
A Profile for Resource Certificate Repository Structure
RFC 6481

Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 6481                                    R. Loomans
Category: Standards Track                                  G. Michaelson
ISSN: 2070-1721                                                    APNIC
                                                           February 2012

        A Profile for Resource Certificate Repository Structure

Abstract

   This document defines a profile for the structure of the Resource
   Public Key Infrastructure (RPKI) distributed repository.  Each
   individual repository publication point is a directory that contains
   files that correspond to X.509/PKIX Resource Certificates,
   Certificate Revocation Lists and signed objects.  This profile
   defines the object (file) naming scheme, the contents of repository
   publication points (directories), and a suggested internal structure
   of a local repository cache that is intended to facilitate
   synchronization across a distributed collection of repository
   publication points and to facilitate certification path construction.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc6481.

Huston, et al.               Standards Track                    [Page 1]
RFC 6481              ResCert Repository Structure         February 2012

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Terminology ................................................3
   2. RPKI Repository Publication Point Content and Structure .........4
      2.1. Manifests ..................................................5
      2.2. CA Repository Publication Points ...........................6
   3. Resource Certificate Publication Repository Considerations ......8
   4. Certificate Reissuance and Repositories ........................10
   5. Synchronizing Repositories with a Local Cache ..................10
   6. Security Considerations ........................................11
   7. IANA Considerations ............................................12
      7.1. Media Types ...............................................12
           7.1.1. application/rpki-manifest ..........................12
           7.1.2. application/rpki-roa ...............................13
      7.2. RPKI Repository Name Scheme Registry ......................13
   8. Acknowledgements ...............................................13
   9. References .....................................................14
      9.1. Normative References ......................................14
      9.2. Informative References ....................................14

1.  Introduction

   To validate attestations made in the context of the Resource Public
   Key Infrastructure (RPKI) [RFC6480], relying parties (RPs) need
   access to all the X.509/PKIX Resource Certificates, Certificate
   Revocation Lists (CRLs), and signed objects that collectively define
   the RPKI.

   Each issuer of a certificate, CRL, or a signed object makes it
   available for download to RPs through the publication of the object
   in an RPKI repository.

   The repository system is the collection of all such signed objects,
   and it MUST be globally accessible to all RPs.  When certificates,
   CRLs, and signed objects are created, they are uploaded to a
   repository publication point, from which RPs can download them for
   use in validation.

[include full document text]