A Profile for Resource Certificate Repository Structure
RFC 6481
Internet Engineering Task Force (IETF) G. Huston
Request for Comments: 6481 R. Loomans
Category: Standards Track G. Michaelson
ISSN: 2070-1721 APNIC
February 2012
A Profile for Resource Certificate Repository Structure
Abstract
This document defines a profile for the structure of the Resource
Public Key Infrastructure (RPKI) distributed repository. Each
individual repository publication point is a directory that contains
files that correspond to X.509/PKIX Resource Certificates,
Certificate Revocation Lists and signed objects. This profile
defines the object (file) naming scheme, the contents of repository
publication points (directories), and a suggested internal structure
of a local repository cache that is intended to facilitate
synchronization across a distributed collection of repository
publication points and to facilitate certification path construction.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6481.
Huston, et al. Standards Track [Page 1]
RFC 6481 ResCert Repository Structure February 2012
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Terminology ................................................3
2. RPKI Repository Publication Point Content and Structure .........4
2.1. Manifests ..................................................5
2.2. CA Repository Publication Points ...........................6
3. Resource Certificate Publication Repository Considerations ......8
4. Certificate Reissuance and Repositories ........................10
5. Synchronizing Repositories with a Local Cache ..................10
6. Security Considerations ........................................11
7. IANA Considerations ............................................12
7.1. Media Types ...............................................12
7.1.1. application/rpki-manifest ..........................12
7.1.2. application/rpki-roa ...............................13
7.2. RPKI Repository Name Scheme Registry ......................13
8. Acknowledgements ...............................................13
9. References .....................................................14
9.1. Normative References ......................................14
9.2. Informative References ....................................14
1. Introduction
To validate attestations made in the context of the Resource Public
Key Infrastructure (RPKI) [RFC6480], relying parties (RPs) need
access to all the X.509/PKIX Resource Certificates, Certificate
Revocation Lists (CRLs), and signed objects that collectively define
the RPKI.
Each issuer of a certificate, CRL, or a signed object makes it
available for download to RPs through the publication of the object
in an RPKI repository.
The repository system is a collection of all signed objects that MUST
be globally accessible to all RPs. When certificates, CRLs, and
signed objects are created, they are uploaded to a repository
publication point, from which they can be downloaded for use by RPs.
This profile defines the recommended object (file) naming scheme, the
recommended contents of repository publication points (directories),
and a suggested internal structure of a local repository cache that