Post on 05-Jan-2016

216 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Updates to the RPKI Certificate Policy I-D

Steve Kent

BBN Technologies

Page 2: Basis of Changes

• We received feedback from
– Geoff Huston
– Randy Bush
– Tim Christensen

• I also added text regarding IANA’s role as a trust anchor and co-administrator of the CP

• We know of a couple of additional required changes, and will issue a new version very soon

• I hope we can then proceed to WGLC

Page 3: Reminder: What is the RPKI CP?

• There is exactly one CP for the whole RPKI

• All CAs operating in the RPKI MUST include the OID for the CP in every (RPKI) certificate they issue

• Thus, all prospective RPKI CAs (IANA, RIRs, NIRs, LIRs/ISPs) REALLY OUGHT to pay attention to this document and provide feedback!
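The "OID for the CP" requirement above is carried in the certificatePolicies extension of each RPKI certificate. The following Python is an added example, not code from the slides or the I-D: it DER-encodes that extension value for a given policy OID and parses it back so a relying party can check that the CP OID is present. It assumes the CP OID is id-cp-ipAddr-asNumber, 1.3.6.1.5.5.7.14.2, the value assigned when this I-D was published as RFC 6484; the slides themselves do not state the OID. Only the extension value is handled, not a whole certificate, and it uses the standard library only.

```python
"""Build and check the DER value of an X.509 certificatePolicies extension.

Added example (not from the slides or the I-D). Assumption: the RPKI CP OID
is id-cp-ipAddr-asNumber = 1.3.6.1.5.5.7.14.2 (assigned in RFC 6484).
"""

RPKI_CP_OID = "1.3.6.1.5.5.7.14.2"   # id-cp-ipAddr-asNumber (RFC 6484)
ANY_POLICY_OID = "2.5.29.32.0"       # anyPolicy: not the RPKI CP, used as a negative case


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one subidentifier
    out = bytearray()
    for sid in subids:
        # base-128 groups, most significant first, high bit set on all but the last
        groups = []
        while True:
            groups.append(sid & 0x7F)
            sid >>= 7
            if sid == 0:
                break
        groups.reverse()
        out.extend(g | 0x80 for g in groups[:-1])
        out.append(groups[-1])
    return _tlv(0x06, bytes(out))


def certificate_policies(*oids: str) -> bytes:
    """certificatePolicies value: SEQUENCE OF PolicyInformation { policyIdentifier OID }.
    No policy qualifiers are emitted."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)   # the first arc can only be 0, 1 or 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def policy_oids(ext_value: bytes) -> list:
    """Return every policyIdentifier in a certificatePolicies value, in order.
    Any policy qualifiers after the OID inside a PolicyInformation are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, obody, _ = _read_tlv(info, 0)
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(obody))
    return oids


def names_rpki_cp(ext_value: bytes) -> bool:
    """True if the extension value names the RPKI CP (malformed input counts as False)."""
    try:
        return RPKI_CP_OID in policy_oids(ext_value)
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    good = certificate_policies(RPKI_CP_OID)
    print(good.hex())                                    # 300c300a06082b06010505070e02
    print(names_rpki_cp(good))                           # True
    print(names_rpki_cp(certificate_policies(ANY_POLICY_OID)))   # False
```

The check only asks whether the CP OID is present, which is all the slide states; the published certificate profile adds further constraints on this extension that are outside the scope of this deck.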

Page 4: Global Changes

• Corrected definition of a "bogus" route to include unauthorized advertisement of an unallocated address (not just one that has been allocated)

• Changed text to allow the possibility of additional assigned objects (not just ROAs)

• Changed text from "distributing" PKI data to "publishing PKI data in the RPKI distributed repository system"

• Added text to allow for other routing-related uses of the RPKI data (not just route filters)

Page 5: Specific Changes (1/4)

• 1.3.1 (Certification Authorities): Added IANA and rewrote this section in an attempt to clarify it

• 1.3.5 (Other Participants): Notes that every CA is responsible for populating the RPKI distributed repository system with its data, but that this function can be outsourced

• 1.5.1/2 (CP administration & contact info): says that the CP is co-administered by IANA and the RIRs (which act as default trust anchors for the RPKI) and provides contact info for each

Page 6: Specific Changes (2/4)

• 3.1.1 (Types of names): Added IANA to the list of CAs whose name will be a directory distinguished name, and added NIRs to the list of organizations whose names "consist of a single CN attribute with a value generated by the issuer."

• 5.6 (Key changeover): Text now notes that a (CA) certificate issued to an ISP/LIR by an RIR/NIR might have a lifetime longer than the RIR/NIR’s (CA) certificate. This is because the ISP/LIR certificate typically will have a validity period that reflects the contractual relationship between the issuer and subject.

• 5.8 (CA or RA termination): Text now says that if an organization acting as a CA in the RPKI terminates operation without identifying a replacement, then effective control of the IP addresses and AS numbers reverts to the issuing organization(s), and the terminated CA’s certificate will be revoked.

Page 7: Specific Changes (3/4)

• 6.1.4 (CA public key delivery to relying parties): Added IANA to the list of entities whose public keys are distributed out of band.

• 6.3.2 (Certificate operational periods and key pair usage periods): Updated text to motivate the two-tier TA structure for the RPKI. However, one sentence needs to be changed, based on RIR feedback:

"IANA holds all IP address and AS number space, i.e., all the resources which form the base of the RPKI hierarchy. Because a self-signed IANA certificate represents this base, it should have a very long lifetime."

Page 8: Two-tier Model Diagram

[Diagram: Registry TA Certificate; Registry TA CRL; RPKI TA Certificate; CMS Signed Object containing the Registry EE Certificate and other CMS fields]

Page 9: RIR & IANA TA Pairs

ARIN TA / ARIN RPKI TA

RIPE TA / RIPE RPKI TA

APNIC TA / APNIC RPKI TA

LACNIC TA / LACNIC RPKI TA

AfriNIC TA / AfriNIC RPKI TA

IANA TA / IANA RPKI TA

Page 10: Specific Changes (4/4)

• 9. (Other Business and Legal Matters): Almost all subsections are now "[OMITTED]" because there is no single set of responses that would cover every relevant organization in the RPKI, i.e., each organization will need to specify this information in its CPS

• 9.12 (Amendments): still needs to be updated to reflect text in 1.5.1, i.e., listing RIRs and IANA as the co-administrators of the CP

Page 11: Questions?