{"draft":"draft-ietf-sidr-rpki-validation-reconsidered-10","doc_id":"RFC8360","title":"Resource Public Key Infrastructure (RPKI) Validation Reconsidered","authors":["G. Huston","G. Michaelson","C. Martinez","T. Bruijnzeels","A. Newton","D. Shaw"],"format":["ASCII","HTML"],"page_count":"29","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Secure Inter-Domain Routing","abstract":"This document specifies an alternative to the certificate validation\r\nprocedure specified in RFC 6487 that reduces aspects of operational\r\nfragility in the management of certificates in the Resource Public\r\nKey Infrastructure (RPKI), while retaining essential security\r\nfeatures.\r\n\r\nThe procedure specified in RFC 6487 requires that Resource\r\nCertificates are rejected entirely if they are found to overclaim any\r\nresources not contained on the issuing certificate, whereas the\r\nvalidation process defined here allows an issuing Certification\r\nAuthority (CA) to choose to communicate that such Resource\r\nCertificates should be accepted for the intersection of their\r\nresources and the issuing certificate.\r\n\r\nIt should be noted that the validation process defined here considers\r\nvalidation under a single trust anchor (TA) only. In particular,\r\nconcerns regarding overclaims where multiple configured TAs claim\r\noverlapping resources are considered out of scope for this document.\r\n\r\nThis choice is signaled by a set of alternative Object Identifiers\r\n(OIDs) per \"X.509 Extensions for IP Addresses and AS Identifiers\"\r\n(RFC 3779) and \"Certificate Policy (CP) for the Resource Public Key \r\nInfrastructure (RPKI)\" (RFC 6484). It should be noted that in case\r\nthese OIDs are not used for any certificate under a trust anchor, the\r\nvalidation procedure defined here has the same outcome as the\r\nprocedure defined in RFC 6487.\r\n\r\nFurthermore, this document provides an alternative to Route Origin\r\nAuthorization (ROA) (RFC 6482) and BGPsec Router Certificate (BGPsec\r\nPKI Profiles -- publication requested) validation.","pub_date":"April 2018","keywords":[],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC8360","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc8360"}