Dear WG,

This version was uploaded because looking at this on-line proved more convenient for IESG review, as opposed to the version of this that I sent as an email attachment. We have had a discussion about remaining DISCUSS items and a -10 version is coming soon as well. Possibly still before I board my plane home tomorrow, otherwise early next week.

Kind regards,
Tim

> On 16 Nov 2017, at 15:59, internet-dra...@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Inter-Domain Routing WG of the IETF.
>
>         Title           : RPKI Validation Reconsidered
>         Authors         : Geoff Huston
>                           George Michaelson
>                           Carlos M. Martinez
>                           Tim Bruijnzeels
>                           Andrew Lee Newton
>                           Daniel Shaw
>         Filename        : draft-ietf-sidr-rpki-validation-reconsidered-09.txt
>         Pages           : 22
>         Date            : 2017-11-15
>
> Abstract:
>    This document specifies an alternative to the certificate validation
>    procedure specified in RFC 6487 that reduces aspects of operational
>    fragility in the management of certificates in the RPKI, while
>    retaining essential security features.
>
>    Where the procedure specified in RFC 6487 requires that Resource
>    Certificates are rejected entirely if they are found to over-claim
>    any resources not contained on the issuing certificate, the
>    validation process defined here allows an issuing Certificate
>    Authority to choose to communicate that such Resource Certificates
>    should be accepted for the intersection of their resources and the
>    issuing certificate.
>
>    This choice is signalled by form of a set of alternative Object
>    Identifiers (OIDs) of RFC 3779 X.509 Extensions for IP Addresses and
>    AS Identifiers, and certificate policy for the Resource Public Key
>    Infrastructure (RFC 6484).  It should be noted that in case these
>    OIDs are not used for any certificate under a Trust Anchor, the
>    validation procedure defined here has the same outcome as the
>    procedure defined in RFC 6487.
>
>    Furthermore this document provides an alternative to ROA (RFC 6482),
>    and BGPSec Router Certificate (BGPSec PKI Profiles - publication
>    requested) validation.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-09
> https://datatracker.ietf.org/doc/html/draft-ietf-sidr-rpki-validation-reconsidered-09
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-09
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
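
The difference the quoted abstract describes, as an added example that is not part of the original message or of the draft: a simplified model comparing the RFC 6487 outcome (an over-claiming certificate is rejected entirely) with the alternative outcome (it is accepted for the intersection with the issuing certificate). Assumptions: the boolean `uses_alt_oids` stands in for the alternative OIDs, only IP prefixes are modelled (no AS identifiers), and the prefixes are constructed sample values from documentation ranges.

```python
from ipaddress import ip_network

def norm(nets):
    """Deduplicate and order prefixes so two resource sets can be compared."""
    return sorted(set(nets), key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def intersect(claimed, issuer):
    """Part of `claimed` that the issuer's verified resources cover.
    Two CIDR prefixes either nest or are disjoint, so each pair yields
    the smaller prefix or nothing."""
    out = []
    for c in claimed:
        for p in issuer:
            if c.version != p.version:
                continue
            if c.subnet_of(p):
                out.append(c)      # claim lies fully inside the issuer's prefix
            elif p.subnet_of(c):
                out.append(p)      # claim is wider: keep only the issuer's part
    return norm(out)

def verified_resources(chain):
    """chain: list of (prefixes, uses_alt_oids), trust anchor first.
    Returns the verified resource set of the last certificate, or None
    when a certificate without the alternative OIDs over-claims."""
    verified = norm(chain[0][0])
    for claimed, uses_alt_oids in chain[1:]:
        covered = intersect(claimed, verified)
        if not uses_alt_oids and covered != norm(claimed):
            return None            # RFC 6487 behaviour: reject entirely
        verified = covered         # alternative behaviour: keep the intersection
    return verified

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

# Constructed scenario: the CA certificate was reissued without 198.51.100.0/24,
# but the certificate below it still claims part of that prefix.
TA = nets("192.0.2.0/24", "198.51.100.0/24")
CA = nets("192.0.2.0/24")
CHILD = nets("192.0.2.0/25", "198.51.100.0/25")

def chain(uses_alt_oids, child=CHILD):
    return [(TA, uses_alt_oids), (CA, uses_alt_oids), (child, uses_alt_oids)]

if __name__ == "__main__":
    print("RFC 6487 OIDs:   ", verified_resources(chain(False)))
    print("alternative OIDs:", verified_resources(chain(True)))
```
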