…FC 8209 BGPsec Router PKI Profile September 2017 This document is a profile of [RFC6487], which is a profile of [RFC5280]; thus, this document updates [RFC6487]. It establishes requirements imposed on a Resource Certificate that is used as a BGPsec Router Certificate, i.e., it de…
…286 and Certificate Revocation List (CRL) published by that TA (Section 5 of [RFC6487]). However, before processing any other objects, it will first validate the TAK object if it is present. If the TAK object lists only the current public key, then the RP continues processing a…
…de the RPKI Certificate Policy (CP) [RFC6484], the RPKI Certificate Profile [RFC6487], the RPKI Architecture [RFC6480], and the Signed Object Template for the RPKI [RFC6488]. Familiarity with these documents is assumed. 1.1. Terminology The key words "MUST", "MUST NOT", …
…resource information is carried in X.509 certificates via RFC 3779 extensions [RFC6487]. Other information assertions about resources are expressed via digitally signed, non-X.509 data structures that are referred to as "signed objects" in the RPKI context [RFC6480]. This doc…
…sitory publication point of the certificates issued by this CA, as specified in [RFC6487]. The id-ad-rpkiManifest accessMethod element has an associated accessLocation element that points to the manifest object, as an object URI (as distinct to a directory URI), that is associate…
…ublic Key Infrastructure (RPKI), Certificate Authorities publish certificates [RFC6487], RPKI signed objects [RFC6488], manifests [RFC6486], and CRLs to repositories. CAs may have an embedded mechanism to publish to these repositories, or they may use a separate Repository Se…
… Party (RP) has verified to be valid according to the rules for validation (see [RFC6487], [RFC6488], [RFC9286]). CCR is a data interchange format using Distinguished Encoding Rules (DER, [X.690]) which can be used to represent various aspects of the state of a validated cache at a parti…
…ce certificates, and conform to the certificate profile for such certificates [RFC6487]. Resource certificates attest to the allocation by the (certificate) issuer of IP addresses or AS numbers to the subject. They do this by binding the public key contained in the resource cer…
… an SIA entry with an accessMethod of id-ad-rpkiManifest (Section 4.8.8.1 of [RFC6487]). For the purposes of this document, the manifest filename is the final segment of the path of the accessLocation URI from that SIA entry. Section 4.8.8.1 of [RFC6487] states that a CA may in…
… CA, and all published signed objects that are verifiable using EE certificates [RFC6487] issued by this CA (other than the manifest itself). Every RPKI signed object includes, in the Cryptographic Message Syntax (CMS) [RFC5652] wrapper of the object, the EE certificate used to verif…
…t, self-signed RPKI CA certificate that conforms to the profile as specified in [RFC6487]. Confirm that the public key in the TAL matches the public key in the retrieved object. Perform other checks, as deemed appropriate (locally), to ensure that the RP is willing to accept the ent…
…, uses, and interpretations described in the following: [RFC3779], [RFC6480], [RFC6481], [RFC6487], and [RFC6488]. A process to construct and sign RPKI Trust Anchor constraints is specified in [I-D.nro-sidrops-ta-constraints]. Such signed distributed constraints can serve as an input to the meth…
…ile makes use of certificates adhering to the RPKI resource certificate profile [RFC6487]; thus, familiarity with that profile is also assumed. 3. The ROA Content Type The content-type for a ROA is defined as id-ct-routeOriginAuthz and has the numerical value 1.2.840.113549.1.9.16…