Skip to content
Permalink
root
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

rpki-setup-key-rollover/draft-misell-rpki-bpki-key-rollover.xml

Go to file
 
 
Cannot retrieve contributors at this time
239 lines (224 sloc) 11.6 KB
Raw Blame
Open in GitHub Desktop
<?xml version="1.0" encoding="utf-8"?>
<?xml-model href="rfc7991bis.rnc"?>
<!DOCTYPE rfc [
<!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
ipr="trust200902" submissionType="IETF" category="std" version="3"
docName="draft-misell-rpki-bpki-key-rollover-latest">
<front>
<title abbrev="RPKI BPKI Rollover">A BPKI key rollover protocol for the Resource Public Key Infrastructure (RPKI)</title>
<seriesInfo name="Internet-Draft" status="standard" value="draft-misell-rpki-bpki-key-rollover-latest"/>
<author fullname="Q Misell" initials="Q" surname="Misell">
<organization abbrev="AS207960">AS207960 Cyfyngedig</organization>
<address>
<postal>
<street>13 Pen-y-lan Terrace</street>
<city>Caerdydd</city>
<code>CF23 9EU</code>
<country>United Kingdom</country>
</postal>
<email>q@as207970.net</email>
<email>q@magicalcodewit.ch</email>
<uri>https://magicalcodewit.ch</uri>
</address>
</author>
<area>rtg</area>
<workgroup>sidr</workgroup>
<abstract>
<t></t>
</abstract>
</front>
<middle>
<section>
<name>Introduction</name>
<t>The RPKI setup protocol specified in
<xref target="RFC8183"/>
does not specify a mechanism for key rollover
of the CA keys exchanged during the setup process. This document extends
<xref target="RFC6492"/>
and
<xref target="RFC8181"/>
to allow both the server and client to update their CA keys in-band.
</t>
<section>
<name>Requirements Language</name>
<t>The key words <bcp14>MUST</bcp14>, <bcp14>MUST NOT</bcp14>, <bcp14>REQUIRED</bcp14>,
<bcp14>SHALL</bcp14>, <bcp14>SHALL NOT</bcp14>, <bcp14>SHOULD</bcp14>, <bcp14>SHOULD NOT</bcp14>,
<bcp14>RECOMMENDED</bcp14>, <bcp14>NOT RECOMMENDED</bcp14>, <bcp14>MAY</bcp14>, and
<bcp14>OPTIONAL</bcp14>
in this document are to be interpreted as described in
<xref target="BCP14"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section>
</section>
<section>
<name>Protocol specification</name>
<section>
<name>Protocol negotiation</name>
<t>This document does not define a method to negotiate usage of these new extensions.
It is up to operators to use out-of-band mechanisms to agree on support for this document.
</t>
</section>
<section>
<name>XML Namespace</name>
<t>All new XML elements defined in this document belong to the namespace of
<tt>https://as207960.net/spec/rpki/setup-update/</tt>. This document uses the XML namespace prefix of
<tt>setup_update</tt> however compliant implementations <bcp14>MUST</bcp14> accept other namespace
prefixes.
</t>
</section>
<section>
<name>New message types</name>
<t>The <tt>type</tt> field of the <tt>message</tt> element in the
<tt>http://www.apnic.net/specs/rescerts/up-down/</tt> namespace, and the <tt>type</tt> field of the
<tt>msg</tt> element in the <tt>http://www.hactrn.net/uris/rpki/publication-spec/</tt> namespace are
extended with the following new values:
</t>
<ul>
<li>update_client_certificate</li>
<li>updated_client_certificate_accepted</li>
<li>request_updated_server_certificate</li>
<li>updated_server_certificate</li>
<li>accept_updated_server_certificate</li>
</ul>
<t>The messages for these extensions are defined below.</t>
<section>
<name>The <tt>update_client_certificate</tt> message</name>
<t>The value of the message <tt>type</tt> element for this request is:</t>
<sourcecode>
type="update_client_certificate"
</sourcecode>
<t>Payload:</t>
<sourcecode type="xml"><![CDATA[
<setup_update:new_child_bpki_ta xmnls:setup_update="https://as207960.net/spec/rpki/setup-update/">
[New child TA CA]
</setup_update:new_child_bpki_ta>
]]></sourcecode>
<t>The child CA <bcp14>MUST</bcp14> be encoded as specified in
<xref target="RFC8183"/>
</t>
<t>This command directs the server to update its stored TA for the client. The server
<bcp14>MUST</bcp14>
update its stored certificate or respond with a Request-Not-Performed Response. If the client
receives a Request-Not-Performed Response it <bcp14>MUST</bcp14> continue to use its old TA.
</t>
</section>
<section>
<name>The <tt>updated_client_certificate_accepted</tt> message</name>
<t>The value of the message <tt>type</tt> element for this request is:</t>
<sourcecode>
type="updated_client_certificate_accepted"
</sourcecode>
<t>This message has no payload.</t>
<t>Receipt of this message by a client in response to an <tt>update_client_certificate</tt> message
indicates the server has accepted the client's new TA and that the client <bcp14>MUST</bcp14> use
its new TA in all future exchanges.
</t>
</section>
<section>
<name>The <tt>request_updated_server_certificate</tt> message</name>
<t>The value of the message <tt>type</tt> element for this request is:</t>
<sourcecode>
type="request_updated_server_certificate"
</sourcecode>
<t>This message has no payload.</t>
<t>This message indicates a request from the client to the server for the server's new TA CA, if
available. Servers <bcp14>MUST</bcp14> respond with an <tt>updated_server_certificate</tt>
unless an internal error occurred.
</t>
<t>Clients <bcp14>SHOULD</bcp14> send this message periodically to check for a new TA from the
parent.
</t>
</section>
<section>
<name>The <tt>updated_server_certificate</tt> message</name>
<t>The value of the message <tt>type</tt> element for this request is:</t>
<sourcecode>
type="updated_server_certificate"
</sourcecode>
<t>Payload:</t>
<sourcecode type="xml"><![CDATA[
<setup_update:new_parent_bpki_ta xmnls:setup_update="https://as207960.net/spec/rpki/setup-update/">
[New parent TA CA]
</setup_update:new_parent_bpki_ta>
]]></sourcecode>
<t>OR</t>
<sourcecode type="xml"><![CDATA[
<setup_update:no_new_parent_bpki_ta xmnls:setup_update="https://as207960.net/spec/rpki/setup-update/"/>
]]></sourcecode>
<t>The parent CA <bcp14>MUST</bcp14> be encoded as specified in
<xref target="RFC8183"/>
</t>
<t>This response either includes the parents new TA if one is available, or a statement that the
parent
doesn't have a new TA it wishes to communicate to its client.
</t>
</section>
<section>
<name>The "accept_updated_server_certificate" message</name>
<t>The value of the message "type" element for this request is:</t>
<sourcecode>
type="accept_updated_server_certificate"
</sourcecode>
<t>This message has no payload.</t>
<t>This message indicates that the client has accepted the server's new TA. Future exchanges
<bcp14>MUST</bcp14>
use the parent's new TA.
</t>
</section>
</section>
<section>
<name>End Entity Certificates for updating the Trust Anchor</name>
<t>Each CMS message in <xref target="RFC6492"/> and <xref target="RFC8181"/> must be signed by an EE
certificate. Due to the sensitive nature of updating the TA a standard EE cannot be used to update
the TA and ensure sufficient security.</t>
<t>The EE certificate used to sign a CMS message containing a message relating to a TA
<bcp14>MUST</bcp14> include an rpkiBpkiTAUpdate X.509 extendedKeyUsage. If a client or a server
receives a message relating to TAs not including this EKU it <bcp14>MUST</bcp14> reject the
message.</t>
<t>The rpkiBpkiTAUpdate has the OID of <tt>1.3.6.1.4.1.56292.1.2.1</tt></t>
</section>
<section>
<name>Error codes</name>
<t>The
<xref target="RFC6492"/>
error codes are extended with the following additional codes:
</t>
<ol>
<li>1401: The new TA presented by the child wasn't acceptable to the server, the
reasons <bcp14>SHOULD</bcp14> be elaborated in the "description" element.
</li>
</ol>
<t>The
<xref target="RFC8181"/>
error codes are extended with the following additional codes:
</t>
<ol>
<li>unacceptable_child_ca: The new TA presented by the child wasn't acceptable to the server, the
reasons <bcp14>SHOULD</bcp14> be elaborated in the "error_text" element.
</li>
</ol>
</section>
</section>
</middle>
<back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<referencegroup anchor="BCP14" target="https://www.rfc-editor.org/info/bcp14">
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8174.xml"/>
</referencegroup>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.6492.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8181.xml"/>
<xi:include href="https://www.rfc-editor.org/refs/bibxml/reference.RFC.8183.xml"/>
</references>
</references>
</back>
</rfc>