--- 1/draft-ietf-sidr-publication-02.txt 2012-07-17 00:14:21.717426592 +0200 +++ 2/draft-ietf-sidr-publication-03.txt 2012-07-17 00:14:21.749426972 +0200 @@ -1,20 +1,21 @@ Network Working Group S. Weiler -Internet-Draft A. Sonalker -Intended status: Standards Track SPARTA, Inc. -Expires: September 13, 2012 R. Austein +Internet-Draft SPARTA, Inc. +Intended status: Standards Track A. Sonalker +Expires: January 17, 2013 Battelle Memorial Institute + R. Austein Dragon Research Labs - March 12, 2012 + July 16, 2012 A Publication Protocol for the Resource Public Key Infrastructure (RPKI) - draft-ietf-sidr-publication-02 + draft-ietf-sidr-publication-03 Abstract This document defines a protocol for publishing Resource Public Key Infrastructure (RPKI) objects. Even though the RPKI will have many participants issuing certificates and creating other objects, it is operationally useful to consolidate the publication of those objects. This document provides the protocol for doing so. Status of this Memo @@ -25,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 13, 2012. + This Internet-Draft will expire on January 17, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -212,39 +213,42 @@ 3.2.2. Client Object Unlike the object, the object represents one client authorized to use the publication server. There may be more than one object on each publication server. Again, its use is typically restricted to the respository operator. The object supports five actions: "create", "set", "get", "list", and "destroy". Each client has a "client_handle" attribute, which is used in responses and must be specified in "create", "set", - "get", or "destroy" actions. + "get", or "destroy" actions. The "create" and "set" actions take + optional boolean attributes. The only attribute currently defined is + used to clear CMS-timestamp-based replay protection, to allow + recovery from misconfigured clocks. Payload data which can be configured in a object include: o base_uri (attribute): This attribute represents the base URI below which the client will be allowed to publish data. Additional constraints may be imposed by the publication server in certain cases, for e.g., a child publishing directly under its parent. o bpki_cert (element): This represents the X.509 BPKI CA certificate for this client. This should be used as part of the certificate chain when validating incoming CMS messages. Two valid approaches exist. If the optional bpki_glue certificate is being used, then the bpki_cert certificate should be issued by the bpki_glue certificate; otherwise, the bpki_cert certificate should be issued by the publication engine's bpki_ta certificate. - o bpki_glue (element): This is an additional (optional) type of - X.509 certificate for this client. It may be used in certain + o bpki_glue (element): This is an additional (optional) X.509 + certificate for this client. It may be used in certain pathological cross-certification cases which require a two- certificate chain due to issuer name conflicts. When being used, issuing order is that the bpki_glue certificate should be the issuer of the bpki_cert certificate. Otherwise, it should be issued by the publication engine's bpki_ta certificate. Since this is an optional use certificate, it may be left unset if not needed. 3.3. Publication Sub-Protocol @@ -343,27 +347,28 @@ config_payload } config_reply |= element config { attribute action { "set" }, tag? } config_query |= element config { attribute action { "get" }, tag? } config_reply |= element config { attribute action { "get" }, tag?, config_payload } # element (use restricted to repository operator) client_handle = attribute client_handle { object_handle } client_payload = (attribute base_uri { uri_t }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?) + client_bool = attribute clear_replay_protection { "yes" }? + client_query |= element client { attribute action { "create" }, - tag?, client_handle, client_payload } + tag?, client_handle, client_bool, client_payload } client_reply |= element client { attribute action { "create" }, tag?, client_handle } client_query |= element client { attribute action { "set" }, tag?, - client_handle, client_payload } - + client_handle, client_bool, client_payload } client_reply |= element client { attribute action { "set" }, tag?, client_handle } client_query |= element client { attribute action { "get" }, tag?, client_handle } client_reply |= element client { attribute action { "get" }, tag?, client_handle, client_payload } client_query |= element client { attribute action { "list" }, tag? } client_reply |= element client { attribute action { "list" }, tag?, client_handle, client_payload } client_query |= element client { attribute action { "destroy" }, @@ -751,23 +756,23 @@ Security considerations: Carries an RPKI Publication Protocol Message, as defined in this document. Interoperability considerations: None Published specification: This document Applications which use this media type: HTTP Additional information: Magic number(s): None File extension(s): Macintosh File Type Code(s): Person & email address to contact for further information: - Rob Austein + Rob Austein Intended usage: COMMON - Author/Change controller: Rob Austein + Author/Change controller: Rob Austein 7. Security Considerations The RPKI publication protocol and the data it publishes use entirely separate PKIs for authentication. The published data is authenticated within the RPKI, and this protocol has nothing to do with that authentication, nor does it require that the published objects be valid in the RPKI. The publication protocol uses a separate Business PKI (BPKI) to authenticate its messages. @@ -805,21 +810,20 @@ Samuel Weiler SPARTA, Inc. 7110 Samuel Morse Drive Columbia, Maryland 21046 US Email: weiler@tislabs.com Anuja Sonalker - SPARTA, Inc. - 7110 Samuel Morse Drive + Battelle Memorial Institute Columbia, Maryland 21046 US - Email: Anuja.Sonalker@sparta.com + Email: sonalkera@battelle.org Rob Austein Dragon Research Labs Email: sra@hactrn.net