Internet Engineering Task Force (IETF) R. Bush
Request for Comments: 6493 Internet Initiative Japan
Category: Standards Track February 2012
ISSN: 2070-1721
Internet Engineering Task Force (IETF) R. Bush
Request for Comments: 6493 Internet Initiative Japan
Category: Standards Track February 2012
ISSN: 2070-1721
The Resource Public Key Infrastructure (RPKI) Ghostbusters Record
资源公钥基础设施(RPKI)Ghostbusters记录
Abstract
摘要
In the Resource Public Key Infrastructure (RPKI), resource certificates completely obscure names or any other information that might be useful for contacting responsible parties to deal with issues of certificate expiration, maintenance, roll-overs, compromises, etc. This document describes the RPKI Ghostbusters Record containing human contact information that may be verified (indirectly) by a Certification Authority (CA) certificate. The data in the record are those of a severely profiled vCard.
在资源公钥基础设施(RPKI)中,资源证书完全隐藏名称或任何其他信息,这些信息可能有助于联系责任方以处理证书过期、维护、延期、泄露等问题,本文件描述了RPKI Ghostbusters记录,其中包含可由认证机构(CA)证书(间接)验证的人类联系信息。记录中的数据是经过严格分析的vCard的数据。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6493.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6493.
Copyright Notice
版权公告
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2012 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . . 3
3. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . . 3
4. RPKI Ghostbusters Record Payload Example . . . . . . . . . . . 4
5. vCard Profile . . . . . . . . . . . . . . . . . . . . . . . . . 4
6. CMS Packaging . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. Validation . . . . . . . . . . . . . . . . . . . . . . . . . . 5
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
9.1. OID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.2. File Extension . . . . . . . . . . . . . . . . . . . . . . 6
9.3. Media Type . . . . . . . . . . . . . . . . . . . . . . . . 7
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
11.1. Normative References . . . . . . . . . . . . . . . . . . . 7
11.2. Informative References . . . . . . . . . . . . . . . . . . 8
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . . 3
3. Suggested Reading . . . . . . . . . . . . . . . . . . . . . . . 3
4. RPKI Ghostbusters Record Payload Example . . . . . . . . . . . 4
5. vCard Profile . . . . . . . . . . . . . . . . . . . . . . . . . 4
6. CMS Packaging . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. Validation . . . . . . . . . . . . . . . . . . . . . . . . . . 5
8. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
9.1. OID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.2. File Extension . . . . . . . . . . . . . . . . . . . . . . 6
9.3. Media Type . . . . . . . . . . . . . . . . . . . . . . . . 7
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
11.1. Normative References . . . . . . . . . . . . . . . . . . . 7
11.2. Informative References . . . . . . . . . . . . . . . . . . 8
In the operational use of the RPKI, it can become necessary to contact, human to human, the party responsible for a resource-holding CA certificate, AKA the certificate's maintainer, be it the holder of the certificate's private key or an administrative person in the organization, a NOC, etc. An important example is when the operator of a prefix described by a Route Origin Authorization (ROA) sees a problem, or an impending problem, with a certificate or Certificate Revocation List (CRL) in the path between the ROA and a trust anchor. For example, a certificate along that path has expired, is soon to expire, or a CRL associated with a CA along the path is stale, thus placing the quality of the routing of the address space described by the ROA in jeopardy.
在RPKI的操作使用过程中,可能需要人与人之间联系持有CA证书的资源负责方,即证书的维护者,无论是证书的私钥持有人还是组织中的管理人员,即NOC,等等。一个重要的例子是,当路由来源授权(ROA)描述的前缀的操作员看到ROA和信任锚之间的路径中的证书或证书撤销列表(CRL)出现问题或即将出现的问题时。例如,沿该路径的证书已过期、即将过期,或者与沿该路径的CA相关联的CRL已过期,从而使ROA所描述的地址空间的路由质量处于危险之中。
As the names in RPKI certificates are not meaningful to humans, see [RFC6484], there is no way to use a certificate itself to lead to the worrisome certificate's or CRL's maintainer. So, "Who you gonna call?"
由于RPKI证书中的名称对人类没有意义,请参见[RFC6484],因此无法使用证书本身来导致令人担忧的证书或CRL的维护者。那么,“你要给谁打电话?”
This document specifies the RPKI Ghostbusters Record, an object verified via an end-entity (EE) certificate, issued under a CA certificate, the maintainer of which may be contacted using the payload information in the Ghostbusters Record.
本文件规定了RPKI Ghostbusters记录,这是一个通过终端实体(EE)证书验证的对象,根据CA证书颁发,可使用Ghostbusters记录中的有效载荷信息联系其维护者。
The Ghostbusters Record conforms to the syntax defined in [RFC6488]. The payload of this signed object is a severely profiled vCard.
Ghostbusters记录符合[RFC6488]中定义的语法。此签名对象的有效负载是一个严重剖析的vCard。
Note that the Ghostbusters Record is not an identity certificate, but rather an attestation to the contact data made by the maintainer of the CA certificate issuing the EE certificate whose corresponding private key signs the Ghostbusters Record.
请注意,Ghostbusters记录不是身份证书,而是对CA证书的维护者(颁发EE证书,其相应的私钥在Ghostbusters记录上签名)所做联系数据的证明。
This record is not meant to supplant or be used as resource registry whois data. It gives information about an RPKI CA certificate maintainer, not a resource holder.
此记录不是要取代或用作资源注册表whois数据。它提供有关RPKI CA证书维护者的信息,而不是资源持有者的信息。
The Ghostbusters Record is optional; CA certificates in the RPKI can have zero or more associated Ghostbuster Records.
Ghostbusters记录是可选的;RPKI中的CA证书可以有零个或多个关联的Ghostbuster记录。
Given a certificate, to find the closest Ghostbuster Record, go up until a CA certificate is reached, which may be the object itself of course. That CA certificate will have Subject Information Access (SIA) to the publication point where all subsidiary objects (until you hit a down-chain CA certificate's signed objects) are published. The publication point will contain zero or more Ghostbuster Records.
给定一个证书,要查找最近的Ghostbuster记录,请向上搜索,直到到达CA证书,当然可能是对象本身。该CA证书将具有对发布点的主题信息访问(SIA),在该发布点上发布所有子对象(直到您找到下链CA证书的签名对象)。发布点将包含零个或多个Ghostbuster记录。
This specification has three main sections. The first, Section 5, is the format of the contact payload information, a severely profiled vCard. The second, Section 6, profiles the packaging of the payload as a profile of the RPKI Signed Object Template specification [RFC6488]. The third, Section 7, describes the proper validation of the signed Ghostbusters Record.
本规范有三个主要部分。第一部分,第5节,是联系人有效负载信息的格式,这是一张经过严格分析的vCard。第二部分,第6节,将有效负载的打包配置为RPKI签名对象模板规范[RFC6488]的配置文件。第三部分,第7节,描述了签名捉鬼者记录的正确验证。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
It is assumed that the reader understands the RPKI [RFC6480], the RPKI Repository Structure [RFC6481], Signed RPKI Objects [RFC6488], and vCards [RFC6350].
假设读者理解RPKI[RFC6480]、RPKI存储库结构[RFC6481]、已签名的RPKI对象[RFC6488]和vCard[RFC6350]。
An example of an RPKI Ghostbusters Record payload with all properties populated is as follows:
填充了所有属性的RPKI Ghostbusters记录有效负载示例如下:
BEGIN:VCARD
VERSION:4.0
FN:Human's Name
ORG:Organizational Entity
ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern;WA;98666;U.S.A.
TEL;TYPE=VOICE,TEXT,WORK;VALUE=uri:tel:+1-666-555-1212
TEL;TYPE=FAX,WORK;VALUE=uri:tel:+1-666-555-1213
EMAIL:human@example.com
END:VCARD
BEGIN:VCARD
VERSION:4.0
FN:Human's Name
ORG:Organizational Entity
ADR;TYPE=WORK:;;42 Twisty Passage;Deep Cavern;WA;98666;U.S.A.
TEL;TYPE=VOICE,TEXT,WORK;VALUE=uri:tel:+1-666-555-1212
TEL;TYPE=FAX,WORK;VALUE=uri:tel:+1-666-555-1213
EMAIL:human@example.com
END:VCARD
The goal in profiling the vCard is not to include as much information as possible, but rather to include as few properties as possible while providing the minimal necessary data to enable one to contact the maintainer of the RPKI data that threatens the ROA[s] of concern.
分析vCard的目的不是包含尽可能多的信息,而是包含尽可能少的属性,同时提供最低限度的必要数据,以便能够联系威胁相关ROA的RPKI数据的维护者。
The Ghostbusters vCard payload is a minimalist subset of the vCard as described in [RFC6350].
Ghostbusters vCard有效载荷是vCard的一个子集,如[RFC6350]所述。
BEGIN - pro forma packaging that MUST be the first line in the vCard and MUST have the value "BEGIN:VCARD" as described in [RFC6350].
BEGIN-形式包装,必须是vCard中的第一行,并且必须具有[RFC6350]中所述的“BEGIN:vCard”值。
VERSION - pro forma packaging that MUST be the second line in the vCard and MUST have the value "VERSION:4.0" as described in Section 3.7.9 of [RFC6350].
版本-形式包装必须是vCard中的第二行,并且必须具有[RFC6350]第3.7.9节所述的“版本:4.0”值。
FN - the name, as described in Section 6.2.1 of [RFC6350], of a contactable person or role who is responsible for the CA certificate.
FN-如[RFC6350]第6.2.1节所述,负责CA证书的可联系人员或角色的名称。
ORG - an organization as described in Section 6.6.4 of [RFC6350].
组织-如[RFC6350]第6.6.4节所述的组织。
ADR - a postal address as described in Section 6.3 of [RFC6350].
ADR-如[RFC6350]第6.3节所述的邮政地址。
TEL - a voice and/or fax phone as described in Section 6.4.1 of [RFC6350].
电话-语音和/或传真电话,如[RFC6350]第6.4.1节所述。
EMAIL - an Email address as described in Section 6.4.2 of [RFC6350]
电子邮件-如[RFC6350]第6.4.2节所述的电子邮件地址
END - pro forma packaging that MUST be the last line in the vCard and MUST have the value "END:VCARD" as described in [RFC6350].
结束-形式包装必须是vCard中的最后一行,并且必须具有[RFC6350]中所述的“结束:vCard”值。
Per [RFC6350], the BEGIN, VERSION, FN, and END properties MUST be included in a record. To be useful, at least one of ADR, TEL, and EMAIL MUST be included. Other properties MUST NOT be included.
根据[RFC6350],开始、版本、FN和结束属性必须包含在记录中。为了有用,必须至少包括ADR、电话和电子邮件中的一个。不得包括其他属性。
The Ghostbusters Record is a CMS signed-data object conforming to the "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", [RFC6488].
Ghostbusters记录是一个CMS签名数据对象,符合“资源公钥基础设施(RPKI)的签名对象模板”[RFC6488]。
The content-type of a Ghostbusters Record is defined as id-ct-rpkiGhostbusters, and has the numerical value of 1.2.840.113549.1.9.16.1.35. This OID MUST appear both within the eContentType in the encapContentInfo object as well as the content-type signed attribute in the signerInfo object. See [RFC6488].
Ghostbusters记录的内容类型定义为id ct rpkiGhostbusters,其数值为1.2.840.113549.1.9.16.1.35。此OID必须同时出现在encapContentInfo对象中的eContentType以及SignerinInfo对象中的content type signed属性中。见[RFC6488]。
eContent: The content of a Ghostbusters Record is described in Section 5.
eContent:第5节描述了Ghostbusters记录的内容。
Similarly to a ROA, a Ghostbusters Record is verified using an EE certificate issued by the resource-holding CA certificate whose maintainer is described in the vCard.
与ROA类似,Ghostbusters记录使用持有CA证书的资源颁发的EE证书进行验证,其维护者在vCard中有描述。
The EE certificate used to verify the Ghostbusters Record is the one that appears in the CMS data structure that contains the payload defined above.
用于验证Ghostbusters记录的EE证书是出现在CMS数据结构中的证书,其中包含上面定义的有效负载。
This EE certificate MUST describe its Internet Number Resources using the "inherit" attribute, rather than explicit description of a resource set; see [RFC3779].
此EE证书必须使用“继承”属性描述其Internet号码资源,而不是资源集的显式描述;参见[RFC3779]。
The validation procedure defined in Section 3 of [RFC6488] is applied to a Ghostbusters Record. After this procedure has been performed, the Version number type within the payload is checked, and the OCTET STRING containing the vCard data is extracted. These data are checked against the profile defined in Section 5 of this document. Only if all of these checks pass is the Ghostbusters payload deemed valid and made available to the application that requested the payload.
[RFC6488]第3节中定义的验证程序适用于Ghostbusters记录。执行此过程后,检查有效负载内的版本号类型,并提取包含vCard数据的八位字节字符串。根据本文件第5节中定义的配置文件检查这些数据。只有当所有这些检查都通过时,Ghostbusters有效负载才被视为有效,并可供请求有效负载的应用程序使用。
Though there is no on-the-wire protocol in this specification, there are attacks that could abuse the data described. As the data, to be useful, need to be public, little can be done to avoid this exposure.
尽管本规范中没有在线协议,但存在可能滥用所述数据的攻击。由于数据需要公开才有用,因此几乎无法避免这种暴露。
Phone Numbers: The vCards may contain real world telephone numbers, which could be abused for telemarketing, abusive calls, etc.
电话号码:vCard可能包含真实世界的电话号码,这些号码可能被滥用用于电话营销、滥用电话等。
Email Addresses: The vCards may contain Email addresses, which could be abused for purposes of spam.
电子邮件地址:vCard可能包含电子邮件地址,这些地址可能会被滥用,用于垃圾邮件。
Relying parties are hereby warned that the data in a Ghostbusters Record are self-asserted. These data have not been verified by the CA that issued the CA certificate to the entity that issued the EE certificate used to validate the Ghostbusters Record.
特此警告依赖方,Ghostbusters记录中的数据是自我声明的。这些数据尚未由向发布用于验证Ghostbusters记录的EE证书的实体颁发CA证书的CA进行验证。
The IANA has registered the OID for the Ghostbusters Record in the registry created by [RFC6488] as follows:
IANA已在[RFC6488]创建的注册表中注册了Ghostbusters记录的OID,如下所示:
Name OID Specification
-----------------------------------------------------------
Ghostbusters 1.2.840.113549.1.9.16.1.35 [RFC6493]
Name OID Specification
-----------------------------------------------------------
Ghostbusters 1.2.840.113549.1.9.16.1.35 [RFC6493]
Realizing the deep issues raised by [RFC5513], the IANA has added an item for the Ghostbusters Record file extension to the "RPKI Repository Name Scheme" created by [RFC6481] as follows:
认识到[RFC5513]提出的深层次问题,IANA在[RFC6481]创建的“RPKI存储库名称方案”中添加了一项Ghostbusters记录文件扩展名,如下所示:
Filename Extension RPKI Object Reference
-----------------------------------------------------------
.gbr Ghostbusters Record [RFC6493]
Filename Extension RPKI Object Reference
-----------------------------------------------------------
.gbr Ghostbusters Record [RFC6493]
The IANA has registered the media type application/rpki-ghostbusters as follows:
IANA已注册媒体类型应用程序/rpki ghostbusters,如下所示:
Type name: application
Subtype name: rpki-ghostbusters
Required parameters: None
Optional parameters: None
Encoding considerations: binary
Security considerations: Carries an RPKI Ghostbusters Record
[RFC6493].
Interoperability considerations: None
Published specification: This document.
Applications that use this media type: RPKI administrators.
Additional information:
Content: This media type is a signed object, as defined
in [RFC6488], which contains a payload
of a profiled vCard as defined above in this document.
Magic number(s): None
File extension(s): .gbr
Macintosh file type code(s):
Person & email address to contact for further information:
Randy Bush <randy@psg.com>
Intended usage: COMMON
Restrictions on usage: None
Author: Randy Bush <randy@psg.com>
Change controller: Randy Bush <randy@psg.com>
Type name: application
Subtype name: rpki-ghostbusters
Required parameters: None
Optional parameters: None
Encoding considerations: binary
Security considerations: Carries an RPKI Ghostbusters Record
[RFC6493].
Interoperability considerations: None
Published specification: This document.
Applications that use this media type: RPKI administrators.
Additional information:
Content: This media type is a signed object, as defined
in [RFC6488], which contains a payload
of a profiled vCard as defined above in this document.
Magic number(s): None
File extension(s): .gbr
Macintosh file type code(s):
Person & email address to contact for further information:
Randy Bush <randy@psg.com>
Intended usage: COMMON
Restrictions on usage: None
Author: Randy Bush <randy@psg.com>
Change controller: Randy Bush <randy@psg.com>
The author wishes to thank Russ Housley, the authors of [RFC6481], Stephen Kent, Sandy Murphy, Rob Austein, Michael Elkins, and Barry Leiba for their contributions.
作者希望感谢Russ Housley、[RFC6481]的作者Stephen Kent、Sandy Murphy、Rob Austein、Michael Elkins和Barry Leiba的贡献。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, June 2004.
[RFC3779]Lynn,C.,Kent,S.,和K.Seo,“IP地址和AS标识符的X.509扩展”,RFC 3779,2004年6月。
[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350, August 2011.
[RFC6350]Perreault,S.,“vCard格式规范”,RFC 63502011年8月。
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, February 2012.
[RFC6481]Huston,G.,Loomans,R.,和G.Michaelson,“资源证书存储库结构的配置文件”,RFC 64812012年2月。
[RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, February 2012.
[RFC6488]Lepinski,M.,Chi,A.,和S.Kent,“资源公钥基础设施(RPKI)的签名对象模板”,RFC 6488,2012年2月。
[RFC5513] Farrel, A., "IANA Considerations for Three Letter Acronyms", RFC 5513, April 1 2009.
[RFC5513]Farrel,A.,“三字母首字母缩写词的IANA考虑”,RFC5513,2009年4月1日。
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, February 2012.
[RFC6480]Lepinski,M.和S.Kent,“支持安全互联网路由的基础设施”,RFC 6480,2012年2月。
[RFC6484] Kent, S., Kong, D., Seo, K., and R. Watro, "Certificate Policy (CP) for the Resource Public Key Infrastructure (RPKI)"", RFC 6484, February 2012.
[RFC6484]Kent,S.,Kong,D.,Seo,K.,和R.Watro,“资源公钥基础设施(RPKI)的证书政策(CP)”,RFC 64842012年2月。
Author's Address
作者地址
Randy Bush Internet Initiative Japan 5147 Crystal Springs Bainbridge Island, Washington 98110 US
兰迪·布什互联网倡议日本5147水晶泉班布里奇岛,华盛顿98110美国
Phone: +1 206 780 0431 x1
EMail: randy@psg.com
Phone: +1 206 780 0431 x1
EMail: randy@psg.com