--- 1/draft-ietf-sidr-cps-irs-01.txt 2007-07-10 20:12:16.000000000 +0200 +++ 2/draft-ietf-sidr-cps-irs-02.txt 2007-07-10 20:12:16.000000000 +0200 @@ -1,20 +1,18 @@ Secure Inter-Domain Routing (sidr) Kong, D. Internet Draft Seo, K. -Expires: August 2007 Kent, S. +Expires: January 2008 Kent, S. Intended Status: Informational BBN Technologies - February 2007 - Template for an Internet Registry's Certification Practice Statement (CPS) for the Internet IP Address and AS Number (PKI) - draft-ietf-sidr-cps-irs-01.txt + draft-ietf-sidr-cps-irs-02.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering @@ -26,21 +24,21 @@ months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html - This Internet-Draft will expire on July 31, 2007. + This Internet-Draft will expire on January 8, 2008. Abstract This document contains a template to be used for creating a Certification Practice Statement (CPS) for an Internet Registry (e.g., NIR or RIR) that is part of the Internet IP Address and Autonomous System (AS) Number Public Key Infrastructure (PKI). Conventions used in this document @@ -100,273 +98,273 @@ 4.1.2. Enrollment process and responsibilities.............20 4.2. Certificate application processing.......................20 4.2.1. Performing identification and authentication functions ...........................................................20 4.2.2. Approval or rejection of certificate applications...20 4.2.3. Time to process certificate applications............21 4.3. Certificate issuance.....................................21 4.3.1. CA actions during certificate issuance..............21 4.3.2. Notification to subscriber by the CA of issuance of certificate................................................21 - 4.4. Certificate acceptance...................................22 - 4.4.1. Conduct constituting certificate acceptance.........22 - 4.4.2. Publication of the certificate by the CA............22 - 4.5. Key pair and certificate usage...........................22 + 4.4. Certificate acceptance...................................21 + 4.4.1. Conduct constituting certificate acceptance.........21 + 4.4.2. Publication of the certificate by the CA............21 + 4.5. Key pair and certificate usage...........................21 4.5.1. Subscriber private key and certificate usage........22 4.5.2. Relying party public key and certificate usage......22 - 4.6. Certificate renewal......................................23 - 4.6.1. Circumstance for certificate renewal................23 + 4.6. Certificate renewal......................................22 + 4.6.1. Circumstance for certificate renewal................22 4.6.2. Who may request renewal.............................23 4.6.3. Processing certificate renewal requests.............23 4.6.4. Notification of new certificate issuance to subscriber ...........................................................23 4.6.5. Conduct constituting acceptance of a renewal certificate................................................23 - 4.6.6. Publication of the renewal certificate by the CA....24 + 4.6.6. Publication of the renewal certificate by the CA....23 4.6.7. Notification of certificate issuance by the CA to other - entities [OMITTED].........................................24 - 4.7. Certificate re-key.......................................24 - 4.7.1. Circumstance for certificate re-key.................24 + entities [OMITTED].........................................23 + 4.7. Certificate re-key.......................................23 + 4.7.1. Circumstance for certificate re-key.................23 4.7.2. Who may request certification of a new public key...24 - 4.7.3. Processing certificate re-keying requests...........25 + 4.7.3. Processing certificate re-keying requests...........24 4.7.4. Notification of new certificate issuance to subscriber - ...........................................................25 + ...........................................................24 4.7.5. Conduct constituting acceptance of a re-keyed - certificate................................................25 - 4.7.6. Publication of the re-keyed certificate by the CA...25 + certificate................................................24 + 4.7.6. Publication of the re-keyed certificate by the CA...24 4.7.7. Notification of certificate issuance by the CA to other entities [OMITTED].........................................25 4.8. Certificate modification.................................25 4.8.1. Circumstance for certificate modification...........25 - 4.8.2. Who may request certificate modification............26 - 4.8.3. Processing certificate modification requests........26 + 4.8.2. Who may request certificate modification............25 + 4.8.3. Processing certificate modification requests........25 4.8.4. Notification of modified certificate issuance to subscriber.................................................26 4.8.5. Conduct constituting acceptance of modified certificate ...........................................................26 4.8.6. Publication of the modified certificate by the CA...26 4.8.7. Notification of certificate issuance by the CA to other entities [OMITTED].........................................26 - 4.9. Certificate revocation and suspension....................27 - 4.9.1. Circumstances for revocation........................27 - 4.9.2. Who can request revocation..........................27 - 4.9.3. Procedure for revocation request....................27 + 4.9. Certificate revocation and suspension....................26 + 4.9.1. Circumstances for revocation........................26 + 4.9.2. Who can request revocation..........................26 + 4.9.3. Procedure for revocation request....................26 4.9.4. Revocation request grace period.....................27 4.9.5. Time within which CA must process the revocation request....................................................27 4.9.6. Revocation checking requirement for relying parties.27 - 4.9.7. CRL issuance frequency..............................28 - 4.9.8. Maximum latency for CRLs............................28 + 4.9.7. CRL issuance frequency..............................27 + 4.9.8. Maximum latency for CRLs............................27 4.9.9. On-line revocation/status checking availability [OMITTED]..................................................28 4.9.10. On-line revocation checking requirements [OMITTED].28 4.9.11. Other forms of revocation advertisements available [OMITTED]..................................................28 4.9.12. Special requirements re key compromise [OMITTED]...28 4.9.13. Circumstances for suspension [OMITTED].............28 4.9.14. Who can request suspension [OMITTED]...............28 4.9.15. Procedure for suspension request [OMITTED].........28 4.9.16. Limits on suspension period [OMITTED]..............28 4.10. Certificate status services.............................28 - 4.10.1. Operational characteristics [OMITTED]..............29 - 4.10.2. Service availability [OMITTED].....................29 - 4.10.3. Optional features [OMITTED]........................29 - 4.11. End of subscription [OMITTED]...........................29 - 4.12. Key escrow and recovery [OMITTED].......................29 + 4.10.1. Operational characteristics [OMITTED]..............28 + 4.10.2. Service availability [OMITTED].....................28 + 4.10.3. Optional features [OMITTED]........................28 + 4.11. End of subscription [OMITTED]...........................28 + 4.12. Key escrow and recovery [OMITTED].......................28 4.12.1. Key escrow and recovery policy and practices [OMITTED] - ...........................................................29 + ...........................................................28 4.12.2. Session key encapsulation and recovery policy and - practices [OMITTED]........................................29 - 5. Facility, Management, And Operational Controls................30 - 5.1. Physical controls........................................30 - 5.1.1. Site location and construction......................30 - 5.1.2. Physical access.....................................30 - 5.1.3. Power and air conditioning..........................30 - 5.1.4. Water exposures.....................................30 - 5.1.5. Fire prevention and protection......................30 - 5.1.6. Media storage.......................................30 - 5.1.7. Waste disposal......................................30 - 5.1.8. Off-site backup.....................................30 - 5.2. Procedural controls......................................30 - 5.2.1. Trusted roles.......................................30 - 5.2.2. Number of persons required per task.................30 - 5.2.3. Identification and authentication for each role.....30 - 5.2.4. Roles requiring separation of duties................30 - 5.3. Personnel controls.......................................30 + practices [OMITTED]........................................28 + 5. Facility, Management, And Operational Controls................29 + 5.1. Physical controls........................................29 + 5.1.1. Site location and construction......................29 + 5.1.2. Physical access.....................................29 + 5.1.3. Power and air conditioning..........................29 + 5.1.4. Water exposures.....................................29 + 5.1.5. Fire prevention and protection......................29 + 5.1.6. Media storage.......................................29 + 5.1.7. Waste disposal......................................29 + 5.1.8. Off-site backup.....................................29 + 5.2. Procedural controls......................................29 + 5.2.1. Trusted roles.......................................29 + 5.2.2. Number of persons required per task.................29 + 5.2.3. Identification and authentication for each role.....29 + 5.2.4. Roles requiring separation of duties................29 + 5.3. Personnel controls.......................................29 5.3.1. Qualifications, experience, and clearance requirements - ...........................................................31 - 5.3.2. Background check procedures.........................31 - 5.3.3. Training requirements...............................31 - 5.3.4. Retraining frequency and requirements...............31 - 5.3.5. Job rotation frequency and sequence.................31 - 5.3.6. Sanctions for unauthorized actions..................31 - 5.3.7. Independent contractor requirements.................31 - 5.3.8. Documentation supplied to personnel.................31 - 5.4. Audit logging procedures.................................31 - 5.4.1. Types of events recorded............................31 - 5.4.2. Frequency of processing log.........................31 - 5.4.3. Retention period for audit log......................31 - 5.4.4. Protection of audit log.............................32 - 5.4.5. Audit log backup procedures.........................32 + ...........................................................30 + 5.3.2. Background check procedures.........................30 + 5.3.3. Training requirements...............................30 + 5.3.4. Retraining frequency and requirements...............30 + 5.3.5. Job rotation frequency and sequence.................30 + 5.3.6. Sanctions for unauthorized actions..................30 + 5.3.7. Independent contractor requirements.................30 + 5.3.8. Documentation supplied to personnel.................30 + 5.4. Audit logging procedures.................................30 + 5.4.1. Types of events recorded............................30 + 5.4.2. Frequency of processing log.........................30 + 5.4.3. Retention period for audit log......................30 + 5.4.4. Protection of audit log.............................31 + 5.4.5. Audit log backup procedures.........................31 5.4.6. Audit collection system (internal vs. external) - [OMITTED]..................................................32 - 5.4.7. Notification to event-causing subject [OMITTED].....32 - 5.4.8. Vulnerability assessments...........................32 - 5.5. Records archival [OMITTED]...............................32 - 5.5.1. Types of records archived [OMITTED].................32 - 5.5.2. Retention period for archive [OMITTED]..............32 - 5.5.3. Protection of archive [OMITTED].....................32 - 5.5.4. Archive backup procedures [OMITTED].................32 - 5.5.5. Requirements for time-stamping of records [OMITTED].32 + [OMITTED]..................................................31 + 5.4.7. Notification to event-causing subject [OMITTED].....31 + 5.4.8. Vulnerability assessments...........................31 + 5.5. Records archival [OMITTED]...............................31 + 5.5.1. Types of records archived [OMITTED].................31 + 5.5.2. Retention period for archive [OMITTED]..............31 + 5.5.3. Protection of archive [OMITTED].....................31 + 5.5.4. Archive backup procedures [OMITTED].................31 + 5.5.5. Requirements for time-stamping of records [OMITTED].31 5.5.6. Archive collection system (internal or external) - [OMITTED]..................................................32 + [OMITTED]..................................................31 5.5.7. Procedures to obtain and verify archive information - [OMITTED]..................................................32 - 5.6. Key changeover...........................................32 - 5.7. Compromise and disaster recovery [OMITTED]...............33 - 5.7.1. Incident and compromise handling procedures [OMITTED]33 + [OMITTED]..................................................31 + 5.6. Key changeover...........................................31 + 5.7. Compromise and disaster recovery [OMITTED]...............32 + 5.7.1. Incident and compromise handling procedures [OMITTED]32 5.7.2. Computing resources, software, and/or data are - corrupted [OMITTED]........................................33 - 5.7.3. Entity private key compromise procedures [OMITTED]..33 + corrupted [OMITTED]........................................32 + 5.7.3. Entity private key compromise procedures [OMITTED]..32 5.7.4. Business continuity capabilities after a disaster - [OMITTED]..................................................33 - 5.8. CA or RA termination.....................................33 - 6. Technical Security Controls...................................34 - 6.1. Key pair generation and installation.....................34 - 6.1.1. Key pair generation.................................34 - 6.1.2. Private key delivery to subscriber..................34 - 6.1.3. Public key delivery to certificate issuer...........34 - 6.1.4. CA public key delivery to relying parties...........34 - 6.1.5. Key sizes...........................................35 - 6.1.6. Public key parameters generation and quality checking35 - 6.1.7. Key usage purposes (as per X.509 v3 key usage field)35 + [OMITTED]..................................................32 + 5.8. CA or RA termination.....................................32 + 6. Technical Security Controls...................................33 + 6.1. Key pair generation and installation.....................33 + 6.1.1. Key pair generation.................................33 + 6.1.2. Private key delivery to subscriber..................33 + 6.1.3. Public key delivery to certificate issuer...........33 + 6.1.4. CA public key delivery to relying parties...........33 + 6.1.5. Key sizes...........................................34 + 6.1.6. Public key parameters generation and quality checking34 + 6.1.7. Key usage purposes (as per X.509 v3 key usage field)34 6.2. Private Key Protection and Cryptographic Module Engineering - Controls......................................................35 - 6.2.1. Cryptographic module standards and controls.........35 - 6.2.2. Private key (n out of m) multi-person control.......35 - 6.2.3. Private key escrow..................................35 - 6.2.4. Private key backup..................................36 - 6.2.5. Private key archival................................36 + Controls......................................................34 + 6.2.1. Cryptographic module standards and controls.........34 + 6.2.2. Private key (n out of m) multi-person control.......34 + 6.2.3. Private key escrow..................................34 + 6.2.4. Private key backup..................................35 + 6.2.5. Private key archival................................35 6.2.6. Private key transfer into or from a cryptographic - module.....................................................36 - 6.2.7. Private key storage on cryptographic module.........36 - 6.2.8. Method of activating private key....................36 - 6.2.9. Method of deactivating private key..................36 - 6.2.10. Method of destroying private key...................36 - 6.2.11. Cryptographic Module Rating........................36 - 6.3. Other aspects of key pair management.....................37 - 6.3.1. Public key archival.................................37 + module.....................................................35 + 6.2.7. Private key storage on cryptographic module.........35 + 6.2.8. Method of activating private key....................35 + 6.2.9. Method of deactivating private key..................35 + 6.2.10. Method of destroying private key...................35 + 6.2.11. Cryptographic Module Rating........................35 + 6.3. Other aspects of key pair management.....................36 + 6.3.1. Public key archival.................................36 6.3.2. Certificate operational periods and key pair usage - periods....................................................37 - 6.4. Activation data..........................................37 - 6.4.1. Activation data generation and installation.........37 - 6.4.2. Activation data protection..........................37 - 6.4.3. Other aspects of activation data....................37 - 6.5. Computer security controls...............................37 - 6.5.1. Specific computer security technical requirement....37 - 6.5.2. Computer security rating [OMITTED]..................38 - 6.6. Life cycle technical controls............................38 - 6.6.1. System development controls.........................38 - 6.6.2. Security management controls........................38 - 6.6.3. Life cycle security controls........................38 - 6.7. Network security controls................................38 - 6.8. Time-stamping............................................38 - 7. Certificate and CRL Profiles..................................39 + periods....................................................36 + 6.4. Activation data..........................................36 + 6.4.1. Activation data generation and installation.........36 + 6.4.2. Activation data protection..........................36 + 6.4.3. Other aspects of activation data....................36 + 6.5. Computer security controls...............................36 + 6.5.1. Specific computer security technical requirement....36 + 6.5.2. Computer security rating [OMITTED]..................37 + 6.6. Life cycle technical controls............................37 + 6.6.1. System development controls.........................37 + 6.6.2. Security management controls........................37 + 6.6.3. Life cycle security controls........................37 + 6.7. Network security controls................................37 + 6.8. Time-stamping............................................37 + 7. Certificate and CRL Profiles..................................38 Please refer to the Certificate and CRL Profile [draft-ietf-sidr- - res-certs-01].................................................39 - 7.1. Certificate profile [OMITTED]............................39 - 7.1.1. Version number(s) [OMITTED].........................39 - 7.1.2. Certificate extensions [OMITTED]....................39 - 7.1.3. Algorithm object identifiers [OMITTED]..............39 - 7.1.4. Name forms [OMITTED]................................39 - 7.1.5. Name constraints [OMITTED]..........................39 - 7.1.6. Certificate policy object identifier [OMITTED]......39 - 7.1.7. Usage of Policy Constraints extension [OMITTED].....39 - 7.1.8. Policy qualifiers syntax and semantics [OMITTED]....39 + res-certs-01].................................................38 + 7.1. Certificate profile [OMITTED]............................38 + 7.1.1. Version number(s) [OMITTED].........................38 + 7.1.2. Certificate extensions [OMITTED]....................38 + 7.1.3. Algorithm object identifiers [OMITTED]..............38 + 7.1.4. Name forms [OMITTED]................................38 + 7.1.5. Name constraints [OMITTED]..........................38 + 7.1.6. Certificate policy object identifier [OMITTED]......38 + 7.1.7. Usage of Policy Constraints extension [OMITTED].....38 + 7.1.8. Policy qualifiers syntax and semantics [OMITTED]....38 7.1.9. Processing semantics for the critical Certificate - Policies extension [OMITTED]...............................39 - 7.2. CRL profile [OMITTED]....................................39 - 7.2.1. Version number(s) [OMITTED].........................39 - 7.2.2. CRL and CRL entry extensions [OMITTED]..............39 - 7.3. OCSP profile [OMITTED]...................................39 - 7.3.1. Version number(s) [OMITTED].........................39 - 7.3.2. OCSP extensions [OMITTED]...........................40 - 8. Compliance Audit and Other Assessments........................41 - 8.1. Frequency or circumstances of assessment.................41 - 8.2. Identity/qualifications of assessor......................41 - 8.3. Assessor's relationship to assessed entity...............41 - 8.4. Topics covered by assessment.............................41 - 8.5. Actions taken as a result of deficiency..................41 - 8.6. Communication of results.................................41 - 9. Other Business And Legal Matters..............................42 - 9.1. Fees.....................................................42 - 9.1.1. Certificate issuance or renewal fees................42 - 9.1.2. Fees for other services (if applicable).............42 - 9.1.3. Refund policy.......................................42 - 9.2. Financial responsibility.................................42 - 9.2.1. Insurance coverage..................................42 - 9.2.2. Other assets........................................42 - 9.2.3. Insurance or warranty coverage for end-entities.....42 - 9.3. Confidentiality of business information..................42 - 9.3.1. Scope of confidential information...................42 + Policies extension [OMITTED]...............................38 + 7.2. CRL profile [OMITTED]....................................38 + 7.2.1. Version number(s) [OMITTED].........................38 + 7.2.2. CRL and CRL entry extensions [OMITTED]..............38 + 7.3. OCSP profile [OMITTED]...................................38 + 7.3.1. Version number(s) [OMITTED].........................38 + 7.3.2. OCSP extensions [OMITTED]...........................38 + 8. Compliance Audit and Other Assessments........................39 + 8.1. Frequency or circumstances of assessment.................39 + 8.2. Identity/qualifications of assessor......................39 + 8.3. Assessor's relationship to assessed entity...............39 + 8.4. Topics covered by assessment.............................39 + 8.5. Actions taken as a result of deficiency..................39 + 8.6. Communication of results.................................39 + 9. Other Business And Legal Matters..............................40 + 9.1. Fees.....................................................40 + 9.1.1. Certificate issuance or renewal fees................40 + 9.1.2. Fees for other services (if applicable).............40 + 9.1.3. Refund policy.......................................40 + 9.2. Financial responsibility.................................40 + 9.2.1. Insurance coverage..................................40 + 9.2.2. Other assets........................................40 + 9.2.3. Insurance or warranty coverage for end-entities.....40 + 9.3. Confidentiality of business information..................40 + 9.3.1. Scope of confidential information...................40 9.3.2. Information not within the scope of confidential - information................................................42 - 9.3.3. Responsibility to protect confidential information..42 - 9.4. Privacy of personal information..........................42 - 9.4.1. Privacy plan........................................42 - 9.4.2. Information treated as private......................42 - 9.4.3. Information not deemed private......................42 - 9.4.4. Responsibility to protect private information.......42 - 9.4.5. Notice and consent to use private information.......42 + information................................................40 + 9.3.3. Responsibility to protect confidential information..40 + 9.4. Privacy of personal information..........................40 + 9.4.1. Privacy plan........................................40 + 9.4.2. Information treated as private......................40 + 9.4.3. Information not deemed private......................40 + 9.4.4. Responsibility to protect private information.......40 + 9.4.5. Notice and consent to use private information.......40 9.4.6. Disclosure pursuant to judicial or administrative - process....................................................43 - 9.4.7. Other information disclosure circumstances..........43 - 9.5. Intellectual property rights (if applicable).............43 - 9.6. Representations and warranties...........................43 - 9.6.1. CA representations and warranties...................43 - 9.6.2. Subscriber representations and warranties...........43 - 9.6.3. Relying party representations and warranties........43 + process....................................................41 + 9.4.7. Other information disclosure circumstances..........41 + 9.5. Intellectual property rights (if applicable).............41 + 9.6. Representations and warranties...........................41 + 9.6.1. CA representations and warranties...................41 + 9.6.2. Subscriber representations and warranties...........41 + 9.6.3. Relying party representations and warranties........41 9.6.4. Representations and warranties of other participants - [OMITTED]..................................................43 - 9.7. Disclaimers of warranties................................43 - 9.8. Limitations of liability.................................43 - 9.9. Indemnities..............................................43 - 9.10. Term and termination....................................43 - 9.10.1. Term...............................................43 - 9.10.2. Termination........................................43 - 9.10.3. Effect of termination and survival.................43 - 9.11. Individual notices and communications with participants.43 - 9.12. Amendments..............................................43 - 9.12.1. Procedure for amendment............................43 - 9.12.2. Notification mechanism and period..................43 + [OMITTED]..................................................41 + 9.7. Disclaimers of warranties................................41 + 9.8. Limitations of liability.................................41 + 9.9. Indemnities..............................................41 + 9.10. Term and termination....................................41 + 9.10.1. Term...............................................41 + 9.10.2. Termination........................................41 + 9.10.3. Effect of termination and survival.................41 + 9.11. Individual notices and communications with participants.41 + 9.12. Amendments..............................................41 + 9.12.1. Procedure for amendment............................41 + 9.12.2. Notification mechanism and period..................41 9.12.3. Circumstances under which OID must be changed - [OMITTED]..................................................43 - 9.13. Dispute resolution provisions...........................43 - 9.14. Governing law...........................................43 - 9.15. Compliance with applicable law..........................43 - 9.16. Miscellaneous provisions................................43 - 9.16.1. Entire agreement...................................44 - 9.16.2. Assignment.........................................44 - 9.16.3. Severability.......................................44 - 9.16.4. Enforcement (attorneys' fees and waiver of rights).44 - 9.16.5. Force Majeure......................................44 - 9.17. Other provisions [OMITTED]..............................44 - 10. Security Considerations......................................45 - 11. IANA Considerations..........................................45 - 12. Acknowledgments..............................................45 - 13. References...................................................45 - 13.1. Normative References....................................45 - 13.2. Informative References..................................46 - Author's Addresses...............................................46 - Intellectual Property Statement..................................47 - Disclaimer of Validity...........................................47 - Copyright Statement..............................................47 + [OMITTED]..................................................41 + 9.13. Dispute resolution provisions...........................41 + 9.14. Governing law...........................................41 + 9.15. Compliance with applicable law..........................41 + 9.16. Miscellaneous provisions................................41 + 9.16.1. Entire agreement...................................42 + 9.16.2. Assignment.........................................42 + 9.16.3. Severability.......................................42 + 9.16.4. Enforcement (attorneys' fees and waiver of rights).42 + 9.16.5. Force Majeure......................................42 + 9.17. Other provisions [OMITTED]..............................42 + 10. Security Considerations......................................43 + 11. IANA Considerations..........................................43 + 12. Acknowledgments..............................................43 + 13. References...................................................43 + 13.1. Normative References....................................43 + 13.2. Informative References..................................44 + Author's Addresses...............................................44 + Intellectual Property Statement..................................45 + Disclaimer of Validity...........................................45 + Copyright Statement..............................................45 Preface This document contains a template to be used for creating a Certification Practice Statement (CPS) for an Internet Registry (e.g., an NIR or RIR) that is part of the Internet IP Address and Autonomous System (AS) Number Public Key Infrastructure (PKI). The user of this document should 1. substitute a title page for page 1 saying, e.g., ". It describes the practices employed by the Certification Authority (CA) in the Internet IP Address and Autonomous System (AS) Number PKI. These practices are defined in accordance with the requirements of the Certificate Policy (CP, - [RFCxxxx]) of this PKI. + [CP]) of this PKI. The Internet IP Address and AS Number PKI is aimed at supporting verifiable attestations about resource controls, e.g., for improved routing security. The goal is that each entity that allocates IP addresses or AS numbers to an entity will, in parallel, issue a certificate reflecting this allocation. These certificates will enable verification that the holder of the associated private key has been allocated the resources indicated in the certificate, and is the current, unique holder of these resources. The certificates and CRLs, in conjunction with ancillary digitally signed data @@ -656,23 +654,21 @@ 2.3. Time or Frequency of Publication As per the CP, the following standards exist for publication times and frequency: - A certificate will be published within 24 hours after a CA has - received acknowledgement from the subject of the certificate that - the certificate is accurate. + A certificate will be published within 24 hours after issuance. The CA will publish its CRL prior to the nextScheduledUpdate value in the scheduled CRL previously issued by the CA. Within 24 hours of effecting revocation, the CA will publish a CRL with an entry for the revoked certificate. 2.4. Access controls on repositories Access to the repository system, for modification of entries, must be controlled to prevent denial of service attacks. All data @@ -907,72 +903,44 @@ 4.2.3. Time to process certificate applications 4.3. Certificate issuance 4.3.1. CA actions during certificate issuance - + 4.3.2. Notification to subscriber by the CA of issuance of certificate - + - Notification of certificate issuance by the CA to other entities - [OMITTED> +4.3.3. Notification of certificate issuance by the CA to other entities +[OMITTED] 4.4. Certificate acceptance 4.4.1. Conduct constituting certificate acceptance - When a draft certificate is generated and the subscriber is - notified, it is required that the subscriber review the proposed - certificate and either approve or reject it within days. - - If a certificate remains unprocessed by the requester after - days, + When a certificate is issued, the CA will place it in the repository + and notify the subscriber. This will be done without subscriber + review and acceptance. 4.4.2. Publication of the certificate by the CA - Certificates will be published in the Repository system once - approved. + Certificates will be published in the Repository system once issued + following the conduct described in 4.4.1. 4.5. Key pair and certificate usage A summary of the use model for the IP Address and AS Number PKI is provided below. 4.5.1. Subscriber private key and certificate usage The certificates issued by this registry to resource holders are CA certificates. The private key associated with each of these @@ -1031,22 +999,23 @@ This must include verification that the certificate in question has not been revoked.> 4.6.4. Notification of new certificate issuance to subscriber 4.6.5. Conduct constituting acceptance of a renewal certificate - + When a renewal certificate is issued, the CA will place it in the + repository and notify the subscriber. This will be done without + subscriber review and acceptance. 4.6.6. Publication of the renewal certificate by the CA 4.6.7. Notification of certificate issuance by the CA to other entities [OMITTED] 4.7. Certificate re-key @@ -1092,23 +1060,23 @@ 4.7.4. Notification of new certificate issuance to subscriber 4.7.5. Conduct constituting acceptance of a re-keyed certificate - + When a re-keyed certificate is issued, the CA will place it in the + repository and notify the subscriber. This will be done without + subscriber review and acceptance. 4.7.6. Publication of the re-keyed certificate by the CA 4.7.7. Notification of certificate issuance by the CA to other entities [OMITTED] @@ -1156,23 +1124,23 @@ and 4.3.1.> 4.8.4. Notification of modified certificate issuance to subscriber 4.8.5. Conduct constituting acceptance of modified certificate - + When a modified certificate is issued, the CA will place it in the + repository and notify the subscriber. This will be done without + subscriber review and acceptance. 4.8.6. Publication of the modified certificate by the CA 4.8.7. Notification of certificate issuance by the CA to other entities [OMITTED] @@ -1643,22 +1611,21 @@ operation. These should be commensurate with the network security controls employed for the computers used for managing allocation of IP addresses and AS numbers.> 6.8. Time-stamping The PKI in question does not make use of time stamping. 7. Certificate and CRL Profiles - Please refer to the Certificate and CRL Profile [draft-ietf-sidr- - res-certs-01]. + Please refer to the Certificate and CRL Profile [RESCERT]. 7.1. Certificate profile [OMITTED] 7.1.1. Version number(s) [OMITTED] 7.1.2. Certificate extensions [OMITTED] 7.1.2.1. Required certificate extensions [OMITTED] 7.1.2.2. Deprecated certificate extensions [OMITTED] @@ -1845,40 +1812,40 @@ the PKI entities such as CA, RA, repository, subscriber systems, and relying party systems. 11. IANA Considerations None. 12. Acknowledgments The authors would like to thank Geoff Huston for reviewing this - document. + document and Matt Houston for his help with the formatting. 13. References 13.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3280] Housley, R., Polk, W. Ford, W., Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", BCP 14, RFC 2119, March 1997. - [RFCxxxx] Seo, K., Watro, R., Kong, D., and Kent, S. , - "Certificate Policy for the Internet IP Address and AS Number - PKI", RFC xxxx. + [CP] Seo, K., Watro, R., Kong, D., and Kent, S., "Certificate + Policy for the Internet IP Address and AS Number PKI", draft- + ietf-sidr-cp, July 2007 (work in progress). - [draft-ietf-sidr-res-certs-01] Huston, G., Loomans, R., - Michaelson, G., "A Profile for X.509 PKIX Resource - Certificates", work in progress, June 19, 2006. + [RESCERT] Huston, G., Loomans, R., Michaelson, G., "A Profile for + X.509 PKIX Resource Certificates", draft-ietf-sidr-res-certs, + June 2007 (work in progress). 13.2. Informative References [BGP4] Y. Rekhter, T. Li (editors), A Border Gateway Protocol 4 (BGP-4). IETF RFC 1771, March 1995. [FIPS] Federal Information Processing Standards Publication 140-2 (FIPS PUB 140-2), "Security Requirements for Cryptographic Modules", Information Technology Laboratory, National Institute of Standards and Technology, May 25, 2001.