[sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-10.txt

internet-drafts@ietf.org Fri, 22 December 2017 14:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/twGOuQWmPjL2myCbFZakjSwMgIQ>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing WG of the IETF.

        Title           : RPKI Validation Reconsidered
        Authors         : Geoff Huston
                          George Michaelson
                          Carlos M. Martinez
                          Tim Bruijnzeels
                          Andrew Lee Newton
                          Daniel Shaw
        Filename        : draft-ietf-sidr-rpki-validation-reconsidered-10.txt
        Pages           : 27
        Date            : 2017-12-22

Abstract:
   This document specifies an alternative to the certificate validation
   procedure specified in RFC 6487 that reduces aspects of operational
   fragility in the management of certificates in the RPKI, while
   retaining essential security features.

   Where the procedure specified in RFC 6487 requires that Resource
   Certificates are rejected entirely if they are found to over-claim
   any resources not contained on the issuing certificate, the
   validation process defined here allows an issuing Certificate
   Authority to choose to communicate that such Resource Certificates
   should be accepted for the intersection of their resources and the
   issuing certificate.

   It should be noted that the validation process defined here considers
   validation under a single Trust Anchor only.  In particular, concerns
   regarding over-claims where multiple configured Trust Anchors claim
   overlapping resources are considered out of scope for this document.

   This choice is signalled by a set of alternative Object
   Identifiers (OIDs) of RFC 3779 X.509 Extensions for IP Addresses and
   AS Identifiers, and certificate policy for the Resource Public Key
   Infrastructure (RFC 6484).  It should be noted that in case these
   OIDs are not used for any certificate under a Trust Anchor, the
   validation procedure defined here has the same outcome as the
   procedure defined in RFC 6487.

   Furthermore, this document provides an alternative to ROA (RFC 6482)
   and BGPSec Router Certificate (BGPSec PKI Profiles - publication
   requested) validation.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-10
https://datatracker.ietf.org/doc/html/draft-ietf-sidr-rpki-validation-reconsidered-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-10


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
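
The difference between the two validation behaviours described in the abstract, as an added example that is not part of this announcement or of the draft. It assumes IPv4 prefixes only, models each certificate as a bare list of prefixes, and uses a single hypothetical `reconsidered` flag in place of the alternative OIDs; the prefixes are constructed documentation ranges.

```python
from ipaddress import ip_network, collapse_addresses

def intersect(child, parent):
    """Prefixes covered by both sets (CIDR blocks are nested or disjoint)."""
    out = []
    for c in child:
        for p in parent:
            if c.subnet_of(p):
                out.append(c)
            elif p.subnet_of(c):
                out.append(p)
    return list(collapse_addresses(out))

def validate_chain(chain, reconsidered):
    """Walk from the trust anchor down to the last certificate.

    Returns the resources the last certificate is accepted for, or None
    if it is rejected. reconsidered=False models the RFC 6487 behaviour
    (any over-claim rejects the certificate entirely); reconsidered=True
    is a stand-in for certificates carrying the alternative OIDs.
    """
    verified = list(collapse_addresses(chain[0]))
    for resources in chain[1:]:
        claimed = list(collapse_addresses(resources))
        common = intersect(claimed, verified)
        if common != claimed and not reconsidered:
            return None          # over-claim: whole certificate rejected
        verified = common        # accepted for the intersection only
    return verified

def nets(*prefixes):
    return [ip_network(p) for p in prefixes]

# Constructed scenario: the intermediate CA was shrunk to 192.0.2.0/24,
# but the certificate it issued earlier still lists 198.51.100.0/24.
OVERCLAIM_CHAIN = [
    nets("192.0.2.0/24", "198.51.100.0/24"),   # trust anchor
    nets("192.0.2.0/24"),                      # intermediate CA, after shrink
    nets("192.0.2.0/25", "198.51.100.0/24"),   # child, now over-claiming
]
# Constructed chain with no over-claim: both procedures agree.
CLEAN_CHAIN = [nets("192.0.2.0/24"), nets("192.0.2.0/24"), nets("192.0.2.0/25")]

if __name__ == "__main__":
    for name, chain in (("over-claim", OVERCLAIM_CHAIN), ("clean", CLEAN_CHAIN)):
        for flag in (False, True):
            print(name, "reconsidered" if flag else "strict",
                  validate_chain(chain, flag))
```

Under the strict procedure the child's still-legitimate 192.0.2.0/25 is lost along with the over-claimed prefix, which is the operational fragility the abstract refers to.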