A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.
Title : Local Trust Anchor Management for the Resource Public Key Infrastructure
Author(s) : Mark C. Reynolds
Stephen Kent
Matthew Lepinski
Filename : draft-ietf-sidr-ltamgmt-08.txt
Pages : 28
Date : 2013-04-05
Abstract:
This document describes a facility to enable a relying party (RP) to
manage trust anchors (TAs) in the context of the Resource Public Key
Infrastructure (RPKI). It is common in RP software (not just in the
RPKI) to allow an RP to import TA material in the form of self-signed
certificates. However, this approach to incorporating TAs is
potentially dangerous. (These self-signed certificates rarely
incorporate any extensions that impose constraints on the scope of
the imported public keys, and the RP is not able to impose such
constraints.) The facility described in this document allows an RP to
impose constraints on such TAs. Because this mechanism is designed to
operate in the RPKI context, the most important constraints are the
Internet Number Resources (INRs) expressed via RFC 3779 extensions.
These extentions bind address spaces and/or autonomous system (AS)
numbers to entities. The primary motivation for the facility described
in this document is to enable an RP to ensure that INR information
that it has acquired via some trusted channel is not overridden by the
information acquired from the RPKI repository system or by the putative
TAs that the RP imports. Specifically, the mechanism allows an RP to
specify a set of overriding bindings between public key identifiers and
INR data. These bindings take precedence over any conflicting bindings
acquired by the putative TAs and the certificates downloaded from the
RPKI repository system. This mechanism is designed for local use by an RP,
but any entity that is accorded administrative control over a set of RPs
may use this mechanism to convey its view of the RPKI to RPs within its
jurisdiction. The means by which this latter use case is effected is
outside the scope of this document.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-ltamgmt
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-08
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-ltamgmt-08
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
