Authors: G. Huston, G. Michaelson, C. Martinez, T. Bruijnzeels, A. Newton
DOI: 10.17487/RFC8360
Keywords:
Abstract: This document specifies an alternative to the certificate validation procedure specified in RFC 6487 that reduces aspects of operational fragility in the management of certificates in the Resource Public Key Infrastructure (RPKI), while retaining essential security features. The procedure specified in RFC 6487 requires that Resource Certificates are rejected entirely if they are found to overclaim any resources not contained on the issuing certificate, whereas the validation process defined here allows an issuing Certification Authority (CA) to choose to communicate that such Resource Certificates should be accepted for the intersection of their resources and the issuing certificate. It should be noted that the validation process defined here considers validation under a single trust anchor (TA) only. In particular, concerns regarding overclaims where multiple configured TAs claim overlapping resources are considered out of scope for this document. This choice is signaled by a set of alternative Object Identifiers (OIDs) per "X.509 Extensions for IP Addresses and AS Identifiers" (RFC 3779) and "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)" (RFC 6484). It should be noted that in case these OIDs are not used for any certificate under a trust anchor, the validation procedure defined here has the same outcome as the procedure defined in RFC 6487. Furthermore, this document provides an alternative to Route Origin Authorization (ROA) (RFC 6482) and BGPsec Router Certificate (BGPsec PKI Profiles -- publication requested) validation.