A Profile for X.509 PKIX Resource Certificates
RFC 6487

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: RFC Editor <rfc-editor@rfc-editor.org>,
    sidr mailing list <sidr@ietf.org>,
    sidr chair <sidr-chairs@tools.ietf.org>
Subject: Protocol Action: 'A Profile for X.509 PKIX Resource Certificates' to Proposed Standard (draft-ietf-sidr-res-certs-22.txt)

The IESG has approved the following document:
- 'A Profile for X.509 PKIX Resource Certificates'
  (draft-ietf-sidr-res-certs-22.txt) as a Proposed Standard

This document is the product of the Secure Inter-Domain Routing Working
Group.

The IESG contact persons are Stewart Bryant and Adrian Farrel.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-sidr-res-certs/


Technical Summary

This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of assertions of "right-of-use"
of Internet Number Resources (INRs).  The certificates issued under this profile are
used to convey the Issuer's authorisation of the Subject to be
regarded as the current holder of a "right-of-use" of the INRs that
are described in the certificate.  This document contains the
normative specification of Certificate and Certificate Revocation
List (CRL) syntax in the Resource Public Key Infrastructure (RPKI).
The document also specifies profiles for the format of certificate
requests.  The document also specifies the Relying Party RPKI
certificate path validation procedure.

Working Group Summary

This draft was the first draft presented to the working group and has
been a basis for other work in the working group.  Several implementers
of this certificate profile have conveyed implementation experience that
has been incorporated into the draft.

Document Quality

This document is well written and clear.  Over the years, portions have
been extracted to become independent drafts and the language has become
more concise as a result of detailed reviews.  Although this profile
does not define a protocol, several independent implementations of this
certificate profile exist, indicating careful review.

There have been careful reviews by X.509 PKI experts and by ASN.1 experts
and their comments have been addressed.

Personnel

Sandra Murphy is the Document Shepherd for this document.
Stewart Bryant is the Responsible Area Director.

RFC Editor Note
In the References:

OLD
[ID.sidr-cp]
              Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate
              Policy (CP) for the Resource PKI (RPKI)", Work in
              progress: Internet Drafts draft-ietf-sidr-c-13.txt,
              September 2010.
NEW
[ID.sidr-cp]
              Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate
              Policy (CP) for the Resource PKI (RPKI)", Work in
              progress: Internet Drafts draft-ietf-sidr-cp-13.txt,
              September 2010.
END

In Section 4.9.6, 3rd paragraph:

OLD:
  The CRL Distribution Points (CRLDP) extension identifies the
  location(s) of the CRL(s) associated with certificates issued by this
  Issuer.  The RPKI uses the URI form of object identification.  The
  preferred URI access mechanism is a single RSYNC URI ("rsync://")
  [RFC5781] that references a single inclusive CRL for each Issuer.

NEW:
  The CRL Distribution Points (CRLDP) extension identifies the
  location(s) of the CRL(s) associated with certificates issued by this
  Issuer.  The RPKI uses the URI [RFC3986] form of object identification.  The
  preferred URI access mechanism is a single RSYNC URI ("rsync://")
  [RFC5781] that references a single inclusive CRL for each Issuer.

Please add [RFC3986] to the list of Normative References.

Please move [RFC5781] to the Normative References.