draft-ietf-sidrops-6486bis-02.txt   draft-ietf-sidrops-6486bis-03.txt 
Network Working Group R. Austein Network Working Group R. Austein
Internet-Draft Arrcus, Inc. Internet-Draft Arrcus, Inc.
Updates: 6486 (if approved) G. Huston Updates: 6486 (if approved) G. Huston
Intended status: Standards Track APNIC Intended status: Standards Track APNIC
Expires: May 6, 2021 S. Kent Expires: June 3, 2021 S. Kent
Independent Independent
M. Lepinski M. Lepinski
New College Florida New College Florida
November 2, 2020 November 30, 2020
Manifests for the Resource Public Key Infrastructure (RPKI) Manifests for the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidrops-6486bis-02 draft-ietf-sidrops-6486bis-03
Abstract Abstract
This document defines a "manifest" for use in the Resource Public Key This document defines a "manifest" for use in the Resource Public Key
Infrastructure (RPKI). A manifest is a signed object (file) that Infrastructure (RPKI). A manifest is a signed object (file) that
contains a listing of all the signed objects (files) in the contains a listing of all the signed objects (files) in the
repository publication point (directory) associated with an authority repository publication point (directory) associated with an authority
responsible for publishing in the repository. For each certificate, responsible for publishing in the repository. For each certificate,
Certificate Revocation List (CRL), or other type of signed objects Certificate Revocation List (CRL), or other type of signed objects
issued by the authority that are published at this repository issued by the authority that are published at this repository
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 6, 2021. This Internet-Draft will expire on June 3, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Manifest Scope . . . . . . . . . . . . . . . . . . . . . . . 4 2. Manifest Scope . . . . . . . . . . . . . . . . . . . . . . . 4
3. Manifest Signing . . . . . . . . . . . . . . . . . . . . . . 4 3. Manifest Signing . . . . . . . . . . . . . . . . . . . . . . 4
4. Manifest Definition . . . . . . . . . . . . . . . . . . . . . 5 4. Manifest Definition . . . . . . . . . . . . . . . . . . . . . 5
4.1. eContentType . . . . . . . . . . . . . . . . . . . . . . 5 4.1. eContentType . . . . . . . . . . . . . . . . . . . . . . 5
4.2. eContent . . . . . . . . . . . . . . . . . . . . . . . . 5 4.2. eContent . . . . . . . . . . . . . . . . . . . . . . . . 5
4.2.1. Manifest . . . . . . . . . . . . . . . . . . . . . . 5 4.2.1. Manifest . . . . . . . . . . . . . . . . . . . . . . 5
4.2.2. Names in FileAndHash objects . . . . . . . . . . . . 7
4.3. Content-Type Attribute . . . . . . . . . . . . . . . . . 7 4.3. Content-Type Attribute . . . . . . . . . . . . . . . . . 7
4.4. Manifest Validation . . . . . . . . . . . . . . . . . . . 7 4.4. Manifest Validation . . . . . . . . . . . . . . . . . . . 7
5. Manifest Generation . . . . . . . . . . . . . . . . . . . . . 8 5. Manifest Generation . . . . . . . . . . . . . . . . . . . . . 8
5.1. Manifest Generation Procedure . . . . . . . . . . . . . . 8 5.1. Manifest Generation Procedure . . . . . . . . . . . . . . 8
5.2. Considerations for Manifest Generation . . . . . . . . . 9 5.2. Considerations for Manifest Generation . . . . . . . . . 9
6. Relying Party Processing of Manifests . . . . . . . . . . . . 9 6. Relying Party Processing of Manifests . . . . . . . . . . . . 10
6.1. Manifest Processing Overview . . . . . . . . . . . . . . 11 6.1. Manifest Processing Overview . . . . . . . . . . . . . . 11
6.2. Acquiring a Manifest for a CA . . . . . . . . . . . . . . 11 6.2. Acquiring a Manifest for a CA . . . . . . . . . . . . . . 11
6.3. Detecting Stale and or Prematurely-issued Manifests . . . 11 6.3. Detecting Stale and or Prematurely-issued Manifests . . . 11
6.4. Acquiring Files Referenced by a Manifest . . . . . . . . 12 6.4. Acquiring Files Referenced by a Manifest . . . . . . . . 12
6.5. Matching File Names and Hashes . . . . . . . . . . . . . 12 6.5. Matching File Names and Hashes . . . . . . . . . . . . . 12
6.6. Out of Scope Manifest Entries . . . . . . . . . . . . . . 12 6.6. Out of Scope Manifest Entries . . . . . . . . . . . . . . 12
6.7. Failed Fetches . . . . . . . . . . . . . . . . . . . . . 12 6.7. Failed Fetches . . . . . . . . . . . . . . . . . . . . . 12
7. Publication Repositories . . . . . . . . . . . . . . . . . . 13 7. Publication Repositories . . . . . . . . . . . . . . . . . . 13
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14 11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 15 11.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 16 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
The Resource Public Key Infrastructure (RPKI) [RFC6480] makes use of The Resource Public Key Infrastructure (RPKI) [RFC6480] makes use of
skipping to change at page 7, line 26 skipping to change at page 7, line 26
Profile specification [RFC6485]. Profile specification [RFC6485].
fileList: fileList:
This field is a sequence of FileAndHash objects. There is one This field is a sequence of FileAndHash objects. There is one
FileAndHash entry for each currently valid signed object that has FileAndHash entry for each currently valid signed object that has
been published by the authority (at this publication point). Each been published by the authority (at this publication point). Each
FileAndHash is an ordered pair consisting of the name of the file FileAndHash is an ordered pair consisting of the name of the file
in the repository publication point (directory) that contains the in the repository publication point (directory) that contains the
object in question and a hash of the file's contents. object in question and a hash of the file's contents.
4.2.2. Names in FileAndHash objects
Names that appear in the fileList MUST consist of one or more
characters chosen from the set a-z, A-Z, 0-9, - (HYPHEN), or _
(UNDERSCORE), followed by a single . (DOT), followed by a three-
letter extension. The extension MUST be one of those enumerated in
the "RPKI Repository Naming Scheme" registry maintained by IANA
[IANA-NAMING].
As an example, 'vixxBTS_TVXQ-2pmGOT7.cer' is a valid filename.
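The following is an added example, not text or code from the draft or from any RP implementation. It applies the section 4.2.2 name grammar to each fileList entry and then does the hash comparison that the fileList description in 4.2.1 implies. Assumptions not stated on this page: the hash is SHA-256 (the page says only "a hash"); the registered extension set is a constructed subset of the IANA registry, not the registry itself; the published file contents and the manifest entries are constructed stand-ins, not real DER objects.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Assumed subset of the IANA "RPKI Repository Name Schemes" registry.
# The draft cites the registry but does not list its entries; this set is
# constructed for the example and should be loaded from the registry in practice.
KNOWN_EXTENSIONS = {"cer", "crl", "mft", "roa", "gbr"}

# Section 4.2.2 grammar: one or more of a-z, A-Z, 0-9, '-', '_', then a single
# '.', then a three-letter extension. The extension is matched against the
# registry exactly as registered (lowercase), which is an assumption here.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.([a-z]{3})$")


def is_valid_manifest_filename(name: str) -> bool:
    """True if `name` conforms to the section 4.2.2 grammar and uses a
    registered extension. Anything else (path separators, multiple dots,
    empty stem, unregistered extension) is rejected."""
    m = _NAME_RE.fullmatch(name)
    return m is not None and m.group(1) in KNOWN_EXTENSIONS


def sha256_hex(data: bytes) -> str:
    # SHA-256 is assumed as the fileList hash algorithm.
    return hashlib.sha256(data).hexdigest()


def check_file_list(
    file_list: List[Tuple[str, str]], published: Dict[str, bytes]
) -> Dict[str, List[str]]:
    """Match each (name, hash) pair of a fileList against the files found at
    the publication point. Returns the names grouped by outcome:
      ok            name conforms and the published content hashes to the entry
      bad_name      name violates the 4.2.2 grammar; entry is not looked up
      missing       well-formed name, but no such file at the publication point
      hash_mismatch file is present but its content does not match the entry
      unlisted      files present at the publication point but not in the list
    """
    result: Dict[str, List[str]] = {
        "ok": [], "bad_name": [], "missing": [], "hash_mismatch": [], "unlisted": []
    }
    seen = set()
    for name, expected_hex in file_list:
        if not is_valid_manifest_filename(name):
            result["bad_name"].append(name)
            continue
        seen.add(name)
        data = published.get(name)
        if data is None:
            result["missing"].append(name)
            continue
        if sha256_hex(data) != expected_hex.lower():
            result["hash_mismatch"].append(name)
            continue
        result["ok"].append(name)
    result["unlisted"] = sorted(n for n in published if n not in seen)
    return result


# Constructed publication-point contents (byte strings standing in for DER objects).
PUBLISHED: Dict[str, bytes] = {
    "vixxBTS_TVXQ-2pmGOT7.cer": b"constructed-certificate-bytes",
    "example.crl": b"constructed-crl-bytes",
    "route_1.roa": b"constructed-roa-bytes",
    "stray.roa": b"constructed-object-not-in-manifest",
}

# Constructed fileList: two good entries plus one entry per failure mode.
SAMPLE_FILE_LIST: List[Tuple[str, str]] = [
    ("vixxBTS_TVXQ-2pmGOT7.cer", sha256_hex(PUBLISHED["vixxBTS_TVXQ-2pmGOT7.cer"])),
    ("example.crl", sha256_hex(PUBLISHED["example.crl"])),
    ("route_1.roa", "00" * 32),     # published content hashes to something else
    ("../escape.cer", "00" * 32),   # '.' and '/' are not in the allowed stem set
    ("two.dots.mft", "00" * 32),    # only a single DOT is permitted
    ("x.xyz", "00" * 32),           # three letters, but not a registered extension
    ("absent.gbr", "00" * 32),      # well-formed, but nothing published under it
]


def demo() -> Dict[str, List[str]]:
    return check_file_list(SAMPLE_FILE_LIST, PUBLISHED)


if __name__ == "__main__":
    for outcome, names in demo().items():
        print(f"{outcome:14s} {names}")
```

The name check runs before any file is opened, so a fileList entry such as "../escape.cer" never reaches the filesystem; the hash comparison is done on whatever the RP fetched, not on the manifest's own claim about the file. The "unlisted" group is reported separately because those files are not covered by the manifest's signature and the RP should not treat them as published by the authority.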
4.3. Content-Type Attribute 4.3. Content-Type Attribute
The mandatory content-type attribute MUST have its attrValues field The mandatory content-type attribute MUST have its attrValues field
set to the same OID as eContentType. This OID is id-ct-rpkiManifest set to the same OID as eContentType. This OID is id-ct-rpkiManifest
and has the numerical value of 1.2.840.113549.1.9.16.1.26. and has the numerical value of 1.2.840.113549.1.9.16.1.26.
4.4. Manifest Validation 4.4. Manifest Validation
To determine whether a manifest is valid, the RP MUST perform the To determine whether a manifest is valid, the RP MUST perform the
following checks in addition to those specified in [RFC6488]: following checks in addition to those specified in [RFC6488]:
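Review bot: the new section 4.2.2 states the name grammar as a MUST but does not say what an RP does with a fileList entry that violates it, whether the entry alone is ignored or the whole manifest is rejected; since section 4.4 "Manifest Validation" is where the RP checks are enumerated, either add a grammar check there or have 4.2.2 point to where the consequence is defined. Two smaller points: the registry match is silent on case (say whether an extension such as "CER" matches the registered entry), and 4.2.2 names the registry "RPKI Repository Naming Scheme" while the new [IANA-NAMING] reference entry reads "RPKI Repository Name Schemes"; align the two.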
skipping to change at page 14, line 19 skipping to change at page 14, line 25
specification. Additionally, the authors would like to thank Mark specification. Additionally, the authors would like to thank Mark
Reynolds and Christopher Small for assistance in clarifying manifest Reynolds and Christopher Small for assistance in clarifying manifest
validation and RP behavior. The authors also wish to thank Job validation and RP behavior. The authors also wish to thank Job
Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of
this document. this document.
11. References 11. References
11.1. Normative References 11.1. Normative References
[IANA-NAMING]
"RPKI Repository Name Schemes",
<https://www.iana.org/assignments/rpki/rpki.xhtml#name-
schemes>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
 End of changes. 9 change blocks. 
6 lines changed or deleted 23 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/