idnits 2.17.1 

draft-ietf-sidr-ltamgmt-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 254 has weird spacing: '...ntifier    unc...'

  == Line 257 has weird spacing: '... points   repl...'

  == Line 330 has weird spacing: '...lagname  boole...'

  == Line 360 has weird spacing: '...tagname  tagva...'

  -- The document date (November 9, 2010) is 4909 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'I-D.sidr-arch' is mentioned on line 120, but not
     defined

  == Missing Reference: 'I-D.sidr-res-cert-prof' is mentioned on line 124,
     but not defined

  == Missing Reference: 'ID.sidr-res-cert-prof' is mentioned on line 454, but
     not defined

  == Unused Reference: 'RFC2119' is defined on line 1076, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3513' is defined on line 1079, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5396' is defined on line 1090, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 3513 (Obsoleted by RFC 4291)


     Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Secure Inter-Domain Routing                                  M. Reynolds
3	Internet-Draft                                                   S. Kent
4	Intended status: Standards Track                                     BBN
5	Expires: May 13, 2011                                   November 9, 2010

7	Local Trust Anchor Management for the Resource Public Key Infrastructure
8	                    <draft-ietf-sidr-ltamgmt-00.txt>

10	Status of this Memo

12	   This Internet-Draft is submitted to IETF in full conformance with the
13	   provisions of BCP 78 and BCP 79.

15	   Internet-Drafts are working documents of the Internet Engineering
16	   Task Force (IETF), its areas, and its working groups.  Note that
17	   other groups may also distribute working documents as
18	   Internet-Drafts.

20	   Internet-Drafts are draft documents valid for a maximum of six months
21	   and may be updated, replaced, or obsoleted by other documents at any
22	   time.  It is inappropriate to use Internet-Drafts as reference
23	   material or to cite them other than as "work in progress."

25	   The list of current Internet-Drafts can be accessed at
26	   http://www.ietf.org/1id-abstracts.html

28	   The list of Internet-Draft Shadow Directories can be accessed at
29	   http://www.ietf.org/shadow.html

31	   This Internet-Draft will expire on May 13, 2011.

33	Copyright and License Notice

35	   Copyright (c) 2010 IETF Trust and the persons identified as the
36	   document authors. All rights reserved.

38	   This document is subject to BCP 78 and the IETF Trust's Legal
39	   Provisions Relating to IETF Documents
40	   (http://trustee.ietf.org/license-info) in effect on the date of
41	   publication of this document. Please review these documents
42	   carefully, as they describe your rights and restrictions with respect
43	   to this document.  Code Components extracted from this document must
44	   include Simplified BSD License text as described in Section 4.e of
45	   the Trust Legal Provisions and are provided without warranty as
46	   described in the Simplified BSD License.

48	Abstract

50	   This document describes a facility to enable a relying party (RP) to
51	   manage trust anchors (TAs) in the context of the Resource Public Key
52	   Infrastructure (RPKI). It is common to allow an RP to import TA
53	   material in the form of self-signed certificates. The facility
54	   described in this document allows an RP to impose constraints on such
55	   TAs. Because this mechanism is designed to operate in the RPKI
56	   context, the relevant constraints are the RFC 3779 extensions that
57	   bind address spaces and/or autonomous system (AS) numbers to
58	   entities. The primary motivation for this facility is to enable an RP
59	   to ensure that resource allocation information that it has acquired
60	   via some trusted channel is not overridden by the information
61	   acquired from the RPKI repository system or by the putative TAs that
62	   the RP imports. Specifically, the mechanism allows an RP to specify a
63	   set of bindings between public key identifiers and RFC 3779 extension
64	   data and will override any conflicting bindings expressed via the
65	   putative TAs and the certificates downloaded from the RPKI repository
66	   system. Although this mechanism is designed for local use by an RP,
67	   an entity that is accorded administrative control over a set of RPs
68	   may use this mechanism to convey its view of the RPKI to a set of RPs
69	   within its jurisdiction. The means by which this latter use case is
70	   effected is outside the scope of this document.

72	Table of Contents

74	   1  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 4
75	      1.1  Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5
76	   2  Overview of Certificate Processing . . . . . . . . . . . . . . . 5
77	      2.1  Target Certificate Processing . . . . . . . . . . . . . . . 5
78	      2.2  Perforation . . . . . . . . . . . . . . . . . . . . . . . . 5
79	      2.3  TA Re-parenting . . . . . . . . . . . . . . . . . . . . . . 6
80	      2.4  Paracertificates  . . . . . . . . . . . . . . . . . . . . . 6
81	   3  Format of the constraints file . . . . . . . . . . . . . . . . . 8
82	      3.1  Relying party subsection  . . . . . . . . . . . . . . . . . 8
83	      3.2  Flags subsection  . . . . . . . . . . . . . . . . . . . . . 8
84	      3.3  Tags subsection . . . . . . . . . . . . . . . . . . . . . . 9
85	         3.3.1  Xvalidity_dates tag  . . . . . . . . . . . . . . . .  10
86	         3.3.2  Xcrldp tag . . . . . . . . . . . . . . . . . . . . .  10
87	         3.3.3  Xcp tag  . . . . . . . . . . . . . . . . . . . . . .  11
88	         3.3.4  Xaia tag . . . . . . . . . . . . . . . . . . . . . .  11
89	      3.4  Blocks subsection . . . . . . . . . . . . . . . . . . . .  12
90	   4  Certificate Processing Algorithm . . . . . . . . . . . . . . .  13
91	      4.1  Proofreading algorithm  . . . . . . . . . . . . . . . . .  14
92	      4.2  TA processing algorithm . . . . . . . . . . . . . . . . .  15
93	         4.2.1  Preparatory processing (stage 0) . . . . . . . . . .  16
94	         4.2.2  Target processing (stage 1)  . . . . . . . . . . . .  17
95	         4.2.3  Ancestor processing (stage 2)  . . . . . . . . . . .  18
96	         4.2.4  Tree processing (stage 3)  . . . . . . . . . . . . .  19
97	         4.2.5  TA re-parenting (stage 4)  . . . . . . . . . . . . .  20
98	      4.3  Discussion  . . . . . . . . . . . . . . . . . . . . . . .  21
99	   5  Implications for Path Discovery  . . . . . . . . . . . . . . .  21
100	      5.1  Two answers . . . . . . . . . . . . . . . . . . . . . . .  21
101	      5.2  One answer  . . . . . . . . . . . . . . . . . . . . . . .  22
102	      5.3  No answer . . . . . . . . . . . . . . . . . . . . . . . .  22
103	   6  Implications for Revocation  . . . . . . . . . . . . . . . . .  22
104	      6.1  No state bits set . . . . . . . . . . . . . . . . . . . .  22
105	      6.2  ORIGINAL state bit set  . . . . . . . . . . . . . . . . .  23
106	      6.3  PARA state bit set  . . . . . . . . . . . . . . . . . . .  23
107	      6.4  Both ORIGINAL and PARA state bits set . . . . . . . . . .  23
108	   7  Security Considerations  . . . . . . . . . . . . . . . . . . .  24
109	   8  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  24
110	   9  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  24
111	   10  References  . . . . . . . . . . . . . . . . . . . . . . . . .  24
112	      10.1  Normative References . . . . . . . . . . . . . . . . . .  24
113	      10.2  Informative References . . . . . . . . . . . . . . . . .  25
114	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  25
115	   Appendix A: Sample Constraints File . . . . . . . . . . . . . . .  26
116	   Appendix B: Optional Sorting Algorithm for Ancestor Processing  .  27

118	1  Introduction

120	   The Resource Public Key Infrastructure (RPKI) [I-D.sidr-arch] is a
121	   PKI in which certificates are issued to facilitate management of IP
122	   addresses and autonomous system number resources. Such resources are
123	   expressed in the form of X.509v3 "resource" certificates with
124	   extensions as defined by RFC 3779 [I-D.sidr-res-cert-prof].
125	   Validation of a resource certificate is preceded by path discovery.
126	   Path discovery is effected by constructing a certificate path
127	   (upward) from a target certificate to a trust anchor. Path validation
128	   proceeds from the TA in question to the target certificate, using the
129	   public key from each certificate along the path to verify the
130	   signature of its subordinate certificate. In the RPKI it is
131	   anticipated that one or more putative TAs, aligned with the resource
132	   allocation hierarchy, will be available in the form of self-signed
133	   certificates configured by an RP. There are circumstances under which
134	   an RP may wish to override the resource specifications obtained
135	   through the RPKI distributed repository system [I-D.sidr-repos-
136	   struct]. This document describes a mechanism by which an RP may
137	   override any conflicting information expressed via the putative TAs
138	   and the certificates downloaded from the RPKI repository system.

140	   To effect this local control, this document calls for a relying party
141	   to specify a set of bindings between public key identifiers and
142	   resources (IP resources and/or AS number resources) through a text
143	   file known as a constraints file. The constraints expressed in this
144	   file then take precedence over any competing claims expressed by
145	   resource certificates acquired from the distributed repository
146	   system. (The means by which a relying party acquires the key
147	   identifier and the RFC 3779 extension data used to populate the
148	   constraints file is outside the scope of this document.) The relying
149	   party also may use a local publication point (the root of a local
150	   directory tree that is made available as if it were a remote
151	   repository) as a source of certificates and CRLs (and other RPKI
152	   signed objects, e.g. ROAs and manifests) that do not appear in the
153	   RPKI repository system.

155	   In order to allow reuse of existing, standard path validation
156	   mechanisms, the RP-imposed constraints are realized by having the RP
157	   itself represented as the only TA known in the local certificate
158	   validation context. To ensure that all RPKI certificates can be
159	   validated relative to this TA, this RP TA certificate must contain
160	   all-encompassing resource allocations, i.e. 0/0 for IPv4, 0::/0 for
161	   IPv6 and 0-4294967295 for AS numbers. Thus, a conforming
162	   implementation of this mechanism must be able to cause a self-signed
163	   certification authority (CA) certificate to be created with a locally
164	   generated key pair. It also must be able to issue CA certificates
165	   subordinate to this TA. Finally, a conforming implementation of this
166	   mechanism must process the constraints file and modify certificates
167	   as needed in order to enforce the constraints asserted in the file.

169	   The remainder of this document describes in detail the types of
170	   certificate modification that may occur, the semantics of the
171	   constraints file, and the implications of certificate modification on
172	   path discovery and revocation.

174	1.1  Terminology

176	   It is assumed that the reader is familiar with the terms and concepts
177	   described in "Internet X.509 Public Key Infrastructure Certificate
178	   and Certificate Revocation List (CRL) Profile" [RFC5280] and "X.509
179	   Extensions for IP Addresses and AS Identifiers" [RFC3779].

181	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
182	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
183	   document are to be interpreted as described in RFC 2119.

185	2  Overview of Certificate Processing

187	   The fundamental aspect of the facility described in this document is
188	   one of certificate modification. The constraints file, described in
189	   more detail in the next section, contains assertions about resources
190	   that are to be specially processed. As a result of this processing,
191	   certificates in the local copy of the RPKI repository are transformed
192	   into new certificates satisfying the resource constraints so
193	   specified. This enables the RP to override conflicting assertions
194	   about resource holdings as acquired from the RPKI repository system.
195	   Three forms of certificate modification can occur.

197	2.1  Target Certificate Processing

199	   If a certificate is acquired from the RPKI repository system and it's
200	   SKI is listed in the constraints file, it will be reissued directly
201	   under the RP TA certificate, with (possibly) modified RFC 3779
202	   extensions. The modified extensions will include any RFC 3779 data
203	   expressed in the constraints file. In Section 4.2, target certificate
204	   processing corresponds to stage one of the algorithm.

206	2.2  Perforation

208	   Any certificate acquired from the RPKI repository that contains an
209	   RFC 3779 extension that intersects the resource data in the
210	   constraints file will be reissued directly under the RP TA, with
211	   modified RFC 3779 extensions. We refer to the process of modifying
212	   the RFC 3779 extension in an affected certificate as "perforation"
213	   (because the process will create "holes" in these extensions). The
214	   modified extensions will exclude any RFC 3779 data expressed in the
215	   constraints file. In the certificate processing algorithm described
216	   in Section 4.2, perforation corresponds to stage two of the algorithm
217	   ("ancestor processing") and also to stage three of the algorithm
218	   ("tree processing").

220	2.3  TA Re-parenting

222	   For consistency, all valid, self-signed certificates that would have
223	   been regarded as TAs in the public RPKI certificate hierarchy, e.g.
224	   self-signed certificates issued by IANA or the RIRs, will be re-
225	   issued under the RP TA certificate. This processing is done even
226	   though all but one of these certificates might not intersect any
227	   resources specified in the constraints file. We refer to this
228	   reissuance as "re-parenting" since the Issuer (parent) of the
229	   certificate has been changed. In the certificate processing algorithm
230	   described in Section 4.2, TA re-parenting corresponds to stage four
231	   of the algorithm.

233	2.4  Paracertificates

235	   If a certificate is subject to any of the three forms of processing
236	   just described, that certificate will be referred to as an "original"
237	   certificate and the processed (output) certificate will be referred
238	   to as a paracertificate. When an original certificate is transformed
239	   into a paracertificate all the fields and extensions from the
240	   original certificate will be retained, except as indicated in Table
241	   1, below.

243	      Original Certificate Field         Action

245	          Version                     unchanged
246	          Serial number               created per note A
247	          Signature                   replaced if needed
248	                                        with RP's signing alg
249	          Issuer                      replaced with RP's name
250	          Validity dates              replaced per note B
251	          Subject                     unchanged
252	          Subject public key info     unchanged
253	          Extensions
254	            Subject key identifier    unchanged
255	            Key usage                 unchanged
256	            Basic constraints         unchanged
257	            CRL distribution points   replaced per note B
258	            Certificate policy        replaced per note B
259	            Authority info access     replaced per note B
260	            Authority key ident       replaced with RP's
261	            IP address block          modified as described
262	            AS number block           modified as described
263	            Subject info access       unchanged
264	            All other extensions      unchanged
265	          Signature Algorithm         same as above
266	          Signature value             new

268	                Table 1  Certificate Field Modifications

270	   Note A. The serial number will be created by concatenating the
271	   current time (the number of seconds since Jan 1, 1970) with a count
272	   of the certificates created in the current run.

274	   Note B. These fields are derived (as described in section 3.3 below)
275	   from parameters in the constraints file (if present); otherwise, they
276	   take on values from the certificates from which the paracertificates
277	   are derived.

279	3  Format of the constraints file

281	   This section describes a general model for the syntax of the
282	   constraints file. The model described below is nominal;
283	   implementations need not match details of this model as presented,
284	   but the external behavior of implementations MUST correspond to the
285	   externally observable characteristics of this model in order to be
286	   compliant.

288	   The constraints file consists of four logical subsections: the
289	   replying party subsection, the flags subsection, the tags subsection
290	   and the blocks subsection. The relying party subsection and the
291	   blocks subsection are REQUIRED and MUST be present; the flags and
292	   tags subsections are OPTIONAL. Each subsection is described in more
293	   detail below. Note that the semicolon (;) character acts as the
294	   comment character, to enable annotating constraints files. All
295	   characters from a semicolon to the end of that line are ignored. In
296	   addition, lines consisting only of whitespace are ignored. The
297	   subsections MUST occur in the order indicated. An example constraints
298	   file is given in Appendix A.

300	3.1  Relying party subsection

302	   The relying party subsection is a REQUIRED subsection of the
303	   constraints file. It MUST be the first subsection of the constraints
304	   file, and it MUST consist of two lines of the form:

306	      PRIVATEKEYMETHOD      value [ ... value ]
307	      TOPLEVELCERTIFICATE   value

309	   The first line provides guidance to the certificate processing
310	   algorithm on the method that will be used to gain access to the RP's
311	   private key. This line consists of the string literal
312	   PRIVATEKEYMETHOD, followed by one or more whitespace delimited string
313	   values. These values are passed to the certificate processing
314	   algorithm as described below. Note that this entry, as for all
315	   entries in the constraints file, is case sensitive.

317	   The second line of this subsection consists of the string literal
318	   TOPLEVELCERTIFICATE, followed by exactly one string value. This value
319	   is the name of a file containing the relying party's TA certificate.
320	   The file name is passed to the certificate processing algorithm as
321	   described below.

323	3.2  Flags subsection

325	   The flags subsection of the constraints file is an OPTIONAL
326	   subsection. If present it MUST immediately follow the relying party
327	   subsection. The flags subsection consists of one or more lines of the
328	   form

330	      CONTROL  flagname  booleanvalue

332	   Each such line is referred to as a control line. Each control line
333	   MUST contain exactly three whitespace delimited strings. The first
334	   string MUST be the literal CONTROL. The second string MUST be one of
335	   the following three literals:

337	            resource_nounion
338	            intersection_always
339	            treegrowth

341	   The third string denotes a boolean value, and MUST be one of the
342	   literals TRUE or FALSE. Control flags influence the global operation
343	   of the certificate processing algorithm; the semantics of the flags
344	   is described in detail in Section 4.2. Note that each flag has a
345	   default value, so that if the corresponding CONTROL line does not
346	   appear in the constraints file, the algorithm flag is considered to
347	   take the corresponding default value. The default value for each flag
348	   is FALSE. Thus, if any flag is not named in a control line it takes
349	   the value FALSE. Further, if the flags subsection is absent, all
350	   three flags take the value FALSE.

352	3.3  Tags subsection

354	   The tags subsection is an OPTIONAL subsection in the constraints
355	   file. If present it MUST immediately follow the relying party
356	   subsection (if the flags subsection is absent) or the flags
357	   subsection (if it is present). The tags subsection consists of one or
358	   more lines of the form

360	      TAG  tagname  tagvalue [ ... tagvalue ]

362	   Each such line is referred to as a tag line. Each tag line MUST
363	   consist of at least three whitespace delimited string values, the
364	   first of which must be the literal TAG. The second string value gives
365	   the name of the tag, and subsequent string(s) give the value(s) of
366	   the tag. The tag name MUST be one of the following four string
367	   literals:

369	            Xvalidity_dates
370	            Xcrldp
371	            Xcp
372	            Xaia

374	   The purpose of the tag lines is to provide an indication of the means
375	   by which paracertificate fields, specifically those indicated above
376	   under "Note B", are constructed. Each tag has a default, so that if
377	   the corresponding tag line is not present in the constraints file,
378	   the default behavior is used when constructing the paracertificates.
379	   The syntax and semantics of each tag line is described next.

381	   Note that the tag lines are considered to be global; the action of
382	   each tag line (or the default action, if that tag line is not
383	   present) applies to all paracertificates that are created as part of
384	   the certificate processing algorithm.

386	3.3.1  Xvalidity_dates tag

388	   This tag line is used to control the value of the notBefore and
389	   notAfter fields in paracertificates. If this tag line is specified
390	   and there is a single tagvalue which is the literal string C, the
391	   paracertificate validity interval is copied from the original
392	   certificate validity interval from which it is derived. If this tag
393	   is specified and there is a single tagvalue which is the literal
394	   string R, the paracertificate validity interval is copied from the
395	   validity interval of the relying party's top level (TA) certificate.
396	   If this tag is specified and the tagvalue is neither of these
397	   literals, then exactly two tagvalues MUST be specified. Each must be
398	   a Generalized Time string of the form YYYYMMDDHHMMSSZ. The first
399	   tagvalue is assigned to the notBefore field and the second tagvalue
400	   is assigned to the notAfter field. It MUST be the case that the
401	   tagvalues may be parsed as valid Generalized Time strings such that
402	   notBefore is less than notAfter, and also such that notAfter
403	   represents a time in the future (i.e., the paracertificate has not
404	   already expired).

406	   If this tag line is not present in the constraints file the default
407	   behavior is to copy the validity interval from the original
408	   certificate to the corresponding paracertificate.

410	3.3.2  Xcrldp tag

412	   This tag line is used to control the value of the CRL distribution
413	   point extension in paracertificates. If this tag line is specified
414	   and there is a single tagvalue that is the string literal C, the
415	   CRLDP of the paracertificate is copied from the CRLDP of the original
416	   certificate from which it is derived. If this tag line is specified
417	   and there is a single tagvalue that is the string literal R, the
418	   CRLDP of the paracertificate is copied from the CRLDP of the RP's top
419	   level certificate. If this tag line is specified and there is a
420	   single tagvalue that is not one of these two reserved literals, or if
421	   there is more than one tagvalue, then each tagvalue is interpreted as
422	   a URL that will be placed in the CRLDP sequence in the
423	   paracertificate.

425	   If this tag line is not present in the constraints file the default
426	   behavior is to copy the CRLDP from the original certificate to the
427	   corresponding paracertificate.

429	3.3.3  Xcp tag

431	   This tag line is used to control the value of the policyQualifierId
432	   field in paracertificates. If this tag line is specified there MUST
433	   be exactly one tagvalue. If the tagvalue is the string literal C, the
434	   paracertificate value is copied from the value in the corresponding
435	   original certificate. If the tagvalue is the string literal R, the
436	   paracertificate value is copied from the value in the RP's top level
437	   TA certificate. If the tagvalue is the string literal D, the
438	   paracertificate value is set to the default OID. If the tagvalue is
439	   not one of these reserved string literals, then the tagvalue MUST be
440	   an OID specified using the standard dotted notation. The value in the
441	   paracertificate's policyQualifierId field is set to this OID. Note
442	   the RFC 5280 specifies that only a single policy may be specified in
443	   a certificate, so only a single tagvalue is permitted in this tag
444	   line, even though the CertificatePolicy field is an ASN.1 sequence.

446	   If this tag line is not specified the default behavior is to use the
447	   default OID in creating the paracertificate.

449	   This option permits the RP to convert a value of the
450	   policyQualifierId field in a certificate (that would not be in
451	   conformance with the RPKI CP) to a conforming value in the
452	   paracertificate. This conversion enables use of RPKI validation
453	   software that checks the policy field against that specified in the
454	   RPKI CP [ID.sidr-res-cert-prof].

456	3.3.4  Xaia tag

458	   This tag line is used to control the value of the Authority
459	   Information Access (AIA) extension in the paracertificate. If this
460	   tag line is present then it MUST have exactly one tagvalue. If this
461	   tagvalue is the string literal C, then the AIA field in the
462	   paracertificate is copied from the AIA field in the original
463	   certificate from which it is derived. If this tag line is present and
464	   the tagvalue is not the reserved string literal, then the tagvalue
465	   MUST be a URL. This URL is set as the AIA extension of the
466	   paracertificates that are created.

468	   If this tag line is not specified the default behavior is to use copy
469	   the AIA field from the original certificate to the AIA field of the
470	   paracertificate.

472	3.4  Blocks subsection

474	   The blocks subsection is a REQUIRED subsection of the constraints
475	   file. If the tags subsection is present, the blocks subsection MUST
476	   appear immediately after it. If the tags subsection is absent, but
477	   the flags subsection is present, the block subsection MUST appear
478	   immediately after it. Otherwise, the blocks subsection MUST appear
479	   immediately after the relying party subsection. The blocks subsection
480	   consists of one or more blocks, known as target blocks. A target
481	   block is used to specify an association between a certificate (given
482	   by a hash of its public key information) and a set of resource
483	   assertions. Each target block contains four regions, an SKI region,
484	   an IPv4 region, an IPv6 region and an AS number region. All regions
485	   are REQUIRED to be present in a target block.

487	   The SKI region contains a single line beginning with the string
488	   literal SKI and followed by forty hexadecimal characters giving the
489	   subject key identifier of a certificate, known as the target
490	   certificate. The hex character string MAY contain embedded whitespace
491	   or colon characters (included to improve readability), which are
492	   ignored. The IPv4 region consists of a line containing only the
493	   string literal IPv4. This line is followed by zero or more lines
494	   containing IPv4 prefixes in the format described in RFC 3779. The
495	   IPv6 region consists of a line containing only the string literal
496	   IPv6, followed by zero or more lines containing IPv6 prefixes using
497	   the format described in RFC 3513. (The presence of the IPv4 and IPv6
498	   literals is to simplify parsing of the constraints file.) Finally,
499	   the AS number region consists of a line containing only the string
500	   literal AS#, followed by zero or more lines containing AS numbers
501	   (one per line). The AS numbers are specified in decimal notation as
502	   recommended in RFC 5396. A target block is terminated by either the
503	   end of the constraints file, or by the beginning of the next target
504	   block, as signaled by its opening SKI region line. An example target
505	   block is shown below. See also the complete constraints file example
506	   given in Appendix A. Note that whitespace, as always, is ignored.

508	        SKI 00:12:33:44:00:BA:BA:DE:EB:EE:00:99:88:77:66:55:44:33:22:11
509	        IPv4
510	          10.2.3/24
511	          10.8/16
512	        IPv6
513	          1:2:3:4:5:6/112
514	        AS#
515	          123
516	          567

518	   The blocks subsection MUST contain at least one target block. Note
519	   that it is OPTIONAL that the SKI refer to a certificate that is known
520	   or resolvable within the context of the local RPKI repository. Also,
521	   there is no REQUIRED or implied ordering of target blocks within the
522	   block subsection. As a result of the fact that blocks may occur in
523	   any order, it MAY result that the outcome of processing a constraints
524	   file depends on the order in which target blocks occur within the
525	   constraints file. The next section of this document contains a
526	   detailed description of the certificate processing algorithm.

528	4  Certificate Processing Algorithm

530	   The section describes the certificate processing algorithm through
531	   which paracertificates are created from original certificates in the
532	   local RPKI repository. For the purposes of describing this algorithm,
533	   it will be assumed that certificates may be persistently associated
534	   with state (or metadata) information. This state information will be
535	   further construed as having the form of any array of named bits that
536	   are associated with each certificate. No specific implementation of
537	   this functionality is mandated by this document. Any implementation
538	   that provides the indicated functionality is acceptable, and need not
539	   actually consist of a bit field associated with each certificate.

541	   The state bits used in certificate processing are

543	         NOCHAIN
544	         ORIGINAL
545	         PARA
546	         TARGET

548	   If the NOCHAIN bit is set, this indicates that a full path between
549	   the given certificate and a TA has not yet been discovered. If the
550	   ORIGINAL bit is set, this indicates that the certificate is question
551	   has been processed by some part of the processing algorithm described
552	   in Section 4.2. If it was processed as part of stage one processing,
553	   as described in section 4.2.2, the TARGET bit will also be set.
554	   Finally, any paracertificate will have the PARA bit set.

556	   At the beginning of algorithm processing each certificate in the
557	   local RPKI repository has the ORIGINAL, PARA and TARGET bits clear.
558	   If a certificate has a complete, validated path to a TA, or is itself
559	   a TA, then that certificate will have the NOCHAIN bit clear,
560	   otherwise it will have the NOCHAIN bit set. As the certificate
561	   processing algorithm is executed, the bit state of original
562	   certificates may changed. In addition, since the certificate
563	   processing algorithm may also be creating paracertificates, it is
564	   responsible for actively setting or clearing the state of these four
565	   bits on those paracertificates.

567	   The certificate processing algorithm consists of two sub-algorithms:

569	   "proofreading" and "TA processing". Conceptually, the proofreading
570	   sub-algorithm performs syntactic checks on the constraints file,
571	   while the TA processing sub-algorithm performs the actual certificate
572	   transformation processing. If the proofreading sub-algorithm does not
573	   succeed in parsing the constraints file, the TA processing sub-
574	   algorithm is not executed. Note also that if the constraints file is
575	   not present, neither sub-algorithm is executed and the local RPKI
576	   repository is not modified. Each of the constituent algorithms will
577	   now be described in detail.

579	4.1  Proofreading algorithm

581	   The goal of the proofreading algorithm is to check the constraints
582	   file for syntactic errors, such as missing REQUIRED subsections, or
583	   malformed addresses such as 1.2.300/24. It also performs a set of
584	   heuristic checks, such as checking for prefixes that are too large
585	   (larger than /8). The proofreading algorithm SHOULD also examine
586	   resource regions (IPv4, IPv6 and AS# regions) within the blocks
587	   subsection, and reorder such resources within a region in ascending
588	   numeric order. On encountering any error the proofreading algorithm
589	   SHOULD provide an error message indicating the line on which the
590	   error occurred as well as informative text that is sufficiently
591	   descriptive as to allow the user to identify and correct the error.
592	   An implementation of the proofreading algorithm MUST NOT assume that
593	   is has access to the local RPKI repository (even read-only access).
594	   An implementation of the proofreading algorithm MUST NOT alter the
595	   local RPKI repository in any way; it also MUST NOT change any of the
596	   state/metadata information associated with certificates in that
597	   repository. (Recall that the processing described here is creating a
598	   copy of that local repository.) Finally, the proofreading algorithm
599	   MAY produce a transformed output file containing the same syntactic
600	   information as in the text version of the constraints file, so long
601	   as the format of the transformed file is understood by the TA
602	   processing algorithm.

604	   The proofreading algorithm performs the following syntactic checks on
605	   the constraints file. It checks for the presence of the REQUIRED
606	   relying party subsection and the REQUIRED blocks subsection. It
607	   checks that the order of the two, three or four subsections is as
608	   stated above. It checks that the relying party subsection conforms to
609	   the specification given in section 3.1 above. If present, it checks
610	   that the tags and flags subsections conform to the specifications in
611	   sections 3.2 and 3.3 above. It then checks the blocks subsection. It
612	   splits the blocks subsection into constituent target blocks, as
613	   delimited by the SKI region line(s), and verifies that at least one
614	   target block is present. It verifies that each SKI region line
615	   contains exactly forty hexadecimal digits and contains no additional
616	   characters other than whitespace or colon characters. For each target
617	   block, it then verifies the presence of the IPv4, IPv6 and AS#
618	   regions, and also verifies that at least one such resource is
619	   present. For each IPv4 prefix, IPv6 prefix and autonomous system
620	   number given, it checks that the indicated resource is syntactically
621	   valid according to the appropriate RFC definition, as described in
622	   section 3.4. It also verifies that no IPv4 resource has a prefix
623	   larger than /8. The proofreading algorithm SHOULD performing
624	   reordering within each of the three resource regions so that stated
625	   resource occur in ascending numerical order. If the proofreading
626	   algorithm has performed any reordering of information it MAY
627	   overwrite the constraints file. If it does so, however, it MUST
628	   preserve all information contained within the file, including
629	   information that is not parsed (such as comments). If the
630	   proofreading algorithm has performed any reordering of information
631	   but has not overwritten the constraints file, it MAY produce a
632	   transformed output file, as described above. If the proofreading
633	   algorithm has performed any reordering of information, but has
634	   neither overwritten the constraints file nor produced a transformed
635	   output file, it MUST provide an error message to the user indicating
636	   what reordering was performed.

638	4.2  TA processing algorithm

640	   The TA processing algorithm acts on the constraints file (or the
641	   output file produced by the proofreading algorithm) and the contents
642	   of the local RPKI repository to produce paracertificates for the
643	   purpose of enforcing the resource allocations as expressed in the
644	   constraints file. The TA processing algorithm operates in five
645	   stages, a preparatory stage (stage 0), target processing (stage 1),
646	   ancestor processing (stage 2), tree processing (state 3) and TA re-
647	   parenting (stage 4). Conceptually, during the preparatory stage the
648	   constraints (or proofreader output) file is read and a set of
649	   internal RP, tag and flag variables are set based on the contents of
650	   that file. (If the constraint file has not specified one or more of
651	   the tags and/or flags, those tags and flags are set to default
652	   values). During target processing all certificates specified by a
653	   target block are processed, and the resources for those certificates
654	   are (potentially) expanded; for each target found a new
655	   paracertificate is manufactured with its various fields set, as shown
656	   in Table 1, using the values of the internal variables set in the
657	   preparatory stage and also, of course, the fields of the original
658	   certificate (and, potentially, fields of the RP's TA certificate). In
659	   stage 2 (ancestor) processing, all ancestors of the each target
660	   certificate are found, and the claimed resources are then removed
661	   (perforated). A new paracertificate with these diminished resources
662	   is crafted, with its fields generated based on internal variable
663	   settings, original certificate field values, and, potentially, the
664	   fields of the RP's TA certificate. In tree processing (stage 3), the
665	   entire local RPKI repository is searching for any other certificates
666	   that have resources that intersect a target resource, and that were
667	   not otherwise processed during a preceding stage. Perforation is
668	   again performed for any such intersecting certificates, and
669	   paracertificates created as in stage 2. Finally, in the fourth and
670	   last stage, TA re-parenting, any TA certificates in the local RPKI
671	   repository that have not already been processed are now re-parented
672	   under the RP's TA certificate. This transformation will create
673	   paracertificates; however, these paracertificates may have RFC 3779
674	   resources that were not altered during algorithm processing. The
675	   final output of algorithm processing will be threefold. First, the
676	   state/metadata information on some (original) certificates in the
677	   repository MAY be altered. Second, paracertificates will be created,
678	   with the appropriate metadata, and entered into the repository.
679	   Finally, the TA processing algorithm SHOULD produce a human readable
680	   log of its actions, indicating which paracertificates were created
681	   and why. The remainder of this section describes the processing
682	   stages of the algorithm in detail.

684	4.2.1  Preparatory processing (stage 0)

686	   During preparatory processing, the constraints file, or the
687	   corresponding output file of the proofreader algorithm, is read.
688	   Internal variables are set corresponding to each tag and flag, if
689	   present, or to their defaults, if absent. Internal variables are also
690	   set corresponding to the PRIVATEKEYMETHOD value string(s) and the
691	   TOPLEVELCERTIFICATE string. The TA processing algorithm is queried to
692	   determine if it supports the indicated private key access
693	   methodology. This query is performed in an implementation-specific
694	   manner. In particular, an implementation is free to vacuously return
695	   success to this query. The TA processing algorithm next uses the
696	   value string for the TOPLEVELCERTIFICATE to locate this certificate,
697	   again in an implementation=specific manner. The certificate in
698	   question may already be present in the local RPKI repository, or it
699	   may be located elsewhere. The implementation is also free to create
700	   the top level certificate at this time, and then assign to this
701	   newly-created certificate the name indicated. It is necessary only
702	   that, at the conclusion of this processing, a valid trust anchor
703	   certificate for the relying party has been created or otherwise
704	   obtained.

706	   Some form of access to the RP's private key and top level certificate
707	   are required for subsequent correct operation of the algorithm.
708	   Therefore, stage 0 processing MUST terminate if one or both
709	   conditions are not satisfied. In the error case, the implementation
710	   SHOULD provide an error message of sufficient detail that the user
711	   can correct the error(s). If stage 0 processing does not succeed, no
712	   further stages of TA processing are executed.

714	4.2.2  Target processing (stage 1)

716	   During target processing, the TA processing algorithm reads all
717	   target blocks in the constraints file or corresponding proofreader
718	   output file. It then processes each target block in the order
719	   specified in the file. In the description that follows, except where
720	   noted, the operation of the algorithm on a single target block will
721	   be described. Note, however, that all stage 1 processing is executed
722	   before any processing in subsequent stages is performed.

724	   The algorithm first obtains the SKI region of the target block. It
725	   then locates, in an implementation-dependent manner, the certificate
726	   the SKI extension field of which contains that value. Note that if
727	   paracertificates have been created by virtue of previous target
728	   blocks being processed, those paracertificates are not searched in
729	   attempting to locate a certificate with a matching SKI; only original
730	   certificates are searched. If more than one original certificate is
731	   found matching this SKI, there are two possible scenarios. If a
732	   resource holder has two certificates issued by the same CA, with
733	   overlapping validity intervals and the same key, but distinct subject
734	   names (typically, by virtue of the SerialNumber parts being
735	   different), then these two certificates are both consider to be
736	   (distinct) targets, and are both processed. If, however, a resource
737	   holder has certificates issued by two different CAs, containing
738	   different resources, but using the same key, there is no unambiguous
739	   method to decide which of the certificates is intended as the target.
740	   In this latter case the algorithm MUST issue a warning to that
741	   effect, mark the target block in question as unavailable for
742	   processing by subsequent stages and proceed to the next target block.
743	   If no certificate is found then the algorithm SHOULD issue a warning
744	   to that effect and proceed to process the next target block.

746	   If a single original certificate is found matching the indicated SKI,
747	   then the algorithm takes the following actions. First, it sets the
748	   ORIGINAL state bit for the certificate found. Second, it sets the
749	   TARGET state bit for the certificate found. Third, it extracts the
750	   RFC 3779 resources from the certificate. If the global
751	   resource_nounion flag is TRUE, it compares the extracted certificate
752	   resources with the resources specified in the constraints file. If
753	   the two resource sets are different, the algorithm SHOULD issue a
754	   warning noting the difference. An output resource set is then formed
755	   that is identical to the resource set extracted from the certificate.
756	   If, however, the resource_nounion flag is FALSE, then the output
757	   resource set is calculated by forming the union of the resources
758	   extracted from the certificate and the resources specified for this
759	   target block in the constraints file. A paracertificate is then
760	   constructed according to Table 1, using fields from the original
761	   certificate, the tags that had been set during stage 0, and, if
762	   necessary, fields from the RP's TA certificate. The RFC 3779
763	   resources of the paracertificate are equated to the derived output
764	   resource set. The PARA state bit is set for the newly created
765	   paracertificate.

767	4.2.3  Ancestor processing (stage 2)

769	   The goal of ancestor processing is to discover all ancestors of
770	   target certificates and remove from those ancestors the resources
771	   specified in the target blocks corresponding to the targets being
772	   processed. Note that it is possible that, for a given chain from a
773	   target certificate to a trust anchor, another target might be
774	   encountered. This is handled by removing all the target resources of
775	   all descendents. The set of all targets that are descendants of the
776	   given certificate is formed. The union of all the target resources of
777	   the corresponding target blocks is computed, and this union in then
778	   removed from the shared ancestor.

780	   In detail, the algorithm is as follows. First, all original target
781	   certificates processed during stage 1 processing are collected.
782	   Second, any such certificates that have the NOCHAIN state bit set are
783	   eliminated from the collection. (Note that, as a result of
784	   eliminating such certificates, the resulting collection may be empty,
785	   in which case this stage of algorithm processing terminates, and
786	   processing advances to stage 3.) Next, an implementation MAY sort the
787	   collection. The optional sorting algorithm is described in Appendix
788	   B. Note that all stage 2 processing is completed before any stage 3
789	   processing.

791	   Two levels of nested iteration are performed. The outer iteration is
792	   effected over all certificates in the collection; the inner iteration
793	   is over all ancestors of the designated certificate being processed.
794	   The first certificate in the collection is chosen, and a resource set
795	   R is initialized based on the resources of the target block for that
796	   certificate (since the certificate is in collection, it must be a
797	   target certificate, and thus correspond to a target block). The
798	   parent of the certificate is then located using ordinary path
799	   discovery over original certificates only. The ancestor's certificate
800	   resources A are then extracted. These resources are then perforated
801	   with respect to R. That is, an output set of resources is created by
802	   forming the intersection I of A and R, and then taking the set
803	   difference A - I as the output resources. A paracertificate is then
804	   created containing resources tat are these output resources, and
805	   containing other fields and extensions from the original certificate
806	   (and possibly the RP's TA certificate) according to the procedure
807	   given in Table 1. The PARA state bit is set on this paracertificate
808	   and the ORIGINAL state bit is set on A. If A is also a target
809	   certificate, as indicated by its TARGET state bit being set, then
810	   there will already have been a paracertificate created for it. This
811	   previous paracertificate is destroyed in favor of the newly created
812	   paracertificate. In this case also, the set R is augmented by adding
813	   into it the set of resources of the target block for A. The algorithm
814	   then proceeds to process the parent of A. This inner iteration
815	   continues until the self-signed certificate at the root of the path
816	   is encountered and processed. The outer iteration then continues by
817	   clearing R and proceeding to the next certificate in the target
818	   collection.

820	   Note that ancestor processing has the potential for order dependency
821	   as mentioned earlier in this document. If sorting is not implemented,
822	   or if the sorting algorithm fails to completely process the
823	   collection of target certificates because the allotted maximum number
824	   of iterations has been realized, it may be the case that an ancestor
825	   of a certificate logically occurs before that certificate in the
826	   collection. Whenever an existing paracertificate is replaced by a
827	   newly created paracertificate during ancestor processing, the
828	   algorithm SHOULD alert the user, and SHOULD log sufficient detail
829	   such that the user is able to determine which resources were
830	   perforated from the original certificate in order to create the (new)
831	   paracertificate.

833	   In addition, implementations MUST provide for conflict detection and
834	   notification during ancestor processing. In particular, if a
835	   certificate is encountered two or more times during any part of the
836	   ancestor processing algorithm, and the modifications dictated by the
837	   ancestor processing algorithm are in conflict, the implementation
838	   MUST refrain from processing that certificate. Further, the
839	   implementation MUST present the user with an error message that
840	   contains enough detail that the user can locate those directives in
841	   the constraints file that are creating the conflict. For example,
842	   during one stage of the processing algorithm it may be directed that
843	   resources R1 be added to a certificate C, while during a different
844	   stage of the processing algorithm it may be directed that resources
845	   R2 be removed from certificate C. If the resource sets R1 and R2 have
846	   a non-empty intersection, that is a conflict.

848	4.2.4  Tree processing (stage 3)

850	   The goal of tree processing is to locate other certificates the
851	   resources of which might conflict with the resources allocated to a
852	   target by virtue of their being mentioned in the constraints file. In
853	   this stage of processing, certificates that are not ancestors of any
854	   target are considered. In detail, the algorithm used is as follows.
855	   First, all target certificates are again collected. Second, all
856	   target certificates that have the NOCHAIN state bit set are
857	   eliminated from this collection. Third, if the intersection_always
858	   global flag is set, those target blocks that occur in the constraints
859	   file, but that did not correspond to a certificate in the local
860	   repository, are also added to the collection. In tree processing,
861	   unlike ancestor processing, this collection is not sorted. An
862	   iteration is now performed over each certificate (or set of target
863	   block resources) in the collection. Note that the collection may be
864	   empty, in which case this stage of algorithm processing terminates,
865	   and processing advances to stage 4. Note also that all stage 3
866	   processing is performed before any stage 4 processing.

868	   Given a certificate or target resource block, each top level original
869	   TA certificate is examined. If that TA certificate has an
870	   intersection with the target block resources, then the certificate is
871	   perforated with respect to those resources. A paracertificate is
872	   created based on the contents of the original certificate (and
873	   possibly the RP's TA certificate, as indicated in Table 1) using the
874	   perforated resources. The ORIGINAL state bit is set on the original
875	   certificate processed in this manner, and the PARA state bit is set
876	   on the paracertificate just created. An inner iteration then begins
877	   on the descendants of the original certificate just processed. There
878	   are two ways in which this iteration may proceed. If the treegrowth
879	   global flag is clear, then examination of the children proceeds until
880	   all children are exhausted, or until one child is found with
881	   intersecting resources. If the treegrowth global flag is set, all
882	   children are examined. Since a transfer of resources may be in
883	   process such that more than one child possesses intersecting
884	   resources, it is RECOMMENDED that the treegrowth flag be set. The
885	   inner iteration proceeds until all descendants have been examined and
886	   no further intersecting resources are found. The outer iteration then
887	   continues with the next certificate or target resource block in the
888	   collection. Note that unlike ancestor processing, there is no concept
889	   of a potentially cumulating resource collection R; only the resources
890	   in the target block are used for perforation.

892	4.2.5  TA re-parenting (stage 4)

894	   In the final stage of TA algorithm processing, all TA certificates
895	   (other than the RP's TA certificate) that have not already been
896	   processed in a previous stage are now processed. It will be the case
897	   that all such unprocessed TA certificates have no intersection with
898	   any target resource blocks. As such, in creating the corresponding
899	   paracertificates, the output resource set is identical to the input
900	   resource set. Other transformations as described in Table 1 are
901	   performed. The original TA certificates have the ORIGINAL state bit
902	   set; the newly created paracertificates have the PARA state bit set.
903	   Note that once stage four processing is completely, only a single TA
904	   certificate will remain in an unprocessed state, namely the relying
905	   party's own TA certificate.

907	4.3  Discussion

909	   The algorithm described in this document effectively creates two
910	   coexisting certificate hierarchies: the original certificate
911	   hierarchy and the paracertificate hierarchy. Note that original
912	   certificates are not removed during any of the processing described
913	   in the previous section. Some original certificates may move from
914	   having no state bits set (or only the NOCHAIN state bit set) to
915	   having one or both of the ORIGINAL and TARGET state bits set. In
916	   addition, the NOCHAIN state bit will still be set if it was set
917	   before any processing. The paracertificate hierarchy, however, is
918	   intended to supersede the original hierarchy for the purposes of ROA
919	   validation. The presence of two hierarchies has implications for the
920	   handling of path discovery, and also for the handling of revocation.
921	   If one thinks of a certificate as being "named" by its SKI, then
922	   there can now be two certificates with the same name, one an original
923	   certificate and the other a paracertificate. The next two sections
924	   discuss the implications of this duality in detail. Before
925	   proceeding, it is worth noting that even without the existence of the
926	   paracertificate hierarchy, cases may exist in which two or more
927	   original certificates have the same SKI. As noted earlier, in Section
928	   4.2.2, these cases may be subdivided into the case in which such
929	   certificates are distinguishable by virtue of having different
930	   subject names, but identical issuers and resource sets, versus all
931	   other cases. In the distinguishable case, the path discovery
932	   algorithm treats the original certificates as separate certificates,
933	   and processes them separately. In all other cases, the original
934	   certificates should be treated as indistinguishable, and path
935	   validation should fail.

937	5  Implications for Path Discovery

939	   Path discovery proceeds from a child certificate C by asking for a
940	   parent certificate P such that the AKI of C is equal to the SKI of P.
941	   With one hierarchy this question would produce at most one answer.
942	   With two hierarchies, the original certificate hierarchy and the
943	   paracertificate hierarchy, the question may produce two answers, one
944	   answer, or no answer. Each of these cases is considered in turn.

946	5.1  Two answers

948	   In this case, it SHOULD be the case that one of the matches is a
949	   certificate with the ORIGINAL state bit set and the PARA state bit
950	   clear, while the other match inversely has the ORIGINAL state bit
951	   clear and the PARA state bit set. If any other combination of
952	   ORIGINAL and PARA state bits obtains, the path discovery algorithm
953	   MUST alert the user. In addition, the path discovery algorithm SHOULD
954	   refrain from attempting to make a choice as to which of the two
955	   certificates is the putative parent. In the no-error case, with the
956	   state bits are as indicated, the certificate with the PARA state bit
957	   set is chosen as the parent P. Note this means, in effect, that all
958	   children of the original certificate have been re-parented under the
959	   paracertificate.

961	5.2  One answer

963	   If the matching certificate has neither the ORIGINAL state bit set
964	   nor the PARA state bit set, this certificate is the parent. If the
965	   matching certificate has the PARA state bit set but the ORIGINAL
966	   state bit not set, this certificate is the parent. (This situation
967	   would arise, for example, if the original certificate had been
968	   revoked by its issuer but the paracertificate had not been revoked by
969	   the RP.) If the matching certificate has the ORIGINAL state bit set
970	   but the PARA state bit not set, this is not an error but it is a
971	   situation in which path discovery MUST be forced to fail. The parent
972	   P MUST be set to NULL, and the NOCHAIN state bit must be set on C and
973	   all its descendants; the user SHOULD be warned. Even if the RP has
974	   revoked the paracertificate, the original certificate MAY persist.
975	   Forcing path discovery to unsuccessfully terminate is a reflection of
976	   the RP's preference for path discovery to fail as opposed to using
977	   the original hierarchy. Finally, if the matching certificate has both
978	   the ORIGINAL and PARA state bits set, this is an error. The parent P
979	   MUST be set to NULL, and the user MUST be warned.

981	5.3  No answer

983	   This situation occurs when C has no parent in either the original
984	   hierarchy or the paracertificate hierarchy. In this case the parent P
985	   is NULL and path discovery terminates unsuccessfully. The NOCHAIN
986	   state bit must be set on C and all its descendants.

988	6  Implications for Revocation

990	   In a standard implementation of revocation in a PKI, a valid CRL
991	   names a (sibling) certificate by serial number. That certificate is
992	   revoked and is purged from the local RPKI repository. In the
993	   mechanism described in this document, the original certificate
994	   hierarchy and the paracertificate hierarchy are closely related. It
995	   can thus be asked how revocation is handled in the presence of these
996	   two hierarchies, in particular with regard to whether changes in one
997	   of the hierarchies triggers corresponding changes in the other
998	   hierarchy. There are four cases.

1000	6.1  No state bits set

1002	   If the CRL names a certificate that has neither the ORIGINAL state
1003	   bit set nor the PARA state bit set, revocation proceeds normally. All
1004	   children of the revoked certificate have their state modified so that
1005	   the NOCHAIN state bit is set.

1007	6.2  ORIGINAL state bit set

1009	   If the CRL names a certificate with the ORIGINAL state bit set and
1010	   the PARA state bit clear, then this certificate is revoked as usual.
1011	   If this original certificate also has the TARGET state bit set, then
1012	   the corresponding paracertificate (if it exists) is not revoked; if
1013	   this original certificate has the TARGET state bit clear, then the
1014	   corresponding paracertificate is revoked as well. Note that since all
1015	   the children of the original certificate have been re-parented to be
1016	   children of the corresponding paracertificate, as described above,
1017	   the revocation algorithm MUST NOT set the NOCHAIN state bit on these
1018	   children unless the paracertificate is also revoked. Note also that
1019	   if the original certificate is revoked but the paracertificate is not
1020	   revoked, the paracertificate retains its PARA state bit. This is to
1021	   ensure that path discovery proceeds preferentially through the
1022	   paracertificate hierarchy, as described above.

1024	6.3  PARA state bit set

1026	   If the CRL names a certificate with the PARA state bit set and the
1027	   ORIGINAL state bit clear, this CRL must have been issued, perforce,
1028	   by the RP itself. This is because all the paracertificates are
1029	   children of the RP's TA certificate. (Recall that a TA is not revoked
1030	   via a CRL; it is merely removed from the repository.) The
1031	   paracertificate is revoked and all children of the paracertificate
1032	   have the NOCHAIN state bit set. No action is taken on the
1033	   corresponding original certificate; in particular, its ORIGINAL state
1034	   bit is not cleared.

1036	   Note that the serial numbers of paracertificates are synthesized
1037	   according to the procedure given in Table 1, rather than being
1038	   assigned by an algorithm under the control of the (original) issuer.

1040	6.4  Both ORIGINAL and PARA state bits set

1042	   This is an error. The revocation algorithm MUST alert the user and
1043	   take no further action.

1045	7  Security Considerations

1047	   The goal of the algorithm described in this document is to enable an
1048	   RP to impose its own constraints on its view of the RPKI, which
1049	   itself is a security function. An RP using a constraints file is
1050	   trusting the assertions made in that file. Errors in the constraints
1051	   file used by an RP can undermine the security offered by the RPKI, to
1052	   that RP. In particular, since the paracertificate hierarchy is
1053	   intended to trump the original certificate hierarchy for the purposes
1054	   of path discovery, an improperly constructed paracertificate
1055	   hierarchy could validate origin attestations that would otherwise be
1056	   invalid, or could declare as invalid origin attestations that would
1057	   otherwise be valid. As a result, an RP must carefully consider the
1058	   security implications of the constraints file being used.

1060	8  IANA Considerations

1062	   [Note to IANA, to be removed prior to publication: there are no IANA
1063	   considerations stated in this version of the document.]

1065	9  Acknowledgements

1067	   The authors would like to acknowledge the significant contributions
1068	   of Charles Gardiner, who was the original author of an internal
1069	   version of this document, and who contributed significantly to its
1070	   evolution into the current version.

1072	10  References

1074	10.1  Normative References

1076	   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
1077	               Requirement Levels", BCP 14, RFC 2119, March 1997.

1079	   [RFC3513]   Hinden, R., and S. Deering, "Internet Protocol Version 6
1080	               (IPv6) Addressing Architecture", RFC 3513, April 2003.

1082	   [RFC3779]   Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
1083	               Addresses and AS Identifiers", RFC 3779, June 2004.

1085	   [RFC5280]   Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1086	               Housley, R., and W. Polk, "Internet X.509 Public Key
1087	               Infrastructure Certificate and Certificate Revocation
1088	               List (CRL) Profile", RFC 5280, May 2008.

1090	   [RFC5396]   Huston, G., and G. Michaelson, "Textual Representation of
1091	               Autonomous System (AS) Numbers", RFC 5396, December 2008.

1093	   [I-D. sidr-arch]
1094	               Lepinski, M. and S. Kent, "An Infrastructure to Support
1095	               Secure Internet Routing", draft-ietf-sidr-arch-11.txt
1096	               (work in progress), September 2010.

1098	   [I-D. sidr-repos-struct]
1099	               Huston, G., Loomans, R., and G. Michaelson, "A Profile
1100	               for Resource Certificate Policy Structure", draft-ietf-
1101	               sidr-repos-struct-05.txt (work in progress), October
1102	               2010.

1104	   [I-D. sidr-res-cert-prof]
1105	               Huston, G., Michaelson, G., and R. Loomans, "A Profile
1106	               for X.509 PKIX Resource Certificates", draft-ietf-sidr-
1107	               res-certs-19.txt (work in progress), October 2010.

1109	10.2  Informative References

1111	   None.

1113	Authors' Addresses

1115	     Stephen Kent
1116	     BBN Technologies
1117	     10 Moulton St.
1118	     Cambridge, MA 02138

1120	     Email: kent@bbn.com

1122	     Mark Reynolds
1123	     BBN Technologies
1124	     10 Moulton St.
1125	     Cambridge, MA 02138

1127	     Email: mreynold@bbn.com

1129	Appendix A: Sample Constraints File

1131	   ;
1132	   ; Sample constraints file for TBO LTA Test Corporation.
1133	   ;
1134	   ; TBO manages its own local (10.x.x.x) address space
1135	   ; via the target blocks in this file.
1136	   ;

1138	   ;
1139	   ; Relying party subsection. TBO uses ssh-agent as
1140	   ; a software cryptographic agent.
1141	   ;

1143	   PRIVATEKEYMETHOD         OBO(ssh-agent)
1144	   TOPLEVELCERTIFICATE      tbomaster.cer

1146	   ;
1147	   ; Flags subsection
1148	   ;
1149	   ; Always use the resources in this file to augment
1150	   ;   certificate resources.
1151	   ; Always process resource conflicts in the tree, even
1152	   ;   if the target certificate is missing.
1153	   ; Always search the entire tree.
1154	   ;

1156	   CONTROL  resource_nounion      FALSE
1157	   CONTROL  intersection_always   TRUE
1158	   CONTROL  treegrowth            TRUE

1160	   ;
1161	   ; Tags subsection
1162	   ;
1163	   ; Copy the original cert's validity dates.
1164	   ; Use the default policy OID.
1165	   ; Use our own CRLDP.
1166	   ; Use our own AIA.
1167	   ;

1169	   TAG   Xvalidity_dates         C
1170	   TAG   Xcp                     D
1171	   TAG   Xcrldp       rsync://tbo_lta_test.com/pub/CRLs
1172	   TAG   Xaia         rsync://tbo_lta_test.com/pub/repos

1174	   ;
1175	   ; Block subsection
1176	   ;

1178	   ;
1179	   ; First block: TBO corporate
1180	   ;

1182	   SKI 00112233445566778899998877665544332211
1183	     IPv4
1184	       10.2.3/24
1185	       10.8/16
1186	     IPv6
1187	       2000:2:3:4:5:6/112
1188	     AS#
1189	       60123
1190	       5507

1192	   ;
1193	   ; Second block: TBO LTA Test enforcement division
1194	   ;

1196	   SKI 653420AF758421CF600029FF857422AA6833299F
1197	     IPv4
1198	       10.2.8/24
1199	       10.47/16
1200	     IPv6
1201	     AS#
1202	       60124

1204	   ;
1205	   ; Third block: TBO LTA Test Acceptance Corporation
1206	   ; Quality financial services since sometime
1207	   ; late yesterday.
1208	   ;

1210	   SKI 19:82:34:90:8b:a0:9c:ef:00:af:a0:98:23:09:82:4b:ef:ab:98:09
1211	     IPv4
1212	       10.3.3/24
1213	     IPv6
1214	     AS#
1215	       60125

1217	   ; End of TBO constraints file

1219	Appendix B: Optional Sorting Algorithm for Ancestor Processing

1221	   Sorting is performed in an effort to eliminate any order dependencies
1222	   in ancestor processing, as described in section 4.2.3 of this
1223	   document. The sorting algorithm does this by rearranging the
1224	   processing of certificates such that if A is an ancestor of B, B is
1225	   processed before A. The sorting algorithm is an OPTIONAL part of
1226	   ancestor processing. Sorting proceeds as follows. The collection
1227	   created at the beginning of ancestor processing is traversed and any
1228	   certificate in the collection that is visited as a result of path
1229	   discovery is temporarily marked. After the traversal, all unmarked
1230	   certificates are moved to the beginning of the collection. The
1231	   remaining marked certificates are unmarked, and a traversal again
1232	   performed through this sub-collection of previously marked
1233	   certificates. The sorting algorithm proceeds iteratively until all
1234	   certificates have been sorted or until a predetermined fixed number
1235	   of iterations has been performed. (Eight is suggested as a munificent
1236	   value for the upper bound, since the number of sorting steps need
1237	   should be no greater than the maximum depth of the tree). Finally,
1238	   the ancestor processing algorithm is applied in turn to each
1239	   certificate in the remaining sorted collection. If the sorting
1240	   algorithm fails to converge, that is if the maximum number of
1241	   iterations has been reached and unsorted certificates remain, the
1242	   implementation SHOULD warn the user.