| < draft-ietf-sidr-signed-object-00.txt | draft-ietf-sidr-signed-object-01.txt > | |||
|---|---|---|---|---|
| Secure Inter-Domain Routing M. Lepinski | Secure Inter-Domain Routing M. Lepinski | |||
| Internet-Draft A. Chi | Internet-Draft A. Chi | |||
| Intended status: Standards Track S. Kent | Intended status: Standards Track S. Kent | |||
| Expires: April 1, 2011 BBN | Expires: April 7, 2011 BBN | |||
| September 28, 2010 | October 4, 2010 | |||
| Signed Object Template for the Resource Public Key Infrastructure | Signed Object Template for the Resource Public Key Infrastructure | |||
| draft-ietf-sidr-signed-object-00.txt | draft-ietf-sidr-signed-object-01.txt | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 1, 2011. | This Internet-Draft will expire on April 7, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| encapsulation format. | encapsulation format. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Note on Algorithms . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Note on Algorithms . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Signed Object Syntax . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Signed Object Syntax . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Signed-Data Content Type . . . . . . . . . . . . . . . . . 4 | 2.1. Signed-Data Content Type . . . . . . . . . . . . . . . . . 4 | |||
| 2.1.1. version . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1.1. version . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1.2. digestAlgorithms . . . . . . . . . . . . . . . . . . . 4 | 2.1.2. digestAlgorithms . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.3. encapContentInfo . . . . . . . . . . . . . . . . . . . 5 | 2.1.3. encapContentInfo . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.3.1. eContentType . . . . . . . . . . . . . . . . . . 5 | 2.1.3.1. eContentType . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.3.2. eContent . . . . . . . . . . . . . . . . . . . . 5 | 2.1.3.2. eContent . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.4. certificates . . . . . . . . . . . . . . . . . . . . . 5 | 2.1.4. certificates . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1.5. crls . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.1.5. crls . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.6. signerInfos . . . . . . . . . . . . . . . . . . . . . 6 | 2.1.6. signerInfos . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.6.1. version . . . . . . . . . . . . . . . . . . . . . 6 | 2.1.6.1. version . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.6.2. sid . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.1.6.2. sid . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.6.3. digestAlgorithm . . . . . . . . . . . . . . . . . 6 | 2.1.6.3. digestAlgorithm . . . . . . . . . . . . . . . . . 6 | |||
| 2.1.6.4. signedAttrs . . . . . . . . . . . . . . . . . . . 6 | 2.1.6.4. signedAttrs . . . . . . . . . . . . . . . . . . . 6 | |||
| skipping to change at page 4, line 12 ¶ | skipping to change at page 4, line 12 ¶ | |||
| 1.2. Note on Algorithms | 1.2. Note on Algorithms | |||
| Cryptographic Message Syntax is a general format capable of | Cryptographic Message Syntax is a general format capable of | |||
| accommodating a wide variety of signature and digest algorithms. The | accommodating a wide variety of signature and digest algorithms. The | |||
| algorithms used in the RPKI (and associated key sizes) are specified | algorithms used in the RPKI (and associated key sizes) are specified | |||
| in [I-D.sidr-rpki-algs]. | in [I-D.sidr-rpki-algs]. | |||
| 2. Signed Object Syntax | 2. Signed Object Syntax | |||
| The RPKI signed object is a profile of the Cryptographic Message | The RPKI signed object is a profile of the Cryptographic Message | |||
| Syntax (CMS) [RFC5652] signed-data object. The general format of a | Syntax (CMS) [RFC5652] signed-data object, with the restriction that | |||
| CMS object is: | RPKI signed objects MUST be encoded using the ASN.1 Distinguished | |||
| Encoding Rules (DER) [X.509-88]. | ||||
| The general format of a CMS object is: | ||||
| ContentInfo ::= SEQUENCE { | ContentInfo ::= SEQUENCE { | |||
| contentType ContentType, | contentType ContentType, | |||
| content [0] EXPLICIT ANY DEFINED BY contentType } | content [0] EXPLICIT ANY DEFINED BY contentType } | |||
| ContentType ::= OBJECT IDENTIFIER | ContentType ::= OBJECT IDENTIFIER | |||
| The ContentType is the signed-data type of id-data, namely the id- | The ContentType is the signed-data type of id-data, namely the id- | |||
| signedData OID, 1.2.840.113549.1.7.2. [RFC5652] | signedData OID, 1.2.840.113549.1.7.2. [RFC5652] | |||
| skipping to change at page 10, line 13 ¶ | skipping to change at page 10, line 15 ¶ | |||
| i. The unsignedAttrs field in the SignerInfo object is omitted. | i. The unsignedAttrs field in the SignerInfo object is omitted. | |||
| j. The digestAlgorithm in the SignedData and SignerInfo objects | j. The digestAlgorithm in the SignedData and SignerInfo objects | |||
| conforms to the RPKI Algorithms and Key Size Profile | conforms to the RPKI Algorithms and Key Size Profile | |||
| specification [I-D.sidr-rpki-algs]. | specification [I-D.sidr-rpki-algs]. | |||
| k. The signatureAlgorithm in the SignerInfo object conforms to | k. The signatureAlgorithm in the SignerInfo object conforms to | |||
| the RPKI Algorithms and Key Size Profile specification | the RPKI Algorithms and Key Size Profile specification | |||
| [I-D.sidr-rpki-algs]. | [I-D.sidr-rpki-algs]. | |||
| l. The signed object is DER encoded. | ||||
| 2. The public key of the EE certificate (contained within the CMS | 2. The public key of the EE certificate (contained within the CMS | |||
| signed-data object) can be used to successfully verify the | signed-data object) can be used to successfully verify the | |||
| signature on the signed object. | signature on the signed object. | |||
| 3. The EE certificate (contained within the CMS signed-data object) | 3. The EE certificate (contained within the CMS signed-data object) | |||
| is a valid EE certificate in the RPKI as specified by [I-D.sidr- | is a valid EE certificate in the RPKI as specified by [I-D.sidr- | |||
| res-certs]. In particular, there exists a valid certification | res-certs]. In particular, there exists a valid certification | |||
| path from a trust anchor to this EE certificate. | path from a trust anchor to this EE certificate. | |||
| If the above procedure indicates that the signed object is invalid, | If the above procedure indicates that the signed object is invalid, | |||
| skipping to change at page 12, line 16 ¶ | skipping to change at page 12, line 19 ¶ | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, May 2008. | (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC | |||
| 5652, September 2009. | 5652, September 2009. | |||
| [X.208-88] CCITT. Recommendation X.208: Specification of Abstract | [X.208-88] CCITT. Recommendation X.208: Specification of Abstract | |||
| Syntax Notation One (ASN.1), 1988. | Syntax Notation One (ASN.1), 1988. | |||
| [X.209-88] CCITT. Recommendation X.209: Specification of Basic | [X.509-88] CCITT. Recommendation X.509: The Directory Authentication | |||
| Encoding Rules for Abstract Syntax Notation One (ASN.1), | Framework, 1988. | |||
| 1988. | ||||
| 9. Informative References | 9. Informative References | |||
| [I-D.sidr-arch] Lepinski, M. and S. Kent, "An Infrastructure to | [I-D.sidr-arch] Lepinski, M. and S. Kent, "An Infrastructure to | |||
| Support Secure Internet Routing", | Support Secure Internet Routing", | |||
| draft-ietf-sidr-arch-11.txt (work in progress), September | draft-ietf-sidr-arch-11.txt (work in progress), September | |||
| 2010. | 2010. | |||
| [RFC6019] Housley, R., "BinaryTime: An Alternate Format for | [RFC6019] Housley, R., "BinaryTime: An Alternate Format for | |||
| Representing Date and Time in ASN.1", RFC 6019, September | Representing Date and Time in ASN.1", RFC 6019, September | |||
| End of changes. 7 change blocks. | ||||
| 10 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||