A Profile for X.509 PKIX
Resource CertificatesAsia Pacific Network Information
Centre33 Park Rd.MiltonQLD4064Australiagih@apnic.nethttp://www.apnic.netAsia Pacific Network Information
Centre33 Park Rd.MiltonQLD4064Australiaggm@apnic.nethttp://www.apnic.netAsia Pacific Network Information
Centre33 Park Rd.MiltonQLD4064Australiarobertl@apnic.nethttp://www.apnic.net
Routing Area
SIDRThis document defines a standard profile for X.509
certificates for the purposes of supporting validation of
assertions of "right-to-use" of an Internet Number Resource (IP
Addresses and Autonomous System Numbers). This profile is used
to convey the issuer's authorization of the subject to be
regarded as the current holder of a "right-of-use" of the IP
addresses and AS numbers that are described in the issued
certificate.This document defines a standard profile for X.509
certificates for use in the context of certification of IP
Addresses and AS Numbers. Such certificates are termed here
"Resource Certificates." Resource Certificates are X.509
certificates that conform to the PKIX profile , and also conform to the constraints
specified in this profile. Resource Certificates attest that the
issuer has granted the subject a "right-to-use" for a listed set
of IP addresses and Autonomous System numbers.A Resource Certificate describes an action by a certificate
issuer that binds a list of IP Address blocks and AS Numbers to
the subject of the issued certificate. The binding is identified
by the association of the subject's private key with the
subject's public key contained in the Resource Certificate, as
signed by the private key of the certificate's issuer.In the context of the public Internet, and the use of public
number resources within this context, it is intended that
Resource Certificates are used in a manner that is explicitly
aligned to the public number resource distribution
function. Specifically, when a number resource is allocated or
assigned by a number registry to an entity, this allocation is
described by an associated Resource Certificate. This
certificate is issued by the number registry, and the subject's
public key that is being certified by the issuer corresponds to
the public key part of a public / private key pair that was
generated by the same entity who is the recipient of the number
assignment or allocation. A critical extension to the
certificate enumerates the IP Resources that were allocated or
assigned by the issuer to the entity. In the context of the
public number distribution function, this corresponds to a
hierarchical PKI structure, where Resource Certificates are only
issued in one 'direction' and there is a single unique path of
certificates from a certification authority operating at the apex
of a resource distribution hierarchy to a valid certificate.Validation of a Resource Certificate in such a hierarchical
PKI can be undertaken by establishing a valid issuer-subject
certificate chain from a certificate issued by a trust anchor
certification authority to the certificate , with the additional constraint of
ensuring that each subject's listed resources are fully
encompassed by those of the issuer at each step in the
issuer-subject certificate chain.Resource Certificates may be used in the context of the
operation of secure inter-domain routing protocols to convey a
right-to-use of an IP number resource that is being passed
within the routing protocol, allowing relying parties to verify
legitimacy and correctness of routing information. Related use
contexts include validation of Internet Routing Registry
objects, validation of routing requests, and detection of
potential unauthorised use of IP addresses.This profile defines those fields that are used in a Resource
Certificate that MUST be present for the certificate to be
valid. Relying Parties SHOULD check that a Resource Certificate
conforms to this profile as a requisite for validation of a
Resource Certificate.It is assumed that the reader is familiar with the terms
and concepts described in "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile" , "X.509
Extensions for IP Addresses and AS Identifiers" , "Internet Protocol" , "Internet Protocol Version 6 (IPv6)
Addressing Architecture" ,
"Internet Registry IP Allocation Guidelines" , and related regional Internet
registry address management policy documents.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in RFC 2119.The framework for describing an association between the
subject of a certificate and the resources currently under the
subject's control is described in .There are three aspects of this resource extension that are
noted in this profile: RFC 3779 notes that a resource extension SHOULD be a
CRITICAL extension to the X.509 Certificate. This Resource
Certificate profile further specifies that the use of this
certificate extension MUST be used in all Resource
Certificates and MUST be marked as CRITICAL. RFC 3779 defines a sorted canonical form of describing a
resource set, with maximal spanning ranges and maximal
spanning prefix masks as appropriate. All valid certificates
in this profile MUST use this sorted canonical form of
resource description in the resource extension
field. A test of the resource extension in the context of
certificate validity includes the condition that the
resources described in the immediate superior certificate in
the PKI hierarchy (the certificate where this certificate's
issuer is the subject) has a resource set (called here the
"issuer's resource set") that must encompass the resource
set of the issued certificate. In this context "encompass"
allows for the issuer's resource set to be the same as, or a
strict superset of, any subject's resource set. A test of certificate validity entails the identification of
a sequence of valid certificates in an issuer-subject chain
(where the subject field of one certificate appears as the
issuer in the next certificate in the sequence) from a trust
anchor certification authority to the certificate being validated,
and that the resource extensions in this certificate sequence
from the trust anchor's issued certificate to the certificate
being validated form a sequence of encompassing relationships in
terms of the resources described in the resource extension.A Resource Certificate is a valid X.509 v3 public key
certificate, consistent with the PKIX profile , containing the fields listed in this
section. Unless specifically noted as being OPTIONAL, all the
fields listed here MUST be present, and any other field MUST NOT
appear in a conforming Resource Certificate. Where a field value
is specified here this value MUST be used in conforming Resource
Certificates.Resource Certificates are X.509 Version 3 certificates.
This field MUST be present, and the Version MUST be 3
(i.e. the value of this field is 2).The serial number value is a positive integer that is
unique per Issuer.This field describes the algorithm used to compute the
signature on this certificate. This profile specifies a
minimum of SHA-256 with RSA (sha256WithRSAEncryption), and
allows for the use of SHA-384 or SHA-512. Accordingly, the
value for this field MUST be one of the OID values { pkcs-1 11
}, { pkcs-1 12 } or { pkcs-1 13 } .It is noted that larger key sizes are computationally
expensive for both the Certification Authority and relying
parties, indicating that care should be taken when deciding to
use larger than the minimum key size.This field identifies the entity that has signed and issued
the certificate. The value of this field is a valid X.501
name.If the certificate is a subordinate certificate issued by
virtue of the "cA" bit set in the immediate superior
certificate, then the issuer name MUST correspond to the
subject name as contained in the immediate superior
certificate.This field MUST be non-empty.This field identifies the entity to whom the resource has
been allocated / assigned. The value of this field is a valid
X.501 name.In this profile the subject name is determined by the
issuer, and each distinct entity certified by the issuer MUST
be identified using a subject name that is unique per
issuer.This field MUST be non-empty.The starting time at which point the certificate is
valid. In this profile the "Valid From" time SHOULD be no
earlier than the time of certificate generation. As per
Section 4.1.2.5 of ,
Certification Authorities (CAs) conforming to this profile
MUST always encode the certificate's "Valid From" date through
the year 2049 as UTCTime, and dates in 2050 or later MUST be
encoded as GeneralizedTime. These two time formats are defined
in .In this profile, it is valid for a certificate to have a
value for this field that pre-dates the same field value in
any superior certificate. However, it is not valid to infer
from this information that a certificate was, or will be,
valid at any particular time other than the current time.The Valid To time is the date and time at which point in
time the certificate's validity ends. It represents the
anticipated lifetime of the resource allocation / assignment
arrangement between the issuer and the subject. As per Section
4.1.2.5 of , CAs conforming to
this profile MUST always encode the certificate's "Valid To"
date through the year 2049 as UTCTime, and dates in 2050 or
later MUST be encoded as GeneralizedTime. These two time
formats are defined in .In this profile, it is valid for a certificate to have a
value for this field that post-dates the same field value in
any superior certificate. However, it is not valid to infer
from this information that a certificate was, or will be,
valid at any particular time other than the current time.CAs are typically advised against issuing a certificate
with a validity interval that exceeds the validity interval of
the CA's certificate that will be used to validate the issued
certificate. However, in the context of this profile, it is
anticipated that a CA may have valid grounds to issue a
certificate with a validity interval that exceeds the validity
interval of the CA's certificate.This field specifies the subject's public key and the
algorithm with which the key is used. The public key algorithm
MUST be RSA, and, accordingly, the OID for the public key
algorithm is 1.2.840.113549.1.1.1. The key size MUST be a
minimum size of 1024 bits. In the context of certifying
resources it is recommended that the key size of keys that are
intended to be used at the apex of a certificate issuance
hierarchy, and their immediate subordinates, SHOULD use a
minimum key size of 2048 bits. Immediate subordinates of
these certificates, when used in the context of continued
levels of high trust, SHOULD use a minimum key size of 2048
bits.In the application of this profile to certification of
public number resources, it would be consistent with this
recommendation that the Regional Internet Registries use a key
size of 2048 bits in their issued certificates, and that their
immediate subordinate certificate authorities also use a key
size of 2048 bits. All other subordinate certificates MAY use
a key size of 1024 bits.It is noted that larger key sizes are computationally
expensive for both the CA and relying parties, indicating that
care should be taken when deciding to use larger than the
minimum key size.As noted in Section 4.2 of ,
each extension in a certificate is designated as either
critical or non-critical. A certificate-using system MUST
reject the certificate if it encounters a critical extension
it does not recognise; however, a non-critical extension MAY
be ignored if it is not recognised .The following X.509 V3 extensions MUST be present in a
conforming Resource Certificate, except where explicitly noted
otherwise.The basic constraints extension identifies whether the
subject of the certificate is a CA and the maximum depth of
valid certification paths that include this certificate.The issuer determines whether the "cA" boolean is set. If
this bit is set, then it indicates that the subject is
allowed to issue resources certificates within this overall
framework (i.e. the subject is permitted be a CA).The Path Length Constraint is not specified in this
profile and MUST NOT be present.The Basic Constraints extension field is a critical
extension in the Resource Certificate profile, and MUST be
present when the subject is a CA, and MUST NOT be present
otherwise.The subject key identifier extension provides a means of
identifying certificates that contain a particular public
key. To facilitate certification path construction, this
extension MUST appear in all Resource Certificates. This
extension is non-critical.The value of the subject key identifier MUST be the value
placed in the key identifier field of the Authority Key
Identifier extension of immediate subordinate certificates
(all certificates issued by the subject of this
certificate).The Key Identifier used here is the 160-bit SHA-1 hash of
the value of the DER-encoded ASN.1 bit string of the subject
public key, as described in Section 4.2.1.2 of .The authority key identifier extension provides a means of
identifying certificates that are signed by the issuer's
private key, by providing a hash value of the issuer's
public key. To facilitate path construction, this extension
MUST appear in all Resource Certificates. The keyIdentifier
sub field MUST be present in all Resource Certificates, with
the exception of a CA who issues a "self-signed"
certificate. The authorityCertIssuer and
authorityCertSerialNumber sub fields MUST NOT be
present. This extension is non-critical.The Key Identifier used here is the 160-bit SHA-1 hash of
the value of the DER-encoded ASN.1 bit string of the
issuer's public key, as described in Section 4.2.1.1 of
.This describes the purpose of the certificate. This is a
critical extension, and it MUST be present.In certificates issued to Certificate Authorities only the
keyCertSign and CRLSign bits are set to TRUE and MUST be the
only bits set to TRUE. In end-entity certificates the digitalSignature bit MUST
be set and MUST be the only bit set to TRUE.This field (CRLDP) identifies the location(s) of the
CRL(s) associated with certificates issued by this
Issuer. This profile uses the URI form of object
identification. The preferred URI access mechanism is a
single RSYNC URI ("rsync://")
that references a single inclusive CRL for each issuer.In this profile the certificate issuer is also the CRL
issuer, implying at the CRLIssuer sub field MUST be omitted,
and the distributionPoint sub-field MUST be present. The
Reasons sub-field MUST be omitted.The distributionPoint MUST contain general names, and
MUST NOT contain a nameRelativeToCRLIssuer. The type of the
general name MUST be of type URI.In this profile, the scope of the CRL is specified to be
all certificates issued by this CA issuer using a given key
pair.The sequence of distributionPoint values MUST contain
only a single DistributionPointName set. The
DistributionPointName set MAY contain more than one URI
value. An RSYNC URI MUST be present in the
DistributionPointName set, and reference the most recent
instance of this issuer's certificate revocation list. Other
access form URIs MAY be used in addition to the RSYNC
URI.This extension MUST be present and it is
non-critical. There is one exception, namely where a CA
distributes its public key in the form of a "self-signed"
certificate, the CRLDP MUST be omitted. This field (AIA) identifies the point of publication of
the certificate that is issued by the issuer's immediate
superior CA, where this certificate's issuer is the
subject. In this profile a single reference object to
publication location of the immediate superior certificate
MUST be used, except in the case where a CA distributes its
public key in the form of a "self-signed" certificate, in
which case the AIA field SHOULD be omitted.This profile uses a URI form of object
identification. The preferred URI access mechanisms is
"rsync", and an RSYNC URI MUST be specified with an
accessMethod value of id-ad-caIssuers. The URI MUST
reference the point of publication of the certificate where
this issuer is the subject (the issuer's immediate superior
certificate). Other access method URIs referencing the same
object MAY also be included in the value sequence of this
extension.When an Issuer re-issues a CA certificate, the
subordinate certificates need to reference this new
certificate via the AIA field. In order to avoid the
situation where a certificate re-issuance necessarily
implies a requirement to re-issue all subordinate
certificates, CA Certificate issuers SHOULD use a persistent
URL name scheme for issued certificates. This implies that
re-issued certificates overwrite previously issued
certificates to the same subject in the publication
repository, and use the same publication name as previously
issued certificates. In this way subordinate certificates
can maintain a constant AIA field value and need not be
re-issued due solely to a re-issue of the superior
certificate. The issuers' policy with respect to the
persistence of name objects of issued certificates MUST be
specified in the Issuer's Certification Practice
Statement.This extension is non-critical.This field (SIA) identifies the location of information
and services relating to the subject of the certificate in
which the SIA extension appears. Where the Subject is a CA
in this profile, this information and service collection
will include all current valid certificates that have been
issued by this subject that are signed with the subject's
corresponding private key.This profile uses a URI form of location identification. The
preferred URI access mechanism is "rsync", and an RSYNC URI MUST be
specified, with an access method value of id-ad-caRepository when
the subject of the certificate is a CA. The RSYNC URI must reference
an object collection rather than an individual object and MUST use a
trailing '/' in the URI.Other access method URIs that reference the same location
MAY also be included in the value sequence of this
extension. The ordering of URIs in this sequence reflect the
subject's relative preferences for access methods, with the
first method in the sequence being the most preferred.This field MUST be present when the subject is a CA, and
is non-critical.For End Entity (EE) certificates, where the subject is
not a CA, this field MAY be present, and is non-critical.
If present, it either references the location where objects
signed by the key pair associated with the EE certificate
can be accessed, or, in the case of single-use EE
certificates it references the location of the single object
that has been signed by the corresponding key pair.When the subject is an End Entity, and it publishes
objects signed with the matching private key in a
repository, the directory where these signed objects is
published is referenced the id-ad-signedObjectRepository
OID.
id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
id-ad-signedObjectRepository OBJECT IDENTIFIER ::= { id-ad 9 }
When the subject is an End Entity, and it publishes a
single object signed with the matching private key, the
location where this signed object is published is referenced
the id-ad-signedObject OID.
id-ad-signedObject OBJECT IDENTIFIER ::= { id-ad 11 }
This profile requires the use of repository publication
manifests to list all
signed objects that are deposited in the repository
publication point associated with a CA or an EE. The
publication point of the manifest for a CA or EE is placed in
the SIA extension of the CA or EE certificate. This profile
uses a URI form of manifest identification for the
accessLocation. The preferred URI access mechanisms is
"rsync", and an RSYNC URI MUST be specified. Other
accessDescription fields may exist with this id-ad-Manifest
accessMethod, where the accessLocation value indicates
alternate URI access mechanisms for the same manifest object.
id-ad-rpkiManifest OBJECT IDENTIFIER ::= { id-ad 10 }
CA certificates MUST include in the SIA an accessMethod
OID of id-ad-rpkiManifest, where the associated
accessLocation refers to the subject's published manifest
object as an object URL.When an EE certificate is intended for use in verifying
multiple objects, EE certificate MUST include in the SIA an
access method OID of id-ad-rpkiManifest, where the associated
access location refers to the publication point of the
objects that are verified using this EE certificate.When an EE certificate is used to sign a single object,
the EE certificate MUST include in the SIA an access method
OID of id-ad-signedObject, where the associated access
location refers to the publication point of the single object
that is verified using this EE certificate. In this case, the
SIA MUST NOT include the access method OID of
id-ad-rpkiManifest.This extension MUST reference the Resource Certificate
Policy, using the OID Policy Identifier value of
"1.3.6.1.5.5.7.14.2". This field MUST be present and MUST
contain only this value for Resource Certificates.PolicyQualifiers MUST NOT be used in this profile.This extension MUST be present and it is critical.This field contains the list of IP address resources as
per . The value may specify
the "inherit" element for a particular AFI value. In the
context of resource certificates describing public number
resources for use in the public Internet, the SAFI value
MUST NOT be used. All Resource Certificates MUST include an
IP Resources extension, an AS Resources extension, or both
extensions.This extension, if present, MUST be marked critical.This field contains the list of AS number resources as
per , or may specify the
"inherit" element. RDI values are NOT supported in this
profile and MUST NOT be used. All Resource Certificates MUST
include an IP Resources extension, an AS Resources
extension, or both extensions.This extension, if present, MUST be marked critical.Each CA MUST issue a version 2 Certificate Revocation List
(CRL), consistent with . The CRL
issuer is the CA, and no indirect CRLs are supported in this
profile.An entry MUST NOT be removed from the CRL until it appears on
one regularly scheduled CRL issued beyond the revoked
certificate's validity period.This profile does not allow issuance of Delta CRLs.The scope of the CRL MUST be "all certificates issued
by this CA using a given key pair". The contents of the CRL are
a list of all non-expired certificates issued by the CA using a
given key pair that have been revoked by the CA.The profile allows the issuance of multiple current CRLs with
different scope by a single CA, with the scope being defined by
the key pair used by the CA.No CRL fields other than those listed here are permitted in
CRLs issued under this profile. Unless otherwise indicated,
these fields MUST be present in the CRL. Where two or more CRLs
issued by a single CA with the same scope, the CRL with the
highest value of the "CRL Number" field supersedes all other
CRLs issued by this CA.Resource Certificate Revocation Lists are Version 2
certificates (the integer value of this field is 1).The value of this field is the X.501 name of the issuing CA
who is also the signer of the CRL, and is identical to the
Issuer name in the Resource Certificates that are issued by
this issuer.This field contains the date and time that this CRL was
issued. The value of this field MUST be encoded as UTCTime for
dates through the year 2049, and MUST be encoded as
GeneralizedTime for dates in the year 2050 or later.This is the date and time by which the next CRL SHOULD be
issued. The value of this field MUST be encoded as UTCTime
for dates through the year 2049, and MUST be encoded as
GeneralizedTime for dates in the year 2050 or later.This field contains the algorithm used to sign this
CRL. This profile specifies a minimum of SHA-256 with RSA
(sha256WithRSAEncryption), and allows for the use of SHA-384
or SHA-512. This field MUST be present.It is noted that larger key sizes are computationally
expensive for both the CRL Issuer and relying parties,
indicating that care should be taken when deciding to use
larger than the minimum key size.When there are no revoked certificates, then the revoked
certificate list MUST be absent.For each revoked resource certificate only the following
fields MUST be present. No CRL entry extensions are supported
in this profile, and CRL entry extensions MUST NOT be present
in a CRL.The issuer's serial number of the revoked certificate.The time the certificate was revoked. This time MUST
NOT be a future date. The value of this field MUST be
encoded as UTCTime for dates through the year 2049, and MUST
be encoded as GeneralizedTime for dates in the year 2050 or
later.The X.509 v2 CRL format allows extensions to be placed in a
CRL. The following extensions are supported in this profile,
and MUST be present in a CRL.The authority key identifier extension provides a means
of identifying the public key corresponding to the private
key used to sign a CRL. Conforming CRL issuers MUST use the
key identifier method. The syntax for this CRL extension is
defined in section 4.2.1.1 of .This extension is non-critical.The CRL Number extension conveys a monotonically
increasing sequence number of positive integers for a given
CA and scope. This extension allows users to easily
determine when a particular CRL supersedes another CRL. The
highest CRL Number value supersedes all other CRLs issued by
the CA with the same scope.This extension is non-critical.A resource certificate request MAY use either of PKCS#10 or
Certificate Request Message Format (CRMF). A CA Issuer MUST
support PKCS#10 and a CA Issuer may, with mutual consent of the
subject, support CRMF.This profile refines the specification in , as it relates to Resource
Certificates. A Certificate Request Message object, formatted
according to PKCS#10, is passed to a CA as the initial step in
issuing a certificate.This request may be conveyed to the CA via a Registration
Authority (RA), acting under the direction of a Subject.With the exception of the public key related fields, the CA
is permitted to alter any requested field when issuing a
corresponding certificate.This profile applies the following additional constraints
to fields that may appear in a CertificationRequestInfo:
This
field is mandatory and MUST have the value 0.This
field is optional. If present, the value of this field
SHOULD be empty, in which case the issuer MUST generate
a subject name that is unique in the context of
certificates issued by this issuer. If the value of this
field is non-empty, then the CA MAY consider the value
of this field as the subject's suggested subject name,
but the CA is NOT bound to honour this suggestion, as
the subject name MUST be unique per issuer in
certificates issued by this issuer. This field specifies the subject's
public key and the algorithm with which the key is
used. The public key algorithm MUST be RSA, and the OID
for the algorithm is 1.2.840.113549.1.1.1. This field
also includes a bit-string representation of the
entity's public key. For the RSA public-key algorithm
the bit string contains the DER encoding of a value of
PKCS #1 type RSAPublicKey. defines the attributes field as
key-value pairs where the key is an OID and the value's
structure depends on the key.The only attribute used in this profile is the
ExtensionRequest attribute as defined in . This attribute contains X509v3
Certificate Extensions. The profile for extensions in
certificate requests is specified in .This profile applies the following additional constraints
to fields that MAY appear in a CertificationRequest Object:
This profile specifies a minimum of SHA-256 with RSA
(sha256WithRSAEncryption), and allows for the use of
SHA-384 or SHA-512. Accordingly, the value for this
field MUST be one of the OID values { pkcs-1 11 }, {
pkcs-1 12 } or { pkcs-1 13 }
.It is noted that larger key sizes are computationally
expensive for both the CA and relying parties,
indicating that care should be taken when deciding to
use larger than the minimum key size.This profile refines the Certificate Request Message Format
(CRMF) specification in , as it
relates to Resource Certificates. A Certificate Request
Message object, formatted according to the CRMF, is passed to
a CA as the initial step in issuing a certificate.This request MAY be conveyed to the CA via a Registration
Authority (RA), acting under the direction of a subject.With the exception of the public key related fields, the CA
is permitted to alter any requested field when issuing a
corresponding certificate.This profile applies the following additional constraints
to fields that may appear in a Certificate Request Template:
This
field MAY be absent, or MAY specify the request of a
Version 3 Certificate. It SHOULD be omitted. As
per , this field is
assigned by the CA and MUST be omitted in this
profile.
As per , this field is
assigned by the CA and MUST be omitted in this
profile. This
field is assigned by the CA and MUST be omitted in this
profile. This
field MAY be omitted. If omitted, the CA will issue a
Certificate with Validity dates as determined by the
CA. If specified, then the CA MAY override the requested
values with dates as determined by the CA. This
field is optional. If present, the value of this field
SHOULD be empty, in which case the issuer MUST generate
a subject name that is unique in the context of
certificates issued by this issuer. If the value of this
field is non-empty, then the CA MAY consider the value
of this field as the subject's suggested subject name,
but the CA is NOT bound to honour this suggestion, as
the subject name MUST be unique per issuer in
certificates issued by this issuer. This
field MUST be present.This
attribute contains X509v3 Certificate Extensions. The
profile for extensions in certificate requests is
specified in .The following control fields are supported in this
profile: It is noted that the intended model of
authentication of the subject is a long term one, and
the advice as offered in
is that the Authenticator Control field be used. The following extensions MAY appear in a PKCS#10 or CRMF
Certificate Request. Any other extensions MUST NOT appear in a
Certificate Request. This profile places the following
additional constraints on these extensions.: If
this is omitted then the CA will issue an end entity
certificate with the BasicConstraints extension not
present in the issued certificate.The Path Length Constraint is not supported in this
Resource Certificate Profile, and this field MUST be
omitted in this profile.The CA MAY honour the SubjectType CA bit set to on. If
this bit is set, then it indicates that the Subject is
allowed to issue resource certificates within this overall
framework.The CA MUST honour the SubjectType CA bit set to off
(End Entity certificate request), in which case the
corresponding end entity certificate will not contain a
BasicConstraints extension. This field is assigned by the CA and MUST be omitted in
this profile. This field is assigned by the CA and
MUST be omitted in this profile. The CA MAY
honor KeyUsage extensions of keyCertSign and
cRLSign if present, as long as this is consistent with
the BasicConstraints SubjectType sub field, when
specified. This field MUST be present when the
subject is a CA, and the field value SHOULD be honoured by
the CA. If the CA is not able to honor the requested field
value, then the CA MUST reject the Certificate
Request. This field (SIA) identifies the location of information
and services relating to the subject of the certificate in
which the SIA extension appears. Where the subject is a CA
in this profile, this information and service collection
will include all current valid certificates that have been
issued by this subject that are signed with the subject's
corresponding private key.This profile uses a URI form of location
identification. An RSYNC URI MUST be specified, with an
access method value of id-ad-caRepository when the subject
of the certificate is a CA. The RSYNC URI MUST reference
an object collection rather than an individual object and
MUST use a trailing '/' in the URI. Other access method
URIs that reference the same location MAY also be included
in the value sequence of this extension. The ordering of
URIs in this sequence reflect the subject's relative
preferences for access methods, with the first method in
the sequence being the most preferred by the
Subject.A request for a CA certificate MUST include in the SIA
of the request the id-ad-caRepository access method, and
also MUST include in the SIA of the request the
accessMethod OID of id-ad-rpkiManifest, where the
associated accessLocation refers to the subject's
published manifest object as an object URL.When an EE certificate is intended for use in verifying
multiple objects, the certificate request for the EE
certificate MUST include in the SIA of the request an
access method OID of id-ad-signedObjectRepository, and
also MUST include in the SIA of the request an access
method OID of id-ad-rpkiManifest, where the associated
access location refers to the publication point of the
objects that are verified using this EE certificate.When an EE certificate is used to sign a single object,
the certificate request for the EE certificate MUST
include in the SIA of the request an access method OID of
id-ad-signedObject, where the associated access location
refers to the publication point of the single object that
is verified using this EE certificate, and MUST NOT
include an id-ad-rpkiManifest access method OID in the SIA
of the request. This field is assigned by the CA and MUST be omitted in
this profile.This field is assigned by the CA and MUST
be omitted in this profile. This field is assigned by the CA and MUST be omitted in
this profile. With the exceptions of the publicKey field and the
SubjectInformationAccess field, the CA is permitted to alter
any requested field.This section describes the Resource Certificate validation
procedure. This refines the generic procedure described in
section 6 of :To meet this goal, the path validation process verifies,
among other things, that a prospective certification path (a
sequence of n certificates) satisfies the following conditions:
for all x in {1, ..., n-1}, the subject of certificate x
is the issuer of certificate x+1; certificate 1 is issued by a trust anchor; certificate n is the certificate to be validated; and
for all x in {1, ..., n}, the certificate is valid.The IP resource extension definition defines a critical extensions for
Internet number resources. These are ASN.1 encoded
representations of the IPv4 and IPv6 address range (either as
a prefix/length, or start-end pair) and the AS number set.Valid Resource Certificates MUST have a valid IP address
and/or AS number resource extension. In order to validate a
Resource Certificate the resource extension must also be
validated. This validation process relies on definitions of
comparison of resource sets: Given two IP address or AS
number contiguous ranges, A and B, A is "more specific"
than B if range B includes all IP addresses or AS numbers
described by range A, and if range B is larger than range
A. Given two IP address or AS number
contiguous ranges, A and B, A is "equal" to B if range A
describes precisely the same collection of IP addresses or
AS numbers as described by range B. The definition of
"inheritance" in is
equivalent to this "equality" comparison.Given two IP address and AS
number sets X and Y, X "encompasses" Y if, for every
contiguous range of IP addresses or AS numbers elements in
set Y, the range element is either more specific than or
equal to a contiguous range element within the set X.Validation of a certificate's resource extension in the
context of an ordered certificate sequence of {1,2, ... , n}
where '1' is issued by a trust anchor and 'n' is the target
certificate, and where the subject of certificate 'x' is the
issuer of certificate 'x' + 1, implies that the resources
described in certificate 'x' "encompass" the resources
described in certificate 'x' + 1, and the resources described
in the trust anchor information "encompass" the resources
described in certificate 1.
Validation of signed resource data using a target resource
certificate consists of assembling an ordered sequence (or
'Certification Path') of certificates ({1,2,...n} where '1' is a
certificate that has been issued by a trust anchor, and 'n' is
the target certificate) verifying that all of the following
conditions hold: The certificate can be verified using the
Issuer's public key and the signature algorithm The current time lies within the certificate's Validity
From and To values. The certificate contains all fields that MUST be
present and contains field values as specified in this
profile for all field values that MUST be present. No field value that MUST NOT be present in this profile
is present in the certificate. The Issuer has not revoked the certificate by placing
the certificate's serial number on the Issuer's current
Certificate Revocation List, and the Certificate
Revocation List is itself valid. That the resource extension data is "encompassed" by
the resource extension data contained in a valid
certificate where this Issuer is the Subject (the previous
certificate in the ordered sequence) The Certification Path originates with a certificate
issued by a trust anchor, and there exists a signing chain
across the Certification Path where the Subject of
Certificate x in the Certification Path matches the Issuer
in Certificate x+1 in the Certification Path.A certificate validation algorithm may perform these tests
in any chosen order.Certificates and CRLs used in this process may be found in
a locally maintained cache, maintained by a regular top-down
synchronization pass, seeded with the CAs who operate at the
apex of the resource distribution hierarchy, via reference to
issued certificates and their SIA fields as forward pointers,
plus the CRLDP. Alternatively, validation may be performed
using a bottom-up process with on-line certificate access
using the certificate's AIA and CRLDP pointers to guide the
certificate retrieval process for each certificate's immediate
superior CA certificate.There exists the possibility of encountering certificate
paths that are arbitrarily long, or attempting to generate
paths with loops as means of creating a potential DOS attack
on a certificate validator. Some further heuristics may be
required to halt the certification path validation process in
order to avoid some of the issues associated with attempts to
validate such structures. It is suggested that implementations
of Resource Certificate validation MAY halt with a validation
failure if the certification path length exceeds a
pre-determined configuration parameter.The trust model that may be used in the resource
certificate framework in the context of validation of
assertions of public number resources in public-use contexts
is one that readily maps to a top-down delegated CA model that
mirrors the delegation of resources from a registry
distribution point to the entities that are the direct
recipients of these resources. Within this trust model these
recipient entities may, in turn, operate a registry and
perform further allocations or assignments. This is a strict
hierarchy, in that any number resource and a corresponding
recipient entity has only one 'parent' issuing registry for
that number resource (i.e. there is always a unique parent
entity for any resource and corresponding entity), and that
the issuing registry is not a direct or indirect subordinate
recipient entity of the recipient entity in question (i.e. no
loops in the model).The more general consideration is that selection of one or
more trust anchor CAs is a task undertaken by relying
parties. The structure of the resource certificate profile
admits potentially the same variety of trust models as the
PKIX profile. There is only one additional caveat on the
general applicability of trust models and PKIX frameworks,
namely that in forming a validation path to a trust anchor CA,
the sequence of certificates MUST preserve the resource
extension validation property, as described in , and the validation of the first
certificate in the validation path not only involves the
verification that the certificate was issued by a trust anchor
CA, but also that the resource set described in the
certificate MUST be encompassed by the trust anchor CA's
resource set, as described in .The trust anchor information, describing a CA that serves
as a trust anchor, includes the following:the trusted issuer name,the trusted public key algorithm,the trusted public key,optionally, the trusted public key parameters associated
with the public key, anda resource set, consisting of a set of IPv4 resources,
IPv6 resources and AS number resources.The trust anchor information may be provided to the path
processing procedure in the form of a self-signed
certificate.In the RPKI the hierarchical certificate framework corresponds
to the hierarchies of the resource distribution function. In
consideration of this, it is reasonable to nominate to relying
parties a default set of trust anchors for the RPKI that
correspond to the entities who serve at the top levels of the
associated resource allocation hierarchy. The corresponding
nominated trust anchor CA entities should map, in some fashion,
to the apex point(s) of the hierarchical resource distribution
structure.The characteristics of a trust anchor model for the RPKI
appears to include the following considerations:The entity or entities that issue proposed trust anchor
material for the RPKI should be as close as possible to the
apex of the associated resource distribution hierarchySuch issued proposed trust anchor material should be
long-lived. As it can be reasonably anticipated that default
trust anchor material would be distributed with relying party
validation software, the implication is that the distributed
default trust anchor material should remain constant for
extended time intervals.It is a poor trust model when any entity that issues
putative trust anchor material is forced to be authoritative
over information or actions of which the entity has no direct
knowledge nor has a definitive record. Entities who propose
themselves in a role of a trust anchor issuer should be able to
point to corroborative material supporting the assertion that
they are legitimate authorities for the information where they
are representing themselves as a potential trust anchor for
relying parties.A conventional approach to RPKI trust anchor distribution
would be for the publication of a single trust anchor "root"
RPKI certificate that corresponds to the apex of the RPKI
certificate hierarchy, where the entity that issues this "root"
certificate is also the entity at the apex of the associated
resource distribution hierarchy. In the case of the global IPv4
address, IPv6 address and AS Number space this apex entity is
the Internet Assigned Number Authority (IANA).This apex entity would issue and publish a self-signed "root"
certificate as the proposed trust anchor. This certificate is a
CA Resource Certificate, but differs from other certificates in
the RPKI in that it has no AIA value and no CRLDP value, and has
a resource extension of the complete set of IPv4 and IPv6
addresses and AS Numbers. This entity would then issue
subordinate RPKI certificates in a conventional manner that
correspond to IANA allocations.From the perspective of relying parties, and from the
perspective of the distribution of validation tools, this model
of the apex entity publishing a single self-signed RPKI
certificate as the putative trust anchor has some significant
advantages. It is an entirely conventional approach to trust
anchor distribution. It makes use of long-term stable trust
material in the form of a single self-signed certificate and an
associated key pair. Relying parties to not have to perform
regular on-line validation of the currency of the trust anchor
material at high frequency, as the resource set in this
self-signed "root" certificate would not change over time as the
resource set is fully encompassing of all resources in this
certificate. It also has the advantage of most closely
representing the resource distribution model, where the apex of
the resource distribution hierarchy publishes a proposed RPKI
trust anchor point.There are some salient lessons to be learned from the DNSSEC
experience, where the DNSSEC framework simply assumed that the
apex of the DNS hierarchy would in a position to sign the root
zone of the DNS immediately and the subordinate DNSSEC key
structures would fall into their respective interlocking
positions. This assumption has not been realized so far, and the
measures taken to work around the lack of a DNSSEC rigned root
zone have not enjoyed much support. This has acted as an
impediment to DNSSEC deployment given that relying parties have
no clear mechanism to resolve their trust questions. The result
is that DNSSEC deployment has serously stalled awaiting the
signed DNS root zone. Applying this DNSSEC experience to the
RPKI situation suggests that while a single signed apex of the
RPKI appears to offer a simple and conventional approach to the
distribution of trust anchor material for the RPKI, it also
appears prudent to consider alternative approaches to the
distribution of putative trust anchor material that do not
mandate a critical and immediate role for the party who operates
at the apex of the resource distribution hierarchy. This section
considers as a contingency such an alternative approach.In the absence of a single apex "root" certificate for the
RPKI, an alternative arrangement would be to move the putative
trust anchor point one level down in the resource distribution
hierarchy. This leads to the consideration of using the Regional
Internet Registries (RIRs) to each issue a self-signed "root"
RPKI certificate, the collection of which would form the
putative trust anchor set, where the associated resource set as
described in the resource extension in these RPKI certificate
corresponds exactly to the allocation of resources to that
Internet Registry as described in the existing registries that
are administered by the IANA.However, no other party in the RPKI hierarchy can offer
itself as a putative trust anchor using the same apprach of a
stable self-signed RPKI certificate. The consideration here is
that the RPKI certificate for parties who sit at a lower point
in the resource distribution hierarchy have a resource set that
is not necessarily stable for an extended period. Each time a
superior entity performs a resource allocation to this party,
the putative trust anchor self-signed certificate needs to be
re-issued, assuming the resource attribute of this self-signed
RPKI certificate must at all times accurately reflect those
resources for which the party has administrative
responsibility. As this resource allocation can happen on a
relatively frequent basis, then using such self-signed RPKI
certificates as trust anchors for the RPKI raises the problem
that these certificates may not necessarily be long-lived.An alternative approach would be for an entity who wishes to
offer itself as a putative RPKI trust anchor for part of the
hierarchy of resource allocations to regularly publish a
self-signed "root" RPKI CA certificate at a stable URL, and to
publish a packaged form of this URL as the distributed trust
anchor material. The details of this approach form the
perspective of each RIR follow.The RIR maintains a RPKI self-signed "root" certificate
that is used as the apex of a RPKI certificate issuance
hierarchy. This self-signed certificate MUST have the
keyCertSign sign bit set in the key usage extension, and the
CA flag set in the basic constraints extension, no AIA value
and no CRLDP value. This RPKI certificate will be reissued
upon the allocation of additional resources from the IANA, or
prior to expiration of the current RPKI self-signed
certificate. The validity interval of this certificate should
reflect the anticipated period of the cycle of resource
allocations from the IANA.The RIR maintains a "trust anchor material" keypair.The RIR issues a self-signed CA PKI certificate using the
"trust anchor material" keypair, where the public key in the
certificate is the public key of the "trust anchor material"
key pair and the self-signed certificate is signed by the
corresponding private key. This self-signed certificate MUST
have the keyCertSign sign bit set in the key usage extension,
and the CA flag set in the basic constraints extension, no AIA
value and no CRLDP value. The validity period of this
certificate shold be long-lived, with the precise period to be
a matter of RIR policy. The self-signed certificate performs
the trust anchor distribution material. The SIA of this
certificate references a publication point where a CRL and
subordinate products of this certificate are published.The RIR issues a subordinate EE PKI certificate with a
validity period identical to the validity period of the RPKI
self-signed "root" certificate. This EE PKI certificate MUST
have the digitalSignature bit set, and this MUST be the only
bit set to TRUE. The the CA flag set MUST be cleared in the
basic constraints extension. The validity period of this EE
certificate should be aligned to the validity period of the
self-signed CA RPKI certificate. The RIR regularly issues a CRL for the self-signed PKI
certificate. The CRL issuance cycle SHOULD be shorter than the
validity period for the RPKI self-signed "root"
certificate. It is suggest that the CRL issuance cycle SHOULD
be 48 hours.Each time the RPKI self-signed "root" certificate is
re-issued, or prior to the expiration of the EE PKI
certificate, the RIR generates a Cryptographic Message Syntax
(CMS) signed-data object, where the
payload is the RPKI self-signed "root" certificate. The object
is CMS-signed with the private key of the EE PKI
certificate. The EE PKI certificate is also included as a CMS
signed attribute in the CMS object. The self-signed CA PKI
certificate and the CRL are not to be included in the CMS
object. The CMS object is published at the location referenced
in the SIA of the self-signed CA PKI certificate.The RIR will distribute the self-signed CA PKI certificate
as its proposed trust anchor material, using SSL access.The RIR will publish the modulus and exponent of the "trust
anchor material" public key on its web site.Relying Parties can assemble the current default trust anchor
collection by using the distributed self-signed CA PKI
certificate for each RIR:The public key in the self-signed CA PKI certificate can be
validatedusing the modulus and exponent values as retrieved
from the RIR's web site using SSL access.The CA's CRL and CMS object can be retrieved from the
publication point referenced by the SIA in the CA PKI
certificate.The CRL can be verified against the CA PKI certificate.
The CMS signature can be verified using the embedded EE
PKI certificate, the retrieved CRL and the self-signed CA PKI
certificate. The relying party can then load the enclosed self-signed CA
RPKI certificate as a trust anchor for RPKI validation for
those resources described in the resource extension of this
certificate.Relying Parties should perform this retrieval and validation
operation at intervals no less frequent than the nextUpdate time
of the published CRL, and should perform the retrieval operation
prior to the expiration of the EE PKI certificate, or upon
revocation of the EE PKI certificate that was used to sign the
CMS object that held the relying party's current self-signed CA
RPKI certificate. It is suggested that this retrieval interval
is 24 hours.If an RIR wishes to perform an issuance of the self-signed CA
RPKI certificate outside the conventional update cycle time, it
can notify relying parties of this by revising the nextUpdate
time of the CRL to a shorter interval, issuing a new EE PKI
certificate and a new CMS object with the new self-signed CA
RPKI certificate, and revoking the old EE PKI certificate at the
nextUpdate time in the next CRL. This revocation will provide an
indication to relying parties to perform the retrieval operation
at a time earlier than a concentional update cycle time.The Security Considerations of
and apply to Resource Certificates
as defined by this profile, and their use.A Resource Certificate PKI cannot in and of itself resolve
any forms of ambiguity relating to uniqueness of assertions of
rights of use in the event that two or more valid certificates
encompass the same resource. If the issuance of resource
certificates is aligned to the status of resource allocations
and assignments then the information conveyed in a certificate
is no better than the information in the allocation and
assignment databases. The specification of the entities to be responsible for the
generation of trust anchor material for the RPKI is beyond the
intended scope of this document.[Note to IESG to be removed prior to publication: Section
proposes a model of trust anchor
construction where IANA issues a single self-singed certificate
as a trust anchor for the entire RPKI. The authors have
consulted RFC2860 and cannot find clear guidance in that
document as to whether a direction from the IESG to the IANA to
perform the function of self-signed trust anchor certificate
issuance lies within the scope of the operational arrangements
between the IETF and the IANA. Section
asl notes the protracted experience to date with the proposal
for IANA to sign the root zone of the DNS within the DNSSEC
framework. Accordingly, this document also describes an
alternate mechanism that allows relying parties to use trust
anchor material that is generated by the Regional Internet
Registries.]The authors would like to acknowledge the valued
contributions from Stephen Kent, Robert Kisteleki, Randy Bush,
Russ Housley, Ricardo Patara and Rob Austein in the preparation
and subsequent review of this document. The document also reflects
review comments received from Sean Turner.Manifests for the Resource Public Key InfrastructureISCAPNICBBNBBNrsyncSAMBAThe following is an example Resource Certificate.The following is an example Certificate Revocation List.