Internet DRAFT - draft-huston-sidr-validity
draft-huston-sidr-validity
Network Working Group G. Huston
Internet-Draft G. Michaelson
Updates: 6487 (if approved) APNIC
Intended status: Standards Track October 9, 2015
Expires: April 11, 2016
Update to RPKI Validation
draft-huston-sidr-validity-00.txt
Abstract
This document updates the RPKI certificate validation procedure as
specified in Section 7.2 of RFC6487.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 11, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Huston & Michaelson Expires April 11, 2016 [Page 1]
Internet-Draft RPKI Validation October 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The RPKI Certification Path Validation . . . . . . . . . . . . 3
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
6. Normative References . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
Huston & Michaelson Expires April 11, 2016 [Page 2]
Internet-Draft RPKI Validation October 2015
1. Introduction
This document updates the RPKI certificate validation procedure as
specified in Section 7.2 of [RFC6487], by replacing the section 7.2
of [RFC6487] with the specification contained here.
2. The RPKI Certification Path Validation
Validation of signed resource data using a target resource
certificate, and a specific set of number resources, consists of
verifying that the digital signature of the signed resource data is
valid, using the public key of the target resource certificate, and
also validating the resource certificate in the context of the RPKI,
using the path validation process. This path validation process
verifies, among other things, that a prospective certification path
(a sequence of n certificates) satisfies the following conditions:
1. for all 'x' in {1, ..., n-1}, the Subject of certificate 'x'
is the Issuer of certificate ('x' + 1);
2. certificate '1' is issued by a trust anchor;
3. certificate 'n' is the certificate to be validated; and
4. for all 'x' in {1, ..., n}, certificate 'x' is valid for the
specific set of resources.
RPKI validation for a specific set of resources entails verifying
that all of the following conditions hold, in addition to the
Certification Path Validation criteria specified in Section 6 of
[RFC5280]:
1. The certificate can be verified using the Issuer's public key
and the signature algorithm
2. The current time lies within the certificate's Validity From
and To values.
Huston & Michaelson Expires April 11, 2016 [Page 3]
Internet-Draft RPKI Validation October 2015
3. The certificate contains all fields that MUST be present, as
specified by [RFC6487], and contains values for selected
fields that are defined as allowable values by this
specification.
4. No field, or field value, that the [RFC6487] specification
defines as MUST NOT be present is used in the certificate.
5. The Issuer has not revoked the certificate. A revoked
certificate is identified by the certificate's serial number
being listed on the Issuer's current CRL, as identified by the
CRLDP of the certificate, the CRL is itself valid, and the
public key used to verify the signature on the CRL is the same
public key used to verify the certificate itself.
6. The resource extension data contained in this certificate
"encompasses" the entirety of the resources in the specific
resource set ("encompass" in this context is defined in
Section 7.1 of [RFC6487]).
7. The Certification Path originates with a certificate issued by
a trust anchor, and there exists a signing chain across the
Certification Path where the Subject of Certificate 'x' in the
Certification Path matches the Issuer in Certificate 'x + 1'
in the Certification Path, and the public key in Certificate
'x' can verify the signature value in Certificate 'x+1'.
A certificate validation algorithm MAY perform these tests in any
chosen order.
There exists the possibility of encountering certificate paths that
are arbitrarily long, or attempting to generate paths with loops as
means of creating a potential denial-of-service (DOS) attack on an
Relying Party (RP). An RP executing this procedure MAY apply further
heuristics to guide the certification path validation process to a
halt in order to avoid some of the issues associated with attempts to
validate such malformed certification path structures.
Implementations of resource certificate validation MAY halt with a
validation failure if the certification path length exceeds a locally
defined configuration parameter.
Huston & Michaelson Expires April 11, 2016 [Page 4]
Internet-Draft RPKI Validation October 2015
3. Security Considerations
This update is intended to improve the robustness of the RPKI
framework by altering the procedure of the original validation path
that included an "encompassing" condition applied pairwise to the
certificates used in the validation path.
The intent of this update is to ensure that all certificates on a
validation path encompass the resources that are included in the
validation query, but to remove the "encompassing" constraint on the
resources used in pairwise comparison. This change to the validation
procedure reduces the criticality of strict orchestration of the
sequence of certificate issuance and revocation in those
circumstances, and can thereby improve the robustness of the RPKI as
a consequence, without altering the underlying semnatics of the
association of a public key value across a collection of number
resources.
4. IANA Considerations
No updates to the registries are suggested by this document.
5. Acknowledgements
Thanks
6. Normative References
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for
X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/
RFC6487, February 2012,
<http://www.rfc-editor.org/info/rfc6487>.
Huston & Michaelson Expires April 11, 2016 [Page 5]
Internet-Draft RPKI Validation October 2015
Authors' Addresses
Geoff Huston
Asia Pacific Network Information Centre
6 Cordelia St
South Brisbane, QLD 4101
Australia
Phone: +61 7 3858 3100
Email: gih@apnic.net
George Michaelson
Asia Pacific Network Information Centre
6 Cordelia St
South Brisbane, QLD 4101
Australia
Phone: +61 7 3858 3100
Email: ggm@apnic.net
Huston & Michaelson Expires April 11, 2016 [Page 6]