draft-ietf-sidr-publication-02.txt | draft-ietf-sidr-publication-03.txt | |||
---|---|---|---|---|
Network Working Group S. Weiler | Network Working Group S. Weiler | |||
Internet-Draft A. Sonalker | Internet-Draft SPARTA, Inc. | |||
Intended status: Standards Track SPARTA, Inc. | Intended status: Standards Track A. Sonalker | |||
Expires: September 13, 2012 R. Austein | Expires: January 17, 2013 Battelle Memorial Institute | |||
R. Austein | ||||
Dragon Research Labs | Dragon Research Labs | |||
March 12, 2012 | July 16, 2012 | |||
A Publication Protocol for the Resource Public Key Infrastructure (RPKI) | A Publication Protocol for the Resource Public Key Infrastructure (RPKI) | |||
draft-ietf-sidr-publication-02 | draft-ietf-sidr-publication-03 | |||
Abstract | Abstract | |||
This document defines a protocol for publishing Resource Public Key | This document defines a protocol for publishing Resource Public Key | |||
Infrastructure (RPKI) objects. Even though the RPKI will have many | Infrastructure (RPKI) objects. Even though the RPKI will have many | |||
participants issuing certificates and creating other objects, it is | participants issuing certificates and creating other objects, it is | |||
operationally useful to consolidate the publication of those objects. | operationally useful to consolidate the publication of those objects. | |||
This document provides the protocol for doing so. | This document provides the protocol for doing so. | |||
Status of this Memo | Status of this Memo | |||
skipping to change at page 1, line 36 | skipping to change at page 1, line 37 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on September 13, 2012. | This Internet-Draft will expire on January 17, 2013. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 6, line 10 | skipping to change at page 6, line 10 | |||
3.2.2. Client Object | 3.2.2. Client Object | |||
Unlike the <config/> object, the <client/> object represents one | Unlike the <config/> object, the <client/> object represents one | |||
client authorized to use the publication server. There may be more | client authorized to use the publication server. There may be more | |||
than one <client/> object on each publication server. Again, its use | than one <client/> object on each publication server. Again, its use | |||
is typically restricted to the respository operator. | is typically restricted to the respository operator. | |||
The <client/> object supports five actions: "create", "set", "get", | The <client/> object supports five actions: "create", "set", "get", | |||
"list", and "destroy". Each client has a "client_handle" attribute, | "list", and "destroy". Each client has a "client_handle" attribute, | |||
which is used in responses and must be specified in "create", "set", | which is used in responses and must be specified in "create", "set", | |||
"get", or "destroy" actions. | "get", or "destroy" actions. The "create" and "set" actions take | |||
optional boolean attributes. The only attribute currently defined is | ||||
used to clear CMS-timestamp-based replay protection, to allow | ||||
recovery from misconfigured clocks. | ||||
Payload data which can be configured in a <client/> object include: | Payload data which can be configured in a <client/> object include: | |||
o base_uri (attribute): This attribute represents the base URI below | o base_uri (attribute): This attribute represents the base URI below | |||
which the client will be allowed to publish data. Additional | which the client will be allowed to publish data. Additional | |||
constraints may be imposed by the publication server in certain | constraints may be imposed by the publication server in certain | |||
cases, for e.g., a child publishing directly under its parent. | cases, for e.g., a child publishing directly under its parent. | |||
o bpki_cert (element): This represents the X.509 BPKI CA certificate | o bpki_cert (element): This represents the X.509 BPKI CA certificate | |||
for this client. This should be used as part of the certificate | for this client. This should be used as part of the certificate | |||
chain when validating incoming CMS messages. Two valid approaches | chain when validating incoming CMS messages. Two valid approaches | |||
exist. If the optional bpki_glue certificate is being used, then | exist. If the optional bpki_glue certificate is being used, then | |||
the bpki_cert certificate should be issued by the bpki_glue | the bpki_cert certificate should be issued by the bpki_glue | |||
certificate; otherwise, the bpki_cert certificate should be issued | certificate; otherwise, the bpki_cert certificate should be issued | |||
by the publication engine's bpki_ta certificate. | by the publication engine's bpki_ta certificate. | |||
o bpki_glue (element): This is an additional (optional) type of | o bpki_glue (element): This is an additional (optional) X.509 | |||
X.509 certificate for this client. It may be used in certain | certificate for this client. It may be used in certain | |||
pathological cross-certification cases which require a two- | pathological cross-certification cases which require a two- | |||
certificate chain due to issuer name conflicts. When being used, | certificate chain due to issuer name conflicts. When being used, | |||
issuing order is that the bpki_glue certificate should be the | issuing order is that the bpki_glue certificate should be the | |||
issuer of the bpki_cert certificate. Otherwise, it should be | issuer of the bpki_cert certificate. Otherwise, it should be | |||
issued by the publication engine's bpki_ta certificate. Since | issued by the publication engine's bpki_ta certificate. Since | |||
this is an optional use certificate, it may be left unset if not | this is an optional use certificate, it may be left unset if not | |||
needed. | needed. | |||
3.3. Publication Sub-Protocol | 3.3. Publication Sub-Protocol | |||
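Review bot: the sentence added to 3.2.2 in -03 ("The only attribute currently defined is used to clear CMS-timestamp-based replay protection") never names the attribute, so a reader of the prose cannot locate it in the schema; name it here (the schema calls it "clear_replay_protection") and state whether the clear is consumed by the next accepted message or persists until the operator resets it, since a client left in the cleared state has no replay protection at all. Two small wording issues also survive unchanged from -02: "respository" in the first paragraph and "for e.g." in the base_uri item.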
skipping to change at page 8, line 46 | skipping to change at page 8, line 49 | |||
config_payload } | config_payload } | |||
config_reply |= element config { attribute action { "set" }, tag? } | config_reply |= element config { attribute action { "set" }, tag? } | |||
config_query |= element config { attribute action { "get" }, tag? } | config_query |= element config { attribute action { "get" }, tag? } | |||
config_reply |= element config { attribute action { "get" }, tag?, | config_reply |= element config { attribute action { "get" }, tag?, | |||
config_payload } | config_payload } | |||
# <client/> element (use restricted to repository operator) | # <client/> element (use restricted to repository operator) | |||
client_handle = attribute client_handle { object_handle } | client_handle = attribute client_handle { object_handle } | |||
client_payload = (attribute base_uri { uri_t }?, element bpki_cert { | client_payload = (attribute base_uri { uri_t }?, element bpki_cert { | |||
base64 }?, element bpki_glue { base64 }?) | base64 }?, element bpki_glue { base64 }?) | |||
client_bool = attribute clear_replay_protection { "yes" }? | ||||
client_query |= element client { attribute action { "create" }, | client_query |= element client { attribute action { "create" }, | |||
tag?, client_handle, client_payload } | tag?, client_handle, client_bool, client_payload } | |||
client_reply |= element client { attribute action { "create" }, | client_reply |= element client { attribute action { "create" }, | |||
tag?, client_handle } | tag?, client_handle } | |||
client_query |= element client { attribute action { "set" }, tag?, | client_query |= element client { attribute action { "set" }, tag?, | |||
client_handle, client_payload } | client_handle, client_bool, client_payload } | |||
client_reply |= element client { attribute action { "set" }, tag?, | client_reply |= element client { attribute action { "set" }, tag?, | |||
client_handle } | client_handle } | |||
client_query |= element client { attribute action { "get" }, tag?, | client_query |= element client { attribute action { "get" }, tag?, | |||
client_handle } | client_handle } | |||
client_reply |= element client { attribute action { "get" }, tag?, | client_reply |= element client { attribute action { "get" }, tag?, | |||
client_handle, client_payload } | client_handle, client_payload } | |||
client_query |= element client { attribute action { "list" }, tag? } | client_query |= element client { attribute action { "list" }, tag? } | |||
client_reply |= element client { attribute action { "list" }, tag?, | client_reply |= element client { attribute action { "list" }, tag?, | |||
client_handle, client_payload } | client_handle, client_payload } | |||
client_query |= element client { attribute action { "destroy" }, | client_query |= element client { attribute action { "destroy" }, | |||
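Review bot: the new production client_bool = attribute clear_replay_protection { "yes" }? admits only the literal "yes", so the "optional boolean attributes" wording in 3.2.2 is misleading: there is no "no" value and the false case is expressed by omitting the attribute. Either widen the production to { "yes" | "no" } or describe it in the prose as a flag. It is also unclear what clear_replay_protection means in a "create" query, where the server cannot yet have recorded a CMS timestamp for the client; if it is a no-op there, say so, or drop client_bool from the "create" production and keep it only on "set".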
skipping to change at page 18, line 20 | skipping to change at page 18, line 20 | |||
Security considerations: Carries an RPKI Publication Protocol | Security considerations: Carries an RPKI Publication Protocol | |||
Message, as defined in this document. | Message, as defined in this document. | |||
Interoperability considerations: None | Interoperability considerations: None | |||
Published specification: This document | Published specification: This document | |||
Applications which use this media type: HTTP | Applications which use this media type: HTTP | |||
Additional information: | Additional information: | |||
Magic number(s): None | Magic number(s): None | |||
File extension(s): | File extension(s): | |||
Macintosh File Type Code(s): | Macintosh File Type Code(s): | |||
Person & email address to contact for further information: | Person & email address to contact for further information: | |||
Rob Austein <sra@isc.org> | Rob Austein <sra@hactrn.net> | |||
Intended usage: COMMON | Intended usage: COMMON | |||
Author/Change controller: Rob Austein <sra@isc.org> | Author/Change controller: Rob Austein <sra@hactrn.net> | |||
7. Security Considerations | 7. Security Considerations | |||
The RPKI publication protocol and the data it publishes use entirely | The RPKI publication protocol and the data it publishes use entirely | |||
separate PKIs for authentication. The published data is | separate PKIs for authentication. The published data is | |||
authenticated within the RPKI, and this protocol has nothing to do | authenticated within the RPKI, and this protocol has nothing to do | |||
with that authentication, nor does it require that the published | with that authentication, nor does it require that the published | |||
objects be valid in the RPKI. The publication protocol uses a | objects be valid in the RPKI. The publication protocol uses a | |||
separate Business PKI (BPKI) to authenticate its messages. | separate Business PKI (BPKI) to authenticate its messages. | |||
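Review bot: the Security Considerations paragraph is unchanged in -03 even though this revision adds a way to clear CMS-timestamp-based replay protection; it should gain a sentence saying that the clear exists only to recover from misconfigured clocks, that by its own description it removes the server's defence against an earlier CMS message for that client being presented again, and that the action is therefore limited to the repository operator, matching the restriction already stated in 3.2.2.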
skipping to change at page 19, line 32 | skipping to change at page 19, line 32 | |||
Samuel Weiler | Samuel Weiler | |||
SPARTA, Inc. | SPARTA, Inc. | |||
7110 Samuel Morse Drive | 7110 Samuel Morse Drive | |||
Columbia, Maryland 21046 | Columbia, Maryland 21046 | |||
US | US | |||
Email: weiler@tislabs.com | Email: weiler@tislabs.com | |||
Anuja Sonalker | Anuja Sonalker | |||
SPARTA, Inc. | Battelle Memorial Institute | |||
7110 Samuel Morse Drive | ||||
Columbia, Maryland 21046 | Columbia, Maryland 21046 | |||
US | US | |||
Email: Anuja.Sonalker@sparta.com | Email: sonalkera@battelle.org | |||
Rob Austein | Rob Austein | |||
Dragon Research Labs | Dragon Research Labs | |||
Email: sra@hactrn.net | Email: sra@hactrn.net | |||
End of changes. 13 change blocks. | ||||
17 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |