draft-ietf-sidr-rpki-oob-setup-05.txt vs. draft-ietf-sidr-rpki-oob-setup-06.txt
(side-by-side rfcdiff output; text common to both versions is shown once,
lines that differ are prefixed "-05:" and "-06:")

Network Working Group                                         R. Austein
Internet-Draft                                      Dragon Research Labs
Intended status: Standards Track
-05:                                                   December 21, 2016
-06:                                                    January 10, 2017
-05: Expires: June 24, 2017
-06: Expires: July 14, 2017

       An Out-Of-Band Setup Protocol For RPKI Production Services
-05:                 draft-ietf-sidr-rpki-oob-setup-05
-06:                 draft-ietf-sidr-rpki-oob-setup-06
Abstract

   This note describes a simple out-of-band protocol to ease setup of
   the RPKI provisioning and publication protocols between two parties.
   The protocol is encoded in a small number of XML messages, which can
   be passed back and forth by any mutually agreeable secure means.

-05:
   This setup protocol is not part of the provisioning or publication
   protocol, rather, it is intended to simplify configuration of these
   protocols by setting up relationships and exchanging BPKI keying
   material.
-06:
   This setup protocol is not part of the provisioning or publication
   protocol, rather, it is intended to simplify configuration of these
   protocols by setting up relationships and exchanging keying material
   used to authenticate those relationships.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-05: This Internet-Draft will expire on June 24, 2017.
-06: This Internet-Draft will expire on July 14, 2017.

Copyright Notice

-05: Copyright (c) 2016 IETF Trust and the persons identified as the
-06: Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
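Review bot: the -06 abstract drops "BPKI" in favour of "keying material used to authenticate those relationships", but Section 5.1 below still describes "a self-signed BPKI X.509 certificate" and the schema keeps the element name bpki_ta, so the first place a reader now meets the term is 5.1, with no expansion; either apply the same rewording in 5.1 or expand "BPKI" on its first remaining use so the document stays consistent about what the exchanged keying material is.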
skipping to change at page 2, line 43
1.  Introduction

   This note describes a small XML-based out-of-band protocol used to
   set up relationships between parents and children in the RPKI
   provisioning protocol ([RFC6492]) and between publishers and
   repositories in the RPKI publication protocol
   ([I-D.ietf-sidr-publication]).

   The basic function of this protocol is public key exchange, in the
-05: form of self-signed BPKI X.509 certificates, but workshop experience
-05: has demonstrated that it's simpler for the user if we also bundle the
-06: form of self-signed X.509 certificates, but workshop experience has
-06: demonstrated that it's simpler for the user if we also bundle the
   other configuration information needed to bring up a new player into
   the messages used in the key exchange.

   The underlying transport for this protocol is deliberately
   unspecified.  It might be a USB stick, a web interface secured with
   conventional HTTPS, PGP-signed email, a T-shirt printed with a QR
   code, or a carrier pigeon.

   Since much of the purpose of this protocol is key exchange,
   authentication and integrity of the key exchange MUST be ensured via
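Review bot: with "BPKI" removed, "self-signed X.509 certificates" in the second paragraph now stands without a reference on first use; [RFC5280] is already in the Informative References, so cite it here ("self-signed X.509 certificates [RFC5280]") rather than leaving the certificate profile implicit.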
skipping to change at page 6, line 13

   repository.

5.  Protocol Elements

   Each message in the protocol is a distinct XML element in the
   "http://www.hactrn.net/uris/rpki/rpki-setup/" XML namespace.

   The outermost XML element of each message contains a version
   attribute.  This document describes version 1 of the protocol.

-06 (added):
   Appendix A is a [RelaxNG] schema for this protocol.  The schema is
   normative: in the event of a disagreement between the schema and the
   following textual description, the schema is authoritative.

5.1.  Common Protocol Elements

   Most messages contain, among other things, a self-signed BPKI X.509
   certificate.  These certificates are represented as XML elements
   whose text value is the Base64 text encoding the DER representation
   of the X.509 certificate.

   A number of attributes contain "handles".  A handle in this protocol
   is a text string in the US-ASCII character set consisting of letters,
   digits, and the special characters "/", "-", and "_".  This protocol
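Review bot: the new paragraph in Section 5 and the new paragraph at the top of Appendix A state the same precedence rule in two slightly different wordings ("between the schema and the following textual description" vs. "between this schema and the document text above"); state the rule once and have the other location point to it, so a later edit cannot leave the two copies disagreeing about which text wins. Since the schema is now normative, the size limits it imposes (handle maxLength="255", uri maxLength="4096", base64 maxLength="512000") also bind implementations without being mentioned in 5.1; one sentence noting that Appendix A sets the length limits would spare implementers a surprise.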
skipping to change at page 19, line 27

              Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
              "RPKI Repository Delta Protocol", draft-ietf-sidr-delta-
              protocol-04 (work in progress), September 2016.

   [I-D.ietf-sidr-publication]
              Weiler, S., Sonalker, A., and R. Austein, "A Publication
              Protocol for the Resource Public Key Infrastructure
              (RPKI)", draft-ietf-sidr-publication-09 (work in
              progress), September 2016.

-06 (added):
   [RelaxNG]  Clark, J., "RELAX NG Compact Syntax", OASIS , November
              2002, <https://www.oasis-open.org/committees/relax-ng/
              compact-20021121.html>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, BCP 14, March 1997.

   [RFC6492]  Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A
              Protocol for Provisioning Resource Certificates",
              RFC 6492, February 2012.

10.2.  Informative References

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 5652, STD 70, September 2009.

Appendix A.  RelaxNG Schema

-05: Here is a RelaxNG schema describing the protocol elements.
-06: Here is a [RelaxNG] schema describing the protocol elements.

-05:
   # $Id: rpki-setup.rnc 3618 2016-04-11 21:19:50Z sra $
-06:
   This schema is normative: in the event of a disagreement between this
   schema and the document text above, this schema is authoritative.

   default namespace = "http://www.hactrn.net/uris/rpki/rpki-setup/"

   version = "1"

   base64 = xsd:base64Binary { maxLength="512000" }
   handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]*" }
   uri = xsd:anyURI { maxLength="4096" }
   any = element * { attribute * { text }*, ( any | text )* }
   tag = xsd:token { maxLength="1024" }

   authorization_token = base64
   bpki_ta = base64

   start |= element child_request {
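Review bot: declaring the schema authoritative also promotes its handle pattern "[\-_A-Za-z0-9/]*" to the definition of a handle, and with the "*" quantifier that pattern accepts the empty string, which the prose in Section 5.1 ("consisting of letters, digits, and the special characters ...") does not obviously intend; if an empty handle is not meant to be valid, change the quantifier to "+" or say in 5.1 that a handle is non-empty, and in either case make the prose and the schema agree before one of them is made to win. Minor: the new [RelaxNG] entry has a stray space before the comma in "OASIS , November".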
End of changes.  11 change blocks.
11 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.42.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/