| < draft-ietf-sidr-res-certs-03.txt | draft-ietf-sidr-res-certs-04.txt > | |||
|---|---|---|---|---|
| SIDR G. Huston | SIDR G. Huston | |||
| Internet-Draft G. Michaelson | Internet-Draft G. Michaelson | |||
| Intended status: Standards Track R. Loomans | Intended status: Standards Track R. Loomans | |||
| Expires: August 15, 2007 APNIC | Expires: August 24, 2007 APNIC | |||
| February 11, 2007 | February 20, 2007 | |||
| A Profile for X.509 PKIX Resource Certificates | A Profile for X.509 PKIX Resource Certificates | |||
| draft-ietf-sidr-res-certs-03.txt | draft-ietf-sidr-res-certs-04.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 15, 2007. | This Internet-Draft will expire on August 24, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of assertions of "right-to-use" | the purposes of supporting validation of assertions of "right-to-use" | |||
| of an Internet Number Resource (IP Addresses and Autonomous System | of an Internet Number Resource (IP Addresses and Autonomous System | |||
| skipping to change at page 2, line 30 ¶ | skipping to change at page 2, line 30 ¶ | |||
| 3.9.1. Basic Constraints . . . . . . . . . . . . . . . . . . 9 | 3.9.1. Basic Constraints . . . . . . . . . . . . . . . . . . 9 | |||
| 3.9.2. Subject Key Identifier . . . . . . . . . . . . . . . . 9 | 3.9.2. Subject Key Identifier . . . . . . . . . . . . . . . . 9 | |||
| 3.9.3. Authority Key Identifier . . . . . . . . . . . . . . . 9 | 3.9.3. Authority Key Identifier . . . . . . . . . . . . . . . 9 | |||
| 3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10 | 3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10 | 3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10 | |||
| 3.9.6. Authority Information Access . . . . . . . . . . . . . 10 | 3.9.6. Authority Information Access . . . . . . . . . . . . . 10 | |||
| 3.9.7. Subject Information Access . . . . . . . . . . . . . . 11 | 3.9.7. Subject Information Access . . . . . . . . . . . . . . 11 | |||
| 3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12 | 3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12 | |||
| 3.9.9. Subject Alternate Name . . . . . . . . . . . . . . . . 12 | 3.9.9. Subject Alternate Name . . . . . . . . . . . . . . . . 12 | |||
| 3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12 | 3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 12 | 3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. Resource Certificate Revocation List Profile . . . . . . . . . 13 | 4. Resource Certificate Revocation List Profile . . . . . . . . . 13 | |||
| 4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14 | 4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14 | |||
| 4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14 | 4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14 | 4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 14 | 4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.7.1. Authority Key Identifier . . . . . . . . . . . . . . . 14 | 4.7.1. Authority Key Identifier . . . . . . . . . . . . . . . 15 | |||
| 4.7.2. CRL Number . . . . . . . . . . . . . . . . . . . . . . 15 | 4.7.2. CRL Number . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5. Resource Certificate Request Profile . . . . . . . . . . . . . 15 | 5. Resource Certificate Request Profile . . . . . . . . . . . . . 15 | |||
| 5.1. PCKS#10 Profile . . . . . . . . . . . . . . . . . . . . . 15 | 5.1. PCKS#10 Profile . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.1.1. PKCS#10 Resource Certificate Request Template | 5.1.1. PKCS#10 Resource Certificate Request Template | |||
| Fields . . . . . . . . . . . . . . . . . . . . . . . . 15 | Fields . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.2. CRMF Profile . . . . . . . . . . . . . . . . . . . . . . . 16 | 5.2. CRMF Profile . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.2.1. CRMF Resource Certificate Request Template Fields . . 16 | 5.2.1. CRMF Resource Certificate Request Template Fields . . 17 | |||
| 5.2.2. Resource Certificate Request Control Fields . . . . . 17 | 5.2.2. Resource Certificate Request Control Fields . . . . . 17 | |||
| 5.3. Certificate Extension Attributes in Certificate | 5.3. Certificate Extension Attributes in Certificate | |||
| Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18 | Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 6. Resource Certificate Validation . . . . . . . . . . . . . . . 20 | 6. Resource Certificate Validation . . . . . . . . . . . . . . . 21 | |||
| 6.1. Trust Anchors for Resource Certificates . . . . . . . . . 21 | 6.1. Trust Anchors for Resource Certificates . . . . . . . . . 21 | |||
| 6.2. Resource Extension Validation . . . . . . . . . . . . . . 21 | 6.2. Resource Extension Validation . . . . . . . . . . . . . . 22 | |||
| 6.3. Resource Certificate Path Validation . . . . . . . . . . . 22 | 6.3. Resource Certificate Path Validation . . . . . . . . . . . 22 | |||
| 7. Example Use Cases . . . . . . . . . . . . . . . . . . . . . . 23 | 7. Example Use Cases . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11. Normative References . . . . . . . . . . . . . . . . . . . . . 24 | 11. Normative References . . . . . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. Example Resource Certificate . . . . . . . . . . . . 25 | Appendix A. Example Resource Certificate . . . . . . . . . . . . 25 | |||
| Appendix B. Example Certificate Revocation List . . . . . . . . . 27 | Appendix B. Example Certificate Revocation List . . . . . . . . . 27 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 29 | Intellectual Property and Copyright Statements . . . . . . . . . . 30 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| use in the context of certification of IP Addresses and AS Numbers. | use in the context of certification of IP Addresses and AS Numbers. | |||
| These Resource Certificates are X.509 certificates that conform to | These Resource Certificates are X.509 certificates that conform to | |||
| the PKIX profile [RFC3280] and also conform to the constraints | the PKIX profile [RFC3280] and also conform to the constraints | |||
| specified in this profile. Resource Certificates attest that the | specified in this profile. Resource Certificates attest that the | |||
| issuer has granted the subject a "right-to-use" for a listed set of | issuer has granted the subject a "right-to-use" for a listed set of | |||
| IP addresses and Autonomous System numbers. | IP addresses and Autonomous System numbers. | |||
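Review bot: the table-of-contents entry for section 5.1 reads "PCKS#10 Profile" in both columns, while the 5.1.1 entry immediately below it spells the standard "PKCS#10"; the section heading (and therefore this entry, which mirrors it) should be corrected to "PKCS#10 Profile" so the two agree.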
| skipping to change at page 12, line 15 ¶ | skipping to change at page 12, line 15 ¶ | |||
| This profile uses a URI form of location identification. The | This profile uses a URI form of location identification. The | |||
| preferred URI access mechanism is "rsync", and an RSYNC URI MUST be | preferred URI access mechanism is "rsync", and an RSYNC URI MUST be | |||
| specified, with an access method value of id-ad-caRepository when the | specified, with an access method value of id-ad-caRepository when the | |||
| subject of the certificate is a CA. The RSYNC URI must reference an | subject of the certificate is a CA. The RSYNC URI must reference an | |||
| object collection rather than an individual object and MUST use a | object collection rather than an individual object and MUST use a | |||
| trailing '/' in the URI. Other access method URIs that reference the | trailing '/' in the URI. Other access method URIs that reference the | |||
| same location MAY also be included in the value sequence of this | same location MAY also be included in the value sequence of this | |||
| extension. | extension. | |||
| This field MUST be present when the subject is a CA, and is non- | This field MUST be present when the subject is a CA, and is non- | |||
| critical. For End Entity certificates, where the subject is not a | critical. | |||
| CA, this field MUST NOT be present. | ||||
| For End Entity certificates, where the subject is not a CA, this | ||||
| field MAY be present, and is non-critical. If present, it references | ||||
| the location where objects signed by the key pair associated with the | ||||
| End Entity certificate can be accessed. The id-ad- | ||||
| signedObjectRepository OID is used when the subject is an End Entity | ||||
| and it publishes objects signed with the matching private key in a | ||||
| repository. | ||||
| id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | ||||
| id-ad-signedObjectRepositor OBJECT IDENTIFIER ::= { id-ad 9 } | ||||
| 3.9.8. Certificate Policies | 3.9.8. Certificate Policies | |||
| This extension MUST reference the Resource Certificate Policy, using | This extension MUST reference the Resource Certificate Policy, using | |||
| the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field | the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field | |||
| MUST be present and MUST contain only this value for Resource | MUST be present and MUST contain only this value for Resource | |||
| Certificates. | Certificates. | |||
| PolicyQualifiers MUST NOT be used in this profile. | PolicyQualifiers MUST NOT be used in this profile. | |||
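Review bot: the ASN.1 line added in the new column names the arc "id-ad-signedObjectRepositor", dropping the final "y" that the preceding paragraph's "id-ad-signedObjectRepository" carries; the two must match, so the definition should read "id-ad-signedObjectRepository OBJECT IDENTIFIER ::= { id-ad 9 }". The new End Entity paragraph also says only that the extension MAY be present and references the location of signed objects, without stating whether the rsync URI form, the object-collection requirement and the trailing '/' that the CA case above mandates also apply to the id-ad-signedObjectRepository access method; one sentence settling that would remove the ambiguity for implementers and validators. Minor, in the unchanged first paragraph: "The RSYNC URI must reference an object collection" uses lowercase "must" where the surrounding requirements are capitalised; if it is a requirement it should read "MUST".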
End of changes. 12 change blocks. 16 lines changed or deleted, 27 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/