[sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-09.txt

internet-drafts@ietf.org Thu, 16 November 2017 07:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/-p8Br7YNj2U0jC59UTHrfrBraDM>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing WG of the IETF.

        Title           : RPKI Validation Reconsidered
        Authors         : Geoff Huston
                          George Michaelson
                          Carlos M. Martinez
                          Tim Bruijnzeels
                          Andrew Lee Newton
                          Daniel Shaw
        Filename        : draft-ietf-sidr-rpki-validation-reconsidered-09.txt
        Pages           : 22
        Date            : 2017-11-15

   This document specifies an alternative to the certificate validation
   procedure specified in RFC 6487 that reduces aspects of operational
   fragility in the management of certificates in the RPKI, while
   retaining essential security features.

   Where the procedure specified in RFC 6487 requires that Resource
   Certificates are rejected entirely if they are found to over-claim
   any resources not contained on the issuing certificate, the
   validation process defined here allows an issuing Certificate
   Authority to choose to communicate that such Resource Certificates
   should be accepted for the intersection of their resources and the
   issuing certificate.

   This choice is signalled in the form of a set of alternative Object
   Identifiers (OIDs) of RFC 3779 X.509 Extensions for IP Addresses and
   AS Identifiers, and certificate policy for the Resource Public Key
   Infrastructure (RFC 6484).  It should be noted that in case these
   OIDs are not used for any certificate under a Trust Anchor, the
   validation procedure defined here has the same outcome as the
   procedure defined in RFC 6487.

   Furthermore this document provides an alternative to ROA (RFC 6482),
   and BGPSec Router Certificate (BGPSec PKI Profiles - publication
   requested) validation.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
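
The difference between the two procedures described in the abstract above, as an added example that is not part of the announcement or the draft. It assumes a simplified model: certificates are reduced to sets of IP prefixes, AS numbers and the OID signalling are left out, and every certificate in the chain is assumed to have opted in to the alternative procedure. All function names and the sample chain are constructed for illustration.

```python
from ipaddress import ip_network

# Simplified model (assumption): a certificate is just its set of IP prefixes.
def nets(*cidrs):
    return {ip_network(c) for c in cidrs}

def covers(verified, prefix):
    """True if some verified block contains prefix."""
    return any(v.version == prefix.version and prefix.subnet_of(v) for v in verified)

def intersect(claimed, verified):
    """CIDR blocks are nested or disjoint, so each overlap is the smaller block."""
    out = set()
    for a in claimed:
        for b in verified:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                out.add(a if a.subnet_of(b) else b)
    return out

def validate_strict(chain):
    """RFC 6487 behaviour: one over-claimed resource rejects the certificate."""
    verified = set(chain[0])                      # trust anchor
    for claimed in chain[1:]:
        if not all(covers(verified, p) for p in claimed):
            return None                           # rejected entirely
        verified = set(claimed)
    return verified

def validate_reconsidered(chain):
    """Alternative procedure: accept each certificate for the intersection."""
    verified = set(chain[0])
    for claimed in chain[1:]:
        verified = intersect(claimed, verified)
    return verified

def roa_ok(roa_prefixes, verified):
    """A ROA is usable only if every prefix lies inside the verified set."""
    return verified is not None and all(covers(verified, p) for p in roa_prefixes)

# Constructed chain (documentation prefixes): trust anchor, CA1, CA2.
# CA2 still lists 203.0.113.0/24, which CA1 no longer holds.
CHAIN = [
    nets("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"),
    nets("192.0.2.0/24", "198.51.100.0/24"),
    nets("192.0.2.0/25", "203.0.113.0/24"),
]

if __name__ == "__main__":
    print("strict:      ", validate_strict(CHAIN))
    print("reconsidered:", validate_reconsidered(CHAIN))
```

Under the strict procedure the over-claim on CA2 invalidates everything beneath it, including the correctly held 192.0.2.0/25; under the alternative only the over-claimed prefix is lost.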