draft-ietf-sidr-signed-object-00.txt   draft-ietf-sidr-signed-object-01.txt 
Secure Inter-Domain Routing M. Lepinski Secure Inter-Domain Routing M. Lepinski
Internet-Draft A. Chi Internet-Draft A. Chi
Intended status: Standards Track S. Kent Intended status: Standards Track S. Kent
Expires: April 1, 2011 BBN Expires: April 7, 2011 BBN
September 28, 2010 October 4, 2010
Signed Object Template for the Resource Public Key Infrastructure Signed Object Template for the Resource Public Key Infrastructure
draft-ietf-sidr-signed-object-00.txt draft-ietf-sidr-signed-object-01.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 1, 2011. This Internet-Draft will expire on April 7, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 13
encapsulation format. encapsulation format.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Note on Algorithms . . . . . . . . . . . . . . . . . . . . 3 1.2. Note on Algorithms . . . . . . . . . . . . . . . . . . . . 3
2. Signed Object Syntax . . . . . . . . . . . . . . . . . . . . . . 4 2. Signed Object Syntax . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Signed-Data Content Type . . . . . . . . . . . . . . . . . 4 2.1. Signed-Data Content Type . . . . . . . . . . . . . . . . . 4
2.1.1. version . . . . . . . . . . . . . . . . . . . . . . . 4 2.1.1. version . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.2. digestAlgorithms . . . . . . . . . . . . . . . . . . . 4 2.1.2. digestAlgorithms . . . . . . . . . . . . . . . . . . . 5
2.1.3. encapContentInfo . . . . . . . . . . . . . . . . . . . 5 2.1.3. encapContentInfo . . . . . . . . . . . . . . . . . . . 5
2.1.3.1. eContentType . . . . . . . . . . . . . . . . . . 5 2.1.3.1. eContentType . . . . . . . . . . . . . . . . . . 5
2.1.3.2. eContent . . . . . . . . . . . . . . . . . . . . 5 2.1.3.2. eContent . . . . . . . . . . . . . . . . . . . . 5
2.1.4. certificates . . . . . . . . . . . . . . . . . . . . . 5 2.1.4. certificates . . . . . . . . . . . . . . . . . . . . . 5
2.1.5. crls . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.5. crls . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.6. signerInfos . . . . . . . . . . . . . . . . . . . . . 6 2.1.6. signerInfos . . . . . . . . . . . . . . . . . . . . . 6
2.1.6.1. version . . . . . . . . . . . . . . . . . . . . . 6 2.1.6.1. version . . . . . . . . . . . . . . . . . . . . . 6
2.1.6.2. sid . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.6.2. sid . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.6.3. digestAlgorithm . . . . . . . . . . . . . . . . . 6 2.1.6.3. digestAlgorithm . . . . . . . . . . . . . . . . . 6
2.1.6.4. signedAttrs . . . . . . . . . . . . . . . . . . . 6 2.1.6.4. signedAttrs . . . . . . . . . . . . . . . . . . . 6
skipping to change at page 4, line 12 skipping to change at page 4, line 12
1.2. Note on Algorithms 1.2. Note on Algorithms
Cryptographic Message Syntax is a general format capable of Cryptographic Message Syntax is a general format capable of
accommodating a wide variety of signature and digest algorithms. The accommodating a wide variety of signature and digest algorithms. The
algorithms used in the RPKI (and associated key sizes) are specified algorithms used in the RPKI (and associated key sizes) are specified
in [I-D.sidr-rpki-algs]. in [I-D.sidr-rpki-algs].
2. Signed Object Syntax 2. Signed Object Syntax
The RPKI signed object is a profile of the Cryptographic Message The RPKI signed object is a profile of the Cryptographic Message
Syntax (CMS) [RFC5652] signed-data object. The general format of a Syntax (CMS) [RFC5652] signed-data object, with the restriction that
CMS object is: RPKI signed objects MUST be encoded using the ASN.1 Distinguished
Encoding Rules (DER) [X.509-88].
The general format of a CMS object is:
ContentInfo ::= SEQUENCE { ContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType } content [0] EXPLICIT ANY DEFINED BY contentType }
ContentType ::= OBJECT IDENTIFIER ContentType ::= OBJECT IDENTIFIER
The ContentType is the signed-data type of id-data, namely the id- The ContentType is the signed-data type of id-data, namely the id-
signedData OID, 1.2.840.113549.1.7.2. [RFC5652] signedData OID, 1.2.840.113549.1.7.2. [RFC5652]
skipping to change at page 10, line 13 skipping to change at page 10, line 15
i. The unsignedAttrs field in the SignerInfo object is omitted. i. The unsignedAttrs field in the SignerInfo object is omitted.
j. The digestAlgorithm in the SignedData and SignerInfo objects j. The digestAlgorithm in the SignedData and SignerInfo objects
conforms to the RPKI Algorithms and Key Size Profile conforms to the RPKI Algorithms and Key Size Profile
specification [I-D.sidr-rpki-algs]. specification [I-D.sidr-rpki-algs].
k. The signatureAlgorithm in the SignerInfo object conforms to k. The signatureAlgorithm in the SignerInfo object conforms to
the RPKI Algorithms and Key Size Profile specification the RPKI Algorithms and Key Size Profile specification
[I-D.sidr-rpki-algs]. [I-D.sidr-rpki-algs].
l. The signed object is DER encoded.
2. The public key of the EE certificate (contained within the CMS 2. The public key of the EE certificate (contained within the CMS
signed-data object) can be used to successfully verify the signed-data object) can be used to successfully verify the
signature on the signed object. signature on the signed object.
3. The EE certificate (contained within the CMS signed-data object) 3. The EE certificate (contained within the CMS signed-data object)
is a valid EE certificate in the RPKI as specified by [I-D.sidr- is a valid EE certificate in the RPKI as specified by [I-D.sidr-
res-certs]. In particular, there exists a valid certification res-certs]. In particular, there exists a valid certification
path from a trust anchor to this EE certificate. path from a trust anchor to this EE certificate.
If the above procedure indicates that the signed object is invalid, If the above procedure indicates that the signed object is invalid,
skipping to change at page 12, line 16 skipping to change at page 12, line 19
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, May 2008.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
5652, September 2009. 5652, September 2009.
[X.208-88] CCITT. Recommendation X.208: Specification of Abstract [X.208-88] CCITT. Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1), 1988. Syntax Notation One (ASN.1), 1988.
[X.209-88] CCITT. Recommendation X.209: Specification of Basic [X.509-88] CCITT. Recommendation X.509: The Directory Authentication
Encoding Rules for Abstract Syntax Notation One (ASN.1), Framework, 1988.
1988.
9. Informative References 9. Informative References
[I-D.sidr-arch] Lepinski, M. and S. Kent, "An Infrastructure to [I-D.sidr-arch] Lepinski, M. and S. Kent, "An Infrastructure to
Support Secure Internet Routing", Support Secure Internet Routing",
draft-ietf-sidr-arch-11.txt (work in progress), September draft-ietf-sidr-arch-11.txt (work in progress), September
2010. 2010.
[RFC6019] Housley, R., "BinaryTime: An Alternate Format for [RFC6019] Housley, R., "BinaryTime: An Alternate Format for
Representing Date and Time in ASN.1", RFC 6019, September Representing Date and Time in ASN.1", RFC 6019, September
 End of changes. 7 change blocks. 
10 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.39. The latest version is available from http://tools.ietf.org/tools/rfcdiff/