diff --git a/draft-ietf-opsawg-9092-update.xml b/draft-ietf-opsawg-9092-update.xml index 1372197..3a5c7ae 100644 --- a/draft-ietf-opsawg-9092-update.xml +++ b/draft-ietf-opsawg-9092-update.xml @@ -8,7 +8,7 @@ - @@ -82,9 +82,10 @@ This document specifies how to augment the Routing Policy Specification Language inetnum: class to refer specifically to - geofeed data files and describes an optional scheme that uses - the Resource Public Key Infrastructure to authenticate the - geofeed datafiles. + geofeed comma-separated values (CSV) data files and describes an + optional scheme that uses the Resource Public Key Infrastructure + to authenticate the geofeed data files. This document obsoletes + RFC 9092. @@ -381,16 +382,10 @@ inetnum: 192.0.2.0/24 # example remarks: Geofeed https://example.com/geofeed_2 ]]> - and the file geofeed_1 contains geolocation data about - 192.0.2.0/29, this MUST be discarded because 192.0.2.0/24 is - within the more specific inetnum: covering the address range and - that inetnum: has a geofeed reference. - - - - If an inetnum: object has both remarks: with geofeed data and - also has a geofeed: attribute, the geofeed: attribute SHOULD be - used and the remarks: ignored. + Since geofeed_1 contains geolocation data about 192.0.2.0/29, + it is discarded because 192.0.2.0/24 is within the more + specific inetnum: covering the address range and that inetnum: + has a geofeed reference. 
@@ -518,13 +513,13 @@ - The CA SHOULD sign only one geofeed file with each generated - private key and SHOULD generate a new key pair for each new - version of a perticular geofeed file. The CA MUST generate a - new EE certificate for each signing of a particular geofeed - file. An associated EE certificate used in this fashion is - termed a "one-time-use" EE certificate (see Section 3 of ). + The Certificate Authority (CA) SHOULD sign only one geofeed file + with each generated private key and SHOULD generate a new key + pair for each new version of a perticular geofeed file. The CA + MUST generate a new End Entity (EE) certificate for each signing + of a particular geofeed file. An associated EE certificate used + in this fashion is termed a "one-time-use" EE certificate (see + Section 3 of ). @@ -551,7 +546,7 @@
  • Validation of the signer's certificate MUST ensure that it is - part of the current manifest and that + part of the current manifest and that all resources are covered by the RPKI certificate.
  • @@ -652,7 +647,7 @@
    The geofeed files MUST be published via and fetched using - HTTPS . + HTTPS . When using data from a geofeed file, one MUST ignore data @@ -824,15 +819,15 @@ and Erik Kline who was too shy to agree to coauthorship. Additionally, we express our gratitude to early implementors, including Menno Schepers; Flavio Luciani; Eric Dugas; and Kevin - Pack. Also, thanks to the following geolocation providers who - are consuming geofeeds with this described solution: Jonathan - Kosgei (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat - (bigdatacloud.com). For an amazing number of helpful reviews, - we thank Job Snijders, who also found an ASN.1 'inherit' issue; + Pack. Also, thanks to the following geolocation providers who are + consuming geofeeds with this described solution: Jonathan Kosgei + (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat + (bigdatacloud.com). For an amazing number of helpful reviews, we + thank Job Snijders, who also found an ASN.1 'inherit' issue; Adrian Farrel; Antonio Prado; Francesca Palombini; Jean-Michel Combes (INTDIR); John Scudder; Kyle Rose (SECDIR); Martin Duke; - Murray Kucherawy; Paul Kyzivat (GENART); Rob Wilton; Roman - Danyliw; and Ties de Kock. + Mohamed Boucadair; Murray Kucherawy; Paul Kyzivat (GENART); Rob + Wilton; Roman Danyliw; and Ties de Kock. @@ -841,7 +836,6 @@ - @@ -850,11 +844,12 @@ - + + @@ -888,7 +883,6 @@ - RIPE Database Documentation @@ -943,15 +937,17 @@
    - This appendix provides an example, including a trust anchor, - a CRL signed by the trust anchor, a CA certificate subordinate to - the trust anchor, a CRL signed by the CA, an end-entity certificate - subordinate to the CA for signing the geofeed, and a detached signature. + This appendix provides an example, including a trust anchor, a + Certificate Revocation List (CRL) signed by the trust anchor, a CA + certificate subordinate to the trust anchor, a CRL signed by the CA, + an end-entity certificate subordinate to the CA for signing the + geofeed, and a detached signature. - The trust anchor is represented by a self-signed certificate. As usual in - the RPKI, the trust anchor has authority over all IPv4 address blocks, - all IPv6 address blocks, and all AS numbers. + The trust anchor is represented by a self-signed certificate. As + usual in the RPKI, the trust anchor has authority over all IPv4 + address blocks, all IPv6 address blocks, and all Autonomous Systam + (AS) numbers.
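Review bot: the hunk at @@ -381,16 +382,10 @@ deletes the paragraph "If an inetnum: object has both remarks: with geofeed data and also has a geofeed: attribute, the geofeed: attribute SHOULD be used and the remarks: ignored." That paragraph is the only precedence rule visible in this patch for the case where both forms are present; if it has not been relocated to another section, the updated text leaves a consumer without a rule for which source wins when the remarks: line and the geofeed: attribute point at different files, which is exactly the kind of ambiguity an attacker-controlled remarks: line could exploit. Either restore the paragraph here or state in the commit message where the rule now lives. In the same hunk, "this MUST be discarded" becomes "it is discarded", dropping the RFC 2119 keyword; if discarding the more-general file's data is still a requirement, keep "MUST be discarded".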
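Review bot: the rewritten paragraph in @@ -518,13 +513,13 @@ carries over the typo "perticular" ("each new version of a perticular geofeed file"); since the paragraph is being rewritten anyway to expand CA and EE, fix it to "particular". The closing reference "(see Section 3 of )." has no visible target in these lines; confirm the xref element survived the reflow in the XML source.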
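Review bot: the hunk at @@ -943,15 +937,17 @@ introduces a new typo, "Autonomous Systam (AS) numbers"; it should read "Autonomous System (AS) numbers". The CRL expansion added in the same hunk is fine.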