draft-ietf-sidr-publication-03.txt   draft-ietf-sidr-publication-04.txt 
Network Working Group S. Weiler Network Working Group S. Weiler
Internet-Draft SPARTA, Inc. Internet-Draft SPARTA, Inc.
Intended status: Standards Track A. Sonalker Intended status: Standards Track A. Sonalker
Expires: January 17, 2013 Battelle Memorial Institute Expires: April 23, 2014 Battelle Memorial Institute
R. Austein R. Austein
Dragon Research Labs Dragon Research Labs
July 16, 2012 October 20, 2013
A Publication Protocol for the Resource Public Key Infrastructure (RPKI) A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
draft-ietf-sidr-publication-03 draft-ietf-sidr-publication-04
Abstract Abstract
This document defines a protocol for publishing Resource Public Key This document defines a protocol for publishing Resource Public Key
Infrastructure (RPKI) objects. Even though the RPKI will have many Infrastructure (RPKI) objects. Even though the RPKI will have many
participants issuing certificates and creating other objects, it is participants issuing certificates and creating other objects, it is
operationally useful to consolidate the publication of those objects. operationally useful to consolidate the publication of those objects.
This document provides the protocol for doing so. This document provides the protocol for doing so.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 17, 2013. This Internet-Draft will expire on April 23, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Context . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Context . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Specification . . . . . . . . . . . . . . . . . . . . 4 3. Protocol Specification . . . . . . . . . . . . . . . . . . . 3
3.1. Common Details . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Common Details . . . . . . . . . . . . . . . . . . . . . 4
3.1.1. Common XML Message Format . . . . . . . . . . . . . . 4 3.1.1. Common XML Message Format . . . . . . . . . . . . . . 4
3.2. Control Sub-Protocol . . . . . . . . . . . . . . . . . . . 5 3.2. Control Sub-Protocol . . . . . . . . . . . . . . . . . . 5
3.2.1. Config Object . . . . . . . . . . . . . . . . . . . . 5 3.2.1. Config Object . . . . . . . . . . . . . . . . . . . . 5
3.2.2. Client Object . . . . . . . . . . . . . . . . . . . . 5 3.2.2. Client Object . . . . . . . . . . . . . . . . . . . . 5
3.3. Publication Sub-Protocol . . . . . . . . . . . . . . . . . 6 3.3. Publication Sub-Protocol . . . . . . . . . . . . . . . . 6
3.4. Error handling . . . . . . . . . . . . . . . . . . . . . . 7 3.4. Error handling . . . . . . . . . . . . . . . . . . . . . 7
3.5. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5. XML Schema . . . . . . . . . . . . . . . . . . . . . . . 7
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1. Config Set Query and Response . . . . . . . . . . . . . . 9 4.1. <config/> Set Query . . . . . . . . . . . . . . . . . . . 11
4.2. Config Get Query and Response . . . . . . . . . . . . . . 10 4.2. <config/> Set Reply . . . . . . . . . . . . . . . . . . . 12
4.3. Example 3: Client Create Query and Reply . . . . . . . . . 11 4.3. <config/> Get Query . . . . . . . . . . . . . . . . . . . 12
4.4. Example 4: Client Set Query and Reply . . . . . . . . . . 12 4.4. <config/> Get Reply . . . . . . . . . . . . . . . . . . . 13
4.5. Example 5: Client Get Query and Reply . . . . . . . . . . 13 4.5. <client/> Create Query . . . . . . . . . . . . . . . . . 13
4.6. Example 6: Client List Query and Reply . . . . . . . . . . 13 4.6. <client/> Create Reply . . . . . . . . . . . . . . . . . 14
4.7. Example 7: Client Destroy Query and Reply . . . . . . . . 14 4.7. <client/> Set Query . . . . . . . . . . . . . . . . . . . 14
4.8. Example 8: Publish Query and Reply . . . . . . . . . . . . 14 4.8. <client/> Set Reply . . . . . . . . . . . . . . . . . . . 15
4.9. Example 9: Withdraw Query and Reply . . . . . . . . . . . 15 4.9. <client/> Get Query . . . . . . . . . . . . . . . . . . . 15
4.10. Example 10: Report Error Reply . . . . . . . . . . . . . . 16 4.10. <client/> Get Reply . . . . . . . . . . . . . . . . . . . 15
5. Operational Considerations . . . . . . . . . . . . . . . . . . 16 4.11. <client/> List Query . . . . . . . . . . . . . . . . . . 16
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 4.12. <client/> List Reply . . . . . . . . . . . . . . . . . . 16
7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 4.13. <client/> Destroy Query . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.14. <client/> Destroy Reply . . . . . . . . . . . . . . . . . 17
8.1. Normative References . . . . . . . . . . . . . . . . . . . 19 4.15. <publish/> Query . . . . . . . . . . . . . . . . . . . . 17
8.2. Informative References . . . . . . . . . . . . . . . . . . 19 4.16. <publish/> Reply . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 4.17. <withdraw/> Query . . . . . . . . . . . . . . . . . . . . 18
4.18. <withdraw/> Reply . . . . . . . . . . . . . . . . . . . . 19
4.19. <report_error/> With Text . . . . . . . . . . . . . . . . 19
4.20. <report_error/> Without Text . . . . . . . . . . . . . . 19
5. Operational Considerations . . . . . . . . . . . . . . . . . 19
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
8.1. Normative References . . . . . . . . . . . . . . . . . . 21
8.2. Informative References . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
This document assumes a working knowledge of the Resource Public Key This document assumes a working knowledge of the Resource Public Key
Infrastructure (RPKI), which is intended to support improved routing Infrastructure (RPKI), which is intended to support improved routing
security on the Internet. [RFC6480] security on the Internet. [RFC6480]
In order to make participation in the RPKI easier, it is helpful to In order to make participation in the RPKI easier, it is helpful to
have a few consolidated repositories for RPKI objects, thus saving have a few consolidated repositories for RPKI objects, thus saving
every participant from the cost of maintaining a new service. every participant from the cost of maintaining a new service.
skipping to change at page 4, line 30 skipping to change at page 4, line 27
This section discusses details that the two subprotocols have in This section discusses details that the two subprotocols have in
common, including the transport and CMS wrappers. common, including the transport and CMS wrappers.
Both protocols use a simple request/response interaction. The client Both protocols use a simple request/response interaction. The client
passes a request to the server, and the server generates a passes a request to the server, and the server generates a
corresponding response. corresponding response.
A message exchange commences with the client initiating an HTTP POST A message exchange commences with the client initiating an HTTP POST
with content type of "application/rpki-publication", with the message with content type of "application/rpki-publication", with the message
object as the body. The server's response will similarly be the body object as the body. The server's response will similarly be the body
of the response with a content type of "application/ of the response with a content type of "application/rpki-
rpki-publication". publication".
The content of the POST and the server's response will be a well- The content of the POST and the server's response will be a well-
formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID = formed Cryptographic Message Syntax (CMS) [RFC5652] object with OID =
1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492]. 1.2.840.113549.1.7.2 as described in Section 3.1 of [RFC6492].
3.1.1. Common XML Message Format 3.1.1. Common XML Message Format
The XML schema for this protocol (including both subprotocols) is The XML schema for this protocol (including both subprotocols) is
below in Section 3.5. Both subprotocols use the same basic XML below in Section 3.5. Both subprotocols use the same basic XML
message format, which looks like: message format, which looks like:
<?xml version='1.0' encoding='us-ascii'?> <?xml version='1.0' encoding='us-ascii'?>
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/"
version="2" version="2"
type="message type"> type="message type">
[one or more PDUs] [one or more PDUs]
</msg> </msg>
version: version: The value of this attribute is the version of this
The value of this attribute is the version of this protocol. protocol. This document describes version 2.
This document describes version 2.
type: type: The possible values of this attribute are "reply" and "query".
The possible values of this attribute are "reply" and "query".
A query PDU may be one of four types: config_query, client_query, A query PDU may be one of four types: config_query, client_query,
publish_query, or withdraw_query. The first two are used by the publish_query, or withdraw_query. The first two are used by the
control sub-protocol, the latter two by the publication sub-protocol. control sub-protocol, the latter two by the publication sub-protocol.
A reply PDU may be one of five types: config_reply, client_reply, A reply PDU may be one of five types: config_reply, client_reply,
publish_reply, withdraw_reply, or report_error_reply. publish_reply, withdraw_reply, or report_error_reply.
Each of these PDUs may include an optional tag to facilitate bulk Each of these PDUs may include an optional tag to facilitate bulk
operation. If a tag is set in a query PDU, the corresponding operation. If a tag is set in a query PDU, the corresponding
skipping to change at page 6, line 10 skipping to change at page 5, line 45
3.2.2. Client Object 3.2.2. Client Object
Unlike the <config/> object, the <client/> object represents one Unlike the <config/> object, the <client/> object represents one
client authorized to use the publication server. There may be more client authorized to use the publication server. There may be more
than one <client/> object on each publication server. Again, its use than one <client/> object on each publication server. Again, its use
is typically restricted to the respository operator. is typically restricted to the respository operator.
The <client/> object supports five actions: "create", "set", "get", The <client/> object supports five actions: "create", "set", "get",
"list", and "destroy". Each client has a "client_handle" attribute, "list", and "destroy". Each client has a "client_handle" attribute,
which is used in responses and must be specified in "create", "set", which is used in responses and must be specified in "create", "set",
"get", or "destroy" actions. The "create" and "set" actions take "get", or "destroy" actions. The "create" and "set" actions have an
optional boolean attributes. The only attribute currently defined is optional flag to clear CMS-timestamp-based replay protection, to
used to clear CMS-timestamp-based replay protection, to allow allow recovery from misconfigured clocks.
recovery from misconfigured clocks.
Payload data which can be configured in a <client/> object include: Payload data which can be configured in a <client/> object include:
o base_uri (attribute): This attribute represents the base URI below o base_uri (attribute): This attribute represents the base URI below
which the client will be allowed to publish data. Additional which the client will be allowed to publish data. Additional
constraints may be imposed by the publication server in certain constraints may be imposed by the publication server in certain
cases, for e.g., a child publishing directly under its parent. cases, for e.g., a child publishing directly under its parent.
o bpki_cert (element): This represents the X.509 BPKI CA certificate o bpki_cert (element): This represents the X.509 BPKI CA certificate
for this client. This should be used as part of the certificate for this client. This should be used as part of the certificate
chain when validating incoming CMS messages. Two valid approaches chain when validating incoming CMS messages. Two valid approaches
exist. If the optional bpki_glue certificate is being used, then exist. If the optional bpki_glue certificate is being used, then
the bpki_cert certificate should be issued by the bpki_glue the bpki_cert certificate should be issued by the bpki_glue
certificate; otherwise, the bpki_cert certificate should be issued certificate; otherwise, the bpki_cert certificate should be issued
by the publication engine's bpki_ta certificate. by the publication engine's bpki_ta certificate.
o bpki_glue (element): This is an additional (optional) X.509 o bpki_glue (element): This is an additional (optional) type of
certificate for this client. It may be used in certain X.509 certificate for this client. It may be used in certain
pathological cross-certification cases which require a two- pathological cross-certification cases which require a two-
certificate chain due to issuer name conflicts. When being used, certificate chain due to issuer name conflicts. When being used,
issuing order is that the bpki_glue certificate should be the issuing order is that the bpki_glue certificate should be the
issuer of the bpki_cert certificate. Otherwise, it should be issuer of the bpki_cert certificate. Otherwise, it should be
issued by the publication engine's bpki_ta certificate. Since issued by the publication engine's bpki_ta certificate. Since
this is an optional use certificate, it may be left unset if not this is an optional use certificate, it may be left unset if not
needed. needed.
3.3. Publication Sub-Protocol 3.3. Publication Sub-Protocol
skipping to change at page 7, line 48 skipping to change at page 7, line 43
occurred. occurred.
The body of the <report_error/> element itself is an optional text The body of the <report_error/> element itself is an optional text
string; if present, this is debugging information. string; if present, this is debugging information.
3.5. XML Schema 3.5. XML Schema
The following is a RelaxNG compact form schema describing the The following is a RelaxNG compact form schema describing the
Publication Protocol. Publication Protocol.
default namespace = "http://www.hactrn.net/uris/rpki/publication-spec/" # $Id: rpki-publication.rnc 2601 2013-10-18 19:21:28Z sra $
# RelaxNG schema for RPKI publication protocol.
default namespace =
"http://www.hactrn.net/uris/rpki/publication-spec/"
# This is version 2 of the protocol.
version = "2"
# Top level PDU is either a query or a reply.
# Top level PDU
start = element msg { start = element msg {
attribute version { "2" } , attribute version { version } ,
( ( attribute type { "query" }, query_elt*) | ( ( attribute type { "query" }, query_elt*) |
(attribute type { "reply" }, reply_elt*)) (attribute type { "reply" }, reply_elt*))
} }
# PDUs allowed in a query # PDUs allowed in a query.
query_elt = ( config_query | client_query | publish_query |
withdraw_query )
# PDUs allowed in a reply query_elt |= config_query
reply_elt = ( config_reply | client_reply | publish_reply | query_elt |= client_query
withdraw_reply | report_error_reply ) query_elt |= publish_query
query_elt |= withdraw_query
# PDUs allowed in a reply.
reply_elt |= config_reply
reply_elt |= client_reply
reply_elt |= publish_reply
reply_elt |= withdraw_reply
reply_elt |= report_error_reply
# Tag attributes for bulk operations.
# Tag attributes for bulk operations
tag = attribute tag { xsd:token {maxLength="1024" } } tag = attribute tag { xsd:token {maxLength="1024" } }
# Base64 encoded DER stuff # Base64 encoded DER stuff.
base64 = xsd:base64Binary base64 = xsd:base64Binary
# Publication URLs # Publication URLs.
uri_t = xsd:anyURI { maxLength="4096" } uri_t = xsd:anyURI { maxLength="4096" }
uri = attribute uri { uri_t } uri = attribute uri { uri_t }
# Handles on remote objects (replaces passing raw SQL IDs). NB: # Handles on remote objects (replaces passing raw SQL IDs).
# Unlike the up-down protocol, handles in this protocol allow
# "/" as a hierarchy delimiter.
object_handle = xsd:string { object_handle = xsd:string {
maxLength="255" pattern="[\-_A-Za-z0-9/]*" } maxLength = "255"
pattern="[\-_A-Za-z0-9/]*"
}
# Error codes.
error = xsd:token { maxLength="1024" }
# <config/> element (use restricted to repository operator) # <config/> element (use restricted to repository operator)
# config_handle attribute: create, list, and destroy commands
# omitted deliberately.
config_payload = (element bpki_crl { base64 }?) config_payload = (element bpki_crl { base64 }?)
config_query |= element config { attribute action { "set" }, tag?,
config_payload } config_query |= element config {
config_reply |= element config { attribute action { "set" }, tag? } attribute action { "set" },
config_query |= element config { attribute action { "get" }, tag? } tag?,
config_reply |= element config { attribute action { "get" }, tag?, config_payload
config_payload } }
config_reply |= element config {
attribute action { "set" },
tag?
}
config_query |= element config {
attribute action { "get" },
tag?
}
config_reply |= element config {
attribute action { "get" },
tag?,
config_payload
}
# <client/> element (use restricted to repository operator) # <client/> element (use restricted to repository operator)
client_handle = attribute client_handle { object_handle } client_handle = attribute client_handle { object_handle }
client_payload = (attribute base_uri { uri_t }?, element bpki_cert {
base64 }?, element bpki_glue { base64 }?)
client_bool = attribute clear_replay_protection { "yes" }?
client_query |= element client { attribute action { "create" }, client_payload = (
tag?, client_handle, client_bool, client_payload } attribute base_uri { uri_t }?,
client_reply |= element client { attribute action { "create" }, element bpki_cert { base64 }?,
tag?, client_handle } element bpki_glue { base64 }?
client_query |= element client { attribute action { "set" }, tag?, )
client_handle, client_bool, client_payload }
client_reply |= element client { attribute action { "set" }, tag?, client_clear_replay = (
client_handle } attribute clear_replay_protection { "yes" }?
client_query |= element client { attribute action { "get" }, tag?, )
client_handle }
client_reply |= element client { attribute action { "get" }, tag?, client_query |= element client {
client_handle, client_payload } attribute action { "create" },
client_query |= element client { attribute action { "list" }, tag? } tag?,
client_reply |= element client { attribute action { "list" }, tag?, client_handle,
client_handle, client_payload } client_clear_replay,
client_query |= element client { attribute action { "destroy" }, client_payload
tag?, client_handle } }
client_reply |= element client { attribute action { "destroy" },
tag?, client_handle } client_reply |= element client {
attribute action { "create" },
tag?,
client_handle
}
client_query |= element client {
attribute action { "set" },
tag?,
client_handle,
client_clear_replay,
client_payload
}
client_reply |= element client {
attribute action { "set" },
tag?,
client_handle
}
client_query |= element client {
attribute action { "get" },
tag?,
client_handle
}
client_reply |= element client {
attribute action { "get" },
tag?,
client_handle,
client_payload
}
client_query |= element client {
attribute action { "list" },
tag?
}
client_reply |= element client {
attribute action { "list" },
tag?,
client_handle,
client_payload
}
client_query |= element client {
attribute action { "destroy" },
tag?,
client_handle
}
client_reply |= element client {
attribute action { "destroy" },
tag?,
client_handle
}
# <publish/> element # <publish/> element
publish_query |= element publish { tag?, uri, base64 }
publish_reply |= element publish { tag?, uri } publish_query |= element publish {
tag?,
uri,
base64
}
publish_reply |= element publish {
tag?,
uri
}
# <withdraw/> element # <withdraw/> element
withdraw_query |= element withdraw { tag?, uri }
withdraw_reply |= element withdraw { tag?, uri } withdraw_query |= element withdraw {
tag?,
uri
}
withdraw_reply |= element withdraw {
tag?,
uri
}
# <report_error/> element # <report_error/> element
error = xsd:token { maxLength="1024" }
report_error_reply = element report_error { report_error_reply = element report_error {
tag?, tag?,
attribute error_code { error }, attribute error_code { error },
xsd:string { maxLength="512000" }? xsd:string { maxLength="512000" }?
} }
4. Examples 4. Examples
Following are various queries and the corresponding replies for the Following are examples of various queries and the corresponding
RPKI publication protocol replies for the RPKI publication protocol
4.1. Config Set Query and Response
A. Config "Set" Query 4.1. <config/> Set Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
type="query" version="2"> type="query"
<config action="set"> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<config
action="set">
<bpki_crl> <bpki_crl>
MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vy
GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq dGlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1
AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljV
CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U qX/CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDW
G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f AV6UG6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ1
ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 6aF5fubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ft
pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W F8zZAFpDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHS
uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 Ibjiy0WuuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoi
Y0GySdj98fV+OuiRTH9vt/M= sHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
</bpki_crl> </bpki_crl>
</config> </config>
</msg> </msg>
B. Config "Set" Reply 4.2. <config/> Set Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
type="reply" version="2"> type="reply"
<config action="set"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<config
action="set"/>
</msg> </msg>
4.2. Config Get Query and Response 4.3. <config/> Get Query
A. Config "Get" Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
type="query" version="2"> type="query"
<config action="get"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<config
action="get"/>
</msg> </msg>
B. Config "Get" Reply 4.4. <config/> Get Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/"
type="reply" version="2"> <msg
<config action="get"> type="reply"
version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<config
action="get">
<bpki_crl> <bpki_crl>
MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vyd MIIBezBlAgEBMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNVBAMTGFRlc3QgQ2Vy
GlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1Wq dGlmaWNhdGUgcHViZCBUQRcNMDgwNjAyMjE0OTQ1WhcNMDgwNzAyMjE0OTQ1
AOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljVqX/ WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAFWCWgBl4ljV
CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDWAV6U qX/CHo+RpqYtvmKMnjPVflMXUB7i28RGP4DAq4l7deDU7Q82xEJyE4TXMWDW
G6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ16aF5f AV6UG6uUGum0VHWOcj9ohqyiZUGfOsKg2hbwkETm8sAENOsi1yNdyKGk6jZ1
ubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ftF8zZAF 6aF5fubxQqZa1pdGCSac1/ZYC5sLLhEz3kmz+B9z9mXFVc5TgAh4dN3Gy5ft
pDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHSIbjiy0W F8zZAFpDGnS4biCnRVqhGv6R0Lh/5xmii+ZU6kNDhbeMsjJg+ZOmtN+wMeHS
uuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoisHKkehy4 Ibjiy0WuuaZ3k2xSh0C94anrHBZAvvCRhbazjR0Ef5OMZ5lcllw3uO8IHuoi
Y0GySdj98fV+OuiRTH9vt/M= sHKkehy4Y0GySdj98fV+OuiRTH9vt/M=
</bpki_crl> </bpki_crl>
</config> </config>
</msg> </msg>
4.3. Example 3: Client Create Query and Reply 4.5. <client/> Create Query
A. Client "Create" Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="query"> type="query"
<client action="create" client_handle="3" version="2"
base_uri="rsync://wombat.invalid/"> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="create"
base_uri="rsync://wombat.invalid/"
client_handle="3">
<bpki_cert> <bpki_cert>
MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg
gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1
EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj
lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p
dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE
N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL
qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m
a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP
kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV
H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV
DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC
1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0
Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh
D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep
eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6
1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
</bpki_cert> </bpki_cert>
</client> </client>
</msg> </msg>
B. Client "Create" Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" 4.6. <client/> Create Reply
version="2" type="reply">
<client action="create" client_handle="3"/>
</msg>
4.4. Example 4: Client Set Query and Reply <msg
type="reply"
version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="create"
client_handle="3"/>
</msg>
A. Client "Set" Query 4.7. <client/> Set Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="query"> type="query"
<client action="set" client_handle="3"> version="2"
<bpki_glue> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB <client
gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz action="set"
EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR client_handle="3">
lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU <bpki_cert>
tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg
dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1
N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj
qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p
kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE
H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL
DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m
1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP
Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV
D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV
eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC
+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0
1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh
</bpki_glue> MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep
6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6
hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
</bpki_cert>
</client> </client>
</msg> </msg>
B. Client "Set" Reply 4.8. <client/> Set Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<client action="set" client_handle="3"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="set"
client_handle="3"/>
</msg> </msg>
4.5. Example 5: Client Get Query and Reply 4.9. <client/> Get Query
A. Client "Get" Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="query"> type="query"
<client action="get" client_handle="3"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="get"
client_handle="3"/>
</msg> </msg>
B. Client "Get" Reply 4.10. <client/> Get Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<client action="get" client_handle="3" version="2"
base_uri="rsync://wombat.invalid/"> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="get"
base_uri="rsync://wombat.invalid/"
client_handle="3">
<bpki_cert> <bpki_cert>
MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg
gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1
EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj
lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p
dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE
N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL
qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m
a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP
kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV
H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV
DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC
1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0
Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh
D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep
eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6
1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
</bpki_cert> </bpki_cert>
</client> </client>
</msg> </msg>
4.6. Example 6: Client List Query and Reply 4.11. <client/> List Query
A. Client "List" Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="query"> type="query"
<client action="list"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="list"/>
</msg> </msg>
B. Client "List" Reply 4.12. <client/> List Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/"
version="2" type="reply"> <msg
<client action="list" client_handle="3"> type="reply"
version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="list"
client_handle="3">
<bpki_cert> <bpki_cert>
MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAgB MIIDGzCCAgOgAwIBAgIJAKi+/+wUhQlxMA0GCSqGSIb3DQEBBQUAMCQxIjAg
gNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1Mz BgNVBAMTGVRlc3QgQ2VydGlmaWNhdGUgQm9iIFJvb3QwHhcNMDcwODAxMTk1
EwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmljYXR MzEwWhcNMDcwODMxMTk1MzEwWjAkMSIwIAYDVQQDExlUZXN0IENlcnRpZmlj
lIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKYU YXRlIEJvYiBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
tJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79pWf3GI rKYUtJaM5PH5917SG2ACc7iBYdQO2HYyu8Gb6i9Q2Gxc3cWEX7RTBvgOL79p
dnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuEPPOG8U Wf3GIdnoupzMnoZVtY3GUx2G/0WkmLui2TCeDhcfXdQ4rcp8J3V/6ESj+yuE
N17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShLi8GKgVd PPOG8UN17mUKKgujrch6ZvgCDO9AyOK/uXu+ABQXTPsn2pVe2EVh3V004ShL
qb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8mAkGf79Tb i8GKgVdqb/rW/6GTg0Xb/zLT6WWMuT++6sXTlztJdQYkRamJvKfQDU1naC8m
a0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZePr79j7LK/h AkGf79Tba0xyBGAUII0GfREY6t4/+NAP2Yyb3xNlBqcJoTov0JfNKHZcCZeP
kZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNVHRMEBTADAQ r79j7LK/hkZxxip+Na9xDpE+oQRV+DRukCRJdiqg+wIDAQABo1AwTjAMBgNV
H/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNVHSMEGDAWgBT HRMEBTADAQH/MB0GA1UdDgQWBBTDEsXJe6pjAQD4ULlB7+GMDBlimTAfBgNV
DEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOCAQEAWWkNcW6S HSMEGDAWgBTDEsXJe6pjAQD4ULlB7+GMDBlimTANBgkqhkiG9w0BAQUFAAOC
1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0n96P7CUHOWP8Q AQEAWWkNcW6S1tKKqtzJsdfhjJiAAPQmOXJskv0ta/8f6Acgcum1YieNdtT0
Bb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHhMW+Dv0PhIKu2Cg n96P7CUHOWP8QBb91JzeewR7b6WJLwb1Offs3wNq3kk75pJe89r4XY39EZHh
D4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep6LAlFj62qqaIJzN MW+Dv0PhIKu2CgD4LeyH1FVTQkF/QObGEmkn+s+HTsuzd1l2VLwcP1Smsqep
eQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdHYyMNrG2xMOtIC7T4 6LAlFj62qqaIJzNeQ9NVkBqtkygnYlBOkaBTHfQTux3jYNpEo8JJB5e/WFdH
+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6hdEq3ORv7RZMJNYqv YyMNrG2xMOtIC7T4+IOHgT8PgrNhaeDg9ctewj0X8Qi9nI9nXeinicLX8vj6
1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ== hdEq3ORv7RZMJNYqv1HQ3wUE2B7fCPFv7EUwzaCds1kgRQ==
</bpki_cert> </bpki_cert>
</client> </client>
</msg> </msg>
4.7. Example 7: Client Destroy Query and Reply 4.13. <client/> Destroy Query
A. Client "Destroy" Query
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="query"> type="query"
<client action="destroy" client_handle="3"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="destroy"
client_handle="3"/>
</msg> </msg>
B. Client "Destroy" Reply 4.14. <client/> Destroy Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<client action="destroy" client_handle="3"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<client
action="destroy"
client_handle="3"/>
</msg> </msg>
4.8. Example 8: Publish Query and Reply 4.15. <publish/> Query
A. Publish Query <msg
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query"
version="2" type="query"> version="2"
<publish uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCr xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
cCp9ltyPDNzYKPfxc.cer"> <publish
MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhER uri="rsync://wombat.invalid/Alice/blCrcCp9ltyPDNzYKPfxc.cer">
jRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4MD MIIE+jCCA+KgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDEyhE
UyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIxOEY RjRBODAxN0U2NkE5RTkxNzJFNDYxMkQ4Q0Y0QzgzRjIzOERFMkEzMB4XDTA4
wNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZIhvcN MDUyMjE4MDUxMloXDTA4MDUyNDE3NTQ1M1owMzExMC8GA1UEAxMoOEZCODIx
AQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6Fr/9Xm OEYwNkU1MEFCNzAyQTdEOTZEQzhGMENEQ0Q4MjhGN0YxNzCCASIwDQYJKoZI
/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3F5qrKl hvcNAQEBBQADggEPADCCAQoCggEBAMeziKp0k5nP7v6SZoNsXIMQYRgNtC6F
Z4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQluffiNDjz r/9Xm/1yQHomiPqHUk47rHhGojYiK5AhkrwoYhkH4UjJl2iwklDYczXuaBU3
teCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSmUDuZ1HDz F5qrKlZ4aZnjIxdlP7+hktVpeApL6yuJTUAYeC3UIxnLDVdD6phydZ/FOQlu
1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/o8qFdC300 ffiNDjzteCCvoyOUatqt8WB+oND6LToHp028g1YUYLHG6mur0dPdcHOVXLSm
VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mGaA1jgAxlXW UDuZ1HDz1nDuYvIVKjB/MpH9aW9XeaQ6ZFIlZVPwuuvI2brR+ThH7Gv27GL/
sCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGPBuUKtwKn2W3I8M3Ngo9/FzA o8qFdC300VQfoTZ+rKPGDE8K1cI906BL4kiwx9z0oiDcE96QCz+B0vsjc9mG
fBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNVHR8ETjBMMEqg aA1jgAxlXWsCAwEAAaOCAhcwggITMB0GA1UdDgQWBBSPuCGPBuUKtwKn2W3I
SKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSLzEvMzBxQ 8M3Ngo9/FzAfBgNVHSMEGDAWgBTfSoAX5mqekXLkYS2M9Mg/I43iozBVBgNV
UYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEFBQcBAQQ5MDcwNQ HR8ETjBMMEqgSKBGhkRyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQv
YIKwYBBQUHMAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAvdGVzdGJlZC9XT01 UklSLzEvMzBxQUYtWnFucEZ5NUdFdGpQVElQeU9ONHFNLmNybDBFBggrBgEF
CQVQuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIwDwYDVR0TAQH/BAUw BQcBAQQ5MDcwNQYIKwYBBQUHMAKGKXJzeW5jOi8vbG9jYWxob3N0OjQ0MDAv
AwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsGCCsGAQUFBwELBIGOMIGLMDQGCCsGA dGVzdGJlZC9XT01CQVQuY2VyMBgGA1UdIAEB/wQOMAwwCgYIKwYBBQUHDgIw
QUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQvUklSL1IwLz DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgZsGCCsGAQUFBwEL
EvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rlc3RiZWQ BIGOMIGLMDQGCCsGAQUFBzAFhihyc3luYzovL2xvY2FsaG9zdDo0NDAwL3Rl
vUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56WUtQZnhjLm1uZjAaBggr c3RiZWQvUklSL1IwLzEvMFMGCCsGAQUFBzAKhkdyc3luYzovL2xvY2FsaG9z
BgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYBBQUHAQcBAf8ELzAtMCsEA dDo0NDAwL3Rlc3RiZWQvUklSL1IwLzEvajdnaGp3YmxDcmNDcDlsdHlQRE56
gABMCUDAwAKAzAOAwUAwAACAQMFAcAAAiAwDgMFAsAAAiwDBQDAAAJkMA0GCS WUtQZnhjLm1uZjAaBggrBgEFBQcBCAEB/wQLMAmgBzAFAgMA/BUwPgYIKwYB
qGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv306vmCuXhtu9Lr2mmRw2ZEr BQUHAQcBAf8ELzAtMCsEAgABMCUDAwAKAzAOAwUAwAACAQMFAcAAAiAwDgMF
B8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yAThM81FPNRsU5mM0acIRnAPtxjH AsAAAiwDBQDAAAJkMA0GCSqGSIb3DQEBCwUAA4IBAQCEhuH7jtI2PJY6+zwv
vPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFURazENztppsolHeTpm0cpLItK7m 306vmCuXhtu9Lr2mmRw2ZErB8EMcb5xypMrNqMoKeu14K2x4a4RPJkK4yATh
NpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel/SM/UvOArCCOBvf0Gz7kSuupDS M81FPNRsU5mM0acIRnAPtxjHvPME7PHN2w2nGLASRsZmaa+b8A7SSOxVcFUR
Z7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxdx28qIj7ejZkRzNFw/3pi8/XK281 azENztppsolHeTpm0cpLItK7mNpudUg1JGuFo94VLf1MnE2EqARG1vTsNhel
h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx0iwPYdLiDbdWFbtTdPcXBauY /SM/UvOArCCOBvf0Gz7kSuupDSZ7qx+LiDmtEsLdbGNQBiYPbLrDk41PHrxd
x28qIj7ejZkRzNFw/3pi8/XK281h8zeHoFVu6ghRPy5dbOA4akX/KG6b8XIx
0iwPYdLiDbdWFbtTdPcXBauY
</publish> </publish>
</msg> </msg>
B. Publish Reply 4.16. <publish/> Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<publish uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCr version="2"
cCp9ltyPDNzYKPfxc.cer"/> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<publish
uri="rsync://wombat.invalid/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg> </msg>
4.9. Example 9: Withdraw Query and Reply 4.17. <withdraw/> Query
A. Withdraw Query <msg
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" type="query"
version="2" type="query"> version="2"
<withdraw uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCr xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
cCp9ltyPDNzYKPfxc.cer"/> <withdraw
uri="rsync://wombat.invalid/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg> </msg>
B. Withdraw Reply 4.18. <withdraw/> Reply
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<withdraw uri="rsync://wombat.invalid/testbed/RIR/1/j7ghjwblCr version="2"
cCp9ltyPDNzYKPfxc.cer"/> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<withdraw
uri="rsync://wombat.invalid/Alice/blCrcCp9ltyPDNzYKPfxc.cer"/>
</msg> </msg>
4.10. Example 10: Report Error Reply 4.19. <report_error/> With Text
A. Report Error Reply 1
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<report_error error_code="your_hair_is_on_fire">text string</ version="2"
report_error> xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<report_error
error_code="your_hair_is_on_fire">
Shampooing with sterno again, are we?
</report_error>
</msg> </msg>
B. Report Error Reply 2 4.20. <report_error/> Without Text
<msg xmlns="http://www.hactrn.net/uris/rpki/publication-spec/" <msg
version="2" type="reply"> type="reply"
<report_error error_code="your_hair_is_on_fire"/> version="2"
xmlns="http://www.hactrn.net/uris/rpki/publication-spec/">
<report_error
error_code="your_hair_is_on_fire"/>
</msg> </msg>
5. Operational Considerations 5. Operational Considerations
There are two basic options open to the repository operator as to how There are two basic options open to the repository operator as to how
the publication tree is laid out. The first option is simple: each the publication tree is laid out. The first option is simple: each
publication client is given its own directory one level below the top publication client is given its own directory one level below the top
of the rcynic module, and there is no overlap between the publication of the rcynic module, and there is no overlap between the publication
spaces used by different clients. For example: spaces used by different clients. For example:
skipping to change at page 19, line 8 skipping to change at page 21, line 43
attacker gaining access to BPKI keys could use this protocol delete attacker gaining access to BPKI keys could use this protocol delete
(withdraw) RPKI objects, leading to routing changes or failures. (withdraw) RPKI objects, leading to routing changes or failures.
Accordingly, as in most PKIs, good key management practices are Accordingly, as in most PKIs, good key management practices are
important. important.
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", RFC 2119, BCP 14, March 1997.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
RFC 5652, September 2009. 5652, STD 70, September 2009.
[RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A [RFC6492] Huston, G., Loomans, R., Ellacott, B., and R. Austein, "A
Protocol for Provisioning Resource Certificates", Protocol for Provisioning Resource Certificates", RFC
RFC 6492, February 2012. 6492, February 2012.
8.2. Informative References 8.2. Informative References
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, February 2012. Secure Internet Routing", RFC 6480, February 2012.
Authors' Addresses Authors' Addresses
Samuel Weiler Samuel Weiler
SPARTA, Inc. SPARTA, Inc.
7110 Samuel Morse Drive 7110 Samuel Morse Drive
Columbia, Maryland 21046 Columbia, Maryland 21046
US US
Email: weiler@tislabs.com Email: weiler@tislabs.com
Anuja Sonalker Anuja Sonalker
Battelle Memorial Institute Battelle Memorial Institute
Columbia, Maryland 21046
US
Email: sonalkera@battelle.org Email: sonalkera@battelle.org
Rob Austein Rob Austein
Dragon Research Labs Dragon Research Labs
Email: sra@hactrn.net Email: sra@hactrn.net
 End of changes. 81 change blocks. 
329 lines changed or deleted 492 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/