--- 1/draft-ietf-sidrops-https-tal-04.txt	2018-10-11 04:13:44.182314070 -0700
+++ 2/draft-ietf-sidrops-https-tal-05.txt	2018-10-11 04:13:44.214314832 -0700
@@ -1,25 +1,25 @@
 
 Network Working Group                                          G. Huston
 Internet-Draft                                                     APNIC
 Obsoletes: 7730 (if approved)                                  S. Weiler
 Intended status: Standards Track                                 W3C/MIT
-Expires: January 27, 2019                                  G. Michaelson
+Expires: April 14, 2019                                    G. Michaelson
                                                                    APNIC
                                                                  S. Kent
                                                             Unaffiliated
                                                           T. Bruijnzeels
                                                               NLnet Labs
-                                                           July 26, 2018
+                                                        October 11, 2018
 
      Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
-                    draft-ietf-sidrops-https-tal-04
+                    draft-ietf-sidrops-https-tal-05
 
 Abstract
 
    This document defines a Trust Anchor Locator (TAL) for the Resource
    Public Key Infrastructure (RPKI).  This document obsoletes RFC 7730
    by adding support for HTTPS URIs in a TAL.
 
 Status of This Memo
 
    This Internet-Draft is submitted in full conformance with the
@@ -28,21 +28,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at https://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on January 27, 2019.
+   This Internet-Draft will expire on April 14, 2019.
 
 Copyright Notice
 
    Copyright (c) 2018 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (https://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -56,25 +56,25 @@
 
    1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
      1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   2
    2.  Trust Anchor Locator  . . . . . . . . . . . . . . . . . . . .   2
      2.1.  Trust Anchor Locator Format . . . . . . . . . . . . . . .   2
      2.2.  TAL and Trust Anchor Certificate Considerations . . . . .   4
      2.3.  Example . . . . . . . . . . . . . . . . . . . . . . . . .   5
    3.  Relying Party Use . . . . . . . . . . . . . . . . . . . . . .   5
    4.  HTTPS Considerations  . . . . . . . . . . . . . . . . . . . .   6
    5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
-   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
+   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
    7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
      7.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
      7.2.  Informative References  . . . . . . . . . . . . . . . . .   9
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10
 
 1.  Introduction
 
    This document defines a Trust Anchor Locator (TAL) for the Resource
    Public Key Infrastructure (RPKI) [RFC6480].  This format may be used
    to distribute trust anchor material using a mix of out-of-band and
    online means.  Procedures used by Relying Parties (RPs) to verify
    RPKI signed objects SHOULD support this format to facilitate
    interoperability between creators of trust anchor material and RPs.
    This document obsoletes [RFC7730] by adding support for HTTPS URIs in
@@ -116,35 +116,39 @@
    could be used to represent the TAL, if one defined an rsync or HTTPS
    URI extension for that data structure.  However, the TAL format was
    adopted by RPKI implementors prior to the PKIX trust anchor work, and
    the RPKI implementer community has elected to utilize the TAL format,
    rather than define the requisite extension.  The community also
    prefers the simplicity of the ASCII encoding of the TAL, versus the
    binary (ASN.1) encoding for TrustAnchorInfo.
 
    The TAL is an ordered sequence of:
 
-   1.  a URI section,
+   1.  an optional comment section consisting of one or more lines
+       starting with the '#' character, containing human readable
+       informational ASCII text, followed by an empty line using a
+       "<CRLF>" or "<LF>" line break only.
 
-   2.  a "<CRLF>" or "<LF>" line break,
+   2.  a URI section,
 
-   3.  a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded
+   3.  a "<CRLF>" or "<LF>" line break,
+
+   4.  a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded
        in Base64 (see Section 4 of [RFC4648]).  To avoid long lines,
        "<CRLF>" or "<LF>" line breaks MAY be inserted into the
        Base64-encoded string.
 
    where the URI section is comprised or one of more of the ordered
    sequence of:
 
-   1.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]
-
-   1.2. a "<CRLF>" or "<LF>" line break.
+   2.1. either an rsync URI [RFC5781], or an HTTPS URI [RFC7230]
+   2.2. a "<CRLF>" or "<LF>" line break.
 
 2.2.  TAL and Trust Anchor Certificate Considerations
 
    Each URI in the TAL MUST reference a single object.  It MUST NOT
    reference a directory or any other form of collection of objects.
 
    The referenced object MUST be a self-signed CA certificate that
    conforms to the RPKI certificate profile [RFC6487].  This certificate
    is the trust anchor in certification path discovery [RFC4158] and
    validation [RFC5280] [RFC3779].
@@ -196,20 +200,23 @@
    Where the TAL contains two or more URIs, then the same self- signed
    CA certificate MUST be found at each referenced location.  In order
    to increase operational resilience, it is RECOMMENDED that the domain
    name parts of each of these URIs resolve to distinct IP addresses
    that are used by a diverse set of repository publication points, and
    these IP addresses be included in distinct Route Origin
    Authorizations (ROAs) objects signed by different CAs.
 
 2.3.  Example
 
+           # This TAL is intended for documentation purposes only.
+           # Do not attempt to use this in a production setting.
+
          rsync://rpki.example.org/rpki/hedgehog/root.cer
          https://rpki.example.org/rpki/hedgehog/root.cer
 
          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
          GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
          Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
          nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
          BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
          ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
          aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB