Diffstat (limited to 'docs')
-rw-r--r-- | docs/signed-manifests | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/docs/signed-manifests b/docs/signed-manifests index f1815cca..c49bfcf1 100644 --- a/docs/signed-manifests +++ b/docs/signed-manifests 
@@ -20,17 +20,36 @@ ;;; RPKI repositories can contain objects not covered by CRLs (eg, ;;; ROAs), and we may well decide just to sign the manifest with CMS. ;;; -;;; See RFC 3280 5.1 for the CRL layout. +;;; See RFC 3280 section 5 for CRL layout and extensions. ;;; ;;; We're only trying to cover objects in the same SIA collection ;;; (directory) as the manifest. We will probably want to name the ;;; manifest itself with a name derived from the g(ski) of the cert of ;;; which this is the SIA collection. We'll need an EE cert to sign ;;; the manifest; the EE cert should probably just use RFC 3779 -;;; inheritance to cover all the resources that its issuer holds. +;;; inheritance to cover all the resources that its issuer holds. If we +;;; use CMS, we might just want to include the EE cert in the CMS +;;; bag of certs. ;;; ;;; One possible way of representing the objects in a collection would ;;; be with pairs of: ;;; ;;; filename of the object (within the collection, eg, "fnord.cer") ;;; hash of the object (eg sha256(fnord.cer)) +;;; +;;; For the moment I assume we're signing with CMS, so the signature +;;; parameters and signature itself are not included below. I'm including +;;; some fields we may decide to drop later, because it's easier to see +;;; extraneous fields than it is to see missing ones. + +(manifest :version 1 + :collection-uri "rsync://foo.example/wombat/" + :this-update timestamp + :next-update timestamp + :manifest-serial 17 + :hash-algorithm :sha256 + (:name foo.cer :hash b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c) + (:name bar.cer :hash b00b9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c) + (:name foo.roa :hash a00b9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c) + (:name baz.crl :hash c00b9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c) + ...) |
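Review bot: In the added `(manifest ...)` example, `:this-update`, `:next-update` and `:manifest-serial` appear with no comment text saying what a relying party is expected to do with them. Because the new comment says some fields may be dropped later, it is worth stating here whether these three are the ones intended to let a validator notice a stale or replayed manifest, so they are not mistaken for the extraneous ones. Two smaller points on the same example: the `timestamp` placeholders should name a concrete format, and the `:name` entries should be described as bare filenames relative to `:collection-uri` (matching the "within the collection" wording in the comment above), along with a note on whether the manifest lists itself.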