Matt Lepinski | 3 Nov 2008 19:24

ROA Format -04

I have submitted a revision to the ROA Format specification (see attached).

As per recent discussions on the SIDR list, I have changed the 
validation text in Section 3 to indicate that a ROA is valid if its IP 
address prefix(es) are contained within the set of IP addresses 
specified by the RFC 3779 extension in the EE certificate (previously 
the text had required an exact match between the IP addresses in a ROA 
and the IP addresses in the RFC 3779 extension of the EE cert).

The draft remains silent with regards to multiple signatures on a single 
ROA (as the discussion of this issue did not seem to yield any consensus).

- Matt Lepinski

Secure Inter-Domain Routing (sidr)                          M. Lepinski
Internet Draft                                                  S. Kent
Expires: May 2009                                               D. Kong
Intended Status: Proposed Standard                     BBN Technologies
                                                       November 3, 2008

             A Profile for Route Origin Authorizations (ROAs)
                     draft-ietf-sidr-roa-format-04.txt

Status of this Memo 

   By submitting this Internet-Draft, each author represents that       
   any applicable patent or other IPR claims of which he or she is       
   aware have been or will be disclosed, and any of which he or she       
   becomes aware will be disclosed, in accordance with Section 6 of       
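The containment rule described in the message above, next to the earlier exact-match rule, as an added example that is not part of the original post or the draft. The function names, the `lo-hi` range syntax and the sample prefixes (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress

def resource_set(entries):
    """Normalize prefixes ('a/b') and ranges ('lo-hi') into the minimal
    list of non-overlapping networks per address family."""
    nets = {4: [], 6: []}
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in entry.split("-"))
            found = ipaddress.summarize_address_range(lo, hi)
        else:
            found = [ipaddress.ip_network(entry, strict=True)]
        for net in found:
            nets[net.version].append(net)
    # collapse_addresses merges adjacent and nested blocks, so a ROA prefix
    # that spans two adjacent certified blocks is still matched below.
    return {v: list(ipaddress.collapse_addresses(ns)) for v, ns in nets.items()}

def roa_contained(roa_prefixes, ee_entries):
    """New rule: each ROA prefix must lie within the EE cert's address set."""
    covered = resource_set(ee_entries)
    result = {}
    for prefix in roa_prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        result[prefix] = any(net.subnet_of(c) for c in covered[net.version])
    return result

def roa_exact_match(roa_prefixes, ee_entries):
    """Earlier rule: the ROA's addresses must equal the EE cert's addresses."""
    return resource_set(roa_prefixes) == resource_set(ee_entries)

# Constructed sample data (documentation prefixes), not taken from any real cert.
EE_RESOURCES = ["192.0.2.0/25", "192.0.2.128/25",
                "198.51.100.0-198.51.100.255", "2001:db8::/32"]
ROA_PREFIXES = ["192.0.2.0/24", "198.51.100.64/26", "2001:db8:1::/48"]

if __name__ == "__main__":
    print("contained:", roa_contained(ROA_PREFIXES, EE_RESOURCES))
    print("exact match:", roa_exact_match(ROA_PREFIXES, EE_RESOURCES))
    print("outside:", roa_contained(["203.0.113.0/24"], EE_RESOURCES))
```
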

Internet-Drafts | 3 Nov 2008 19:30

I-D Action:draft-ietf-sidr-roa-format-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : A Profile for Route Origin Authorizations (ROAs)
	Author(s)       : M. Lepinski, et al.
	Filename        : draft-ietf-sidr-roa-format-04.txt
	Pages           : 14
	Date            : 2008-11-03

This document defines a standard profile for Route Origin 
Authorizations (ROAs).  A ROA is a digitally signed object that 
provides a means of verifying that an IP address block holder has 
authorized an Autonomous System (AS) to originate routes to one 
or more prefixes within the address block.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-roa-format-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-sidr-roa-format-04.txt): message/external-body, 70 bytes

Karen Seo | 3 Nov 2008 21:19

CPS's for RIRs and ISPs

Folks,

We just re-submitted the following two I-Ds so as to re-activate 
them. The submission system indicated it would take up to 2 days 
before the draft was processed. There were no changes except for 
updating the dates.  So if you wish to review them prior to their 
being posted, you can use the previous versions of these drafts at 
http://tools.ietf.org/wg/sidr/

   Template for an Internet Service Provider's Certification Practice
         Statement (CPS) for the Resource PKI (RPKI)
   draft-ietf-sidr-cps-isp-03.txt

   Template for an Internet Registry's Certification Practice Statement
         (CPS) for the Resource PKI (RPKI)
   draft-ietf-sidr-cps-irs-04.txt

Looking forward to your feedback.  Thank you,
Karen

Internet-Drafts | 3 Nov 2008 22:45

I-D Action:draft-ietf-sidr-arch-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : An Infrastructure to Support Secure Internet Routing
	Author(s)       : M. Lepinski, S. Kent
	Filename        : draft-ietf-sidr-arch-04.txt
	Pages           : 27
	Date            : 2008-11-03

This document describes an architecture for an infrastructure to 
support improved security of Internet routing. The foundation of this 
architecture is a public key infrastructure (PKI) that represents the 
allocation hierarchy of IP address space and Autonomous System 
Numbers; and a distributed repository system for storing and 
disseminating the data objects that comprise the PKI, as well as 
other signed objects necessary for improved routing security. As an 
initial application of this architecture, the document describes how 
a holder of IP address space can explicitly and verifiably authorize 
one or more ASes to originate routes to that address space. Such 
verifiable authorizations could be used, for example, to more 
securely construct BGP route filters.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-arch-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


Internet-Drafts | 4 Nov 2008 00:30

I-D ACTION:draft-ietf-sidr-cps-irs-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title		: Template for an Internet Registry's Certification Practice Statement (CPS) for the Resource PKI (RPKI)
	Author(s)	: D. Kong, K. Seo, S. Kent
	Filename	: draft-ietf-sidr-cps-irs-04.txt
	Pages		: 45
	Date		: 2008-11-3
	
This document contains a template to be used for creating a 
   Certification Practice Statement (CPS) for an Internet Registry 
   (e.g., NIR or RIR) that is part of the Resource Public Key 
   Infrastructure (RPKI).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-cps-irs-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-sidr-cps-irs-04.txt): message/external-body, 69 bytes

Internet-Drafts | 4 Nov 2008 01:00

I-D ACTION:draft-ietf-sidr-cps-isp-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title		: Template for an Internet Service Provider's Certification Practice Statement (CPS) for the Resource PKI (RPKI)
	Author(s)	: K. Seo, S. Kent, D. Kong
	Filename	: draft-ietf-sidr-cps-isp-03.txt
	Pages		: 48
	Date		: 2008-11-3
	
This document contains a template to be used for creating a 
   Certification Practice Statement (CPS) for a Local Internet Registry 
   (LIR) or Internet Service Provider (ISP) that is part of the Resource 
   Public Key Infrastructure (PKI).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-cps-isp-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-sidr-cps-isp-03.txt): message/external-body, 69 bytes

Internet-Drafts | 4 Nov 2008 01:00

I-D ACTION:draft-ietf-sidr-cp-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title		: Certificate Policy (CP) for the Resource PKI (RPKI)
	Author(s)	: S. Kent, D. Kong, K. Seo
	Filename	: draft-ietf-sidr-cp-04.txt
	Pages		: 47
	Date		: 2008-11-3
	
This document describes the certificate policy for a PKI used to 
   support improved routing security. Each organization that allocates 
   IP addresses or Autonomous System (AS) numbers to an organization 
   will, in parallel, issue a certificate reflecting this allocation. 
   These certificates will enable verification that the holder of the 
   associated private key has been allocated the resources indicated in 
   the certificate, and is the current, unique holder of these 
   resources. The PKI in which the certificates issued under this 
   policy are employed, in conjunction with ancillary digitally signed 
   data structures, will provide critical inputs for routing security 
   mechanisms, e.g., generation of route filters by ISPs.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-cp-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the

Sandra Murphy | 5 Nov 2008 21:40

light agenda?

I've seen only one suggestion for an agenda item.

Hopefully authors of some of the new versions that have been submitted 
recently will be able to present.

I will post an agenda today but I hope to have reason to amend it later.

--Sandy

Sandra Murphy | 6 Nov 2008 20:55

status of draft-ietf-sidr-res-certs-14

On 26 Oct 2008 08:12:06 +1100, Geoff Huston wrote:

>This version (14) incorporates review comments received during the last
>call on the document. The section on trust anchors was revised for
>clarity with suggestions from Steven Kent, but no changes in the
>specification of the certificates have been made.

Steve Kent's text added to the Trust Anchor section has never been seen by 
the wg and represents a change from the previous text's representation and 
handling of trust anchor material.

I have therefore decided that this draft as is can not be passed to the 
IESG without a SHORT last call for the wg to comment on this change.

Because this draft has been through last call twice before, I believe that 
a last call of one week is all that is required.

The last call will end November 13, 2008.

To avoid a subsequent last call to approve any changes, all comments 
suggesting changes in the draft should be made to the list and accompanied 
by suggested new text.  This way, the wg can see and comment on suggested 
changes so we won't need ANY MORE LAST CALLs on this document.

The substantive changed text occurs in Section 6.3.  All changes can be 
seen at

http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=http://tools.ietf.org/id/draft-ietf-sidr-res-certs-14.txt

--Sandy

Geoff Huston | 6 Nov 2008 21:00

draft-ietf-res-certs

WG Chair Hat OFF

Since Sandy's Last Call on this document there have been a few changes  
to the document which I should note here.

The first set of changes concerns the revision from -13 to -14
(http://smakd.potaroo.net/cgi-bin/htmlwdiff?f1=..%2fall-ids%2fdraft-ietf-sidr-res-certs-14.txt&f2=..%2fall-ids%2fdraft-ietf-sidr-res-certs-13.txt)

Following advice from Steve Kent, the section on Trust Anchors was
revised (section 6). The change has concerned the terminology used to
describe the various structures proposed in the TA model.

Other changes include typography, and some clarification regarding the
treatment of signed objects and EE certificates with key rollover.

The -14 rev of the document was submitted to the drafts repository on
the 25th October.

I have prepared a -15 rev of the document to address a couple of other
concerns that appeared after the draft cut off date. This document is
at: http://www.potaroo.net/drafts/draft-ietf-sidr-res-certs-15.txt
until the draft submission process reopens in a couple of weeks.

The differences are:

a) consistent use of OID labels (GeneralNames, accessMethod,
     accessLocation) throughout the document

b) typo referring to id-ad-rpkiManifest