randy/draft-6486bis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sk revises to ensure all objects within ca's pub point

Browse source
This commit is contained in:
Randy Bush 2020-06-24 08:14:09 -07:00
parent 380b5f8583
commit 166c20ddb1
2 changed files with 87 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

156
draft-ymbk-sidrops-6486bis.txt
View file

@ -6,11 +6,11 @@ Network Working Group R. Austein
Internet-Draft Arrcus, Inc. Internet-Draft Arrcus, Inc.
Updates: 6486 (if approved) G. Huston Updates: 6486 (if approved) G. Huston
Intended status: Standards Track APNIC Intended status: Standards Track APNIC
Expires: November 22, 2020 S. Kent Expires: December 26, 2020 S. Kent
Independent Independent
M. Lepinski M. Lepinski
New College Florida New College Florida
May 21, 2020 June 24, 2020
Manifests for the Resource Public Key Infrastructure (RPKI) Manifests for the Resource Public Key Infrastructure (RPKI)
@ -48,14 +48,14 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 22, 2020. This Internet-Draft will expire on December 26, 2020.
Austein, et al. Expires November 22, 2020 [Page 1] Austein, et al. Expires December 26, 2020 [Page 1]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
Copyright Notice Copyright Notice
@ -109,9 +109,9 @@ Table of Contents
Austein, et al. Expires November 22, 2020 [Page 2] Austein, et al. Expires December 26, 2020 [Page 2]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
1. Introduction 1. Introduction
@ -165,9 +165,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 3] Austein, et al. Expires December 26, 2020 [Page 3]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
2. Manifest Scope 2. Manifest Scope
@ -221,9 +221,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 4] Austein, et al. Expires December 26, 2020 [Page 4]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
4. Manifest Definition 4. Manifest Definition
@ -277,9 +277,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 5] Austein, et al. Expires December 26, 2020 [Page 5]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
specified in nextUpdate or until a manifest is issued with a greater specified in nextUpdate or until a manifest is issued with a greater
@ -333,9 +333,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 6] Austein, et al. Expires December 26, 2020 [Page 6]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
encompasses a CRL, the nextUpdate field of the manifest MUST match encompasses a CRL, the nextUpdate field of the manifest MUST match
@ -389,9 +389,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 7] Austein, et al. Expires December 26, 2020 [Page 7]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
5. Manifest Generation 5. Manifest Generation
@ -445,9 +445,9 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 8] Austein, et al. Expires December 26, 2020 [Page 8]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
Note that the manifest does not include a self reference (i.e., Note that the manifest does not include a self reference (i.e.,
@ -495,15 +495,15 @@ Internet-Draft RPKI Manifests May 2020
6. Relying Party Use of Manifests 6. Relying Party Use of Manifests
Each RP must determine which signed objects it will use for Each RP MUST determine which signed objects it will use for
validating assertions about INRs and their use (e.g., which ROAs to validating assertions about INRs and their use (e.g., which ROAs to
use in the construction of route filters). Manifests are designed to use in the construction of route filters). Manifests are designed to
Austein, et al. Expires November 22, 2020 [Page 9] Austein, et al. Expires December 26, 2020 [Page 9]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
allow an RP to detect manipulation of repository data and/or errors allow an RP to detect manipulation of repository data and/or errors
@ -536,9 +536,14 @@ Internet-Draft RPKI Manifests May 2020
For a given publication point, an RP MUST perform a series of tests For a given publication point, an RP MUST perform a series of tests
to determine which signed object files at the publication point are to determine which signed object files at the publication point are
acceptable. The tests described below are to be performed using the acceptable. The tests described below are to be performed using
manifest identified by the id-ad-rpkiManifest URI extracted from a CA themanifest identified by the id-ad-rpkiManifest URI extracted from a
certificate's SIA. CA certificate's SIA. _All_ of the files referenced by the manifest
MUST be be located at the publication point specified by the id-ad-
caRepositoryURI from the (same) certificate's SIA. The manifest and
the files it references MUST reside at the same publication point.
An RP MUST ignore any files that appear on a manifest but do not
reside as the same publication point as the manifest.
1. All of the files referenced by the manifest MUST be be located at 1. All of the files referenced by the manifest MUST be be located at
the publication point specified by the id-ad-caRepository URI the publication point specified by the id-ad-caRepository URI
@ -550,18 +555,16 @@ Internet-Draft RPKI Manifests May 2020
be at the location specified in the CRLDP in the manifest's EE be at the location specified in the CRLDP in the manifest's EE
certificate. certificate.
Austein, et al. Expires December 26, 2020 [Page 10]
Internet-Draft RPKI Manifests June 2020
3. If more than one .crl file appears in the manifest, only file 3. If more than one .crl file appears in the manifest, only file
names matching the CRL specified by the CRLDP will be processed. names matching the CRL specified by the CRLDP will be processed.
If more than one .crl entry appears in the manifest, and matches If more than one .crl entry appears in the manifest, and matches
Austein, et al. Expires November 22, 2020 [Page 10]
Internet-Draft RPKI Manifests May 2020
the CRLDP, the first one encountered MUST be used. Any other the CRLDP, the first one encountered MUST be used. Any other
.crl files MUST be ignored and a warning MUST be issued. .crl files MUST be ignored and a warning MUST be issued.
@ -607,17 +610,17 @@ Internet-Draft RPKI Manifests May 2020
EE certificate issued by the C, and all subordinate CA and EE EE certificate issued by the C, and all subordinate CA and EE
certificates. If there are files listed in the manifest that cannot certificates. If there are files listed in the manifest that cannot
be retrieved from the publication point, or if they fail the validity be retrieved from the publication point, or if they fail the validity
Austein, et al. Expires December 26, 2020 [Page 11]
Internet-Draft RPKI Manifests June 2020
tests specified in [RFC6488], the RP SHOULD examine its cache to tests specified in [RFC6488], the RP SHOULD examine its cache to
determine if these files are available locally. If all of the determine if these files are available locally. If all of the
missing/invalid files are available from the RP's cache, i.e., each missing/invalid files are available from the RP's cache, i.e., each
Austein, et al. Expires November 22, 2020 [Page 11]
Internet-Draft RPKI Manifests May 2020
file name matches the list extracted from the manifest, the RP SHOULD file name matches the list extracted from the manifest, the RP SHOULD
use the cached files to replace those missing from the publication use the cached files to replace those missing from the publication
point, and proceed to Section 6.5. However, if _any_ of the missing/ point, and proceed to Section 6.5. However, if _any_ of the missing/
@ -663,17 +666,18 @@ Internet-Draft RPKI Manifests May 2020
The RPKI publication system model requires that every publication The RPKI publication system model requires that every publication
point be associated with one or more CAs, and be non-empty. Upon point be associated with one or more CAs, and be non-empty. Upon
creation of the publication point associated with a CA, the CA MUST creation of the publication point associated with a CA, the CA MUST
Austein, et al. Expires December 26, 2020 [Page 12]
Internet-Draft RPKI Manifests June 2020
create and publish a manifest as well as a CRL. A CA's manifest will create and publish a manifest as well as a CRL. A CA's manifest will
always contain at least one entry, namely, the CRL issued by the CA always contain at least one entry, namely, the CRL issued by the CA
upon repository creation [RFC6481]. upon repository creation [RFC6481].
Austein, et al. Expires November 22, 2020 [Page 12]
Internet-Draft RPKI Manifests May 2020
Every published signed object in the RPKI [RFC6488] is published in Every published signed object in the RPKI [RFC6488] is published in
the repository publication point of the CA that issued the EE the repository publication point of the CA that issued the EE
certificate, and is listed in the manifest associated with that CA certificate, and is listed in the manifest associated with that CA
@ -718,18 +722,19 @@ Internet-Draft RPKI Manifests May 2020
The authors would like to acknowledge the contributions from George The authors would like to acknowledge the contributions from George
Michelson and Randy Bush in the preparation of the manifest Michelson and Randy Bush in the preparation of the manifest
specification. Additionally, the authors would like to thank Mark specification. Additionally, the authors would like to thank Mark
Austein, et al. Expires December 26, 2020 [Page 13]
Internet-Draft RPKI Manifests June 2020
Reynolds and Christopher Small for assistance in clarifying manifest Reynolds and Christopher Small for assistance in clarifying manifest
validation and RP behavior. The authors also wish to thank Job validation and RP behavior. The authors also wish to thank Job
Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of Snijders, Oleg Muravskiy, and Sean Turner for their helpful review of
this document. this document.
Austein, et al. Expires November 22, 2020 [Page 13]
Internet-Draft RPKI Manifests May 2020
11. References 11. References
11.1. Normative References 11.1. Normative References
@ -769,23 +774,24 @@ Internet-Draft RPKI Manifests May 2020
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Austein, et al. Expires December 26, 2020 [Page 14]
Internet-Draft RPKI Manifests June 2020
[X.690] International International Telephone and Telegraph [X.690] International International Telephone and Telegraph
Consultative Committee, "ASN.1 encoding rules: Consultative Committee, "ASN.1 encoding rules:
Specification of basic encoding Rules (BER), Canonical Specification of basic encoding Rules (BER), Canonical
encoding rules (CER) and Distinguished encoding rules encoding rules (CER) and Distinguished encoding rules
(DER)", CCITT Recommendation X.690, July 2002. (DER)", CCITT Recommendation X.690, July 2002.
Austein, et al. Expires November 22, 2020 [Page 14]
Internet-Draft RPKI Manifests May 2020
11.2. Informative References 11.2. Informative References
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
@ -831,15 +837,9 @@ Appendix A. ASN.1 Module
Austein, et al. Expires December 26, 2020 [Page 15]
Austein, et al. Expires November 22, 2020 [Page 15]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
RPKIManifest { iso(1) member-body(2) us(840) rsadsi(113549) RPKIManifest { iso(1) member-body(2) us(840) rsadsi(113549)
@ -893,9 +893,9 @@ Authors' Addresses
Austein, et al. Expires November 22, 2020 [Page 16] Austein, et al. Expires December 26, 2020 [Page 16]
Internet-Draft RPKI Manifests May 2020 Internet-Draft RPKI Manifests June 2020
Geoff Huston Geoff Huston
@ -949,4 +949,4 @@ Internet-Draft RPKI Manifests May 2020
Austein, et al. Expires November 22, 2020 [Page 17] Austein, et al. Expires December 26, 2020 [Page 17]

10
draft-ymbk-sidrops-6486bis.xml
View file

@ -615,8 +615,14 @@
For a given publication point, an RP MUST perform a series of For a given publication point, an RP MUST perform a series of
tests to determine which signed object files at the publication tests to determine which signed object files at the publication
point are acceptable. The tests described below are to be point are acceptable. The tests described below are to be
performed using the manifest identified by the performed using themanifest identified by the id-ad-rpkiManifest
id-ad-rpkiManifest URI extracted from a CA certificate's SIA. URI extracted from a CA certificate's SIA. _All_ of the files
referenced by the manifest MUST be be located at the publication
point specified by the id-ad-caRepositoryURI from the (same)
certificate's SIA. The manifest and the files it references
MUST reside at the same publication point. An RP MUST
ignore any files that appear on a manifest but do not reside as
the same publication point as the manifest.
</t> </t>
<t> <t>