idnits 2.17.00 (12 Aug 2021) /tmp/idnits45685/draft-huston-sidr-rpki-algs-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.ii or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 30, 2009) is 4671 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: draft-ietf-sidr-arch has been published as RFC 6480 == Outdated reference: draft-ietf-sidr-cp has been published as RFC 6484 == Outdated reference: draft-ietf-sidr-res-certs has been published as RFC 6487 ** Obsolete normative reference: RFC 3447 (Obsoleted by RFC 8017) Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Individual Submission G. Huston 3 Internet-Draft APNIC 4 Intended status: Informational July 30, 2009 5 Expires: January 31, 2010 7 A Profile for Algorithms and Key Sizes for use in the Resource Public 8 Key Infrastructure 9 draft-huston-sidr-rpki-algs-00.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on January 31, 2010. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This document defines a profile for the algorithm and key size to be 48 used for signatures applied to certificates, Certificate Revocation 49 Lists, and signed objects in the context of the Resource Public Key 50 Infrastructure. 52 1. Introduction 54 This document defines a profile for the algorithm and key size to be 55 used for signatures applied to certificates, Certificate Revocation 56 Lists (CRLs), and signed objects in the context of the Resource 57 Public Key Infrastructure (RPKI) [I-D.ietf-sidr-arch]. 59 This section of the profile is specified in a distinct profile 60 document, referenced by the RPKI Certificate Policy (CP) 61 [I-D.ietf-sidr-cp] and the RPKI Certificate Profile 62 [I-D.ietf-sidr-res-certs], in order to allow for a degree of 63 algorithm and key agility in the RPKI, while permitting some longer 64 term stability in the CP and Certificate Profile specifications. 66 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 67 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 68 document are to be interpreted as described in RFC 2119. 70 2. Algorithm and Key Size 72 This profile specifies the use of the RSA algorithm [RFC3447] to 73 compute the signature of certificates, CRLs and signed objects in the 74 context of the RPKI. This profile specifies a default of SHA-256 75 with RSA (sha256WithRSAEncryption), and allows for the use of SHA-384 76 (sha384WithRSAEncryption) or SHA-512 (sha384WithRSAEncryption). 77 Accordingly, The OID values used in the RPKI for such signatures MUST 78 be one of { pkcs-1 11 }, { pkcs-1 12 } or { pkcs-1 13 } [RFC4055]. 80 The required RSA key size MUST be 2048 bits. 82 The public exponent (e) of the RSA algorithm is F4 (65,537). 84 3. Future Upates 86 It is anticipated that the RPKI will require the adoption of updated 87 key sizes and a different set of signature and hash algorithms over 88 time, in order to maintain an acceptable level of cryptographic 89 security to protect the integrity of signed products in the RPKI. 90 This profile should be updated to specify such future requirements, 91 as and when appropriate. 93 Certification Authorities (CAs) and Relying Parties (RPs) should be 94 capable of supporting a transition to allow for the phased 95 introduction of additional encryption algorithms and key 96 specifications, and also accomodate the orderly deprecation of 97 previously specified algorithms and keys. Accordingly, CAs and RPs 98 SHOULD be capable of supporting multiple RPKI algorithm and key 99 profiles simultaneously within the scope of such anticipated 100 transitions. 102 4. Security Considerations 104 The Security Considerations of [RFC3779], [RFC5280], and [RFC4055] 105 apply to signatures as defined by this profile, and their use. 107 5. IANA Considerations 109 [There are no IANA considerations in this document.] 111 6. Acknowledgments 113 The author acknowledges the re-use in this draft of material 114 originally contained in working drafts the RPKI Certificate Policy 115 and Resource Certificate profile documents. The co-authors of these 116 two documents, namely Stephen Kent, Derrick Kong, Karen Seo, Ronald 117 Watro, George Michaelson and Robert Loomans, are acknowledged with 118 thanks. The constraint on key size noted in this profile is the 119 outcome of comments from Stephen Kent and review comments from David 120 Cooper. 122 7. Normative References 124 [I-D.ietf-sidr-arch] 125 Lepinski, M. and S. Kent, "An Infrastructure to Support 126 Secure Internet Routing", draft-ietf-sidr-arch (work in 127 progress), July 2009. 129 [I-D.ietf-sidr-cp] 130 Seo, K., Watro, R., Kong, D., and S. Kent, "Certificate 131 Policy (CP) for the Resource PKI (RPKI)", 132 draft-ietf-sidr-cp (work in progress), July 2009. 134 [I-D.ietf-sidr-res-certs] 135 Husotn, G., Michaelson, G., and R. Loomans, "A Profile for 136 X.509 PKIX Resource Certificates", 137 draft-ietf-sidr-res-certs (work in progress), 138 February 2008. 140 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 141 Standards (PKCS) #1: RSA Cryptography Specifications 142 Version 2.1", RFC 3447, February 2003. 144 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 145 Addresses and AS Identifiers", RFC 3779, June 2004. 147 [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional 148 Algorithms and Identifiers for RSA Cryptography for use in 149 the Internet X.509 Public Key Infrastructure Certificate 150 and Certificate Revocation List (CRL) Profile", RFC 4055, 151 June 2005. 153 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 154 Housley, R., and W. Polk, "Internet X.509 Public Key 155 Infrastructure Certificate and Certificate Revocation List 156 (CRL) Profile", RFC 5280, May 2008. 158 Author's Address 160 Geoff Huston 161 Asia Pacific Network Information Centre 163 Email: gih@apnic.net