[sidr] RFC 8360 on Resource Public Key Infrastructure (RPKI) Validation Reconsidered

rfc-editor@rfc-editor.org Thu, 05 April 2018 04:21 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AA6128954; Wed, 4 Apr 2018 21:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mDWqa6KDPvSe; Wed, 4 Apr 2018 21:21:14 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21924127369; Wed, 4 Apr 2018 21:21:14 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id B585FB839F5; Wed, 4 Apr 2018 21:20:44 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, drafts-update-ref@iana.org, sidr@ietf.org
Content-type: text/plain; charset=UTF-8
Message-Id: <20180405042044.B585FB839F5@rfc-editor.org>
Date: Wed, 4 Apr 2018 21:20:44 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/qqif5RftSOAnMeUSr5f4X71tZWo>
Subject: [sidr] =?utf-8?q?RFC_8360_on_Resource_Public_Key_Infrastructure_?= =?utf-8?q?=28RPKI=29_Validation_Reconsidered?=
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 04:21:16 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 8360

        Title:      Resource Public Key Infrastructure (RPKI) 
                    Validation Reconsidered 
        Author:     G. Huston,
                    G. Michaelson,
                    C. Martinez,
                    T. Bruijnzeels,
                    A. Newton,
                    D. Shaw
        Status:     Standards Track
        Stream:     IETF
        Date:       April 2018
        Mailbox:    gih@apnic.net, ggm@apnic.net, 
                    carlos@lacnic.net, tim@ripe.net, 
                    andy@arin.net, daniel@afrinic.net
        Pages:      29
        Characters: 52125
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-rpki-validation-reconsidered-10.txt

        URL:        https://www.rfc-editor.org/info/rfc8360

        DOI:        10.17487/RFC8360

This document specifies an alternative to the certificate validation
procedure specified in RFC 6487 that reduces aspects of operational
fragility in the management of certificates in the Resource Public
Key Infrastructure (RPKI), while retaining essential security
features.

The procedure specified in RFC 6487 requires that Resource
Certificates are rejected entirely if they are found to overclaim any
resources not contained on the issuing certificate, whereas the
validation process defined here allows an issuing Certification
Authority (CA) to chose to communicate that such Resource
Certificates should be accepted for the intersection of their
resources and the issuing certificate.

It should be noted that the validation process defined here considers
validation under a single trust anchor (TA) only.  In particular,
concerns regarding overclaims where multiple configured TAs claim
overlapping resources are considered out of scope for this document.

This choice is signaled by a set of alternative Object Identifiers
(OIDs) per "X.509 Extensions for IP Addresses and AS Identifiers"
(RFC 3779) and "Certificate Policy (CP) for the Resource Public Key                                     
Infrastructure (RPKI)" (RFC 6484).  It should be noted that in case
these OIDs are not used for any certificate under a trust anchor, the
validation procedure defined here has the same outcome as the
procedure defined in RFC 6487.

Furthermore, this document provides an alternative to Route Origin
Authorization (ROA) (RFC 6482) and BGPsec Router Certificate (BGPsec
PKI Profiles -- publication requested) validation.

This document is a product of the Secure Inter-Domain Routing Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the 
standardization state and status of this protocol.  Distribution of this 
memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC