A Profile for Resource Public Key Infrastructure (RPKI) Trust Anchor Keys (TAKs) LACNIC
Rambla Mexico 6125 Montevideo 11400 Uruguay carlos@lacnic.net https://www.lacnic.net/
Asia Pacific Network Information Centre
6 Cordelia St South Brisbane 4101 Australia QLD ggm@apnic.net
Asia Pacific Network Information Centre
6 Cordelia St South Brisbane 4101 Australia QLD tomh@apnic.net
RIPE NCC
Stationsplein 11 Amsterdam The Netherlands tim@ripe.net https://www.ripe.net/
Dragon Research Labs
sra@hactrn.net
OPS sidrops security cryptography X.509 A Trust Anchor Locator (TAL) is used by Relying Parties (RPs) in the Resource Public Key Infrastructure (RPKI) to locate and validate a Trust Anchor (TA) Certification Authority (CA) certificate used in RPKI validation. This document defines an RPKI signed object for a Trust Anchor Key (TAK). A TAK object can be used by a TA to signal to RPs the location(s) of the accompanying CA certificate for the current public key, as well as the successor public key and the location(s) of its CA certificate. This object helps to support planned key rollovers without impacting RPKI validation.
Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Overview
    • .  Requirements Notation
  • .  TAK Object Definition
    • .  The TAK Object Content Type
    • .  The TAK Object eContent
      • .  TAKey
      • .  TAK
    • .  TAK Object Validation
  • .  TAK Object Generation and Publication
  • .  Relying Party Use
    • .  Manual Update of TA Public Key Details
  • .  Maintaining Multiple TA Key Pairs
  • .  Performing TA Key Rolls
    • .  Phase 1: Add a TAK for Key Pair 'A'
    • .  Phase 2: Add a Key Pair 'B'
    • .  Phase 3: Update TAL to point to 'B'
    • .  Phase 4: Remove Key Pair 'A'
  • .  Using TAK Objects to Distribute TAL Data
  • .  Deployment Considerations
    • .  Relying Party Support
    • .  Alternate Transition Models
  • .  Operational Considerations
    • .  Acceptance Timers
  • Security Considerations
    • .  Previous Keys
    • .  TA Compromise
    • .  Alternate Transition Models
  • IANA Considerations
    • .  Content Type
    • .  Signed Object
    • .  File Extension
    • .  Module Identifier
    • .  Registration of Media Type application/rpki-signed-tal
  • References
    • .  Normative References
    • .  Informative References
  • .  ASN.1 Module
  • Acknowledgments
  • Authors' Addresses
Overview A Trust Anchor Locator (TAL) is used by Relying Parties (RPs) in the Resource Public Key Infrastructure (RPKI) to locate and validate Trust Anchor (TA) Certification Authority (CA) certificates used in RPKI validation. However, until now, there has been no in-band way of notifying RPs of updates to a TAL. In-band notifications mean that TA operators can be more confident of RPs being aware of key rollover operations. This document defines a new RPKI signed object that can be used to document the location(s) of the TA CA certificate for the current TA public key, as well as the value of the successor public key and the location(s) of its TA CA certificate. This allows RPs to be notified automatically of such changes and enables TAs to stage a successor public key so that planned key rollovers can be performed without risking the invalidation of the RPKI tree under the TA. We call this object the Trust Anchor Key (TAK) object. When RPs are first bootstrapped, they use a TAL to discover the public key and location(s) of the CA certificate for a TA. The RP can then retrieve and validate the CA certificate and subsequently validate the manifest and Certificate Revocation List (CRL) published by that TA (). However, before processing any other objects, it will first validate the TAK object if it is present. If the TAK object lists only the current public key, then the RP continues processing as it would in the absence of a TAK object. If the TAK object includes a successor public key, the RP starts a 30-day acceptance timer for that key and then continues standard top-down validation with the current public key. During the following validation runs up until the expiry of the acceptance timer, the RP verifies that the public keys and the certificate URLs listed in the TAK object remain unchanged. If they remain unchanged as at that time, then the RP will fetch the successor public key, update its local state with that public key and its associated certificate location(s), and continue processing using that public key. The primary motivation for this work is being able to migrate from a Hardware Security Module (HSM) produced by one vendor to one produced by another, where the first vendor does not support exporting private keys for use by the second. There may be other scenarios in which key rollover is useful, though.
Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
TAK Object Definition The TAK object makes use of the template for RPKI digitally signed objects , which defines a Cryptographic Message Syntax (CMS) wrapper for the content, as well as a generic validation procedure for RPKI signed objects. Therefore, to complete the specification of the TAK object (see ), this document defines the following:
  • the OID () that identifies the signed object as being a TAK (this OID appears within the eContentType in the encapContentInfo object, as well as the content-type signed attribute in the signerInfo object)
  • the ASN.1 syntax for the TAK eContent ()
  • the additional steps required to validate a TAK ()
The TAK Object Content Type This document specifies an OID for the TAK object as follows: id-ct-signedTAL OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 50 } This OID MUST appear in both the eContentType in the encapContentInfo object and the content-type signed attribute in the signerInfo object (see ).
The TAK Object eContent The content of a TAK object is ASN.1 encoded using the Distinguished Encoding Rules (DER) and is defined per the module in .
TAKey This structure defines a TA public key similar to that from . It contains a sequence of zero or more comments, one or more certificate URIs, and a SubjectPublicKeyInfo.
comments:
This field is semantically equivalent to the comment section defined in . Each comment is human-readable informational UTF-8 text , conforming to the restrictions defined in . The leading "#" character that is used to denote a comment in is omitted here.
certificateURIs:
This field is semantically equivalent to the URI section defined in . It MUST contain at least one CertificateURI element. Each CertificateURI element contains the IA5String representation of either an rsync URI or an HTTPS URI .
subjectPublicKeyInfo:
This field contains a SubjectPublicKeyInfo () in the DER format .
TAK
version:
The version number of the TAK object MUST be 0.
current:
This field contains the TA public key of the repository in which the TAK object is published.
predecessor:
This field contains the TA public key that was in use for this TA immediately prior to the current TA public key, if applicable.
successor:
This field contains the TA public key to be used in place of the current public key, if applicable, after expiry of the relevant acceptance timer.
TAK Object Validation To determine whether a TAK object is valid, the RP MUST perform the following checks in addition to those specified in :
  • The eContentType OID matches the OID described in .
  • The TAK object appears as the product of a TA CA certificate (i.e., the TA CA certificate itself is the issuer of the End-Entity (EE) certificate of the TAK object).
  • The TA CA has published only one TAK object in its repository for this public key, and this object appears on the manifest as the only entry using the ".tak" extension (see ).
  • The EE certificate of this TAK object describes its Internet Number Resources (INRs) using the "inherit" attribute.
  • The decoded TAK content conforms to the format defined in .
  • The SubjectPublicKeyInfo value of the current TA public key in the TAK object matches that of the TA CA certificate used to issue the EE certificate of the TAK object.
If any of these checks do not succeed, the RP MUST ignore the TAK object and proceed as though it were not listed on the manifest. The RP is not required to compare its current set of certificateURIs for the current public key with those listed in the TAK object. The RP MAY alert the user that these sets of certificateURIs do not match. If this happens, the user may opt to manually update the set of certificateURIs in their configuration. However, the RP MUST NOT automatically update its configuration to use these certificateURIs in the event of inconsistency. This is because the migration of users to new certificateURIs should happen by way of the successor public key process.
TAK Object Generation and Publication A non-normative guideline for naming this object is that the filename be a value derived from the public key part of the entity's key pair, using the algorithm described for CRLs in . The filename extension of ".tak" MUST be used to denote the object as a TAK. In order to generate a TAK object, the TA MUST perform the following actions:
  • The TA MUST generate a one-time-use EE certificate for the TAK.
  • This EE certificate MUST have a unique key pair.
  • This EE certificate MUST have a Subject Information Access (SIA) extension access description field with an accessMethod OID value of id-ad-signedObject, where the associated accessLocation references the publication point of the TAK as an object URL.
  • As described in , the EE certificate used for this object must contain either the IP Address Delegation extension or the Autonomous System Identifier Delegation extension , or both. However, because the resource set is irrelevant to this object type, this certificate MUST describe its INRs using the "inherit" attribute rather than explicitly describing a resource set.
  • This EE certificate MUST have a "notBefore" time that matches or predates the moment that the TAK will be published.
  • This EE certificate MUST have a "notAfter" time that reflects the intended duration for which this TAK will be published. If the EE certificate for a TAK object is expired, it MUST no longer be published, but it MAY be replaced by a newly generated TAK object with equivalent content and an updated "notAfter" time.
  • The current TA public key for the TAK MUST match that of the TA CA certificate under which the TAK was issued.
In distribution contexts that support media types, the "application/rpki-signed-tal" media type can be used for TAK objects.
Relying Party Use RPs MUST keep a record of the current public key for each configured TA, as well as the URI(s) where the CA certificate for this public key may be retrieved. This record is typically bootstrapped by the use of a pre-configured (and unsigned) TAL file . When performing top-down validation, RPs MUST first validate and process the TAK object for its current known public key by performing the following steps:
  • A CA certificate is retrieved and validated from the known URIs as described in Sections and of .
  • The manifest and CRL for this certificate are then validated as described in and .
  • If the TAK object is present, it is validated as described in .
If the TAK object includes a successor public key, then the RP must verify the successor public key by:
  • performing top-down validation using the successor public key in order to validate the TAK object for the successor TA,
  • ensuring that a valid TAK object exists for the successor TA,
  • ensuring that the successor TAK object's current public key matches the initial TAK object's successor public key, and
  • ensuring that the successor TAK object's predecessor public key matches the initial TAK object's current public key.
If any of these steps fails, then the successor public key has failed verification. If the successor public key passes verification and the RP has not seen that successor public key on the previous successful validation run for this TA, then the RP:
  • sets an acceptance timer of 30 days for this successor public key for this TA,
  • cancels the existing acceptance timer for this TA (if applicable), and
  • continues standard top-down validation as described in using the current public key.
If the successor public key passes verification and the RP has seen that successor public key on the previous successful validation run for this TA, the RP continues standard top-down validation using the current public key if the relevant acceptance timer has not expired. Otherwise, the RP updates its current known public key details for this TA to be those of the successor public key and begins top-down validation again using the successor public key. If the successor public key does not pass verification or if the TAK object does not include a successor public key, the RP cancels the existing acceptance timer for this TA (if applicable). An RP MUST NOT use a successor public key for top-down validation outside of the process described above, except for the purpose of testing that the new public key is working correctly. This allows a TA to publish a successor public key for a period of time, allowing RPs to test it while still being able to rely on RPs using the current public key for their production RPKI operations. A successor public key may have the same SubjectPublicKeyInfo value as the current public key; this will be the case where a TA is updating the certificateURIs for that public key.
Manual Update of TA Public Key Details An RP may opt to not support the automatic transition of TA public key data, as defined in . An alternative approach is for the RP to alert the user when a new successor public key is seen and when the relevant acceptance timer has expired. The user can then manually transition to the new TA public key data. This process ensures that the benefits of the acceptance timer period are still realised, as compared with TA public key update based on a TAL distributed out of band by a TA.
Maintaining Multiple TA Key Pairs An RP that can process TAK objects will only ever use one public key for validation: either the current public key, or the successor public key once the relevant acceptance timer has expired. By contrast, an RP that cannot process TAK objects will continue to use the public key details per its TAL (or equivalent manual configuration) indefinitely. As a result, even when a TA is using a TAK object in order to migrate clients to a new public key, the TA may have to maintain the previous key pair for a period of time alongside the new key pair in order to ensure continuity of service for older clients. For each TA key pair that a TA maintains, the signed material for these key pairs MUST be published under different directories in the context of the 'id-ad-caRepository' and 'id-ad-rpkiManifest' SIA descriptions contained on the CA certificates . Publishing objects under the same directory is potentially confusing for RPs and could lead to object invalidity in the event of filename collisions. Also, the CA certificates for each maintained key pair and the content published for each key pair MUST be equivalent (except for the TAK object). In other words, for the purposes of RPKI validation, it MUST NOT make a difference which of the public keys is used as a starting point. This means that the IP and Autonomous System (AS) resources contained on all current CA certificates for the maintained TA key pairs MUST be the same. Furthermore, for any delegation of IP and AS resources to a child CA, the TA MUST have an equivalent CA certificate published under each of its key pairs. Any updates in delegations MUST be reflected under each of its key pairs. A TA SHOULD NOT publish any other objects besides a CRL, a manifest, a single TAK object, and any number of CA certificates for delegation to child CAs. If a TA uses a single remote publication server (per ) for its key pairs, then it MUST include all <publish/> and <withdraw/> Protocol Data Units (PDUs) for the products of each of its key pairs in a single query in order to reduce the risk of RPs seeing inconsistent data in the TA's RPKI repositories. If a TA uses multiple publication servers, then the content for different key pairs will be out of sync at times. The TA SHOULD ensure that the duration of these moments is limited to the shortest possible time. Furthermore, the following should be observed:
  • In cases where a CA certificate is revoked or replaced by a certificate with a reduced set of resources, these changes will not take effect fully until all the relevant repository publication points have been updated. Given that TA private key operations are normally performed infrequently, this is unlikely to be a problem: if the revocation or shrinking of an issued CA certificate is staged for days/weeks, then experiencing a delay of several minutes for the repository publication points to be updated is relatively insignificant.
  • In cases where a CA certificate is replaced by a certificate with an extended set of resources, the TA MUST inform the receiving CA only after all of its repository publication points have been updated. This ensures that the receiving CA will not issue any products that could be invalid if an RP uses a TA public key just before the CA certificate was due to be updated.
Finally, note that the publication locations of CA certificates for delegations to child CAs under each key pair will be different; therefore, the Authority Information Access 'id-ad-caIssuers' values () on certificates issued by the child CAs may not be as expected when performing top-down validation, depending on the TA public key that is used. However, these values are not critical to top-down validation, so RPs performing such validation MUST NOT reject a certificate simply because this value is not as expected.
Performing TA Key Rolls This section describes how present-day RPKI TAs that use only one key pair and do not use TAK objects can use a TAK object to perform a planned key rollover.
Phase 1: Add a TAK for Key Pair 'A' Before adding a successor public key, a TA may want to confirm that it can maintain a TAK object for its current key pair only. We will refer to this key pair as key pair 'A' throughout this section.
Phase 2: Add a Key Pair 'B' The TA can now generate a new key pair called 'B'. The private key of this key pair MUST now be used to create a new CA certificate for the associated public key and issue equivalent CA certificates for delegations to child CAs as described in . At this point, the TA can also construct a new TAL file for the public key of key pair 'B' and locally test that the validation outcome for the new public key is equivalent to that of the other current public key(s). When the TA is certain that the content for both public keys is equivalent and wants to initiate the migration from 'A' to 'B', it issues a new TAK object under key pair 'A', with the public key from that key pair as the current public key for that object, the public key from key pair 'B' as the successor public key, and no predecessor public key. It also issues a TAK object under key pair 'B', with the public key from that key pair as the current public key for that object, the public key from key pair 'A' as the predecessor public key, and no successor public key. Once this has happened, RP clients will start seeing the new public key and setting acceptance timers accordingly.
Phase 3: Update TAL to point to 'B' At about the time that the TA expects clients to start setting the public key from key pair 'B' as the current public key, the TA must release a new TAL file for that public key. It SHOULD use a different set of URIs in the TAL compared to the TAK file so that the TA can learn the proportion of RPs that can successfully validate and use the updated TAK objects. To support RPs that do not take account of TAK objects, the TA should continue operating key pair 'A' for a period of time after the expected migration of clients to the public key from 'B'. The length of that period of time is a local policy matter for that TA: for example, it might operate the key pair until no clients are attempting to validate using the associated public key.
Phase 4: Remove Key Pair 'A' The TA SHOULD now remove all content from the repository used by key pair 'A' and destroy the private key for that key pair. RPs attempting to rely on a TAL for the public key from key pair 'A' from this point will not be able to perform RPKI validation for the TA and will have to update their local state manually by way of a new TAL file.
Using TAK Objects to Distribute TAL Data RPs must be configured with RPKI TA data in order to function correctly. This TA data is typically distributed in the TAL format defined in . A TAK object can also serve as a format for distribution of this data, though, because the TAKey data stored in the TAK object contains the same data that would appear in a TAL for the associated TA. RPs may support conversion of TAK objects into TAL files. RPs that support conversion MUST validate the TAK object using the process from . One exception to the standard validation process in this context is that an RP MAY treat a TAK object as valid, even though it is associated with a TA that the RP is not currently configured to trust. If the RP is relying on this exception when converting a given TAK object, the RP MUST communicate that fact to the user. When converting a TAK object, an RP MUST default to producing a TAL file based on the 'current' TAKey in the TAK object, though it MAY optionally support producing TAL files based on the 'predecessor' and 'successor' TAKeys. If the TAKey that is being converted has comments, an RP MUST include those comments in the TAL file. If TAK object validation fails, then the RP MUST NOT produce a TAL file based on the TAK object. Users should be aware that TAK objects distributed out of band have similar security properties to TAL files (i.e., there is no authentication). In particular, TAK objects that are not signed by TAs with which the RP is currently configured should only be used if the source that distributes them is one the user trusts to distribute TAL files. If an RP is not transitioning to new TA data using the automatic process described in or the partially manual process described in , then the user will have to rely on an out-of-band mechanism for validating and updating the TA data for the RP. Users in this situation should take similar care when updating a TA using a TAK object file as when using a TAL file to update TA data.
Deployment Considerations
Relying Party Support Publishing TAK objects while RPs do not support this standard will result in those RPs rejecting these objects. It is not expected that this will result in the invalidation of any other object under a TA. Some RPs may purposefully not support this mechanism: for example, they may be implemented or configured such that they are unable to update local current public key data. TA operators should take this into consideration when planning key rollover. However, these RPs would ideally still notify their operators of planned key rollovers so that the operator could update the relevant configuration manually.
Alternate Transition Models Alternate models for TAL update exist and are complementary to this mechanism. For example, TAs can liaise directly with RP software developers to include updated and reissued TAL files in new code releases and use existing code update mechanisms in the RP community to distribute the changes. Additionally, these non-TA channels for distributing TAL data may themselves monitor for TAK objects and then update the TAL data in their distributions or packages accordingly. In this way, TAK objects may be useful even for RPs that don't implement in-band support for the protocol. Non-TA channels for distributing TAL data should ensure, so far as is possible, that their update mechanisms take account of any changes that a user has made to their local TA public key configuration. For example, if a new public key is published for a TA, but the non-TA channel's mechanism is able to detect that a user had removed the TA's previous public key from their local TA public key configuration such that the user no longer relies on it, then the mechanism should not add the new public key to the user's TA public key configuration by default.
Operational Considerations
Acceptance Timers Acceptance timers are used in TAK objects in order to permit RPs to test that the new public key is working correctly. In turn, this means that the TA operator will be able to gain confidence in the correct functioning of the new public key before RPs are relying on that public key in their production RPKI operations. If a successor public key is not working correctly, a TA may remove that public key from the current TAK object. A TA that removes a successor public key from a TAK object SHOULD NOT add the same successor public key back into the TAK object for that TA. This is because there may be an RP that has fetched the TAK object while the successor public key was listed in it and has started an acceptance timer accordingly but has not fetched the TAK object during the period when the successor public key was not listed in it. If the unchanged successor public key is added back into the TA, such an RP will transition to using the new TA public key more quickly than other RPs, which may make debugging and similar processes more complicated. A simple way of addressing this problem in a situation where the TA operator doesn't want to reissue the SubjectPublicKeyInfo content for the successor public key that was withdrawn is to update the URL set for the successor public key. Since RPs must take that URL set into account for the purposes of initiating and cancelling acceptance timers, an RP that observes a change to that URL set will cancel any existing acceptance timer it has and initiate a new acceptance timer in its place.
Security Considerations
Previous Keys A TA needs to consider the length of time for which it will maintain previously current key pairs and their associated repositories. An RP that is seeded with old TAL data will run for 30 days using the previous public key before migrating to the next public key due to the acceptance timer requirements, and this 30-day delay applies to each new key pair that has been issued since the old TAL data was initially published. In these instances, it may be better for the TA to send error responses when receiving requests for the old publication URLs so that the RP reports an error to its operator and the operator seeds it with up-to-date TAL data immediately. Once a TA has decided not to maintain a previously current key pair and its associated repository, the TA SHOULD destroy the associated private key. The TA SHOULD also reuse the TA CA certificate URLs from the previous TAL data for the next TAL that it generates. These measures will help to mitigate the risk of an adversary gaining access to the private key and its associated publication points in order to send invalid or incorrect data to RPs seeded with the TAL data for the corresponding public key.
TA Compromise TAK objects do not offer protection against compromise of the current TA private key or the successor TA private key. TA private key compromise in general is out of scope for this document. While it is possible for a malicious actor to use TAK objects to cause RPs to transition from the current TA public key to a successor TA public key, such action is predicated on the malicious actor having compromised the current TA private key in the first place. Since a malicious actor who has compromised the current TA private key has complete control over the TA anyway, TAK objects do not alter the security considerations relevant to this scenario.
Alternate Transition Models describes other ways in which a TA may transition from one key pair to another. Transition by way of an in-band process reliant on TAK objects is not mandatory for TAs or RPs, though the fact that the TAK objects are verifiable by way of the currently trusted TA public key is a benefit compared with existing out-of-band mechanisms for TA public key distribution. There will be a period of time where both the current public key and the successor public key are available for use, and RPs that are initialised at different points of the transition process or from different out-of-band sources may be using either the current public key or the successor public key. TAs are required to ensure, so far as is possible, that RPKI validation outcomes are the same regardless of which of the two keys is used.
IANA Considerations
Content Type IANA has registered an OID for one content type in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows:
Decimal Description References
50 id-ct-signedTAL
Description:
id-ct-signedTAL
OID:
1.2.840.113549.1.9.16.1.50
Specification:
Signed Object IANA has added the following to the "RPKI Signed Objects" registry:
Name OID Reference
Trust Anchor Key 1.2.840.113549.1.9.16.1.50
IANA has also added the following note to the "RPKI Signed Objects" registry:
Objects of the types listed in this registry, as well as RPKI resource certificates and CRLs, are expected to be validated using the RPKI.
File Extension IANA has added the following item for the Signed TAL file extension to the "RPKI Repository Name Schemes" registry created by :
Filename Extension RPKI Object Reference
.tak Trust Anchor Key RFC 9691
Module Identifier IANA has registered an OID for one module identifier in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry as follows:
Decimal Description References
74 RPKISignedTrustAnchorList-2021 RFC 9691
Description:
RPKISignedTrustAnchorList-2021
OID:
1.2.840.113549.1.9.16.0.74
Specification:
RFC 9691
Registration of Media Type application/rpki-signed-tal IANA has registered the media type "application/rpki-signed-tal" in the "Media Types" registry as follows:
Type name:
application
Subtype name:
rpki-signed-tal
Required parameters:
N/A
Optional parameters:
N/A
Encoding considerations:
binary
Security considerations:
Carries an RPKI Signed TAL. This media type contains no active content. See the Security Considerations section of RFC 9691 for further information.
Interoperability considerations:
N/A
Published specification:
RFC 9691
Applications that use this media type:
RPKI operators
Fragment identifier considerations:
N/A
Additional information:
Content:
This media type is for a signed object, as defined in RFC 6488, which contains trust anchor key material as defined in RFC 9691.
Magic number(s):
N/A
File extension(s):
.tak
Macintosh file type code(s):
N/A
Person & email address to contact for further information:
iesg@ietf.org
Intended usage:
COMMON
Restrictions on usage:
N/A
Author:
sidrops WG
Change controller:
IESG
 References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. UTF-8, a transformation format of ISO 10646 ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279. X.509 Extensions for IP Addresses and AS Identifiers This document defines two X.509 v3 certificate extensions. The first binds a list of IP address blocks, or prefixes, to the subject of a certificate. The second binds a list of autonomous system identifiers to the subject of a certificate. These extensions may be used to convey the authorization of the subject to use the IP addresses and autonomous system identifiers contained in the extensions. [STANDARDS-TRACK] Unicode Format for Network Interchange The Internet today is in need of a standardized form for the transmission of internationalized "text" information, paralleling the specifications for the use of ASCII that date from the early days of the ARPANET. This document specifies that format, using UTF-8 with normalization and specific line-ending sequences. [STANDARDS-TRACK] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] The rsync URI Scheme This document specifies the rsync Uniform Resource Identifier (URI) scheme. This document is not an Internet Standards Track specification; it is published for informational purposes. A Profile for Resource Certificate Repository Structure This document defines a profile for the structure of the Resource Public Key Infrastructure (RPKI) distributed repository. Each individual repository publication point is a directory that contains files that correspond to X.509/PKIX Resource Certificates, Certificate Revocation Lists and signed objects. This profile defines the object (file) naming scheme, the contents of repository publication points (directories), and a suggested internal structure of a local repository cache that is intended to facilitate synchronization across a distributed collection of repository publication points and to facilitate certification path construction. [STANDARDS-TRACK] A Profile for X.509 PKIX Resource Certificates This document defines a standard profile for X.509 certificates for the purpose of supporting validation of assertions of "right-of-use" of Internet Number Resources (INRs). The certificates issued under this profile are used to convey the issuer's authorization of the subject to be regarded as the current holder of a "right-of-use" of the INRs that are described in the certificate. This document contains the normative specification of Certificate and Certificate Revocation List (CRL) syntax in the Resource Public Key Infrastructure (RPKI). This document also specifies profiles for the format of certificate requests and specifies the Relying Party RPKI certificate path validation procedure. [STANDARDS-TRACK] Signed Object Template for the Resource Public Key Infrastructure (RPKI) This document defines a generic profile for signed objects used in the Resource Public Key Infrastructure (RPKI). These RPKI signed objects make use of Cryptographic Message Syntax (CMS) as a standard encapsulation format. [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. A Publication Protocol for the Resource Public Key Infrastructure (RPKI) This document defines a protocol for publishing Resource Public Key Infrastructure (RPKI) objects. Even though the RPKI will have many participants issuing certificates and creating other objects, it is operationally useful to consolidate the publication of those objects. Even in cases where a certificate issuer runs its own publication repository, it can be useful to run the certificate engine itself on a different machine from the publication repository. This document defines a protocol which addresses these needs. Resource Public Key Infrastructure (RPKI) Trust Anchor Locator This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI). The TAL allows Relying Parties in the RPKI to download the current Trust Anchor (TA) Certification Authority (CA) certificate from one or more locations and verify that the key of this self-signed certificate matches the key on the TAL. Thus, Relying Parties can be configured with TA keys but can allow these TAs to change the content of their CA certificate. In particular, it allows TAs to change the set of IP Address Delegations and/or Autonomous System Identifier Delegations included in the extension(s) (RFC 3779) of their certificate. This document obsoletes the previous definition of the TAL as provided in RFC 7730 by adding support for Uniform Resource Identifiers (URIs) (RFC 3986) that use HTTP over TLS (HTTPS) (RFC 7230) as the scheme. HTTP Semantics The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Manifests for the Resource Public Key Infrastructure (RPKI) This document defines a "manifest" for use in the Resource Public Key Infrastructure (RPKI). A manifest is a signed object (file) that contains a listing of all the signed objects (files) in the repository publication point (directory) associated with an authority responsible for publishing in the repository. For each certificate, Certificate Revocation List (CRL), or other type of signed objects issued by the authority that are published at this repository publication point, the manifest contains both the name of the file containing the object and a hash of the file content. Manifests are intended to enable a relying party (RP) to detect certain forms of attacks against a repository. Specifically, if an RP checks a manifest's contents against the signed objects retrieved from a repository publication point, then the RP can detect replay attacks, and unauthorized in-flight modification or deletion of signed objects. This document obsoletes RFC 6486. Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ITU-T Informative References Cryptographic Message Syntax (CMS) This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX) The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.
ASN.1 Module This appendix includes the ASN.1 module for the TAK object. RPKISignedTrustAnchorList-2021 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) 74 } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS CONTENT-TYPE FROM CryptographicMessageSyntax-2009 -- in [RFC5911] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } SubjectPublicKeyInfo FROM PKIX1Explicit-2009 -- in [RFC5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } ; ct-signedTAL CONTENT-TYPE ::= { TYPE TAK IDENTIFIED BY id-ct-signedTAL } id-ct-signedTAL OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) ct(1) 50 } CertificateURI ::= IA5String TAKey ::= SEQUENCE { comments SEQUENCE SIZE (0..MAX) OF UTF8String, certificateURIs SEQUENCE SIZE (1..MAX) OF CertificateURI, subjectPublicKeyInfo SubjectPublicKeyInfo } TAK ::= SEQUENCE { version INTEGER DEFAULT 0, current TAKey, predecessor [0] TAKey OPTIONAL, successor [1] TAKey OPTIONAL } END
Acknowledgments The authors wish to thank for a thorough review of the document, for multiple reviews of the ASN.1 definitions and for providing a new module for the TAK object, for the extensive suggestions around TAK object structure/distribution and rpki-client implementation work, and for text/suggestions around TAK/TAL distribution and general security considerations.
Authors' Addresses LACNIC
Rambla Mexico 6125 Montevideo 11400 Uruguay carlos@lacnic.net https://www.lacnic.net/
Asia Pacific Network Information Centre
6 Cordelia St South Brisbane 4101 Australia QLD ggm@apnic.net
Asia Pacific Network Information Centre
6 Cordelia St South Brisbane 4101 Australia QLD tomh@apnic.net
RIPE NCC
Stationsplein 11 Amsterdam The Netherlands tim@ripe.net https://www.ripe.net/
Dragon Research Labs
sra@hactrn.net