< draft-ietf-sidrops-6486bis-10.txt   draft-ietf-sidrops-6486bis-11.txt >
SIDROPS R. Austein SIDROPS R. Austein
Internet-Draft Arrcus, Inc. Internet-Draft Arrcus, Inc.
Obsoletes: 6486 (if approved) G. Huston Obsoletes: 6486 (if approved) G. Huston
Intended status: Standards Track APNIC Intended status: Standards Track APNIC
Expires: 21 September 2022 S. Kent Expires: 25 September 2022 S. Kent
Independent Independent
M. Lepinski M. Lepinski
New College Florida New College Florida
20 March 2022 24 March 2022
Manifests for the Resource Public Key Infrastructure (RPKI) Manifests for the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidrops-6486bis-10 draft-ietf-sidrops-6486bis-11
Abstract Abstract
This document defines a "manifest" for use in the Resource Public Key This document defines a "manifest" for use in the Resource Public Key
Infrastructure (RPKI). A manifest is a signed object (file) that Infrastructure (RPKI). A manifest is a signed object (file) that
contains a listing of all the signed objects (files) in the contains a listing of all the signed objects (files) in the
repository publication point (directory) associated with an authority repository publication point (directory) associated with an authority
responsible for publishing in the repository. For each certificate, responsible for publishing in the repository. For each certificate,
Certificate Revocation List (CRL), or other type of signed objects Certificate Revocation List (CRL), or other type of signed objects
issued by the authority that are published at this repository issued by the authority that are published at this repository
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 September 2022. This Internet-Draft will expire on 25 September 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 8, line 5 skipping to change at page 8, line 5
To determine whether a manifest is valid, the RP MUST perform the To determine whether a manifest is valid, the RP MUST perform the
following checks in addition to those specified in [RFC6488]: following checks in addition to those specified in [RFC6488]:
1. The eContentType in the EncapsulatedContentInfo is id-ad- 1. The eContentType in the EncapsulatedContentInfo is id-ad-
rpkiManifest (OID 1.2.840.113549.1.9.16.1.26). rpkiManifest (OID 1.2.840.113549.1.9.16.1.26).
2. The version of the rpkiManifest is 0. 2. The version of the rpkiManifest is 0.
3. In the rpkiManifest, thisUpdate precedes nextUpdate. 3. In the rpkiManifest, thisUpdate precedes nextUpdate.
Note: Although it is RECOMMENDED that the thisUpdate and nextUpdate Note: Although the thisUpdate and nextUpdate fields in the Manifest
fields in the manifest match the corresponding fields in the CRL eContent MUST match the corresponding fields in the CRL associated
associated with the manifest, RPs SHOULD NOT reject a manifest if with the Manifest, RPs MUST NOT reject a manifest solely because
these fields do not match. these fields are not identical.
If the above procedure indicates that the manifest is invalid, then If the above procedure indicates that the manifest is invalid, then
the manifest MUST be discarded and treated as though no manifest were the manifest MUST be discarded and treated as though no manifest were
present. present.
5. Manifest Generation 5. Manifest Generation
5.1. Manifest Generation Procedure 5.1. Manifest Generation Procedure
For a CA publication point in the RPKI repository system, a CA MUST For a CA publication point in the RPKI repository system, a CA MUST
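Review bot: the new issuer-side requirement in the Note ("thisUpdate and nextUpdate fields in the Manifest eContent MUST match the corresponding fields in the CRL associated with the Manifest") is placed inside the RP validation checklist of Section 4, where it reads as a fourth RP check that the very next clause tells RPs not to enforce; the MUST on the CA belongs in the Manifest Generation procedure (Section 5.1), and the Note here should only tell RPs that a mismatch is not, by itself, grounds for rejection. The added "solely" is the right qualifier, since check 3 (thisUpdate precedes nextUpdate) still applies and a manifest failing it is still discarded, but consider stating what an RP should do on a mismatch (for example, log it and continue processing) so implementers do not reintroduce a rejection path. Minor: "Manifest" is capitalised in the new Note while "manifest" is lowercase in the surrounding checklist and in the closing paragraph.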
skipping to change at page 17, line 11 skipping to change at page 17, line 11
clarify the innovative concept and application of RPKI Manifests in clarify the innovative concept and application of RPKI Manifests in
light of real-world deployment experience in the global Internet light of real-world deployment experience in the global Internet
routing system, to avoid future problematic cases. routing system, to avoid future problematic cases.
The following list summarizes the changes between RFC 6486 and this The following list summarizes the changes between RFC 6486 and this
document: document:
* Forbid "sequential-use" EE certificates, instead mandate "one- * Forbid "sequential-use" EE certificates, instead mandate "one-
time-use" EE certificates. time-use" EE certificates.
* Emphasize a recommendation for EE certificates to have a validity * Clarify that Manifest EE certificates are to be issued with a
period that coincides with the interval specified in the Manifest validity period which coincides with the interval specified in the
eContent. Manifest eContent, which coincides with the CRL's thisUpdate and
nextUpdate.
* Clarify the manifestNumber is monotonically incremented in steps * Clarify the manifestNumber is monotonically incremented in steps
of 1. of 1.
* Recommend CA issuers to coincidence the applicable CRL's * Recommend CA issuers to coincidence the applicable CRL's
nextUpdate with the Manifest's nextUpdate. nextUpdate with the Manifest's nextUpdate.
* The set of valid characters in FileAndHash filenames was * The set of valid characters in FileAndHash filenames was
constrained. constrained.
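Review bot: the revised second bullet now states the CRL alignment at requirement level ("validity period which coincides with the interval specified in the Manifest eContent, which coincides with the CRL's thisUpdate and nextUpdate"), while the unchanged fourth bullet still only says "Recommend CA issuers to coincidence the applicable CRL's nextUpdate with the Manifest's nextUpdate"; these two summary items now disagree on the strength of the same rule, and since the Note in the validation section (the change at page 8) was upgraded to MUST in this revision, the fourth bullet should be rewritten to the same level, or merged into the second, and "coincidence" corrected to "coincide". The doubled "which coincides ... which coincides" in the new text is also hard to parse; suggest: "Clarify that Manifest EE certificates MUST be issued with a validity period matching the thisUpdate/nextUpdate interval in the Manifest eContent, which in turn MUST match the associated CRL's thisUpdate and nextUpdate."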
 End of changes. 6 change blocks. 
11 lines changed or deleted 12 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/