idnits 2.17.1 

draft-ietf-sidr-res-certs-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 1138.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1149.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1156.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1162.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 142: '...Certificate that MUST be present for t...'
     RFC 2119 keyword, line 143: '... Relying Parties SHOULD check that a R...'
     RFC 2119 keyword, line 170: '...esource extension SHOULD be a CRITICAL...'
     RFC 2119 keyword, line 173: '...       extension MUST be used and MUST...'
     RFC 2119 keyword, line 178: '...       MUST use this sorted canonical ...'
     (102 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 19, 2006) is 6521 days in the past.  Is this
     intentional?


  Checking references for intended status: Best Current Practice
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 2050 (Obsoleted by RFC 7020)

  ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280)

  ** Downref: Normative reference to an Informational RFC: RFC 4158


     Summary: 7 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	SIDR                                                           G. Huston
3	Internet-Draft                                                R. Loomans
4	Intended status: Best Current                              G. Michaelson
5	Practice                                                           APNIC
6	Expires: December 21, 2006                                 June 19, 2006

8	             A Profile for X.509 PKIX Resource Certificates
9	                    draft-ietf-sidr-res-certs-01.txt

11	Status of this Memo

13	   By submitting this Internet-Draft, each author represents that any
14	   applicable patent or other IPR claims of which he or she is aware
15	   have been or will be disclosed, and any of which he or she becomes
16	   aware will be disclosed, in accordance with Section 6 of BCP 79.

18	   Internet-Drafts are working documents of the Internet Engineering
19	   Task Force (IETF), its areas, and its working groups.  Note that
20	   other groups may also distribute working documents as Internet-
21	   Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at
29	   http://www.ietf.org/ietf/1id-abstracts.txt.

31	   The list of Internet-Draft Shadow Directories can be accessed at
32	   http://www.ietf.org/shadow.html.

34	   This Internet-Draft will expire on December 21, 2006.

36	Copyright Notice

38	   Copyright (C) The Internet Society (2006).

40	Abstract

42	   This document defines a profile for X.509 certificates for the
43	   purposes of supporting validation of assertions of "right-to- use" of
44	   an Internet Number Resource (IP Addresses and Autonomous System
45	   Numbers).  This profile is used to convey the authorization of the
46	   subject to be regarded as the current unique controlled of the IP
47	   addresses and AS numbers that are described in a Resource
48	   Certificate.

50	Table of Contents

52	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
53	     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
54	   2.  Describing Resources in Certificates . . . . . . . . . . . . .  5
55	   3.  Resource Certificate Fields  . . . . . . . . . . . . . . . . .  6
56	     3.1.  Version  . . . . . . . . . . . . . . . . . . . . . . . . .  6
57	     3.2.  Serial number  . . . . . . . . . . . . . . . . . . . . . .  6
58	     3.3.  Signature Algorithm  . . . . . . . . . . . . . . . . . . .  6
59	     3.4.  Issuer . . . . . . . . . . . . . . . . . . . . . . . . . .  6
60	     3.5.  Subject  . . . . . . . . . . . . . . . . . . . . . . . . .  6
61	     3.6.  Valid From . . . . . . . . . . . . . . . . . . . . . . . .  6
62	     3.7.  Valid To . . . . . . . . . . . . . . . . . . . . . . . . .  7
63	     3.8.  Subject Public Key Info  . . . . . . . . . . . . . . . . .  7
64	     3.9.  Resource Certificate Version 3 Extension Fields  . . . . .  7
65	       3.9.1.  Basic Constraints  . . . . . . . . . . . . . . . . . .  7
66	       3.9.2.  Subject Key Identifier . . . . . . . . . . . . . . . .  8
67	       3.9.3.  Authority Key Identifier . . . . . . . . . . . . . . .  8
68	       3.9.4.  Key Usage  . . . . . . . . . . . . . . . . . . . . . .  8
69	       3.9.5.  CRL Distribution Points  . . . . . . . . . . . . . . .  9
70	       3.9.6.  Authority Information Access . . . . . . . . . . . . .  9
71	       3.9.7.  Subject Information Access . . . . . . . . . . . . . . 10
72	       3.9.8.  Certificate Policies . . . . . . . . . . . . . . . . . 11
73	       3.9.9.  Subject Alternate Name . . . . . . . . . . . . . . . . 11
74	       3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 11
75	       3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 11
76	   4.  Resource Certificate Revocation List Profile . . . . . . . . . 11
77	     4.1.  Version  . . . . . . . . . . . . . . . . . . . . . . . . . 12
78	     4.2.  Issuer Name  . . . . . . . . . . . . . . . . . . . . . . . 12
79	     4.3.  This Update  . . . . . . . . . . . . . . . . . . . . . . . 12
80	     4.4.  Next Update  . . . . . . . . . . . . . . . . . . . . . . . 12
81	     4.5.  Signature  . . . . . . . . . . . . . . . . . . . . . . . . 12
82	     4.6.  Revoked Certificate List . . . . . . . . . . . . . . . . . 13
83	       4.6.1.  Serial Number  . . . . . . . . . . . . . . . . . . . . 13
84	       4.6.2.  Revocation Date  . . . . . . . . . . . . . . . . . . . 13
85	     4.7.  CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 13
86	       4.7.1.  Authority Key Identifier . . . . . . . . . . . . . . . 13
87	       4.7.2.  CRL Number . . . . . . . . . . . . . . . . . . . . . . 13
88	   5.  Resource Certificate Request Profile . . . . . . . . . . . . . 14
89	     5.1.  Resource Certificate Request Template Fields . . . . . . . 14
90	     5.2.  Resource Certificate Request Control Fields  . . . . . . . 17
91	   6.  Resource Certificate Validation  . . . . . . . . . . . . . . . 18
92	     6.1.  Trust Anchors for Resource Certificates  . . . . . . . . . 19
93	     6.2.  Resource Extension Validation  . . . . . . . . . . . . . . 20
94	     6.3.  Resource Certificate Path Validation . . . . . . . . . . . 20
95	   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 22
96	   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 22
97	   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
98	   10. Normative References . . . . . . . . . . . . . . . . . . . . . 22
99	   Appendix A.  Example Resource Certificate  . . . . . . . . . . . . 23
100	   Appendix B.  Example Certificate Revocation List . . . . . . . . . 24
101	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
102	   Intellectual Property and Copyright Statements . . . . . . . . . . 26

104	1.  Introduction

106	   This document defines a profile for X.509 certificates for use in the
107	   context of Resources Certificates.  Resource Certificates are X.509
108	   certificates that conform to the PKIX profile [RFC3280] and to this
109	   additional profile, and attest that the subject has the "right-to-
110	   use" a listed set of IP addresses and Autonomous Numbers.

112	   A Resource Certificate describes an action by an Issuer that binds a
113	   list of IP address blocks and AS numbers to the Subject of a
114	   certificate, identified by the unique association of the Subject's
115	   private key with the public key contained in the Resource
116	   Certificate.

118	   In the context of the public Internet it is intended that Resource
119	   Certificates are used in a manner that is aligned to the public
120	   number resource distribution function, Specifically, when a number
121	   resource is allocated or assigned by a Registry to an entity, this
122	   allocation is described by a Resource Certificate issued by the
123	   Registry with a subject corresponding to the entity that is the
124	   recipient of this assignment or allocation.  This corresponds to a
125	   hierarchical PKI structure, where Resource Certificates are only
126	   issued in one 'direction' and there is a single unique path from a
127	   "Root CA" to any valid certificate.

129	   Validation of a certificate in such a hierarchical PKI can be
130	   undertaken by creating a valid issuer - subject chain from the trust
131	   anchor allocation authorities to the certificate [RFC4158].

133	   Resource Certificates may be used in the context of secure inter-
134	   domain routing protocols to convey a right-to-use of an IP number
135	   resource that is being passed within the routing protocol, to verify
136	   legitimacy and correctness of routing information.  Related use
137	   contexts include validation of access to Internet Routing Registries
138	   for nominated routing objects, validation of routing requests, and
139	   detection of potential unauthorized used of IP addresses.

141	   This profile defines those fields that are used in a Resource
142	   Certificate that MUST be present for the certificate to be valid.
143	   Relying Parties SHOULD check that a Resource Certificate conforms to
144	   this profile as a requisite for validation of a Resource Certificate.

146	1.1.  Terminology

148	   It is assumed that the reader is familiar with the terms and concepts
149	   described in "Internet X.509 Public Key Infrastructure Certificate
150	   and Certificate Revocation List (CRL) Profile" [RFC3280], "X.509
151	   Extensions for IP Addresses and AS Identifiers" [RFC3779], "Internet
152	   Protocol" [RFC0791], "Internet Protocol Version 6 (IPv6) Addressing
153	   Architecture" [RFC4291], "Internet Registry IP Allocation Guidelines"
154	   [RFC2050], and related regional Internet registry address management
155	   policy documents.

157	   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
158	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
159	   document are to be interpreted as described in RFC 2119.

161	2.  Describing Resources in Certificates

163	   The framework for describing an association between the subject of a
164	   certificate and the resources currently under the subject's current
165	   control is described in [RFC3779].

167	   There are three aspects of this resource extension that are noted in
168	   this profile:

170	   1.  RFC 3779 notes that this resource extension SHOULD be a CRITICAL
171	       extension to the X.509 Certificate.  This Resource Certificate
172	       profile further defines that the use of this certificate
173	       extension MUST be used and MUST be marked as CRITICAL.

175	   2.  RFC 3779 defines a sorted canonical form of describing a resource
176	       set, with maximal spanning ranges and maximal spanning prefix
177	       masks as appropriate.  All valid certificates in this profile
178	       MUST use this sorted canonical form of resource description

180	   3.  A test of the resource extension in the context of certificate
181	       unique value token within the context of certificates issued by
182	       the validity includes the first condition that the resources
183	       described in the Issuer's resource extension must encompass those
184	       of the Subject's resource extension.  In this context "encompass"
185	       allows for the Issuer's resource set to be the same as, or a
186	       strict superset of, any subject's resource set.  Certificate
187	       validity in the context of this profile also includes a second
188	       condition that no two (or more) certificates issued by a single
189	       Issuer to two (or more) different subjects have a non-null
190	       intersection of resources.  In other words an Issuer can certify
191	       at most one unique subject as the unique holder of a right-to-use
192	       for any particular resource.

194	   This implies that a test of certificate validity implies that there
195	   exists a set of valid certificates in an issuer-subject chain from
196	   one, and only one, trust anchor to the certificate in question, and
197	   that the resource extensions from the trust anchor to the certificate
198	   form a sequence of encompassing relationships.

200	3.  Resource Certificate Fields

202	   A Resource Certificate is a valid X.509 v3 public key certificate,
203	   consistent with the PKIX profile [RFC3280], containing the fields
204	   listed in this section.  Unless specifically noted as being OPTIONAL,
205	   all the fields listed here MUST be present, and any other field MUST
206	   NOT appear in a conforming Resource Certificate.  Where a field value
207	   is specified here this value MUST be used in conforming Resource
208	   Certificates.

210	3.1.  Version

212	   Resource Certificates are X.509 Version 3 certificates.  This field
213	   MUST be present, and the Version MUST be 3 (i.e. the value of this
214	   field is 2).

216	3.2.  Serial number

218	   The serial number value is a positive integer that is unique per
219	   Issuer.

221	3.3.  Signature Algorithm

223	   This field describes the algorithm used to compute the signature on
224	   this certificate.  This profile uses SHA-256 with RSA
225	   (sha256WithRSAEncryption), and the value for this field MUST be the
226	   OID value 1.2.840.113549.1.1.11 [RFC4055].

228	3.4.  Issuer

230	   This field identifies the entity that has signed and issued the
231	   certificate.  The value of this field is an X.501 name.

233	3.5.  Subject

235	   This field identifies the entity to whom the resource has been
236	   allocated / assigned.  The value of this field is an X.500 name.  In
237	   this profile the subject name is determined by the Issuer.

239	   This field MUST be non-empty.

241	3.6.  Valid From

243	   The starting time at which point the certificate is valid.  In this
244	   profile the "Valid From" time is to be no earlier than the time of
245	   certificate generation.  As per Section 4.1.2.5 of [RFC3280],
246	   Certificate Authorities (CAs) conforming to this profile MUST always
247	   encode the certificate's "Valid From" date through the year 2049 as
248	   UTCTime, and dates in 2050 or later MUST be encoded as
249	   GeneralizedTime.  These two time formats are defined in [RFC3280].

251	3.7.  Valid To

253	   The Valid To time is the date and time at which point in time the
254	   certificate's validity ends.  It represents the anticipated lifetime
255	   of the resource allocation / assignment arrangement between the
256	   Issuer and the Subject.  As per Section 4.1.2.5 of [RFC3280], CAs
257	   conforming to this profile MUST always encode the certificate's
258	   "Valid To" date through the year 2049 as UTCTime, and dates in 2050
259	   or later MUST be encoded as GeneralizedTime.  These two time formats
260	   are defined in [RFC3280].

262	3.8.  Subject Public Key Info

264	   This field specifies the subject's public key and the algorithm with
265	   which the key is used.  The public key algorithm MUST be RSA, and
266	   thus the OID for the algorithm is 1.2.840.113549.1.1.1.  A minimum
267	   key size of 1024 bits is mandated in this profile.  Regional Registry
268	   CAs MUST use a key size of 2048 bits.

270	   [Note - not for publication.  One alternative option is to specify
271	   "no less than 2048 bits" and allow for longer key sizes.  On the
272	   other hand it may be preferable to move to EC-DSA instead of RSA, in
273	   which case allowing for the option of longer RSA key sizes may be
274	   considered inappropriate.]

276	3.9.  Resource Certificate Version 3 Extension Fields

278	   As noted in Section 4.2 of [RFC3280], each extension in a certificate
279	   is designated as either critical or non-critical.  A certificate
280	   using system MUST reject the certificate if it encounters a critical
281	   extension it does not recognize; however, a non-critical extension
282	   MAY be ignored if it is not recognized [RFC3280].

284	   The following X.509 V3 extensions MUST be present in a conforming
285	   Resource Certificate.

287	3.9.1.  Basic Constraints

289	   The basic constraints extension identifies whether the subject of the
290	   certificate is a CA and the maximum depth of valid certification
291	   paths that include this certificate.

293	   The Issuer determines whether the cA boolean is set.  If this bit is
294	   set, then it indicates that the Subject is allowed to issue resources
295	   certificates within this overall framework (i.e. the subject is
296	   permitted be a CA).

298	   The Path Length Constraint is not specified in this profile and MUST
299	   NOT be present.

301	   The Basic Constraints extension field is a critical extension in the
302	   Resource Certificate profile, and MUST be present.

304	   [note - not for publication.  It is unclear whether the CA bit should
305	   be set on in all cases.

307	3.9.2.  Subject Key Identifier

309	   The subject key identifier extension provides a means of identifying
310	   certificates that contain a particular public key.  To facilitate
311	   certification path construction, this extension MUST appear in all
312	   Resource Certificates.  This extension is non-critical.

314	   The value of the subject key identifier MUST be the value placed in
315	   the key identifier field of the Authority Key Identifier extension of
316	   certificates issued by the subject of this certificate.

318	   The Key Identifier used here is the 160-bit SHA-1 hash of the value
319	   of the DER-encoded ASN.1 bit string of the subject public key, as
320	   described in Section 4.2.1.2 of[RFC3280].

322	3.9.3.  Authority Key Identifier

324	   The subject key identifier extension provides a means of identifying
325	   certificates that are signed by a particular issuer's private key, by
326	   providing a hash value of the corresponding Issuer's public key.  To
327	   facilitate path construction, this extension MUST appear in all
328	   Resource Certificates.  The keyIdentifier subfield MUST be present.
329	   The authorityCertIssuer and authorityCertSerialNumber subfields MAY
330	   be present.  This extension is non-critical.

332	   The Key Identifier used here is the 160-bit SHA-1 hash of the value
333	   of the DER-encoded ASN.1 bit string of the issuer's public key, as
334	   described in Section 4.2.1.1 of [RFC3280].

336	3.9.4.  Key Usage

338	   This describes the purpose of the certificate.  This is a critical
339	   extension, and it MUST be present.

341	   In certificates issued to CAs only the keyCertSign and CRLSign bits
342	   are set to TRUE.  In end-entity certificates the digitialSignature
343	   bit MUST be set and MUST be the only bit set to TRUE.

345	3.9.5.  CRL Distribution Points

347	   This field (CRLDP) identifies the location(s) of the CRL(s)
348	   associated with certificates issued by this Issuer.  This profile
349	   uses the URI form of object identification.  The preferred URI access
350	   mechanism is a single "rsync" URL that references a single inclusive
351	   CRL for each issuer.

353	   In this profile the certificate issuer is also the CRL issuer,
354	   implying at the CRLIssuer subfield MUST be omitted, and the
355	   distributionPoint subfield MUST be present.  The Reasons subfield
356	   MUST be omitted.

358	   The distributionPoint MUST contain general names, and MUST NOT
359	   contain a nameRelativeToCRLIssuer.  The type of the general name MUST
360	   be of type URI.  Furthermore, as the scope of the CRL is all
361	   certificates issued by this issuer, the sequence of distributionPoint
362	   values MUST contain only a single DistributionPointName set.  The
363	   DistributionPointName set MAY contain more than one URI value.  An
364	   rsync URI MUST be present in the DistributionPointName set.

366	   This extension MUST be present and it is non-critical.

368	   [NOTE - not for publication.  The reason for the specification of an
369	   RSYNC URI as a MUST in this profile is to ensure that relying parties
370	   who wish to maintain a local copy of a synchronized repository are
371	   not forced to maintain a retrieval capability using a potentially
372	   unbounded set of URI types.  The profile is attempting to ensure that
373	   rsync should be all that is required to perform a repository
374	   synchronization operation.  A more restrictive potential condition
375	   here (and also in the SIA and AIA extensions) is that one and only
376	   one RSYNC URI is permitted.  This would reduce some of the potential
377	   variations in certificates and also stress that certificate access
378	   and use by relying parties is critically dependent on RSYNC access,
379	   and that other forms of access are not necessarily available to
380	   relying parties.]

382	3.9.6.  Authority Information Access

384	   This field (AIA) identifies the location of all certificates that are
385	   issued by this Issuer that are signed with the Issuer's private key
386	   that signed this certificate.  This profile uses a URI form of object
387	   identification.  The preferred URI access mechanisms is "rsync", and
388	   an rsync URI MUST be specified with an accessMethod value of id-ad-
389	   caIssuers.  Other access method URIs MAY also be included in the
390	   value sequence of this extension.

392	   This field MUST be present, and is non-critical.

394	   [Note - not for publication rfc3280 defines only two OIDs for the
395	   access method, id-ad-caIssuers and id-ad-ocsp.  It would appear that
396	   id-ad-ocsp is not relevant here in that OCSP is not included as part
397	   of the resource certificate profile - which leaves id-ad-caIssuers.
398	   The text in 4.2.2.1 of RFC3280 notes that: "the id-ad-caIssuers OID
399	   is used when the additional information lists CAs that have issued
400	   certificates superior to the CA that issued the certificate
401	   containing this extension.  The referenced CA issuers description is
402	   intended to aid certificate users in the selection of a certification
403	   path that terminates at a point trusted by the certificate user"
404	   However there is no intention to require that such a list be included
405	   in this subfield in this profile.  The question is: What accessMethod
406	   OID should be used here in the Access Description?]

408	3.9.7.  Subject Information Access

410	   This field (SIA) identifies the location of information and services
411	   relating to the subject of the certificate in which the SIA extension
412	   appears that relate to the subject public key that is certified in
413	   this certificate.  Where the Subject is a CA for Resource
414	   Certificates this information and service collection will include all
415	   current valid certificates that have been issued by this subject that
416	   are signed with the subject's corresponding private key.  This
417	   profile uses a URI form of location identification.  The preferred
418	   URI access mechanism is "rsync", and an rsync URI SHOULD be
419	   specified, with an access method value of id-ad-caRepository when the
420	   subject of the certificate is a CA.  Other access method URIs MAY
421	   also be included in the value sequence of this extension.

423	   This field MUST be present when the subject is a CA, and is non-
424	   critical.  Where the subject is not a CA this field MUST NOT be
425	   present.

427	   [Note - not for publication.  RFC3280 defines only two OIDs for the
428	   access method, id-ad-caRepository and id-ad-timeStamping, with the
429	   difference being whether the subject is a CA or not.  The access
430	   method id-ad-caRepository appears to be appropriate where the subject
431	   is a CA.  Where the subject is NOT a CA would it be useful to have
432	   the SIA extension point to where the subject stores digital objects
433	   that have been signed by the subject?  If this were considered to be
434	   desirable, then the id-ad-timeStamping appears to be inappropriate in
435	   this context.  The general question is: What accessMethod OID should
436	   be used here in the Access Description?  The approach currently used
437	   in this draft is that SIA should only be present for CAs and must be
438	   absent in the case of End Entity certificates.]

440	3.9.8.  Certificate Policies

442	   This extension MUST reference the Resource Certificate Policy, using
443	   the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2".  This field
444	   MUST be present and MUST contain only this value for Resource
445	   Certificates.

447	   PolicyQualifiers MUST NOT be used in this profile.

449	   This extension MUST be present and it is critical.

451	3.9.9.  Subject Alternate Name

453	   This is an optional extension, and MAY contain an X.501 Name as
454	   supplied by the subject in the Certificate Request or as assigned by
455	   the Issuer CA.

457	3.9.10.  IP Resources

459	   This field contains the list of IP address resources as per
460	   [RFC3779].  The value may specify the "inherit" element for a
461	   particular AFI value and an optional SAFI value.  All Resource
462	   Certificates MUST include an IP Resources extension, an AS Resources
463	   extension, or both extensions.

465	   This extension, if present, MUST be marked critical.

467	3.9.11.  AS Resources

469	   This field contains the list of AS number resources as per [RFC3779],
470	   or may specify the "inherit" element.  All Resource Certificates MUST
471	   include an IP Resources extension, an AS Resources extension, or both
472	   extensions.  RDI values are NOT supported in this profile and MUST
473	   NOT be used.

475	   This extension, if present, MUST be marked critical.

477	4.  Resource Certificate Revocation List Profile

479	   Each Resource CA MUST issue a version 2Certificate Revocation List
480	   (CRL), consistent with [RFC3280].  The CRL issuer is the CA, and no
481	   indirect CRLs are supported in this profile.  The scope of the CRL
482	   MUST be "all certificates issued by this CA".  The contents of the
483	   CRL are a list of all unexpired certificates issued by the CA that
484	   have been revoked by the CA.

486	   An entry MUST NOT be removed from the CRL until it appears on one
487	   regularly scheduled CRL issued beyond the revoked certificate's
488	   validity period.

490	   This profile does not allow issuance of Delta CRLs.

492	   The profile does not allow the issuance of multiple current CRLs with
493	   different scope by a single CA.

495	   No CRL fields other than those listed below are allowed in CRLs
496	   issued under this profile.  Unless otherwise indicated, these fields
497	   MUST be present in the CRL.  Where two or more CRLs issued by a
498	   single CA are present in a certificate repository, the CRL with the
499	   highest value of the "CRL Number" field supersedes all other extant
500	   CRLs issued by this CA..

502	4.1.  Version

504	   Resource Certificate Revocation Lists are Version 2 certificates (the
505	   integer value of this field is 1).

507	4.2.  Issuer Name

509	   The value of this field is the X.501 name of the issuing CA who is
510	   also the signer of the CRL, and is identical to the Issuer name in
511	   the Resource Certificates.

513	4.3.  This Update

515	   This is the date and time that this CRL was issued.  The value of
516	   this field MUST be encoded as UTCTime for dates through the year
517	   2049, and MUST be encoded as GeneralizedTime for dates in the year
518	   2050 or later.

520	4.4.  Next Update

522	   This is the date and time by which the next CRL will be issued.  The
523	   value of this field MUST be encoded as UTCTime for dates through the
524	   year 2049, and MUST be encoded as GeneralizedTime for dates in the
525	   year 2050 or later.

527	4.5.  Signature

529	   This field contains the algorithm used to sign this CRL.  The
530	   signature algorithm MUST be SHA-256 with RSA.  This field MUST be
531	   present.

533	4.6.  Revoked Certificate List

535	   When there are no revoked certificates, then the revoked certificate
536	   list MUST be absent.

538	   For each revoked resource certificate ONLY the following fields MUST
539	   be present.  No CRL entry extensions are supported in this profile.

541	4.6.1.  Serial Number

543	   The serial number of the revoked certificate.

545	4.6.2.  Revocation Date

547	   The time the certificate was revoked.  This time SHOULD NOT be a
548	   future date.  The value of this field MUST be encoded as UTCTime for
549	   dates through the year 2049, and MUST be encoded as GeneralizedTime
550	   for dates in the year 2050 or later.

552	4.7.  CRL Extensions

554	   The X.509 v2 CRL format allows extensions to be placed in a CRL.  The
555	   following extensions are supported in this profile, and MUST be
556	   present in a CRL.

558	4.7.1.  Authority Key Identifier

560	   The authority key identifier extension provides a means of
561	   identifying the public key corresponding to the private key used to
562	   sign a CRL.  Conforming CRL issuers MUST use the key identifier
563	   method.  The syntax for this CRL extension is defined in section
564	   4.2.1.1 of [RFC3280].

566	   This extension is non-critical.

568	4.7.2.  CRL Number

570	   The CRL Number extension conveys a monotonically increasing sequence
571	   number for a given CA.  This extension allows users to easily
572	   determine when a particular CRL supersedes another CRL.  The higher
573	   CRL Number value supersedes all other CRLs issued by the CA within
574	   the scope of this profile.

576	   This extension is non-critical.

578	5.  Resource Certificate Request Profile

580	   This profile refines the specification in [RFC4211], as it relates to
581	   Resource Certificates.  A Certificate Request Message object,
582	   formatted according to the Certificate Request Message Format (CRMF),
583	   is passed to a Certificate Authority as the initial step in issuing a
584	   certificate.

586	   [Note - not for publication.  RFC2986 references PKCS #10:
587	   Certification Request Syntax Specification, Version 1.7.  Given the
588	   relative wide support of CMC, the extension of PKCS#10 that is
589	   roughly equivalent to CMP, then it would appear that a CMC profile
590	   should also be included here.  It is unclear at this point whether a
591	   PCKS#10 profile is also necessary in this profile.]

593	   This request may be conveyed to the CA via a Registration Authority
594	   (RA), acting under the direction of a Subject.

596	   [Note - not for publication: There are no profile-based
597	   qualifications regarding Proof-of-Possession.  This may be refined in
598	   subsequent iterations of this draft.]

600	5.1.  Resource Certificate Request Template Fields

602	   This profile applies the following additional constraints to fields
603	   that may appear in a Certificate Request Template:

605	   Version
606	      This field MAY be absent, or MAY specify the request of a Version
607	      3 Certificate.

609	   SerialNumber
610	      As per [RFC4211], this field is assigned by the CA and MUST be
611	      omitted in this profile.

613	   SigningAlgorithm
614	      As per [RFC4211], this field is assigned by the CA and MUST be
615	      omitted in this profile.

617	   Issuer
618	      This field is assigned by the CA and MUST be omitted in this
619	      profile.

621	   Validity
622	      This field MAY be omitted.  If omitted, the CA will issue a
623	      Certificate with Validity dates as determined by the CA.  If
624	      specified, then the CA MAY override the requested values with
625	      dates as determined by the CA.

627	   Subject  As the subject name is assigned by the CA, this field MAY be
628	      omitted, in which case the subject name will be generated by the
629	      CA.  If specified, the CA SHOULD consider this as the subject's
630	      suggestion, but the CA is NOT bound to honour this suggestion.

632	   PublicKey
633	      This field MUST be present.

635	   This profile applies the following additional constraints to X509 v3
636	   Certificate extension fields that may appear in a Certificate
637	   Request:

639	   BasicConstraints
640	      If this is omitted then this field is assigned by the CA.

642	      The Path Length Constraint is not supported in this Resource
643	      Certificate Profile, and this field MUST be omitted in this
644	      profile.

646	      The CA MAY honour the SubjectType CA bit set to on.  If this bit
647	      is set, then it indicates that the Subject is allowed to issue
648	      resources certificates within this overall framework.

650	      The CA MAY honour the SubjectType CA bit set of off (End Entity
651	      certificate request).

653	      [Note - not for publication.  There are some potential variants on
654	      this model, where the CA bit may be considered as being set in all
655	      circumstances.  For example, if the generation of signed resource
656	      objects, such as routing origination authorities requires the
657	      generation of special purpose resource certificates whose validity
658	      dates are implicitly the validity dates of the associated
659	      authority, then the subject needs to be able to issue certificates
660	      - i.e. there is a CA requirement.  In this version of the draft
661	      this is left as a subject suggestion in the request that the CA
662	      may, or may not, honor in the issued certificate.  In this model
663	      all the entities are CAs, except for the users of ROA signing
664	      shadow certs.  In both cases, the CA knows the intended purpose
665	      (i.e. issue to others: CA, issue shadow to yourself: non-CA). ]

667	   SubjectKeyIdentifier
668	      This field is assigned by the CA and MUST be omitted in this
669	      profile.

671	   AuthorityKeyIdentifier
672	      This field is assigned by the CA and MUST be omitted in this
673	      profile.

675	   KeyUsage
676	      The CA MAY honor KeyUsage extensions of CertificateSigning and
677	      CRLSigning if present, as long as this is consistent with the
678	      BasicConstraints SubjectType subfield, when specified.

680	   CRLDistributionPoints
681	      This field MAY be honoured by the CA on the condition that the CA
682	      issues a certificate with the BasicConstraints SubjectType CA bit
683	      set and the KeyUsage set to CertificateSigning and CRLSigning.

685	      If specified, this field contains a sequence of URIs that
686	      references a CRL that will be published by the subject for
687	      subordinate certificates.  This sequence MUST include a rsync URI.
688	      This field MAY be honoured by the CA if present.

690	      If this field is omitted and KeyUsage is set to CertificateSigning
691	      then the CA MUST generate a CRLDistributionPoint URL based on out-
692	      of-band information that has been passed between the CA and the
693	      requester.

695	      [Note - not for publication.  The issue of where and how to
696	      specify where the subject will publish the CRL if the CA bit is
697	      set and honored by the issuer is described here as information
698	      that is either provided in this field in the certificate request
699	      or provided via an "out-of-band" exchange.  An alternative is to
700	      say that this field MUST be provided if the CA bit is set in the
701	      request.]

703	   AuthorityInformationAccess
704	      This field is assigned by the CA and MUST be omitted in this
705	      profile.

707	   SubjectInformationAccess
708	      This field MAY be honoured by the CA on the condition that the CA
709	      issues a certificate with the BasicConstraints SubjectType CA bit
710	      set and the KeyUsage set to CertificateSigning and CRLSigning.

712	      If specified, this field contains a URI of the form of a single
713	      rsync URL that references a single publication point that will be
714	      used by the subject for all certificates that published by the
715	      subject for subordinate certificates, and MUST be honoured by the
716	      CA.

718	      If this field is omitted and KeyUsage is set to CertificateSigning
719	      then the CA MUST generate a SIA URL based on out-of-band
720	      information that has been passed between the CA and the requester.

722	      [Note not for publication - the same considerations with respect
723	      to the CRL DistributionPoints apply to this field as well. i.e. if
724	      this field is missing than it is also an option for the Issuer to
725	      deny the request and not issue a certificate if the issued
726	      certificate was to have the CA bit set.]

728	   CertificatePolicies
729	      This field is assigned by the CA and MUST be omitted in this
730	      profile.

732	   SubjectAlternateName
733	      This field MAY be present, and the CA MAY use this as the
734	      SubjectAltName in the issued Certificate.

736	   IPResources
737	      This field is assigned by the CA and MUST be omitted in this
738	      profile.

740	   ASResources
741	      This field is assigned by the CA and MUST be omitted in this
742	      profile.

744	   With the exception of the publicKey field, the CA is permitted to
745	   alter any requested field.

747	5.2.  Resource Certificate Request Control Fields

749	   The following control fields are supported in this profile:

751	   Authenticator Control
752	      It is noted that the intended model of authentication of the
753	      subject in a long term one, and the advice as offered in [RFC4211]
754	      is that the Authenticator Control field be used.

756	      [Note - not for publication: The method of generation and
757	      authentication of this field is to be specified.  The desirable
758	      properties include the ability to validate the subject and the
759	      authenticity of the provided public key.]

761	   Resource Class
762	      The profile defines an additional control for Resource Certificate
763	      Requests, namely a Resource Class control.
764	      The Subject MUST specify a Resource Class value as specified by
765	      the CA to which the request refers.  The CA will issue a
766	      certificate with the IPAddress and AS Number resources that match
767	      the subject's right-of-use of these resources with the class of
768	      resources specified by the Resource Class control value.

770	      [Note - not for publication: This specification of the resource
771	      class is related the various forms of resource allocation which
772	      imply that an entity may be the holder of resources with differing
773	      validation dates and differing validation paths, even when the
774	      entity is the recipient of resources allocated from a single
775	      'upstream' issuing registry.  Due to this consideration it may not
776	      be possible to issue a single certificate with an all-encompassing
777	      resource set.  Alternatively it is possible to define a structure
778	      where there is no Resource Class specified and the issuer issues a
779	      set of spanning certificates for all resources held by the subject
780	      (i.e. all resources that fall under the subject's "right-of-use")]

782	6.  Resource Certificate Validation

784	   This section describes the Resource Certificate validation procedure.
785	   This refines the generic procedure described in [RFC3280]:

787	   To meet this goal, the path validation process verifies, among other
788	   things, that a prospective certification path (a sequence of n
789	   certificates) satisfies the following conditions:

791	   1.  for all x in {1, ..., n-1}, the subject of certificate x is the
792	       issuer of certificate x+1;

794	   2.  certificate 1 is issued by a trust anchor;

796	   3.  certificate n is the certificate to be validated; and

798	   4.  for all x in {1, ..., n}, the certificate was valid at the time
799	       in question.

801	6.1.  Trust Anchors for Resource Certificates

803	   The trust model used in the resource certificate framework in the
804	   context of validation of assertions of public number resources in
805	   public-use contexts is a top-down delegated CA model that mirrors the
806	   delegation of resources from a registry distribution point to the
807	   entities that are the direct recipients of these resources.  Within
808	   the trust model these recipient entities may, in turn, operate a
809	   registry and perform further allocations or assignments.  This is a
810	   strict hierarchy, in that any number resource and a corresponding
811	   recipient entity has only one 'parent' issuing registry for that
812	   number resource (i.e. there is always a unique parent entity for any
813	   resource and corresponding entity), and that the issuing registry is
814	   not a direct or indirect subordinate recipient entity of the
815	   recipient entity in question (i.e. no loops in the hierarchy).  The
816	   only exception to the "no loop" condition are the nominated trust
817	   anchors, where a self-signed certificate is issued.

819	   At the time of preparing this draft there are proposed to be multiple
820	   roots of this public number resource hierarchy, corresponding to
821	   multiple trust anchors.  These trust anchors are the self-signed
822	   certificates that are issued by the Regional Internet Registries.
823	   Each self-signed certificate issued by a RIR contains a resource set
824	   that describes those resources where the RIR is administratively
825	   responsible.  There MUST NOT be overlap of resources in the IP
826	   resource extensions across the collection of RIR self-signed
827	   certificates.  This implies that a validation path for any valid
828	   certificate is unique, in the sense that the path will terminate with
829	   a single trust anchor.

831	   Cross-certification of these trust anchors, where one trust anchor
832	   entity issues a certificate with a subject of another trust anchor is
833	   not seen as providing any further substance to the integrity or ease
834	   of validation in this trust model, so cross-certification is not used
835	   in the trust anchor structure for this Resource Certificate
836	   framework.

838	   The adoption of a single trust anchor as a unique distinguished root
839	   of this certificate hierarchy is a potential future option here, and
840	   within the proposed framework some care has been taken not to
841	   preclude the potential for a single distinguished root for this
842	   certificate framework that could issue a certificate to each RIR with
843	   a resource extension that matches the resource sets that fall under
844	   the administrative responsibility of each RIR.

846	6.2.  Resource Extension Validation

848	   The IP resource extension definition [RFC3779] defines a critical
849	   extensions for Internet number resources.  These are ASN.1 encoded
850	   representations of the IPv4 and IPv6 address range (either as a
851	   prefix/length, or start-end pair) and the AS number set.

853	   Valid Resource Certificates MUST have a valid IP address and/or AS
854	   number resource extension.  In order to validate a Resource
855	   Certificate the resource extension must also be validated.  This
856	   validation process relies on definitions of comparison of resource
857	   sets:

859	   more specific  Given two IP address or AS number contiguous ranges, A
860	      and B, A is "more specific" than B if range B includes all IP
861	      addresses or AS numbers described by range A, and if range B is
862	      larger than range A.

864	   equal  Given two IP address or AS number contiguous ranges, A and B,
865	      A is "equal" to B if range A describes precisely the same
866	      collection of IP addresses or AS numbers as described by range B.
867	      The definition of "inheritance" in [RFC3779]is equivalent to this
868	      "equality" comparison.

870	   Validation of a certificate's resource extension in the context of an
871	   ordered certification path of {1,2, ... , n} where '1'is a trust
872	   anchor and 'n' is the target certificate, implies that each of the
873	   contiguous resource sets of IP addresses and AS Numbers described in
874	   certificate x, for 'x' is greater than , are more specific or equal
875	   to the resources described in certificate x-1.

877	6.3.  Resource Certificate Path Validation

879	   Validation of signed resource data using a target resource
880	   certificate consists of assembling an ordered sequence (or
881	   'Certificate Path') of certificates ({1,2,...n} where '1' is a trust
882	   anchor, and 'n' is the target certificate) verifying that all of the
883	   following conditions hold:

885	   1.  The certificate can be verified using the Issuer's public key and
886	       the signature algorithm

888	   2.  The current time lies within the certificate's Validity From and
889	       To values.

891	   3.  The certificate contains all fields that MUST be present and
892	       contains field values as specified in this profile for all field
893	       values that MUST be present.

895	   4.  No field value that MUST NOT be present is present in the
896	       certificate.

898	   5.  The Issuer has not revoked the certificate by placing the
899	       certificate's serial number on the Issuer's current Certificate
900	       Revocation List, and the CRL is itself valid.

902	   6.  That the resource extension data is equal to or more specific
903	       than the resource extension data contained in a valid certificate
904	       where this Issuer is the Subject (the previous certificate in the
905	       ordered sequence)

907	   7.  The Certificate Path originates at a trust anchor, and there
908	       exists a signing chain across the Certificate Path where the
909	       Subject of Certificate x in the Certificate Path matches the
910	       Issuer in Certificate x+1 in the Certificate Path.

912	   Validation of a certificate may perform these tests in any chosen
913	   order.

915	   A Resource Certificate may have a number of potential parent
916	   certificates, where a potential parent certificate is one where the
917	   subject name matches the issuer name of the resource certificate.  A
918	   candidate parent certificate is any member of the parent certificate
919	   set where the resource extension validity constraint is satisfied,
920	   and a valid candidate parent certificate is any candidate parent
921	   certificate that also matches validity conditions 1 through 6.  A
922	   valid parent certificate is a valid candidate parent certificate that
923	   also matches validity condition 7.

925	   Certificates and CRLs used in this process may be found on a single
926	   repository, maintained by a regular top-down walk from the Root Trust
927	   Anchors via Issuer certificates and their SIA fields as forward
928	   pointers, plus the CRLDP.  Alternatively, validation may be performed
929	   using a bottom-up process with on-line certificate access using the
930	   AIA and CRLDP pointers to guide the certificate retrieval process.

932	   There exists the possibility of encountering certificate paths that
933	   are arbitrarily long, or attempting to generate paths with loops as
934	   means of creating a potential DOS attack on a certificate validator.
935	   Some further heuristics may be required to halt the validation
936	   process in order to avoid some of the issues associated with attempts
937	   to validate such structures.  It is suggested that implementations of
938	   Resource Certificate validation MAY halt with a validation failure if
939	   the certificate path length exceeds a pre-determined configuration
940	   parameter.

942	   In the context of Resource Certificates that are generated in respect
943	   of public resources and with the framework of the associated resource
944	   distribution process, it is suggested that this configuration
945	   parameter of maximum certificate path length be set to a value of
946	   100.  (There is no particular reason for suggesting this value other
947	   than the observation that it appears to be comfortably longer than
948	   any real distribution chain for public number resources, without
949	   being too long so as to pose potential DOS concerns for relying
950	   parties performing a validation operation.)

952	7.  Security Considerations

954	   [to be completed]

956	8.  IANA Considerations

958	   [An OID for a resource class option in a certificate request may need
959	   to be defined.]

961	9.  Acknowledgements

963	   The authors would like to acknowledge the valued contributions from
964	   Stephen Kent, Robert Kisteleki, Randy Bush, Russ Housley, Ricardo
965	   Patara and Rob Austein in the preparation and subsequent review of
966	   this document.

968	10.  Normative References

970	   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
971	              September 1981.

973	   [RFC2050]  Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D., and
974	              J. Postel, "INTERNET REGISTRY IP ALLOCATION GUIDELINES",
975	              BCP 12, RFC 2050, November 1996.

977	   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
978	              X.509 Public Key Infrastructure Certificate and
979	              Certificate Revocation List (CRL) Profile", RFC 3280,
980	              April 2002.

982	   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
983	              Addresses and AS Identifiers", RFC 3779, June 2004.

985	   [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
986	              Algorithms and Identifiers for RSA Cryptography for use in
987	              the Internet X.509 Public Key Infrastructure Certificate
988	              and Certificate Revocation List (CRL) Profile", RFC 4055,
989	              June 2005.

991	   [RFC4158]  Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
992	              Nicholas, "Internet X.509 Public Key Infrastructure:
993	              Certification Path Building", RFC 4158, September 2005.

995	   [RFC4211]  Schaad, J., "Internet X.509 Public Key Infrastructure
996	              Certificate Request Message Format (CRMF)", RFC 4211,
997	              September 2005.

999	   [RFC4291]  Hinden, R. and S. Deering, "IP Version 6 Addressing
1000	              Architecture", RFC 4291, February 2006.

1002	Appendix A.  Example Resource Certificate

1004	   The following is an example Resource Certificate.

1006	   Certificate Name: UDkyh1nUjIjk5_WpdkZMh3KuvYo-25f7.crt

1008	   Data:
1009	     Version: 3
1010	     Serial:  9719 (0x25f7)
1011	     Signature Algorithm:
1012	              Hash: SHA256, Encryption: RSA
1013	     Issuer:  CN=APNIC-AP-IANA
1014	     Validity:
1015	              Not Before: Fri May 12 05:37:43 2006 GMT
1016	              Not After:  Thu Aug 10 05:37:43 2006 GMT
1017	     Subject: CN=FC9B85ADDF5B
1018	     Subject Public Key Info:
1019	              Public Key Algorithm: rsaEncryption
1020	              RSA Public Key: (1024 bit)
1021	              Modulus (1024 bit):
1022	                   00:f2:e5:63:d6:e3:89:45:47:02:13:90:b7:e5:39:
1023	                   a3:f0:8c:3b:27:0d:d1:90:92:46:9b:45:d0:52:34:
1024	                   f1:7c:c7:34:9f:be:d0:41:18:ab:35:43:62:89:2e:
1025	                   3e:32:ab:01:e2:86:76:2a:44:83:49:4c:83:02:b4:
1026	                   0c:2a:b0:b2:82:c6:35:24:7b:16:7a:35:42:36:15:
1027	                   18:50:fe:8b:7f:c9:04:18:69:6b:ed:59:0d:61:ea:
1028	                   20:ef:cd:19:30:9f:ce:b8:4a:f5:fb:ad:81:42:ab:
1029	                   57:72:0c:47:b0:d8:30:c0:0c:5b:52:dc:aa:94:95:
1030	                   3e:fe:44:ac:d5:b0:f4:d5:cb
1031	              Exponent: 65537 (0x10001)
1032	     X509v3 extensions:
1033	       Basic Constraints:

1035	              CA:TRUE
1036	       Subject Key Identifier:
1037	              keyid: 50:39:32:87:59:D4:8C:88:E4:E7:F5:A9:
1038	                     76:46:4C:87:72:AE:BD:8A
1039	       Authority Key Identifier:
1040	              keyid: 19:54:CD:F2:81:C6:4E:31:09:6D:3A:15:
1041	                     E6:88:39:30:21:A6:56:73
1042	       Key Usage: critical
1043	              Certificate Sign, CRL Sign
1044	       CRL Distribution Points:
1045	              URI:rsync://rsync.apnic.net/repository/
1046	                         pvpjvwUeQix2e54X8fGbhmdYMo0/
1047	                         GVTN8oHGTjEJbToV5og5MCGmVnM/
1048	                         GVTN8oHGTjEJbToV5og5MCGmVnM.crl
1049	       Authority Information Access:
1050	               CA Issuers - URI:rsync://rsync.apnic.net/repository/
1051	                                       pvpjvwUeQix2e54X8fGbhmdYMo0/
1052	                                       GVTN8oHGTjEJbToV5og5MCGmVnM
1053	       Subject Information Access:
1054	               CA Repository - URI:rsync://rsync.apnic.net/repository/
1055	                                      pvpjvwUeQix2e54X8fGbhmdYMo0/
1056	                                      GVTN8oHGTjEJbToV5og5MCGmVnM/
1057	                                      UDkyh1nUjIjk5_WpdkZMh3KuvYo
1058	       Certificate Policies: critical
1059	               Policy: 1.3.6.1.5.5.7.14.2
1060	       ipAddrBlock: critical
1061	               192.0.0.0/24
1062	       autonomousSysNum: critical
1063	               64512
1064	       Subject Alternative Name:
1065	               DirName:/CN=<subject_supplied_string>

1067	     Signature:
1068	               72:27:9c:bc:a8:7f:c0:f0:27:62:a1:1f:55:b3:c7:b1:31:c9:fc:
1069	               42:84:71:30:3b:0d:c0:d6:ad:79:b1:f6:1d:14:e8:f3:0f:f3:dd:
1070	               40:3d:ae:28:a6:33:96:b6:d3:7d:d2:f3:ac:d3:8e:d4:2e:ad:ab:
1071	               71:4d:05:74:20:ed:bc:e3:bd:85:7f:af:8b:70:3e:b8:90:b6:2d:
1072	               a5:e3:9d:2a:c8:a9:9b:73:3c:03:43:d2:b8:d2:4e:68:34:eb:db:
1073	               3c:44:eb:eb:1e:3b:03:d9:3b:e0:64:a6:31:90:9b:2c:4a:26:8e:
1074	               0e:36:4c:ee:c8:e9:29:6b:78:61:87:05:e2:f9

1076	Appendix B.  Example Certificate Revocation List

1078	   The following is an example Certificate Revocation List.

1080	   Certificate Name: GVTN8oHGTjEJbToV5og5MCGmVnM.crl

1082	   Data:
1083	     Version: 2
1084	     Issuer:  CN=APNIC-AP-IANA
1085	     Effective Date: Fri May 12 05:37:43 2006 GMT
1086	     Next Update:    Fri May 26 05:37:43 2006 GMT
1087	     Signature algorithn
1088	              Hash: SHA256, Encryption: RSA
1089	     CRL V2 Extensions:
1090	       Authority Key Identifier:
1091	         Keyid: 19:54:cd:f2:81:c6:4e:31:09:6d:3a:15:
1092	                e6:88:39:30:21:a6:56:73
1093	         Certificate Issuer:
1094	                CN=APNIC-AP-IANA
1095	         Certificate Serial Number: 1b
1096	       CRL Number:  1097
1097	     Revocation List:
1098	       Revoked Certificates
1099	         Serial Number: 0b
1100	           Revocation Date: Mon May 8 05:10:19 2006 GMT
1101	         Serial Number: 0c
1102	           Revocation Date: Mon May 8 05:10:19 2006 GMT

1104	Authors' Addresses

1106	   Geoff Huston
1107	   Asia Pacific Network Information Centre

1109	   Email: gih@apnic.net
1110	   URI:   http://www.apnic.net

1112	   Robert Loomans
1113	   Asia Pacific Network Information Centre

1115	   Email: robertl@apnic.net
1116	   URI:   http://www.apnic.net

1118	   George Michaelson
1119	   Asia Pacific Network Information Centre

1121	   Email: ggm@apnic.net
1122	   URI:   http://www.apnic.net

1124	Full Copyright Statement

1126	   Copyright (C) The Internet Society (2006).

1128	   This document is subject to the rights, licenses and restrictions
1129	   contained in BCP 78, and except as set forth therein, the authors
1130	   retain all their rights.

1132	   This document and the information contained herein are provided on an
1133	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1134	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1135	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1136	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1137	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1138	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1140	Intellectual Property

1142	   The IETF takes no position regarding the validity or scope of any
1143	   Intellectual Property Rights or other rights that might be claimed to
1144	   pertain to the implementation or use of the technology described in
1145	   this document or the extent to which any license under such rights
1146	   might or might not be available; nor does it represent that it has
1147	   made any independent effort to identify any such rights.  Information
1148	   on the procedures with respect to rights in RFC documents can be
1149	   found in BCP 78 and BCP 79.

1151	   Copies of IPR disclosures made to the IETF Secretariat and any
1152	   assurances of licenses to be made available, or the result of an
1153	   attempt made to obtain a general license or permission for the use of
1154	   such proprietary rights by implementers or users of this
1155	   specification can be obtained from the IETF on-line IPR repository at
1156	   http://www.ietf.org/ipr.

1158	   The IETF invites any interested party to bring to its attention any
1159	   copyrights, patents or patent applications, or other proprietary
1160	   rights that may cover technology that may be required to implement
1161	   this standard.  Please address the information to the IETF at
1162	   ietf-ipr@ietf.org.

1164	Acknowledgment

1166	   Funding for the RFC Editor function is provided by the IETF
1167	   Administrative Support Activity (IASA).