A Profile for X.509 PKIX
Resource CertificatesAsia Pacific Network Information
Centregih@apnic.nethttp://www.apnic.netAsia Pacific Network Information
Centreggm@apnic.nethttp://www.apnic.netAsia Pacific Network Information
Centrerobertl@apnic.nethttp://www.apnic.net
Routing Area
SIDRThis document defines a standard profile for X.509 certificates for
the purposes of supporting validation of assertions of "right-of-use" of
an Internet Number Resource (IP Addresses and Autonomous System
Numbers). This profile is used to convey the issuer's authorization of
the subject to be regarded as the current holder of a "right-of-use" of
the IP addresses and AS numbers that are described in the issued
certificate.This document defines a standard profile for X.509 certificates for use in the context of certification of IP
Addresses and AS Numbers. Such certificates are termed here "Resource
Certificates." Resource Certificates are X.509 certificates that conform
to the PKIX profile , and also conform to
the constraints specified in this profile. Resource Certificates attest
that the issuer has granted the subject a "right-of-use" for a listed
set of IP addresses and Autonomous System numbers.A Resource Certificate describes an action by a certificate issuer
that binds a list of IP Address blocks and AS Numbers to the subject of
the issued certificate. The binding is identified by the association of
the subject's private key with the subject's public key contained in the
Resource Certificate, as signed by the private key of the certificate's
issuer.In the context of the public Internet, and the use of public number
resources within this context, it is intended that Resource Certificates
are used in a manner that is explicitly aligned to the public number
resource distribution function. Specifically, when a number resource is
allocated or assigned by a number registry to an entity, this allocation
is described by an associated Resource Certificate. This certificate is
issued by the number registry, and the subject's public key that is
being certified by the issuer corresponds to the public key part of a
public / private key pair that was generated by the same entity who is
the recipient of the number assignment or allocation. A critical
extension to the certificate enumerates the IP Resources that were
allocated or assigned by the issuer to the entity. In the context of the
public number distribution function, this corresponds to a hierarchical
PKI structure, where Resource Certificates are only issued in one
'direction' and there is a single unique path of certificates from a
certification authority operating at the apex of a resource distribution
hierarchy to a valid certificate.Validation of a Resource Certificate in such a hierarchical PKI can
be undertaken by establishing a valid issuer-subject certificate chain
from a certificate issued by a trust anchor certification authority to
the certificate , with the additional
constraint of ensuring that each subject's listed resources are fully
encompassed by those of the issuer at each step in the issuer-subject
certificate chain.Resource Certificates may be used in the context of the operation of
secure inter-domain routing protocols to convey a right-of-use of an IP
number resource that is being passed within the routing protocol,
allowing relying parties to verify legitimacy and correctness of routing
information. Related use contexts include validation of Internet Routing
Registry objects, validation of routing requests, and detection of
potential unauthorised use of IP addresses.This profile defines those fields that are used in a Resource
Certificate that MUST be present for the certificate to be valid.
Relying Parties SHOULD check that a Resource Certificate conforms to
this profile as a requisite for validation of a Resource
Certificate.It is assumed that the reader is familiar with the terms and
concepts described in "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile" , "X.509 Extensions for IP Addresses and AS
Identifiers" , "Internet Protocol" , "Internet Protocol Version 6 (IPv6)
Addressing Architecture" , "Internet
Registry IP Allocation Guidelines" , and
related regional Internet registry address management policy
documents.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.The framework for describing an association between the subject of a
certificate and the resources currently under the subject's control is
described in .There are three aspects of this resource extension that are noted in
this profile: RFC 3779 notes that a resource extension SHOULD be a CRITICAL
extension to the X.509 Certificate. This Resource Certificate
profile further specifies that the use of this certificate extension
MUST be used in all Resource Certificates and MUST be marked as
CRITICAL. RFC 3779 defines a sorted canonical form of describing a resource
set, with maximal spanning ranges and maximal spanning prefix masks
as appropriate. All valid certificates in this profile MUST use this
sorted canonical form of resource description in the resource
extension field. A test of the resource extension in the context of certificate
validity includes the condition that the resources described in the
immediate superior certificate in the PKI hierarchy (the certificate
where this certificate's issuer is the subject) has a resource set
(called here the "issuer's resource set") that must encompass the
resource set of the issued certificate. In this context "encompass"
allows for the issuer's resource set to be the same as, or a strict
superset of, any subject's resource set.A test of certificate validity entails the identification of a
sequence of valid certificates in an issuer-subject chain (where the
subject field of one certificate appears as the issuer in the next
certificate in the sequence) from a trust anchor certification authority
to the certificate being validated, and that the resource extensions in
this certificate sequence from the trust anchor's issued certificate to
the certificate being validated form a sequence of encompassing
relationships in terms of the resources described in the resource
extension.A Resource Certificate is a valid X.509 v3 public key certificate,
consistent with the PKIX profile ,
containing the fields listed in this section. Unless specifically noted
as being OPTIONAL, all the fields listed here MUST be present, and any
other field MUST NOT appear in a conforming Resource Certificate. Where
a field value is specified here this value MUST be used in conforming
Resource Certificates.Resource Certificates are X.509 Version 3 certificates. This field
MUST be present, and the Version MUST be 3 (i.e. the value of this
field is 2).The serial number value is a positive integer that is unique per
Issuer.This field describes the algorithm used to compute the signature on
this certificate. This profile specifies a minimum of SHA-256 with RSA
(sha256WithRSAEncryption), and allows for the use of SHA-384 or
SHA-512. Accordingly, the value for this field MUST be one of the OID
values { pkcs-1 11 }, { pkcs-1 12 } or { pkcs-1 13 } .This field identifies the entity that has signed and issued the
certificate. The value of this field is a valid X.501 name.If the certificate is a subordinate certificate issued by virtue of
the "cA" bit set in the immediate superior certificate, then the
issuer name MUST correspond to the subject name as contained in the
immediate superior certificate.This field MUST be non-empty.This field identifies the entity to whom the resource has been
allocated / assigned. The value of this field is a valid X.501
name.In this profile the subject name is determined by the issuer, and
each distinct entity certified by the issuer MUST be identified using
a subject name that is unique per issuer.This field MUST be non-empty.The starting time at which point the certificate is valid. In this
profile the "Valid From" time SHOULD be no earlier than the time of
certificate generation. As per Section 4.1.2.5 of , Certification Authorities (CAs) conforming
to this profile MUST always encode the certificate's "Valid From" date
through the year 2049 as UTCTime, and dates in 2050 or later MUST be
encoded as GeneralizedTime. These two time formats are defined in
.In this profile, it is valid for a certificate to have a value for
this field that pre-dates the same field value in any superior
certificate. However, it is not valid to infer from this information
that a certificate was, or will be, valid at any particular time other
than the current time.The Valid To time is the date and time at which point in time the
certificate's validity ends. It represents the anticipated lifetime of
the resource allocation / assignment arrangement between the issuer
and the subject. As per Section 4.1.2.5 of , CAs conforming to this profile MUST always
encode the certificate's "Valid To" date through the year 2049 as
UTCTime, and dates in 2050 or later MUST be encoded as
GeneralizedTime. These two time formats are defined in .In this profile, it is valid for a certificate to have a value for
this field that post-dates the same field value in any superior
certificate. However, it is not valid to infer from this information
that a certificate was, or will be, valid at any particular time other
than the current time.CAs are typically advised against issuing a certificate with a
validity interval that exceeds the validity interval of the CA's
certificate that will be used to validate the issued certificate.
However, in the context of this profile, it is anticipated that a CA
may have valid grounds to issue a certificate with a validity interval
that exceeds the validity interval of the CA's certificate.This field specifies the subject's public key and the
algorithm with which the key is used. The public key algorithm
MUST be RSA, and, accordingly, the OID for the public key
algorithm is 1.2.840.113549.1.1.1. The key size MUST be a
minimum size of 2048 bits.It is noted that larger key sizes are computationally
expensive for both the CA and relying parties, indicating that
care should be taken when deciding to use larger than the
minimum key size.As noted in Section 4.2 of , each
extension in a certificate is designated as either critical or
non-critical. A certificate-using system MUST reject the certificate
if it encounters a critical extension it does not recognise; however,
a non-critical extension MAY be ignored if it is not recognised .The following X.509 V3 extensions MUST be present in a conforming
Resource Certificate, except where explicitly noted otherwise.The basic constraints extension identifies whether the subject of
the certificate is a CA and the maximum depth of valid certification
paths that include this certificate.The issuer determines whether the "cA" boolean is set. If this
bit is set, then it indicates that the subject is allowed to issue
resources certificates within this overall framework (i.e. the
subject is permitted be a CA).The Path Length Constraint is not specified in this profile and
MUST NOT be present.The Basic Constraints extension field is a critical extension in
the Resource Certificate profile, and MUST be present when the
subject is a CA, and MUST NOT be present otherwise.The subject key identifier extension provides a means of
identifying certificates that contain a particular public key. To
facilitate certification path construction, this extension MUST
appear in all Resource Certificates. This extension is
non-critical.The value of the subject key identifier MUST be the value placed
in the key identifier field of the Authority Key Identifier
extension of immediate subordinate certificates (all certificates
issued by the subject of this certificate).The Key Identifier used here is the 160-bit SHA-1 hash of the
value of the DER-encoded ASN.1 bit string of the subject public key,
as described in Section 4.2.1.2 of .The authority key identifier extension provides a means of
identifying certificates that are signed by the issuer's private
key, by providing a hash value of the issuer's public key. To
facilitate path construction, this extension MUST appear in all
Resource Certificates. The keyIdentifier sub field MUST be present
in all Resource Certificates, with the exception of a CA who issues
a "self-signed" certificate. The authorityCertIssuer and
authorityCertSerialNumber sub fields MUST NOT be present. This
extension is non-critical.The Key Identifier used here is the 160-bit SHA-1 hash of the
value of the DER-encoded ASN.1 bit string of the issuer's public
key, as described in Section 4.2.1.1 of .This describes the purpose of the certificate. This is a critical
extension, and it MUST be present.In certificates issued to Certificate Authorities only the
keyCertSign and CRLSign bits are set to TRUE and MUST be the only
bits set to TRUE.In end-entity certificates the digitalSignature bit MUST be set
and MUST be the only bit set to TRUE.This field (CRLDP) identifies the location(s) of the CRL(s)
associated with certificates issued by this Issuer. This profile
uses the URI form of object identification. The preferred URI access
mechanism is a single RSYNC URI ("rsync://") that references a single inclusive CRL for
each issuer.In this profile the certificate issuer is also the CRL issuer,
implying at the CRLIssuer sub field MUST be omitted, and the
distributionPoint sub-field MUST be present. The Reasons sub-field
MUST be omitted.The distributionPoint MUST contain general names, and MUST NOT
contain a nameRelativeToCRLIssuer. The type of the general name MUST
be of type URI.In this profile, the scope of the CRL is specified to be all
certificates issued by this CA issuer using a given key pair.The sequence of distributionPoint values MUST contain only a
single DistributionPointName set. The DistributionPointName set MAY
contain more than one URI value. An RSYNC URI MUST be present in the
DistributionPointName set, and reference the most recent instance of
this issuer's certificate revocation list. Other access form URIs
MAY be used in addition to the RSYNC URI.This extension MUST be present and it is non-critical. There is
one exception, namely where a CA distributes its public key in the
form of a "self-signed" certificate, the CRLDP MUST be omitted.This field (AIA) identifies the point of publication of the
certificate that is issued by the issuer's immediate superior CA,
where this certificate's issuer is the subject. In this profile a
single reference object to publication location of the immediate
superior certificate MUST be used, except in the case where a CA
distributes its public key in the form of a "self-signed"
certificate, in which case the AIA field SHOULD be omitted.This profile uses a URI form of object identification. The
preferred URI access mechanisms is "rsync", and an RSYNC URI MUST be
specified with an accessMethod value of id-ad-caIssuers. The URI
MUST reference the point of publication of the certificate where
this issuer is the subject (the issuer's immediate superior
certificate). Other access method URIs referencing the same object
MAY also be included in the value sequence of this extension.When an Issuer re-issues a CA certificate, the subordinate
certificates need to reference this new certificate via the AIA
field. In order to avoid the situation where a certificate
re-issuance necessarily implies a requirement to re-issue all
subordinate certificates, CA Certificate issuers SHOULD use a
persistent URL name scheme for issued certificates. This implies
that re-issued certificates overwrite previously issued certificates
to the same subject in the publication repository, and use the same
publication name as previously issued certificates. In this way
subordinate certificates can maintain a constant AIA field value and
need not be re-issued due solely to a re-issue of the superior
certificate. The issuers' policy with respect to the persistence of
name objects of issued certificates MUST be specified in the
Issuer's Certification Practice Statement.This extension is non-critical.This field (SIA) identifies the location of information and
services relating to the subject of the certificate in which the SIA
extension appears. Where the Subject is a CA in this profile, this
information and service collection will include all current valid
certificates that have been issued by this subject that are signed
with the subject's corresponding private key.This profile uses a URI form of location identification. The
preferred URI access mechanism is "rsync", and an RSYNC URI MUST be
specified, with an access method value of id-ad-caRepository when
the subject of the certificate is a CA. The RSYNC URI must reference
an object collection rather than an individual object and MUST use a
trailing '/' in the URI.Other access method URIs that reference the same location MAY
also be included in the value sequence of this extension. The
ordering of URIs in this sequence reflect the subject's relative
preferences for access methods, with the first method in the
sequence being the most preferred.This field MUST be present when the subject is a CA, and is
non-critical.For End Entity (EE) certificates, where the subject is not a CA,
this field MAY be present, and is non-critical. If present, it
either references the location where objects signed by the key pair
associated with the EE certificate can be accessed, or, in the case
of single-use EE certificates it references the location of the
single object that has been signed by the corresponding key
pair.When the subject is an End Entity, and it publishes objects
signed with the matching private key in a repository, the directory
where these signed objects is published is referenced the
id-ad-signedObjectRepository OID.When the subject is an End Entity, and it publishes a single
object signed with the matching private key, the location where this
signed object is published is referenced the id-ad-signedObject
OID.This profile requires the use of repository publication manifests
to list all signed objects
that are deposited in the repository publication point associated
with a CA or an EE. The publication point of the manifest for a CA
or EE is placed in the SIA extension of the CA or EE certificate.
This profile uses a URI form of manifest identification for the
accessLocation. The preferred URI access mechanisms is "rsync", and
an RSYNC URI MUST be specified. Other accessDescription fields may
exist with this id-ad-Manifest accessMethod, where the
accessLocation value indicates alternate URI access mechanisms for
the same manifest object.CA certificates MUST include in the SIA an accessMethod OID of
id-ad-rpkiManifest, where the associated accessLocation refers to
the subject's published manifest object as an object URL.When an EE certificate is intended for use in verifying multiple
objects, EE certificate MUST include in the SIA an access method OID
of id-ad-rpkiManifest, where the associated access location refers
to the publication point of the objects that are verified using this
EE certificate.When an EE certificate is used to sign a single published
object, the EE certificate MUST include in the SIA an access
method OID of id-ad-signedObject, where the associated
access location refers to the publication point of the
single object that is verified using this EE certificate. In
this case, the SIA MUST NOT include the access method OID of
id-ad-rpkiManifest.This extension MUST reference the Resource Certificate Policy,
using the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This
field MUST be present and MUST contain only this value for Resource
Certificates.PolicyQualifiers MUST NOT be used in this profile.This extension MUST be present and it is critical.This field contains the list of IP address resources as per . The value may specify the "inherit"
element for a particular AFI value. In the context of resource
certificates describing public number resources for use in the
public Internet, the SAFI value MUST NOT be used. All Resource
Certificates MUST include an IP Resources extension, an AS Resources
extension, or both extensions.This extension, if present, MUST be marked critical.This field contains the list of AS number resources as per , or may specify the "inherit" element. RDI
values are NOT supported in this profile and MUST NOT be used. All
Resource Certificates MUST include an IP Resources extension, an AS
Resources extension, or both extensions.This extension, if present, MUST be marked critical.Each CA MUST issue a version 2 Certificate Revocation List (CRL),
consistent with . The CRL issuer is the
CA, and no indirect CRLs are supported in this profile.An entry MUST NOT be removed from the CRL until it appears on one
regularly scheduled CRL issued beyond the revoked certificate's validity
period.This profile does not allow issuance of Delta CRLs.The scope of the CRL MUST be "all certificates issued by this CA
using a given key pair". The contents of the CRL are a list of all
non-expired certificates issued by the CA using a given key pair that
have been revoked by the CA.The profile allows the issuance of multiple current CRLs with
different scope by a single CA, with the scope being defined by the key
pair used by the CA.No CRL fields other than those listed here are permitted in CRLs
issued under this profile. Unless otherwise indicated, these fields MUST
be present in the CRL. Where two or more CRLs issued by a single CA with
the same scope, the CRL with the highest value of the "CRL Number" field
supersedes all other CRLs issued by this CA.Resource Certificate Revocation Lists are Version 2 certificates
(the integer value of this field is 1).The value of this field is the X.501 name of the issuing CA who is
also the signer of the CRL, and is identical to the Issuer name in the
Resource Certificates that are issued by this issuer.This field contains the date and time that this CRL was issued. The
value of this field MUST be encoded as UTCTime for dates through the
year 2049, and MUST be encoded as GeneralizedTime for dates in the
year 2050 or later.This is the date and time by which the next CRL SHOULD be issued.
The value of this field MUST be encoded as UTCTime for dates through
the year 2049, and MUST be encoded as GeneralizedTime for dates in the
year 2050 or later.This field contains the algorithm used to sign this CRL. This
profile specifies a minimum of SHA-256 with RSA
(sha256WithRSAEncryption), and allows for the use of SHA-384 or
SHA-512. This field MUST be present.It is noted that larger key sizes are computationally expensive for
both the CRL Issuer and relying parties, indicating that care should
be taken when deciding to use larger than the minimum key size.When there are no revoked certificates, then the revoked
certificate list MUST be absent.For each revoked resource certificate only the following fields
MUST be present. No CRL entry extensions are supported in this
profile, and CRL entry extensions MUST NOT be present in a CRL.The issuer's serial number of the revoked certificate.The time the certificate was revoked. This time MUST NOT be a
future date. The value of this field MUST be encoded as UTCTime for
dates through the year 2049, and MUST be encoded as GeneralizedTime
for dates in the year 2050 or later.The X.509 v2 CRL format allows extensions to be placed in a CRL.
The following extensions are supported in this profile, and MUST be
present in a CRL.The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used to
sign a CRL. Conforming CRL issuers MUST use the key identifier
method. The syntax for this CRL extension is defined in section
4.2.1.1 of .This extension is non-critical.The CRL Number extension conveys a monotonically increasing
sequence number of positive integers for a given CA and scope. This
extension allows users to easily determine when a particular CRL
supersedes another CRL. The highest CRL Number value supersedes all
other CRLs issued by the CA with the same scope.This extension is non-critical.A resource certificate request MAY use either of PKCS#10 or
Certificate Request Message Format (CRMF). A CA Issuer MUST support
PKCS#10 and a CA Issuer may, with mutual consent of the subject, support
CRMF.This profile refines the specification in , as it relates to Resource Certificates. A
Certificate Request Message object, formatted according to PKCS#10, is
passed to a CA as the initial step in issuing a certificate.This request may be conveyed to the CA via a Registration Authority
(RA), acting under the direction of a Subject.With the exception of the public key related fields, the CA is
permitted to alter any requested field when issuing a corresponding
certificate.This profile applies the following additional constraints to
fields that may appear in a CertificationRequestInfo: This field is
mandatory and MUST have the value 0.This field is
optional. If present, the value of this field SHOULD be empty,
in which case the issuer MUST generate a subject name that is
unique in the context of certificates issued by this issuer. If
the value of this field is non-empty, then the CA MAY consider
the value of this field as the subject's suggested subject name,
but the CA is NOT bound to honour this suggestion, as the
subject name MUST be unique per issuer in certificates issued by
this issuer. This
field specifies the subject's public key and the algorithm with
which the key is used. The public key algorithm MUST be RSA, and
the OID for the algorithm is 1.2.840.113549.1.1.1. This field
also includes a bit-string representation of the entity's public
key. For the RSA public-key algorithm the bit string contains
the DER encoding of a value of PKCS #1 type RSAPublicKey. defines the attributes field as
key-value pairs where the key is an OID and the value's
structure depends on the key.The only attribute used in this profile is the
ExtensionRequest attribute as defined in . This attribute contains X509v3
Certificate Extensions. The profile for extensions in
certificate requests is specified in .This profile applies the following additional constraints to
fields that MAY appear in a CertificationRequest Object: This
profile specifies a minimum of SHA-256 with RSA
(sha256WithRSAEncryption), and allows for the use of SHA-384 or
SHA-512. Accordingly, the value for this field MUST be one of
the OID values { pkcs-1 11 }, { pkcs-1 12 } or { pkcs-1 13 }
.It is noted that larger key sizes are computationally
expensive for both the CA and relying parties, indicating that
care should be taken when deciding to use larger than the
minimum key size.This profile refines the Certificate Request Message Format (CRMF)
specification in , as it relates to
Resource Certificates. A Certificate Request Message object, formatted
according to the CRMF, is passed to a CA as the initial step in
issuing a certificate.This request MAY be conveyed to the CA via a Registration Authority
(RA), acting under the direction of a subject.With the exception of the public key related fields, the CA is
permitted to alter any requested field when issuing a corresponding
certificate.This profile applies the following additional constraints to
fields that may appear in a Certificate Request Template: This field MAY be
absent, or MAY specify the request of a Version 3 Certificate.
It SHOULD be omitted. As per
, this field is assigned by the CA
and MUST be omitted in this profile. As per
, this field is assigned by the CA
and MUST be omitted in this profile. This field is
assigned by the CA and MUST be omitted in this profile. This field MAY
be omitted. If omitted, the CA will issue a Certificate with
Validity dates as determined by the CA. If specified, then the
CA MAY override the requested values with dates as determined by
the CA. This field is
optional. If present, the value of this field SHOULD be empty,
in which case the issuer MUST generate a subject name that is
unique in the context of certificates issued by this issuer. If
the value of this field is non-empty, then the CA MAY consider
the value of this field as the subject's suggested subject name,
but the CA is NOT bound to honour this suggestion, as the
subject name MUST be unique per issuer in certificates issued by
this issuer. This field
MUST be present.This attribute
contains X509v3 Certificate Extensions. The profile for
extensions in certificate requests is specified in .The following control fields are supported in this profile:
It
is noted that the intended model of authentication of the
subject is a long term one, and the advice as offered in is that the Authenticator Control field
be used. The following extensions MAY appear in a PKCS#10 or CRMF
Certificate Request. Any other extensions MUST NOT appear in a
Certificate Request. This profile places the following additional
constraints on these extensions.: If this is
omitted then the CA will issue an end entity certificate with the
BasicConstraints extension not present in the issued
certificate.The Path Length Constraint is not supported in this Resource
Certificate Profile, and this field MUST be omitted in this
profile.The CA MAY honour the SubjectType CA bit set to on. If this bit
is set, then it indicates that the Subject is allowed to issue
resource certificates within this overall framework.The CA MUST honour the SubjectType CA bit set to off (End
Entity certificate request), in which case the corresponding end
entity certificate will not contain a BasicConstraints extension.
This
field is assigned by the CA and MUST be omitted in this profile.
This field is assigned by the CA and MUST be omitted in this
profile. The CA MAY honor
KeyUsage extensions of keyCertSign and cRLSign if present, as long
as this is consistent with the BasicConstraints SubjectType sub
field, when specified.
This field MUST be present when the subject is a CA, and the field
value SHOULD be honoured by the CA. If the CA is not able to honor
the requested field value, then the CA MUST reject the Certificate
Request. This field (SIA) identifies the location of information
and services relating to the subject of the certificate in
which the SIA extension appears. Where the subject is a CA in this profile, this
information and service collection will include all
current valid certificates that have been issued by this
subject that are signed with the subject's corresponding
private key.This profile uses a URI form of location
identification. An RSYNC URI MUST be specified, with an
access method value of id-ad-caRepository when the subject
of the certificate is a CA. The RSYNC URI MUST reference
an object collection rather than an individual object and
MUST use a trailing '/' in the URI. Other access method
URIs that reference the same location MAY also be included
in the value sequence of this extension. The ordering of
URIs in this sequence reflect the subject's relative
preferences for access methods, with the first method in
the sequence being the most preferred by the
Subject.A request for a CA certificate MUST include in the SIA
of the request the id-ad-caRepository access method, and
also MUST include in the SIA of the request the
accessMethod OID of id-ad-rpkiManifest, where the
associated accessLocation refers to the subject's
published manifest object as an object URL.This field MAY be present when the subject is a EE. If
it is present the field value SHOULD be honoured by the
CA. If the CA is not able to honor the requested field
value, then the CA MUST reject the Certificate Request.
If it is not present the CA SHOULD honor this request and
omit the SIA from the issued certificate. If the CA is not
able to honor the request to omit the SIA, then the CA
MUST reject the Certificate Request.When an EE certificate is intended for use in verifying
multiple objects, the certificate request for the EE
certificate MUST include in the SIA of the request an
access method OID of id-ad-signedObjectRepository, and
also MUST include in the SIA of the request an access
method OID of id-ad-rpkiManifest, where the associated
access location refers to the publication point of the
objects that are verified using this EE
certificate.When an EE certificate is used to sign a single
published object, the certificate request for the EE
certificate MUST include in the SIA of the request an
access method OID of id-ad-signedObject, where the
associated access location refers to the publication point
of the single object that is verified using this EE
certificate, and MUST NOT include an id-ad-rpkiManifest
access method OID in the SIA of the request.In the case when the EE certificate is to be used
exclusively to sign one or more unpublished objects, such
that the all signed objects will not be published in any
RPKI repository, then the SIA SHOULD be omitted from the
request. This
field is assigned by the CA and MUST be omitted in this
profile.This field is assigned by the CA and MUST be
omitted in this profile. This
field is assigned by the CA and MUST be omitted in this profile.
With the exceptions of the publicKey field and the
SubjectInformationAccess field, the CA is permitted to alter any
requested field.This section describes the Resource Certificate validation procedure.
This refines the generic procedure described in section 6 of :To meet this goal, the path validation process verifies, among other
things, that a prospective certification path (a sequence of n
certificates) satisfies the following conditions: for all x in {1, ..., n-1}, the subject of certificate x is the
issuer of certificate x+1; certificate 1 is issued by a trust anchor; certificate n is the certificate to be validated; and for all x in {1, ..., n}, the certificate is valid.The IP resource extension definition
defines a critical extensions for Internet number resources. These are
ASN.1 encoded representations of the IPv4 and IPv6 address range
(either as a prefix/length, or start-end pair) and the AS number
set.Valid Resource Certificates MUST have a valid IP address and/or AS
number resource extension. In order to validate a Resource Certificate
the resource extension must also be validated. This validation process
relies on definitions of comparison of resource sets: Given two IP address or AS number
contiguous ranges, A and B, A is "more specific" than B if range B
includes all IP addresses or AS numbers described by range A, and
if range B is larger than range A. Given two IP address or AS number contiguous
ranges, A and B, A is "equal" to B if range A describes precisely
the same collection of IP addresses or AS numbers as described by
range B. The definition of "inheritance" in is equivalent to this "equality"
comparison.Given two IP address and AS number sets X
and Y, X "encompasses" Y if, for every contiguous range of IP
addresses or AS numbers elements in set Y, the range element is
either more specific than or equal to a contiguous range element
within the set X.Validation of a certificate's resource extension in the context of
an ordered certificate sequence of {1,2, ... , n} where '1' is issued
by a trust anchor and 'n' is the target certificate, and where the
subject of certificate 'x' is the issuer of certificate 'x' + 1,
implies that the resources described in certificate 'x' "encompass"
the resources described in certificate 'x' + 1, and the resources
described in the trust anchor information "encompass" the resources
described in certificate 1.Validation of signed resource data using a target resource
certificate consists of assembling an ordered sequence (or
'Certification Path') of certificates ({1,2,...n} where '1' is a
certificate that has been issued by a trust anchor, and 'n' is the
target certificate) verifying that all of the following conditions
hold: The certificate can be verified using the Issuer's public key
and the signature algorithm The current time lies within the certificate's Validity From
and To values. The certificate contains all fields that MUST be present and
contains field values as specified in this profile for all field
values that MUST be present. No field value that MUST NOT be present in this profile is
present in the certificate. The Issuer has not revoked the certificate by placing the
certificate's serial number on the Issuer's current Certificate
Revocation List, and the Certificate Revocation List is itself
valid. That the resource extension data is "encompassed" by the
resource extension data contained in a valid certificate where
this Issuer is the Subject (the previous certificate in the
ordered sequence) The Certification Path originates with a certificate issued by
a trust anchor, and there exists a signing chain across the
Certification Path where the Subject of Certificate x in the
Certification Path matches the Issuer in Certificate x+1 in the
Certification Path.A certificate validation algorithm may perform these tests in any
chosen order.Certificates and CRLs used in this process may be found in a
locally maintained cache, maintained by a regular top-down
synchronization pass, seeded with the CAs who operate at the apex of
the resource distribution hierarchy, via reference to issued
certificates and their SIA fields as forward pointers, plus the CRLDP.
Alternatively, validation may be performed using a bottom-up process
with on-line certificate access using the certificate's AIA and CRLDP
pointers to guide the certificate retrieval process for each
certificate's immediate superior CA certificate.There exists the possibility of encountering certificate paths that
are arbitrarily long, or attempting to generate paths with loops as
means of creating a potential DOS attack on a certificate validator.
Some further heuristics may be required to halt the certification path
validation process in order to avoid some of the issues associated
with attempts to validate such structures. It is suggested that
implementations of Resource Certificate validation MAY halt with a
validation failure if the certification path length exceeds a
pre-determined configuration parameter.The trust model that may be used in the resource certificate
framework in the context of validation of assertions of public number
resources in public-use contexts is one that readily maps to a
top-down delegated CA model that mirrors the delegation of resources
from a registry distribution point to the entities that are the direct
recipients of these resources. Within this trust model these recipient
entities may, in turn, operate a registry and perform further
allocations or assignments. This is a strict hierarchy, in that any
number resource and a corresponding recipient entity has only one
'parent' issuing registry for that number resource (i.e. there is
always a unique parent entity for any resource and corresponding
entity), and that the issuing registry is not a direct or indirect
subordinate recipient entity of the recipient entity in question (i.e.
no loops in the model).The more general consideration is that selection of one or more
trust anchor CAs is a task undertaken by relying parties. The
structure of the resource certificate profile admits potentially the
same variety of trust models as the PKIX profile. There is only one
additional caveat on the general applicability of trust models and
PKIX frameworks, namely that in forming a validation path to a trust
anchor CA, the sequence of certificates MUST preserve the resource
extension validation property, as described in , and the validation of the first certificate
in the validation path not only involves the verification that the
certificate was issued by a trust anchor CA, but also that the
resource set described in the certificate MUST be encompassed by the
trust anchor CA's resource set, as described in .The trust anchor information, describing a CA that serves as a
trust anchor, includes the following:the trusted issuer name,the trusted public key algorithm,the trusted public key,optionally, the trusted public key parameters associated with
the public key, anda resource set, consisting of a set of IPv4 resources, IPv6
resources and AS number resources.The trust anchor information may be provided to the path processing
procedure in the form of a self-signed certificate.In the RPKI the hierarchical certificate framework corresponds to
the hierarchies of the resource distribution function. In
consideration of this, it is reasonable to nominate to relying
parties a default set of trust anchors for the RPKI that correspond
to the entities who operate at the upper levels of the associated
resource allocation hierarchy. The corresponding nominated trust
anchor CA(s) should therefore map, in some fashion, to apex point(s)
of the hierarchical resource distribution structure.The characteristics of a trust anchor framework for the RPKI
includes the following considerations:The entity or entities that issue proposed trust anchor
material for the RPKI should be as close as possible to the apex
of the associated resource distribution hierarchy.Such trust anchor material should be long-lived. As it can be
reasonably anticipated that default nominated trust anchor
material would be distributed with relying party validation
software, the implication is that the distributed default
nominated trust anchor material should remain constant for
extended time intervals.It is a poor trust model when any entity that issues putative
trust anchor material is forced to be authoritative over
information or actions of which the entity has no direct
knowledge, nor is in possession of a current definitive record
of such actions. Entities who propose themselves in a role of a
trust anchor issuer should be able to point to corroborative
material supporting the assertion that they are legitimate
authorities for the information where they are representing
themselves as a potential trust anchor for relying parties.An entity offering itself as a putative RPKI trust anchor for a
part of the RPKI is required to regularly publish a RPKI CA
certificate at a stable URL, and to publish a packaged form of this
URL as distributed trust anchor material, as follows:The entity issues a RPKI self-signed "root" CA certificate
that is used as the apex of a RPKI certificate issuance
hierarchy. This certificate MUST have the keyCertSign sign bit
set in the key usage extension, and the CA flag set in the basic
constraints extension, no AIA value and no CRLDP value. This
certificate MUST be reissued at regular intervals prior to
expiration of the current RPKI self-signed certificate, and MUST
be reissued upon any change in the resource set that has been
allocated to the entity who is operating this CA. The validity
interval of this certificate should reflect the anticipated
period of the regular RPKI certificate re-issuance. The entity maintains a "trust anchor material" key
pair.The entity issues a PKI self-signed CA certificate using the trust anchor material key
pair, where the subject public key in the certificate is the
public key of the trust anchor material key pair and the
certificate is signed by the corresponding private key of trust
anchor material key pair. This certificate MUST have the
keyCertSign sign bit set in the key usage extension, and the CA
flag set in the basic constraints extension, no AIA value and no
CRLDP value. The validity period of this certificate shold be
very long-lived, with the period to be defined by the entity.
The SIA of this certificate references a publication point where
the CRL and the subordinate product of this certificate are
published.The PKI CA issues a subordinate PKI EE certificate with a
validity period identical to the validity period of the RPKI
self-signed "root" CA certificate. This PKI EE certificate MUST
have the digitalSignature bit set, and this MUST be the only bit
set to TRUE. The CA flag set MUST be cleared in the basic
constraints extension. The validity period of this certificate
should be aligned to the validity period of the RPKI self-signed
"root" CA certificate. The PKI CA regularly issues a CRL. The CRL issuance cycle
SHOULD be shorter than the validity period for the RPKI
self-signed "root" certificate.Each time the RPKI self-signed "root" certificate is
re-issued, or prior to the expiration of the PKI EE certificate,
the PKI CA generates a Cryptographic Message Syntax (CMS) signed-data object, where the payload
is the RPKI self-signed "root" certificate. The object is
CMS-signed with the private key of the PKI EE certificate. The
PKI EE certificate is included as a CMS signed attribute in the
CMS object. The PKI self-signed CA certificate and the asociated
CRL are not to be included in the CMS object. The format of the
CMS object is specified in . The
CMS object is published at the location referenced in the SIA of
the PKI self-signed CA certificate.The entity publically distributes the PKI self-signed CA
certificate as its proposed trust anchor material.The entity publishes the modulus and exponent of the "trust
anchor material" public key using a trusted form of publication
that allows the entity's identity to be validated and the
retrieval of the published information to be secured.Relying Parties can assemble the default trust anchor collection
by using the distributed PKI self-signed CA certificate for each
nominated trust anchor:The public key in the self-signed CA PKI certificate can be
validated using the modulus and exponent values as retrieved
from the entity's publication point using a secured retrieval
operation.The PKI CA's CRL and CMS objects can be retrieved from the
publication point referenced by the SIA in the PKI CA
certificate.The CRL can be verified against the PKI CA certificate.
The CMS signature can be verified using the included PKI EE
certificate together with the retrieved CRL and the self-signed
PKI CA certificate. The relying party can then load the enclosed RPKI self-signed
CA certificate as a trust anchor for RPKI validation for those
resources described in the resource extension of this RPKI
certificate.Relying Parties should perform this retrieval and validation
operation at intervals no less frequent than the nextUpdate time of
the published CRL, and should perform the retrieval operation prior
to the expiration of the PKI EE certificate, or upon revocation of
the PKI EE certificate that was used to sign the CMS object that
held the relying party's current RPKI self-signed CA
certificate.If a trust anchor CA wishes to perform an issuance of the RPKI
self-signed CA certificate outside the established update cycle
time, it can notify relying parties of this by revising the
nextUpdate time of the PKI CA's CRL to a shorter interval, issuing a
new PKI CA certificate and a new CMS object with the new RPKI
self-signed CA certificate, and revoking the old PKI EE certificate
at the nextUpdate time in the next issued CRL. This revocation will
provide an indication to relying parties to perform the retrieval
operation ofthe RPKI self-signed CA certificate at a time earlier
than the normal update cycle time.The Security Considerations of and
apply to Resource Certificates as defined
by this profile, and their use.A Resource Certificate PKI cannot in and of itself resolve any forms
of ambiguity relating to uniqueness of assertions of rights of use in
the event that two or more valid certificates encompass the same
resource. If the issuance of resource certificates is aligned to the
status of resource allocations and assignments then the information
conveyed in a certificate is no better than the information in the
allocation and assignment databases.[Note to IANA, to be removed prior to publication: there are no IANA
considerations stated in this document.]The authors would like to acknowledge the valued contributions from
Stephen Kent, Robert Kisteleki, Randy Bush, Russ Housley, Ricardo Patara
and Rob Austein in the preparation and subsequent review of this
document. The document also reflects review comments received from Sean
Turner and David Cooper.
The following review comments are unresolved at present:
Use of additional non-critical extensions:
Section 3: "Unless specifically noted as being OPTIONAL, all the
fields listed here MUST be present, and any other field MUST NOT
appear in a conforming Resource Certificate."The review comment was that certificate profile should permit the
use of non-critical extensions. The scenario nominatedwas one in which
a CA product added non-critical extensions to a certificate that would
not affect a relying party's decision to accept the certificate,
regardless of whether the relying party could process the
extension. It was noted that it may be possible to configure these CA
products so that they do not include these extensions in the
certificates, but that is a question that would need to be answered by
someone more familiar with particular CA products that add
non-critical extensions that identify the CA product used to mint the
certificate.The rationale for not permitting non-critical extensions is that it
was not seen as being appropriate to be in the position of having
certificates with extensions which relying parties may see as valid,
but contain extensions that, were the relying party to understand the
extension, would contradict or qualify in some way this original
validity. The profile takes the position of minimialism over
extensibility, taking the approach of nomination of a specific goal
for the PKI, namely to construct a PKI that precisely matches the IP
number resource allocation structure, and then defining a certificate
profile that was precisely aligned to this objective. If there is some
need or requirement to use the RFC3779 extensions in contexts other
than assertions about right of use of resources by virtue of an
allocation action, that make use of other extensions than are
specified here, then the authors suggest that it would be more
appropriate to define a distinct profile to fulfil this function.It is proposed to leave the text as is.CRL Scope: Section 3.9.5: In this profile,
the scope of the CRL is specified to be all certificates issued by
this CA issue using a given key pair.The review comment was that the scope of a CRL must be all
certificates issued by the issuing CA unless the CRL includes an
issuingDistributionPoint extension. So, if the scope of CRLs is to be
limited to certificates signed with a given key pair, then the profile
must either require inclusion of the issuingDistributionPoint
extension in CRLs or forbid CAs from performing key rollover. The
latter option may be implemented by having issuers change names
whenever changing the key pair used to sign certificates.It is proposed to drop the scope restriction, and remove the
text in Section 3.9.5.Name Uniqueness:Section 3.5 stipulates that
subject names must simply be unique per issuer, while X.509 requires
that names must be globally unique.The review comment was that the Security Considerations section in
RFC5280 states: " While X.509 mandates that names be unambiguous,
there is a risk that two unrelated authorities will issue certificates
and/or CRLs under the same issuer name." X.501 states that a
(directory) name shall be unambiguous, in that it denotes just one
object, but need not be unique, in that it not be the only name that
unambiguously denotes the object, and that for every name form used in
the GeneralName type, there shall be a name registration system that
ensures that any name used unambiguously identifies one entity to both
certificate issuer and certificate users. The review comment is that
problem with a less stringent requirement is that if two CAs issue
certificates and CRLs under the same name, there is a risk that a
relying party will use a CRL issued by one of these CAs to determine
the status of a certificate issued by the other CA.The rationale for using a name this is unique per issuer is that
the RPKI is strictly hierarchical, the repository publication
structure is structured on a per-CA basis, the CRLDP is mandatory to
include in all RPKI certificates (except apex self-signed certs) so
that each certificate points directly to the associated CRL that can
revoke it, the contextof the use of names is within a per issuer
context, a single entity may hold resources from multiple sources and
the RPKI name space is unconstrained such that it is neither
coordinated nor restricted to be structured in any fashion, and the
RPKI is not attesting a name or an identity but a right to use
resources. Because the context of the use of names in the RPKI is one
that positions names within a strict hierarchy, then the essential
name attribute of unambiguity is achieved in the RPKI when names are
specified to be unique per issuer.It is proposed not to alter the existing specification of
uniqueness of names on a per-issuer basis.Recommendation X.509: The Directory - Authentication
FrameworkManifests for the Resource Public Key InfrastructureISCAPNICBBNBBNrsyncSAMBAThe following is an example Resource Certificate.The following is an example Certificate Revocation List.Using the Cryptographic Message Syntax (CMS) , a RPKI Trust Anchor Object (RTA) is a type of
signed-data object. The general format of a CMS object is:As a RTA is a signed-data object, it uses the corresponding OID,
1.2.840.113549.1.7.2. .According to the CMS specification, the signed-data content type
shall have ASN.1 type SignedData:The elements of the signed-data content type are as follows: The version is the syntax
version number. It MUST be 3, corresponding to the signerInfo
structure having version number 3. The
digestAlgorithms set MUST include only SHA-256, the OID for
which is 2.16.840.1.101.3.4.2.1. . It MUST NOT contain any other
algorithms.This element is
defined in . The certificates
element MUST be included and MUST contain only the single PKI
EE certificate needed to validate this CMS Object. The
CertificateSet type is defined in section 10 of The crls element MUST be
omitted.This element is defined
in .encapContentInfo is the signed content, consisting of a content
type identifier and the content itself.The elements of this signed content type are as follows: The ContentType for an
RTA is defined as id-ct-RPKITrustAnchor and has the
numerical value of 1.2.840.113549.1.9.16.1.33. The content of an RTA is
an RPKI self-signed CA certificate. It is formally defined
as: The definition of Certificate is taken from
.SignerInfo is defined under CMS as:The content of the SignerInfo element are as follows: The version number MUST be
3, corresponding with the choice of SubjectKeyIdentifier for
the sid. The sid is defined as: For a RTA, the sid MUST be a
SubjectKeyIdentifier. The
digestAlgorithm MUST be SHA-256, the OID for which is
2.16.840.1.101.3.4.2.1. The signedAttrs
element is defined as: The signedAttr element MUST be present and MUST
include the content-type and message-digest attributes. The
signer MAY also include the signing-time signed attribute,
the binary-signing-time signed attribute, or both signed
attributes. Other signed attributes that are deemed
appropriate MAY also be included. The intent is to allow
additional signed attributes to be included if a future need
is identified. This does not cause an interoperability
concern because unrecognized signed attributes are ignored
by the relying party.The signedAttr MUST include only a single instance of any
particular attribute. Additionally, even though the syntax
allows for a SET OF AttributeValue, in a RTA the attrValues
must consist of only a single AttributeValue. The
ContentType attribute MUST be present. The attrType
OID for the ContentType attribute is
1.2.840.113549.1.9.3.The attrValues for the ContentType attribute in a
RTA MUST be 1.2.840.113549.1.9.16.1.24 (matching the
eContentType in the EncapsulatedContentInfo). The
MessageDigest attribute MUST be present. The
attrType OID for the MessageDigest Attribute is
1.2.840.113549.1.9.4.The attrValues for the MessageDigest attribute
contains the output of the digest algorithm applied
to the content being signed, as specified in Section
11.1 of . The
SigningTime attribute MAY be present. If it is
present it MUST be ignored by the relying party. The
presence of absence of the SigningTime attribute in
no way affects the validation of the RTA. The
attrType OID for the SigningTime attribute is
1.2.840.113549.1.9.5.The attrValues for the SigningTime attribute is
defined as: The Time element specifies the time,
based on the local system clock, at which the
digital signature was applied to the content.
The The BinarySigningTime attribute MAY be present.
If it is present it MUST be ignored by the relying
party. The presence of absence of the
BinarySigningTime attribute in no way affects the
validation of the RTA. The attrType OID for the
SigningTime attribute is
1.2.840.113549.1.9.16.2.46.The attrValues for the SigningTime attribute is
defined as: The BinaryTime element specifies the
time, based on the local system clock, at which the
digital signature was applied to the content.The
signatureAlgorithm MUST be RSA (rsaEncryption), the OID for
which is 1.2.840.113549.1.1.1.q The signature value is
defined as: The signature characteristics are defined by the
digest and signature algorithms. unsignedAttrs MUST
be omitted.Before a relying party can use an RTA, the relying party must first
validate the RTA by performing the following steps.Verify that the RTA syntax complies with this specification. In
particular, verify the following:The contentType of the CMS object is SignedData (OID
1.2.840.113549.1.7.2).The version of the SignedData object is 3.The digestAlgorithm in the SignedData object is SHA-256
(OID 2.16.840.1.101.3.4.2.1).The certificates field in the SignedData object is present
and contains an EE certificate whose Subject Key Identifier
(SKI) matches the sid field of the SignerInfo object.The crls field in the SignedData object is omitted. The eContentType in the EncapsulatedContentInfo is
id-ct-RPKITrustAnchor (OID 1.2.840.113549.1.9.16.1.[TBD])
The version of the SignerInfo is 3. The digestAlgorithm in the SignerInfo object is SHA-256
(OID 2.16.840.1.101.3.4.2.1). The signatureAlgorithm in the SignerInfo object is RSA (OID
1.2.840.113549.1.1.1). The signedAttrs field in the SignerInfo object is present
and contains both the ContentType attribute (OID
1.2.840.113549.1.9.3) and the MessageDigest attribute (OID
1.2.840.113549.1.9.4).The unsignedAttrs field in the SignerInfo object is
omitted.Use the public key in the EE certificate to verify the
signature on the RTA.Verify that the EE certificate is a valid end-entity
certificate in the Trust Anchor PKI by validating that the PKI CA
certificate issued this EE certificate, and the PKI CA's CRL has
not revoked the EE certificate, and that the PKI CA's CRL is
valid.