rfc9829v1.txt | rfc9829.txt | |||
---|---|---|---|---|
skipping to change at line 145 | skipping to change at line 145 | |||
status of a given resource certificate. It is the unique CRL object | status of a given resource certificate. It is the unique CRL object | |||
that is simultaneously: | that is simultaneously: | |||
* the target of the certificate's CRL Distribution Points extension, | * the target of the certificate's CRL Distribution Points extension, | |||
and | and | |||
* listed in the issuing CA's current Manifest fileList and has a | * listed in the issuing CA's current Manifest fileList and has a | |||
matching hash (see Section 4.2.1 of [RFC9286]). | matching hash (see Section 4.2.1 of [RFC9286]). | |||
In particular, a resource certificate cannot be validated without | In particular, a resource certificate cannot be validated without | |||
recourse to the current Manifest of the certificate's issuer. | consulting the current Manifest of the certificate's issuer. | |||
3. Updates to RFC 6487 | 3. Updates to RFC 6487 | |||
3.1. Updates to Section 5 | 3.1. Updates to Section 5 | |||
This section updates Section 5 of [RFC6487] as follows: | This section updates Section 5 of [RFC6487] as follows: | |||
* First change: | * First change: | |||
OLD | OLD | |||
skipping to change at line 188 | skipping to change at line 188 | |||
NEW | NEW | |||
| An RPKI CA MUST include exactly two extensions in every CRL | | An RPKI CA MUST include exactly two extensions in every CRL | |||
| that it issues: an Authority Key Identifier (AKI) and a CRL | | that it issues: an Authority Key Identifier (AKI) and a CRL | |||
| Number. No other CRL extensions are allowed. | | Number. No other CRL extensions are allowed. | |||
| | | | |||
| - RPs MUST process the AKI extension. | | - RPs MUST process the AKI extension. | |||
| | | | |||
| - RPs MUST ignore the CRL Number extension except for checking | | - RPs MUST ignore the CRL Number extension except for checking | |||
| that it is marked as non-critical and contains a non- | | that it is marked as non-critical and contains a non- | |||
| negative integer less than or equal to 2^(159-1). | | negative integer less than or equal to 2^159-1. | |||
3.2. Update to Section 7.2 | 3.2. Update to Section 7.2 | |||
This section updates Section 7.2 of [RFC6487] as follows: | This section updates Section 7.2 of [RFC6487] as follows: | |||
OLD | OLD | |||
| 5. The issuer has not revoked the certificate. A revoked | | 5. The issuer has not revoked the certificate. A revoked | |||
| certificate is identified by the certificate's serial number | | certificate is identified by the certificate's serial number | |||
| being listed on the issuer's current CRL, as identified by the | | being listed on the issuer's current CRL, as identified by the | |||
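Review bot: the corrected bound 2^159-1 in the last line of the NEW text is the right one, and the old 2^(159-1) (which reads as 2^158) was a genuine error: [RFC5280] limits CRLNumber to 20 octets, and a non-negative DER INTEGER of 20 octets has its top bit clear, so its maximum value is 2^159-1. Since RPs are told to check this value, consider stating the check in encoding terms as well, e.g. "encoded as a DER INTEGER of at most 20 octets", which is what an implementation actually tests and avoids any further off-by-one reading of the exponent.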
skipping to change at line 215 | skipping to change at line 215 | |||
| 5. The issuer has not revoked the certificate. A revoked | | 5. The issuer has not revoked the certificate. A revoked | |||
| certificate is identified by the certificate's serial number | | certificate is identified by the certificate's serial number | |||
| being listed on the issuer's current CRL, as identified by the | | being listed on the issuer's current CRL, as identified by the | |||
| issuer's current Manifest and the CRLDP of the certificate. | | issuer's current Manifest and the CRLDP of the certificate. | |||
| The CRL is itself valid and the public key used to verify the | | The CRL is itself valid and the public key used to verify the | |||
| signature on the CRL is the same public key used to verify the | | signature on the CRL is the same public key used to verify the | |||
| certificate itself. | | certificate itself. | |||
4. Operational Considerations | 4. Operational Considerations | |||
This document has no additional operational considerations compared | This document has no additional operational considerations beyond | |||
to Section 9 of [RFC6487]. | those described in Section 9 of [RFC6487]. | |||
5. Security Considerations | 5. Security Considerations | |||
The Security Considerations of [RFC3779], [RFC5280], and [RFC6487] | The Security Considerations of [RFC3779], [RFC5280], and [RFC6487] | |||
apply to Resource Certificates and CRLs. | apply to Resource Certificates and CRLs. | |||
This document explicates that, in the RPKI, the CRL listed on the | This document explicates that, in the RPKI, the CRL listed on the | |||
certificate issuer's current Manifest is the one relevant and | certificate issuer's current Manifest is the one relevant and | |||
appropriate for determining the revocation status of a resource | appropriate for determining the revocation status of a resource | |||
certificate. By way of the hash in the manifest's fileList this | certificate. The hash in the manifest's FileList provides a | |||
provides a cryptographic guarantee on the Certification Authority's | cryptographic guarantee on the Certification Authority's intent that | |||
intent that this is the most recent CRL and removes possible replay | this is the most recent CRL and removes possible replay vectors. | |||
vectors. | ||||
6. IANA Considerations | 6. IANA Considerations | |||
This document has no IANA actions. | This document has no IANA actions. | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
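Review bot: the rewritten Security Considerations sentence introduces "manifest's FileList", which does not match the "Manifest fileList" wording used earlier in the Section 2 bullet (where fileList is the field name referenced via Section 4.2.1 of [RFC9286]); suggest "Manifest's fileList" so the field is spelled one way throughout. The claim that the hash "removes possible replay vectors" also rests on the RP having correctly identified the issuer's current Manifest, so a pointer to the Manifest validation rules in [RFC9286] next to that sentence would make the dependency explicit.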
End of changes. 4 change blocks.
8 lines changed or deleted, 7 lines changed or added
This html diff was produced by rfcdiff 1.48.