| draft-ietf-sidrops-6486bis-10.txt (old) | draft-ietf-sidrops-6486bis-11.txt (new) |
|---|---|
| SIDROPS R. Austein | SIDROPS R. Austein |
| Internet-Draft Arrcus, Inc. | Internet-Draft Arrcus, Inc. |
| Obsoletes: 6486 (if approved) G. Huston | Obsoletes: 6486 (if approved) G. Huston |
| Intended status: Standards Track APNIC | Intended status: Standards Track APNIC |
| Expires: 21 September 2022 S. Kent | Expires: 25 September 2022 S. Kent |
| Independent | Independent |
| M. Lepinski | M. Lepinski |
| New College Florida | New College Florida |
| 20 March 2022 | 24 March 2022 |
| Manifests for the Resource Public Key Infrastructure (RPKI) | Manifests for the Resource Public Key Infrastructure (RPKI) |
| draft-ietf-sidrops-6486bis-10 | draft-ietf-sidrops-6486bis-11 |
| Abstract | Abstract |
| This document defines a "manifest" for use in the Resource Public Key | This document defines a "manifest" for use in the Resource Public Key |
| Infrastructure (RPKI). A manifest is a signed object (file) that | Infrastructure (RPKI). A manifest is a signed object (file) that |
| contains a listing of all the signed objects (files) in the | contains a listing of all the signed objects (files) in the |
| repository publication point (directory) associated with an authority | repository publication point (directory) associated with an authority |
| responsible for publishing in the repository. For each certificate, | responsible for publishing in the repository. For each certificate, |
| Certificate Revocation List (CRL), or other type of signed objects | Certificate Revocation List (CRL), or other type of signed objects |
| issued by the authority that are published at this repository | issued by the authority that are published at this repository |
| skipping to change at page 1, line 49 | skipping to change at page 1, line 49 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on 21 September 2022. | This Internet-Draft will expire on 25 September 2022. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ |
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. |
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights |
| skipping to change at page 8, line 5 | skipping to change at page 8, line 5 |
| To determine whether a manifest is valid, the RP MUST perform the | To determine whether a manifest is valid, the RP MUST perform the |
| following checks in addition to those specified in [RFC6488]: | following checks in addition to those specified in [RFC6488]: |
| 1. The eContentType in the EncapsulatedContentInfo is id-ad- | 1. The eContentType in the EncapsulatedContentInfo is id-ad- |
| rpkiManifest (OID 1.2.840.113549.1.9.16.1.26). | rpkiManifest (OID 1.2.840.113549.1.9.16.1.26). |
| 2. The version of the rpkiManifest is 0. | 2. The version of the rpkiManifest is 0. |
| 3. In the rpkiManifest, thisUpdate precedes nextUpdate. | 3. In the rpkiManifest, thisUpdate precedes nextUpdate. |
| Note: Although it is RECOMMENDED that the thisUpdate and nextUpdate | Note: Although the thisUpdate and nextUpdate fields in the Manifest |
| fields in the manifest match the corresponding fields in the CRL | eContent MUST match the corresponding fields in the CRL associated |
| associated with the manifest, RPs SHOULD NOT reject a manifest if | with the Manifest, RPs MUST NOT reject a manifest solely because |
| these fields do not match. | these fields are not identical. |
| If the above procedure indicates that the manifest is invalid, then | If the above procedure indicates that the manifest is invalid, then |
| the manifest MUST be discarded and treated as though no manifest were | the manifest MUST be discarded and treated as though no manifest were |
| present. | present. |
| 5. Manifest Generation | 5. Manifest Generation |
| 5.1. Manifest Generation Procedure | 5.1. Manifest Generation Procedure |
| For a CA publication point in the RPKI repository system, a CA MUST | For a CA publication point in the RPKI repository system, a CA MUST |
| skipping to change at page 17, line 11 | skipping to change at page 17, line 11 |
| clarify the innovative concept and application of RPKI Manifests in | clarify the innovative concept and application of RPKI Manifests in |
| light of real-world deployment experience in the global Internet | light of real-world deployment experience in the global Internet |
| routing system, to avoid future problematic cases. | routing system, to avoid future problematic cases. |
| The following list summarizes the changes between RFC 6486 and this | The following list summarizes the changes between RFC 6486 and this |
| document: | document: |
| * Forbid "sequential-use" EE certificates, instead mandate "one- | * Forbid "sequential-use" EE certificates, instead mandate "one- |
| time-use" EE certificates. | time-use" EE certificates. |
| * Emphasize a recommendation for EE certificates to have a validity | * Clarify that Manifest EE certificates are to be issued with a |
| period that coincides with the interval specified in the Manifest | validity period which coincides with the interval specified in the |
| eContent. | Manifest eContent, which coincides with the CRL's thisUpdate and |
|  | nextUpdate. |
| * Clarify the manifestNumber is monotonically incremented in steps | * Clarify the manifestNumber is monotonically incremented in steps |
| of 1. | of 1. |
| * Recommend CA issuers to coincidence the applicable CRL's | * Recommend CA issuers to coincidence the applicable CRL's |
| nextUpdate with the Manifest's nextUpdate. | nextUpdate with the Manifest's nextUpdate. |
| * The set of valid characters in FileAndHash filenames was | * The set of valid characters in FileAndHash filenames was |
| constrained. | constrained. |
| End of changes. 6 change blocks. |  |
| 11 lines changed or deleted | 12 lines changed or added |
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
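As an added example (not text from the draft or code from any RP implementation), the RP-side checks 1-3 listed above, under the -11 wording, written in Python over a constructed, already-parsed manifest. The `Manifest` and `Verdict` types, the field names and the sample timestamps are this example's own assumptions; the RFC 6488 signed-object checks are assumed to have run already.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# OID of id-ad-rpkiManifest, as given in validation check 1 of the draft.
ID_AD_RPKI_MANIFEST = "1.2.840.113549.1.9.16.1.26"
# The associated CRL is reduced to its (thisUpdate, nextUpdate) pair.
CrlTimes = Tuple[datetime, datetime]

@dataclass
class Manifest:
    # Parsed rpkiManifest eContent; field names are this example's own.
    e_content_type: str
    version: int
    this_update: datetime
    next_update: datetime

@dataclass
class Verdict:
    errors: List[str] = field(default_factory=list)    # any entry: discard
    warnings: List[str] = field(default_factory=list)  # informational only
    @property
    def valid(self) -> bool:
        return not self.errors

def validate_manifest(mft: Manifest, crl: Optional[CrlTimes] = None) -> Verdict:
    """Checks 1-3 from the draft (RFC 6488 checks assumed already passed).
    Per the -11 wording a CRL mismatch is noted but never rejects by itself."""
    v = Verdict()
    if mft.e_content_type != ID_AD_RPKI_MANIFEST:
        v.errors.append("eContentType is not id-ad-rpkiManifest")
    if mft.version != 0:
        v.errors.append("rpkiManifest version is not 0")
    if not mft.this_update < mft.next_update:
        v.errors.append("thisUpdate does not precede nextUpdate")
    if crl is not None and crl != (mft.this_update, mft.next_update):
        v.warnings.append("CRL thisUpdate/nextUpdate differ from the manifest")
    return v

def accept(mft: Manifest, crl: Optional[CrlTimes] = None) -> Optional[Manifest]:
    """An invalid manifest is discarded, i.e. treated as though none were present."""
    return mft if validate_manifest(mft, crl).valid else None

# Constructed sample values, not taken from the draft.
def day(d: int) -> datetime:
    return datetime(2022, 3, d, tzinfo=timezone.utc)
GOOD = Manifest(ID_AD_RPKI_MANIFEST, 0, day(24), day(25))
BAD_ORDER = Manifest(ID_AD_RPKI_MANIFEST, 0, day(25), day(24))
WRONG_OID = Manifest("1.2.3.4.5", 0, day(24), day(25))  # placeholder OID
DRIFTED_CRL = (day(24), day(26))  # CRL nextUpdate later than the manifest's
```

`accept(GOOD, DRIFTED_CRL)` still returns the manifest with one warning recorded, while `accept(BAD_ORDER)` returns `None`, matching the draft's "discard and treat as though no manifest were present".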