Presentation is loading. Please wait.

Presentation is loading. Please wait.

RPKI Certificate Policy Status Update Stephen Kent.

Published bySteven Morales Modified over 10 years ago

Similar presentations

Presentation on theme: "RPKI Certificate Policy Status Update Stephen Kent."— Presentation transcript:

1 RPKI Certificate Policy Status Update Stephen Kent

2 2 Change Process We provided the MS Word master copy to Andrei Robachevsky (RIPE), who coordinated changes with all the RIRs and returned the change-tracked version to us Changes fall into a few categories l Changed terminology globally (see next slide) l Removed references to routing security l Referred to CPS for more topics l Better alignment with RIR policies l Removed references to trust anchors, LIRs, NRO l Algorithm specifications The the document did not become shorter

3 3 Changes to Terminology/Definitions allocate and assign distribute IP address(es) and AS number(s) Internet Number Resource(s) (INR) subscriber network subscriber uploading to repositories publishing via repositories certificate holder subscriber Defined INR Defined RPKI signed objects

4 4 Briefer, More General Text Removed description of RPKI infrastructure Removed references to specific uses of the RPKI, e.g., routing security, resource transfers Changed text about ROAs to be about RPKI signed objects Replaced details of applying for a certificate (4.1.1) with pointer to CPS Replaced some of the details of circumstances for revocation (4.9.1) with pointer to CPS Replaced some of the details for CA/RA termination (5.8) with pointer to CPS

5 5 Alignment with RIR Ops/Policies Removed mention of RIRs as trust anchors Removed mention of LIRs Deleted the expansion/definition of RIR names Deleted definition of NRO (1.7) Changed CP approval procedures to be made by the organizations administering the CP

6 6 Other Changes (1/2) 2.4. Access controls on repositories -- "Each CA shall implement access controls to prevent unauthorized persons from adding, modifying or deleting repository entries. A CA shall not intentionally use technical means of limiting read access to its CPS, certificates, CRLs or RPKI signed objects 4.5.2 Relying party public key and certificate usage -- reworked section to provide more detail on the responsibilities of the relying party 4.6.1 Circumstance for certificate renewal -- clarified that "Prior to the expiration of an existing subscriber's certificate, it is the responsibility of the subscriber to renew the certificate to maintain continuity of certificate usage.

7 7 Other Changes (2/2) 5.6. Key changeover -- Focused on requirement to acquire new certificate well before scheduled change of the current key pair. Deleted details re: validity period vs contractual period 6.1.3. Public key delivery to certificate issuer -- When a public key is transferred to the issuing CA to be certified, it shall be delivered through a mechanism ensuring that the public key has not been altered during transit and that the subscriber possesses the private key corresponding to the transferred public key. 6.1.5. Key sizes -- rewritten to specify algorithm/hash, need to accommodate transition to a different algorithm/hash, and key sizes.

8 8 Remaining Issues 1.6.4. CP approval procedures -- Should there be mention of where the CP and amendments can be found? 3.2.4. Non-verified subscriber information – No non- verified subscriber data is included in certificates issued under this certificate policy. but what about SIA? 4.9.2. Who can request revocation -- "The subscriber or issuer may request a revocation. Should there be reference to regional policies and CPS/business agreements (SSA)? 6.1.4. CA public key delivery to relying parties -- "The relying parties need to know who the TAs are and how are. 6.1.5. Key sizes -- Where should algorithm specs reside – certificate profile, CP, or a third document?

9 9 Questions?

Download ppt "RPKI Certificate Policy Status Update Stephen Kent."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.

2 3 Global Foundation Services Security Global Delivery Sustainability Infrastructure.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.

APNIC Member Services George Kuo. MyAPNIC 2 What is MyAPNIC A secure Member services website Internet resources management, for example: –Whois updates.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a.

Local TA Management In prior WG meetings I presented a model for local management of trust anchors for the RPKI In response to these presentations, a.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Similar presentations

Ads by Google