Internet-Draft | Tiebreaking RPKI Trust Anchors | November 2024 |
Snijders, et al. | Expires 8 May 2025 | [Page] |
A Trust Anchor (TA) in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate. Over time, Relying Parties (RP) may have acquired multiple different issuances of valid TA certificates from the same TA operator. This document proposes a tiebreaking scheme to be used by RPs to select one TA certificate for certification path validation. This document updates RFC 8630.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 May 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
In the Resource Public Key Infrastructure (RPKI) hierarchical structure, a Trust Anchor is an authority for which trust is assumed and not derived. TA operators periodically reissue TA certificates to introduce changes to, for example, modify the set of IP Address Delegations and/or Autonomous System Identifier Delegations included in the [RFC3779] extension(s), the content of the Subject Information Access extension (Section 4.2.2.2 of [RFC5280]), and the certificate validity period (Section 4.1.2.5 of [RFC5280]).¶
Relying Parties periodically fetch Trust Anchor certificates from well-known, remote locations and verify that the key of the self-signed certificate matches the key embedded in its associated Trust Anchor Locator [RFC8630]. This transfer may happen via an unauthenticated channel, and the certificate is verified by checking that it is signed by the public key in the TAL. After retrieving a TA certificate Relying Parties have a choice between using a previously retrieved locally cached copy of the TA certificate and the newly-retrieved instance of the TA certificate.¶
Periodic reissuance of TA certificates is a way of ensuring that the RPKI remains healthy at its root by avoiding ossification and retaining agility, consequently RPs refetch the certificates to adopt changes in the TA's INR [RFC3779] and SIA [RFC5280] extensions. In the past, some Trust Anchor certificates were issued with unreasonably long validity periods, in some cases up to a century. Since TA certificates are the root, and thus have no CRL covering them, Trust Anchor operators cannot revoke previously issued TA certificates. This means that an on-path adversary or caching network element could present Relying Parties with an older instance of the TA certificate than the TA operator intends Relying Parties to use.¶
This document proposes a tiebreaking scheme for Relying Parties, preferring (1) the 'more recently' issued certificate, and (2) the certificate with the shortest validity period among certificates with equal notBefore. This establishes a partial order over TA certificates issued by the same TA, permitting the issuance of a certificate that is preferred over any previous certificate.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
It is assumed that the reader is familiar with the terms and concepts described in "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" [RFC5280] and "A Profile for Resource Certificate Repository Structure" [RFC6481].¶
This section updates [RFC8630].¶
In Section 3, this paragraph is replaced as follows.¶
OLD¶
- Retrieve the object referenced by (one of) the TA URI(s) contained in the TAL.¶
- Confirm that the retrieved object is a current, self-signed RPKI CA certificate that conforms to the profile as specified in [RFC6487].¶
- Confirm that the public key in the TAL matches the public key in the retrieved object.¶
- Perform other checks, as deemed appropriate (locally), to ensure that the RP is willing to accept the entity publishing this self-signed CA certificate to be a TA. These tests apply to the validity of attestations made in the context of the RPKI relating to all resources described in the INR extension(s) of this certificate.¶
NEW¶
- Retrieve the object referenced by (one of) the TA URI(s) contained in the TAL. If this step fails, use the locally cached copy of the TA referenced by the TAL previously retrieved.¶
- Confirm that the retrieved object is a current, validly self-signed RPKI CA certificate that conforms to the profile as specified in [RFC6487]. If this step fails, use the locally cached copy of the retrieved TA.¶
- Confirm that the public key in the TAL matches the public key in the retrieved object. If this step fails, use the locally cached copy of the retrieved TA.¶
- Check whether the retrieved object has a more recent notBefore than the locally cached copy of the retrieved TA. If the notBefore of the retrieved object is less recent, use the locally cached copy of the retrieved TA.¶
- If the notBefore dates are equal, check whether the retrieved object has a shorter validity period than the locally cached copy of the retrieved TA. If the validity period of the retrieved object is longer, use the locally cached copy of the retrieved TA.¶
- If the validity period is equal, and the newly-retrieved certificate differs from the cached copy, use the newly-retrieved certificate.¶
When Relying Parties inadvertently use a different instance of the TA certificate than the TA operator intended for RPs to use, the certification path validation process will yield an unexpected outcome. Some examples of unexpected outcomes are validation failures, or replay attacks. Standardization of a tiebreaking scheme helps both RP and TA operators arrive at deterministic outcomes. The proposed tiebreaking scheme prevents RPs from accepting a previous certificate presented by an on-path adversary in the presence of other TA certificate material.¶
This document has no IANA actions.¶
This section is to be removed before publishing as an RFC.¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.¶
According to [RFC7942], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".¶
The authors wish to thank Tim Bruijnzeels and George Michaelson.¶