RPKI Signed Object for Trust Anchor Keys

The information below is for an old version of the document
Document Type Expired Internet-Draft (sidrops WG)
Authors Carlos Martínez, George Michaelson, Tom Harrison, Tim Bruijnzeels, Rob Austein
Last updated 2021-05-05 (latest revision 2020-11-01)
Replaces draft-tbruijnzeels-sidrops-signed-tal
Stream Internet Engineering Task Force (IETF)
Expired & archived
WG state In WG Last Call
Document shepherd No shepherd assigned
IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


A Trust Anchor Locator (TAL) [I-D.ietf-sidrops-https-tal] is used by Relying Parties (RP) in the RPKI to locate and validate a Trust Anchor (TA) CA certificate used in RPKI validation. This document defines an RPKI signed object for a set of Trust Anchor Keys (TAK) that TA creators and publishers can use to signal to RPs their set of current keys and the location(s) of the accompanying CA certificates, as well as changes to this set in the form of revoked keys and new keys. The object is intended to support both planned and unplanned key rolls without impacting RPKI validation.


Carlos Martínez (carlos@lacnic.net)
George Michaelson (ggm@apnic.net)
Tom Harrison (tomh@apnic.net)
Tim Bruijnzeels (tim@nlnetlabs.nl)
Rob Austein (sra@hactrn.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)