--- 1/draft-ietf-sidr-publication-02.txt 2012-07-17 00:14:21.717426592 +0200
+++ 2/draft-ietf-sidr-publication-03.txt 2012-07-17 00:14:21.749426972 +0200
@@ -1,20 +1,21 @@
Network Working Group S. Weiler
-Internet-Draft A. Sonalker
-Intended status: Standards Track SPARTA, Inc.
-Expires: September 13, 2012 R. Austein
+Internet-Draft SPARTA, Inc.
+Intended status: Standards Track A. Sonalker
+Expires: January 17, 2013 Battelle Memorial Institute
+ R. Austein
Dragon Research Labs
- March 12, 2012
+ July 16, 2012
A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
- draft-ietf-sidr-publication-02
+ draft-ietf-sidr-publication-03
Abstract
This document defines a protocol for publishing Resource Public Key
Infrastructure (RPKI) objects. Even though the RPKI will have many
participants issuing certificates and creating other objects, it is
operationally useful to consolidate the publication of those objects.
This document provides the protocol for doing so.
Status of this Memo
@@ -25,21 +26,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on September 13, 2012.
+ This Internet-Draft will expire on January 17, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -212,39 +213,42 @@
3.2.2. Client Object
Unlike the object, the object represents one
client authorized to use the publication server. There may be more
than one object on each publication server. Again, its use
is typically restricted to the respository operator.
The object supports five actions: "create", "set", "get",
"list", and "destroy". Each client has a "client_handle" attribute,
which is used in responses and must be specified in "create", "set",
- "get", or "destroy" actions.
+ "get", or "destroy" actions. The "create" and "set" actions take
+ optional boolean attributes. The only attribute currently defined is
+ used to clear CMS-timestamp-based replay protection, to allow
+ recovery from misconfigured clocks.
Payload data which can be configured in a object include:
o base_uri (attribute): This attribute represents the base URI below
which the client will be allowed to publish data. Additional
constraints may be imposed by the publication server in certain
cases, for e.g., a child publishing directly under its parent.
o bpki_cert (element): This represents the X.509 BPKI CA certificate
for this client. This should be used as part of the certificate
chain when validating incoming CMS messages. Two valid approaches
exist. If the optional bpki_glue certificate is being used, then
the bpki_cert certificate should be issued by the bpki_glue
certificate; otherwise, the bpki_cert certificate should be issued
by the publication engine's bpki_ta certificate.
- o bpki_glue (element): This is an additional (optional) type of
- X.509 certificate for this client. It may be used in certain
+ o bpki_glue (element): This is an additional (optional) X.509
+ certificate for this client. It may be used in certain
pathological cross-certification cases which require a two-
certificate chain due to issuer name conflicts. When being used,
issuing order is that the bpki_glue certificate should be the
issuer of the bpki_cert certificate. Otherwise, it should be
issued by the publication engine's bpki_ta certificate. Since
this is an optional use certificate, it may be left unset if not
needed.
3.3. Publication Sub-Protocol
@@ -343,27 +347,28 @@
config_payload }
config_reply |= element config { attribute action { "set" }, tag? }
config_query |= element config { attribute action { "get" }, tag? }
config_reply |= element config { attribute action { "get" }, tag?,
config_payload }
# element (use restricted to repository operator)
client_handle = attribute client_handle { object_handle }
client_payload = (attribute base_uri { uri_t }?, element bpki_cert {
base64 }?, element bpki_glue { base64 }?)
+ client_bool = attribute clear_replay_protection { "yes" }?
+
client_query |= element client { attribute action { "create" },
- tag?, client_handle, client_payload }
+ tag?, client_handle, client_bool, client_payload }
client_reply |= element client { attribute action { "create" },
tag?, client_handle }
client_query |= element client { attribute action { "set" }, tag?,
- client_handle, client_payload }
-
+ client_handle, client_bool, client_payload }
client_reply |= element client { attribute action { "set" }, tag?,
client_handle }
client_query |= element client { attribute action { "get" }, tag?,
client_handle }
client_reply |= element client { attribute action { "get" }, tag?,
client_handle, client_payload }
client_query |= element client { attribute action { "list" }, tag? }
client_reply |= element client { attribute action { "list" }, tag?,
client_handle, client_payload }
client_query |= element client { attribute action { "destroy" },
@@ -751,23 +756,23 @@
Security considerations: Carries an RPKI Publication Protocol
Message, as defined in this document.
Interoperability considerations: None
Published specification: This document
Applications which use this media type: HTTP
Additional information:
Magic number(s): None
File extension(s):
Macintosh File Type Code(s):
Person & email address to contact for further information:
- Rob Austein
+ Rob Austein
Intended usage: COMMON
- Author/Change controller: Rob Austein
+ Author/Change controller: Rob Austein
7. Security Considerations
The RPKI publication protocol and the data it publishes use entirely
separate PKIs for authentication. The published data is
authenticated within the RPKI, and this protocol has nothing to do
with that authentication, nor does it require that the published
objects be valid in the RPKI. The publication protocol uses a
separate Business PKI (BPKI) to authenticate its messages.
@@ -805,21 +810,20 @@
Samuel Weiler
SPARTA, Inc.
7110 Samuel Morse Drive
Columbia, Maryland 21046
US
Email: weiler@tislabs.com
Anuja Sonalker
- SPARTA, Inc.
- 7110 Samuel Morse Drive
+ Battelle Memorial Institute
Columbia, Maryland 21046
US
- Email: Anuja.Sonalker@sparta.com
+ Email: sonalkera@battelle.org
Rob Austein
Dragon Research Labs
Email: sra@hactrn.net