........................11 1.2. Document name and identification.........................11
1.3. PKI participants.........................................11 1.3. PKI participants.........................................11
1.3.1. Certification authorities...........................11 1.3.1. Certification authorities...........................11
1.3.2. Registration authorities............................11 1.3.2. Registration authorities............................11
1.3.3. Subscribers.........................................11 1.3.3. Subscribers.........................................11
1.3.4. Relying parties.....................................12 1.3.4. Relying parties.....................................12
1.3.5. Other participants..................................12 1.3.5. Other participants..................................12
1.4. Certificate usage........................................12 1.4. Certificate usage........................................12
1.4.1. Appropriate certificate uses........................12 1.4.1. Appropriate certificate uses........................12
1.4.2. Prohibited certificate uses.........................12 1.4.2. Prohibited certificate uses.........................13
1.5. Policy administration....................................12 1.5. Policy administration....................................13
1.5.1. Organization administering the document.............12 1.5.1. Organization administering the document.............13
1.5.2. Contact person......................................12 1.5.2. Contact person......................................13
1.5.3. Person determining CPS suitability for the policy...13 1.5.3. Person determining CPS suitability for the policy...13
1.5.4. CPS approval procedures.............................13 1.5.4. CPS approval procedures.............................13
1.6. Definitions and acronyms.................................13 1.6. Definitions and acronyms.................................13
2. Publication And Repository Responsibilities...................14 2. Publication And Repository Responsibilities...................15
2.1. Repositories.............................................14 2.1. Repositories.............................................15
2.2. Publication of certification information.................14 2.2. Publication of certification information.................15
2.3. Time or Frequency of Publication.........................14 2.3. Time or Frequency of Publication.........................15
2.4. Access controls on repositories..........................14 2.4. Access controls on repositories..........................15
3. Identification And Authentication.............................15 3. Identification And Authentication.............................16
3.1. Naming...................................................15 3.1. Naming...................................................16
3.1.1. Types of names......................................15 3.1.1. Types of names......................................16
3.1.2. Need for names to be meaningful.....................15 3.1.2. Need for names to be meaningful.....................16
3.1.3. Anonymity or pseudonymity of subscribers............15 3.1.3. Anonymity or pseudonymity of subscribers............16
3.1.4. Rules for interpreting various name forms...........15 3.1.4. Rules for interpreting various name forms...........16
3.1.5. Uniqueness of names.................................15 3.1.5. Uniqueness of names.................................16
3.1.6. Recognition, authentication, and role of trademarks.16 3.1.6. Recognition, authentication, and role of trademarks.17
3.2. Initial identity validation..............................16 3.2. Initial identity validation..............................17
3.2.1. Method to prove possession of private key...........16 3.2.1. Method to prove possession of private key...........17
3.2.2. Authentication of organization identity.............16 3.2.2. Authentication of organization identity.............17
3.2.3. Authentication of individual identity...............16 3.2.3. Authentication of individual identity...............17
3.2.4. Non-verified subscriber information.................17 3.2.4. Non-verified subscriber information.................18
3.2.5. Validation of authority.............................17 3.2.5. Validation of authority.............................18
3.2.6. Criteria for interoperation.........................17 3.2.6. Criteria for interoperation.........................18
3.3. Identification and authentication for re-key requests....17 3.3. Identification and authentication for re-key requests....18
3.3.1. Identification and authentication for routine re-key17 3.3.1. Identification and authentication for routine re-key18
3.3.2. Identification and authentication for re-key after 3.3.2. Identification and authentication for re-key after
revocation.................................................17 revocation.................................................18
3.4. Identification and authentication for revocation request.18 3.4. Identification and authentication for revocation request.19
4. Certificate Life-Cycle Operational Requirements...............19 4. Certificate Life-Cycle Operational Requirements...............20
4.1. Certificate Application..................................19 4.1. Certificate Application..................................20
4.1.1. Who can submit a certificate application............19 4.1.1. Who can submit a certificate application............20
4.1.2. Enrollment process and responsibilities.............19 4.1.2. Enrollment process and responsibilities.............20
4.2. Certificate application processing.......................19 4.2. Certificate application processing.......................20
4.2.1. Performing identification and authentication functions 4.2.1. Performing identification and authentication functions
...........................................................19 ...........................................................20
4.2.2. Approval or rejection of certificate applications...20 4.2.2. Approval or rejection of certificate applications...20
4.2.3. Time to process certificate applications............20 4.2.3. Time to process certificate applications............21
4.3. Certificate issuance.....................................20 4.3. Certificate issuance.....................................21
4.3.1. CA actions during certificate issuance..............20 4.3.1. CA actions during certificate issuance..............21
4.3.2. Notification to subscriber by the CA of issuance of 4.3.2. Notification to subscriber by the CA of issuance of
certificate................................................20 certificate................................................21
4.4. Certificate acceptance...................................21 4.4. Certificate acceptance...................................22
4.4.1. Conduct constituting certificate acceptance.........21 4.4.1. Conduct constituting certificate acceptance.........22
4.4.2. Publication of the certificate by the CA............21 4.4.2. Publication of the certificate by the CA............22
4.5. Key pair and certificate usage...........................21 4.5. Key pair and certificate usage...........................22
4.5.1. Subscriber private key and certificate usage........21 4.5.1. Subscriber private key and certificate usage........22
4.5.2. Relying party public key and certificate usage......21 4.5.2. Relying party public key and certificate usage......22
4.6. Certificate renewal......................................22 4.6. Certificate renewal......................................23
4.6.1. Circumstance for certificate renewal................22 4.6.1. Circumstance for certificate renewal................23
4.6.2. Who may request renewal.............................22 4.6.2. Who may request renewal.............................23
4.6.3. Processing certificate renewal requests.............22 4.6.3. Processing certificate renewal requests.............23
4.6.4. Notification of new certificate issuance to subscriber 4.6.4. Notification of new certificate issuance to subscriber
...........................................................22 ...........................................................23
4.6.5. Conduct constituting acceptance of a renewal 4.6.5. Conduct constituting acceptance of a renewal
certificate................................................23 certificate................................................23
4.6.6. Publication of the renewal certificate by the CA....23 4.6.6. Publication of the renewal certificate by the CA....24
4.6.7. Notification of certificate issuance by the CA to other 4.6.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................23 entities [OMITTED].........................................24
4.7. Certificate re-key.......................................23 4.7. Certificate re-key.......................................24
4.7.1. Circumstance for certificate re-key.................23 4.7.1. Circumstance for certificate re-key.................24
4.7.2. Who may request certification of a new public key...23 4.7.2. Who may request certification of a new public key...24
4.7.3. Processing certificate re-keying requests...........24 4.7.3. Processing certificate re-keying requests...........25
4.7.4. Notification of new certificate issuance to subscriber 4.7.4. Notification of new certificate issuance to subscriber
...........................................................24 ...........................................................25
4.7.5. Conduct constituting acceptance of a re-keyed 4.7.5. Conduct constituting acceptance of a re-keyed
certificate................................................24 certificate................................................25
4.7.6. Publication of the re-keyed certificate by the CA...24 4.7.6. Publication of the re-keyed certificate by the CA...25
4.7.7. Notification of certificate issuance by the CA to other 4.7.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................24 entities [OMITTED].........................................25
4.8. Certificate modification.................................24 4.8. Certificate modification.................................25
4.8.1. Circumstance for certificate modification...........24 4.8.1. Circumstance for certificate modification...........25
4.8.2. Who may request certificate modification............25 4.8.2. Who may request certificate modification............26
4.8.3. Processing certificate modification requests........25 4.8.3. Processing certificate modification requests........26
4.8.4. Notification of modified certificate issuance to 4.8.4. Notification of modified certificate issuance to
subscriber.................................................25 subscriber.................................................26
4.8.5. Conduct constituting acceptance of modified certificate 4.8.5. Conduct constituting acceptance of modified certificate
...........................................................25 ...........................................................26
4.8.6. Publication of the modified certificate by the CA...25 4.8.6. Publication of the modified certificate by the CA...26
4.8.7. Notification of certificate issuance by the CA to other 4.8.7. Notification of certificate issuance by the CA to other
entities [OMITTED].........................................25 entities [OMITTED].........................................26
4.9. Certificate revocation and suspension....................25 4.9. Certificate revocation and suspension....................27
4.9.1. Circumstances for revocation........................25 4.9.1. Circumstances for revocation........................27
4.9.2. Who can request revocation..........................26 4.9.2. Who can request revocation..........................27
4.9.3. Procedure for revocation request....................26 4.9.3. Procedure for revocation request....................27
4.9.4. Revocation request grace period.....................26 4.9.4. Revocation request grace period.....................27
4.9.5. Time within which CA must process the revocation 4.9.5. Time within which CA must process the revocation
request....................................................26 request....................................................27
4.9.6. Revocation checking requirement for relying parties.26 4.9.6. Revocation checking requirement for relying parties.27
4.9.7. CRL issuance frequency..............................26 4.9.7. CRL issuance frequency..............................28
4.9.8. Maximum latency for CRLs............................27 4.9.8. Maximum latency for CRLs............................28
4.9.9. On-line revocation/status checking availability 4.9.9. On-line revocation/status checking availability
[OMITTED]..................................................27 [OMITTED]..................................................28
4.9.10. On-line revocation checking requirements [OMITTED].27 4.9.10. On-line revocation checking requirements [OMITTED].28
4.9.11. Other forms of revocation advertisements available 4.9.11. Other forms of revocation advertisements available
[OMITTED]..................................................27 [OMITTED]..................................................28
4.9.12. Special requirements re key compromise [OMITTED]...27 4.9.12. Special requirements re key compromise [OMITTED]...28
4.9.13. Circumstances for suspension [OMITTED].............27 4.9.13. Circumstances for suspension [OMITTED].............28
4.9.14. Who can request suspension [OMITTED]...............27 4.9.14. Who can request suspension [OMITTED]...............28
4.9.15. Procedure for suspension request [OMITTED].........27 4.9.15. Procedure for suspension request [OMITTED].........28
4.9.16. Limits on suspension period [OMITTED]..............27 4.9.16. Limits on suspension period [OMITTED]..............28
4.10. Certificate status services.............................27 4.10. Certificate status services.............................28
4.10.1. Operational characteristics [OMITTED]..............27 4.10.1. Operational characteristics [OMITTED]..............29
4.10.2. Service availability [OMITTED].....................27 4.10.2. Service availability [OMITTED].....................29
4.10.3. Optional features [OMITTED]........................27 4.10.3. Optional features [OMITTED]........................29
4.11. End of subscription [OMITTED]...........................27 4.11. End of subscription [OMITTED]...........................29
4.12. Key escrow and recovery [OMITTED].......................27 4.12. Key escrow and recovery [OMITTED].......................29
4.12.1. Key escrow and recovery policy and practices [OMITTED] 4.12.1. Key escrow and recovery policy and practices [OMITTED]
...........................................................27 ...........................................................29
4.12.2. Session key encapsulation and recovery policy and 4.12.2. Session key encapsulation and recovery policy and
practices [OMITTED]........................................27 practices [OMITTED]........................................29
5. Facility, Management, And Operational Controls................28 5. Facility, Management, And Operational Controls................30
5.1. Physical controls........................................28 5.1. Physical controls........................................30
5.1.1. Site location and construction......................28 5.1.1. Site location and construction......................30
5.1.2. Physical access.....................................28 5.1.2. Physical access.....................................30
5.1.3. Power and air conditioning..........................28 5.1.3. Power and air conditioning..........................30
5.1.4. Water exposures.....................................28 5.1.4. Water exposures.....................................30
5.1.5. Fire prevention and protection......................28 5.1.5. Fire prevention and protection......................30
5.1.6. Media storage.......................................28 5.1.6. Media storage.......................................30
5.1.7. Waste disposal......................................28 5.1.7. Waste disposal......................................30
5.1.8. Off-site backup.....................................28 5.1.8. Off-site backup.....................................30
5.2. Procedural controls......................................28 5.2. Procedural controls......................................30
5.2.1. Trusted roles.......................................28 5.2.1. Trusted roles.......................................30
5.2.2. Number of persons required per task.................28 5.2.2. Number of persons required per task.................30
5.2.3. Identification and authentication for each role.....28 5.2.3. Identification and authentication for each role.....30
5.2.4. Roles requiring separation of duties................28 5.2.4. Roles requiring separation of duties................30
5.3. Personnel controls.......................................28 5.3. Personnel controls.......................................30
5.3.1. Qualifications, experience, and clearance requirements 5.3.1. Qualifications, experience, and clearance requirements
...........................................................29 ...........................................................31
5.3.2. Background check procedures.........................29 5.3.2. Background check procedures.........................31
5.3.3. Training requirements...............................29 5.3.3. Training requirements...............................31
5.3.4. Retraining frequency and requirements...............29 5.3.4. Retraining frequency and requirements...............31
5.3.5. Job rotation frequency and sequence.................29 5.3.5. Job rotation frequency and sequence.................31
5.3.6. Sanctions for unauthorized actions..................29 5.3.6. Sanctions for unauthorized actions..................31
5.3.7. Independent contractor requirements.................29 5.3.7. Independent contractor requirements.................31
5.3.8. Documentation supplied to personnel.................29 5.3.8. Documentation supplied to personnel.................31
5.4. Audit logging procedures.................................29 5.4. Audit logging procedures.................................31
5.4.1. Types of events recorded............................29 5.4.1. Types of events recorded............................31
5.4.2. Frequency of processing log.........................29 5.4.2. Frequency of processing log.........................31
5.4.3. Retention period for audit log......................29 5.4.3. Retention period for audit log......................31
5.4.4. Protection of audit log.............................30 5.4.4. Protection of audit log.............................32
5.4.5. Audit log backup procedures.........................30 5.4.5. Audit log backup procedures.........................32
5.4.6. Audit collection system (internal vs. external) 5.4.6. Audit collection system (internal vs. external)
[OMITTED]..................................................30 [OMITTED]..................................................32
5.4.7. Notification to event-causing subject [OMITTED].....30 5.4.7. Notification to event-causing subject [OMITTED].....32
5.4.8. Vulnerability assessments...........................30 5.4.8. Vulnerability assessments...........................32
5.5. Records archival [OMITTED]...............................30 5.5. Records archival [OMITTED]...............................32
5.5.1. Types of records archived [OMITTED].................30 5.5.1. Types of records archived [OMITTED].................32
5.5.2. Retention period for archive [OMITTED]..............30 5.5.2. Retention period for archive [OMITTED]..............32
5.5.3. Protection of archive [OMITTED].....................30 5.5.3. Protection of archive [OMITTED].....................32
5.5.4. Archive backup procedures [OMITTED].................30 5.5.4. Archive backup procedures [OMITTED].................32
5.5.5. Requirements for time-stamping of records [OMITTED].30 5.5.5. Requirements for time-stamping of records [OMITTED].32
5.5.6. Archive collection system (internal or external) 5.5.6. Archive collection system (internal or external)
[OMITTED]..................................................30 [OMITTED]..................................................32
5.5.7. Procedures to obtain and verify archive information 5.5.7. Procedures to obtain and verify archive information
[OMITTED]..................................................30 [OMITTED]..................................................32
5.6. Key changeover...........................................30 5.6. Key changeover...........................................32
5.7. Compromise and disaster recovery [OMITTED]...............31 5.7. Compromise and disaster recovery [OMITTED]...............33
5.7.1. Incident and compromise handling procedures [OMITTED]31 5.7.1. Incident and compromise handling procedures [OMITTED]33
5.7.2. Computing resources, software, and/or data are 5.7.2. Computing resources, software, and/or data are
corrupted [OMITTED]........................................31 corrupted [OMITTED]........................................33
5.7.3. Entity private key compromise procedures [OMITTED]..31 5.7.3. Entity private key compromise procedures [OMITTED]..33
5.7.4. Business continuity capabilities after a disaster 5.7.4. Business continuity capabilities after a disaster
[OMITTED]..................................................31 [OMITTED]..................................................33
5.8. CA or RA termination.....................................31 5.8. CA or RA termination.....................................33
6. Technical Security Controls...................................32 6. Technical Security Controls...................................34
6.1. Key pair generation and installation.....................32 6.1. Key pair generation and installation.....................34
6.1.1. Key pair generation.................................32 6.1.1. Key pair generation.................................34
6.1.2. Private key delivery to subscriber..................32 6.1.2. Private key delivery to subscriber..................34
6.1.3. Public key delivery to certificate issuer...........32 6.1.3. Public key delivery to certificate issuer...........34
6.1.4. CA public key delivery to relying parties...........32 6.1.4. CA public key delivery to relying parties...........34
6.1.5. Key sizes...........................................33 6.1.5. Key sizes...........................................35
6.1.6. Public key parameters generation and quality checking33 6.1.6. Public key parameters generation and quality checking35
6.1.7. Key usage purposes (as per X.509 v3 key usage field)33 6.1.7. Key usage purposes (as per X.509 v3 key usage field)35
6.2. Private Key Protection and Cryptographic Module Engineering 6.2. Private Key Protection and Cryptographic Module Engineering
Controls......................................................33 Controls......................................................35
6.2.1. Cryptographic module standards and controls.........33 6.2.1. Cryptographic module standards and controls.........35
6.2.2. Private key (n out of m) multi-person control.......33 6.2.2. Private key (n out of m) multi-person control.......35
6.2.3. Private key escrow..................................34 6.2.3. Private key escrow..................................35
6.2.4. Private key backup..................................34 6.2.4. Private key backup..................................36
6.2.5. Private key archival................................34 6.2.5. Private key archival................................36
6.2.6. Private key transfer into or from a cryptographic 6.2.6. Private key transfer into or from a cryptographic
module.....................................................34 module.....................................................36
6.2.7. Private key storage on cryptographic module.........34 6.2.7. Private key storage on cryptographic module.........36
6.2.8. Method of activating private key....................34 6.2.8. Method of activating private key....................36
6.2.9. Method of deactivating private key..................34 6.2.9. Method of deactivating private key..................36
6.2.10. Method of destroying private key...................34 6.2.10. Method of destroying private key...................36
6.2.11. Cryptographic Module Rating........................35 6.2.11. Cryptographic Module Rating........................36
6.3. Other aspects of key pair management.....................35 6.3. Other aspects of key pair management.....................37
6.3.1. Public key archival.................................35 6.3.1. Public key archival.................................37
6.3.2. Certificate operational periods and key pair usage 6.3.2. Certificate operational periods and key pair usage
periods....................................................35 periods....................................................37
6.4. Activation data..........................................35 6.4. Activation data..........................................37
6.4.1. Activation data generation and installation.........35 6.4.1. Activation data generation and installation.........37
6.4.2. Activation data protection..........................35 6.4.2. Activation data protection..........................37
6.4.3. Other aspects of activation data....................35 6.4.3. Other aspects of activation data....................37
6.5. Computer security controls...............................35 6.5. Computer security controls...............................37
6.5.1. Specific computer security technical requirement....35 6.5.1. Specific computer security technical requirement....37
6.5.2. Computer security rating [OMITTED]..................36 6.5.2. Computer security rating [OMITTED]..................38
6.6. Life cycle technical controls............................36 6.6. Life cycle technical controls............................38
6.6.1. System development controls.........................36 6.6.1. System development controls.........................38
6.6.2. Security management controls........................36 6.6.2. Security management controls........................38
6.6.3. Life cycle security controls........................36 6.6.3. Life cycle security controls........................38
6.7. Network security controls................................36 6.7. Network security controls................................38
6.8. Time-stamping............................................36 6.8. Time-stamping............................................38
7. Certificate and CRL Profiles..................................37 7. Certificate and CRL Profiles..................................39
7.1. Certificate profile [OMITTED]............................38 Please refer to the Certificate and CRL Profile [draft-ietf-sidr-
7.1.1. Version number(s) [OMITTED].........................38 res-certs-01].................................................39
7.1.2. Certificate extensions [OMITTED]....................38 7.1. Certificate profile [OMITTED]............................39
7.1.3. Algorithm object identifiers [OMITTED]..............38 7.1.1. Version number(s) [OMITTED].........................39
7.1.4. Name forms [OMITTED]................................38 7.1.2. Certificate extensions [OMITTED]....................39
7.1.5. Name constraints [OMITTED]..........................38 7.1.3. Algorithm object identifiers [OMITTED]..............39
7.1.6. Certificate policy object identifier [OMITTED]......38 7.1.4. Name forms [OMITTED]................................39
7.1.7. Usage of Policy Constraints extension [OMITTED].....38 7.1.5. Name constraints [OMITTED]..........................39
7.1.8. Policy qualifiers syntax and semantics [OMITTED]....38 7.1.6. Certificate policy object identifier [OMITTED]......39
7.1.7. Usage of Policy Constraints extension [OMITTED].....39
7.1.8. Policy qualifiers syntax and semantics [OMITTED]....39
7.1.9. Processing semantics for the critical Certificate 7.1.9. Processing semantics for the critical Certificate
Policies extension [OMITTED]...............................38 Policies extension [OMITTED]...............................39
7.2. CRL profile [OMITTED]....................................38 7.2. CRL profile [OMITTED]....................................39
7.2.1. Version number(s) [OMITTED].........................38 7.2.1. Version number(s) [OMITTED].........................39
7.2.2. CRL and CRL entry extensions [OMITTED]..............38 7.2.2. CRL and CRL entry extensions [OMITTED]..............39
7.3. OCSP profile [OMITTED]...................................38 7.3. OCSP profile [OMITTED]...................................39
7.3.1. Version number(s) [OMITTED].........................38 7.3.1. Version number(s) [OMITTED].........................39
7.3.2. OCSP extensions [OMITTED]...........................38 7.3.2. OCSP extensions [OMITTED]...........................40
8. Compliance Audit and Other Assessments........................39 8. Compliance Audit and Other Assessments........................41
8.1. Frequency or circumstances of assessment.................39 8.1. Frequency or circumstances of assessment.................41
8.2. Identity/qualifications of assessor......................39 8.2. Identity/qualifications of assessor......................41
8.3. Assessor's relationship to assessed entity...............39 8.3. Assessor's relationship to assessed entity...............41
8.4. Topics covered by assessment.............................39 8.4. Topics covered by assessment.............................41
8.5. Actions taken as a result of deficiency..................39 8.5. Actions taken as a result of deficiency..................41
8.6. Communication of results.................................39 8.6. Communication of results.................................41
9. Other Business And Legal Matters..............................40 9. Other Business And Legal Matters..............................42
9.1. Fees.....................................................40 9.1. Fees.....................................................42
9.1.1. Certificate issuance or renewal fees................40 9.1.1. Certificate issuance or renewal fees................42
9.1.2. Fees for other services (if applicable).............40 9.1.2. Fees for other services (if applicable).............42
9.1.3. Refund policy.......................................40 9.1.3. Refund policy.......................................42
9.2. Financial responsibility.................................40 9.2. Financial responsibility.................................42
9.2.1. Insurance coverage..................................40 9.2.1. Insurance coverage..................................42
9.2.2. Other assets........................................40 9.2.2. Other assets........................................42
9.2.3. Insurance or warranty coverage for end-entities.....40 9.2.3. Insurance or warranty coverage for end-entities.....42
9.3. Confidentiality of business information..................40 9.3. Confidentiality of business information..................42
9.3.1. Scope of confidential information...................40 9.3.1. Scope of confidential information...................42
9.3.2. Information not within the scope of confidential 9.3.2. Information not within the scope of confidential
information................................................40 information................................................42
9.3.3. Responsibility to protect confidential information..40 9.3.3. Responsibility to protect confidential information..42
9.4. Privacy of personal information..........................40 9.4. Privacy of personal information..........................42
9.4.1. Privacy plan........................................40 9.4.1. Privacy plan........................................42
9.4.2. Information treated as private......................40 9.4.2. Information treated as private......................42
9.4.3. Information not deemed private......................40 9.4.3. Information not deemed private......................42
9.4.4. Responsibility to protect private information.......40 9.4.4. Responsibility to protect private information.......42
9.4.5. Notice and consent to use private information.......40 9.4.5. Notice and consent to use private information.......42
9.4.6. Disclosure pursuant to judicial or administrative 9.4.6. Disclosure pursuant to judicial or administrative
process....................................................41 process....................................................43
9.4.7. Other information disclosure circumstances..........41 9.4.7. Other information disclosure circumstances..........43
9.5. Intellectual property rights (if applicable).............41 9.5. Intellectual property rights (if applicable).............43
9.6. Representations and warranties...........................41 9.6. Representations and warranties...........................43
9.6.1. CA representations and warranties...................41 9.6.1. CA representations and warranties...................43
9.6.2. Subscriber representations and warranties...........41 9.6.2. Subscriber representations and warranties...........43
9.6.3. Relying party representations and warranties........41 9.6.3. Relying party representations and warranties........43
9.6.4. Representations and warranties of other participants 9.6.4. Representations and warranties of other participants
[OMITTED]..................................................41 [OMITTED]..................................................43
9.7. Disclaimers of warranties................................41 9.7. Disclaimers of warranties................................43
9.8. Limitations of liability.................................41 9.8. Limitations of liability.................................43
9.9. Indemnities..............................................41 9.9. Indemnities..............................................43
9.10. Term and termination....................................41 9.10. Term and termination....................................43
9.10.1. Term...............................................41 9.10.1. Term...............................................43
9.10.2. Termination........................................41 9.10.2. Termination........................................43
9.10.3. Effect of termination and survival.................41 9.10.3. Effect of termination and survival.................43
9.11. Individual notices and communications with participants.41 9.11. Individual notices and communications with participants.43
9.12. Amendments..............................................41 9.12. Amendments..............................................43
9.12.1. Procedure for amendment............................41 9.12.1. Procedure for amendment............................43
9.12.2. Notification mechanism and period..................41 9.12.2. Notification mechanism and period..................43
9.12.3. Circumstances under which OID must be changed 9.12.3. Circumstances under which OID must be changed
[OMITTED]..................................................41 [OMITTED]..................................................43
9.13. Dispute resolution provisions...........................41 9.13. Dispute resolution provisions...........................43
9.14. Governing law...........................................41 9.14. Governing law...........................................43
9.15. Compliance with applicable law..........................41 9.15. Compliance with applicable law..........................43
9.16. Miscellaneous provisions................................41 9.16. Miscellaneous provisions................................43
9.16.1. Entire agreement...................................42 9.16.1. Entire agreement...................................44
9.16.2. Assignment.........................................42 9.16.2. Assignment.........................................44
9.16.3. Severability.......................................42 9.16.3. Severability.......................................44
9.16.4. Enforcement (attorneys' fees and waiver of rights).42 9.16.4. Enforcement (attorneys' fees and waiver of rights).44
9.16.5. Force Majeure......................................42 9.16.5. Force Majeure......................................44
9.17. Other provisions [OMITTED]..............................42 9.17. Other provisions [OMITTED]..............................44
10. Security Considerations......................................43 10. Security Considerations......................................45
11. IANA Considerations..........................................43 11. IANA Considerations..........................................45
12. Acknowledgments..............................................43 12. Acknowledgments..............................................45
13. References...................................................43 13. References...................................................45
13.1. Normative References....................................43 13.1. Normative References....................................45
13.2. Informative References..................................44 13.2. Informative References..................................46
Author's Addresses...............................................44 Author's Addresses...............................................46
Intellectual Property Statement..................................45 Intellectual Property Statement..................................47
Disclaimer of Validity...........................................45 Disclaimer of Validity...........................................47
Copyright Statement..............................................45 Copyright Statement..............................................47
Preface Preface
This document contains a template to be used for creating a This document contains a template to be used for creating a
Certification Practice Statement (CPS) for an Internet Registry Certification Practice Statement (CPS) for an Internet Registry
(e.g., an NIR or RIR) that is part of the Internet IP Address and AS (e.g., an NIR or RIR) that is part of the Internet IP Address and
Number Public Key Infrastructure (PKI). The user of this document Autonomous System (AS) Number Public Key Infrastructure (PKI). The
should user of this document should
1. substitute a title page for page 1 saying, e.g., "<Name of 1. substitute a title page for page 1 saying, e.g., "<Name of
Registry> Certification Practice Statement for the Internet IP Registry> Certification Practice Statement for the Internet IP
Address and AS Number Public Key Infrastructure (PKI)" with Address and AS Number Public Key Infrastructure (PKI)" with
date, author, etc. date, author, etc.
2. delete this Preface 2. delete this Preface
3. fill in the information indicated below by <text in angle 3. fill in the information indicated below by <text in angle
brackets> brackets>
4. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's 4. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's
Addresses, Intellectual Property Statement, Disclaimer of Addresses, Intellectual Property Statement, Disclaimer of
Validity, Copyright Statement, Acknowledgments; leaving a Validity, Copyright Statement, Acknowledgments; leaving a
reference section with just the references in 13.2 reference section with just the references in 13.2
5. update the table of contents to reflect the deletions and 5. update the table of contents to reflect the deletions and
additions above. additions above.
skipping to change at page 9, line 18 skipping to change at page 9, line 15
brackets> brackets>
4. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's 4. delete sections 10, 11, 12, 13.1, Acknowledgments, Author's
Addresses, Intellectual Property Statement, Disclaimer of Addresses, Intellectual Property Statement, Disclaimer of
Validity, Copyright Statement, Acknowledgments; leaving a Validity, Copyright Statement, Acknowledgments; leaving a
reference section with just the references in 13.2 reference section with just the references in 13.2
5. update the table of contents to reflect the deletions and 5. update the table of contents to reflect the deletions and
additions above. additions above.
Note: This template is based on the one specified in RFC 3647. A Note: This CPS is based on the template specified in RFC 3647. A
number of sections contained in the template specified in RFC 3647 number of sections contained in the template were omitted from this
were omitted from this template because they did not apply to this CPS because they did not apply to this PKI. However, we have
PKI. However, in order to maintain the section numbering scheme retained section heading "place holders" for these omitted sections,
intact, the relevant section headings are included and marked in order to facilitate comparison with the section numbering scheme
[OMITTED]. In the Table of Contents the relevant sections are also employed in that RFC, i.e., the relevant section headings are
marked [OMITTED]. There is a note to this effect in the included and marked [OMITTED]. In the Table of Contents the relevant
Introduction below. This information should be left in the CPS as sections are also marked [OMITTED]. There is a note to this effect
an explanation to the user. in the Introduction below. This information should be left in the
CPS as an explanation to the user.
1. Introduction 1. Introduction
This document is the Certification Practice Statement (CPS) of <Name This document is the Certification Practice Statement (CPS) of <Name
of Registry>. It describes the practices employed by the <Name of of Registry>. It describes the practices employed by the <Name of
Registry> Certification Authority (CA) in the Internet IP Address Registry> Certification Authority (CA) in the Internet IP Address
and AS Number PKI. These practices are defined in accordance with and Autonomous System (AS) Number PKI. These practices are defined
the requirements of the Certificate Policy (CP, [RFCxxxx]) of this in accordance with the requirements of the Certificate Policy (CP,
PKI. [RFCxxxx]) of this PKI.
The Internet IP Address and AS Number PKI is aimed at supporting The Internet IP Address and AS Number PKI is aimed at supporting
verifiable attestations about resource controls, e.g., for improved verifiable attestations about resource controls, e.g., for improved
routing security. The goal is that each entity that allocates IP routing security. The goal is that each entity that allocates IP
addresses or AS numbers to an entity will, in parallel, issue a addresses or AS numbers to an entity will, in parallel, issue a
certificate reflecting this allocation. These certificates will certificate reflecting this allocation. These certificates will
enable verification that the holder of the associated private key enable verification that the holder of the associated private key
has been allocated the resources indicated in the certificate, and has been allocated the resources indicated in the certificate, and
is the current, unique holder of these resources. The certificates is the current, unique holder of these resources. The certificates
and CRLs, in conjunction with ancillary digitally signed data and CRLs, in conjunction with ancillary digitally signed data
structures, will provide critical inputs for routing security structures, will provide critical inputs for routing security
mechanisms, e.g., generation of route filters by ISPs. mechanisms, e.g., generation of route filters by ISPs.
The most important and distinguishing aspect of the PKI for which The most important and distinguishing aspect of the PKI for which
this CPS was created is that it does not purport to identify an this CPS was created is that it does not purport to identify an
address space holder or AS number holder via the subject name address space holder or AS number holder via the subject name
contained in the certificate issued to that entity. Rather, each contained in the certificate issued to that entity. Rather, each
certificate issued under this policy is intended to enable an entity certificate issued under this policy is intended to enable an entity
to assert in a verifiable fashion, that it is the current holder of to assert in a verifiable fashion, that it is the current holder of
an address block or an AS number, based on the current records of an address block or an AS number, based on the current records of
the CA responsible for the resources in question. Verification of the entity responsible for the resources in question. Verification
the assertion is based on the ability of the entity to digitally of the assertion is based on two criteria: the ability of the entity
sign data producing a signature that is verifiable using the public to digitally sign data producing a signature that is verifiable
key contained in the corresponding certificate, and validation of using the public key contained in the corresponding certificate, and
that certificate in the context of this PKI. This PKI is designed validation of that certificate in the context of this PKI. This PKI
exclusively for use in support of validation of claims related to is designed exclusively for use in support of validation of claims
address space and AS number holdings, with emphasis on support of related to address space and AS number holdings, with emphasis on
routing security mechanisms. Use of the certificates and CRLs support of routing security mechanisms. Use of the certificates and
managed under this PKI for any other purpose is a violation of this CRLs managed under this PKI for any other purpose is a violation of
PKI's CP, and relying parties should reject such uses. this PKI's CP, and relying parties should reject such uses.
Note: This CPS is based on the template specified in RFC 3647. A Note: This CPS is based on the template specified in RFC 3647. A
number of sections contained in the template specified in RFC 3647 number of sections contained in the template were omitted from this
were omitted from this CPS because they did not apply to this PKI. CPS because they did not apply to this PKI. However, we have
However, in order to maintain the section numbering scheme intact, retained section heading "place holders" for these omitted sections,
the relevant section headings are included and marked [OMITTED]. In in order to facilitate comparison with the section numbering scheme
the Table of Contents the relevant sections are also marked employed in that RFC, i.e., the relevant section headings are
[OMITTED]. included and marked [OMITTED]. In the Table of Contents the relevant
sections are also marked [OMITTED].
1.1. Overview 1.1. Overview
This CPS describes: This CPS describes:
. Participants . Participants
. Distribution of the certificates and CRLs . Distribution of the certificates and CRLs
. How certificates are issued, managed, and revoked . How certificates are issued, managed, and revoked
skipping to change at page 10, line 46 skipping to change at page 10, line 46
. Facility management (physical security, personnel, audit, etc.) . Facility management (physical security, personnel, audit, etc.)
. Key management . Key management
. Audit procedures . Audit procedures
. Business and legal issues . Business and legal issues
The PKI encompasses several types of certificates: The PKI encompasses several types of certificates:
CA certificates for each organization allocating address blocks and . CA certificates for each organization allocating address blocks
AS numbers, and for each address space holder and/or AS numbers, and for each address space (AS number) holder
End entity certificates for operations personnel, in support of . End entity ("shadow") certificates for organizations to use in
access control for the repository system
End entity ("shadow") certificates for organizations to use in
verifying signatures of Route Origination Authorizations (ROAs) verifying signatures of Route Origination Authorizations (ROAs)
and other (non-certificate/CRL) signed objects
. In the future, the PKI also may include end entity certificates in
support of access control for the repository system
1.2. Document name and identification 1.2. Document name and identification
The name of this document is "<Name of Registry>'s Certification The name of this document is "<Name of Registry>'s Certification
Practice Statement for the Internet IP Address and AS Number PKI". Practice Statement for the Internet IP Address and AS Number PKI".
1.3. PKI participants 1.3. PKI participants
Note: In a PKI, the term "subscriber" refers to an individual or Note: In a PKI, the term "subscriber" refers to an individual or
organization that is a Subject of a certificate issued by a CA. The organization that is a Subject of a certificate issued by a CA. The
term is used in this fashion throughout this document, without term is used in this fashion throughout this document, without
qualification, and should not be confused with the networking use of qualification, and should not be confused with the networking use of
the term to refer to an individual or organization that receives the term to refer to an individual or organization that receives
service from an ISP. Thus, in this PKI, the term "subscriber" can service from an LIR/ISP. Thus, in this PKI, the term "subscriber"
refer both to ISPs, which can be subscribers of RIRs, NIRs, LIRs and can refer both to LIRs/ISPs, which can be subscribers of RIRs, NIRs,
other ISPs, and also to organizations that are not ISPs, but which and other LIRs, and also to organizations that are not ISPs, but
are subscribers of ISPs in the networking sense of the term. Also which are subscribers of ISPs in the networking sense of the term.
note that, for brevity, this document always refers to subscribers Also note that, for brevity, this document always refers to
as organizations, even though some subscribers are individuals. When subscribers as organizations, even though some subscribers are
necessary, the phrase "network subscriber" is used to refer to an individuals. When necessary, the phrase "network subscriber" is used
organization that receives network services from an ISP. to refer to an organization that receives network services from an
LIR/ISP.
1.3.1. Certification authorities 1.3.1. Certification authorities
<Name of Registry> will operate a CA, the primary function of which <Name of Registry> will operate a CA, the primary function of which
is the issuance of certificates to organizations to which address is the issuance of certificates to organizations to which address
space or AS numbers are allocated by the registry. space or AS numbers are allocated by the registry. In the future,
this CA may also issue other types of end entity (EE) certificates,
e.g., EE certificates to operations personnel in support of
repository maintenance.
1.3.2. Registration authorities 1.3.2. Registration authorities
For the majority of certificates issued by this registry, this For the certificates issued by this registry under this PKI, this
function is provided by the registry per se. The registry already function is provided by the registry per se. The registry already
performs this function -- establishing a relationship with each performs this function -- establishing a formal relationship with
subscriber and assuming responsibility for allocating and tracking each subscriber and assuming responsibility for allocating and
the current allocation of address space and AS numbers. Since the tracking the current allocation of address space and AS numbers.
registry operates the CA, there is no distinct RA. Since the registry operates the CA, there is no distinct RA.
1.3.3. Subscribers 1.3.3. Subscribers
Two types of organizations receive allocations of IP addresses and Two types of organizations receive allocations of IP addresses and
AS numbers from this CA and thus are subscribers in the PKI sense: AS numbers from this CA and thus are subscribers in the PKI sense:
network subscribers and Internet Service Providers (ISPs). network subscribers and Internet Service Providers (ISPs).
<Additionally, this CA issues certificates to <Local/National> <Additionally, this CA issues certificates to <Local/National>
Registries (choose the right term for this RIR, if either applies) Registries (choose the right term for this RIR, if either applies)
who, in turn, issue certificates to network subscribers or ISPs.> who, in turn, issue certificates to network subscribers or
LIRs/ISPs.>
1.3.4. Relying parties 1.3.4. Relying parties
Entities that need to validate claims of address space and/or AS Entities that need to validate claims of address space and/or AS
number current holdings are relying parties. Thus, for example, number current holdings are relying parties. Thus, for example,
entities that make use of address and AS number allocation entities that make use of address and AS number allocation
certificates in support of improved routing security are relying certificates in support of improved routing security are relying
parties. Registries are relying parties because they transfer parties. Registries are relying parties because they transfer
resources between one another and thus will need to verify (cross) resources between one another and thus will need to verify (cross)
certificates issued in conjunction with such transfers. This certificates issued in conjunction with such transfers. This
includes ISPs, multi-homed organizations exchanging BGP [BGP4] includes LIRs/ISPs, multi-homed organizations exchanging BGP [BGP4]
traffic with ISPs, and subscribers who have received an allocation traffic with LIRs/ISPs, and subscribers who have received an
of address space from one ISP or from a registry, but want to allocation of address space from one ISP or from a registry, but
authorize an (or another) ISP to originate routes to this space. want to authorize an (or another) LIR/ISP to originate routes to
this space.
To the extent that repositories make use of certificates for access
control - checking for authorization to upload certificate, CRL, and
ROA update packages -- they too act as relying parties.
1.3.5. Other participants 1.3.5. Other participants
<Name of Registry> will operate a repository that holds <Name of Registry> will operate a repository that holds
certificates, CRLs, and ROAs. certificates, CRLs, and other signed objects, e.g., ROAs.
1.4. Certificate usage 1.4. Certificate usage
1.4.1. Appropriate certificate uses 1.4.1. Appropriate certificate uses
The certificates issued under this hierarchy are for authorization The certificates issued under this hierarchy are for authorization
in support of validation of claims of current holdings of address in support of validation of claims of current holdings of address
space and/or AS numbers, e.g., for routing security. With regard to space and/or AS numbers, e.g., for routing security. With regard to
routing security, the intent is to allow the holder of a set of routing security, an initial goal of this PKI is to allow the holder
address blocks to be able to declare, in a secure fashion, the AS of a set of address blocks to be able to declare, in a secure
number of each entity that is authorized to originate a route to fashion, the AS number of each entity that is authorized to
these addresses, including the context of ISP proxy aggregation. originate a route to these addresses, including the context of ISP
proxy aggregation. Additional uses of the PKI, consistent with the
basic goal cited above, are also permitted under this policy.
Some of the certificates issued under this hierarchy support Some of the certificates that may be issued under this hierarchy
operation of this infrastructure, e.g., access control for the could be used to support operation of this infrastructure, e.g.,
repository system. access control for the repository system. Such uses also are
permitted under this policy.
1.4.2. Prohibited certificate uses 1.4.2. Prohibited certificate uses
Any uses other than those described in Section 1.4.1 are prohibited. Any uses other than those described in Section 1.4.1 are prohibited.
1.5. Policy administration 1.5. Policy administration
1.5.1. Organization administering the document 1.5.1. Organization administering the document
This CPS is administered by <Name of Registry> This CPS is administered by <Name of Registry>
skipping to change at page 13, line 25 skipping to change at page 13, line 39
Not applicable. Each organization issuing a certificate in this PKI Not applicable. Each organization issuing a certificate in this PKI
is attesting to the allocation of resources (IP addresses, AS is attesting to the allocation of resources (IP addresses, AS
numbers) to the holder of the private key corresponding to the numbers) to the holder of the private key corresponding to the
public key in the certificate. The issuing organizations are the public key in the certificate. The issuing organizations are the
same organizations as the ones that perform the allocation hence same organizations as the ones that perform the allocation hence
they are authoritative with respect to the accuracy of this binding. they are authoritative with respect to the accuracy of this binding.
1.6. Definitions and acronyms 1.6. Definitions and acronyms
CP - Certificate Policy. A CP is a named set of rules that indicates CP - Certificate Policy. A CP is a named set of rules that
the applicability of a certificate to a particular community indicates the applicability of a certificate to a particular
and/or class of applications with common security requirements. community and/or class of applications with common security
requirements.
CPS - Certification Practice Statement. A CPS is a document that CPS - Certification Practice Statement. A CPS is a document that
specifies the practices that a Certification Authority employs in specifies the practices that a Certification Authority employs
issuing certificates. in issuing certificates.
ISP - Internet Service Provider. An ISP is an organization managing ISP - Internet Service Provider. An ISP is an organization managing
and selling Internet services to other organizations. and selling Internet services to other organizations.
LIR/NIR - Local/National Internet Registry. An LIR or NIR is an LIR - Local Internet Registry. This is an organization, typically a
organization that manages the assignment of IP address and AS network service provider, that sub-allocates the assignment of
numbers for a portion of the geographic region covered by a IP addresses for a portion of the area covered by a Regional
Regional rd (or National) Registry.
Registry. These form an optional 3 tier in the tree scheme used to
manage IP address and AS number allocation. NIR - National Internet Registry. An NIR is an organization that
manages the assignment of IP address and AS numbers for a
portion of the geopolitical area covered by a Regional
Registry. These form an optional second tier in the tree
scheme used to manage IP address and AS number allocation.
RIR - Regional Internet Registry. An RIR is an organization that RIR - Regional Internet Registry. An RIR is an organization that
manages the assignment of IP address and AS numbers for a specified manages the assignment of IP address and AS numbers for a
geopolitical area. At present, there are five RIRs: ARIN (North specified geopolitical area. At present, there are five RIRs:
America), RIPE NCC (Europe), APNIC (Asia -Pacific), LACNIC (Latin ARIN (North America), RIPE NCC (Europe), APNIC (Asia -
America and Caribbean), and AFRINIC (Africa). Pacific), LACNIC (Latin America and Caribbean), and AFRINIC
(Africa).
ROA - Route Origination Authorization. This is a digitally signed
object that identifies a network operator, identified by an
AS, that is authorized to originate routes to a specified set
of address blocks.
2. Publication And Repository Responsibilities 2. Publication And Repository Responsibilities
2.1. Repositories 2.1. Repositories
As per the CP, certificates and CRLs, will be made available for As per the CP, certificates and CRLs, will be made available for
downloading by all network operators, to enable them to validate downloading by all network operators, to enable them to validate
this data for use in support of routing security. <Name of this data for use in support of routing security.
Registry> will upload certificates and CRLs issued by it to a local
repository system that it operates as part of a world-wide
distributed system of repositories.
<Describe here the basic set up of your local repository system.> <Describe here the basic set up of your local repository system.>
2.2. Publication of certification information 2.2. Publication of certification information
<Name of Registry> will upload certificates and CRLs issued by it to
a local repository system that operates as part of a world-wide
distributed system of repositories.
2.3. Time or Frequency of Publication 2.3. Time or Frequency of Publication
<Describe here your procedures for publication (via the repository) <Describe here your procedures for publication (via the repository)
of the certificates and CRLs that you issue. If you choose to of the certificates and CRLs that you issue. If you choose to
outsource publication of PKI data, you still need to provide this outsource publication of PKI data, you still need to provide this
information for relying parties.> information for relying parties.>
As per the CP, the following standards exist for publication times As per the CP, the following standards exist for publication times
and frequency: and frequency:
skipping to change at page 14, line 41 skipping to change at page 15, line 42
received acknowledgement from the subject of the certificate that received acknowledgement from the subject of the certificate that
the certificate is accurate. the certificate is accurate.
The <Name of Registry> CA will publish its CRL prior to the The <Name of Registry> CA will publish its CRL prior to the
nextScheduledUpdate value in the scheduled CRL previously issued by nextScheduledUpdate value in the scheduled CRL previously issued by
the CA. Within 24 hours of effecting revocation, the CA will publish the CA. Within 24 hours of effecting revocation, the CA will publish
a CRL with an entry for the revoked certificate. a CRL with an entry for the revoked certificate.
2.4. Access controls on repositories 2.4. Access controls on repositories
Access controls for repositories are TBD. Access to the repository system, for modification of entries, must
be controlled to prevent denial of service attacks. All data
(certificates, CRLs and ROAs) uploaded to a repository are digitally
signed. Updates to the repository system must be validated to ensure
that the data being added or replaced is authorized. This document
does not define the means by which updates are verified, but use of
the PKI itself to validate updates is anticipated.
3. Identification And Authentication 3. Identification And Authentication
3.1. Naming 3.1. Naming
3.1.1. Types of names 3.1.1. Types of names
The Subject of each certificate issued by this Registry is The Subject of each certificate issued by this Registry is
identified by an X.500 Distinguished Name (DN). The DN consists of a identified by an X.500 Disinguished Name (DN). For certificates
single attribute of type CommonName. <If the RIR has subordinate issued to LIRs/ISPs and subscribers, the Subject will consist of a
(NIR/LIR) registries, insert the appropriate text: "For an NIR/LIR, single CN attribute with a value generated by the issuer. For
the value of this attribute is the name of the NIR/LIR.> For <insert certificates issued to an NIR, the Subject will be the name of the
"non-registry" if appropriate> subscribers, the value of this NIR.
attribute is selected by the registry so as to be unique among all
certificates issued by this registry, but does not represent a
"meaningful" or "legal" name for the Subject.
3.1.2. Need for names to be meaningful 3.1.2. Need for names to be meaningful
The name of the holder of an address block or AS number need not to The Subject name in each subscriber certificate will be unique
be "meaningful" in the conventional, human-readable sense, since relative to all certificates issued by <Name of LIR/ISP>. However,
certificates issued under this hierarchy are used for authorization there is no guarantee that the subject name will be globally unique
in this PKI.
Note: The name of the holder of an address block or AS number need
not to be "meaningful" in the conventional, human-readable sense,
since certificates issued under this PKI are used for authorization
in support of routing security, not for identification in support of routing security, not for identification
3.1.3. Anonymity or pseudonymity of subscribers 3.1.3. Anonymity or pseudonymity of subscribers
Although Subject names in certificates issued by this registry need Although Subject names in certificates issued by this registry need
not be meaningful, and may appear "random," anonymity is not a not be meaningful, and may appear "random," anonymity is not a
function of this PKI, and thus no explicit support for this feature function of this PKI, and thus no explicit support for this feature
is provided. is provided.
3.1.4. Rules for interpreting various name forms 3.1.4. Rules for interpreting various name forms
None None
3.1.5. Uniqueness of names 3.1.5. Uniqueness of names
<Name of Registry> certifies Subject names that are unique among the <Name of Registry> certifies Subject names that are unique among the
certificates that it issues. It is desirable that these Subject certificates that it issues. Although it is desirable that these
names be unique throughout the PKI, to facilitate certificate path Subject names be unique throughout the PKI, to facilitate
discovery, but such uniqueness is not mandated nor enforced through certificate path discovery, such uniqueness is neither mandated nor
technical means. enforced through technical means.
3.1.6. Recognition, authentication, and role of trademarks 3.1.6. Recognition, authentication, and role of trademarks
Because the Subject names are not intended to be meaningful, there Because the Subject names are not intended to be meaningful, there
is no provision to recognize nor authenticate trademarks, service is no provision to recognize nor authenticate trademarks, service
marks, etc. marks, etc.
3.2. Initial identity validation 3.2. Initial identity validation
3.2.1. Method to prove possession of private key 3.2.1. Method to prove possession of private key
skipping to change at page 16, line 51 skipping to change at page 17, line 51
identity of a resource holder. However, this registry maintains identity of a resource holder. However, this registry maintains
contact information for each resource holder in support of contact information for each resource holder in support of
certificate renewal, re-key, or revocation. certificate renewal, re-key, or revocation.
<Describe the procedures that will be used to identify at least one <Describe the procedures that will be used to identify at least one
individual as a representative of each organization that is an individual as a representative of each organization that is an
address space (or AS number) holder. This is done in support of address space (or AS number) holder. This is done in support of
issuance, renewal, and revocation of the certificate issued to the issuance, renewal, and revocation of the certificate issued to the
organization. The procedures should be commensurate with those you organization. The procedures should be commensurate with those you
already employ in authenticating individuals as representatives for already employ in authenticating individuals as representatives for
address space (or AS number) holders. Note that this individual address space (or AS number) holders. Note that this authentication
authentication is solely for use by you in dealing with the is solely for use by you in dealing with the organizations to which
organizations to which you allocate (or sub-allocate) address space you allocate (or sub-allocate) address space (or AS numbers), and
(or AS numbers), and thus must not be relied upon outside of this thus must not be relied upon outside of this CA-subscriber
CA-subscriber relationship.> relationship.>
3.2.4. Non-verified subscriber information 3.2.4. Non-verified subscriber information
No non-verified subscriber data is included in certificates issued No non-verified subscriber data is included in certificates issued
under this certificate policy. under this certificate policy.
3.2.5. Validation of authority 3.2.5. Validation of authority
<Describe the procedures that will be used to verify that an <Describe the procedures that will be used to verify that an
individual claiming to represent a resource holder to which a individual claiming to represent a resource holder to which a
skipping to change at page 18, line 25 skipping to change at page 19, line 25
legitimate subject still possesses the original private key as legitimate subject still possesses the original private key as
opposed to the case when the subject no longer has access to that opposed to the case when the subject no longer has access to that
key. These procedures should be commensurate with those you already key. These procedures should be commensurate with those you already
employ in the maintenance of resource holder records.> employ in the maintenance of resource holder records.>
Note: If additional IP addresses or AS numbers are being added to Note: If additional IP addresses or AS numbers are being added to
an organization's existing allocation, the old certificate need not an organization's existing allocation, the old certificate need not
be revoked. Instead, a new certificate may be issued with both the be revoked. Instead, a new certificate may be issued with both the
old and the new resources and the old key. If IP addresses or AS old and the new resources and the old key. If IP addresses or AS
numbers are being removed or if there has been a key compromise, numbers are being removed or if there has been a key compromise,
then there will be a revocation and a re-key. A subscriber may then the old certificate will be a revoked (and a re-key will be
performed in the event of a key compromise). A subscriber may
request that its resource holdings be spread over a set of request that its resource holdings be spread over a set of
certificates, rather than consolidating all resources in one certificates, rather than consolidating all resources in one
certificate. This may be appropriate if the subscriber wants to certificate. This may be appropriate if the subscriber wants to
manage his resource allocations as distinct allocations within his manage his resource allocations as distinct allocations within his
organization. organization.
4. Certificate Life-Cycle Operational Requirements 4. Certificate Life-Cycle Operational Requirements
4.1. Certificate Application 4.1. Certificate Application
4.1.1. Who can submit a certificate application 4.1.1. Who can submit a certificate application
The following entities may submit a certificate application to this The following entities may submit a certificate application to this
CA: CA:
<Insert if appropriate: "Any LIR/NIR operating in the geopolitical o <Insert if appropriate: "Any NIR or LIR/ISP operating in the
region served by this registry"> geopolitical region served by this registry">
Any entity that holds AS numbers or address space assigned by this
registry
Individuals or roles associated with this registry and that engage o Any entity that holds AS numbers or address space assigned by
in the maintenance of the repository system for this PKI this registry
4.1.2. Enrollment process and responsibilities 4.1.2. Enrollment process and responsibilities
<Describe your enrollment process for issuing certificates both for <Describe your enrollment process for issuing certificates both for
initial deployment of the PKI and as an ongoing process. Note that initial deployment of the PKI and as an ongoing process. Note that
most of the certificates in this PKI are issued as part of registry most of the certificates in this PKI are issued as part of registry
and ISP normal business practices, as an adjunct to address space and ISP normal business practices, as an adjunct to address space
and AS number allocation, and thus a separate application to request and AS number allocation, and thus a separate application to request
a certificate may not be necessary. If so, reference should be made a certificate may not be necessary. If so, reference should be made
to where these practices are documented.> to where these practices are documented.>
skipping to change at page 21, line 4 skipping to change at page 21, line 46
and subsequent publication (Section 4.4.2) and subsequent publication (Section 4.4.2)
If the draft is rejected, procedure for modification of the rejected If the draft is rejected, procedure for modification of the rejected
certificate (Section 4.8 might be useful) or submission of a new certificate (Section 4.8 might be useful) or submission of a new
certificate request.> certificate request.>
4.3.2. Notification to subscriber by the CA of issuance of certificate 4.3.2. Notification to subscriber by the CA of issuance of certificate
<Describe your procedure for notification of a subscriber when a <Describe your procedure for notification of a subscriber when a
draft certificate is ready for review.> draft certificate is ready for review.>
Notification of certificate issuance by the CA to other entities Notification of certificate issuance by the CA to other entities
[OMITTED> [OMITTED>
4.4. Certificate acceptance 4.4. Certificate acceptance
4.4.1. Conduct constituting certificate acceptance 4.4.1. Conduct constituting certificate acceptance
When a draft certificate is generated and the subscriber is When a draft certificate is generated and the subscriber is
notified, it is required that the subscriber review the proposed notified, it is required that the subscriber review the proposed
certificate and either approve or reject it within <X> days. certificate and either approve or reject it within <X - This should
<Describe what constitutes acceptance or rejection from the be 30 or fewer as per the CP> days. <Describe what constitutes
certificate applicant.> acceptance or rejection from the certificate applicant.>
If a certificate remains unprocessed by the requester after <X> If a certificate remains unprocessed by the requester after <X>
days, <Describe your policy for handling certificates that have not days, <Describe your policy for handling certificates that have not
been acknowledged (either positively or negatively) after X days. been acknowledged (either positively or negatively) after X days.
For example, at your option, you may either cancel the certificate For example, at your option, you may either cancel the certificate
or finalize it and place it in the repository.> or finalize it and place it in the repository.>
4.4.2. Publication of the certificate by the CA 4.4.2. Publication of the certificate by the CA
Certificates will be published in the Repository system once Certificates will be published in the Repository system once
skipping to change at page 21, line 39 skipping to change at page 22, line 37
4.5. Key pair and certificate usage 4.5. Key pair and certificate usage
A summary of the use model for the IP Address and AS Number PKI is A summary of the use model for the IP Address and AS Number PKI is
provided below. provided below.
4.5.1. Subscriber private key and certificate usage 4.5.1. Subscriber private key and certificate usage
The certificates issued by this registry to resource holders are CA The certificates issued by this registry to resource holders are CA
certificates. The private key associated with each of these certificates. The private key associated with each of these
certificates is used to sign subordinate (CA or EE) certificates and certificates is used to sign subordinate (CA or EE) certificates and
CRLs. A (non-registry) subscriber will issue certificates to any CRLs. A subscriber will issue certificates to any organizations to
organizations to which it allocates IP address space and one or more which it allocates IP address space and one or more "shadow"
"shadow" certificates for use in verifying signatures on ROAs signed certificates for use in verifying signatures on ROAs signed by the
by the subscriber. <If appropriate, add "Subscribers that are subscriber. <If appropriate, add "Subscribers that are NIRs issue
registries (LIRs/NIRs) issue certificates to organizations to which certificates to organizations to which they have allocated address
they have allocated address space or AS numbers.> Subscribers also space or AS numbers. Subscribers that are LIRs issue certificates
will issue certificates to operators in support of repository access to organizations to which they have allocated address space.">
control. Subscribers also will issue certificates to operators in support of
repository access control.
4.5.2. Relying party public key and certificate usage 4.5.2. Relying party public key and certificate usage
The primary relying parties in this PKI are ISPs, who will use The primary relying parties in this PKI are LIRs/ISPs, who will use
shadow certificates to verify ROAs, e.g., in support of generating shadow certificates to verify ROAs, e.g., in support of generating
route filters. Repositories will use operator certificates to route filters. Repositories will use operator certificates to
verify the authorization of entities to engage in repository verify the authorization of entities to engage in repository
maintenance activities, and thus repositories represent a secondary maintenance activities, and thus repositories represent a secondary
type of relying party. type of relying party.
4.6. Certificate renewal 4.6. Certificate renewal
4.6.1. Circumstance for certificate renewal 4.6.1. Circumstance for certificate renewal
skipping to change at page 23, line 36 skipping to change at page 24, line 31
private key, or private key, or
(2) the expiration of the cryptographic lifetime of the associated (2) the expiration of the cryptographic lifetime of the associated
key pair key pair
If a certificate is revoked to replace the RFC 3779 extensions, the If a certificate is revoked to replace the RFC 3779 extensions, the
replacement certificate will incorporate the same public key, not a replacement certificate will incorporate the same public key, not a
new key, unless the subscriber requests a re-key at the same time. new key, unless the subscriber requests a re-key at the same time.
If the re-key is based on a suspected compromise, then the previous If the re-key is based on a suspected compromise, then the previous
certificate will be revoked. If the re-key is based on the certificate will be revoked.
expiration of the key pair, then the certificate does not require
revocation, since the certificate should expire on or before the Section 5.6 of the Certificate Policy notes that when a CA signs a
date when the associated key pair expires. certificate, the signing key should have a validity period that
exceeds the validity period of the certificate. This places
additional constraints on when a CA should request a re-key.
4.7.2. Who may request certification of a new public key 4.7.2. Who may request certification of a new public key
The holder of the certificate may request a re-key. In addition, The holder of the certificate may request a re-key. In addition,
<Name of Registry> may initiate a re-key based on receipt and <Name of Registry> may initiate a re-key based on a verified
verification of a compromise report. <Describe what steps will be compromise report. <Describe what steps will be taken to verify the
taken to verify the identity and authorization of a subscriber to identity and authorization of a subscriber to request a re-key when
request a re-key when the private key has been reported as the private key has been reported as compromised. Also describe how
compromised. Also describe how a compromise report received from a compromise report received from other than a subscriber is
other than a subscriber is verified.> verified.>
4.7.3. Processing certificate re-keying requests 4.7.3. Processing certificate re-keying requests
<Describe your process for handling re-keying requests. As per the <Describe your process for handling re-keying requests. As per the
CP, this should be consistent with the process described in Section CP, this should be consistent with the process described in Section
4.3. So reference can be made to that section.> 4.3. So reference can be made to that section.>
4.7.4. Notification of new certificate issuance to subscriber 4.7.4. Notification of new certificate issuance to subscriber
<Describe your policy regarding notifying the subscriber re: <Describe your policy regarding notifying the subscriber re:
skipping to change at page 25, line 5 skipping to change at page 26, line 5
additional resources, or may be explicit. A subscriber also may additional resources, or may be explicit. A subscriber also may
request that its existing set of resources be redistributed among request that its existing set of resources be redistributed among
multiple certificates. This example of certificate modification is multiple certificates. This example of certificate modification is
effected through issuance of new certificates, and revocation of the effected through issuance of new certificates, and revocation of the
previous certificates. previous certificates.
If a subscriber is to be allocated address space or AS numbers in If a subscriber is to be allocated address space or AS numbers in
addition to a current allocation, and if the subscriber does not addition to a current allocation, and if the subscriber does not
request that a new certificate be issued containing only these request that a new certificate be issued containing only these
resources, then this is accomplished through a certificate resources, then this is accomplished through a certificate
modification. When previously allocated address space or AS numbers modification. When a certificate modification is approved, a new
are to be removed from a certificate, then the old certificate MUST certificate is issued. The new certificate will contain the same
be revoked and a new certificate (reflecting the new allocation) public key and the same expiration date as the original certificate,
issued. but with the incidental information corrected and/or the address
space and AS allocations expanded. When previously allocated address
space or AS numbers are to be removed from a certificate, then the
old certificate MUST be revoked and a new certificate (reflecting
the new allocation) issued.
4.8.2. Who may request certificate modification 4.8.2. Who may request certificate modification
The certificate holder or <Name of Registry> may initiate the The certificate holder or <Name of Registry> may initiate the
certificate modification process. <For the case of the certificate certificate modification process. <For the case of the certificate
holder, state here what steps will be taken to verify the identity holder, state here what steps will be taken to verify the identity
and authorization of the entity requesting the modification.> and authorization of the entity requesting the modification.>
4.8.3. Processing certificate modification requests 4.8.3. Processing certificate modification requests
skipping to change at page 26, line 43 skipping to change at page 27, line 50
A subscriber should request revocation as soon as possible after the A subscriber should request revocation as soon as possible after the
need for revocation has been identified. need for revocation has been identified.
4.9.5. Time within which CA must process the revocation request 4.9.5. Time within which CA must process the revocation request
<Describe your policy on the time period within which you will <Describe your policy on the time period within which you will
process a revocation request.> process a revocation request.>
4.9.6. Revocation checking requirement for relying parties 4.9.6. Revocation checking requirement for relying parties
As per the CP, a relying party is responsible for checking the most As per the CP, a relying party is responsible for acquiring and
recent, scheduled CRL whenever it validates a certificate. checking the most recent, scheduled CRL from the issuer of the
certificate, whenever the relying party validates a certificate.
4.9.7. CRL issuance frequency 4.9.7. CRL issuance frequency
<Name of Registry> will publish CRLs approximately every 24 hours. <Name of Registry> will publish CRLs approximately every 24 hours.
Each CRL will carry a nextScheduledUpdate value and a new CRL will Each CRL will carry a nextScheduledUpdate value and a new CRL will
be published at or before that time. <Name of Registry> will modify be published at or before that time. <Name of Registry> will set
the nextScheduledUpdate value when it issues a CRL, to signal when the nextScheduledUpdate value when it issues a CRL, to signal when
the next scheduled CRL will be issued. the next scheduled CRL will be issued.
4.9.8. Maximum latency for CRLs 4.9.8. Maximum latency for CRLs
A CRL will be posted to the repository system with minimal delay A CRL will be posted to the repository system with minimal delay
after generation. after generation.
4.9.9. On-line revocation/status checking availability [OMITTED] 4.9.9. On-line revocation/status checking availability [OMITTED]
skipping to change at page 30, line 48 skipping to change at page 32, line 48
5.5.7. Procedures to obtain and verify archive information [OMITTED] 5.5.7. Procedures to obtain and verify archive information [OMITTED]
5.6. Key changeover 5.6. Key changeover
The <Name of Registry> CA certificate will contain a validity period The <Name of Registry> CA certificate will contain a validity period
that encompasses that of all certificates verifiable using this CA that encompasses that of all certificates verifiable using this CA
certificate. To support this, <Name of Registry> will create a new certificate. To support this, <Name of Registry> will create a new
signature key pair, and acquire and publish a new certificate signature key pair, and acquire and publish a new certificate
containing the public key of the pair, <specify here the minimum containing the public key of the pair, <specify here the minimum
amount of lead time, e.g., "a minimum of 6 months"> in advance of amount of lead time, e.g., "a minimum of 6 months"> in advance of
the expiration date of the current signature key pair. the scheduled change of the current signature key pair.
5.7. Compromise and disaster recovery [OMITTED] 5.7. Compromise and disaster recovery [OMITTED]
5.7.1. Incident and compromise handling procedures [OMITTED] 5.7.1. Incident and compromise handling procedures [OMITTED]
5.7.2. Computing resources, software, and/or data are corrupted 5.7.2. Computing resources, software, and/or data are corrupted
[OMITTED] [OMITTED]
5.7.3. Entity private key compromise procedures [OMITTED] 5.7.3. Entity private key compromise procedures [OMITTED]
skipping to change at page 32, line 15 skipping to change at page 34, line 15
6. Technical Security Controls 6. Technical Security Controls
This section describes the security controls used by <Name of This section describes the security controls used by <Name of
Registry>. Registry>.
6.1. Key pair generation and installation 6.1. Key pair generation and installation
6.1.1. Key pair generation 6.1.1. Key pair generation
<Describe the procedures that will be used to generate the CA key <Describe the procedures that will be used to generate the CA key
pair, and, if applicable, key pairs for subscribers. In most pair, and, if applicable, key pairs for network subscribers. In
instances, public-key pairs will be generated by the subscriber, most instances, public-key pairs will be generated by the
i.e., the organization receiving the allocation of address space or subscriber, i.e., the organization receiving the allocation of
AS numbers. However, your procedures may include one for generating address space or AS numbers. However, your procedures may include
key pairs on behalf of your subscribers if they so request. (This one for generating key pairs on behalf of your subscribers if they
might be done for subscribers who do not have the ability to perform so request. (This might be done for subscribers who do not have the
key generation in a secure fashion or who want a registry to provide ability to perform key generation in a secure fashion or who want a
backup for the subscriber private key.) Since the keys used in this registry to provide backup for the subscriber private key.) Since
PKI are not for non-repudiation purposes, generation of key pairs by the keys used in this PKI are not for non-repudiation purposes,
CAs does not undermine the security of the PKI. > generation of key pairs by CAs does not inherently undermine the
security of the PKI. >
6.1.2. Private key delivery to subscriber 6.1.2. Private key delivery to subscriber
<If the procedures in 6.1.1 include providing key pair generation <If the procedures in 6.1.1 include providing key pair generation
services for subscribers, describe the means by which private keys services for subscribers, describe the means by which private keys
are delivered to subscribers in a secure fashion. Otherwise say this are delivered to subscribers in a secure fashion. Otherwise say this
is not applicable.> is not applicable.>
6.1.3. Public key delivery to certificate issuer 6.1.3. Public key delivery to certificate issuer
skipping to change at page 33, line 4 skipping to change at page 35, line 5
for management of the IP address space and AS numbers.> for management of the IP address space and AS numbers.>
6.1.4. CA public key delivery to relying parties 6.1.4. CA public key delivery to relying parties
CA public keys for all entities other than RIRs are contained in CA public keys for all entities other than RIRs are contained in
certificates issued by other CAs. These certificates plus certificates issued by other CAs. These certificates plus
certificates used to represent inter-RIR transfers of address space certificates used to represent inter-RIR transfers of address space
or AS numbers will be published via a repository system. Relying or AS numbers will be published via a repository system. Relying
parties will download these certificates from this system. Public parties will download these certificates from this system. Public
key values and associated data for the trust anchors (RIRs) will be key values and associated data for the trust anchors (RIRs) will be
distributed out of band, embedded in path validation software that distributed out of band, e.g., embedded in path validation software
will be made available to the Internet community. that will be made available to the Internet community.
[Do you (RIRs) want to make provisions for additional mechanisms for
distribution of your public keys for use as a cross-check on the
downloaded path validation software?]
6.1.5. Key sizes 6.1.5. Key sizes
For the <Name of Registry> CA's certificate and shadow CA For the <Name of Registry> CA's certificate and shadow CA
certificate, the RSA key size will be 2048 bits. For subscriber certificate, the RSA key size will be 2048 bits. For subscriber
certificates, the RSA keys will be <insert key size -- e.g., 2048 or certificates, the RSA keys will be <insert key size -- e.g., 2048 or
1024 bits. If NIR/LIR key size is larger than ISP/subscriber key 1024 bits. If NIR key size is larger than LIR/ISP/subscriber key
size, describe each independently.> size, describe each independently.>
6.1.6. Public key parameters generation and quality checking 6.1.6. Public key parameters generation and quality checking
The RSA algorithm [RSA] is used in this PKI with the public exponent The RSA algorithm [RSA] is used in this PKI with the public exponent
(e) F (65,537). 4 (e) F4 (65,537).
<If the procedures in 6.1.1 include subscriber key pair generation, <If the procedures in 6.1.1 include subscriber key pair generation,
insert here text specifying that the subscriber is responsible for insert here text specifying that the subscriber is responsible for
performing checks on the quality of its key pair and saying that performing checks on the quality of its key pair and saying that
<Name of Registry> is not responsible for performing such checks for <Name of Registry> is not responsible for performing such checks for
subscribers OR describe the procedures used by the CA for checking subscribers OR describe the procedures used by the CA for checking
the quality of these subscriber key pairs.> the quality of these subscriber key pairs.>
6.1.7. Key usage purposes (as per X.509 v3 key usage field) 6.1.7. Key usage purposes (as per X.509 v3 key usage field)
skipping to change at page 37, line 8 skipping to change at page 39, line 8
controls employed for the computers used for managing allocation of controls employed for the computers used for managing allocation of
IP addresses and AS numbers.> IP addresses and AS numbers.>
6.8. Time-stamping 6.8. Time-stamping
The PKI in question does not make use of time stamping. The PKI in question does not make use of time stamping.
7. Certificate and CRL Profiles 7. Certificate and CRL Profiles
Please refer to the Certificate and CRL Profile [draft-ietf-sidr- Please refer to the Certificate and CRL Profile [draft-ietf-sidr-
res-certs-01] res-certs-01].
7.1. Certificate profile [OMITTED] 7.1. Certificate profile [OMITTED]
7.1.1. Version number(s) [OMITTED] 7.1.1. Version number(s) [OMITTED]
7.1.2. Certificate extensions [OMITTED] 7.1.2. Certificate extensions [OMITTED]
7.1.2.1. Required certificate extensions [OMITTED] 7.1.2.1. Required certificate extensions [OMITTED]
7.1.2.2. Deprecated certificate extensions [OMITTED] 7.1.2.2. Deprecated certificate extensions [OMITTED]
skipping to change at page 45, line 26 skipping to change at page 47, line 26
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr. at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf this standard. Please address the information to the IETF at ietf-
ipr@ietf.org. ipr@ietf.org.
Disclaimer of Validity Disclaimer of Validity
This document and the information contained herein are provided on This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
 End of changes. 91 change blocks. 
439 lines changed or deleted 480 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/