draft-ietf-sidr-publication-02.txt   draft-ietf-sidr-publication-03.txt 
Network Working Group S. Weiler Network Working Group S. Weiler
Internet-Draft A. Sonalker Internet-Draft SPARTA, Inc.
Intended status: Standards Track SPARTA, Inc. Intended status: Standards Track A. Sonalker
Expires: September 13, 2012 R. Austein Expires: January 17, 2013 Battelle Memorial Institute
R. Austein
Dragon Research Labs Dragon Research Labs
March 12, 2012 July 16, 2012
A Publication Protocol for the Resource Public Key Infrastructure (RPKI) A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidr-publication-02 draft-ietf-sidr-publication-03
Abstract Abstract
This document defines a protocol for publishing Resource Public Key This document defines a protocol for publishing Resource Public Key
Infrastructure (RPKI) objects. Even though the RPKI will have many Infrastructure (RPKI) objects. Even though the RPKI will have many
participants issuing certificates and creating other objects, it is participants issuing certificates and creating other objects, it is
operationally useful to consolidate the publication of those objects. operationally useful to consolidate the publication of those objects.
This document provides the protocol for doing so. This document provides the protocol for doing so.
Status of this Memo Status of this Memo
skipping to change at page 1, line 36 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2012. This Internet-Draft will expire on January 17, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 10 skipping to change at page 6, line 10
3.2.2. Client Object 3.2.2. Client Object
Unlike the <config/> object, the <client/> object represents one Unlike the <config/> object, the <client/> object represents one
client authorized to use the publication server. There may be more client authorized to use the publication server. There may be more
than one <client/> object on each publication server. Again, its use than one <client/> object on each publication server. Again, its use
is typically restricted to the respository operator. is typically restricted to the respository operator.
The <client/> object supports five actions: "create", "set", "get", The <client/> object supports five actions: "create", "set", "get",
"list", and "destroy". Each client has a "client_handle" attribute, "list", and "destroy". Each client has a "client_handle" attribute,
which is used in responses and must be specified in "create", "set", which is used in responses and must be specified in "create", "set",
"get", or "destroy" actions. "get", or "destroy" actions. The "create" and "set" actions take
optional boolean attributes. The only attribute currently defined is
used to clear CMS-timestamp-based replay protection, to allow
recovery from misconfigured clocks.
Payload data which can be configured in a <client/> object include: Payload data which can be configured in a <client/> object include:
o base_uri (attribute): This attribute represents the base URI below o base_uri (attribute): This attribute represents the base URI below
which the client will be allowed to publish data. Additional which the client will be allowed to publish data. Additional
constraints may be imposed by the publication server in certain constraints may be imposed by the publication server in certain
cases, for e.g., a child publishing directly under its parent. cases, for e.g., a child publishing directly under its parent.
o bpki_cert (element): This represents the X.509 BPKI CA certificate o bpki_cert (element): This represents the X.509 BPKI CA certificate
for this client. This should be used as part of the certificate for this client. This should be used as part of the certificate
chain when validating incoming CMS messages. Two valid approaches chain when validating incoming CMS messages. Two valid approaches
exist. If the optional bpki_glue certificate is being used, then exist. If the optional bpki_glue certificate is being used, then
the bpki_cert certificate should be issued by the bpki_glue the bpki_cert certificate should be issued by the bpki_glue
certificate; otherwise, the bpki_cert certificate should be issued certificate; otherwise, the bpki_cert certificate should be issued
by the publication engine's bpki_ta certificate. by the publication engine's bpki_ta certificate.
o bpki_glue (element): This is an additional (optional) type of o bpki_glue (element): This is an additional (optional) X.509
X.509 certificate for this client. It may be used in certain certificate for this client. It may be used in certain
pathological cross-certification cases which require a two- pathological cross-certification cases which require a two-
certificate chain due to issuer name conflicts. When being used, certificate chain due to issuer name conflicts. When being used,
issuing order is that the bpki_glue certificate should be the issuing order is that the bpki_glue certificate should be the
issuer of the bpki_cert certificate. Otherwise, it should be issuer of the bpki_cert certificate. Otherwise, it should be
issued by the publication engine's bpki_ta certificate. Since issued by the publication engine's bpki_ta certificate. Since
this is an optional use certificate, it may be left unset if not this is an optional use certificate, it may be left unset if not
needed. needed.
3.3. Publication Sub-Protocol 3.3. Publication Sub-Protocol
skipping to change at page 8, line 46 skipping to change at page 8, line 49
config_payload } config_payload }
config_reply |= element config { attribute action { "set" }, tag? } config_reply |= element config { attribute action { "set" }, tag? }
config_query |= element config { attribute action { "get" }, tag? } config_query |= element config { attribute action { "get" }, tag? }
config_reply |= element config { attribute action { "get" }, tag?, config_reply |= element config { attribute action { "get" }, tag?,
config_payload } config_payload }
# <client/> element (use restricted to repository operator) # <client/> element (use restricted to repository operator)
client_handle = attribute client_handle { object_handle } client_handle = attribute client_handle { object_handle }
client_payload = (attribute base_uri { uri_t }?, element bpki_cert { client_payload = (attribute base_uri { uri_t }?, element bpki_cert {
base64 }?, element bpki_glue { base64 }?) base64 }?, element bpki_glue { base64 }?)
client_bool = attribute clear_replay_protection { "yes" }?
client_query |= element client { attribute action { "create" }, client_query |= element client { attribute action { "create" },
tag?, client_handle, client_payload } tag?, client_handle, client_bool, client_payload }
client_reply |= element client { attribute action { "create" }, client_reply |= element client { attribute action { "create" },
tag?, client_handle } tag?, client_handle }
client_query |= element client { attribute action { "set" }, tag?, client_query |= element client { attribute action { "set" }, tag?,
client_handle, client_payload } client_handle, client_bool, client_payload }
client_reply |= element client { attribute action { "set" }, tag?, client_reply |= element client { attribute action { "set" }, tag?,
client_handle } client_handle }
client_query |= element client { attribute action { "get" }, tag?, client_query |= element client { attribute action { "get" }, tag?,
client_handle } client_handle }
client_reply |= element client { attribute action { "get" }, tag?, client_reply |= element client { attribute action { "get" }, tag?,
client_handle, client_payload } client_handle, client_payload }
client_query |= element client { attribute action { "list" }, tag? } client_query |= element client { attribute action { "list" }, tag? }
client_reply |= element client { attribute action { "list" }, tag?, client_reply |= element client { attribute action { "list" }, tag?,
client_handle, client_payload } client_handle, client_payload }
client_query |= element client { attribute action { "destroy" }, client_query |= element client { attribute action { "destroy" },
skipping to change at page 18, line 20 skipping to change at page 18, line 20
Security considerations: Carries an RPKI Publication Protocol Security considerations: Carries an RPKI Publication Protocol
Message, as defined in this document. Message, as defined in this document.
Interoperability considerations: None Interoperability considerations: None
Published specification: This document Published specification: This document
Applications which use this media type: HTTP Applications which use this media type: HTTP
Additional information: Additional information:
Magic number(s): None Magic number(s): None
File extension(s): File extension(s):
Macintosh File Type Code(s): Macintosh File Type Code(s):
Person & email address to contact for further information: Person & email address to contact for further information:
Rob Austein <sra@isc.org> Rob Austein <sra@hactrn.net>
Intended usage: COMMON Intended usage: COMMON
Author/Change controller: Rob Austein <sra@isc.org> Author/Change controller: Rob Austein <sra@hactrn.net>
7. Security Considerations 7. Security Considerations
The RPKI publication protocol and the data it publishes use entirely The RPKI publication protocol and the data it publishes use entirely
separate PKIs for authentication. The published data is separate PKIs for authentication. The published data is
authenticated within the RPKI, and this protocol has nothing to do authenticated within the RPKI, and this protocol has nothing to do
with that authentication, nor does it require that the published with that authentication, nor does it require that the published
objects be valid in the RPKI. The publication protocol uses a objects be valid in the RPKI. The publication protocol uses a
separate Business PKI (BPKI) to authenticate its messages. separate Business PKI (BPKI) to authenticate its messages.
skipping to change at page 19, line 32 skipping to change at page 19, line 32
Samuel Weiler Samuel Weiler
SPARTA, Inc. SPARTA, Inc.
7110 Samuel Morse Drive 7110 Samuel Morse Drive
Columbia, Maryland 21046 Columbia, Maryland 21046
US US
Email: weiler@tislabs.com Email: weiler@tislabs.com
Anuja Sonalker Anuja Sonalker
SPARTA, Inc. Battelle Memorial Institute
7110 Samuel Morse Drive
Columbia, Maryland 21046 Columbia, Maryland 21046
US US
Email: Anuja.Sonalker@sparta.com Email: sonalkera@battelle.org
Rob Austein Rob Austein
Dragon Research Labs Dragon Research Labs
Email: sra@hactrn.net Email: sra@hactrn.net
 End of changes. 13 change blocks. 
17 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/