    Deploy360 14 September 2016

    RFC 7935: Algorithm & Key Size Specifications for RPKI

By Kevin Meynell, Senior Manager, Technical and Operational Engagement

Last week saw the publication of RFC 7935, which specifies the algorithms, algorithm parameters, asymmetric key formats, asymmetric key size, and signature format used by the Resource Public Key Infrastructure (RPKI). It should be read by RPKI subscribers generating digital signatures for certificates, Certificate Revocation Lists (CRLs), Cryptographic Message Syntax (CMS) signed objects and certification requests, as well as by Relying Parties (RPs) who need to verify those digital signatures.

    This RFC updates the key sizes and signature and hash algorithms specified in RFC 6485 in order to maintain an acceptable level of cryptographic security. It also updates the Object Identifier (OID) specification to follow current operational practice instead of requiring compliance with the earlier RFC.
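The two things the post says RFC 7935 changes, the key size and the algorithm identifier, are exactly what a relying party or CA operator would want to check on a key before trusting or issuing with it. The following is an added example, not code from the Internet Society post or from any RIR or RPKI validator; it uses only the Python standard library. It assumes the profile values stated in RFC 7935 itself (RSA with a 2048-bit modulus and public exponent 65537, and the rsaEncryption identifier in SubjectPublicKeyInfo, where RFC 6485 had required sha256WithRSAEncryption), builds a DER SubjectPublicKeyInfo from a constructed modulus that is not a real key, and then parses it back and reports every deviation from the profile.

```python
"""
Check an RPKI subject public key against the RFC 7935 profile.

Added example, pure standard library. Assumed profile values (from RFC 7935):
  - RSA modulus of exactly 2048 bits, public exponent 65537
  - SubjectPublicKeyInfo algorithm identifier = rsaEncryption
    (RFC 6485 had required sha256WithRSAEncryption there; RFC 7935 changed
    this to match operational practice)
The sample moduli below are constructed numbers, not real keys.
"""

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"     # rsaEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
REQUIRED_MODULUS_BITS = 2048
REQUIRED_EXPONENT = 65537


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length/value triple (definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian, leading 0x00 if top bit set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted notation (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def build_spki(modulus: int, exponent: int, alg_oid: str) -> bytes:
    """SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    alg_id = der_tlv(0x30, der_oid(alg_oid) + b"\x05\x00")          # OID + NULL parameters
    rsa_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))  # 0 unused bits


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end_offset) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:end], end


def decode_oid(content: bytes) -> str:
    """Dotted OID from DER content (first-arc split is fine for the iso/member-body arcs used here)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def check_rpki_spki(spki: bytes) -> list:
    """Return RFC 7935 profile violations for a DER SubjectPublicKeyInfo; [] means it conforms."""
    findings = []
    tag, outer, _ = parse_tlv(spki)
    if tag != 0x30:
        return ["SubjectPublicKeyInfo is not a SEQUENCE"]
    _, alg_id, pos = parse_tlv(outer)
    _, oid_bytes, _ = parse_tlv(alg_id)
    oid = decode_oid(oid_bytes)
    if oid == SHA256_WITH_RSA:
        findings.append("algorithm identifier is sha256WithRSAEncryption (RFC 6485 form); "
                        "RFC 7935 requires rsaEncryption")
    elif oid != RSA_ENCRYPTION:
        return findings + [f"algorithm identifier {oid} is not rsaEncryption"]  # not an RSA key
    tag, bitstr, _ = parse_tlv(outer, pos)
    if tag != 0x03 or bitstr[0] != 0:
        return findings + ["subjectPublicKey is not a BIT STRING with zero unused bits"]
    _, rsa_key, _ = parse_tlv(bitstr[1:])
    _, n_bytes, pos = parse_tlv(rsa_key)
    _, e_bytes, _ = parse_tlv(rsa_key, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n.bit_length() != REQUIRED_MODULUS_BITS:
        findings.append(f"modulus is {n.bit_length()} bits; RFC 7935 requires {REQUIRED_MODULUS_BITS}")
    if e != REQUIRED_EXPONENT:
        findings.append(f"public exponent is {e}; RFC 7935 requires {REQUIRED_EXPONENT}")
    return findings


# Constructed sample values (NOT real keys): numbers with the sizes under test.
GOOD_MODULUS = (1 << 2047) | 0x10001    # 2048-bit odd number
SHORT_MODULUS = (1 << 1023) | 0x10001   # 1024-bit odd number


def demo() -> dict:
    """Run the checker over a conforming key and three non-conforming ones."""
    return {
        "conforming": check_rpki_spki(build_spki(GOOD_MODULUS, 65537, RSA_ENCRYPTION)),
        "short_key": check_rpki_spki(build_spki(SHORT_MODULUS, 65537, RSA_ENCRYPTION)),
        "legacy_oid": check_rpki_spki(build_spki(GOOD_MODULUS, 65537, SHA256_WITH_RSA)),
        "bad_exponent": check_rpki_spki(build_spki(GOOD_MODULUS, 3, RSA_ENCRYPTION)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'conforms to RFC 7935'}")
```

The legacy-OID case is reported as a finding rather than a parse failure on purpose: the RFC 6485 encoding was valid at the time, so a validator that merely logs it lets an operator find keys issued under the older profile without refusing to read them.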

    RPKI is a specialised PKI that aims to improve the security of the Internet routing system, specifically the Border Gateway Protocol (BGP). It does this through the issuing of X.509-based resource certificates to holders of IP addresses and AS numbers in order to prove assignment of these resources. These certificates are issued to Local Internet Registries (LIRs) by one of the five Regional Internet Registries (RIRs) – AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC – who have responsibility for allocation and assignment of these resources in their service regions.

Each RIR acts as a Certificate Authority (CA) and trust anchor for the resources assigned within its service region, and is responsible for issuing a CRL. CRLs are usually generated at defined intervals, and publish a list of the X.509 resource certificates that have been revoked before their normal expiry date. RPKI signed objects make use of CMS as a standard encapsulation format, as specified in RFC 6488.

    Normally we’d point you to our Start Here page for more information, but we’re actually looking for contributors who’d be interested in writing a good overview of RPKI for us. If you can help, please get in touch.

In the meantime, please follow the links above to the RPKI information on the RIR websites.


    Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
