draft-ietf-sidrops-https-tal-04.txt		draft-ietf-sidrops-https-tal-05.txt
	Network Working Group G. Huston		Network Working Group G. Huston
	Internet-Draft APNIC		Internet-Draft APNIC
	Obsoletes: 7730 (if approved) S. Weiler		Obsoletes: 7730 (if approved) S. Weiler
	Intended status: Standards Track W3C/MIT		Intended status: Standards Track W3C/MIT
	Expires: January 27, 2019 G. Michaelson		Expires: April 14, 2019 G. Michaelson
	APNIC		APNIC
	S. Kent		S. Kent
	Unaffiliated		Unaffiliated
	T. Bruijnzeels		T. Bruijnzeels
	NLnet Labs		NLnet Labs
	July 26, 2018		October 11, 2018
	Resource Public Key Infrastructure (RPKI) Trust Anchor Locator		Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
	draft-ietf-sidrops-https-tal-04		draft-ietf-sidrops-https-tal-05
	Abstract		Abstract
	This document defines a Trust Anchor Locator (TAL) for the Resource		This document defines a Trust Anchor Locator (TAL) for the Resource
	Public Key Infrastructure (RPKI). This document obsoletes RFC 7730		Public Key Infrastructure (RPKI). This document obsoletes RFC 7730
	by adding support for HTTPS URIs in a TAL.		by adding support for HTTPS URIs in a TAL.
	Status of This Memo		Status of This Memo
	This Internet-Draft is submitted in full conformance with the		This Internet-Draft is submitted in full conformance with the
	skipping to change at page 1, line 39 ¶		skipping to change at page 1, line 39 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on January 27, 2019.		This Internet-Draft will expire on April 14, 2019.
	Copyright Notice		Copyright Notice
	Copyright (c) 2018 IETF Trust and the persons identified as the		Copyright (c) 2018 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 2, line 21 ¶		skipping to change at page 2, line 21 ¶
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
	1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2		1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
	2. Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . 2		2. Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . 2
	2.1. Trust Anchor Locator Format . . . . . . . . . . . . . . . 2		2.1. Trust Anchor Locator Format . . . . . . . . . . . . . . . 2
	2.2. TAL and Trust Anchor Certificate Considerations . . . . . 4		2.2. TAL and Trust Anchor Certificate Considerations . . . . . 4
	2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5		2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5
	3. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 5		3. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 5
	4. HTTPS Considerations . . . . . . . . . . . . . . . . . . . . 6		4. HTTPS Considerations . . . . . . . . . . . . . . . . . . . . 6
	5. Security Considerations . . . . . . . . . . . . . . . . . . . 7		5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
	6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7		6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
	7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8		7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
	7.1. Normative References . . . . . . . . . . . . . . . . . . 8		7.1. Normative References . . . . . . . . . . . . . . . . . . 8
	7.2. Informative References . . . . . . . . . . . . . . . . . 9		7.2. Informative References . . . . . . . . . . . . . . . . . 9
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
	1. Introduction		1. Introduction
	This document defines a Trust Anchor Locator (TAL) for the Resource		This document defines a Trust Anchor Locator (TAL) for the Resource
	Public Key Infrastructure (RPKI) [RFC6480]. This format may be used		Public Key Infrastructure (RPKI) [RFC6480]. This format may be used
	to distribute trust anchor material using a mix of out-of-band and		to distribute trust anchor material using a mix of out-of-band and
	online means. Procedures used by Relying Parties (RPs) to verify		online means. Procedures used by Relying Parties (RPs) to verify
	RPKI signed objects SHOULD support this format to facilitate		RPKI signed objects SHOULD support this format to facilitate
	interoperability between creators of trust anchor material and RPs.		interoperability between creators of trust anchor material and RPs.
	This document obsoletes [RFC7730] by adding support for HTTPS URIs in		This document obsoletes [RFC7730] by adding support for HTTPS URIs in
	skipping to change at page 3, line 33 ¶		skipping to change at page 3, line 33 ¶
	could be used to represent the TAL, if one defined an rsync or HTTPS		could be used to represent the TAL, if one defined an rsync or HTTPS
	URI extension for that data structure. However, the TAL format was		URI extension for that data structure. However, the TAL format was
	adopted by RPKI implementors prior to the PKIX trust anchor work, and		adopted by RPKI implementors prior to the PKIX trust anchor work, and
	the RPKI implementer community has elected to utilize the TAL format,		the RPKI implementer community has elected to utilize the TAL format,
	rather than define the requisite extension. The community also		rather than define the requisite extension. The community also
	prefers the simplicity of the ASCII encoding of the TAL, versus the		prefers the simplicity of the ASCII encoding of the TAL, versus the
	binary (ASN.1) encoding for TrustAnchorInfo.		binary (ASN.1) encoding for TrustAnchorInfo.
	The TAL is an ordered sequence of:		The TAL is an ordered sequence of:
	1. a URI section,		1. an optional comment section consisting of one or more lines
			starting with the '#' character, containing human readable
			informational ASCII text, followed by an empty line using a
			"<CRLF>" or "<LF>" line break only.
	2. a "<CRLF>" or "<LF>" line break,		2. a URI section,
	3. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded		3. a "<CRLF>" or "<LF>" line break,
			4. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded
	in Base64 (see Section 4 of [RFC4648]). To avoid long lines,		in Base64 (see Section 4 of [RFC4648]). To avoid long lines,
	"<CRLF>" or "<LF>" line breaks MAY be inserted into the		"<CRLF>" or "<LF>" line breaks MAY be inserted into the
	Base64-encoded string.		Base64-encoded string.
	where the URI section is comprised or one of more of the ordered		where the URI section is comprised or one of more of the ordered
	sequence of:		sequence of:
	1.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]		2.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]
			2.2. a "<CRLF>" or "<LF>" line break.
	1.2. a "<CRLF>" or "<LF>" line break.
	2.2. TAL and Trust Anchor Certificate Considerations		2.2. TAL and Trust Anchor Certificate Considerations
	Each URI in the TAL MUST reference a single object. It MUST NOT		Each URI in the TAL MUST reference a single object. It MUST NOT
	reference a directory or any other form of collection of objects.		reference a directory or any other form of collection of objects.
	The referenced object MUST be a self-signed CA certificate that		The referenced object MUST be a self-signed CA certificate that
	conforms to the RPKI certificate profile [RFC6487]. This certificate		conforms to the RPKI certificate profile [RFC6487]. This certificate
	is the trust anchor in certification path discovery [RFC4158] and		is the trust anchor in certification path discovery [RFC4158] and
	validation [RFC5280] [RFC3779].		validation [RFC5280] [RFC3779].
	skipping to change at page 5, line 20 ¶		skipping to change at page 5, line 24 ¶
	Where the TAL contains two or more URIs, then the same self- signed		Where the TAL contains two or more URIs, then the same self- signed
	CA certificate MUST be found at each referenced location. In order		CA certificate MUST be found at each referenced location. In order
	to increase operational resilience, it is RECOMMENDED that the domain		to increase operational resilience, it is RECOMMENDED that the domain
	name parts of each of these URIs resolve to distinct IP addresses		name parts of each of these URIs resolve to distinct IP addresses
	that are used by a diverse set of repository publication points, and		that are used by a diverse set of repository publication points, and
	these IP addresses be included in distinct Route Origin		these IP addresses be included in distinct Route Origin
	Authorizations (ROAs) objects signed by different CAs.		Authorizations (ROAs) objects signed by different CAs.
	2.3. Example		2.3. Example
	rsync://rpki.example.org/rpki/hedgehog/root.cer		# This TAL is intended for documentation purposes only.
	https://rpki.example.org/rpki/hedgehog/root.cer		# Do not attempt to use this in a production setting.
	MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx		rsync://rpki.example.org/rpki/hedgehog/root.cer
	GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6		https://rpki.example.org/rpki/hedgehog/root.cer
	Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
	nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa		MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
	BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG		GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
	ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9		Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
	aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB		nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
			BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
			ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
			aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
	3. Relying Party Use		3. Relying Party Use
	In order to use the TAL to retrieve and validate a (putative) trust		In order to use the TAL to retrieve and validate a (putative) trust
	anchor, an RP SHOULD:		anchor, an RP SHOULD:
	1. Retrieve the object referenced by (one of) the URI(s) contained		1. Retrieve the object referenced by (one of) the URI(s) contained
	in the TAL.		in the TAL.
	2. Confirm that the retrieved object is a current, self-signed RPKI		2. Confirm that the retrieved object is a current, self-signed RPKI
End of changes. 12 change blocks.
	21 lines changed or deleted		28 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/