-
"A Profile for X.509 PKIX Resource Certificates", Geoff Huston, George Michaelson, Robert Loomans, 25-Feb-09.
- This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of assertions of "right-of-use"
of an Internet Number Resource (IP Addresses and Autonomous System
Numbers). This profile is used to convey the issuer's authorization
of the subject to be regarded as the current holder of a
"right-of-use" of the IP addresses and AS numbers that are described in the
issued certificate.
-
"Certificate Policy (CP) for the Resource PKI (RPKI)", Stephen Kent, Derrick Kong, Karen Seo, Ronald Watro, 13-Jul-09.
- This document describes the certificate policy for a PKI used to
support attestations about Internet resource holdings. Each
organization that distributes IP addresses or Autonomous System (AS)
numbers to an organization will, in parallel, issue a certificate
reflecting this distribution. These certificates will enable
verification that the holder of the associated private key has been
allocated the resources indicated in the certificate, and is the
current, unique holder of these resources.
-
"A Profile for Route Origin Authorizations (ROAs)", Matt Lepinski, Stephen Kent, Derrick Kong, 13-Jul-09.
- This document defines a standard profile for Route Origin
Authorizations (ROAs). A ROA is a digitally signed object that
provides a means of verifying that an IP address block holder has
authorized an Autonomous System (AS) to originate routes to one
or more prefixes within the address block.
-
"An Infrastructure to Support Secure Internet Routing", Matt Lepinski, Stephen Kent, 29-Jul-09.
- This document describes an architecture for an infrastructure to
support improved security of Internet routing. The foundation of this
architecture is a public key infrastructure (PKI) that represents the
allocation hierarchy of IP address space and Autonomous System
Numbers; and a distributed repository system for storing and
disseminating the data objects that comprise the PKI, as well as
other signed objects necessary for improved routing security. As an
initial application of this architecture, the document describes how
a legitimate holder of IP address space can explicitly and verifiably
authorize one or more ASes to originate routes to that address space.
Such verifiable authorizations could be used, for example, to more
securely construct BGP route filters.
-
"A Protocol for Provisioning Resource Certificates", Geoff Huston, Robert Loomans, Byron Ellacott, Rob Austein, 6-Feb-09.
- This document defines a framework for certificate management
interactions between a resource issuer ("Internet Registry" or "IR")
and a resource recipient ("Internet Service Provider" or "ISP")
through the specification of a protocol for interaction between the
two parties. The protocol supports the transmission of requests from
the ISP, and corresponding responses from the IR encompassing the
actions of certificate issuance, certificate revocation and
certificate status information reports. This protocol is intended to
be limited to the application of resource certificate management and
is not intended to be used as part of a more general certificate
management framework.
-
"Manifests for the Resource Public Key Infrastructure", Rob Austein, Geoff Huston, Stephen Kent, Matt Lepinski, 4-Aug-09.
- This document defines a "manifest" for use in the Resource Public Key
Infrastructure. A manifest is a signed object that contains a
listing of all the signed objects in the repository publication point
associated with an authority responsible for publishing in the
repository. For each certificate, or other forms of signed objects
issued by the authority that are published at this repository
publication point, the manifest contains both the name of the file
containing the object, and a hash of the file content. Manifests are
intended to expose potential attacks against relying parties of the
Resource Public Key Infrastructure, such as a man-in-the-middle
attack of withholding repository data from relying party access, or
replaying stale repository data to a relying party's access request.
-
"Validation of Route Origination in BGP using the Resource Certificate PKI and ROAs", Geoff Huston, George Michaelson, 5-Aug-09.
- This document defines an application of the Resource Public Key
Infrastructure to validate the origination of routes advertised in
the Border Gateway Protocol. The proposed application is intended to
fit within the requirement for adding security to inter-domain
routing, including the ability to support incremental and piecemeal
deployment, and does not require any changes to the specification of
BGP.
-
"A Profile for Bogon Origin Attestations (BOAs)", Terry Manderson, 25-May-09.
- This document defines a standard profile for Bogon Origin
Attestations (BOAs). A BOA is a digitally signed object that
provides a means of verifying that an IP address block holder has not
authorised any Autonomous System (AS) to originate routes that are
equivalent to any of the addresses listed in the BOA. A BOA also
provides a means of verifying that a BGP speaker is not using an AS
without appropriate authority. The proposed application of BOAs is
intended to fit within the requirements for adding security measures
to inter-domain routing, including the ability to support incremental
and piecemeal deployment of such measures, and does not require any
changes to the specification of the Border Gateway Protocol.
-
"A Profile for Resource Certificate Repository Structure", Geoff Huston, Robert Loomans, George Michaelson, 4-Aug-09.
- This document defines a profile for the structure of repository
publication points that contain X.509 / PKIX Resource Certificates,
Certificate Revocation Lists and signed objects. This profile
contains the proposed object naming scheme, the contents of
repository publication points, the contents of publication point
manifests and a suggested internal structure of a local repository
cache that is intended to facilitate synchronization across a
distributed collection of repository publication points and
facilitate certification path construction.
-
"Securing RPSL Objects with RPKI Signatures", Robert Kisteleki, Jos Boumans, 11-Jul-09.
- This document describes a method to allow parties to electronically
sign RPSL-like objects and validate such electronic signatures. This
allows relying parties to detect accidental or malicious
modifications on such objects. It also allows parties who run
Internet Routing Registries or similar databases, but do not yet have
RPSS-like authentication of the maintainers of certain objects, to
verify that the additions or modifications of such database objects
are done by the legitimate holder(s) of the Internet resources
mentioned in those objects.
-
"A Profile for Trust Anchor Material for the Resource Certificate PKI", George Michaelson, Stephen Kent, Geoff Huston, 26-Feb-09.
- This document defines a standard profile for the publication of Trust
Anchor material for the Resource Certificate Public Key
Infrastructure.