A new Request for Comments is now available in online RFC libraries.
RFC 8360
Title: Resource Public Key Infrastructure (RPKI)
Validation Reconsidered
Author: G. Huston,
G. Michaelson,
C. Martinez,
T. Bruijnzeels,
A. Newton,
D. Shaw
Status: Standards Track
Stream: IETF
Date: April 2018
Mailbox: gih@apnic.net, ggm@apnic.net,
carlos@lacnic.net, tim@ripe.net,
andy@arin.net, daniel@afrinic.net
Pages: 29
Characters: 52125
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-sidr-rpki-validation-reconsidered-10.txt
URL: https://www.rfc-editor.org/info/rfc8360
DOI: 10.17487/RFC8360
This document specifies an alternative to the certificate validation
procedure specified in RFC 6487 that reduces aspects of operational
fragility in the management of certificates in the Resource Public
Key Infrastructure (RPKI), while retaining essential security
features.
The procedure specified in RFC 6487 requires that Resource
Certificates are rejected entirely if they are found to overclaim any
resources not contained on the issuing certificate, whereas the
validation process defined here allows an issuing Certification
Authority (CA) to chose to communicate that such Resource
Certificates should be accepted for the intersection of their
resources and the issuing certificate.
It should be noted that the validation process defined here considers
validation under a single trust anchor (TA) only. In particular,
concerns regarding overclaims where multiple configured TAs claim
overlapping resources are considered out of scope for this document.
This choice is signaled by a set of alternative Object Identifiers
(OIDs) per "X.509 Extensions for IP Addresses and AS Identifiers"
(RFC 3779) and "Certificate Policy (CP) for the Resource Public Key
Infrastructure (RPKI)" (RFC 6484). It should be noted that in case
these OIDs are not used for any certificate under a trust anchor, the
validation procedure defined here has the same outcome as the
procedure defined in RFC 6487.
Furthermore, this document provides an alternative to Route Origin
Authorization (ROA) (RFC 6482) and BGPsec Router Certificate (BGPsec
PKI Profiles -- publication requested) validation.
This document is a product of the Secure Inter-Domain Routing Working Group of the IETF.
This is now a Proposed Standard.
STANDARDS TRACK: This document specifies an Internet Standards Track
protocol for the Internet community, and requests discussion and suggestions
for improvements. Please refer to the current edition of the Official
Internet Protocol Standards (https://www.rfc-editor.org/standards) for the
standardization state and status of this protocol. Distribution of this
memo is unlimited.
This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
https://www.ietf.org/mailman/listinfo/ietf-announce
https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
The RFC Editor Team
Association Management Solutions, LLC
