rpkid BPKI Diagram

[Diagram: rpkid BPKI certificate tree, rendered from inline_dotgraph_1.dot]

Black objects belong to the hosting entity, blue objects belong to the hosted entities, red objects are cross-certified objects from peers. The arrows indicate certificate issuance: solid arrows are the ones that this RPKI engine will care about during certificate validation, dotted arrows show the origin of EE certificates this engine uses to sign things.

There's one nasty bit here: it's not possible to use exactly the same BPKI keys and certificates for HTTPS and CMS. The reason for this is simple: each hosted entity has its own BPKI, as does the hosting entity, but the HTTPS listener is shared. The only ways to avoid this would be to use separate listeners for each hosted entity, which scales poorly, or to rely on the TLS "Server Name Indication" extension (RFC 4366, section 3.1), which is not yet widely implemented.

The certificate tree looks complicated, but the set of certificates needed to build a particular validation chain is obvious, again excepting the HTTPS server case, where the client certificate is the first hint the engine has of the client's identity, so the server must be prepared to accept any current client certificate.
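As an added example (not code from the RPKI Engine), here is a small Python model of the chain selection described above: CMS validation knows which hosted entity's BPKI to check, while the shared HTTPS listener must try every known root because the client certificate is its first hint of identity. The certificate names and tree are constructed for illustration, and no real X.509 parsing or signature checking is done.

```python
from collections import namedtuple

# Constructed sample BPKI tree with hypothetical names (not the RPKI Engine's own data).
Cert = namedtuple("Cert", "name issuer owner kind")  # kind: ca, xcert (cross-certified peer CA) or ee

CERTS = {c.name: c for c in [
    Cert("host-root", "host-root", "hosting", "ca"),            # hosting entity's BPKI root
    Cert("host-https-ee", "host-root", "hosting", "ee"),        # server cert of the shared HTTPS listener
    Cert("alice-root", "alice-root", "alice", "ca"),            # hosted entity Alice's BPKI root
    Cert("alice-cms-ee", "alice-root", "alice", "ee"),          # EE the engine signs CMS with on Alice's behalf
    Cert("bob-root", "bob-root", "bob", "ca"),                  # hosted entity Bob's BPKI root
    Cert("peer-ca", "alice-root", "peer", "xcert"),             # a peer's CA, cross-certified under Alice's BPKI
    Cert("peer-ee", "peer-ca", "peer", "ee"),                   # EE that peer signs its CMS messages with
    Cert("stranger-root", "stranger-root", "stranger", "ca"),   # BPKI nobody here has cross-certified
    Cert("stranger-ee", "stranger-root", "stranger", "ee"),
]}
# One trust anchor per BPKI: the hosting entity's root and each hosted entity's root.
TRUST_ANCHORS = {"hosting": "host-root", "alice": "alice-root", "bob": "bob-root"}


def build_chain(ee_name):
    """Follow issuer links (the solid arrows) from an EE up to a self-signed cert.
    Returns the list of cert names, or None if a link is missing or issuers loop."""
    chain, seen, name = [], set(), ee_name
    while name in CERTS and name not in seen:
        seen.add(name)
        chain.append(name)
        if CERTS[name].issuer == name:   # self-signed: reached a root
            return chain
        name = CERTS[name].issuer
    return None


def validate_cms(signer_ee, hosted_entity):
    """CMS case: the engine already knows which hosted entity the message concerns,
    so the chain must end at exactly that entity's BPKI root."""
    chain = build_chain(signer_ee)
    return chain is not None and chain[-1] == TRUST_ANCHORS.get(hosted_entity)


def validate_https_client(client_ee):
    """HTTPS case: the client cert is the first hint of who the client is, so the
    shared listener must check against every BPKI root it knows. Returns the
    entity whose BPKI the chain lands in, or None if no known root is reached."""
    chain = build_chain(client_ee)
    if chain is None:
        return None
    owner_of_root = {root: owner for owner, root in TRUST_ANCHORS.items()}
    return owner_of_root.get(chain[-1])
```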


Generated on Sat Jun 21 07:55:39 2008 for RPKI Engine by doxygen 1.5.5