diff --git a/draft-ymbk-sidrops-6486bis.txt b/draft-ymbk-sidrops-6486bis.txt index 16c0fb5..250903d 100644 --- a/draft-ymbk-sidrops-6486bis.txt +++ b/draft-ymbk-sidrops-6486bis.txt @@ -6,11 +6,11 @@ Network Working Group R. Austein Internet-Draft Arrcus, Inc. Updates: 6486 (if approved) G. Huston Intended status: Standards Track APNIC -Expires: November 22, 2020 S. Kent +Expires: December 26, 2020 S. Kent Independent M. Lepinski New College Florida - May 21, 2020 + June 24, 2020 Manifests for the Resource Public Key Infrastructure (RPKI) @@ -48,14 +48,14 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 22, 2020. + This Internet-Draft will expire on December 26, 2020. -Austein, et al. Expires November 22, 2020 [Page 1] +Austein, et al. Expires December 26, 2020 [Page 1] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 Copyright Notice @@ -109,9 +109,9 @@ Table of Contents -Austein, et al. Expires November 22, 2020 [Page 2] +Austein, et al. Expires December 26, 2020 [Page 2] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 1. Introduction @@ -165,9 +165,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 3] +Austein, et al. Expires December 26, 2020 [Page 3] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 2. Manifest Scope @@ -221,9 +221,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 4] +Austein, et al. Expires December 26, 2020 [Page 4] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 4. Manifest Definition 
@@ -277,9 +277,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 5] +Austein, et al. Expires December 26, 2020 [Page 5] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 specified in nextUpdate or until a manifest is issued with a greater @@ -333,9 +333,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 6] +Austein, et al. Expires December 26, 2020 [Page 6] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 encompasses a CRL, the nextUpdate field of the manifest MUST match @@ -389,9 +389,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 7] +Austein, et al. Expires December 26, 2020 [Page 7] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 5. Manifest Generation @@ -445,9 +445,9 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 8] +Austein, et al. Expires December 26, 2020 [Page 8] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 Note that the manifest does not include a self reference (i.e., @@ -495,15 +495,15 @@ Internet-Draft RPKI Manifests May 2020 6. Relying Party Use of Manifests - Each RP must determine which signed objects it will use for + Each RP MUST determine which signed objects it will use for validating assertions about INRs and their use (e.g., which ROAs to use in the construction of route filters). Manifests are designed to -Austein, et al. Expires November 22, 2020 [Page 9] +Austein, et al. Expires December 26, 2020 [Page 9] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 allow an RP to detect manipulation of repository data and/or errors 
@@ -536,9 +536,14 @@ Internet-Draft RPKI Manifests May 2020 For a given publication point, an RP MUST perform a series of tests to determine which signed object files at the publication point are - acceptable. The tests described below are to be performed using the - manifest identified by the id-ad-rpkiManifest URI extracted from a CA - certificate's SIA. + acceptable. The tests described below are to be performed using + themanifest identified by the id-ad-rpkiManifest URI extracted from a + CA certificate's SIA. _All_ of the files referenced by the manifest + MUST be be located at the publication point specified by the id-ad- + caRepositoryURI from the (same) certificate's SIA. The manifest and + the files it references MUST reside at the same publication point. + An RP MUST ignore any files that appear on a manifest but do not + reside as the same publication point as the manifest. 1. All of the files referenced by the manifest MUST be be located at the publication point specified by the id-ad-caRepository URI @@ -550,18 +555,16 @@ Internet-Draft RPKI Manifests May 2020 be at the location specified in the CRLDP in the manifest's EE certificate. + + +Austein, et al. Expires December 26, 2020 [Page 10] + +Internet-Draft RPKI Manifests June 2020 + + 3. If more than one .crl file appears in the manifest, only file names matching the CRL specified by the CRLDP will be processed. If more than one .crl entry appears in the manifest, and matches - - - - -Austein, et al. Expires November 22, 2020 [Page 10] - -Internet-Draft RPKI Manifests May 2020 - - the CRLDP, the first one encountered MUST be used. Any other .crl files MUST be ignored and a warning MUST be issued. 
@@ -607,17 +610,17 @@ Internet-Draft RPKI Manifests May 2020 EE certificate issued by the C, and all subordinate CA and EE certificates. If there are files listed in the manifest that cannot be retrieved from the publication point, or if they fail the validity + + + +Austein, et al. Expires December 26, 2020 [Page 11] + +Internet-Draft RPKI Manifests June 2020 + + tests specified in [RFC6488], the RP SHOULD examine its cache to determine if these files are available locally. If all of the missing/invalid files are available from the RP's cache, i.e., each - - - -Austein, et al. Expires November 22, 2020 [Page 11] - -Internet-Draft RPKI Manifests May 2020 - - file name matches the list extracted from the manifest, the RP SHOULD use the cached files to replace those missing from the publication point, and proceed to Section 6.5. However, if _any_ of the missing/ @@ -663,17 +666,18 @@ Internet-Draft RPKI Manifests May 2020 The RPKI publication system model requires that every publication point be associated with one or more CAs, and be non-empty. Upon creation of the publication point associated with a CA, the CA MUST + + + +Austein, et al. Expires December 26, 2020 [Page 12] + +Internet-Draft RPKI Manifests June 2020 + + create and publish a manifest as well as a CRL. A CA's manifest will always contain at least one entry, namely, the CRL issued by the CA upon repository creation [RFC6481]. - - -Austein, et al. Expires November 22, 2020 [Page 12] - -Internet-Draft RPKI Manifests May 2020 - - Every published signed object in the RPKI [RFC6488] is published in the repository publication point of the CA that issued the EE certificate, and is listed in the manifest associated with that CA 
@@ -718,18 +722,19 @@ Internet-Draft RPKI Manifests May 2020 The authors would like to acknowledge the contributions from George Michelson and Randy Bush in the preparation of the manifest specification. Additionally, the authors would like to thank Mark + + + +Austein, et al. Expires December 26, 2020 [Page 13] + +Internet-Draft RPKI Manifests June 2020 + + Reynolds and Christopher Small for assistance in clarifying manifest validation and RP behavior. The authors also wish to thank Job Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of this document. - - -Austein, et al. Expires November 22, 2020 [Page 13] - -Internet-Draft RPKI Manifests May 2020 - - 11. References 11.1. Normative References @@ -769,23 +774,24 @@ Internet-Draft RPKI Manifests May 2020 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . + + + + + + + +Austein, et al. Expires December 26, 2020 [Page 14] + +Internet-Draft RPKI Manifests June 2020 + + [X.690] International International Telephone and Telegraph Consultative Committee, "ASN.1 encoding rules: Specification of basic encoding Rules (BER), Canonical encoding rules (CER) and Distinguished encoding rules (DER)", CCITT Recommendation X.690, July 2002. - - - - - - -Austein, et al. Expires November 22, 2020 [Page 14] - -Internet-Draft RPKI Manifests May 2020 - - 11.2. Informative References [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) @@ -831,15 +837,9 @@ Appendix A. ASN.1 Module - - - - - - -Austein, et al. Expires November 22, 2020 [Page 15] +Austein, et al. Expires December 26, 2020 [Page 15] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 RPKIManifest { iso(1) member-body(2) us(840) rsadsi(113549) @@ -893,9 +893,9 @@ Authors' Addresses -Austein, et al. Expires November 22, 2020 [Page 16] +Austein, et al. Expires December 26, 2020 [Page 16] -Internet-Draft RPKI Manifests May 2020 +Internet-Draft RPKI Manifests June 2020 Geoff Huston 
@@ -949,4 +949,4 @@ Internet-Draft RPKI Manifests May 2020 -Austein, et al. Expires November 22, 2020 [Page 17] +Austein, et al. Expires December 26, 2020 [Page 17] diff --git a/draft-ymbk-sidrops-6486bis.xml b/draft-ymbk-sidrops-6486bis.xml index 3a1411c..e07794f 100644 --- a/draft-ymbk-sidrops-6486bis.xml +++ b/draft-ymbk-sidrops-6486bis.xml @@ -614,9 +614,15 @@ For a given publication point, an RP MUST perform a series of tests to determine which signed object files at the publication - point are acceptable. The tests described below are to be - performed using the manifest identified by the - id-ad-rpkiManifest URI extracted from a CA certificate's SIA. + point are acceptable. The tests described below are to be + performed using themanifest identified by the id-ad-rpkiManifest + URI extracted from a CA certificate's SIA. _All_ of the files + referenced by the manifest MUST be be located at the publication + point specified by the id-ad-caRepositoryURI from the (same) + certificate's SIA. The manifest and the files it references + MUST reside at the same publication point. An RP MUST + ignore any files that appear on a manifest but do not reside as + the same publication point as the manifest.
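Review bot: in the @@ -495,15 hunk of the .txt, "Each RP must determine" becomes "Each RP MUST determine", which turns a descriptive lead-in into an RFC 2119 requirement with no testable condition: what the RP is required to do is spelled out by the tests in the paragraphs that follow, not by this sentence. Either keep the lowercase "must" (the draft references RFC 8174, under which lowercase key words are non-normative) or rewrite it to name the obligation, e.g. "Each RP MUST apply the tests in this section to determine which signed objects it will use for validating assertions about INRs". If the capitalization is intentional it is a normative change relative to RFC 6486 and should be recorded wherever the bis draft lists its changes. Note also that this edit appears only in the rendered .txt; the .xml diff contains a single hunk (@@ -614,9) for the publication-point paragraph, so the MUST will be lost the next time the text is regenerated from the XML.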
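Review bot: in the @@ -536,9 hunk of the .txt, the new paragraph restates list item 1 almost word for word ("_All_ of the files referenced by the manifest MUST be be located at the publication point specified by the id-ad-caRepositoryURI from the (same) certificate's SIA", followed three lines later by "1. All of the files referenced by the manifest MUST be be located at the publication point specified by the id-ad-caRepository URI"), and the two copies spell the accessMethod differently (id-ad-caRepositoryURI vs. id-ad-caRepository URI). State the requirement once, in item 1, and keep only the genuinely new sentence in the introduction: "An RP MUST ignore any files that appear on a manifest but do not reside at the same publication point as the manifest." That sentence then needs two things an implementer cannot infer from the text. First, since the fileList carries file names rather than URIs (the @@ -607 hunk's cache check compares "each file name" against "the list extracted from the manifest"), say how an RP decides that a listed name does not reside at the publication point. Second, say what "ignore" means for the rest of Section 6: is a manifest that lists objects outside its publication point still accepted with those entries skipped, or is each such entry handled like a file that "cannot be retrieved from the publication point", which in the @@ -607 hunk triggers the cache fallback and the path to Section 6.5? The two readings give different outcomes for exactly the manifests this sentence is meant to address. Typos in the added lines: "themanifest" (missing space), "MUST be be located" (doubled "be", also present in the unchanged item 1), and "do not reside as the same publication point" should read "at the same publication point".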
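Review bot: in the .xml hunk (@@ -614,9) the same three errors are in the source ("themanifest", "MUST be be located", "reside as the same publication point"), so they will be reproduced on every regeneration until they are fixed here; since draft-ymbk-sidrops-6486bis.txt is the rendered output of this file, correct the wording in the .xml and regenerate rather than patching the two files independently (the .txt already contains an edit, "Each RP MUST determine", that has no counterpart in the XML). The first removed/added pair in this hunk, "point are acceptable. The tests described below are to be", is identical text on both sides, so the only change there is whitespace; drop that pair so the hunk shows only the substantive change.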