draft-ietf-sidr-policy-qualifiers-00.txt   draft-ietf-sidr-policy-qualifiers-01.txt 
Network Working Group A.L. Newton Network Working Group A. Newton
Internet-Draft ARIN Internet-Draft ARIN
Updates: 6487 (if approved) G.I.H. Huston Updates: 6487 (if approved) G. Huston
Intended status: Standards Track APNIC Intended status: Standards Track APNIC
Expires: November 10, 2013 May 09, 2013 Expires: April 05, 2014 October 02, 2013
Policy Qualifiers in RPKI Certificates Policy Qualifiers in RPKI Certificates
draft-ietf-sidr-policy-qualifiers-00 draft-ietf-sidr-policy-qualifiers-01
Abstract Abstract
This document updates RFC 6487 by clarifying the inclusion of policy This document updates RFC 6487 by clarifying the inclusion of policy
qualifiers in the certificate policies extension of RPKI resource qualifiers in the certificate policies extension of RPKI resource
certificates. certificates.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 10, 2013. This Internet-Draft will expire on April 05, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 31 skipping to change at page 3, line 31
The Security Considerations of [RFC6487] apply to this document. The Security Considerations of [RFC6487] apply to this document.
This document updates the RPKI certificate profile to specify that This document updates the RPKI certificate profile to specify that
the certificate policies extension can include a policy qualifier, the certificate policies extension can include a policy qualifier,
which is a URI. Checking of the URI might allow denial-of-service which is a URI. Checking of the URI might allow denial-of-service
(DoS) attacks, where the target host may be subjected to bogus work (DoS) attacks, where the target host may be subjected to bogus work
resolving the URI. However, this specification, like [RFC5280], resolving the URI. However, this specification, like [RFC5280],
places no processing requirements on the URI included in the places no processing requirements on the URI included in the
qualifier. qualifier.
As an update to [RFC6487], this document broadens the class of
certificates that conform to the RPKI profile by explicitly including
within the profile those certificates that contain a policy qualifier
as described here. A relying party that performs a strict validation
based on [RFC6487] and fails to support the updates described in this
document, would incorrectly invalidate RPKI objects that include the
changes in Section 2.
5. Acknowledgements 5. Acknowledgements
Frank Hill and Adam Guyot helped define the scope of this issue and Frank Hill and Adam Guyot helped define the scope of this issue and
identified and worked with RPKI validator implementers to clarify the identified and worked with RPKI validator implementers to clarify the
use of policy qualifiers in resource certificates. use of policy qualifiers in resource certificates.
Sean Turner provided significant text to this document regarding the Sean Turner provided significant text to this document regarding the
processing of the CPS URI and limiting the scope of the allowable processing of the CPS URI and limiting the scope of the allowable
content of the policy qualifier. content of the policy qualifier.
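Review bot: The paragraph added at the end of the Security Considerations (beginning "As an update to [RFC6487]") says a relying party that validates strictly against RFC 6487 "would incorrectly invalidate RPKI objects", but it gives no guidance to issuers or relying parties on handling that interoperability gap. Consider adding a sentence on what is expected during the transition, or stating explicitly that no guidance is intended. Two wording points in the same paragraph: the comma in "in this document, would incorrectly invalidate" separates the subject from its verb and should be dropped, and "RPKI objects that include the changes in Section 2" would be more precise as objects that include a policy qualifier as specified in Section 2, since objects carry qualifiers rather than changes.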
 End of changes. 6 change blocks. 
5 lines changed or deleted 13 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/