Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 8630                                         APNIC
Obsoletes: 7730                                                S. Weiler
Category: Standards Track                                        W3C/MIT
ISSN: 2070-1721                                            G. Michaelson
                                                                   APNIC
                                                                 S. Kent
                                                            Unaffiliated
                                                          T. Bruijnzeels
                                                              NLnet Labs
                                                             August 2019
        
Internet Engineering Task Force (IETF)                         G. Huston
Request for Comments: 8630                                         APNIC
Obsoletes: 7730                                                S. Weiler
Category: Standards Track                                        W3C/MIT
ISSN: 2070-1721                                            G. Michaelson
                                                                   APNIC
                                                                 S. Kent
                                                            Unaffiliated
                                                          T. Bruijnzeels
                                                              NLnet Labs
                                                             August 2019
        

Resource Public Key Infrastructure (RPKI) Trust Anchor Locator

资源公钥基础结构(RPKI)信任锚定位器

Abstract

摘要

This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI). The TAL allows Relying Parties in the RPKI to download the current Trust Anchor (TA) Certification Authority (CA) certificate from one or more locations and verify that the key of this self-signed certificate matches the key on the TAL. Thus, Relying Parties can be configured with TA keys but can allow these TAs to change the content of their CA certificate. In particular, it allows TAs to change the set of IP Address Delegations and/or Autonomous System Identifier Delegations included in the extension(s) (RFC 3779) of their certificate.

本文档为资源公钥基础结构(RPKI)定义了信任锚定位器(TAL)。TAL允许RPKI中的依赖方从一个或多个位置下载当前信任锚(TA)证书颁发机构(CA)证书,并验证此自签名证书的密钥与TAL上的密钥匹配。因此,依赖方可以配置TA密钥,但可以允许这些TA更改其CA证书的内容。特别是,它允许TA更改其证书扩展(RFC 3779)中包含的IP地址委派和/或自治系统标识符委派集。

This document obsoletes the previous definition of the TAL as provided in RFC 7730 by adding support for Uniform Resource Identifiers (URIs) (RFC 3986) that use HTTP over TLS (HTTPS) (RFC 7230) as the scheme.

本文档通过添加对使用HTTP over TLS(HTTPS)(RFC 7230)作为方案的统一资源标识符(URI)(RFC 3986)的支持,废除了先前在RFC 7730中提供的TAL定义。

Status of This Memo

关于下段备忘

This is an Internet Standards Track document.

这是一份互联网标准跟踪文件。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8630.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8630.

Copyright Notice

版权公告

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Changes from RFC 7730 ......................................3
   2. Trust Anchor Locator ............................................3
      2.1. Trust Anchor Locator Motivation ............................3
      2.2. Trust Anchor Locator File Format ...........................4
      2.3. TAL and TA Certificate Considerations ......................4
      2.4. Example ....................................................6
   3. Relying Party Use ...............................................6
   4. URI Scheme Considerations .......................................7
   5. Security Considerations .........................................8
   6. IANA Considerations .............................................8
   7. References ......................................................8
      7.1. Normative References .......................................8
      7.2. Informative References ....................................10
   Acknowledgements ..................................................10
   Authors' Addresses ................................................11
        
   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Changes from RFC 7730 ......................................3
   2. Trust Anchor Locator ............................................3
      2.1. Trust Anchor Locator Motivation ............................3
      2.2. Trust Anchor Locator File Format ...........................4
      2.3. TAL and TA Certificate Considerations ......................4
      2.4. Example ....................................................6
   3. Relying Party Use ...............................................6
   4. URI Scheme Considerations .......................................7
   5. Security Considerations .........................................8
   6. IANA Considerations .............................................8
   7. References ......................................................8
      7.1. Normative References .......................................8
      7.2. Informative References ....................................10
   Acknowledgements ..................................................10
   Authors' Addresses ................................................11
        
1. Introduction
1. 介绍

This document defines a Trust Anchor Locator (TAL) for the Resource Public Key Infrastructure (RPKI) [RFC6480]. This format may be used to distribute Trust Anchor (TA) material using a mix of out-of-band and online means. Procedures used by Relying Parties (RPs) to verify RPKI signed objects SHOULD support this format to facilitate interoperability between creators of TA material and RPs. This document obsoletes [RFC7730] by adding support for Uniform Resource Identifiers (URIs) [RFC3986] that use HTTP over TLS (HTTPS) [RFC7230] as the scheme.

本文档为资源公钥基础结构(RPKI)[RFC6480]定义了信任锚定位器(TAL)。该格式可用于混合使用带外和在线方式分发信任锚(TA)材料。依赖方(RPs)用于验证RPKI签名对象的程序应支持此格式,以促进TA材料创建者和RPs之间的互操作性。本文档通过添加对使用HTTP over TLS(HTTPS)[RFC7230]作为方案的统一资源标识符(URI)[RFC3986]的支持,淘汰了[RFC7730]。

1.1. Terminology
1.1. 术语

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。

1.2. Changes from RFC 7730
1.2. RFC 7730的变更

The TAL format defined in this document differs from the definition in [RFC7730] in that:

本文件中定义的TAL格式与[RFC7730]中的定义的不同之处在于:

o it allows for the use of the HTTPS scheme in URIs [RFC7230], and

o 它允许在URI[RFC7230]中使用HTTPS方案,以及

o it allows for the inclusion of an optional comment section.

o 它允许包含可选的注释部分。

Note that current RPs may not support this new format yet. Therefore, it is RECOMMENDED that a TA operator maintain a TAL file as defined in [RFC7730] for a time as well, until they are satisfied that RP tooling has been updated.

请注意,当前的RPs可能还不支持这种新格式。因此,建议TA操作员也保留[RFC7730]中定义的TAL文件一段时间,直到他们确信RP工具已更新。

2. Trust Anchor Locator
2. 信任锚定位器
2.1. Trust Anchor Locator Motivation
2.1. 信任锚定位动机

This document does not propose a new format for TA material. A TA in the RPKI is represented by a self-signed X.509 Certification Authority (CA) certificate, a format commonly used in PKIs and widely supported by RP software. This document specifies a format for data used to retrieve and verify the authenticity of a TA in a very simple fashion. That data is referred to as the TAL.

本文件并未提出TA材料的新格式。RPKI中的TA由自签名的X.509证书颁发机构(CA)证书表示,该证书是PKI中常用的格式,并得到RP软件的广泛支持。本文档以非常简单的方式指定了用于检索和验证TA真实性的数据格式。该数据称为TAL。

The motivation for defining the TAL is to enable selected data in the TA to change, without needing to redistribute the TA per se.

定义TAL的动机是使TA中的选定数据能够更改,而无需重新分发TA本身。

In the RPKI, certificates contain one or more extensions [RFC3779] that can contain a set of IP Address Delegations and/or Autonomous System Identifier Delegations. In this document, we refer to these delegations as the Internet Number Resources (INRs) contained in an RPKI certificate.

在RPKI中,证书包含一个或多个扩展[RFC3779],这些扩展可以包含一组IP地址委托和/或自治系统标识符委托。在本文件中,我们将这些授权称为RPKI证书中包含的互联网号码资源(INRs)。

The set of INRs associated with an entity acting as a TA is likely to change over time. Thus, if one were to use the common PKI convention of distributing a TA to RPs in a secure fashion, then this procedure would need to be repeated whenever the INR set for the entity acting as a TA changed. By distributing the TAL (in a secure fashion)

与充当TA的实体相关的INR集可能会随着时间的推移而变化。因此,如果要使用以安全方式将TA分发给RPs的公共PKI约定,则每当充当TA的实体的INR设置发生变化时,都需要重复此过程。通过分发TAL(以安全的方式)

instead of distributing the TA, this problem is avoided, i.e., the TAL is constant so long as the TA's public key and its location do not change.

不分发TA,而是避免了这个问题,即只要TA的公钥及其位置不变,TAL就保持不变。

The TAL is analogous to the TrustAnchorInfo data structure specified in [RFC5914], which is on the Standards Track. That specification could be used to represent the TAL, if one defined an rsync or HTTPS URI extension for that data structure. However, the TAL format was adopted by RPKI implementors prior to the PKIX TA work, and the RPKI implementor community has elected to utilize the TAL format rather than define the requisite extension. The community also prefers the simplicity of the ASCII encoding of the TAL, versus the binary (ASN.1) encoding for TrustAnchorInfo.

TAL类似于[RFC5914]中规定的TrustAnchorInfo数据结构,该数据结构处于标准轨道上。如果为该数据结构定义了rsync或HTTPS-URI扩展,则该规范可用于表示TAL。然而,在PKIX TA工作之前,RPKI实现者采用了TAL格式,RPKI实现者社区选择使用TAL格式,而不是定义必要的扩展。社区还更喜欢TAL的ASCII编码的简单性,而不是TrustAnchorInfo的二进制(ASN.1)编码。

2.2. Trust Anchor Locator File Format
2.2. 信任锚点定位器文件格式

In this document, we define a TA URI as a URI that can be used to retrieve a current TA certificate. This URI MUST be either an rsync URI [RFC5781] or an HTTPS URI [RFC7230].

在本文档中,我们将TA URI定义为可用于检索当前TA证书的URI。此URI必须是rsync URI[RFC5781]或HTTPS URI[RFC7230]。

The TAL is an ordered sequence of:

TAL是以下各项的有序序列:

1. an optional comment section consisting of one or more lines each starting with the "#" character, followed by human-readable informational UTF-8 text, conforming to the restrictions defined in Section 2 of [RFC5198], and ending with a line break,

1. 可选注释部分,由一行或多行组成,每行以“#”字符开头,后跟人类可读的信息性UTF-8文本,符合[RFC5198]第2节中定义的限制,并以换行符结尾,

2. a URI section that is comprised of one or more ordered lines, each containing a TA URI, and ending with a line break,

2. 由一个或多个有序行组成的URI部分,每个有序行包含一个TA URI,并以换行符结尾,

3. a line break, and

3. 换行,然后

4. a subjectPublicKeyInfo [RFC5280] in DER format [X.509], encoded in base64 (see Section 4 of [RFC4648]). To avoid long lines, line breaks MAY be inserted into the base64-encoded string.

4. DER格式[X.509]的subjectPublicKeyInfo[RFC5280],以base64编码(见[RFC4648]第4节)。为了避免长行,可以将换行符插入base64编码的字符串中。

Note that line breaks in this file can use either "<CRLF>" or "<LF>".

请注意,此文件中的换行符可以使用“<CRLF>”或“<LF>”。

2.3. TAL and TA Certificate Considerations
2.3. TAL和TA证书注意事项

Each TA URI in the TAL MUST reference a single object. It MUST NOT reference a directory or any other form of collection of objects. The referenced object MUST be a self-signed CA certificate that conforms to the RPKI certificate profile [RFC6487]. This certificate is the TA in certification path discovery [RFC4158] and validation [RFC5280] [RFC3779].

TAL中的每个TA URI必须引用单个对象。它不能引用目录或任何其他形式的对象集合。引用的对象必须是符合RPKI证书配置文件[RFC6487]的自签名CA证书。此证书是证书路径发现[RFC4158]和验证[RFC5280][RFC3779]中的TA。

The validity interval of this TA is chosen such that (1) the "notBefore" time predates the moment that this certificate is published and (2) the "notAfter" time is after the planned time of reissuance of this certificate.

选择本TA的有效期间隔时,应确保(1)“notBefore”时间早于本证书发布的时间,(2)“notAfter”时间晚于本证书重新颁发的计划时间。

The INR extension(s) of this TA MUST contain a non-empty set of number resources. It MUST NOT use the "inherit" form of the INR extension(s). The INR set described in this certificate is the set of number resources for which the issuing entity is offering itself as a putative TA in the RPKI [RFC6480].

此TA的INR扩展必须包含一组非空的数字资源。不得使用INR扩展的“继承”形式。本证书中所述的INR集合是一组数字资源,发行实体在RPKI[RFC6480]中将其自身作为假定TA提供。

The public key used to verify the TA MUST be the same as the subjectPublicKeyInfo in the CA certificate and in the TAL.

用于验证TA的公钥必须与CA证书和TAL中的subjectPublicKeyInfo相同。

The TA MUST contain a stable key that does not change when the certificate is reissued due to changes in the INR extension(s), when the certificate is renewed prior to expiration.

TA必须包含一个稳定的密钥,该密钥在证书到期前续订时,不会因INR扩展的更改而在重新颁发证书时发生更改。

Because the public key in the TAL and the TA MUST be stable, this motivates operation of that CA in an offline mode. In that case, a subordinate CA certificate containing the same INRs, or, in theory, any subset of INRs, can be issued for online operations. This allows the entity that issues the TA to keep the corresponding private key of this certificate offline, while issuing all relevant child certificates under the immediate subordinate CA. This measure also allows the Certificate Revocation List (CRL) issued by that entity to be used to revoke the subordinate CA certificate in the event of suspected key compromise of this online operational key pair that is potentially more vulnerable.

因为TAL和TA中的公钥必须是稳定的,这会促使CA在脱机模式下运行。在这种情况下,可以为在线操作颁发包含相同INR的从属CA证书,或者理论上是INR的任何子集。这允许颁发TA的实体保持此证书的相应私钥脱机,同时颁发直接下级CA下的所有相关子证书。此措施还允许证书吊销列表(CRL)由该实体颁发,用于在该在线操作密钥对可能更易受攻击的可疑密钥泄露事件中撤销从属CA证书。

The TA MUST be published at a stable URI. When the TA is reissued for any reason, the replacement CA certificate MUST be accessible using the same URI.

TA必须以稳定的URI发布。当TA因任何原因重新发布时,必须使用相同的URI访问替换CA证书。

Because the TA is a self-signed certificate, there is no corresponding CRL that can be used to revoke it, nor is there a manifest [RFC6486] that lists this certificate.

由于TA是自签名证书,因此没有相应的CRL可用于撤销它,也没有列出此证书的清单[RFC6486]。

If an entity wishes to withdraw a self-signed CA certificate as a putative TA, for any reason, including key rollover, the entity MUST remove the object from the location referenced in the TAL.

如果实体出于任何原因(包括密钥翻转)希望撤回自签名CA证书作为假定TA,则该实体必须从TAL中引用的位置移除该对象。

Where the TAL contains two or more TA URIs, the same self-signed CA certificate MUST be found at each referenced location. In order to increase operational resilience, it is RECOMMENDED that (1) the domain name parts of each of these URIs resolve to distinct

如果TAL包含两个或多个TA URI,则必须在每个引用位置找到相同的自签名CA证书。为了提高操作弹性,建议(1)每个URI的域名部分解析为不同的

IP addresses that are used by a diverse set of repository publication points and (2) these IP addresses be included in distinct Route Origin Authorization (ROA) objects signed by different CAs.

由一组不同的存储库发布点使用的IP地址,以及(2)这些IP地址包含在由不同CA签名的不同路由源授权(ROA)对象中。

2.4. Example
2.4. 实例
         # This TAL is intended for documentation purposes only.
         # Do not attempt to use this in a production setting.
         rsync://rpki.example.org/rpki/hedgehog/root.cer
         https://rpki.example.org/rpki/hedgehog/root.cer
        
         # This TAL is intended for documentation purposes only.
         # Do not attempt to use this in a production setting.
         rsync://rpki.example.org/rpki/hedgehog/root.cer
         https://rpki.example.org/rpki/hedgehog/root.cer
        
         MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
         GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
         Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
         nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
         BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
         ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
         aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
        
         MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovWQL2lh6knDx
         GUG5hbtCXvvh4AOzjhDkSHlj22gn/1oiM9IeDATIwP44vhQ6L/xvuk7W6
         Kfa5ygmqQ+xOZOwTWPcrUbqaQyPNxokuivzyvqVZVDecOEqs78q58mSp9
         nbtxmLRW7B67SJCBSzfa5XpVyXYEgYAjkk3fpmefU+AcxtxvvHB5OVPIa
         BfPcs80ICMgHQX+fphvute9XLxjfJKJWkhZqZ0v7pZm2uhkcPx1PMGcrG
         ee0WSDC3fr3erLueagpiLsFjwwpX6F+Ms8vqz45H+DKmYKvPSstZjCCq9
         aJ0qANT9OtnfSDOS+aLRPjZryCNyvvBHxZXqj5YCGKtwIDAQAB
        
3. Relying Party Use
3. 依赖方使用

In order to use the TAL to retrieve and validate a (putative) TA, an RP SHOULD:

为了使用TAL检索和验证(假定)TA,RP应:

1. Retrieve the object referenced by (one of) the TA URI(s) contained in the TAL.

1. 检索TAL中包含的(其中一个)TA URI引用的对象。

2. Confirm that the retrieved object is a current, self-signed RPKI CA certificate that conforms to the profile as specified in [RFC6487].

2. 确认检索到的对象是符合[RFC6487]中指定的配置文件的当前自签名RPKI CA证书。

3. Confirm that the public key in the TAL matches the public key in the retrieved object.

3. 确认TAL中的公钥与检索到的对象中的公钥匹配。

4. Perform other checks, as deemed appropriate (locally), to ensure that the RP is willing to accept the entity publishing this self-signed CA certificate to be a TA. These tests apply to the validity of attestations made in the context of the RPKI relating to all resources described in the INR extension(s) of this certificate.

4. 执行其他适当的检查(本地),以确保RP愿意接受发布此自签名CA证书的实体为TA。这些测试适用于与本证书INR扩展部分中描述的所有资源相关的RPKI上下文中所做证明的有效性。

An RP SHOULD perform these functions for each instance of a TAL that it is holding for this purpose every time the RP performs a resynchronization across the local repository cache. In any case, an RP also SHOULD perform these functions prior to the expiration of the locally cached copy of the retrieved TA referenced by the TAL.

每次RP跨本地存储库缓存执行重新同步时,RP都应为此目的对其持有的TAL的每个实例执行这些功能。在任何情况下,RP也应该在TAL引用的检索到的TA的本地缓存副本过期之前执行这些功能。

In the case where a TAL contains multiple TA URIs, an RP MAY use a locally defined preference rule to select the URI to retrieve the self-signed RPKI CA certificate that is to be used as a TA. Some examples are:

在TAL包含多个TA URI的情况下,RP可以使用本地定义的首选项规则来选择URI以检索要用作TA的自签名RPKI CA证书。例如:

o Using the order provided in the TAL

o 使用TAL中提供的顺序

o Selecting the TA URI randomly from the available list

o 从可用列表中随机选择TA URI

o Creating a prioritized list of URIs based on RP-specific parameters, such as connection establishment delay

o 基于RP特定参数(如连接建立延迟)创建URI的优先级列表

If the connection to the preferred URI fails or the retrieved CA certificate public key does not match the TAL public key, the RP SHOULD retrieve the CA certificate from the next URI, according to the local preference ranking of URIs.

如果与首选URI的连接失败,或者检索到的CA证书公钥与TAL公钥不匹配,RP应根据URI的本地首选项排序从下一个URI检索CA证书。

4. URI Scheme Considerations
4. URI方案注意事项

Please note that the RSYNC protocol provides neither transport security nor any means by which the RP can validate that they are connected to the proper host. Therefore, it is RECOMMENDED that HTTPS be used as the preferred scheme.

请注意,RSYNC协议既不提供传输安全性,也不提供RP验证其是否连接到正确主机的任何方法。因此,建议使用HTTPS作为首选方案。

Note that, although a Man in the Middle (MITM) cannot produce a CA certificate that would be considered valid according to the process described in Section 3, this type of attack can prevent the RP from learning about an updated CA certificate.

注意,虽然中间人(MITM)不能产生根据第3节中描述的过程被认为有效的CA证书,但是这种类型的攻击可以防止RP学习到更新的CA证书。

RPs MUST do TLS certificate and host name validation when they fetch a CA certificate using an HTTPS URI on a TAL. RPs SHOULD log any TLS certificate or host name validation issues found so that an operator can investigate the cause.

RPs在TAL上使用HTTPS URI获取CA证书时,必须执行TLS证书和主机名验证。RPs应记录发现的任何TLS证书或主机名验证问题,以便操作员调查原因。

It is RECOMMENDED that RPs and Repository Servers follow the Best Current Practices outlined in [RFC7525] on the use of HTTPS [RFC7230]. RPs SHOULD do TLS certificate and host name validation using subjectAltName dNSName identities as described in [RFC6125]. The rules and guidelines defined in [RFC6125] apply here, with the following considerations:

建议RPs和存储库服务器在使用HTTPS[RFC7230]时遵循[RFC7525]中概述的当前最佳实践。RPs应使用[RFC6125]中所述的subjectAltName dNSName标识进行TLS证书和主机名验证。[RFC6125]中定义的规则和指南适用于此处,并考虑以下因素:

o RPs and Repository Servers SHOULD support the DNS-ID identifier type. The DNS-ID identifier type SHOULD be present in Repository Server certificates.

o RPs和存储库服务器应支持DNS-ID标识符类型。DNS-ID标识符类型应存在于存储库服务器证书中。

o DNS names in Repository Server certificates SHOULD NOT contain the wildcard character "*".

o 存储库服务器证书中的DNS名称不应包含通配符“*”。

o This protocol does not require the use of SRV-IDs.

o 此协议不需要使用SRV ID。

o This protocol does not require the use of URI-IDs.

o 此协议不需要使用URI ID。

5. Security Considerations
5. 安全考虑

Compromise of a TA private key permits unauthorized parties to masquerade as a TA, with potentially severe consequences. Reliance on an inappropriate or incorrect TA has similar potentially severe consequences.

TA私钥的泄露允许未经授权的各方伪装成TA,并可能造成严重后果。依赖不适当或不正确的TA会产生类似的潜在严重后果。

This TAL does not directly provide a list of resources covered by the referenced self-signed CA certificate. Instead, the RP is referred to the TA itself and the INR extension(s) within this certificate. This provides necessary operational flexibility, but it also allows the certificate issuer to claim to be authoritative for any resource. RPs should either (1) have great confidence in the issuers of such certificates that they are configuring as TAs or (2) issue their own self-signed certificate as a TA and, in doing so, impose constraints on the subordinate certificates.

此TAL不直接提供引用的自签名CA证书所涵盖的资源列表。相反,RP指的是TA本身和本证书中的INR扩展。这提供了必要的操作灵活性,但也允许证书颁发者声明对任何资源具有权威性。RPs应(1)对其配置为TA的此类证书的颁发者非常信任,或(2)将其自己的自签名证书作为TA颁发,并在这样做时对下级证书施加约束。

6. IANA Considerations
6. IANA考虑

This document has no IANA actions.

本文档没有IANA操作。

7. References
7. 工具书类
7.1. Normative References
7.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.

[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, DOI 10.17487/RFC3779, June 2004, <https://www.rfc-editor.org/info/rfc3779>.

[RFC3779]Lynn,C.,Kent,S.,和K.Seo,“IP地址和AS标识符的X.509扩展”,RFC 3779,DOI 10.17487/RFC3779,2004年6月<https://www.rfc-editor.org/info/rfc3779>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>.

[RFC3986]Berners Lee,T.,Fielding,R.,和L.Masinter,“统一资源标识符(URI):通用语法”,STD 66,RFC 3986,DOI 10.17487/RFC3986,2005年1月<https://www.rfc-editor.org/info/rfc3986>.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, <https://www.rfc-editor.org/info/rfc4648>.

[RFC4648]Josefsson,S.,“Base16、Base32和Base64数据编码”,RFC 4648,DOI 10.17487/RFC4648,2006年10月<https://www.rfc-editor.org/info/rfc4648>.

[RFC5198] Klensin, J. and M. Padlipsky, "Unicode Format for Network Interchange", RFC 5198, DOI 10.17487/RFC5198, March 2008, <https://www.rfc-editor.org/info/rfc5198>.

[RFC5198]Klensin,J.和M.Padlipsky,“网络交换的Unicode格式”,RFC 5198,DOI 10.17487/RFC5198,2008年3月<https://www.rfc-editor.org/info/rfc5198>.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.

[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 5280,DOI 10.17487/RFC5280,2008年5月<https://www.rfc-editor.org/info/rfc5280>.

[RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010, <https://www.rfc-editor.org/info/rfc5781>.

[RFC5781]Weiler,S.,Ward,D.,和R.Housley,“rsync URI方案”,RFC 5781,DOI 10.17487/RFC5781,2010年2月<https://www.rfc-editor.org/info/rfc5781>.

[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2011, <https://www.rfc-editor.org/info/rfc6125>.

[RFC6125]Saint Andre,P.和J.Hodges,“在传输层安全(TLS)环境下使用X.509(PKIX)证书在互联网公钥基础设施内表示和验证基于域的应用程序服务身份”,RFC 6125,DOI 10.17487/RFC6125,2011年3月<https://www.rfc-editor.org/info/rfc6125>.

[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480, February 2012, <https://www.rfc-editor.org/info/rfc6480>.

[RFC6480]Lepinski,M.和S.Kent,“支持安全互联网路由的基础设施”,RFC 6480,DOI 10.17487/RFC6480,2012年2月<https://www.rfc-editor.org/info/rfc6480>.

[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, <https://www.rfc-editor.org/info/rfc6487>.

[RFC6487]Huston,G.,Michaelson,G.,和R.Loomans,“X.509 PKIX资源证书的配置文件”,RFC 6487,DOI 10.17487/RFC6487,2012年2月<https://www.rfc-editor.org/info/rfc6487>.

[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <https://www.rfc-editor.org/info/rfc7230>.

[RFC7230]Fielding,R.,Ed.和J.Reschke,Ed.,“超文本传输协议(HTTP/1.1):消息语法和路由”,RFC 7230,DOI 10.17487/RFC7230,2014年6月<https://www.rfc-editor.org/info/rfc7230>.

[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015, <https://www.rfc-editor.org/info/rfc7525>.

[RFC7525]Sheffer,Y.,Holz,R.,和P.Saint Andre,“安全使用传输层安全性(TLS)和数据报传输层安全性(DTLS)的建议”,BCP 195,RFC 7525,DOI 10.17487/RFC7525,2015年5月<https://www.rfc-editor.org/info/rfc7525>.

[RFC7730] Huston, G., Weiler, S., Michaelson, G., and S. Kent, "Resource Public Key Infrastructure (RPKI) Trust Anchor Locator", RFC 7730, DOI 10.17487/RFC7730, January 2016, <https://www.rfc-editor.org/info/rfc7730>.

[RFC7730]Huston,G.,Weiler,S.,Michaelson,G.,和S.Kent,“资源公钥基础设施(RPKI)信任锚定位器”,RFC 7730,DOI 10.17487/RFC7730,2016年1月<https://www.rfc-editor.org/info/rfc7730>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.

[X.509] ITU-T, "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks", ITU-T Recommendation X.509, October 2016, <https://www.itu.int/rec/T-REC-X.509>.

[X.509]ITU-T,“信息技术-开放系统互连-目录:公钥和属性证书框架”,ITU-T建议X.509,2016年10月<https://www.itu.int/rec/T-REC-X.509>.

7.2. Informative References
7.2. 资料性引用

[RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. Nicholas, "Internet X.509 Public Key Infrastructure: Certification Path Building", RFC 4158, DOI 10.17487/RFC4158, September 2005, <https://www.rfc-editor.org/info/rfc4158>.

[RFC4158]Cooper,M.,Dzambasow,Y.,Hesse,P.,Joseph,S.,和R.Nicholas,“互联网X.509公钥基础设施:认证路径构建”,RFC 4158,DOI 10.17487/RFC4158,2005年9月<https://www.rfc-editor.org/info/rfc4158>.

[RFC5914] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Format", RFC 5914, DOI 10.17487/RFC5914, June 2010, <https://www.rfc-editor.org/info/rfc5914>.

[RFC5914]Housley,R.,Ashmore,S.,和C.Wallace,“信任锚格式”,RFC 5914,DOI 10.17487/RFC59142010年6月<https://www.rfc-editor.org/info/rfc5914>.

[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, <https://www.rfc-editor.org/info/rfc6486>.

[RFC6486]Austein,R.,Huston,G.,Kent,S.,和M.Lepinski,“资源公钥基础设施(RPKI)清单”,RFC 6486,DOI 10.17487/RFC6486,2012年2月<https://www.rfc-editor.org/info/rfc6486>.

Acknowledgements

致谢

This approach to TA material was originally described by Robert Kisteleki.

这种TA材料的方法最初由Robert Kisteleki描述。

The authors acknowledge the contributions of Rob Austein and Randy Bush, who assisted with drafting this document and with helpful review comments.

作者感谢Rob Austein和Randy Bush的贡献,他们协助起草了本文件并提出了有益的评论意见。

The authors acknowledge the work of Roque Gagliano, Terry Manderson, and Carlos Martinez-Cagnazzo in developing the ideas behind the inclusion of multiple URIs in the TAL.

作者们感谢罗克·加利亚诺、特里·曼德森和卡洛斯·马丁内斯·卡格纳佐在开发TAL中包含多个URI背后的想法方面所做的工作。

The authors acknowledge Job Snijders for suggesting the inclusion of comments at the start of the TAL.

作者感谢Job Snijders建议在TAL开始时加入评论。

Authors' Addresses

作者地址

Geoff Huston APNIC

杰夫·休斯顿呼吸暂停

   Email: gih@apnic.net
   URI:   https://www.apnic.net
        
   Email: gih@apnic.net
   URI:   https://www.apnic.net
        

Samuel Weiler W3C/MIT

塞缪尔·韦勒W3C/MIT

   Email: weiler@csail.mit.edu
        
   Email: weiler@csail.mit.edu
        

George Michaelson APNIC

乔治·迈克尔森呼吸暂停综合征

   Email: ggm@apnic.net
   URI:   https://www.apnic.net
        
   Email: ggm@apnic.net
   URI:   https://www.apnic.net
        

Stephen Kent Unaffiliated

斯蒂芬·肯特无关联

   Email: kent@alum.mit.edu
        
   Email: kent@alum.mit.edu
        

Tim Bruijnzeels NLnet Labs

Tim Bruijnzeels NLnet实验室

   Email: tim@nlnetlabs.nl
   URI:   https://www.nlnetlabs.nl
        
   Email: tim@nlnetlabs.nl
   URI:   https://www.nlnetlabs.nl