1 / 10

A Profile for Trust Anchor Material for the Resource Certificate PKI

A Profile for Trust Anchor Material for the Resource Certificate PKI. Geoff Huston SIDR WG IETF 74. Background. This has been the topic of WG discussion who should be putative TA for the RPKI how should TA material be published

jake
Download Presentation

A Profile for Trust Anchor Material for the Resource Certificate PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74

  2. Background • This has been the topic of WG discussion • who should be putative TA for the RPKI • how should TA material be published • Focus the discussion by creating a document to address Trust Anchors for the RPKI • Removed section 6.3 from Res Cert profile draft • Created a new draft with this material • draft-ietf-sidr-ta-00.txt

  3. Who? • Draft is silent on prescribing roles for bodies: “This document does not nominate any organizations as default trust anchors for the RPKI.” • Reasons for this position: • This task falls outside of IETF WG direction relating to conventional protocol parameter registry functions • The standard technology specification should encompass use in a broad spectrum of contexts including various forms of private use as well as public • However, the document does observe that: “for most RPs, the IANA is in a unique role as the default TA for representing public address space and public AS numbers.”

  4. How? • No change from previous TA specification in draft-ietf-sidr-res-certs • (aside from some terminology clarifications) • Two-Tier Model of Trust Anchor • Allows for variation in resources held at the “root” while keeping the trust anchor material constant • Can be used in a variety of contexts, both public and private • Aligns with the TA work in PKIX WG (draft-ietf-pkix-ta-format-01)

  5. ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) 1. External Trust Anchor Certificate - ETA Signed: ETA

  6. ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) Signed: ETA CRL of ETA Issuer: ETA 2. Certificate Revocation List for ETA Signed: ETA

  7. ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA Signed: ETA CRL of ETA Issuer: ETA 3. ETA EE Certificate (for CMS Object Verification) Signed: ETA

  8. ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA Signed: ETA CRL of ETA Issuer: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: ETA Signed: RPKI TA 4. RPKI TA Certificate

  9. CMS Signed Object 5. CMS packaging of the RPKI TA Certificate ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) CMS Header ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA Signed: ETA CMS Payload CRL of ETA Issuer: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: ETA Signed: RPKI TA Signed: ETA EE

  10. CMS Signed Object ETA TA Certificate Issuer: ETA Subject: ETA CA: True (no 3779 ext) CMS Header ETA EE Certificate Issuer: ETA Subject: ETA EE CA: False (no 3779 ext) Signed: ETA Signed: ETA CMS Payload CRL of ETA Issuer: ETA RPKI TA Certificate Issuer: RPKI TA Subject: RPKI TA CA: True 3779 Exts Signed: ETA Signed: RPKI TA Signed: ETA EE

More Related