draft-ietf-sidrops-https-tal-04.txt   draft-ietf-sidrops-https-tal-05.txt 
Network Working Group G. Huston Network Working Group G. Huston
Internet-Draft APNIC Internet-Draft APNIC
Obsoletes: 7730 (if approved) S. Weiler Obsoletes: 7730 (if approved) S. Weiler
Intended status: Standards Track W3C/MIT Intended status: Standards Track W3C/MIT
Expires: January 27, 2019 G. Michaelson Expires: April 14, 2019 G. Michaelson
APNIC APNIC
S. Kent S. Kent
Unaffiliated Unaffiliated
T. Bruijnzeels T. Bruijnzeels
NLnet Labs NLnet Labs
July 26, 2018 October 11, 2018
Resource Public Key Infrastructure (RPKI) Trust Anchor Locator Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
draft-ietf-sidrops-https-tal-04 draft-ietf-sidrops-https-tal-05
Abstract Abstract
This document defines a Trust Anchor Locator (TAL) for the Resource This document defines a Trust Anchor Locator (TAL) for the Resource
Public Key Infrastructure (RPKI). This document obsoletes RFC 7730 Public Key Infrastructure (RPKI). This document obsoletes RFC 7730
by adding support for HTTPS URIs in a TAL. by adding support for HTTPS URIs in a TAL.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 27, 2019. This Internet-Draft will expire on April 14, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2
2. Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . 2 2. Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . 2
2.1. Trust Anchor Locator Format . . . . . . . . . . . . . . . 2 2.1. Trust Anchor Locator Format . . . . . . . . . . . . . . . 2
2.2. TAL and Trust Anchor Certificate Considerations . . . . . 4 2.2. TAL and Trust Anchor Certificate Considerations . . . . . 4
2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 5 3. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 5
4. HTTPS Considerations . . . . . . . . . . . . . . . . . . . . 6 4. HTTPS Considerations . . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 8 7.1. Normative References . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
This document defines a Trust Anchor Locator (TAL) for the Resource This document defines a Trust Anchor Locator (TAL) for the Resource
Public Key Infrastructure (RPKI) [RFC6480]. This format may be used Public Key Infrastructure (RPKI) [RFC6480]. This format may be used
to distribute trust anchor material using a mix of out-of-band and to distribute trust anchor material using a mix of out-of-band and
online means. Procedures used by Relying Parties (RPs) to verify online means. Procedures used by Relying Parties (RPs) to verify
RPKI signed objects SHOULD support this format to facilitate RPKI signed objects SHOULD support this format to facilitate
interoperability between creators of trust anchor material and RPs. interoperability between creators of trust anchor material and RPs.
This document obsoletes [RFC7730] by adding support for HTTPS URIs in This document obsoletes [RFC7730] by adding support for HTTPS URIs in
skipping to change at page 3, line 33 skipping to change at page 3, line 33
could be used to represent the TAL, if one defined an rsync or HTTPS could be used to represent the TAL, if one defined an rsync or HTTPS
URI extension for that data structure. However, the TAL format was URI extension for that data structure. However, the TAL format was
adopted by RPKI implementors prior to the PKIX trust anchor work, and adopted by RPKI implementors prior to the PKIX trust anchor work, and
the RPKI implementer community has elected to utilize the TAL format, the RPKI implementer community has elected to utilize the TAL format,
rather than define the requisite extension. The community also rather than define the requisite extension. The community also
prefers the simplicity of the ASCII encoding of the TAL, versus the prefers the simplicity of the ASCII encoding of the TAL, versus the
binary (ASN.1) encoding for TrustAnchorInfo. binary (ASN.1) encoding for TrustAnchorInfo.
The TAL is an ordered sequence of: The TAL is an ordered sequence of:
1. a URI section, 1. an optional comment section consisting of one or more lines
starting with the '#' character, containing human readable
informational ASCII text, followed by an empty line using a
"<CRLF>" or "<LF>" line break only.
2. a "<CRLF>" or "<LF>" line break, 2. a URI section,
3. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded 3. a "<CRLF>" or "<LF>" line break,
4. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded
in Base64 (see Section 4 of [RFC4648]). To avoid long lines, in Base64 (see Section 4 of [RFC4648]). To avoid long lines,
"<CRLF>" or "<LF>" line breaks MAY be inserted into the "<CRLF>" or "<LF>" line breaks MAY be inserted into the
Base64-encoded string. Base64-encoded string.
where the URI section is comprised or one of more of the ordered where the URI section is comprised or one of more of the ordered
sequence of: sequence of:
1.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230] 2.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]
2.2. a "<CRLF>" or "<LF>" line break.
1.2. a "<CRLF>" or "<LF>" line break.
2.2. TAL and Trust Anchor Certificate Considerations 2.2. TAL and Trust Anchor Certificate Considerations
Each URI in the TAL MUST reference a single object. It MUST NOT Each URI in the TAL MUST reference a single object. It MUST NOT
reference a directory or any other form of collection of objects. reference a directory or any other form of collection of objects.
The referenced object MUST be a self-signed CA certificate that The referenced object MUST be a self-signed CA certificate that
conforms to the RPKI certificate profile [RFC6487]. This certificate conforms to the RPKI certificate profile [RFC6487]. This certificate
is the trust anchor in certification path discovery [RFC4158] and is the trust anchor in certification path discovery [RFC4158] and
validation [RFC5280] [RFC3779]. validation [RFC5280] [RFC3779].
skipping to change at page 5, line 20 skipping to change at page 5, line 24
Where the TAL contains two or more URIs, then the same self- signed Where the TAL contains two or more URIs, then the same self- signed
CA certificate MUST be found at each referenced location. In order CA certificate MUST be found at each referenced location. In order
to increase operational resilience, it is RECOMMENDED that the domain to increase operational resilience, it is RECOMMENDED that the domain
name parts of each of these URIs resolve to distinct IP addresses name parts of each of these URIs resolve to distinct IP addresses
that are used by a diverse set of repository publication points, and that are used by a diverse set of repository publication points, and
these IP addresses be included in distinct Route Origin these IP addresses be included in distinct Route Origin
Authorizations (ROAs) objects signed by different CAs. Authorizations (ROAs) objects signed by different CAs.
2.3. Example 2.3. Example
rsync://rpki.example.org/rpki/hedgehog/root.cer # This TAL is intended for documentation purposes only.
https://rpki.example.org/rpki/hedgehog/root.cer # Do not attempt to use this in a production setting.
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx rsync://rpki.example.org/rpki/hedgehog/root.cer
GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6 https://rpki.example.org/rpki/hedgehog/root.cer
Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9 Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
3. Relying Party Use 3. Relying Party Use
In order to use the TAL to retrieve and validate a (putative) trust In order to use the TAL to retrieve and validate a (putative) trust
anchor, an RP SHOULD: anchor, an RP SHOULD:
1. Retrieve the object referenced by (one of) the URI(s) contained 1. Retrieve the object referenced by (one of) the URI(s) contained
in the TAL. in the TAL.
2. Confirm that the retrieved object is a current, self-signed RPKI 2. Confirm that the retrieved object is a current, self-signed RPKI
 End of changes. 12 change blocks. 
21 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/