draft-ietf-sidr-ghostbusters-01.txt   draft-ietf-sidr-ghostbusters-02.txt 
Network Working Group R. Bush Network Working Group R. Bush
Internet-Draft Internet Initiative Japan Internet-Draft Internet Initiative Japan
Intended status: Standards Track March 10, 2011 Intended status: Standards Track March 11, 2011
Expires: September 11, 2011 Expires: September 12, 2011
The RPKI Ghostbusters Record The RPKI Ghostbusters Record
draft-ietf-sidr-ghostbusters-01 draft-ietf-sidr-ghostbusters-02
Abstract Abstract
In the Resource Public Key Infrastructure (RPKI), resource In the Resource Public Key Infrastructure (RPKI), resource
certificates completely obscure names or any other information which certificates completely obscure names or any other information which
might be useful for contacting responsible parties to deal with might be useful for contacting responsible parties to deal with
issues of certificate expiration, maintenance, roll-overs, issues of certificate expiration, maintenance, roll-overs,
compromises, etc. This draft describes the RPKI Ghostbusters Record compromises, etc. This draft describes the RPKI Ghostbusters Record
containing human contact information to be signed (indirectly) by a containing human contact information to be signed (indirectly) by a
resource-owning certificate. The data in the record are those of a resource-owning certificate. The data in the record are those of a
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 11, 2011. This Internet-Draft will expire on September 12, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . . 3 2. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . . 3
3. RPKI Ghostbusters Record Payload Example . . . . . . . . . . . 4 3. RPKI Ghostbusters Record Payload Example . . . . . . . . . . . 4
4. vCARD Profile . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. vCARD Profile . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. CMS Packaging . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. CMS Packaging . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Validation . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Validation . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
10.1. Normative References . . . . . . . . . . . . . . . . . . . 6 10.1. Normative References . . . . . . . . . . . . . . . . . . . 6
10.2. Informative References . . . . . . . . . . . . . . . . . . 6 10.2. Informative References . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
In the operational use of the RPKI it can become necessary to In the operational use of the RPKI it can become necessary to
contact, human to human, the party responsible for a resource-owning contact, human to human, the party responsible for a resource-owning
certificate. An important example is when the owner of a Route certificate. An important example is when the owner of a Route
Origin Authorization (ROA) sees a problem, or an impending problem, Origin Authorization (ROA) sees a problem, or an impending problem,
with a certificate or CRL in the path between the ROA and a trust with a certificate or CRL in the path between the ROA and a trust
anchor. E.g., a certificate along that path has expired, is soon to anchor. E.g., a certificate along that path has expired, is soon to
skipping to change at page 4, line 7 skipping to change at page 4, line 7
2. Suggested Reading 2. Suggested Reading
It is assumed that the reader understands the RPKI, It is assumed that the reader understands the RPKI,
[I-D.ietf-sidr-arch], the RPKI Repository Structure, [I-D.ietf-sidr-arch], the RPKI Repository Structure,
[I-D.ietf-sidr-repos-struct], Signed RPKI Objects, [I-D.ietf-sidr-repos-struct], Signed RPKI Objects,
[I-D.ietf-sidr-signed-object], and vCARDs [RFC2426]. [I-D.ietf-sidr-signed-object], and vCARDs [RFC2426].
3. RPKI Ghostbusters Record Payload Example 3. RPKI Ghostbusters Record Payload Example
An example of an RPKI Ghostbusters Record payload with all fields An example of an RPKI Ghostbusters Record payload with all types
populated is as follows: populated is as follows:
BEGIN:vCard BEGIN:vCard
VERSION:3.0 VERSION:3.0
FN:Human's Name FN:Human's Name
N:Name;Human's;Ms.;Dr.;OCD;ADD
ORG:Organizational Entity ORG:Organizational Entity
ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A. ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern; WA; 98666;U.S.A.
TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212 TEL;TYPE=VOICE,MSG,WORK:+1-666-555-1212
TEL;TYPE=FAX,WORK:+1-666-555-1213 TEL;TYPE=FAX,WORK:+1-666-555-1213
EMAIL;TYPE=INTERNET:human@example.com EMAIL;TYPE=INTERNET:human@example.com
END:vCard END:vCard
4. vCARD Profile 4. vCARD Profile
The goal in profiling the vCARD is not to include as much information The goal in profiling the vCARD is not to include as much information
as possible, but rather to include as few fields as possible while as possible, but rather to include as few types as possible while
providing the minimal necessary data to enable one to contact the providing the minimal necessary data to enable one to contact the
maintainer of the RPKI data which threatens the ROA[s] of concern. maintainer of the RPKI data which threatens the ROA[s] of concern.
The Ghostbusters vCARD payload is a minimalist subset of the vCARD as The Ghostbusters vCARD payload is a minimalist subset of the vCARD as
described in [RFC2426]. described in [RFC2426].
BEGIN - pro forma packaging which MUST be the first line in the BEGIN - pro forma packaging which MUST be the first line in the
vCARD and MUST have the value "BEGIN:vCARD" as described in vCARD and MUST have the value "BEGIN:vCARD" as described in
[RFC2426]. [RFC2426].
VERSION - pro forma packaging which MUST be the second line in the VERSION - pro forma packaging which MUST be the second line in the
vCARD and MUST have the value "VERSION:3.0" as described in 3.6.9 vCARD and MUST have the value "VERSION:3.0" as described in 3.6.9
of [RFC2426]. of [RFC2426].
FN - the name, as described in 3.1.1 of [RFC2426], of a contactable FN - the name, as described in 3.1.1 of [RFC2426], of a contactable
person who responsible for the certificate. person who responsible for the certificate.
N - the components of the name of the object the vCard represents,
as described in 3.1.2 of [RFC2426].
ORG - an organization as described in 3.5.5 of [RFC2426]. ORG - an organization as described in 3.5.5 of [RFC2426].
ADR - a postal address as described in 3.2.1 of [RFC2426]. ADR - a postal address as described in 3.2.1 of [RFC2426].
TEL - a voice and/or fax phone as described in 3.3.1 of [RFC2426]. TEL - a voice and/or fax phone as described in 3.3.1 of [RFC2426].
EMAIL - an Email address as described in 3.3.2 of [RFC2426] EMAIL - an Email address as described in 3.3.2 of [RFC2426]
END - pro forma packaging which MUST be the last line in the vCARD END - pro forma packaging which MUST be the last line in the vCARD
and MUST have the value "END:vCARD" as described in [RFC2426]. and MUST have the value "END:vCARD" as described in [RFC2426].
The BEGIN, VERSION, and END lines MUST be included in a record. To Per [RFC2426], the BEGIN, VERSION, FN, N, and END types MUST be
be useful, FN and one or more of ADR, TEL, and EMAIL SHOULD be included in a record. To be useful, one or more of ADR, TEL, and
included. EMAIL MUST be included. Other types MAY NOT be included.
5. CMS Packaging 5. CMS Packaging
The Ghostbusters Record is a CMS signed-data object conforming to the The Ghostbusters Record is a CMS signed-data object conforming to the
RPKI Signed Data Object Template, [I-D.ietf-sidr-signed-object]. RPKI Signed Data Object Template, [I-D.ietf-sidr-signed-object].
The ContentType of a Ghostbusters Record is defined as The ContentType of a Ghostbusters Record is defined as
rpkiGhostbusters, and has the numerical value of [TO BE ASSIGNED]. rpkiGhostbusters, and has the numerical value of [TO BE ASSIGNED].
This OID MUST appear both within the eContentType in the This OID MUST appear both within the eContentType in the
encapContentInfo object as well as the ContentType signed attribute encapContentInfo object as well as the ContentType signed attribute
skipping to change at page 5, line 38 skipping to change at page 5, line 43
vCARD. vCARD.
The EE certificate used to verify the Ghostbusters Record is the one The EE certificate used to verify the Ghostbusters Record is the one
that appears in the CMS data structure that contains the payload that appears in the CMS data structure that contains the payload
defined above. defined above.
6. Validation 6. Validation
The validation procedure defined in Section 3 of The validation procedure defined in Section 3 of
[I-D.ietf-sidr-signed-object] is applied to a Ghostbusters Record. [I-D.ietf-sidr-signed-object] is applied to a Ghostbusters Record.
After this procedure has been performed, the Version number field After this procedure has been performed, the Version number type
within the payload is checked, and the OCTET STRING containing the within the payload is checked, and the OCTET STRING containing the
vCARD data is extracted. These data are checked against the profile vCARD data is extracted. These data are checked against the profile
defined in Section 4 of this document. Only if all of these checks defined in Section 4 of this document. Only if all of these checks
pass is the Ghostbusters payload deemed valid and made available to pass is the Ghostbusters payload deemed valid and made available to
the application that requested the payload. the application that requested the payload.
7. Security Considerations 7. Security Considerations
Though there is no on the wire protocol in this specification, there Though there is no on the wire protocol in this specification, there
are attacks which could abuse the data described. As the data, to be are attacks which could abuse the data described. As the data, to be
skipping to change at page 6, line 23 skipping to change at page 6, line 28
self-asserted. These data have not been verified by the CA that self-asserted. These data have not been verified by the CA that
issued a (CA) certificate to the entity that issued the EE issued a (CA) certificate to the entity that issued the EE
certificate used to validate the Ghostbusters Record. certificate used to validate the Ghostbusters Record.
8. IANA Considerations 8. IANA Considerations
This document has no IANA Considerations. This document has no IANA Considerations.
9. Acknowledgments 9. Acknowledgments
The author wishes to thank Russ Housley for suggesting profiling the The author wishes to thank Russ Housley, the authors of
vCARD specification, the authors of [I-D.ietf-sidr-signed-object], [I-D.ietf-sidr-signed-object], Stephen Kent, and Michael Elkins for
and particularly Stephen Kent. their contributions.
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-sidr-signed-object] [I-D.ietf-sidr-signed-object]
Lepinski, M., Chi, A., and S. Kent, "Signed Object Lepinski, M., Chi, A., and S. Kent, "Signed Object
Template for the Resource Public Key Infrastructure", Template for the Resource Public Key Infrastructure",
draft-ietf-sidr-signed-object-03 (work in progress), draft-ietf-sidr-signed-object-03 (work in progress),
February 2011. February 2011.
 End of changes. 13 change blocks. 
15 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/