RPKI Signed Object for Trust Anchor Key
draft-ietf-sidrops-signed-tal-15
| Document | Type | Active Internet-Draft (sidrops WG) |
|---|---|---|
| | Authors | Carlos M. Martínez, George G. Michaelson, Tom Harrison, Tim Bruijnzeels, Rob Austein |
| | Last updated | 2024-04-23 (Latest revision 2024-04-09) |
| | Replaces | draft-tbruijnzeels-sidrops-signed-tal |
| | RFC stream | Internet Engineering Task Force (IETF) |
| | Intended RFC status | Proposed Standard |
| | Reviews | OPSDIR Last Call Review due 2024-04-26 (Incomplete); SECDIR Last Call Review due 2024-04-26 (Incomplete); GENART Last Call Review due 2024-04-26 (Incomplete) |
| | Additional resources | Mailing list discussion |
| Stream | WG state | Submitted to IESG for Publication |
| | Document shepherd | Russ Housley |
| | Shepherd write-up | Last changed 2024-02-25 |
| IESG | IESG state | In Last Call (ends 2024-04-26) |
| | Consensus boilerplate | Yes |
| | Telechat date | (None) |
| | Responsible AD | Warren "Ace" Kumari |
| | Send notices to | keyur@arrcus.com, housley@vigilsec.com |
| IANA | IANA review state | IANA OK - Actions Needed |
13.  Implementation Status

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of
   this Internet-Draft, and is based on a proposal described in
   [RFC7942].  The description of implementations in this section is
   intended to assist the IETF in its decision processes in progressing
   drafts to RFCs.  Please note that the listing of any individual
   implementation here does not imply endorsement by the IETF.
   Furthermore, no effort has been spent to verify the information
   presented here that was supplied by IETF contributors.  This is not
   intended as, and must not be construed to be, a catalog of available
   implementations or their features.  Readers are advised to note that
   other implementations may exist.

   According to RFC 7942, "this will allow reviewers and working groups
   to assign due consideration to documents that have the benefit of
   running code, which may serve as evidence of valuable
   experimentation and feedback that have made the implemented
   protocols more mature.  It is up to the individual working groups to
   use this information as they see fit".

13.1.  APNIC

   *  Responsible Organization: Asia-Pacific Network Information Centre

   *  Location: https://github.com/APNIC-net/rpki-signed-tal-demo

   *  Description: A proof-of-concept for relying party TAK usage.

   *  Level of Maturity: This is a proof-of-concept implementation.

   *  Coverage: This implementation includes all of the features
      described in version 15 of this specification, except for writing
      TAL files based on TAK data.  The repository includes a link to
      various test TALs that can be used for testing TAK scenarios, too.

   *  Contact Information: Tom Harrison, tomh@apnic.net

13.2.  rpki-client

   *  Responsible Organization: Job Snijders, the OpenBSD project

   *  Location: https://www.rpki-client.org

   *  Description: A relying party implementation which can validate
      TAKs.

Martinez, et al.          Expires 12 October 2024               [Page 18]

Internet-Draft         RPKI signed object for TAL             April 2024

   *  Level of Maturity: Mature.  Trust Anchor operators are encouraged
      to use rpki-client as part of smoke testing to help ensure high
      levels of standards compliance when introducing changes, and use
      rpki-client in a continuous monitoring fashion to help maintain
      high levels of operational excellence.

   *  Coverage: This implementation includes all features except TAK
      acceptance timers.

   *  Contact information: Job Snijders, job@fastly.com

13.3.  rpki-rs

   *  Responsible Organization: Tim Bruijnzeels, tim@ripe.net

   *  Location: https://github.com/NLnetLabs/rpki-rs/tree/signed-tal

   *  Description: Library support for encoding and decoding TAK
      objects.

   *  Level of Maturity: This is a proof-of-concept implementation.

   *  Coverage: This implementation includes support for encoding and
      decoding TAK objects.

   *  Contact information: Tim Bruijnzeels, tim@ripe.net

14.  Revision History

   03 - Last draft under Tim's authorship.

   04 - First draft with George's authorship.  No substantive revisions.

   05 - First draft with Tom's authorship.  No substantive revisions.

   06 - Rob Kisteleki's critique.

   07 - Switch to two-key model.

   08 - Keepalive.

   09 - Acceptance timers, predecessor keys, no long-lived CRL/MFT.

   10 - Using TAK objects for distribution of TAL data.

   11 - Manual update guidance, additional security considerations,
        identifier updates.

   12 - TAK object comments.

   13 - Removal of compromise text, extra RP support text, key
        destruction text, media type registration, signed object
        registry note.

   14 - Keepalive.

   15 - Additional implementation notes and editorial updates.

15.  Acknowledgments

   The authors wish to thank Martin Hoffmann for a thorough review of
   the document, Russ Housley for multiple reviews of the ASN.1
   definitions and for providing a new module for the TAK object, Job
   Snijders for the extensive suggestions around TAK object
   structure/distribution and rpki-client implementation work, and Ties
   de Kock for text/suggestions around TAK/TAL distribution and general
   security considerations.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
              2003, <https://www.rfc-editor.org/info/rfc3629>.

   [RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
              Addresses and AS Identifiers", RFC 3779,
              DOI 10.17487/RFC3779, June 2004,
              <https://www.rfc-editor.org/info/rfc3779>.

   [RFC5198]  Klensin, J. and M. Padlipsky, "Unicode Format for Network
              Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008,
              <https://www.rfc-editor.org/info/rfc5198>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5781]  Weiler, S., Ward, D., and R. Housley, "The rsync URI
              Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010,
              <https://www.rfc-editor.org/info/rfc5781>.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012,
              <https://www.rfc-editor.org/info/rfc6481>.

   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates", RFC 6487,
              DOI 10.17487/RFC6487, February 2012,
              <https://www.rfc-editor.org/info/rfc6487>.

   [RFC6488]  Lepinski, M., Chi, A., and S. Kent, "Signed Object
              Template for the Resource Public Key Infrastructure
              (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012,
              <https://www.rfc-editor.org/info/rfc6488>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8181]  Weiler, S., Sonalker, A., and R. Austein, "A Publication
              Protocol for the Resource Public Key Infrastructure
              (RPKI)", RFC 8181, DOI 10.17487/RFC8181, July 2017,
              <https://www.rfc-editor.org/info/rfc8181>.

   [RFC8630]  Huston, G., Weiler, S., Michaelson, G., Kent, S., and T.
              Bruijnzeels, "Resource Public Key Infrastructure (RPKI)
              Trust Anchor Locator", RFC 8630, DOI 10.17487/RFC8630,
              August 2019, <https://www.rfc-editor.org/info/rfc8630>.

   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", STD 97, RFC 9110,
              DOI 10.17487/RFC9110, June 2022,
              <https://www.rfc-editor.org/info/rfc9110>.

   [RFC9286]  Austein, R., Huston, G., Kent, S., and M. Lepinski,
              "Manifests for the Resource Public Key Infrastructure
              (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022,
              <https://www.rfc-editor.org/info/rfc9286>.

   [X.690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
              "Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", 2002.

16.2.  Informative References

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/info/rfc5652>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.

Appendix A.  ASN.1 Module

   This appendix includes the ASN.1 module for the TAK object.

   <CODE BEGINS>
   RPKISignedTrustAnchorList-2021
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs9(9) smime(16) mod(0) 74 }

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN

   IMPORTS
     CONTENT-TYPE
     FROM CryptographicMessageSyntax-2009 -- in [RFC5911]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }

     SubjectPublicKeyInfo
     FROM PKIX1Explicit-2009 -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-explicit-02(51) }
     ;

   ct-signedTAL CONTENT-TYPE ::=
     { TYPE TAK IDENTIFIED BY id-ct-signedTAL }

   id-ct-signedTAL OBJECT IDENTIFIER ::=
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs9(9) smime(16) ct(1) 50 }

   CertificateURI ::= IA5String

   TAKey ::= SEQUENCE {
     comments              SEQUENCE SIZE (0..MAX) OF UTF8String,
     certificateURIs       SEQUENCE SIZE (1..MAX) OF CertificateURI,
     subjectPublicKeyInfo  SubjectPublicKeyInfo
   }

   TAK ::= SEQUENCE {
     version      INTEGER DEFAULT 0,
     current      TAKey,
     predecessor  [0] TAKey OPTIONAL,
     successor    [1] TAKey OPTIONAL
   }

   END
   <CODE ENDS>

Authors' Addresses

   Carlos Martinez
   LACNIC
   Rambla Mexico 6125
   11400 Montevideo
   Uruguay
   Email: carlos@lacnic.net
   URI:   https://www.lacnic.net/

   George G. Michaelson
   Asia Pacific Network Information Centre
   6 Cordelia St
   South Brisbane QLD 4101
   Australia
   Email: ggm@apnic.net

   Tom Harrison
   Asia Pacific Network Information Centre
   6 Cordelia St
   South Brisbane QLD 4101
   Australia
   Email: tomh@apnic.net

   Tim Bruijnzeels
   RIPE NCC
   Stationsplein 11
   Amsterdam
   Netherlands
   Email: tim@ripe.net
   URI:   https://www.ripe.net/

   Rob Austein
   Dragon Research Labs
   Email: sra@hactrn.net
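The ASN.1 module in Appendix A defines the TAK structure but gives no encoding walkthrough. The following is an added example for this page, not code from the draft or from any of the implementations listed in the implementation status section: a minimal DER encoder and decoder for TAK in Python with no external dependencies. SubjectPublicKeyInfo is carried as an opaque, pre-encoded DER blob; the sample SPKI, URIs and comment string are constructed placeholders, not real trust anchor data. The decoder enforces the points a relying party parser has to get right from the module alone: the module uses EXPLICIT tagging, so predecessor and successor are context tags [0]/[1] wrapping a whole TAKey SEQUENCE; certificateURIs is SIZE (1..MAX), so an empty list is rejected; URIs are IA5String, so non-ASCII is rejected; and under DER a version equal to its DEFAULT of 0 must be omitted, so an explicitly encoded zero is rejected, as are trailing bytes and out-of-order components.

```python
"""Minimal DER encoder/decoder for the TAK structure in Appendix A.  Added
example for this page, not code from the draft or the implementations it
lists; SubjectPublicKeyInfo is carried as an opaque pre-encoded blob."""
from dataclasses import dataclass, field
from typing import List, Optional

TAG_INTEGER, TAG_BIT_STRING, TAG_NULL, TAG_OID = 0x02, 0x03, 0x05, 0x06
TAG_UTF8STRING, TAG_IA5STRING, TAG_SEQUENCE = 0x0C, 0x16, 0x30
# EXPLICIT TAGS: predecessor [0] / successor [1] are context-specific
# constructed tags that wrap a complete TAKey SEQUENCE.
TAG_PREDECESSOR, TAG_SUCCESSOR = 0xA0, 0xA1

def tlv(tag: int, body: bytes) -> bytes:
    """One tag-length-value element with a minimal (DER) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf: bytes, pos: int):
    """Parse the element at buf[pos] -> (tag, body, next_pos); rejects the
    indefinite and non-minimal length forms that DER forbids."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("body runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class TAKey:
    certificate_uris: List[str]
    spki_der: bytes  # SubjectPublicKeyInfo, already DER encoded
    comments: List[str] = field(default_factory=list)

@dataclass
class TAK:
    current: TAKey
    predecessor: Optional[TAKey] = None
    successor: Optional[TAKey] = None
    version: int = 0

def encode_takey(key: TAKey) -> bytes:
    if not key.certificate_uris:
        raise ValueError("certificateURIs is SIZE (1..MAX): need at least one URI")
    comments = b"".join(tlv(TAG_UTF8STRING, c.encode("utf-8")) for c in key.comments)
    uris = b"".join(tlv(TAG_IA5STRING, u.encode("ascii")) for u in key.certificate_uris)
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, comments) + tlv(TAG_SEQUENCE, uris) + key.spki_der)

def encode_tak(tak: TAK) -> bytes:
    body = b""
    if tak.version != 0:  # DER omits a component equal to its DEFAULT value
        body += tlv(TAG_INTEGER, tak.version.to_bytes((tak.version.bit_length() + 8) // 8, "big"))
    body += encode_takey(tak.current)
    if tak.predecessor is not None:
        body += tlv(TAG_PREDECESSOR, encode_takey(tak.predecessor))
    if tak.successor is not None:
        body += tlv(TAG_SUCCESSOR, encode_takey(tak.successor))
    return tlv(TAG_SEQUENCE, body)

def _strings(body: bytes, tag: int) -> List[str]:
    out, pos = [], 0
    while pos < len(body):
        t, inner, pos = read_tlv(body, pos)
        if t != tag:
            raise ValueError(f"unexpected tag {t:#x} in string sequence")
        out.append(inner.decode("ascii" if tag == TAG_IA5STRING else "utf-8"))
    return out

def decode_takey(der: bytes) -> TAKey:
    tag, body, end = read_tlv(der, 0)
    t1, comments, pos = read_tlv(body, 0)
    t2, uris, spki_at = read_tlv(body, pos)
    t3, _, last = read_tlv(body, spki_at)
    if (tag, t1, t2, t3) != (TAG_SEQUENCE,) * 4 or end != len(der) or last != len(body):
        raise ValueError("TAKey must be SEQUENCE { comments, certificateURIs, spki }")
    uri_list = _strings(uris, TAG_IA5STRING)
    if not uri_list:
        raise ValueError("certificateURIs is SIZE (1..MAX): empty list rejected")
    return TAKey(uri_list, body[spki_at:last], _strings(comments, TAG_UTF8STRING))

def decode_tak(der: bytes) -> TAK:
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("TAK must be exactly one SEQUENCE with no trailing data")
    version, pos = 0, 0
    t, elem, nxt = read_tlv(body, 0)
    if t == TAG_INTEGER:
        version = int.from_bytes(elem, "big", signed=True)
        if version == 0:
            raise ValueError("version 0 is the DEFAULT and must be omitted in DER")
        pos = nxt
        t, elem, nxt = read_tlv(body, pos)
    if t != TAG_SEQUENCE:
        raise ValueError("current TAKey is mandatory")
    current, pos = decode_takey(body[pos:nxt]), nxt
    keys = {}
    for ctx_tag, name in ((TAG_PREDECESSOR, "predecessor"), (TAG_SUCCESSOR, "successor")):
        if pos < len(body) and body[pos] == ctx_tag:
            _, elem, pos = read_tlv(body, pos)
            keys[name] = decode_takey(elem)
    if pos != len(body):
        raise ValueError("unexpected or out-of-order component in TAK")
    return TAK(current, keys.get("predecessor"), keys.get("successor"), version)

def is_valid_tak(der: bytes) -> bool:
    """True when der parses as a TAK that satisfies the module's constraints."""
    try:
        decode_tak(der)
        return True
    except ValueError:
        return False

# Constructed placeholder SubjectPublicKeyInfo (rsaEncryption AlgorithmIdentifier
# plus a BIT STRING of dummy bytes); not a real key.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SAMPLE_SPKI = tlv(TAG_SEQUENCE,
                  tlv(TAG_SEQUENCE, tlv(TAG_OID, RSA_ENCRYPTION_OID) + tlv(TAG_NULL, b""))
                  + tlv(TAG_BIT_STRING, b"\x00" + bytes(range(16))))

def sample_tak() -> TAK:
    """A TAK announcing the current key and a successor (constructed URIs)."""
    current = TAKey(["rsync://rpki.example.net/ta/ta.cer", "https://rpki.example.net/ta/ta.cer"],
                    SAMPLE_SPKI, ["current key (constructed example)"])
    return TAK(current, successor=TAKey(["rsync://rpki.example.net/ta/ta-next.cer"], SAMPLE_SPKI))
```

This covers only the eContent of the signed object; in a real TAK the encoded TAK is carried inside the CMS SignedData wrapper described by the RPKI signed object template, and a relying party validates that wrapper and its EE certificate before trusting any of the decoded keys.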