| < draft-ietf-sidr-rfc6485bis-04.txt | draft-ietf-sidr-rfc6485bis-05.txt > | |||
|---|---|---|---|---|
| SIDR G. Huston | SIDR G. Huston | |||
| Internet-Draft G. Michaelson, Ed. | Internet-Draft G. Michaelson, Ed. | |||
| Obsoletes: 6485 (if approved) APNIC | Obsoletes: 6485 (if approved) APNIC | |||
| Intended status: Standards Track October 16, 2015 | Intended status: Standards Track March 8, 2016 | |||
| Expires: April 18, 2016 | Expires: September 9, 2016 | |||
| The Profile for Algorithms and Key Sizes for use in the Resource Public | The Profile for Algorithms and Key Sizes for use in the Resource Public | |||
| Key Infrastructure | Key Infrastructure | |||
| draft-ietf-sidr-rfc6485bis-04.txt | draft-ietf-sidr-rfc6485bis-05.txt | |||
| Abstract | Abstract | |||
| This document specifies the algorithms, algorithms' parameters, | This document specifies the algorithms, algorithms' parameters, | |||
| asymmetric key formats, asymmetric key size, and signature format for | asymmetric key formats, asymmetric key size, and signature format for | |||
| the Resource Public Key Infrastructure (RPKI) subscribers that | the Resource Public Key Infrastructure (RPKI) subscribers that | |||
| generate digital signatures on certificates, Certificate Revocation | generate digital signatures on certificates, Certificate Revocation | |||
| Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and | Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and | |||
| certification requests as well as for the relying parties (RPs) that | certification requests as well as for the relying parties (RPs) that | |||
| verify these digital signatures. | verify these digital signatures. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 18, 2016. | This Internet-Draft will expire on September 9, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . . 4 | 3. Asymmetric Key Pair Formats . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Public Key Format . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Public Key Format . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Private Key Format . . . . . . . . . . . . . . . . . . . . 5 | 3.2. Private Key Format . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Signature Format . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Signature Format . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Additional Requirements . . . . . . . . . . . . . . . . . . . . 5 | 5. Additional Requirements . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. Changes Aplied to RFC6485 . . . . . . . . . . . . . . . . . . . 6 | 8. Changes Aplied to RFC6485 . . . . . . . . . . . . . . . . . . 5 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 7 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 8 | 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies: | This document specifies: | |||
| * the digital signature algorithm and parameters; | * the digital signature algorithm and parameters; | |||
| * the hash algorithm and parameters; | * the hash algorithm and parameters; | |||
| * the public and private key formats; and, | * the public and private key formats; and, | |||
| * the signature format | * the signature format | |||
| used by Resource Public Key Infrastructure (RPKI) [RFC6480] | used by Resource Public Key Infrastructure (RPKI) [RFC6480] | |||
| subscribers when they apply digital signatures to certificates and | subscribers when they apply digital signatures to certificates and | |||
| Certificate Revocation Lists (CRLs) [RFC5280], Cryptographic Message | Certificate Revocation Lists (CRLs) [RFC5280], Cryptographic Message | |||
| Syntax (CMS) signed objects [RFC5652] (e.g., Route Origin | Syntax (CMS) signed objects [RFC5652] (e.g., Route Origin | |||
| Authorizations (ROAs) [RFC6482] and manifests [RFC6486]), and | Authorizations (ROAs) [RFC6482] and manifests [RFC6486]), and | |||
| certification requests [RFC2986][RFC4211]. Relying parties (RPs) | certification requests [RFC2986][RFC4211]. Relying parties (RPs) | |||
| also use the algorithms defined in this document to verify RPKI | also use the algorithms defined in this document to verify RPKI | |||
| subscribers' digital signatures [RFC6480]. | subscribers' digital signatures [RFC6480]. | |||
| This document is referenced by other RPKI profiles and | This document is referenced by other RPKI profiles and | |||
| skipping to change at page 5, line 28 ¶ | skipping to change at page 5, line 20 ¶ | |||
| 5. Additional Requirements | 5. Additional Requirements | |||
| It is anticipated that the RPKI will require the adoption of updated | It is anticipated that the RPKI will require the adoption of updated | |||
| key sizes and a different set of signature and hash algorithms over | key sizes and a different set of signature and hash algorithms over | |||
| time, in order to maintain an acceptable level of cryptographic | time, in order to maintain an acceptable level of cryptographic | |||
| security to protect the integrity of signed products in the RPKI. | security to protect the integrity of signed products in the RPKI. | |||
| This profile should be replaced to specify such future requirements, | This profile should be replaced to specify such future requirements, | |||
| as and when appropriate. | as and when appropriate. | |||
| Certification Authorities (CAs) and RPs SHOULD be capable of | The procedures to implement such a transition of key sizes and | |||
| supporting a transition to allow for the phased introduction of | algorithms is specified in [RFC6916] | |||
| additional encryption algorithms and key specifications, and also | ||||
| accommodate the orderly deprecation of previously specified | ||||
| algorithms and keys. Accordingly, CAs and RPs SHOULD be capable of | ||||
| supporting multiple RPKI algorithm and key profiles simultaneously | ||||
| within the scope of such anticipated transitions. The recommended | ||||
| procedures to implement such a transition of key sizes and algorithms | ||||
| is specified in [RFC6916] | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| The Security Considerations of [RFC4055], [RFC5280], and [RFC6487] | The Security Considerations of [RFC4055], [RFC5280], and [RFC6487] | |||
| apply to certificate and CRLs. The Security Considerations of | apply to certificate and CRLs. The Security Considerations of | |||
| [RFC2986], [RFC4211], and [RFC6487] apply to certification /> | [RFC2986], [RFC4211], and [RFC6487] apply to certification /> | |||
| requests. The Security Considerations of [RFC5754] apply to CMS | requests. The Security Considerations of [RFC5754] apply to CMS | |||
| signed objects. No new security threats are introduced as a result | signed objects. No new security threats are introduced as a result | |||
| of this specification. | of this specification. | |||
| skipping to change at page 6, line 40 ¶ | skipping to change at page 6, line 18 ¶ | |||
| certification requests, CMS signed objects have a separate algorithm | certification requests, CMS signed objects have a separate algorithm | |||
| identifier field for the hash (digest) algorithm, and that field is | identifier field for the hash (digest) algorithm, and that field is | |||
| already required to contain the id-sha256 OID per Section 2.) | already required to contain the id-sha256 OID per Section 2.) | |||
| To avoid compatibility problems, RPs are still required to accept | To avoid compatibility problems, RPs are still required to accept | |||
| sha256WithRSAEncryption if encountered. | sha256WithRSAEncryption if encountered. | |||
| Other changes include: | Other changes include: | |||
| * Minor wording and typo fixes. | * Minor wording and typo fixes. | |||
| * Some incorrect references were fixed ([RFC5652] instead of | * Some incorrect references were fixed ([RFC5652] instead of | |||
| [RFC3370], [RFC3447] instead of [RFC4055]). | [RFC3370], [RFC3447] instead of [RFC4055]). | |||
| * Additional citations were added to the Introduction. | * Additional citations were added to the Introduction. | |||
| * Section 2 now references the correct CRMF POPOSigningKey field | * Section 2 now references the correct CRMF POPOSigningKey field | |||
| (algorithmIdentifier instead of signature). | (algorithmIdentifier instead of signature). | |||
| * Certification requests are now mentioned along with | * Certification requests are now mentioned along with | |||
| certificates, CRLs, and CMS signed objects. | certificates, CRLs, and CMS signed objects. | |||
| * Section 5 now cites [RFC6916] (algorithm agility). | ||||
| * Section 5 now cites [RFC6916] (algorithm agility) and has been | ||||
| updated to reflect the procedures mentioned there. | ||||
| * "Signed object" is now "CMS signed object" everywhere. | * "Signed object" is now "CMS signed object" everywhere. | |||
| 9. Acknowledgments | 9. Acknowledgments | |||
| The authors acknowledge the reuse in this document of material | The authors acknowledge the reuse in this document of material | |||
| originally contained in working drafts the RPKI Certificate Policy | originally contained in working drafts the RPKI Certificate Policy | |||
| [RFC6484] and resource certificate profile [RFC6487] documents. The | [RFC6484] and resource certificate profile [RFC6487] documents. The | |||
| co-authors of these two documents, namely Stephen Kent, Derrick Kong, | co-authors of these two documents, namely Stephen Kent, Derrick Kong, | |||
| Karen Seo, Ronald Watro, George Michaelson and Robert Loomans, are | Karen Seo, Ronald Watro, George Michaelson and Robert Loomans, are | |||
| acknowledged, with thanks. The constraint on key size noted in this | acknowledged, with thanks. The constraint on key size noted in this | |||
| skipping to change at page 7, line 28 ¶ | skipping to change at page 7, line 12 ¶ | |||
| this update to [RFC6485], and the changes in this updated | this update to [RFC6485], and the changes in this updated | |||
| specification reflect the outcome of a discussion between Rob Austein | specification reflect the outcome of a discussion between Rob Austein | |||
| and Matt Lepinski on the SIDR Working group mailing list. Richard | and Matt Lepinski on the SIDR Working group mailing list. Richard | |||
| Hansen edited this update to the document. | Hansen edited this update to the document. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
| RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | |||
| Request Syntax Specification Version 1.7", RFC 2986, | Request Syntax Specification Version 1.7", RFC 2986, | |||
| DOI 10.17487/RFC2986, November 2000, | DOI 10.17487/RFC2986, November 2000, | |||
| <http://www.rfc-editor.org/info/rfc2986>. | <http://www.rfc-editor.org/info/rfc2986>. | |||
| [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) | [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) | |||
| Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002, | Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002, | |||
| <http://www.rfc-editor.org/info/rfc3370>. | <http://www.rfc-editor.org/info/rfc3370>. | |||
| [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | |||
| Standards (PKCS) #1: RSA Cryptography Specifications | Standards (PKCS) #1: RSA Cryptography Specifications | |||
| Version 2.1", RFC 3447, DOI 10.17487/RFC3447, | Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February | |||
| February 2003, <http://www.rfc-editor.org/info/rfc3447>. | 2003, <http://www.rfc-editor.org/info/rfc3447>. | |||
| [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | |||
| Algorithms and Identifiers for RSA Cryptography for use in | Algorithms and Identifiers for RSA Cryptography for use in | |||
| the Internet X.509 Public Key Infrastructure Certificate | the Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile", RFC 4055, | and Certificate Revocation List (CRL) Profile", RFC 4055, | |||
| DOI 10.17487/RFC4055, June 2005, | DOI 10.17487/RFC4055, June 2005, | |||
| <http://www.rfc-editor.org/info/rfc4055>. | <http://www.rfc-editor.org/info/rfc4055>. | |||
| [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||
| Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||
| skipping to change at page 8, line 21 ¶ | skipping to change at page 8, line 6 ¶ | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <http://www.rfc-editor.org/info/rfc5280>. | <http://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
| <http://www.rfc-editor.org/info/rfc5652>. | <http://www.rfc-editor.org/info/rfc5652>. | |||
| [RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic | [RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic | |||
| Message Syntax", RFC 5754, DOI 10.17487/RFC5754, | Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January | |||
| January 2010, <http://www.rfc-editor.org/info/rfc5754>. | 2010, <http://www.rfc-editor.org/info/rfc5754>. | |||
| [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support | |||
| Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, | Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, | |||
| February 2012, <http://www.rfc-editor.org/info/rfc6480>. | February 2012, <http://www.rfc-editor.org/info/rfc6480>. | |||
| [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate | [RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate | |||
| Policy (CP) for the Resource Public Key Infrastructure | Policy (CP) for the Resource Public Key Infrastructure | |||
| (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, | (RPKI)", BCP 173, RFC 6484, DOI 10.17487/RFC6484, February | |||
| February 2012, <http://www.rfc-editor.org/info/rfc6484>. | 2012, <http://www.rfc-editor.org/info/rfc6484>. | |||
| [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for | |||
| X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/ | X.509 PKIX Resource Certificates", RFC 6487, | |||
| RFC6487, February 2012, | DOI 10.17487/RFC6487, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6487>. | <http://www.rfc-editor.org/info/rfc6487>. | |||
| [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object | [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object | |||
| Template for the Resource Public Key Infrastructure | Template for the Resource Public Key Infrastructure | |||
| (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012, | (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6488>. | <http://www.rfc-editor.org/info/rfc6488>. | |||
| [SHS] National Institute of Standards and Technology (NIST), | [SHS] National Institute of Standards and Technology (NIST), | |||
| "FIPS Publication 180-3: Secure Hash Standard", FIPS | "FIPS Publication 180-3: Secure Hash Standard", FIPS | |||
| Publication 180-3, October 2008. | Publication 180-3, October 2008. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route | [RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route | |||
| Origin Authorizations (ROAs)", RFC 6482, DOI 10.17487/ | Origin Authorizations (ROAs)", RFC 6482, | |||
| RFC6482, February 2012, | DOI 10.17487/RFC6482, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6482>. | <http://www.rfc-editor.org/info/rfc6482>. | |||
| [RFC6485] Huston, G., "The Profile for Algorithms and Key Sizes for | [RFC6485] Huston, G., "The Profile for Algorithms and Key Sizes for | |||
| Use in the Resource Public Key Infrastructure (RPKI)", | Use in the Resource Public Key Infrastructure (RPKI)", | |||
| RFC 6485, DOI 10.17487/RFC6485, February 2012, | RFC 6485, DOI 10.17487/RFC6485, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6485>. | <http://www.rfc-editor.org/info/rfc6485>. | |||
| [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, | [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, | |||
| "Manifests for the Resource Public Key Infrastructure | "Manifests for the Resource Public Key Infrastructure | |||
| (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, | (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, | |||
| <http://www.rfc-editor.org/info/rfc6486>. | <http://www.rfc-editor.org/info/rfc6486>. | |||
| [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility | [RFC6916] Gagliano, R., Kent, S., and S. Turner, "Algorithm Agility | |||
| Procedure for the Resource Public Key Infrastructure | Procedure for the Resource Public Key Infrastructure | |||
| (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, | (RPKI)", BCP 182, RFC 6916, DOI 10.17487/RFC6916, April | |||
| April 2013, <http://www.rfc-editor.org/info/rfc6916>. | 2013, <http://www.rfc-editor.org/info/rfc6916>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Geoff Huston | Geoff Huston | |||
| APNIC | APNIC | |||
| Email: gih@apnic.net | Email: gih@apnic.net | |||
| George Michaelson (editor) | George Michaelson (editor) | |||
| APNIC | APNIC | |||
| End of changes. 23 change blocks. | ||||
| 46 lines changed or deleted | 50 lines changed or added | |||
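
Review bot: In Section 5, the replacement sentence "The procedures to implement such a transition of key sizes and algorithms is specified in [RFC6916]" pairs a plural subject with a singular verb and has no closing full stop; it should end "are specified in [RFC6916]." The same hunk deletes both SHOULD statements asking CAs and RPs to support the phased introduction of algorithms and multiple algorithm and key profiles simultaneously, so Section 5 now relies entirely on [RFC6916], which is still listed under 10.2 Informative References. Either confirm that an informative citation is sufficient for that role or move the entry to 10.1. In the unchanged Section 6 text that follows, the stray "/>" after "certification" is carried into -05 and should be removed.
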
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
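
Review bot: In the Section 8 change list, the bullet for Section 5 mentions only the [RFC6916] citation and the procedures described there, and does not say that the two SHOULD statements for CAs and RPs shown in the -04 column of Section 5 are absent from -05. If those statements were also present in RFC 6485, the bullet should state that they were removed, since that is a change in what implementations are asked to support. The table of contents entry for this section also still reads "Changes Aplied to RFC6485" in both versions and should be corrected to "Applied".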