idnits 2.17.1
draft-ietf-sidrops-signed-tal-04.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The abstract seems to contain references ([I-D.ietf-sidrops-https-tal]),
which it shouldn't. Please replace those with straight textual mentions
of the documents in question.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'MUST not' in this paragraph:
However, the CA certificates for each key, and the contents
published by each key MUST be equivalent. In other words it MUST not
make a difference which of the keys is used as a starting point for
top-down validation by RP software.
-- The document date (January 7, 2020) is 1570 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
** Downref: Normative reference to an Informational RFC: RFC 5781
** Obsolete normative reference: RFC 6486 (Obsoleted by RFC 9286)
** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)
Summary: 4 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group C. Martinez
3 Internet-Draft LACNIC
4 Intended status: Standards Track G. Michaelson
5 Expires: July 10, 2020 APNIC
6 T. Bruijnzeels
7 NLnet Labs
8 R. Austein
9 Dragon Research Labs
10 January 7, 2020
12 RPKI Signed Object for Trust Anchor Keys
13 draft-ietf-sidrops-signed-tal-04
15 Abstract
17 Trust Anchor Locators (TALs) [I-D.ietf-sidrops-https-tal] are used by
18 Relying Parties in the RPKI to locate and validate Trust Anchor
19 certificates used in RPKI validation. This document defines an RPKI
20 signed object for Trust Anchor Keys (TAK), that can be used by Trust
21 Anchors to signal their set of current keys and the location(s) of
22 the accompanying CA certiifcates to Relying Parties, as well as
23 changes to this set in the form of revoked keys and new keys, in
24 order to support both planned and unplanned key rolls without
25 impacting RPKI validation.
27 Status of This Memo
29 This Internet-Draft is submitted in full conformance with the
30 provisions of BCP 78 and BCP 79.
32 Internet-Drafts are working documents of the Internet Engineering
33 Task Force (IETF). Note that other groups may also distribute
34 working documents as Internet-Drafts. The list of current Internet-
35 Drafts is at https://datatracker.ietf.org/drafts/current/.
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress."
42 This Internet-Draft will expire on July 10, 2020.
44 Copyright Notice
46 Copyright (c) 2020 IETF Trust and the persons identified as the
47 document authors. All rights reserved.
49 This document is subject to BCP 78 and the IETF Trust's Legal
50 Provisions Relating to IETF Documents
51 (https://trustee.ietf.org/license-info) in effect on the date of
52 publication of this document. Please review these documents
53 carefully, as they describe your rights and restrictions with respect
54 to this document. Code Components extracted from this document must
55 include Simplified BSD License text as described in Section 4.e of
56 the Trust Legal Provisions and are provided without warranty as
57 described in the Simplified BSD License.
59 Table of Contents
61 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
62 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 3. TAK Object definition . . . . . . . . . . . . . . . . . . . . 4
64 3.1. The TAK Object Content Type . . . . . . . . . . . . . . . 4
65 3.2. The TAK Object eContent . . . . . . . . . . . . . . . . . 5
66 3.2.1. version . . . . . . . . . . . . . . . . . . . . . . . 5
67 3.2.2. current . . . . . . . . . . . . . . . . . . . . . . . 5
68 3.2.3. revoked . . . . . . . . . . . . . . . . . . . . . . . 6
69 3.3. TAK Object Validation . . . . . . . . . . . . . . . . . . 6
70 4. TAK Object Generation and Publication . . . . . . . . . . . . 6
71 5. Relying Party Use . . . . . . . . . . . . . . . . . . . . . . 8
72 6. Maintaining multiple TA keys . . . . . . . . . . . . . . . . 9
73 7. Performing TA Key Rolls . . . . . . . . . . . . . . . . . . . 10
74 7.1. Phase 1: Add a TAK for Key 'A' . . . . . . . . . . . . . 10
75 7.2. Phase 2: Add a Key 'B' . . . . . . . . . . . . . . . . . 11
76 7.3. Phase 3: Roll to Key 'C' . . . . . . . . . . . . . . . . 11
77 7.3.1. Planned Direction Roll . . . . . . . . . . . . . . . 11
78 7.3.2. Unplanned Direction Roll . . . . . . . . . . . . . . 12
79 7.4. Phase X: Roll to Key 'D', 'E', .. . . . . . . . . . . . . 12
80 8. Deployment Considerations . . . . . . . . . . . . . . . . . . 12
81 9. Security Considerations . . . . . . . . . . . . . . . . . . . 12
82 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
83 10.1. OID . . . . . . . . . . . . . . . . . . . . . . . . . . 13
84 10.2. File Extension . . . . . . . . . . . . . . . . . . . . . 13
85 11. Security Considerations . . . . . . . . . . . . . . . . . . . 13
86 12. Revision History . . . . . . . . . . . . . . . . . . . . . . 13
87 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
88 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
89 14.1. Normative References . . . . . . . . . . . . . . . . . . 14
90 14.2. Informative References . . . . . . . . . . . . . . . . . 15
91 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
93 1. Requirements notation
95 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
96 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
97 "OPTIONAL" in this document are to be interpreted as described in BCP
98 14 [RFC2119] [RFC8174] when, and only when, they appear in all
99 capitals, as shown here.
101 2. Overview
103 Trust Anchor Locators (TALs) [I-D.ietf-sidrops-https-tal] are used by
104 Relying Parties in the RPKI to locate and validate Trust Anchor (TA)
105 certificates used in RPKI validation. However, until now there has
106 been no formal way of notifying Relying Parties (RP) of updates to a
107 TAL. Such updates may be needed in particular in case a Trust Anchor
108 needs to perform a planned, or unplanned, key roll.
110 This document defines a new RPKI signed object that can be used to
111 document the current set of keys and the location(s) of the
112 accompanying CA certificates, as well as any changes to this set.
113 This allows RPs to be notified automatically of such changes, and
114 enables Trust Anchors to pre-stage a number of operational keys so
115 that planned and unplanned key rolls can be performed without risking
116 the invalidation of the RPKI tree under the TA. We call this object
117 the Trust Anchor Keys (TAK) object.
119 When Relying Parties (RPs) are first bootstrapped, they use any
120 current TAL to discover a key and location(s) of the TA
121 certificate(s) for a TA. The RP can then retrieve and validating the
122 TA certificate, and subsequently validate the manifest [RFC6486] and
123 CRL [section 5 of @!RFC6487]. However, before processing any other
124 objects it will then first validate the TAK object, if present. All
125 enumerated new keys (and locations) are then added to a new list of
126 current TA keys for this TA. The RP will then recursively fetch and
127 validate the TA certificates, manifest, CRL and TAK objects for each
128 of these keys. As a part of this process the RP will also compile a
129 list of revoked keys enumerated by any of the validly signed TAK
130 objects. As the final step the RP will then filter out any revoked
131 TA keys from its new set. This new set now replaces the previous
132 set.
134 This process allows Trust Anchors to operate a set of N current keys,
135 where any key can effectively revoke any or all of the other keys to
136 perform either a planned, or an unplanned, key roll. This also
137 allows Trust Anchors to produce long lived TAK objects as forward
138 pointers to RPs, and retire its old key when doing a key roll. While
139 the generic process is quite involved, the amount of work needed to
140 support an envisioned normal key roll is fairly limited. Under
141 normal circumstances a TA will typically have two current keys, so
142 that is can perform an emergency roll over in case one of the keys is
143 lost. This means that the RP will need to validate one additional CA
144 certificate, a CRL, a manifest and two TAK objects.
146 When a key roll is executed a TA will remove one old key, and
147 introduce one new (back-up) key. The RP will remove the old key from
148 its set, and it will not be queried again, and it will add the new
149 key and its TA certifcate location(s).
151 Only in a situation where an RP is very outdated can it be expected
152 that the RP will have to discover several chained TAK object. But,
153 since it will remove the outdated TALs in this process, this presents
154 a one time cost only.
156 3. TAK Object definition
158 The TAK object makes use of the template for RPKI digitally signed
159 objects [RFC6488], which defines a Crytopgraphic Message Syntax (CMS)
160 [RFC5652] wrapper for the Signed TALs content as well as a generic
161 validation procedure for RPKI signed objects. Therefore, to complete
162 the specification of the TAK object (see Section 4 of [RFC6488]),
163 this document defines:
165 o The OID defined in Section 3.1 that identifies the signed object
166 as being a TAK. (This OID appears within the eContentType in the
167 encapContentInfo object as well as the content-type signed
168 attribute in the signerInfo object).
170 o The ASN.1 syntax for the TAK eContent defined in Section 3.2.
172 o Additional steps to the validation steps specified in [RFC6488]
173 required to validate the TAK, defined in Section 3.3.
175 3.1. The TAK Object Content Type
177 This document requests an OID for TAK objects as follows:
179 signed-Tal OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
180 rsadsi(113549) pkcs(1) pkcs9(9) 16 id-smime (1) TBD }
182 This OID MUST appear both within the eContentType in the
183 encapContentInfo object as well as the content-type signed attribute
184 in the signerInfo object (see [RFC6488])
186 3.2. The TAK Object eContent
188 The content of a TAK object is ASN.1 encoded using the Distinguished
189 Encoding Rules (DER) [X.690], and is defined as follows:
191 TAK ::= SEQUENCE {
192 version INTEGER DEFAULT 0,
193 current ::= SEQUENCE SIZE (1..MAX) OF CurrentKey,
194 revoked ::= SEQUENCE OF SubjectPublicKeyInfo
195 }
197 CurrentKey ::= SEQUENCE {
198 certificateURIs SEQUENCE SIZE (1..MAX) OF CertificateURI,
199 subjectPublicKeyInfo SubjectPublicKeyInfo
200 }
202 CertificateURI ::= IA5String
204 SubjectPublicKeyInfo ::= SEQUENCE {
205 algorithm AlgorithmIdentifier,
206 subjectPublicKey BIT STRING
207 }
209 3.2.1. version
211 The version number of the TAK object MUST be 0.
213 3.2.2. current
215 This field defines the set of current keys (CurrentKey) according to
216 the signer of this Signed TALs object.
218 3.2.2.1. CurrentKey
220 This field defines a current TA Key, equivalent to [I-D.ietf-sidrops-
221 https-tal]. This structure contains a sequence of one or more URIs
222 and a SubjectPublicKeyInfo.
224 3.2.2.1.1. certificateURIs
226 This field is equivalent to the URI section in section 2.1 of
227 [I-D.ietf-sidrops-https-tal]. It MUST contain at least one
228 CertificateURI element. Each CertificateURI element contains the
229 IA5String representation of either an rsync URI [RFC5781], or an
230 HTTPS URI [RFC7230].
232 3.2.2.1.2. subjectPublicKeyInfo
234 This field contains a SubjectPublicKeyInfo [section 4.1.2.7 or
235 @!RFC5280] in DER format [X.690].
237 3.2.3. revoked
239 This field contains the list of keys, identified by
240 SubjectPublicKeyInfo, that are no longer to be used according to the
241 signer of this document.
243 3.3. TAK Object Validation
245 To determine whether a TAK object is valid, the RP MUST perform the
246 following steps in addition to those specified in [RFC6488]:
248 o The eContentType OID matches the OID described in Section 3.1
250 o The TAK object appears as the product of a Trust Anchor CA
251 certificate.
253 o This Trust Anchor CA has published only one TAK object in its
254 repository for this key, and this object appears on the Manifest
255 as the only entry using the ".tak" extension (see [RFC6481]). In
256 case more than one TAK object is found, all such objects MUST be
257 considered invalid.
259 o The EE certificate of this TAK object describes its Internet
260 Number Resources (INRs) using the "inherit" attribute
262 o The decoded TAK content conforms to the format defined in
263 Section 3.2.
265 If the above procedure indicates that the manifest is invalid, then
266 the TAK object MUST be discarded and treated as though no TAK object
267 were present.
269 4. TAK Object Generation and Publication
271 A TA MAY choose to use TAK objects to communicate its set of current,
272 and revoked keys. If a TA chooses to use TAK objects, then it SHOULD
273 generate and publish TAK objects under each of its current keys. An
274 exception to this rule exists when a TA has lost permanent access to
275 one of its keys or the accompanying repository publication point. In
276 such cases however, the key in question MUST be revoked as described
277 below in Section 7.
279 A non-normative guideline for naming this object is that the filename
280 chosen for the Signed TAL Object in the publication repository be a
281 value derived from the public key part of the entity's key pair,
282 using the algorithm described for CRLs in section 2.2 of [RFC6481]
283 for generation of filenames. The filename extension of ".tak" MUST
284 be used to denote the object as a TAK. Note that this is in-line
285 with filename extensions defined in section 7.2 of [RFC6481]
287 In order to generate the TAK Objects, the TA MUST perform the
288 following actions:
290 o The TA MUST generate a key pair for a "one-time-use" EE
291 certificate to use for the TAK
293 o The TA MUST generate a one-time-use EE certificate for the TAK
295 o This EE certificate MUST have an SIA extension access description
296 field with an accessMethod OID value of id-ad-signedobject, where
297 the associated accessLocation references the publication point of
298 the TAK as an object URL.
300 o As described in [RFC6487], an [RFC3779] extension is required in
301 the EE certificate used for this object. However, because the
302 resource set is irrelevant to this object type, this certificate
303 MUST describe its Internet Number Resources (INRs) using the
304 "inherit" attribute, rather than explicit description of a
305 resource set.
307 o This EE certificate MUST have a "notBefore" time that matches, or
308 predates the moment that the TAK will be published.
310 o This EE certificate MUST have a "notAfter" time that reflects the
311 intended duration for which this TAK will be published. If the EE
312 certificate for a Signed TAL is expired, it MUST no longer be
313 published, but it MAY be replaced by a newly generated TAK object
314 with equivalent content and an updated "notAfter" time.
316 o The same set of current keys (see Section 3.2.2) MUST be included
317 on each TAK object for each current key.
319 o The TAK object MUST include all revoked keys (see Section 3.2.3)
320 that became revoked while the key signing the TAK in question was
321 current.
323 5. Relying Party Use
325 Relying Parties MUST keep a record of all current keys for each
326 configured Trust Anchor, as well as the URI(s) where the CA
327 certificate for each of these keys may be retrieved. This record MAY
328 be bootstrapped by the use of a pre-configured (and unsigned) TAL
329 file [I-D.ietf-sidrops-https-tal], but it MUST be updated with
330 authoritative signed information found in valid TAK objects found in
331 subsequent validation runs.
333 When performing top-down validation RPs MUST first validate and
334 process any TAK objects for each of its known current keys for a TA
335 by performing the following steps:
337 o A CA certificate is retrieved and validated from the known URIs as
338 described in sections 3 and 4 of [I-D.ietf-sidrops-https-tal].
340 o The manifest and CRL for this certificate are then validated first
341 as described in [RFC6487] and [RFC6486].
343 o The TAK file, if present, is validated as described in
344 Section 3.3.
346 For each valid TAK file thus found all current keys, i.e.
347 SubjectPublicKeyInfo and URIs, are kept. If any previously unknown
348 keys are added to the set of current keys, then they MUST also be
349 processed as described above.
351 Once the TAK objects for all keys are processed the set of current
352 keys and URIs for the TA is updated as follows: * All new current
353 keys found on any valid TAK object are added to the set of current
354 keys. * The set of URIs for each current key is replaced by the union
355 of all URIs for this key found on all valid TAK objects. * Finally,
356 any current key that matches any revoked key on any valid TAK object
357 is removed from the set of current keys.
359 Note that if a current key does not occur on any valid TAK object,
360 but it is not revoked either, then it and any previously known URIs
361 for it are kept. Also note that if an RP was bootstrapped using a
362 TAL file [I-D.ietf-sidrops-https-tal], the keys and URIs will now
363 have been replaced by values found on TAK objects.
365 After this the RP can choose any one of the valid CA certificates for
366 any key that is still in the set of current keys for this TA, in
367 order to continue the top-down validation of object for this TA as
368 described in [RFC6487].
370 6. Maintaining multiple TA keys
372 If a TA operates multiple keys, then the signed material for these
373 keys MUST be published under different directories in the context of
374 the 'id-ad-caRepository' and 'id-ad-rpkiManifest' Subject Information
375 Access descriptions contained on the CA certificates [RFC6487].
376 Publishing objects under the same space would lead to confusion at
377 best, and in case of file name collisions of objects invalidity.
379 However, the CA certificates for each key, and the contents published
380 by each key MUST be equivalent. In other words it MUST not make a
381 difference which of the keys is used as a starting point for top-down
382 validation by RP software.
384 This means that the IP and AS resources contained on all current CA
385 certificates for the current TA keys MUST be the same. Furthermore
386 for any delegation of IP and AS resources to a child, the TA MUST
387 have an equivalent CA certificate published under each of its keys.
388 Any updates in delegations MUST be reflected under each of its keys.
389 A TA SHOULD NOT publish any other objects besides a CRL, a Manifest,
390 a single TAK object, and any number of CA certificates for delegation
391 to child Certification Authorities.
393 If a TA uses a single remote publication server for its keys using
394 the RPKI publication protocol [RFC8181], then it MUST include all
395 and PDUs for the products of each of its keys
396 in a single query in order to ensure that they will reflect the same
397 content at all times.
399 If a TA uses multiple publication servers then it is by definition
400 inevitable that the content of different keys will be out of sync at
401 times. In such cases the TA SHOULD ensure that the duration of these
402 moments are limited to the shortest possible time. Furthermore the
403 following should be observed:
405 o In cases where a CA certificate is revoked completely, or replaced
406 by a certificate with a reduced set of resources, these changes
407 will not take effect fully until all the TA keys repository
408 publication points have been updated. Given that TA key
409 operations are normally performed infrequently we don't expect
410 that this is a problem. I.e. if the revocation or shrinking of an
411 issued CA certificate is staged for days, or weeks anyway, then
412 experiencing a delay of several minutes for the repository
413 publication points to all be updated is fairly insignificant.
415 o In cases where a CA certificate is replaced by a certificate with
416 an extend set of resources the TA MUST inform the receiving CA
417 only after all its repository publication points have been
418 updated. This ensures that the receiving CA will not issue any
419 products that could be invalid if an RP uses a TA key just before
420 the CA certificate was due to be updated.
422 Finally, note that the publication locations of CA certificates for
423 delegations to child CAs under each key will be different, and
424 therefore the Authority Information Access 'id-ad-caIssuers' value on
425 certificates issued by the child CAs may not match (section 4.8.7 of
426 [RFC6487]). However, this information is not considered critical for
427 validation of these objects and provided as hints to RP software
428 only. Therefore RP software MUST NOT reject these certificates based
429 on a mismatch of this value.
431 7. Performing TA Key Rolls
433 In this section we will describe how present day RPKI TAs that use
434 only one key pair, and that do not use TAK objects, can change to
435 having two current keys at all times allowing them to perform both
436 planned and unplanned key rolls.
438 7.1. Phase 1: Add a TAK for Key 'A'
440 Before adding any new keys a Trust Anchor may want to build up
441 operational experience in maintaining a TAK object that describes its
442 current key only. We will call refer to this key as key 'A'
443 throughout this section.
445 The TA will have a TAL file [I-D.ietf-sidrops-https-tal] that
446 contains one or more URIs where the (equivalent) CA certificates for
447 this key 'A' can be retrieved. The TA can now generate a TAK objects
448 that includes key 'A' only in its sequence of 'CurrentKey' values.
450 The TA SHOULD publish the CA certificate for key 'A' at one or more
451 new locations not used in the TAL file, and use these new URIs in the
452 TAK object. The TA is free to choose any naming strategy for these
453 locations. As a non-normative suggestion, one such approach could be
454 to use the date that this phase was started as part of the file name
455 or a directory where the CA certificate is published.
457 The TA can now monitor the retrieval of its CA certificates from the
458 URI(s) in the newly published TAK object, relative to the retrieval
459 from the URI(s) listed in its TAL file, to learn the proportion of
460 RPs that can successfully validate and use the TAK object.
462 7.2. Phase 2: Add a Key 'B'
464 The TA can now generate a new key pair, key 'B'. This key MUST now
465 be used to create a new CA certificate for this key, and issue
466 equivalent CA certificates for delegations to child CAs, as described
467 in Section 6.
469 At this point, the TA can also issue a new TAL file
470 [I-D.ietf-sidrops-https-tal] for key 'B', and test locally that the
471 validation outcome for the new key is indeed equivalent to the other
472 current key(s).
474 When the TA is certain that both keys are equivalent, it MUST issue a
475 new TAK object under each of its current keys, and include both the
476 old key 'A' and this new key 'B' in the set of current keys.
478 The TA SHOULD now also release a new TAL file for this new key 'B' as
479 the intended new key to be used by RP software. However, as
480 described above, it SHOULD use a different set of URIs in the TAL
481 compared to the TAK file, so that it can learn the proportion of RPs
482 that can successfully validate and use the updated TAK objects.
484 7.3. Phase 3: Roll to Key 'C'
486 In this phase a new key, key 'C' is generated as described above in
487 Section 7.2. And one of the previous keys is revoked.
489 7.3.1. Planned Direction Roll
491 If the key roll is planned, and the TA has access to all its keys
492 'A', 'B' and 'C', and the publication servers for each of the keys,
493 then a new TAK object is generated for each of these keys listing
494 keys 'B' and 'C' as current, and key 'A' as revoked.
496 The TA SHOULD now publish a long-lived TAK file, CRL and Manifest
497 under key 'A', remove all other content, and destroy key 'A'. This
498 way RP software that uses a TAL for key 'A' can still successfully
499 find keys 'B' and 'C', and in future 'D', 'E', etc.
501 If access to key 'A' was lost, then the process is slightly
502 different. The TAK object for key 'A' cannot be updated and will
503 therefore still refer to keys 'A' and 'B' as the current keys, and
504 include no revocations. However, an updated TAK object listing keys
505 'B' and 'C' as current, and listing key 'A' as revoked can still be
506 issued and published under keys 'B' and 'C'. As described in
507 Section 5 RPs will then discover that key 'A' is revoked, and
508 continue to use keys 'B' and 'C'.
510 7.3.2. Unplanned Direction Roll
512 If key 'B' is compromised, the process is similar to above, except of
513 course that now keys 'A' and 'C' are included in the set of current
514 keys, and key 'B' is in the set of revoked keys. If the TA still has
515 access to key 'B', then it SHOULD publish a long-lived TAK file, CRL
516 and manifest for key 'B' and remove all other content for it. If it
517 cannot perform this action then simply marking key 'B' as revoked
518 will still notify RPs to disregard it.
520 7.4. Phase X: Roll to Key 'D', 'E', ..
522 Further key rolls are essentially no different the roll to key 'C'
523 described in Section 7.3, except that there is no need to still
524 include key 'A' in the list of revoked keys when the the roll to key
525 'D' is performed. RPs will already have learned to that key 'A' is
526 revoked, before they learn about key 'D'.
528 8. Deployment Considerations
530 Including Signed TAL objects while RP tools do not support this
531 standard will result in these RPs rejecting these objects. It is not
532 expected that this will result in the invalidation of any other
533 object under a Trust Anchor.
535 That said, the flagging mechanism introduced here can only be relied
536 on once a majority of RPs support it. Defining when that moment
537 arrives is by definition something that cannot be established at the
538 time of writing this document. The use of unique URIs in TAK objects
539 compared to their equivalent TAL files should help operators
540 understand which proportion of RPs support this mechanism.
542 9. Security Considerations
544 It should be noted that because any key can revoke the other key(s),
545 a risk introduced: if an adversary can gain access to one of the
546 keys, and publication servers for it, then they can essentially take
547 over a TA. It should also be noted that a TA can revoke all of its
548 keys by accident and make itself obsolete.
550 However, these risks can be mitigated greatly by the use of Hardware
551 Security Modules (HSM) by TAs, which will guard against theft of a
552 private key, and operational processes to guard against (accidental)
553 mis-use of the keys in an HSM by operators.
555 Although HSMs can help against key theft, the risk of key loss is
556 still very applicable. In some ways more so, because back-ups are
557 hard by design. Key loss can easily happen for example when an
558 operator card set that is used to authorise use of a key in an HSM
559 can no longer be used, e.g. because cards are broken or lost, or a
560 persons who holds a card is sadly no longer with us, or passwords are
561 forgotten, etc.
563 In such cases the ability to perform an unplanned roll as described
564 in this document will be very useful, provided that access to the
565 both keys is arranged differently, and the issues affecting one key,
566 do not necessarily affect the other key.
568 An example where the planned rolls are useful is when a TA is using
569 an HSM from vendor X, and they want to migrate to an HSM from vendor
570 Y.
572 10. IANA Considerations
574 10.1. OID
576 IANA is to add the following to the "RPKI Signed Objects" registry:
578 Decimal | Description | References
579 --------+--------------------------------+---------------
580 TBD | Trust Anchor Keys | [section 3.1]
582 10.2. File Extension
584 IANA is to add an item for the Signed TAL file extension to the "RPKI
585 Repository Name Scheme" created by [RFC6481] as follows:
587 Extension | RPKI Object | References
588 -----------+-------------------------------------------
589 .tak | Trust Anchor Keys | [this document]
591 11. Security Considerations
593 TBD
595 12. Revision History
597 03 - Last Draft under Tim's authorship.
599 04 - First Draft with Georges's authorship. No substantive
600 revisions.
602 13. Acknowledgements
604 The authors wish to thank Martin Hoffmann for a thourough review of
605 this document.
607 14. References
609 14.1. Normative References
611 [I-D.ietf-sidrops-https-tal]
612 Huston, G., Weiler, S., Michaelson, G., Kent, S., and T.
613 Bruijnzeels, "Resource Public Key Infrastructure (RPKI)
614 Trust Anchor Locator", draft-ietf-sidrops-https-tal-08
615 (work in progress), April 2019.
617 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
618 Requirement Levels", BCP 14, RFC 2119,
619 DOI 10.17487/RFC2119, March 1997,
620 .
622 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
623 Addresses and AS Identifiers", RFC 3779,
624 DOI 10.17487/RFC3779, June 2004,
625 .
627 [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI
628 Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010,
629 .
631 [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for
632 Resource Certificate Repository Structure", RFC 6481,
633 DOI 10.17487/RFC6481, February 2012,
634 .
636 [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski,
637 "Manifests for the Resource Public Key Infrastructure
638 (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012,
639 .
641 [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
642 X.509 PKIX Resource Certificates", RFC 6487,
643 DOI 10.17487/RFC6487, February 2012,
644 .
646 [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object
647 Template for the Resource Public Key Infrastructure
648 (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012,
649 .
651 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
652 Protocol (HTTP/1.1): Message Syntax and Routing",
653 RFC 7230, DOI 10.17487/RFC7230, June 2014,
654 .
656 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
657 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
658 May 2017, .
660 [RFC8181] Weiler, S., Sonalker, A., and R. Austein, "A Publication
661 Protocol for the Resource Public Key Infrastructure
662 (RPKI)", RFC 8181, DOI 10.17487/RFC8181, July 2017,
663 .
665 [X.690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
666 "Information technology - ASN.1 encoding rules:
667 Specification of Basic Encoding Rules (BER), Canonical
668 Encoding Rules (CER) and Distinguished Encoding Rules
669 (DER)", 2002.
671 14.2. Informative References
673 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
674 RFC 5652, DOI 10.17487/RFC5652, September 2009,
675 .
677 Authors' Addresses
679 Carlos Martinez
680 LACNIC
682 Email: carlos@lacnic.net
683 URI: https://www.lacnic.net/
685 George G. Michaelson
686 Asia Pacific Network Information Centre
687 6 Cordelia St
688 South Brisbane, QLD 4101
689 Australia
691 Email: ggm@apnic.net
692 Tim Bruijnzeels
693 NLnet Labs
695 Email: tim@nlnetlabs.nl
696 URI: https://www.nlnetlabs.nl/
698 Rob Austein
699 Dragon Research Labs
701 Email: sra@hactrn.net