--- 1/draft-ietf-sidrops-https-tal-04.txt 2018-10-11 04:13:44.182314070 -0700 +++ 2/draft-ietf-sidrops-https-tal-05.txt 2018-10-11 04:13:44.214314832 -0700 @@ -1,25 +1,25 @@ Network Working Group G. Huston Internet-Draft APNIC Obsoletes: 7730 (if approved) S. Weiler Intended status: Standards Track W3C/MIT -Expires: January 27, 2019 G. Michaelson +Expires: April 14, 2019 G. Michaelson APNIC S. Kent Unaffiliated T. Bruijnzeels NLnet Labs - July 26, 2018 + October 11, 2018 Resource Public Key Infrastructure (RPKI) Trust Anchor Locator - draft-ietf-sidrops-https-tal-04 + draft-ietf-sidrops-https-tal-05 Abstract This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI). This document obsoletes RFC 7730 by adding support for HTTPS URIs in a TAL. Status of This Memo This Internet-Draft is submitted in full conformance with the @@ -28,21 +28,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 27, 2019. + This Internet-Draft will expire on April 14, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -56,25 +56,25 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 2. Trust Anchor Locator . . . . . . . . . . . . . . . . . . . . 2 2.1. Trust Anchor Locator Format . . . . . . . . . . . . . . . 2 2.2. TAL and Trust Anchor Certificate Considerations . . . . . 4 2.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 5 4. HTTPS Considerations . . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.1. Normative References . . . . . . . . . . . . . . . . . . 8 7.2. Informative References . . . . . . . . . . . . . . . . . 9 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI) [RFC6480]. This format may be used to distribute trust anchor material using a mix of out-of-band and online means. Procedures used by Relying Parties (RPs) to verify RPKI signed objects SHOULD support this format to facilitate interoperability between creators of trust anchor material and RPs. This document obsoletes [RFC7730] by adding support for HTTPS URIs in 
@@ -116,35 +116,39 @@ could be used to represent the TAL, if one defined an rsync or HTTPS URI extension for that data structure. However, the TAL format was adopted by RPKI implementors prior to the PKIX trust anchor work, and the RPKI implementer community has elected to utilize the TAL format, rather than define the requisite extension. The community also prefers the simplicity of the ASCII encoding of the TAL, versus the binary (ASN.1) encoding for TrustAnchorInfo. The TAL is an ordered sequence of: - 1. a URI section, + 1. an optional comment section consisting of one or more lines + starting with the '#' character, containing human readable + informational ASCII text, followed by an empty line using a + "" or "" line break only. - 2. a "" or "" line break, + 2. a URI section, - 3. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded + 3. a "" or "" line break, + + 4. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded in Base64 (see Section 4 of [RFC4648]). To avoid long lines, "" or "" line breaks MAY be inserted into the Base64-encoded string. where the URI section is comprised or one of more of the ordered sequence of: - 1.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230] - - 1.2. a "" or "" line break. + 2.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230] + 2.2. a "" or "" line break. 2.2. TAL and Trust Anchor Certificate Considerations Each URI in the TAL MUST reference a single object. It MUST NOT reference a directory or any other form of collection of objects. The referenced object MUST be a self-signed CA certificate that conforms to the RPKI certificate profile [RFC6487]. This certificate is the trust anchor in certification path discovery [RFC4158] and validation [RFC5280] [RFC3779]. 
@@ -196,20 +200,23 @@ Where the TAL contains two or more URIs, then the same self- signed CA certificate MUST be found at each referenced location. In order to increase operational resilience, it is RECOMMENDED that the domain name parts of each of these URIs resolve to distinct IP addresses that are used by a diverse set of repository publication points, and these IP addresses be included in distinct Route Origin Authorizations (ROAs) objects signed by different CAs. 2.3. Example + # This TAL is intended for documentation purposes only. + # Do not attempt to use this in a production setting. + rsync://rpki.example.org/rpki/hedgehog/root.cer https://rpki.example.org/rpki/hedgehog/root.cer MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6 Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9 nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9 aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
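Review bot: in the @@ -116,35 +116,39 @@ hunk the new item 1 defines the comment section as "one or more lines starting with the '#' character ... followed by an empty line", but it never says what a relying party does with that text or how the terminating empty line is distinguished from the line break in item 3 that separates the URI section from the key. A parser that collapses blank lines cannot tell the two apart; suggest stating that an RP MUST ignore the content of every leading '#' line, MUST treat the first non-'#' line after the comment block's empty line as the first URI, and that the comment carries no authority. The hunk should also say that a TAL carrying a comment section will not be accepted by an RP that implements RFC 7730 unchanged, since the old format began directly with a URI. Two nits in the same hunk: the line-break tokens render here as empty quotes ("" or ""), so the exact sequences permitted cannot be checked from this text and should be verified in the source; and the unchanged context line "comprised or one of more of the ordered sequence" should read "comprised of one or more of the ordered sequence" while this paragraph is being touched. The renumbered 2.1/2.2 items also lost the blank line that separated 1.1/1.2.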
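Review bot: the example added in the @@ -196,20 +200,23 @@ hunk (two '#' lines, an empty line, then the rsync and HTTPS URIs and the Base64 key) matches the new Section 2.1 item 1, but no hunk in this diff updates Section 3 (Relying Party Use): the changes touch only the header, the table of contents, Section 2.1 and this example. Suggest adding a processing step to Section 3 that strips the leading '#' lines and the terminating empty line before the URIs are read, and a sentence in Section 5 noting that the comment text is unauthenticated, is not covered by the trust anchor's key, and MUST NOT influence validation. It would also help readers if the example showed a comment line containing a URI-like string, to make clear that such text is ignored rather than fetched.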