draft-ietf-sidr-rfc6485bis-00.txt   draft-ietf-sidr-rfc6485bis-01.txt 
SIDR G. Huston SIDR G. Huston
Internet-Draft G. Michaelson, Ed. Internet-Draft G. Michaelson, Ed.
Obsoletes: 6485 (if approved) APNIC Obsoletes: 6485 (if approved) APNIC
Intended status: Standards Track March 7, 2014 Intended status: Standards Track March 28, 2014
Expires: September 8, 2014 Expires: September 29, 2014
The Profile for Algorithms and Key Sizes for use in the Resource Public The Profile for Algorithms and Key Sizes for use in the Resource Public
Key Infrastructure Key Infrastructure
draft-ietf-sidr-rfc6485bis-00.txt draft-ietf-sidr-rfc6485bis-01.txt
Abstract Abstract
This document specifies the algorithms, algorithms' parameters, This document specifies the algorithms, algorithms' parameters,
asymmetric key formats, asymmetric key size and signature format for asymmetric key formats, asymmetric key size and signature format for
the Resource Public Key Infrastructure subscribers that generate the Resource Public Key Infrastructure subscribers that generate
digital signatures on certificates, Certificate Revocation Lists, and digital signatures on certificates, Certificate Revocation Lists, and
signed objects as well as for the Relying Parties (RPs) that verify signed objects as well as for the Relying Parties (RPs) that verify
these digital signatures. these digital signatures.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 8, 2014. This Internet-Draft will expire on September 29, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 7 skipping to change at page 5, line 7
specifications, and also accommodate the orderly deprecation of specifications, and also accommodate the orderly deprecation of
previously specified algorithms and keys. Accordingly, CAs and RPs previously specified algorithms and keys. Accordingly, CAs and RPs
SHOULD be capable of supporting multiple RPKI algorithm and key SHOULD be capable of supporting multiple RPKI algorithm and key
profiles simultaneously within the scope of such anticipated profiles simultaneously within the scope of such anticipated
transitions. The recommended procedures to implement such a transitions. The recommended procedures to implement such a
transition of key sizes and algorithms is not specified in this transition of key sizes and algorithms is not specified in this
document. document.
6. Security Considerations 6. Security Considerations
The Security Considerations of [RFC4055], [RFC5280], and [RFC6487] a The Security Considerations of [RFC4055], [RFC5280], and [RFC6487]
apply to certificate and CRLs. The Security Considerations of apply to certificate and CRLs. The Security Considerations of
[RFC5754] apply to signed objects. No new security are introduced as [RFC5754] apply to signed objects. No new security are introduced as
a result of this specification. a result of this specification.
7. IANA Considerations 7. IANA Considerations
[Remove before publication. There are no IANA considerations in this [Remove before publication. There are no IANA considerations in this
document.] document.]
8. IESG Considerations 8. Changes Aplied to RFC6485
[Remove before publication.
Dear IESG, This is a slight technical change to RFC6485, and the This document represents a slight technical change to [RFC6485] that
advice to the WG from a Routing AD was that this is outside the is considered to be outside the limited scope of an erratum.
limited scope of an erratum.
RFC 6485 defines The Profile for Algorithms and Key Sizes for Use in Section 2 of [RFC6485] specified a single signature algorithm (SHA-
the Resource Public Key Infrastructure (RPKI). Section 2 specifies a 256) and a single CMS OID, sha256withRSAEncryption, to be used for
single signature algorithm (SHA-256) and a single CMS OID, the SignerInfo field of the CMS object. A closer reading of
sha256withRSAEncryption, to be used for the SignerInfo field of the [RFC4055] and [RFC5754] has identified that the CMS SignerInfo field
CMS object. must support use of the rsaEncryption OID for full conformance with
the CMS specifications, and the normative references in [RFC6485]
inherited this requirement.
A closer reading of RFC 4055 and RFC 5754 identified that the CMS This document changes Section 2 of [RFC4055]. By conforming to the
SignerInfo field must support use of the rsaEncryption OID for full CMS specifications as per [RFC4055] and [RFC5754], RPKI CMS objects
conformance with the CMS specifications, and the normative references are less likely to be rejected as non-conformant with the CMS
in RFC 6485 inherits the requirement. This change is applied to
Section 2 of RFC6485, as set forth in this document. By conforming
to the CMS specifications as per this updateed specification, RPKI
CMS objects are less likely to be rejected as non-conformant with the
standards. No change is made to the cryptographic status of the CMS standards. No change is made to the cryptographic status of the CMS
objects produced. This change reflects the behaviour of deployed objects produced. This change reflects the behaviour of deployed
interoperating code. No other changes have been made to this interoperating code. No other changes have been made to the
specification.] specification as described in [RFC6485].
9. Acknowledgments 9. Acknowledgments
The author acknowledges the re-use in this draft of material The author acknowledges the re-use in this draft of material
originally contained in working drafts the RPKI Certificate Policy originally contained in working drafts the RPKI Certificate Policy
and Resource Certificate profile documents. The co-authors of these and Resource Certificate profile documents. The co-authors of these
two documents, namely Stephen Kent, Derrick Kong, Karen Seo, Ronald two documents, namely Stephen Kent, Derrick Kong, Karen Seo, Ronald
Watro, George Michaelson and Robert Loomans, are acknowledged, with Watro, George Michaelson and Robert Loomans, are acknowledged, with
thanks. The constraint on key size noted in this profile is the thanks. The constraint on key size noted in this profile is the
outcome of comments from Stephen Kent and review comments from David outcome of comments from Stephen Kent and review comments from David
Cooper. Sean Turner has provided additional review input to this Cooper. Sean Turner has provided additional review input to this
document. document.
Andrew Chi and David Mandelberg discovered the issue addressed in Andrew Chi and David Mandelberg discovered the issue addressed in
this update to RFC6485, and the changes in this updated specification this update to [RFC6485], and the changes in this updated
reflect the outcome of a discussion between Rob Austein and Matt specification reflect the outcome of a discussion between Rob Austein
Lepinski on the SIDR Working group mailing list. George Michaelson and Matt Lepinski on the SIDR Working group mailing list. George
edited the update to this document. Michaelson edited the update to this document.
10. Normative References 10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986, Request Syntax Specification Version 1.7", RFC 2986,
November 2000. November 2000.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in Algorithms and Identifiers for RSA Cryptography for use in
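Review bot: In the new Section 8 text of -01, the sentence "This document changes Section 2 of [RFC4055]" appears to cite the wrong document. The -00 wording it replaces said the change "is applied to Section 2 of RFC6485", and the paragraph just before it in -01 is about Section 2 of [RFC6485]. Suggest "This document changes Section 2 of [RFC6485]". Three smaller items in the same hunk: the new heading reads "Changes Aplied to RFC6485" and should read "Applied"; the Security Considerations sentence "No new security are introduced" is carried into -01 with its noun still missing; and "apply to certificate and CRLs" should read "certificates". The -01 revision already touches that paragraph to drop the stray "a", so these could be fixed in the same pass.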
skipping to change at page 7, line 13 skipping to change at page 7, line 10
(RPKI)", BCP 173, RFC 6484, February 2012. (RPKI)", BCP 173, RFC 6484, February 2012.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487, X.509 PKIX Resource Certificates", RFC 6487,
February 2012. February 2012.
[SHS] National Institute of Standards and Technology (NIST), [SHS] National Institute of Standards and Technology (NIST),
"FIPS Publication 180-3: Secure Hash Standard", FIPS "FIPS Publication 180-3: Secure Hash Standard", FIPS
Publication 180-3, October 2008. Publication 180-3, October 2008.
10.2. Informative References
[RFC6485] Huston, G., "The Profile for Algorithms and Key Sizes for
Use in the Resource Public Key Infrastructure (RPKI)",
RFC 6485, February 2012.
Authors' Addresses Authors' Addresses
Geoff Huston Geoff Huston
APNIC APNIC
Email: gih@apnic.net Email: gih@apnic.net
George Michaelson (editor) George Michaelson (editor)
APNIC APNIC
 End of changes. 12 change blocks. 
30 lines changed or deleted 33 lines changed or added
