| draft-ietf-sidr-publication-02.txt | draft-ietf-sidr-publication-03.txt | |||
|---|---|---|---|---|
| Network Working Group S. Weiler | Network Working Group S. Weiler | |||
| Internet-Draft A. Sonalker | Internet-Draft SPARTA, Inc. | |||
| Intended status: Standards Track SPARTA, Inc. | Intended status: Standards Track A. Sonalker | |||
| Expires: September 13, 2012 R. Austein | Expires: January 17, 2013 Battelle Memorial Institute | |||
| R. Austein | ||||
| Dragon Research Labs | Dragon Research Labs | |||
| March 12, 2012 | July 16, 2012 | |||
| A Publication Protocol for the Resource Public Key Infrastructure (RPKI) | A Publication Protocol for the Resource Public Key Infrastructure (RPKI) | |||
| draft-ietf-sidr-publication-02 | draft-ietf-sidr-publication-03 | |||
| Abstract | Abstract | |||
| This document defines a protocol for publishing Resource Public Key | This document defines a protocol for publishing Resource Public Key | |||
| Infrastructure (RPKI) objects. Even though the RPKI will have many | Infrastructure (RPKI) objects. Even though the RPKI will have many | |||
| participants issuing certificates and creating other objects, it is | participants issuing certificates and creating other objects, it is | |||
| operationally useful to consolidate the publication of those objects. | operationally useful to consolidate the publication of those objects. | |||
| This document provides the protocol for doing so. | This document provides the protocol for doing so. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 37 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 13, 2012. | This Internet-Draft will expire on January 17, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 6, line 10 | skipping to change at page 6, line 10 | |||
| 3.2.2. Client Object | 3.2.2. Client Object | |||
| Unlike the <config/> object, the <client/> object represents one | Unlike the <config/> object, the <client/> object represents one | |||
| client authorized to use the publication server. There may be more | client authorized to use the publication server. There may be more | |||
| than one <client/> object on each publication server. Again, its use | than one <client/> object on each publication server. Again, its use | |||
| is typically restricted to the respository operator. | is typically restricted to the respository operator. | |||
| The <client/> object supports five actions: "create", "set", "get", | The <client/> object supports five actions: "create", "set", "get", | |||
| "list", and "destroy". Each client has a "client_handle" attribute, | "list", and "destroy". Each client has a "client_handle" attribute, | |||
| which is used in responses and must be specified in "create", "set", | which is used in responses and must be specified in "create", "set", | |||
| "get", or "destroy" actions. | "get", or "destroy" actions. The "create" and "set" actions take | |||
| optional boolean attributes. The only attribute currently defined is | ||||
| used to clear CMS-timestamp-based replay protection, to allow | ||||
| recovery from misconfigured clocks. | ||||
| Payload data which can be configured in a <client/> object include: | Payload data which can be configured in a <client/> object include: | |||
| o base_uri (attribute): This attribute represents the base URI below | o base_uri (attribute): This attribute represents the base URI below | |||
| which the client will be allowed to publish data. Additional | which the client will be allowed to publish data. Additional | |||
| constraints may be imposed by the publication server in certain | constraints may be imposed by the publication server in certain | |||
| cases, for e.g., a child publishing directly under its parent. | cases, for e.g., a child publishing directly under its parent. | |||
| o bpki_cert (element): This represents the X.509 BPKI CA certificate | o bpki_cert (element): This represents the X.509 BPKI CA certificate | |||
| for this client. This should be used as part of the certificate | for this client. This should be used as part of the certificate | |||
| chain when validating incoming CMS messages. Two valid approaches | chain when validating incoming CMS messages. Two valid approaches | |||
| exist. If the optional bpki_glue certificate is being used, then | exist. If the optional bpki_glue certificate is being used, then | |||
| the bpki_cert certificate should be issued by the bpki_glue | the bpki_cert certificate should be issued by the bpki_glue | |||
| certificate; otherwise, the bpki_cert certificate should be issued | certificate; otherwise, the bpki_cert certificate should be issued | |||
| by the publication engine's bpki_ta certificate. | by the publication engine's bpki_ta certificate. | |||
| o bpki_glue (element): This is an additional (optional) type of | o bpki_glue (element): This is an additional (optional) X.509 | |||
| X.509 certificate for this client. It may be used in certain | certificate for this client. It may be used in certain | |||
| pathological cross-certification cases which require a two- | pathological cross-certification cases which require a two- | |||
| certificate chain due to issuer name conflicts. When being used, | certificate chain due to issuer name conflicts. When being used, | |||
| issuing order is that the bpki_glue certificate should be the | issuing order is that the bpki_glue certificate should be the | |||
| issuer of the bpki_cert certificate. Otherwise, it should be | issuer of the bpki_cert certificate. Otherwise, it should be | |||
| issued by the publication engine's bpki_ta certificate. Since | issued by the publication engine's bpki_ta certificate. Since | |||
| this is an optional use certificate, it may be left unset if not | this is an optional use certificate, it may be left unset if not | |||
| needed. | needed. | |||
| 3.3. Publication Sub-Protocol | 3.3. Publication Sub-Protocol | |||
| skipping to change at page 8, line 46 | skipping to change at page 8, line 49 | |||
| config_payload } | config_payload } | |||
| config_reply |= element config { attribute action { "set" }, tag? } | config_reply |= element config { attribute action { "set" }, tag? } | |||
| config_query |= element config { attribute action { "get" }, tag? } | config_query |= element config { attribute action { "get" }, tag? } | |||
| config_reply |= element config { attribute action { "get" }, tag?, | config_reply |= element config { attribute action { "get" }, tag?, | |||
| config_payload } | config_payload } | |||
| # <client/> element (use restricted to repository operator) | # <client/> element (use restricted to repository operator) | |||
| client_handle = attribute client_handle { object_handle } | client_handle = attribute client_handle { object_handle } | |||
| client_payload = (attribute base_uri { uri_t }?, element bpki_cert { | client_payload = (attribute base_uri { uri_t }?, element bpki_cert { | |||
| base64 }?, element bpki_glue { base64 }?) | base64 }?, element bpki_glue { base64 }?) | |||
| client_bool = attribute clear_replay_protection { "yes" }? | ||||
| client_query |= element client { attribute action { "create" }, | client_query |= element client { attribute action { "create" }, | |||
| tag?, client_handle, client_payload } | tag?, client_handle, client_bool, client_payload } | |||
| client_reply |= element client { attribute action { "create" }, | client_reply |= element client { attribute action { "create" }, | |||
| tag?, client_handle } | tag?, client_handle } | |||
| client_query |= element client { attribute action { "set" }, tag?, | client_query |= element client { attribute action { "set" }, tag?, | |||
| client_handle, client_payload } | client_handle, client_bool, client_payload } | |||
| client_reply |= element client { attribute action { "set" }, tag?, | client_reply |= element client { attribute action { "set" }, tag?, | |||
| client_handle } | client_handle } | |||
| client_query |= element client { attribute action { "get" }, tag?, | client_query |= element client { attribute action { "get" }, tag?, | |||
| client_handle } | client_handle } | |||
| client_reply |= element client { attribute action { "get" }, tag?, | client_reply |= element client { attribute action { "get" }, tag?, | |||
| client_handle, client_payload } | client_handle, client_payload } | |||
| client_query |= element client { attribute action { "list" }, tag? } | client_query |= element client { attribute action { "list" }, tag? } | |||
| client_reply |= element client { attribute action { "list" }, tag?, | client_reply |= element client { attribute action { "list" }, tag?, | |||
| client_handle, client_payload } | client_handle, client_payload } | |||
| client_query |= element client { attribute action { "destroy" }, | client_query |= element client { attribute action { "destroy" }, | |||
| skipping to change at page 18, line 20 | skipping to change at page 18, line 20 | |||
| Security considerations: Carries an RPKI Publication Protocol | Security considerations: Carries an RPKI Publication Protocol | |||
| Message, as defined in this document. | Message, as defined in this document. | |||
| Interoperability considerations: None | Interoperability considerations: None | |||
| Published specification: This document | Published specification: This document | |||
| Applications which use this media type: HTTP | Applications which use this media type: HTTP | |||
| Additional information: | Additional information: | |||
| Magic number(s): None | Magic number(s): None | |||
| File extension(s): | File extension(s): | |||
| Macintosh File Type Code(s): | Macintosh File Type Code(s): | |||
| Person & email address to contact for further information: | Person & email address to contact for further information: | |||
| Rob Austein <sra@isc.org> | Rob Austein <sra@hactrn.net> | |||
| Intended usage: COMMON | Intended usage: COMMON | |||
| Author/Change controller: Rob Austein <sra@isc.org> | Author/Change controller: Rob Austein <sra@hactrn.net> | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The RPKI publication protocol and the data it publishes use entirely | The RPKI publication protocol and the data it publishes use entirely | |||
| separate PKIs for authentication. The published data is | separate PKIs for authentication. The published data is | |||
| authenticated within the RPKI, and this protocol has nothing to do | authenticated within the RPKI, and this protocol has nothing to do | |||
| with that authentication, nor does it require that the published | with that authentication, nor does it require that the published | |||
| objects be valid in the RPKI. The publication protocol uses a | objects be valid in the RPKI. The publication protocol uses a | |||
| separate Business PKI (BPKI) to authenticate its messages. | separate Business PKI (BPKI) to authenticate its messages. | |||
| skipping to change at page 19, line 32 | skipping to change at page 19, line 32 | |||
| Samuel Weiler | Samuel Weiler | |||
| SPARTA, Inc. | SPARTA, Inc. | |||
| 7110 Samuel Morse Drive | 7110 Samuel Morse Drive | |||
| Columbia, Maryland 21046 | Columbia, Maryland 21046 | |||
| US | US | |||
| Email: weiler@tislabs.com | Email: weiler@tislabs.com | |||
| Anuja Sonalker | Anuja Sonalker | |||
| SPARTA, Inc. | Battelle Memorial Institute | |||
| 7110 Samuel Morse Drive | ||||
| Columbia, Maryland 21046 | Columbia, Maryland 21046 | |||
| US | US | |||
| Email: Anuja.Sonalker@sparta.com | Email: sonalkera@battelle.org | |||
| Rob Austein | Rob Austein | |||
| Dragon Research Labs | Dragon Research Labs | |||
| Email: sra@hactrn.net | Email: sra@hactrn.net | |||
| End of changes. 13 change blocks. | ||||
| 17 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||