Resource Public Key Infrastructure (RPKI) Trust Anchor Locator
RFC 8630

Document Type: RFC - Proposed Standard (August 2019; No errata)
Obsoletes: RFC 7730
Last updated: 2019-08-09
Replaces: draft-tbruijnzeels-sidrops-https-tal
Stream: IETF
WG state: Submitted to IESG for Publication
Document shepherd: Chris Morrow
Shepherd write-up: last changed 2019-02-27
IESG state: RFC 8630 (Proposed Standard)
Consensus boilerplate: Yes
Responsible AD: Warren Kumari
Send notices to: Chris Morrow <morrowc@ops-netman.net>
IANA review state: IANA OK - No Actions Needed
IANA action state: No IANA Actions
Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 8630                                         APNIC
Obsoletes: 7730                                                S. Weiler
Category: Standards Track                                        W3C/MIT
ISSN: 2070-1721                                            G. Michaelson
                                                                   APNIC
                                                                 S. Kent
                                                            Unaffiliated
                                                          T. Bruijnzeels
                                                              NLnet Labs
                                                             August 2019

     Resource Public Key Infrastructure (RPKI) Trust Anchor Locator

Abstract

   This document defines a Trust Anchor Locator (TAL) for the Resource
   Public Key Infrastructure (RPKI).  The TAL allows Relying Parties in
   the RPKI to download the current Trust Anchor (TA) Certification
   Authority (CA) certificate from one or more locations and verify that
   the key of this self-signed certificate matches the key on the TAL.
   Thus, Relying Parties can be configured with TA keys but can allow
   these TAs to change the content of their CA certificate.  In
   particular, it allows TAs to change the set of IP Address Delegations
   and/or Autonomous System Identifier Delegations included in the
   extension(s) (RFC 3779) of their certificate.

   This document obsoletes the previous definition of the TAL as
   provided in RFC 7730 by adding support for Uniform Resource
   Identifiers (URIs) (RFC 3986) that use HTTP over TLS (HTTPS) (RFC
   7230) as the scheme.
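   The abstract compresses the relying-party procedure into one sentence:
   fetch the TA certificate from one of the TAL's locations, and accept it
   only if its key is the key the TAL names. The Go program below, added
   here as an illustration and not code from RFC 8630 or from any RPKI
   validator, carries that out end to end. It parses a TAL in the layout
   the RFC body specifies (optional "#" comment lines, one or more URI
   lines, a blank line, then the Base64 subjectPublicKeyInfo) and accepts
   only rsync and https URIs; this page shows only the abstract, so that
   layout and the scheme rule are taken from the RFC body and are stated
   here as assumptions. It then accepts a fetched certificate only when
   its subjectPublicKeyInfo is byte-identical to the TAL's key, its
   self-signature verifies under a CA certificate, and it is within its
   validity period. Network retrieval is out of scope: the TAL and the
   certificate are constructed in-process by MakeTA, and the names
   example.net, example-ta, ParseTAL, VerifyTACert and MakeTA are the
   example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

type TAL struct {
	URIs []string // rsync:// and/or https:// locations to fetch the TA certificate from
	SPKI []byte   // DER subjectPublicKeyInfo the fetched certificate must carry
}

// ParseTAL reads the RFC 8630 layout: optional "#" comment lines, one or more URI
// lines, a blank line, then Base64 subjectPublicKeyInfo. Only rsync and https URIs pass.
func ParseTAL(text string) (*TAL, error) {
	tal, b64, inKey := &TAL{}, new(strings.Builder), false
	for _, line := range strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n") {
		switch {
		case inKey:
			b64.WriteString(strings.TrimSpace(line)) // the key may be wrapped over lines
		case line == "": // the first blank line ends the URI section
			inKey = true
		case strings.HasPrefix(line, "#"): // comment; carries no data
		default:
			u, err := url.Parse(line)
			if err != nil || (u.Scheme != "rsync" && u.Scheme != "https") {
				return nil, fmt.Errorf("tal: unusable URI %q", line)
			}
			tal.URIs = append(tal.URIs, line)
		}
	}
	if !inKey || len(tal.URIs) == 0 {
		return nil, fmt.Errorf("tal: need one or more URI lines, a blank line, then a key")
	}
	var err error
	if tal.SPKI, err = base64.StdEncoding.DecodeString(b64.String()); err != nil {
		return nil, fmt.Errorf("tal: bad Base64 key: %w", err)
	}
	return tal, nil
}

// VerifyTACert applies the relying-party checks to a certificate fetched from a TAL URI:
// key byte-identical to the TAL's, self-signed CA (CheckSignatureFrom enforces IsCA), valid at now.
func VerifyTACert(tal *TAL, certDER []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, fmt.Errorf("ta: cannot parse certificate: %w", err)
	}
	if !bytes.Equal(cert.RawSubjectPublicKeyInfo, tal.SPKI) {
		return nil, fmt.Errorf("ta: certificate key does not match TAL key")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return nil, fmt.Errorf("ta: self-signature invalid: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("ta: certificate outside its validity period")
	}
	return cert, nil
}

func must[T any](v T, err error) T { // fixture helper only
	if err != nil {
		panic(err)
	}
	return v
}

// MakeTA builds constructed fixture material, not a real TA: fresh RSA key, self-signed CA cert, TAL.
func MakeTA(uris []string) (talText string, certDER []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ta"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	certDER = must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	spki := must(x509.MarshalPKIXPublicKey(&key.PublicKey)) // same DER as RawSubjectPublicKeyInfo
	talText = "# constructed example TAL\n" + strings.Join(uris, "\n") + "\n\n" +
		base64.StdEncoding.EncodeToString(spki) + "\n"
	return talText, certDER
}

func main() {
	talText, certDER := MakeTA([]string{"https://example.net/ta/ta.cer", "rsync://example.net/ta/ta.cer"})
	tal := must(ParseTAL(talText))
	fmt.Println("genuine:", must(VerifyTACert(tal, certDER, time.Now())).Subject)
	_, rogueDER := MakeTA(tal.URIs) // same URIs, different key: must be rejected
	_, err := VerifyTACert(tal, rogueDER, time.Now())
	fmt.Println("rogue:", err)
}
```

   A real relying party would fetch certDER from each URI in turn (with
   normal TLS server validation for https) and hand it to VerifyTACert;
   a mismatch is a failure to report, never a key rollover to accept. The
   byte comparison of the subjectPublicKeyInfo is what lets the TA
   reissue its certificate with different RFC 3779 extensions while the
   TAL stays unchanged.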

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8630.

Huston, et al.               Standards Track                    [Page 1]
RFC 8630                        HTTPS TAL                    August 2019

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Changes from RFC 7730 ......................................3
   2. Trust Anchor Locator ............................................3
      2.1. Trust Anchor Locator Motivation ............................3
      2.2. Trust Anchor Locator File Format ...........................4
      2.3. TAL and TA Certificate Considerations ......................4
      2.4. Example ....................................................6
   3. Relying Party Use ...............................................6
   4. URI Scheme Considerations .......................................7
   5. Security Considerations .........................................8
   6. IANA Considerations .............................................8
   7. References ......................................................8
      7.1. Normative References .......................................8
      7.2. Informative References ....................................10
   Acknowledgements ..................................................10
   Authors' Addresses ................................................11

1.  Introduction

   This document defines a Trust Anchor Locator (TAL) for the Resource
   Public Key Infrastructure (RPKI) [RFC6480].  This format may be used
   to distribute Trust Anchor (TA) material using a mix of out-of-band
   and online means.  Procedures used by Relying Parties (RPs) to verify
   RPKI signed objects SHOULD support this format to facilitate
   interoperability between creators of TA material and RPs.  This
   document obsoletes [RFC7730] by adding support for Uniform Resource
   Identifiers (URIs) [RFC3986] that use HTTP over TLS (HTTPS) [RFC7230]