Technical Summary
This document specifies an alternative to the certificate validation
procedure specified in RFC 6487 that reduces aspects of operational
fragility in the management of certificates in the RPKI, while
retaining essential security features.
The use of this updated procedure is signalled by form of a set of
alternative Object Identifiers (OIDs) indicating that the alternative
version of RFC 3779 X.509 Extensions for IP Addresses and AS
Identifiers, and certificate policy for the Resource Public Key
Infrastructure (RFC 6484) defined in this document should be used.
Furthermore this document provides an alternative to ROA (RFC 6482),
and BGPSec Router Certificate (BGPSec PKI Profiles - publication
requested) validation.
Working Group Summary
The discussion of this document in the WG was contentious at the start,
but it eventually settled and consensus was reached.
Document Quality
This is not a protocol change, but a mechanics change. The existing
CA/RP code implementations will support this once published.
Personnel
Shepherd: Chris Morrow (morrowc@ops-netman.net)
Reponsible AD: Alvaro Retana (aretana@cisco.com)