idnits 2.17.1 draft-ietf-sidr-ltamgmt-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 255 has weird spacing: '...ntifier unc...' == Line 258 has weird spacing: '... points repl...' == Line 331 has weird spacing: '...lagname boole...' == Line 361 has weird spacing: '...tagname tagva...' -- The document date (December 4, 2011) is 4499 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'I-D.sidr-arch' is mentioned on line 121, but not defined == Missing Reference: 'I-D.sidr-res-cert-prof' is mentioned on line 125, but not defined == Missing Reference: 'ID.sidr-res-cert-prof' is mentioned on line 455, but not defined == Unused Reference: 'RFC2119' is defined on line 1090, but no explicit reference was found in the text == Unused Reference: 'RFC3513' is defined on line 1093, but no explicit reference was found in the text == Unused Reference: 'RFC5396' is defined on line 1104, but no explicit reference was found in the text ** Obsolete normative reference: RFC 3513 (Obsoleted by RFC 4291) Summary: 1 error (**), 0 flaws (~~), 11 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Secure Inter-Domain Routing M. Reynolds 3 Internet-Draft IPSw 4 Intended status: Standards Track S. Kent 5 Expires: June 6, 2012 BBN 6 December 4, 2011 8 Local Trust Anchor Management for the Resource Public Key Infrastructure 9 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as 19 Internet-Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/1id-abstracts.html 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html 32 This Internet-Draft will expire on June 6, 2012. 34 Copyright and License Notice 36 Copyright (c) 2011 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Abstract 51 This document describes a facility to enable a relying party (RP) to 52 manage trust anchors (TAs) in the context of the Resource Public Key 53 Infrastructure (RPKI). It is common to allow an RP to import TA 54 material in the form of self-signed certificates. The facility 55 described in this document allows an RP to impose constraints on such 56 TAs. Because this mechanism is designed to operate in the RPKI 57 context, the relevant constraints are the RFC 3779 extensions that 58 bind address spaces and/or autonomous system (AS) numbers to 59 entities. The primary motivation for this facility is to enable an RP 60 to ensure that resource allocation information that it has acquired 61 via some trusted channel is not overridden by the information 62 acquired from the RPKI repository system or by the putative TAs that 63 the RP imports. Specifically, the mechanism allows an RP to specify a 64 set of bindings between public key identifiers and RFC 3779 extension 65 data and will override any conflicting bindings expressed via the 66 putative TAs and the certificates downloaded from the RPKI repository 67 system. Although this mechanism is designed for local use by an RP, 68 an entity that is accorded administrative control over a set of RPs 69 may use this mechanism to convey its view of the RPKI to a set of RPs 70 within its jurisdiction. The means by which this latter use case is 71 effected is outside the scope of this document. 73 Table of Contents 75 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 76 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 77 2 Overview of Certificate Processing . . . . . . . . . . . . . . 5 78 2.1 Target Certificate Processing . . . . . . . . . . . . . . . 5 79 2.2 Perforation . . . . . . . . . . . . . . . . . . . . . . . . 5 80 2.3 TA Re-parenting . . . . . . . . . . . . . . . . . . . . . . 6 81 2.4 Paracertificates . . . . . . . . . . . . . . . . . . . . . 6 82 3 Format of the constraints file . . . . . . . . . . . . . . . . 8 83 3.1 Relying party subsection . . . . . . . . . . . . . . . . . 8 84 3.2 Flags subsection . . . . . . . . . . . . . . . . . . . . . 8 85 3.3 Tags subsection . . . . . . . . . . . . . . . . . . . . . . 9 86 3.3.1 Xvalidity_dates tag . . . . . . . . . . . . . . . . . . 10 87 3.3.2 Xcrldp tag . . . . . . . . . . . . . . . . . . . . . . 10 88 3.3.3 Xcp tag . . . . . . . . . . . . . . . . . . . . . . . . 11 89 3.3.4 Xaia tag . . . . . . . . . . . . . . . . . . . . . . . 11 90 3.4 Blocks subsection . . . . . . . . . . . . . . . . . . . . . 12 91 4 Certificate Processing Algorithm . . . . . . . . . . . . . . . 13 92 4.1 Proofreading algorithm . . . . . . . . . . . . . . . . . . 14 93 4.2 TA processing algorithm . . . . . . . . . . . . . . . . . . 15 94 4.2.1 Preparatory processing (stage 0) . . . . . . . . . . . 16 95 4.2.2 Target processing (stage 1) . . . . . . . . . . . . . . 17 96 4.2.3 Ancestor processing (stage 2) . . . . . . . . . . . . . 18 97 4.2.4 Tree processing (stage 3) . . . . . . . . . . . . . . . 19 98 4.2.5 TA re-parenting (stage 4) . . . . . . . . . . . . . . . 20 99 4.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . 21 100 5 Implications for Path Discovery . . . . . . . . . . . . . . . . 21 101 5.1 Two answers . . . . . . . . . . . . . . . . . . . . . . . . 21 102 5.2 One answer . . . . . . . . . . . . . . . . . . . . . . . . 22 103 5.3 No answer . . . . . . . . . . . . . . . . . . . . . . . . . 22 104 6 Implications for Revocation . . . . . . . . . . . . . . . . . . 22 105 6.1 No state bits set . . . . . . . . . . . . . . . . . . . . . 23 106 6.2 ORIGINAL state bit set . . . . . . . . . . . . . . . . . . 23 107 6.3 PARA state bit set . . . . . . . . . . . . . . . . . . . . 23 108 6.4 Both ORIGINAL and PARA state bits set . . . . . . . . . . . 24 109 7 Security Considerations . . . . . . . . . . . . . . . . . . . . 24 110 8 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 24 111 9 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 112 10 References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 113 10.1 Normative References . . . . . . . . . . . . . . . . . . . 24 114 10.2 Informative References . . . . . . . . . . . . . . . . . . 25 115 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 116 Appendix A: Sample Constraints File . . . . . . . . . . . . . . . 26 117 Appendix B: Optional Sorting Algorithm for Ancestor Processing . . 27 119 1 Introduction 121 The Resource Public Key Infrastructure (RPKI) [I-D.sidr-arch] is a 122 PKI in which certificates are issued to facilitate management of IP 123 addresses and autonomous system number resources. Such resources are 124 expressed in the form of X.509v3 "resource" certificates with 125 extensions as defined by RFC 3779 [I-D.sidr-res-cert-prof]. 126 Validation of a resource certificate is preceded by path discovery. 127 Path discovery is effected by constructing a certificate path 128 (upward) from a target certificate to a trust anchor. Path validation 129 proceeds from the TA in question to the target certificate, using the 130 public key from each certificate along the path to verify the 131 signature of its subordinate certificate. In the RPKI it is 132 anticipated that one or more putative TAs, aligned with the resource 133 allocation hierarchy, will be available in the form of self-signed 134 certificates configured by an RP. There are circumstances under which 135 an RP may wish to override the resource specifications obtained 136 through the RPKI distributed repository system [I-D.sidr-repos- 137 struct]. This document describes a mechanism by which an RP may 138 override any conflicting information expressed via the putative TAs 139 and the certificates downloaded from the RPKI repository system. 141 To effect this local control, this document calls for a relying party 142 to specify a set of bindings between public key identifiers and 143 resources (IP resources and/or AS number resources) through a text 144 file known as a constraints file. The constraints expressed in this 145 file then take precedence over any competing claims expressed by 146 resource certificates acquired from the distributed repository 147 system. (The means by which a relying party acquires the key 148 identifier and the RFC 3779 extension data used to populate the 149 constraints file is outside the scope of this document.) The relying 150 party also may use a local publication point (the root of a local 151 directory tree that is made available as if it were a remote 152 repository) as a source of certificates and CRLs (and other RPKI 153 signed objects, e.g. ROAs and manifests) that do not appear in the 154 RPKI repository system. 156 In order to allow reuse of existing, standard path validation 157 mechanisms, the RP-imposed constraints are realized by having the RP 158 itself represented as the only TA known in the local certificate 159 validation context. To ensure that all RPKI certificates can be 160 validated relative to this TA, this RP TA certificate must contain 161 all-encompassing resource allocations, i.e. 0/0 for IPv4, 0::/0 for 162 IPv6 and 0-4294967295 for AS numbers. Thus, a conforming 163 implementation of this mechanism must be able to cause a self-signed 164 certification authority (CA) certificate to be created with a locally 165 generated key pair. It also must be able to issue CA certificates 166 subordinate to this TA. Finally, a conforming implementation of this 167 mechanism must process the constraints file and modify certificates 168 as needed in order to enforce the constraints asserted in the file. 170 The remainder of this document describes in detail the types of 171 certificate modification that may occur, the semantics of the 172 constraints file, and the implications of certificate modification on 173 path discovery and revocation. 175 1.1 Terminology 177 It is assumed that the reader is familiar with the terms and concepts 178 described in "Internet X.509 Public Key Infrastructure Certificate 179 and Certificate Revocation List (CRL) Profile" [RFC5280] and "X.509 180 Extensions for IP Addresses and AS Identifiers" [RFC3779]. 182 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 183 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 184 document are to be interpreted as described in RFC 2119. 186 2 Overview of Certificate Processing 188 The fundamental aspect of the facility described in this document is 189 one of certificate modification. The constraints file, described in 190 more detail in the next section, contains assertions about resources 191 that are to be specially processed. As a result of this processing, 192 certificates in the local copy of the RPKI repository are transformed 193 into new certificates satisfying the resource constraints so 194 specified. This enables the RP to override conflicting assertions 195 about resource holdings as acquired from the RPKI repository system. 196 Three forms of certificate modification can occur. 198 2.1 Target Certificate Processing 200 If a certificate is acquired from the RPKI repository system and its 201 SKI is listed in the constraints file, it will be reissued directly 202 under the RP TA certificate, with (possibly) modified RFC 3779 203 extensions. The modified extensions will include any RFC 3779 data 204 expressed in the constraints file. In Section 4.2, target certificate 205 processing corresponds to stage one of the algorithm. 207 2.2 Perforation 209 Any certificate acquired from the RPKI repository that contains an 210 RFC 3779 extension that intersects the resource data in the 211 constraints file will be reissued directly under the RP TA, with 212 modified RFC 3779 extensions. We refer to the process of modifying 213 the RFC 3779 extension in an affected certificate as "perforation" 214 (because the process will create "holes" in these extensions). The 215 modified extensions will exclude any RFC 3779 data expressed in the 216 constraints file. In the certificate processing algorithm described 217 in Section 4.2, perforation corresponds to stage two of the algorithm 218 ("ancestor processing") and also to stage three of the algorithm 219 ("tree processing"). 221 2.3 TA Re-parenting 223 For consistency, all valid, self-signed certificates that would have 224 been regarded as TAs in the public RPKI certificate hierarchy, e.g. 225 self-signed certificates issued by IANA or the RIRs, will be re- 226 issued under the RP TA certificate. This processing is done even 227 though all but one of these certificates might not intersect any 228 resources specified in the constraints file. We refer to this 229 reissuance as "re-parenting" since the Issuer (parent) of the 230 certificate has been changed. In the certificate processing algorithm 231 described in Section 4.2, TA re-parenting corresponds to stage four 232 of the algorithm. 234 2.4 Paracertificates 236 If a certificate is subject to any of the three forms of processing 237 just described, that certificate will be referred to as an "original" 238 certificate and the processed (output) certificate will be referred 239 to as a paracertificate. When an original certificate is transformed 240 into a paracertificate all the fields and extensions from the 241 original certificate will be retained, except as indicated in Table 242 1, below. 244 Original Certificate Field Action 246 Version unchanged 247 Serial number created per note A 248 Signature replaced if needed 249 with RP's signing alg 250 Issuer replaced with RP's name 251 Validity dates replaced per note B 252 Subject unchanged 253 Subject public key info unchanged 254 Extensions 255 Subject key identifier unchanged 256 Key usage unchanged 257 Basic constraints unchanged 258 CRL distribution points replaced per note B 259 Certificate policy replaced per note B 260 Authority info access replaced per note B 261 Authority key ident replaced with RP's 262 IP address block modified as described 263 AS number block modified as described 264 Subject info access unchanged 265 All other extensions unchanged 266 Signature Algorithm same as above 267 Signature value new 269 Table 1 Certificate Field Modifications 271 Note A. The serial number will be created by concatenating the 272 current time (the number of seconds since Jan 1, 1970) with a count 273 of the certificates created in the current run. 275 Note B. These fields are derived (as described in section 3.3 below) 276 from parameters in the constraints file (if present); otherwise, they 277 take on values from the certificates from which the paracertificates 278 are derived. 280 3 Format of the constraints file 282 This section describes a general model for the syntax of the 283 constraints file. The model described below is nominal; 284 implementations need not match details of this model as presented, 285 but the external behavior of implementations MUST correspond to the 286 externally observable characteristics of this model in order to be 287 compliant. 289 The constraints file consists of four logical subsections: the 290 replying party subsection, the flags subsection, the tags subsection 291 and the blocks subsection. The relying party subsection and the 292 blocks subsection are REQUIRED and MUST be present; the flags and 293 tags subsections are OPTIONAL. Each subsection is described in more 294 detail below. Note that the semicolon (;) character acts as the 295 comment character, to enable annotating constraints files. All 296 characters from a semicolon to the end of that line are ignored. In 297 addition, lines consisting only of whitespace are ignored. The 298 subsections MUST occur in the order indicated. An example constraints 299 file is given in Appendix A. 301 3.1 Relying party subsection 303 The relying party subsection is a REQUIRED subsection of the 304 constraints file. It MUST be the first subsection of the constraints 305 file, and it MUST consist of two lines of the form: 307 PRIVATEKEYMETHOD value [ ... value ] 308 TOPLEVELCERTIFICATE value 310 The first line provides guidance to the certificate processing 311 algorithm on the method that will be used to gain access to the RP's 312 private key. This line consists of the string literal 313 PRIVATEKEYMETHOD, followed by one or more whitespace delimited string 314 values. These values are passed to the certificate processing 315 algorithm as described below. Note that this entry, as for all 316 entries in the constraints file, is case sensitive. 318 The second line of this subsection consists of the string literal 319 TOPLEVELCERTIFICATE, followed by exactly one string value. This value 320 is the name of a file containing the relying party's TA certificate. 321 The file name is passed to the certificate processing algorithm as 322 described below. 324 3.2 Flags subsection 326 The flags subsection of the constraints file is an OPTIONAL 327 subsection. If present it MUST immediately follow the relying party 328 subsection. The flags subsection consists of one or more lines of the 329 form 331 CONTROL flagname booleanvalue 333 Each such line is referred to as a control line. Each control line 334 MUST contain exactly three whitespace delimited strings. The first 335 string MUST be the literal CONTROL. The second string MUST be one of 336 the following three literals: 338 resource_nounion 339 intersection_always 340 treegrowth 342 The third string denotes a boolean value, and MUST be one of the 343 literals TRUE or FALSE. Control flags influence the global operation 344 of the certificate processing algorithm; the semantics of the flags 345 is described in detail in Section 4.2. Note that each flag has a 346 default value, so that if the corresponding CONTROL line does not 347 appear in the constraints file, the algorithm flag is considered to 348 take the corresponding default value. The default value for each flag 349 is FALSE. Thus, if any flag is not named in a control line it takes 350 the value FALSE. Further, if the flags subsection is absent, all 351 three flags take the value FALSE. 353 3.3 Tags subsection 355 The tags subsection is an OPTIONAL subsection in the constraints 356 file. If present it MUST immediately follow the relying party 357 subsection (if the flags subsection is absent) or the flags 358 subsection (if it is present). The tags subsection consists of one or 359 more lines of the form 361 TAG tagname tagvalue [ ... tagvalue ] 363 Each such line is referred to as a tag line. Each tag line MUST 364 consist of at least three whitespace delimited string values, the 365 first of which must be the literal TAG. The second string value gives 366 the name of the tag, and subsequent string(s) give the value(s) of 367 the tag. The tag name MUST be one of the following four string 368 literals: 370 Xvalidity_dates 371 Xcrldp 372 Xcp 373 Xaia 375 The purpose of the tag lines is to provide an indication of the means 376 by which paracertificate fields, specifically those indicated above 377 under "Note B", are constructed. Each tag has a default, so that if 378 the corresponding tag line is not present in the constraints file, 379 the default behavior is used when constructing the paracertificates. 380 The syntax and semantics of each tag line is described next. 382 Note that the tag lines are considered to be global; the action of 383 each tag line (or the default action, if that tag line is not 384 present) applies to all paracertificates that are created as part of 385 the certificate processing algorithm. 387 3.3.1 Xvalidity_dates tag 389 This tag line is used to control the value of the notBefore and 390 notAfter fields in paracertificates. If this tag line is specified 391 and there is a single tagvalue which is the literal string C, the 392 paracertificate validity interval is copied from the original 393 certificate validity interval from which it is derived. If this tag 394 is specified and there is a single tagvalue which is the literal 395 string R, the paracertificate validity interval is copied from the 396 validity interval of the relying party's top level (TA) certificate. 397 If this tag is specified and the tagvalue is neither of these 398 literals, then exactly two tagvalues MUST be specified. Each must be 399 a Generalized Time string of the form YYYYMMDDHHMMSSZ. The first 400 tagvalue is assigned to the notBefore field and the second tagvalue 401 is assigned to the notAfter field. It MUST be the case that the 402 tagvalues may be parsed as valid Generalized Time strings such that 403 notBefore is less than notAfter, and also such that notAfter 404 represents a time in the future (i.e., the paracertificate has not 405 already expired). 407 If this tag line is not present in the constraints file the default 408 behavior is to copy the validity interval from the original 409 certificate to the corresponding paracertificate. 411 3.3.2 Xcrldp tag 413 This tag line is used to control the value of the CRL distribution 414 point extension in paracertificates. If this tag line is specified 415 and there is a single tagvalue that is the string literal C, the 416 CRLDP of the paracertificate is copied from the CRLDP of the original 417 certificate from which it is derived. If this tag line is specified 418 and there is a single tagvalue that is the string literal R, the 419 CRLDP of the paracertificate is copied from the CRLDP of the RP's top 420 level certificate. If this tag line is specified and there is a 421 single tagvalue that is not one of these two reserved literals, or if 422 there is more than one tagvalue, then each tagvalue is interpreted as 423 a URI that will be placed in the CRLDP sequence in the 424 paracertificate. 426 If this tag line is not present in the constraints file the default 427 behavior is to copy the CRLDP from the original certificate into the 428 corresponding paracertificate. 430 3.3.3 Xcp tag 432 This tag line is used to control the value of the policyQualifierId 433 field in paracertificates. If this tag line is specified there MUST 434 be exactly one tagvalue. If the tagvalue is the string literal C, the 435 paracertificate value is copied from the value in the corresponding 436 original certificate. If the tagvalue is the string literal R, the 437 paracertificate value is copied from the value in the RP's top level 438 TA certificate. If the tagvalue is the string literal D, the 439 paracertificate value is set to the default OID. If the tagvalue is 440 not one of these reserved string literals, then the tagvalue MUST be 441 an OID specified using the standard dotted notation. The value in the 442 paracertificate's policyQualifierId field is set to this OID. Note 443 the RFC 5280 specifies that only a single policy may be specified in 444 a certificate, so only a single tagvalue is permitted in this tag 445 line, even though the CertificatePolicy field is an ASN.1 sequence. 447 If this tag line is not specified the default behavior is to use the 448 default OID in creating the paracertificate. 450 This option permits the RP to convert a value of the 451 policyQualifierId field in a certificate (that would not be in 452 conformance with the RPKI CP) to a conforming value in the 453 paracertificate. This conversion enables use of RPKI validation 454 software that checks the policy field against that specified in the 455 RPKI CP [ID.sidr-res-cert-prof]. 457 3.3.4 Xaia tag 459 This tag line is used to control the value of the Authority 460 Information Access (AIA) extension in the paracertificate. If this 461 tag line is present then it MUST have exactly one tagvalue. If this 462 tagvalue is the string literal C, then the AIA field in the 463 paracertificate is copied from the AIA field in the original 464 certificate from which it is derived. If this tag line is present and 465 the tagvalue is not the reserved string literal, then the tagvalue 466 MUST be a URI. This URI is set as the AIA extension of the 467 paracertificates that are created. 469 If this tag line is not specified the default behavior is to use copy 470 the AIA field from the original certificate to the AIA field of the 471 paracertificate. 473 3.4 Blocks subsection 475 The blocks subsection is a REQUIRED subsection of the constraints 476 file. If the tags subsection is present, the blocks subsection MUST 477 appear immediately after it. If the tags subsection is absent, but 478 the flags subsection is present, the block subsection MUST appear 479 immediately after it. Otherwise, the blocks subsection MUST appear 480 immediately after the relying party subsection. The blocks subsection 481 consists of one or more blocks, known as target blocks. A target 482 block is used to specify an association between a certificate (given 483 by a hash of its public key information) and a set of resource 484 assertions. Each target block contains four regions, an SKI region, 485 an IPv4 region, an IPv6 region and an AS number region. All regions 486 are REQUIRED to be present in a target block. 488 The SKI region contains a single line beginning with the string 489 literal SKI and followed by forty hexadecimal characters giving the 490 subject key identifier of a certificate, known as the target 491 certificate. The hex character string MAY contain embedded whitespace 492 or colon characters (included to improve readability), which are 493 ignored. The IPv4 region consists of a line containing only the 494 string literal IPv4. This line is followed by zero or more lines 495 containing IPv4 prefixes in the format described in RFC 3779. The 496 IPv6 region consists of a line containing only the string literal 497 IPv6, followed by zero or more lines containing IPv6 prefixes using 498 the format described in RFC 3513. (The presence of the IPv4 and IPv6 499 literals is to simplify parsing of the constraints file.) Finally, 500 the AS number region consists of a line containing only the string 501 literal AS#, followed by zero or more lines containing AS numbers 502 (one per line). The AS numbers are specified in decimal notation as 503 recommended in RFC 5396. A target block is terminated by either the 504 end of the constraints file, or by the beginning of the next target 505 block, as signaled by its opening SKI region line. An example target 506 block is shown below. See also the complete constraints file example 507 given in Appendix A. Note that whitespace, as always, is ignored. 509 SKI 00:12:33:44:00:BA:BA:DE:EB:EE:00:99:88:77:66:55:44:33:22:11 510 IPv4 511 10.2.3/24 512 10.8/16 513 IPv6 514 1:2:3:4:5:6/112 515 AS# 516 123 517 567 519 The blocks subsection MUST contain at least one target block. Note 520 that it is OPTIONAL that the SKI refer to a certificate that is known 521 or resolvable within the context of the local RPKI repository. Also, 522 there is no REQUIRED or implied ordering of target blocks within the 523 block subsection. As a result of the fact that blocks may occur in 524 any order, it MAY result that the outcome of processing a constraints 525 file depends on the order in which target blocks occur within the 526 constraints file. The next section of this document contains a 527 detailed description of the certificate processing algorithm. 529 4 Certificate Processing Algorithm 531 The section describes the certificate processing algorithm through 532 which paracertificates are created from original certificates in the 533 local RPKI repository. For the purposes of describing this algorithm, 534 it will be assumed that certificates may be persistently associated 535 with state (or metadata) information. This state information will be 536 further construed as having the form of any array of named bits that 537 are associated with each certificate. No specific implementation of 538 this functionality is mandated by this document. Any implementation 539 that provides the indicated functionality is acceptable, and need not 540 actually consist of a bit field associated with each certificate. 542 The state bits used in certificate processing are 544 NOCHAIN 545 ORIGINAL 546 PARA 547 TARGET 549 If the NOCHAIN bit is set, this indicates that a full path between 550 the given certificate and a TA has not yet been discovered. If the 551 ORIGINAL bit is set, this indicates that the certificate is question 552 has been processed by some part of the processing algorithm described 553 in Section 4.2. If it was processed as part of stage one processing, 554 as described in section 4.2.2, the TARGET bit will also be set. 555 Finally, any paracertificate will have the PARA bit set. 557 At the beginning of algorithm processing each certificate in the 558 local RPKI repository has the ORIGINAL, PARA and TARGET bits clear. 559 If a certificate has a complete, validated path to a TA, or is itself 560 a TA, then that certificate will have the NOCHAIN bit clear, 561 otherwise it will have the NOCHAIN bit set. As the certificate 562 processing algorithm is executed, the bit state of original 563 certificates may change. In addition, since the certificate 564 processing algorithm may also be creating paracertificates, it is 565 responsible for actively setting or clearing the state of these four 566 bits on those paracertificates. 568 The certificate processing algorithm consists of two sub-algorithms: 570 "proofreading" and "TA processing". Conceptually, the proofreading 571 sub-algorithm performs syntactic checks on the constraints file, 572 while the TA processing sub-algorithm performs the actual certificate 573 transformation processing. If the proofreading sub-algorithm does not 574 succeed in parsing the constraints file, the TA processing sub- 575 algorithm is not executed. Note also that if the constraints file is 576 not present, neither sub-algorithm is executed and the local RPKI 577 repository is not modified. Each of the constituent algorithms will 578 now be described in detail. 580 4.1 Proofreading algorithm 582 The goal of the proofreading algorithm is to check the constraints 583 file for syntactic errors, such as missing REQUIRED subsections, or 584 malformed addresses such as 1.2.300/24. It also performs a set of 585 heuristic checks, such as checking for prefixes that are too large 586 (larger than /8). The proofreading algorithm SHOULD also examine 587 resource regions (IPv4, IPv6 and AS# regions) within the blocks 588 subsection, and reorder such resources within a region in ascending 589 numeric order. On encountering any error the proofreading algorithm 590 SHOULD provide an error message indicating the line on which the 591 error occurred as well as informative text that is sufficiently 592 descriptive as to allow the user to identify and correct the error. 593 An implementation of the proofreading algorithm MUST NOT assume that 594 it has access to the local RPKI repository (even read-only access). 595 An implementation of the proofreading algorithm MUST NOT alter the 596 local RPKI repository in any way; it also MUST NOT change any of the 597 state/metadata information associated with certificates in that 598 repository. (Recall that the processing described here is creating a 599 copy of that local repository.) Finally, the proofreading algorithm 600 MAY produce a transformed output file containing the same syntactic 601 information as in the text version of the constraints file, so long 602 as the format of the transformed file is understood by the TA 603 processing algorithm. 605 The proofreading algorithm performs the following syntactic checks on 606 the constraints file. It checks for the presence of the REQUIRED 607 relying party subsection and the REQUIRED blocks subsection. It 608 checks that the order of the two, three or four subsections is as 609 stated above. It checks that the relying party subsection conforms to 610 the specification given in section 3.1 above. If present, it checks 611 that the tags and flags subsections conform to the specifications in 612 sections 3.2 and 3.3 above. It then checks the blocks subsection. It 613 splits the blocks subsection into constituent target blocks, as 614 delimited by the SKI region line(s), and verifies that at least one 615 target block is present. It verifies that each SKI region line 616 contains exactly forty hexadecimal digits and contains no additional 617 characters other than whitespace or colon characters. For each target 618 block, it then verifies the presence of the IPv4, IPv6 and AS# 619 regions, and also verifies that at least one such resource is 620 present. For each IPv4 prefix, IPv6 prefix and autonomous system 621 number given, it checks that the indicated resource is syntactically 622 valid according to the appropriate RFC definition, as described in 623 section 3.4. It also verifies that no IPv4 resource has a prefix 624 larger than /8. The proofreading algorithm SHOULD performing 625 reordering within each of the three resource regions so that stated 626 resources occur in ascending numerical order. If the proofreading 627 algorithm has performed any reordering of information it MAY 628 overwrite the constraints file. If it does so, however, it MUST 629 preserve all information contained within the file, including 630 information that is not parsed (such as comments). If the 631 proofreading algorithm has performed any reordering of information 632 but has not overwritten the constraints file, it MAY produce a 633 transformed output file, as described above. If the proofreading 634 algorithm has performed any reordering of information, but has 635 neither overwritten the constraints file nor produced a transformed 636 output file, it MUST provide an error message to the user indicating 637 what reordering was performed. 639 4.2 TA processing algorithm 641 The TA processing algorithm acts on the constraints file (or the 642 output file produced by the proofreading algorithm) and the contents 643 of the local RPKI repository to produce paracertificates for the 644 purpose of enforcing the resource allocations as expressed in the 645 constraints file. The TA processing algorithm operates in five 646 stages, a preparatory stage (stage 0), target processing (stage 1), 647 ancestor processing (stage 2), tree processing (state 3) and TA re- 648 parenting (stage 4). Conceptually, during the preparatory stage the 649 constraints (or proofreader output) file is read and a set of 650 internal RP, tag and flag variables are set based on the contents of 651 that file. (If the constraint file has not specified one or more of 652 the tags and/or flags, those tags and flags are set to default 653 values.) During target processing all certificates specified by a 654 target block are processed, and the resources for those certificates 655 are (potentially) expanded; for each target found a new 656 paracertificate is manufactured with its various fields set, as shown 657 in Table 1, using the values of the internal variables set in the 658 preparatory stage and also, of course, the fields of the original 659 certificate (and, potentially, fields of the RP's TA certificate). In 660 stage 2 (ancestor) processing, all ancestors of the each target 661 certificate are found, and the claimed resources are then removed 662 (perforated). A new paracertificate with these diminished resources 663 is crafted, with its fields generated based on internal variable 664 settings, original certificate field values, and, potentially, the 665 fields of the RP's TA certificate. In tree processing (stage 3), the 666 entire local RPKI repository is searching for any other certificates 667 that have resources that intersect a target resource, and that were 668 not otherwise processed during a preceding stage. Perforation is 669 again performed for any such intersecting certificates, and 670 paracertificates created as in stage 2. Finally, in the fourth and 671 last stage, TA re-parenting, any TA certificates in the local RPKI 672 repository that have not already been processed are now re-parented 673 under the RP's TA certificate. This transformation will create 674 paracertificates; however, these paracertificates may have RFC 3779 675 resources that were not altered during algorithm processing. The 676 final output of algorithm processing will be threefold. First, the 677 state/metadata information on some (original) certificates in the 678 repository MAY be altered. Second, paracertificates will be created, 679 with the appropriate metadata, and entered into the repository. 680 Finally, the TA processing algorithm SHOULD produce a human readable 681 log of its actions, indicating which paracertificates were created 682 and why. The remainder of this section describes the processing 683 stages of the algorithm in detail. 685 4.2.1 Preparatory processing (stage 0) 687 During preparatory processing, the constraints file, or the 688 corresponding output file of the proofreader algorithm, is read. 689 Internal variables are set corresponding to each tag and flag, if 690 present, or to their defaults, if absent. Internal variables are also 691 set corresponding to the PRIVATEKEYMETHOD value string(s) and the 692 TOPLEVELCERTIFICATE string. The TA processing algorithm is queried to 693 determine if it supports the indicated private key access 694 methodology. This query is performed in an implementation-specific 695 manner. In particular, an implementation is free to vacuously return 696 success to this query. The TA processing algorithm next uses the 697 value string for the TOPLEVELCERTIFICATE to locate this certificate, 698 again in an implementation-specific manner. The certificate in 699 question may already be present in the local RPKI repository, or it 700 may be located elsewhere. The implementation is also free to create 701 the top level certificate at this time, and then assign to this 702 newly-created certificate the name indicated. It is necessary only 703 that, at the conclusion of this processing, a valid trust anchor 704 certificate for the relying party has been created or otherwise 705 obtained. 707 Some form of access to the RP's private key and top level certificate 708 are required for subsequent correct operation of the algorithm. 709 Therefore, stage 0 processing MUST terminate if one or both 710 conditions are not satisfied. In the error case, the implementation 711 SHOULD provide an error message of sufficient detail that the user 712 can correct the error(s). If stage 0 processing does not succeed, no 713 further stages of TA processing are executed. 715 4.2.2 Target processing (stage 1) 717 During target processing, the TA processing algorithm reads all 718 target blocks in the constraints file or corresponding proofreader 719 output file. It then processes each target block in the order 720 specified in the file. In the description that follows, except where 721 noted, the operation of the algorithm on a single target block will 722 be described. Note, however, that all stage 1 processing is executed 723 before any processing in subsequent stages is performed. 725 The algorithm first obtains the SKI region of the target block. It 726 then locates, in an implementation-dependent manner, the certificate 727 the SKI extension field of which contains that value. Note that if 728 paracertificates have been created by virtue of previous target 729 blocks being processed, those paracertificates are not searched in 730 attempting to locate a certificate with a matching SKI; only original 731 certificates are searched. If more than one original certificate is 732 found matching this SKI, there are two possible scenarios. If a 733 resource holder has two certificates issued by the same CA, with 734 overlapping validity intervals and the same key, but distinct subject 735 names (typically, by virtue of the SerialNumber parts being 736 different), then these two certificates are both considered to be 737 (distinct) targets, and are both processed. If, however, a resource 738 holder has certificates issued by two different CAs, containing 739 different resources, but using the same key, there is no unambiguous 740 method to decide which of the certificates is intended as the target. 741 In this latter case the algorithm MUST issue a warning to that 742 effect, mark the target block in question as unavailable for 743 processing by subsequent stages and proceed to the next target block. 744 If no certificate is found then the algorithm SHOULD issue a warning 745 to that effect and proceed to process the next target block. 747 If a single original certificate is found matching the indicated SKI, 748 then the algorithm takes the following actions. First, it sets the 749 ORIGINAL state bit for the certificate found. Second, it sets the 750 TARGET state bit for the certificate found. Third, it extracts the 751 RFC 3779 resources from the certificate. If the global 752 resource_nounion flag is TRUE, it compares the extracted certificate 753 resources with the resources specified in the constraints file. If 754 the two resource sets are different, the algorithm SHOULD issue a 755 warning noting the difference. An output resource set is then formed 756 that is identical to the resource set extracted from the certificate. 757 If, however, the resource_nounion flag is FALSE, then the output 758 resource set is calculated by forming the union of the resources 759 extracted from the certificate and the resources specified for this 760 target block in the constraints file. A paracertificate is then 761 constructed according to Table 1, using fields from the original 762 certificate, the tags that had been set during stage 0, and, if 763 necessary, fields from the RP's TA certificate. The RFC 3779 764 resources of the paracertificate are equated to the derived output 765 resource set. The PARA state bit is set for the newly created 766 paracertificate. 768 4.2.3 Ancestor processing (stage 2) 770 The goal of ancestor processing is to discover all ancestors of 771 target certificates and remove from those ancestors the resources 772 specified in the target blocks corresponding to the targets being 773 processed. Note that it is possible that, for a given chain from a 774 target certificate to a trust anchor, another target might be 775 encountered. This is handled by removing all the target resources of 776 all descendents. The set of all targets that are descendants of the 777 given certificate is formed. The union of all the target resources of 778 the corresponding target blocks is computed, and this union in then 779 removed from the shared ancestor. 781 In detail, the algorithm is as follows. First, all original target 782 certificates processed during stage 1 processing are collected. 783 Second, any such certificates that have the NOCHAIN state bit set are 784 eliminated from the collection. (Note that, as a result of 785 eliminating such certificates, the resulting collection may be empty, 786 in which case this stage of algorithm processing terminates, and 787 processing advances to stage 3.) Next, an implementation MAY sort the 788 collection. The optional sorting algorithm is described in Appendix 789 B. Note that all stage 2 processing is completed before any stage 3 790 processing. 792 Two levels of nested iteration are performed. The outer iteration is 793 effected over all certificates in the collection; the inner iteration 794 is over all ancestors of the designated certificate being processed. 795 The first certificate in the collection is chosen, and a resource set 796 R is initialized based on the resources of the target block for that 797 certificate (since the certificate is in the collection, it must be a 798 target certificate, and thus correspond to a target block). The 799 parent of the certificate is then located using ordinary path 800 discovery over original certificates only. The ancestor's certificate 801 resources A are then extracted. These resources are then perforated 802 with respect to R. That is, an output set of resources is created by 803 forming the intersection I of A and R, and then taking the set 804 difference A - I as the output resources. A paracertificate is then 805 created containing resources that are these output resources, and 806 containing other fields and extensions from the original certificate 807 (and possibly the RP's TA certificate) according to the procedure 808 given in Table 1. The PARA state bit is set on this paracertificate 809 and the ORIGINAL state bit is set on A. If A is also a target 810 certificate, as indicated by its TARGET state bit being set, then 811 there will already have been a paracertificate created for it. This 812 previous paracertificate is destroyed in favor of the newly created 813 paracertificate. In this case also, the set R is augmented by adding 814 into it the set of resources of the target block for A. The algorithm 815 then proceeds to process the parent of A. This inner iteration 816 continues until the self-signed certificate at the root of the path 817 is encountered and processed. The outer iteration then continues by 818 clearing R and proceeding to the next certificate in the target 819 collection. 821 Note that ancestor processing has the potential for order dependency, 822 as mentioned earlier in this document. If sorting is not implemented, 823 or if the sorting algorithm fails to completely process the 824 collection of target certificates because the allotted maximum number 825 of iterations has been realized, it may be the case that an ancestor 826 of a certificate logically occurs before that certificate in the 827 collection. Whenever an existing paracertificate is replaced by a 828 newly created paracertificate during ancestor processing, the 829 algorithm SHOULD alert the user, and SHOULD log sufficient detail 830 such that the user is able to determine which resources were 831 perforated from the original certificate in order to create the (new) 832 paracertificate. 834 In addition, implementations MUST provide for conflict detection and 835 notification during ancestor processing. In particular, if a 836 certificate is encountered two or more times during any part of the 837 ancestor processing algorithm, and the modifications dictated by the 838 ancestor processing algorithm are in conflict, the implementation 839 MUST refrain from processing that certificate. Further, the 840 implementation MUST present the user with an error message that 841 contains enough detail that the user can locate those directives in 842 the constraints file that are creating the conflict. For example, 843 during one stage of the processing algorithm it may be directed that 844 resources R1 be added to a certificate C, while during a different 845 stage of the processing algorithm it may be directed that resources 846 R2 be removed from certificate C. If the resource sets R1 and R2 have 847 a non-empty intersection, that is a conflict. 849 4.2.4 Tree processing (stage 3) 851 The goal of tree processing is to locate other certificates the 852 resources of which might conflict with the resources allocated to a 853 target by virtue of their being mentioned in the constraints file. In 854 this stage of processing, certificates that are not ancestors of any 855 target are considered. In detail, the algorithm used is as follows. 856 First, all target certificates are again collected. Second, all 857 target certificates that have the NOCHAIN state bit set are 858 eliminated from this collection. Third, if the intersection_always 859 global flag is set, those target blocks that occur in the constraints 860 file, but that did not correspond to a certificate in the local 861 repository, are also added to the collection. In tree processing, 862 unlike ancestor processing, this collection is not sorted. An 863 iteration is now performed over each certificate (or set of target 864 block resources) in the collection. Note that the collection may be 865 empty, in which case this stage of algorithm processing terminates, 866 and processing advances to stage 4. Note also that all stage 3 867 processing is performed before any stage 4 processing. 869 Given a certificate or target resource block, each top level original 870 TA certificate is examined. If that TA certificate has an 871 intersection with the target block resources, then the certificate is 872 perforated with respect to those resources. A paracertificate is 873 created based on the contents of the original certificate (and 874 possibly the RP's TA certificate, as indicated in Table 1) using the 875 perforated resources. The ORIGINAL state bit is set on the original 876 certificate processed in this manner, and the PARA state bit is set 877 on the paracertificate just created. An inner iteration then begins 878 on the descendants of the original certificate just processed. There 879 are two ways in which this iteration may proceed. If the treegrowth 880 global flag is clear, then examination of the children proceeds until 881 all children are exhausted, or until one child is found with 882 intersecting resources. If the treegrowth global flag is set, all 883 children are examined. Since a transfer of resources may be in 884 process such that more than one child possesses intersecting 885 resources, it is RECOMMENDED that the treegrowth flag be set. The 886 inner iteration proceeds until all descendants have been examined and 887 no further intersecting resources are found. The outer iteration then 888 continues with the next certificate or target resource block in the 889 collection. Note that unlike ancestor processing, there is no concept 890 of a potentially cumulating resource collection R; only the resources 891 in the target block are used for perforation. 893 4.2.5 TA re-parenting (stage 4) 895 In the final stage of TA algorithm processing, all TA certificates 896 (other than the RP's TA certificate) that have not already been 897 processed in a previous stage are now processed. It will be the case 898 that all such unprocessed TA certificates have no intersection with 899 any target resource blocks. As such, in creating the corresponding 900 paracertificates, the output resource set is identical to the input 901 resource set. Other transformations as described in Table 1 are 902 performed. The original TA certificates have the ORIGINAL state bit 903 set; the newly created paracertificates have the PARA state bit set. 904 Note that once stage four processing is completely, only a single TA 905 certificate will remain in an unprocessed state, namely the relying 906 party's own TA certificate. 908 4.3 Discussion 910 The algorithm described in this document effectively creates two 911 coexisting certificate hierarchies: the original certificate 912 hierarchy and the paracertificate hierarchy. Note that original 913 certificates are not removed during any of the processing described 914 in the previous section. Some original certificates may move from 915 having no state bits set (or only the NOCHAIN state bit set) to 916 having one or both of the ORIGINAL and TARGET state bits set. In 917 addition, the NOCHAIN state bit will still be set if it was set 918 before any processing. The paracertificate hierarchy, however, is 919 intended to supersede the original hierarchy for the purposes of ROA 920 validation. The presence of two hierarchies has implications for the 921 handling of path discovery, and also for the handling of revocation. 922 If one thinks of a certificate as being "named" by its SKI, then 923 there can now be two certificates with the same name, one an original 924 certificate and the other a paracertificate. The next two sections 925 discuss the implications of this duality in detail. Before 926 proceeding, it is worth noting that even without the existence of the 927 paracertificate hierarchy, cases may exist in which two or more 928 original certificates have the same SKI. As noted earlier, in Section 929 4.2.2, these cases may be subdivided into the case in which such 930 certificates are distinguishable by virtue of having different 931 subject names, but identical issuers and resource sets, versus all 932 other cases. In the distinguishable case, the path discovery 933 algorithm treats the original certificates as separate certificates, 934 and processes them separately. In all other cases, the original 935 certificates should be treated as indistinguishable, and path 936 validation should fail. 938 5 Implications for Path Discovery 940 Path discovery proceeds from a child certificate C by asking for a 941 parent certificate P such that the AKI of C is equal to the SKI of P. 942 With one hierarchy this question would produce at most one answer. 943 With two hierarchies, the original certificate hierarchy and the 944 paracertificate hierarchy, the question may produce two answers, one 945 answer, or no answer. Each of these cases is considered in turn. 947 5.1 Two answers 949 In this case, it SHOULD be the case that one of the matches is a 950 certificate with the ORIGINAL state bit set and the PARA state bit 951 clear, while the other match inversely has the ORIGINAL state bit 952 clear and the PARA state bit set. If any other combination of 953 ORIGINAL and PARA state bits obtains, the path discovery algorithm 954 MUST alert the user. In addition, the path discovery algorithm SHOULD 955 refrain from attempting to make a choice as to which of the two 956 certificates is the putative parent. In the no-error case, with the 957 state bits are as indicated, the certificate with the PARA state bit 958 set is chosen as the parent P. Note this means, in effect, that all 959 children of the original certificate have been re-parented under the 960 paracertificate. 962 5.2 One answer 964 If the matching certificate has neither the ORIGINAL state bit set 965 nor the PARA state bit set, this certificate is the parent. If the 966 matching certificate has the PARA state bit set but the ORIGINAL 967 state bit not set, this certificate is the parent. (This situation 968 would arise, for example, if the original certificate had been 969 revoked by its issuer but the paracertificate had not been revoked by 970 the RP.) If the matching certificate has the ORIGINAL state bit set 971 but the PARA state bit not set, this is not an error but it is a 972 situation in which path discovery MUST be forced to fail. The parent 973 P MUST be set to NULL, and the NOCHAIN state bit must be set on C and 974 all its descendants; the user SHOULD be warned. Even if the RP has 975 revoked the paracertificate, the original certificate MAY persist. 976 Forcing path discovery to unsuccessfully terminate is a reflection of 977 the RP's preference for path discovery to fail as opposed to using 978 the original hierarchy. Finally, if the matching certificate has both 979 the ORIGINAL and PARA state bits set, this is an error. The parent P 980 MUST be set to NULL, and the user MUST be warned. 982 5.3 No answer 984 This situation occurs when C has no parent in either the original 985 hierarchy or the paracertificate hierarchy. In this case the parent P 986 is NULL and path discovery terminates unsuccessfully. The NOCHAIN 987 state bit must be set on C and all its descendants. 989 6 Implications for Revocation 991 In a standard implementation of revocation in a PKI, a valid CRL 992 names a (sibling) certificate by serial number. That certificate is 993 revoked and is purged from the local RPKI repository. In the 994 mechanism described in this document, the original certificate 995 hierarchy and the paracertificate hierarchy are closely related. It 996 can thus be asked how revocation is handled in the presence of these 997 two hierarchies, in particular with regard to whether changes in one 998 of the hierarchies triggers corresponding changes in the other 999 hierarchy. There are four cases based on the state of the ORIGINAL 1000 and PARA bits. These will be discussed in the subsections below. It 1001 should be noted that the existence of two hierarchies presents a 1002 particular challenge with respect to revocation. If a CRL arrives and 1003 is processed, that can result in the destruction of one of the path 1004 chains. In the case of a single hierarchy this would mean that 1005 certain objects would fail to validate. In the presence of two 1006 hierarchies, however, a CRL revocation may force the preferred path 1007 to be destroyed. If the RP later determines that the CRL revocation 1008 should not have occurred, he is faced with an undesirable situation: 1009 the deprecated path will be discovered. In order to prevent this 1010 outcome, an RP MUST be able to configure one or more additional 1011 repository URIs in support of local trust anchor management. 1013 6.1 No state bits set 1015 If the CRL names a certificate that has neither the ORIGINAL state 1016 bit set nor the PARA state bit set, revocation proceeds normally. All 1017 children of the revoked certificate have their state modified so that 1018 the NOCHAIN state bit is set. 1020 6.2 ORIGINAL state bit set 1022 If the CRL names a certificate with the ORIGINAL state bit set and 1023 the PARA state bit clear, then this certificate is revoked as usual. 1024 If this original certificate also has the TARGET state bit set, then 1025 the corresponding paracertificate (if it exists) is not revoked; if 1026 this original certificate has the TARGET state bit clear, then the 1027 corresponding paracertificate is revoked as well. Note that since all 1028 the children of the original certificate have been re-parented to be 1029 children of the corresponding paracertificate, as described above, 1030 the revocation algorithm MUST NOT set the NOCHAIN state bit on these 1031 children unless the paracertificate is also revoked. Note also that 1032 if the original certificate is revoked but the paracertificate is not 1033 revoked, the paracertificate retains its PARA state bit. This is to 1034 ensure that path discovery proceeds preferentially through the 1035 paracertificate hierarchy, as described above. 1037 6.3 PARA state bit set 1039 If the CRL names a certificate with the PARA state bit set and the 1040 ORIGINAL state bit clear, this CRL must have been issued, perforce, 1041 by the RP itself. This is because all the paracertificates are 1042 children of the RP's TA certificate. (Recall that a TA is not revoked 1043 via a CRL; it is merely removed from the repository.) The 1044 paracertificate is revoked and all children of the paracertificate 1045 have the NOCHAIN state bit set. No action is taken on the 1046 corresponding original certificate; in particular, its ORIGINAL state 1047 bit is not cleared. 1049 Note that the serial numbers of paracertificates are synthesized 1050 according to the procedure given in Table 1, rather than being 1051 assigned by an algorithm under the control of the (original) issuer. 1053 6.4 Both ORIGINAL and PARA state bits set 1055 This is an error. The revocation algorithm MUST alert the user and 1056 take no further action. 1058 ' 1059 7 Security Considerations 1061 The goal of the algorithm described in this document is to enable an 1062 RP to impose its own constraints on its view of the RPKI, which 1063 itself is a security function. An RP using a constraints file is 1064 trusting the assertions made in that file. Errors in the constraints 1065 file used by an RP can undermine the security offered by the RPKI, to 1066 that RP. In particular, since the paracertificate hierarchy is 1067 intended to trump the original certificate hierarchy for the purposes 1068 of path discovery, an improperly constructed paracertificate 1069 hierarchy could validate origin attestations that would otherwise be 1070 invalid, or could declare as invalid origin attestations that would 1071 otherwise be valid. As a result, an RP must carefully consider the 1072 security implications of the constraints file being used. 1074 8 IANA Considerations 1076 [Note to IANA, to be removed prior to publication: there are no IANA 1077 considerations stated in this version of the document.] 1079 9 Acknowledgements 1081 The authors would like to acknowledge the significant contributions 1082 of Charles Gardiner, who was the original author of an internal 1083 version of this document, and who contributed significantly to its 1084 evolution into the current version. 1086 10 References 1088 10.1 Normative References 1090 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1091 Requirement Levels", BCP 14, RFC 2119, March 1997. 1093 [RFC3513] Hinden, R., and S. Deering, "Internet Protocol Version 6 1094 (IPv6) Addressing Architecture", RFC 3513, April 2003. 1096 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 1097 Addresses and AS Identifiers", RFC 3779, June 2004. 1099 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1100 Housley, R., and W. Polk, "Internet X.509 Public Key 1101 Infrastructure Certificate and Certificate Revocation 1102 List (CRL) Profile", RFC 5280, May 2008. 1104 [RFC5396] Huston, G., and G. Michaelson, "Textual Representation of 1105 Autonomous System (AS) Numbers", RFC 5396, December 2008. 1107 [I-D. sidr-arch] 1108 Lepinski, M. and S. Kent, "An Infrastructure to Support 1109 Secure Internet Routing", draft-ietf-sidr-arch-13.txt 1110 (work in progress), May 2011. 1112 [I-D. sidr-repos-struct] 1113 Huston, G., Loomans, R., and G. Michaelson, "A Profile 1114 for Resource Certificate Policy Structure", draft-ietf- 1115 sidr-repos-struct-09.txt (work in progress), July 2011. 1117 [I-D. sidr-res-cert-prof] 1118 Huston, G., Michaelson, G., and R. Loomans, "A Profile 1119 for X.509 PKIX Resource Certificates", draft-ietf-sidr- 1120 res-certs-22.txt (work in progress), May 2011. 1122 10.2 Informative References 1124 None. 1126 Authors' Addresses 1128 Stephen Kent 1129 Raytheon BBN Technologies 1130 10 Moulton St. 1131 Cambridge, MA 02138 1133 Email: kent@bbn.com 1135 Mark Reynolds 1136 Island Peak Software 1137 328 Virginia Road 1138 Concord, MA 01742 1140 Email: mcr@islandpeaksoftware.com 1142 Appendix A: Sample Constraints File 1144 ; 1145 ; Sample constraints file for TBO LTA Test Corporation. 1146 ; 1147 ; TBO manages its own local (10.x.x.x) address space 1148 ; via the target blocks in this file. 1149 ; 1151 ; 1152 ; Relying party subsection. TBO uses ssh-agent as 1153 ; a software cryptographic agent. 1154 ; 1156 PRIVATEKEYMETHOD OBO(ssh-agent) 1157 TOPLEVELCERTIFICATE tbomaster.cer 1159 ; 1160 ; Flags subsection 1161 ; 1162 ; Always use the resources in this file to augment 1163 ; certificate resources. 1164 ; Always process resource conflicts in the tree, even 1165 ; if the target certificate is missing. 1166 ; Always search the entire tree. 1167 ; 1169 CONTROL resource_nounion FALSE 1170 CONTROL intersection_always TRUE 1171 CONTROL treegrowth TRUE 1173 ; 1174 ; Tags subsection 1175 ; 1176 ; Copy the original cert's validity dates. 1177 ; Use the default policy OID. 1178 ; Use our own CRLDP. 1179 ; Use our own AIA. 1180 ; 1182 TAG Xvalidity_dates C 1183 TAG Xcp D 1184 TAG Xcrldp rsync://tbo_lta_test.com/pub/CRLs 1185 TAG Xaia rsync://tbo_lta_test.com/pub/repos 1187 ; 1188 ; Block subsection 1189 ; 1191 ; 1192 ; First block: TBO corporate 1193 ; 1195 SKI 00112233445566778899998877665544332211 1196 IPv4 1197 10.2.3/24 1198 10.8/16 1199 IPv6 1200 2000:2:3:4:5:6/112 1201 AS# 1202 60123 1203 5507 1205 ; 1206 ; Second block: TBO LTA Test Enforcement Division 1207 ; 1209 SKI 653420AF758421CF600029FF857422AA6833299F 1210 IPv4 1211 10.2.8/24 1212 10.47/16 1213 IPv6 1214 AS# 1215 60124 1217 ; 1218 ; Third block: TBO LTA Test Acceptance Corporation 1219 ; Quality financial services since sometime 1220 ; late yesterday. 1221 ; 1223 SKI 19:82:34:90:8b:a0:9c:ef:00:af:a0:98:23:09:82:4b:ef:ab:98:09 1224 IPv4 1225 10.3.3/24 1226 IPv6 1227 AS# 1228 60125 1230 ; End of TBO constraints file 1232 Appendix B: Optional Sorting Algorithm for Ancestor Processing 1234 Sorting is performed in an effort to eliminate any order dependencies 1235 in ancestor processing, as described in section 4.2.3 of this 1236 document. The sorting algorithm does this by rearranging the 1237 processing of certificates such that if A is an ancestor of B, B is 1238 processed before A. The sorting algorithm is an OPTIONAL part of 1239 ancestor processing. Sorting proceeds as follows. The collection 1240 created at the beginning of ancestor processing is traversed and any 1241 certificate in the collection that is visited as a result of path 1242 discovery is temporarily marked. After the traversal, all unmarked 1243 certificates are moved to the beginning of the collection. The 1244 remaining marked certificates are unmarked, and a traversal again 1245 performed through this sub-collection of previously marked 1246 certificates. The sorting algorithm proceeds iteratively until all 1247 certificates have been sorted or until a predetermined fixed number 1248 of iterations has been performed. (Eight is suggested as a munificent 1249 value for the upper bound, since the number of sorting steps need not 1250 be any greater than the maximum depth of the tree.) Finally, the 1251 ancestor processing algorithm is applied in turn to each certificate 1252 in the remaining sorted collection. If the sorting algorithm fails to 1253 converge, that is if the maximum number of iterations has been 1254 reached and unsorted certificates remain, the implementation SHOULD 1255 warn the user.