| draft-ietf-sidrops-rpki-rsc.txt | draft-ietf-sidrops-rpki-rsc-03.txt | |||
|---|---|---|---|---|
| Network Working Group J. Snijders | Network Working Group J. Snijders | |||
| Internet-Draft Fastly | Internet-Draft Fastly | |||
| Intended status: Standards Track T. Harrison | Intended status: Standards Track T. Harrison | |||
| Expires: 2 December 2021 APNIC | Expires: November 28, 2021 APNIC | |||
| B. Maddison | B. Maddison | |||
| Workonline | Workonline | |||
| 31 May 2021 | May 27, 2021 | |||
| Resource Public Key Infrastructure (RPKI) object profile for Signed | Resource Public Key Infrastructure (RPKI) object profile for Signed | |||
| Checklist (RSC) | Checklist (RSC) | |||
| draft-ietf-sidrops-rpki-rsc-04 | draft-ietf-sidrops-rpki-rsc-03 | |||
| Abstract | Abstract | |||
| This document defines a Cryptographic Message Syntax (CMS) profile | This document defines a Cryptographic Message Syntax (CMS) profile | |||
| for a general purpose listing of checksums (a 'checklist'), for use | for a general purpose listing of checksums (a 'checklist'), for use | |||
| with the Resource Public Key Infrastructure (RPKI). The objective is | with the Resource Public Key Infrastructure (RPKI). The objective is | |||
| to allow an attestation, in the form of a listing of one or more | to allow an attestation, in the form of a listing of one or more | |||
| checksums of arbitrary digital objects (files), to be signed "with | checksums of arbitrary digital objects (files), to be signed "with | |||
| resources", and for validation to provide a means to confirm a | resources", and for validation to provide a means to confirm a | |||
| specific Internet Resource Holder produced the Signed Checklist. The | specific Internet Resource Holder produced the Signed Checklist. The | |||
| skipping to change at page 2, line 4 | skipping to change at page 2, line 4 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 2 December 2021. | This Internet-Draft will expire on November 28, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
| as described in Section 4.e of the Trust Legal Provisions and are | include Simplified BSD License text as described in Section 4.e of | |||
| provided without warranty as described in the Simplified BSD License. | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. RSC Profile and Distribution . . . . . . . . . . . . . . . . 3 | 2. RSC Profile and Distribution . . . . . . . . . . . . . . . . 3 | |||
| 3. The RSC ContentType . . . . . . . . . . . . . . . . . . . . . 3 | 3. The RSC ContentType . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. The RSC eContent . . . . . . . . . . . . . . . . . . . . . . 4 | 4. The RSC eContent . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. resources . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.2. resources . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.3. digestAlgorithm . . . . . . . . . . . . . . . . . . . . . 5 | 4.3. digestAlgorithm . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.4. checkList . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.4. checkList . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. RSC Validation . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. RSC Validation . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Operational Considerations . . . . . . . . . . . . . . . . . 6 | 6. Operational Considerations . . . . . . . . . . . . . . . . . 6 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. Implementation status - RFC EDITOR: REMOVE BEFORE | 8. Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION 7 | |||
| PUBLICATION . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9.1. SMI Security for S/MIME CMS Content Type | 9.1. SMI Security for S/MIME CMS Content Type | |||
| (1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . . 8 | (1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . . 8 | |||
| 9.2. RPKI Signed Objects sub-registry . . . . . . . . . . . . 8 | 9.2. RPKI Signed Objects sub-registry . . . . . . . . . . . . 8 | |||
| 9.3. File Extension . . . . . . . . . . . . . . . . . . . . . 8 | 9.3. File Extension . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9.4. SMI Security for S/MIME Module Identifier | 9.4. SMI Security for S/MIME Module Identifier | |||
| (1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . . 9 | (1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . . 9 | |||
| 9.5. Media Type . . . . . . . . . . . . . . . . . . . . . . . 9 | 9.5. Media Type . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 10 | 10.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix B. Document changelog - RFC EDITOR: REMOVE BEFORE | Appendix B. Document changelog - RFC EDITOR: REMOVE BEFORE | |||
| PUBLICATION . . . . . . . . . . . . . . . . . . . . . . . 11 | PUBLICATION . . . . . . . . . . . . . . . . . . . . 11 | |||
| B.1. changes from -03 -> -04 . . . . . . . . . . . . . . . . . 11 | B.1. changes from -02 -> -03 . . . . . . . . . . . . . . . . . 11 | |||
| B.2. changes from -02 -> -03 . . . . . . . . . . . . . . . . . 12 | B.2. changes from -01 -> -02 . . . . . . . . . . . . . . . . . 11 | |||
| B.3. changes from -01 -> -02 . . . . . . . . . . . . . . . . . 12 | B.3. changes from -00 -> -01 . . . . . . . . . . . . . . . . . 12 | |||
| B.4. changes from -00 -> -01 . . . . . . . . . . . . . . . . . 12 | B.4. individual submission phase . . . . . . . . . . . . . . . 12 | |||
| B.5. individual submission phase . . . . . . . . . . . . . . . 12 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a Cryptographic Message Syntax (CMS) [RFC5652] | This document defines a Cryptographic Message Syntax (CMS) [RFC5652] | |||
| profile for a general purpose listing of checksums (a 'checklist'), | profile for a general purpose listing of checksums (a 'checklist'), | |||
| for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. | for use with the Resource Public Key Infrastructure (RPKI) [RFC6480]. | |||
| The objective is to allow an attestation, in the form of a listing of | The objective is to allow an attestation, in the form of a listing of | |||
| one or more checksums of arbitrary files, to be signed "with | one or more checksums of arbitrary files, to be signed "with | |||
| resources", and for validation to provide a means to confirm a given | resources", and for validation to provide a means to confirm a given | |||
| skipping to change at page 6, line 5 | skipping to change at page 6, line 5 | |||
| OPTIONAL. | OPTIONAL. | |||
| 5. RSC Validation | 5. RSC Validation | |||
| Before a relying party can use an RSC to validate a set of digital | Before a relying party can use an RSC to validate a set of digital | |||
| objects, the relying party MUST first validate the RSC. To validate | objects, the relying party MUST first validate the RSC. To validate | |||
| an RSC, the relying party MUST perform all the validation checks | an RSC, the relying party MUST perform all the validation checks | |||
| specified in [RFC6488] as well as the following additional RSC- | specified in [RFC6488] as well as the following additional RSC- | |||
| specific validation steps. | specific validation steps. | |||
| * The IP Addresses and AS Identifiers extension [RFC3779] is present | o The IP address delegation extension [RFC3779] is present in the | |||
| in the end-entity (EE) certificate (contained within the RSC), and | end-entity (EE) certificate (contained within the RSC), and each | |||
| each IP address prefix and/or AS Identifier in the RSC is | IP address prefix(es) in the RSC is contained within the set of IP | |||
| contained within the set of IP addresses and AS Identifiers | addresses specified by the EE certificate's IP address delegation | |||
| specified by the EE certificate's [RFC3779] extension. | extension. | |||
| * For each FilenameAndHash entry in the RSC, if a filename field is | o For each FilenameAndHash entry in the RSC, if a filename field is | |||
| present, the field's content MUST contain only characters | present, the field's content MUST contain only characters | |||
| specified in the Portable Filename Character Set as defined in | specified in the Portable Filename Character Set as defined in | |||
| [POSIX]. | [POSIX]. | |||
| To validate a set of digital objects against an RSC: | To validate a set of digital objects against an RSC: | |||
| * The message digest of each referenced digital object, using the | o The message digest of each referenced digital object, using the | |||
| digest algorithm specified in the digestAlgorithm field, MUST | digest algorithm specified in the digestAlgorithm field, MUST | |||
| be calculated and MUST match the value given in the messageDigest | be calculated and MUST match the value given in the messageDigest | |||
| field of the associated FilenameAndHash, for the digital object to | field of the associated FilenameAndHash, for the digital object to | |||
| be considered valid as against the RSC. | be considered valid as against the RSC. | |||
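The two procedures above (first validating the RSC itself, then validating a set of objects against it), as an added example that is not part of the draft and not the code of any implementation listed in Section 8. It assumes the RFC 6488 checks have already passed and works on a simplified, already-decoded form of the eContent and of the EE certificate's RFC 3779 resources; the names `Checklist`, `EEResources`, `FilenameAndHash`, `build_sample` and the hashlib-name form of `digestAlgorithm` are this example's own conventions, not the draft's ASN.1. The sample objects are constructed. The text object is gzip'ed with a fixed mtime, which is a caveat worth knowing when following the Section 6 compression recommendation: a gzip header carries a timestamp, so compressing the same text twice without pinning it yields different bytes and therefore a different digest.

```python
# Added example (not the draft's code, nor that of rpki-rsc-demo, rpkimancer,
# rpki-client or FORT): the RSC-specific checks of Section 5 applied to an
# already-decoded Signed Checklist. Assumed, not from the draft: the RFC 6488
# checks already passed, eContent and the EE certificate's RFC 3779 resources
# are decoded into the plain structures below, and digestAlgorithm is given as
# a hashlib name (a real decoder maps the AlgorithmIdentifier OID to it).
import gzip
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# POSIX Portable Filename Character Set: A-Z a-z 0-9 . _ -
PORTABLE_FILENAME_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-")

class RSCValidationError(Exception): """The RSC failed a Section 5 check."""

@dataclass
class FilenameAndHash:
    message_digest: bytes
    filename: Optional[str] = None  # optional on the wire since -00

@dataclass
class Checklist:  # decoded RSC eContent, simplified shape for this example
    digest_algorithm: str  # e.g. "sha256"
    ip_prefixes: list      # e.g. ["192.0.2.0/25"]
    as_ids: list           # e.g. [64500]
    entries: list          # FilenameAndHash instances

@dataclass
class EEResources:  # RFC 3779 resources of the EE cert ('inherit' not modelled)
    present: bool
    ip_prefixes: list  # covering prefixes, either address family
    as_ranges: list    # inclusive (min_asn, max_asn) tuples

def prefix_covered(prefix: str, covering: list) -> bool:
    """True if `prefix` lies inside at least one prefix in `covering`."""
    try:
        net = ipaddress.ip_network(prefix)
    except ValueError:
        return False
    for c in covering:
        cnet = ipaddress.ip_network(c)
        # subnet_of() raises on mixed families, so compare versions first
        if cnet.version == net.version and net.subnet_of(cnet):
            return True
    return False

def asn_covered(asn: int, ranges: list) -> bool:
    return any(lo <= asn <= hi for lo, hi in ranges)

def is_portable_filename(name: str) -> bool:
    return bool(name) and set(name) <= PORTABLE_FILENAME_CHARS

def validate_rsc(rsc: Checklist, ee: EEResources) -> None:
    """Section 5 RSC-specific checks; raises RSCValidationError on failure."""
    if not ee.present:
        raise RSCValidationError("EE certificate lacks the RFC 3779 extension")
    for p in rsc.ip_prefixes:
        if not prefix_covered(p, ee.ip_prefixes):
            raise RSCValidationError(f"prefix {p} not covered by EE certificate")
    for a in rsc.as_ids:
        if not asn_covered(a, ee.as_ranges):
            raise RSCValidationError(f"AS{a} not covered by EE certificate")
    for e in rsc.entries:
        if e.filename is not None and not is_portable_filename(e.filename):
            raise RSCValidationError(f"filename {e.filename!r} outside the PFCS")

def object_digest(algorithm: str, data: bytes) -> bytes:
    return hashlib.new(algorithm, data).digest()

def verify_objects(rsc: Checklist, objects: dict) -> dict:
    """Map each object name to True if an entry vouches for its bytes: digests
    equal, and the entry carries either no filename or this object's name."""
    results = {}
    for name, data in objects.items():
        digest = object_digest(rsc.digest_algorithm, data)
        results[name] = any(
            e.message_digest == digest and e.filename in (None, name)
            for e in rsc.entries)
    return results

def build_sample():
    """Constructed sample (not from the draft). The text object is gzip'ed with
    a fixed mtime so its digest is reproducible, per the Section 6 advice."""
    alg, cfg = "sha256", "router-config.txt.gz"
    objects = {
        cfg: gzip.compress(b"hostname r1\n", mtime=0),
        "loa.pdf": b"%PDF-1.4 constructed sample bytes\n",
    }
    entries = [
        FilenameAndHash(object_digest(alg, objects[cfg]), cfg),
        FilenameAndHash(object_digest(alg, objects["loa.pdf"])),  # no filename
    ]
    rsc = Checklist(alg, ["192.0.2.0/25", "2001:db8:1::/48"], [64500], entries)
    ee = EEResources(True, ["192.0.2.0/24", "2001:db8::/32"], [(64496, 64511)])
    return rsc, ee, objects
```

Note the asymmetry in `verify_objects`: an entry without a filename vouches for any object whose digest matches, whereas an entry with a filename only vouches for an object presented under that exact name. A relying party that wants "all entries accounted for" rather than "this object is covered" needs a second pass over `rsc.entries`, which the draft's validation text does not require.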
| 6. Operational Considerations | 6. Operational Considerations | |||
| When creating digital objects of a plain-text nature (such as ASCII, | When creating digital objects of a plain-text nature (such as ASCII, | |||
| UTF-8, HTML, Javascript, XML, etc) it is RECOMMENDED to convert such | UTF-8, HTML, Javascript, XML, etc) it is RECOMMENDED to convert such | |||
| objects into a lossless compressed form. Distributing plain-text | objects into a lossless compressed form. Distributing plain-text | |||
| skipping to change at page 7, line 51 | skipping to change at page 7, line 51 | |||
| features. Readers are advised to note that other implementations may | features. Readers are advised to note that other implementations may | |||
| exist. | exist. | |||
| According to RFC 7942, "this will allow reviewers and working groups | According to RFC 7942, "this will allow reviewers and working groups | |||
| to assign due consideration to documents that have the benefit of | to assign due consideration to documents that have the benefit of | |||
| running code, which may serve as evidence of valuable experimentation | running code, which may serve as evidence of valuable experimentation | |||
| and feedback that have made the implemented protocols more mature. | and feedback that have made the implemented protocols more mature. | |||
| It is up to the individual working groups to use this information as | It is up to the individual working groups to use this information as | |||
| they see fit". | they see fit". | |||
| * A signer and validator implementation [rpki-rsc-demo] written in | o A signer and validator implementation [rpki-rsc-demo] written in | |||
| Perl based on OpenSSL was provided by Tom Harrison from APNIC. | Perl based on OpenSSL was provided by Tom Harrison from APNIC. | |||
| * A signer implementation [rpkimancer] written in Python was | o A signer implementation [rpkimancer] written in Python was | |||
| developed by Ben Maddison. | developed by Ben Maddison. | |||
| * Example .sig files were created by Job Snijders with the use of | o Example .sig files were created by Job Snijders with the use of | |||
| OpenSSL. | OpenSSL. | |||
| * A validator implementation based on OpenBSD rpki-client and | o A validator implementation based on OpenBSD rpki-client and | |||
| LibreSSL was developed by Job Snijders. | LibreSSL was developed by Job Snijders. | |||
| * A validator implementation [FORT] based on the FORT validator was | ||||
| developed by Alberto Leiva. | ||||
| 9. IANA Considerations | 9. IANA Considerations | |||
| 9.1. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) | 9.1. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) | |||
| The IANA has permanently allocated for this document in the SMI | The IANA has permanently allocated for this document in the SMI | |||
| Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) | Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) | |||
| registry: | registry: | |||
| Decimal Description References | Decimal Description References | |||
| --------------------------------------------------------------- | --------------------------------------------------------------- | |||
| skipping to change at page 10, line 40 | skipping to change at page 10, line 40 | |||
| Algorithms and Key Sizes for Use in the Resource Public | Algorithms and Key Sizes for Use in the Resource Public | |||
| Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, | Key Infrastructure", RFC 7935, DOI 10.17487/RFC7935, | |||
| August 2016, <https://www.rfc-editor.org/info/rfc7935>. | August 2016, <https://www.rfc-editor.org/info/rfc7935>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [FORT] LACNIC and NIC.MX, "FORT", May 2021, | ||||
| <https://github.com/NICMx/FORT-validator>. | ||||
| [I-D.ietf-sidrops-rpki-rta] | [I-D.ietf-sidrops-rpki-rta] | |||
| Michaelson, G., Huston, G., Harrison, T., Bruijnzeels, T., | Michaelson, G., Huston, G., Harrison, T., Bruijnzeels, T., | |||
| and M. Hoffmann, "A profile for Resource Tagged | and M. Hoffmann, "A profile for Resource Tagged | |||
| Attestations (RTAs)", Work in Progress, Internet-Draft, | Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work | |||
| draft-ietf-sidrops-rpki-rta-00, 21 January 2021, | in progress), January 2021. | |||
| <https://www.ietf.org/internet-drafts/draft-ietf-sidrops- | ||||
| rpki-rta-00.txt>. | ||||
| [I-D.ymbk-sidrops-rpki-has-no-identity] | [I-D.ymbk-sidrops-rpki-has-no-identity] | |||
| Bush, R. and R. Housley, "The I in RPKI does not stand for | Bush, R. and R. Housley, "The I in RPKI does not stand for | |||
| Identity", Work in Progress, Internet-Draft, draft-ymbk- | Identity", draft-ymbk-sidrops-rpki-has-no-identity-00 | |||
| sidrops-rpki-has-no-identity-00, March 2021, | (work in progress), March 2021. | |||
| <https://www.ietf.org/archive/id/draft-ymbk-sidrops-rpki- | ||||
| has-no-identity-00.txt>. | ||||
| [POSIX] IEEE and The Open Group, "The Open Group's Base | [POSIX] IEEE and The Open Group, "The Open Group's Base | |||
| Specifications, Issue 7", 2016, | Specifications, Issue 7", 2016, | |||
| <https://publications.opengroup.org/standards/unix/c165>. | <https://publications.opengroup.org/standards/unix/c165>. | |||
| [RFC1952] Deutsch, P., "GZIP file format specification version 4.3", | [RFC1952] Deutsch, P., "GZIP file format specification version 4.3", | |||
| RFC 1952, DOI 10.17487/RFC1952, May 1996, | RFC 1952, DOI 10.17487/RFC1952, May 1996, | |||
| <https://www.rfc-editor.org/info/rfc1952>. | <https://www.rfc-editor.org/info/rfc1952>. | |||
| [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | |||
| skipping to change at page 11, line 43 | skipping to change at page 11, line 36 | |||
| [signify] Unangst, T. and M. Espie, "signify - cryptographically | [signify] Unangst, T. and M. Espie, "signify - cryptographically | |||
| sign and verify files", May 2014, | sign and verify files", May 2014, | |||
| <https://man.openbsd.org/signify>. | <https://man.openbsd.org/signify>. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| The authors wish to thank George Michaelson, Tom Harrison, Geoff | The authors wish to thank George Michaelson, Tom Harrison, Geoff | |||
| Huston, Randy Bush, Stephen Kent, Matt Lepinski, Rob Austein, Ted | Huston, Randy Bush, Stephen Kent, Matt Lepinski, Rob Austein, Ted | |||
| Unangst, and Marc Espie for prior art. The authors thank Russ | Unangst, and Marc Espie for prior art. The authors thank Russ | |||
| Housley for reviewing the ASN.1 notation and providing suggestions. | Housley for reviewing the ASN.1 notation and providing suggestions. | |||
| The authors would like to thank Nimrod Levy, Tim Bruijnzeels, and | The authors would like to thank Nimrod Levy, and Tim Bruijnzeels for | |||
| Alberto Leiva for document review and suggestions. | document review and suggestions. | |||
| Appendix B. Document changelog - RFC EDITOR: REMOVE BEFORE PUBLICATION | Appendix B. Document changelog - RFC EDITOR: REMOVE BEFORE PUBLICATION | |||
| B.1. changes from -03 -> -04 | B.1. changes from -02 -> -03 | |||
| * Alberto pointed out the asID validation also needs to be | o Reference the IANA assigned OID | |||
| documented. | ||||
| B.2. changes from -02 -> -03 | o Clarify validation rules | |||
| * Reference the IANA assigned OID | B.2. changes from -01 -> -02 | |||
| * Clarify validation rules | o Clarify RSC is part of a puzzle, not panacea. Thanks Randy & Russ | |||
| B.3. changes from -01 -> -02 | B.3. changes from -00 -> -01 | |||
| * Clarify RSC is part of a puzzle, not panacea. Thanks Randy & Russ | o Readability improvements | |||
| B.4. changes from -00 -> -01 | o Update document category to match the registry allocation policy | |||
| * Readability improvements | ||||
| * Update document category to match the registry allocation policy | ||||
| requirement. | requirement. | |||
| B.5. individual submission phase | B.4. individual submission phase | |||
| * On-the-wire change: the 'Filename' switched from 'required' to | o On-the-wire change: the 'Filename' switched from 'required' to | |||
| 'optional'. Some SIDROPS Working Group participants proposed a | 'optional'. Some SIDROPS Working Group participants proposed a | |||
| checksum itself is the most minimal information required to | checksum itself is the most minimal information required to | |||
| address digital objects. | address digital objects. | |||
| Authors' Addresses | Authors' Addresses | |||
| Job Snijders | Job Snijders | |||
| Fastly | Fastly | |||
| Amsterdam | Amsterdam | |||
| Netherlands | Netherlands | |||
| Email: job@fastly.com | Email: job@fastly.com | |||
| Tom Harrison | Tom Harrison | |||
| Asia Pacific Network Information Centre | Asia Pacific Network Information Centre | |||
| 6 Cordelia St | 6 Cordelia St | |||
| South Brisbane QLD 4101 | South Brisbane, QLD 4101 | |||
| Australia | Australia | |||
| Email: tomh@apnic.net | Email: tomh@apnic.net | |||
| Ben Maddison | Ben Maddison | |||
| Workonline Communications | Workonline Communications | |||
| Cape Town | Cape Town | |||
| South Africa | South Africa | |||
| Email: benm@workonline.africa | Email: benm@workonline.africa | |||
| End of changes. 31 change blocks. | ||||
| 62 lines changed or deleted | 47 lines changed or added | |||
| This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | | |||