Resource Certificate Provisioning Protocol Geoff Huston IETF 70

Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007

Problem Statement n How to automate the process of certificate issuance such that the issued certificate accurately tracks the current resource allocation status n Avoid situations where n n the issued certificate “overclaims” resources The issued certificate “underclaims” resources

Scenario Certificate Issuer Issues Resource Certificates Certificate Subject Internet Registry Allocates / Assigns Addresses Resource Holder

Scenario Certificate Issuer Issues Resource Certificate Provisioning Protocol Certificate Subject Internet Registry Allocates / Assigns Addresses Resource Holder

Protocol Characteristics n Client Simple Client / Server protocol using a request / response interaction over a secure reliable channel HTTPS POST Server HTTPS RESPONSE

Protocol Payload n Cryptographic Message Syntax (CMS) n Signed. Data object type n n n Include Signing Time in the CMS wrapper Include CMS signing cert in the CMS wrapper XML Data Objects n Carried as CMS payload

XML Message Structure [payload]

Messages n n n Query Issue Revoke

Query Message n Request: n Response: n type=“list” List of Resource “classes” n n List of allocated / assigned Number Resources within this class Issued certificate(s) for this class

Issue Message n Request: n n type=“issue” Payload: Resource “class” name PKCS#10 Certificate Request Response: n Payload: Issued certificate

Revoke Message n Request: n n type=“revoke” Payload: Resource “class” name Subject’s public key Response: n Payload: confirmation of revocation

Error Responses n Error status returned when the request could not be performed

Protocol Specification n Current (unsubmitted) draft is: http: //www. potaroo. net/drafts/draft-ietf-sidr-rescertsprovisioning-00. html

Next Steps n Adoption of the specification of this provisioning protocol as a SIDR WG Document?