1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
|
;;; -*- Lisp -*-
;;; $URL$
;;; $Id$
;;;
;;; Scratch pad for working out API design for RPKI engine.
;;;
;;; This file is psuedocode, I just wanted to take advantage of
;;; emacs's built-in support for languages with reasonable syntax.
;;;
;;; Terminology:
;;;
;;; - IRBE: Internet Registry Back End
;;;
;;; - RE: RPKI Engine
;;; Current problems:
;;; Need revoke and rekey operations.
;;; And, er, how do things like publication URIs (which also go into
;;; some of the X.509 extensions in the resource certs) get into the
;;; RE anyway? This is close to being the same question as how do we
;;; configure the publication point, as the data are largely the same.
;;; Part of the problem is that, if we create CAs on the fly in
;;; response to what we learn from our parent, how do we map that to
;;; any kind of preconfigured data on where we should publish? This
;;; is a mess.
;;;
;;; Might it help to have per-parent config for this, since we have to
;;; config parents anyway? That'd give us the head of the publication
;;; URI, leaving us to figure out just the tail. Could gensym name
;;; tail for dynamically created CAs, could take name tail from chat
;;; with parent (risky? evil parent gives us dangerous name?), could
;;; take name tail from local config but it's hard to see how.
;;;
;;; We now think that there's a negotiation involved here with both
;;; the parent and the publisher. The publication URI directory
;;; breaks into three pieces: head/middle/tail/. head comes from the
;;; publisher, middle comes from the parent, and tail comes from this
;;; RE. head is just the prefix for where we're allowed to put stuff
;;; within the publication repository; this could be configured by the
;;; IRBE or we could ask the publication repository, we currently
;;; think the latter is better. Middle comes from this RE's parent,
;;; and should be a new attribute in the up-down XML protocol: it's
;;; the parent's advice on where to put this particular CA's outputs
;;; in order to get the nice hierarchical properties we want. Tail is
;;; something this RE comes up with, it's per-CA, and all that really
;;; matters is that it's stable; it could be gensymed, or could be our
;;; internal name for the CA, whatever. This hack may require finding
;;; out the parent's publication URI (which we might get from the
;;; parent's cert or not to be decided later), sort this out later.
;;;
;;; If there is any preliminary negotation with publisher before
;;; publication, it is all hypothetical and assumes that proof will be
;;; given with actual publication request. Thing that needs to be
;;; proven is that publication client A is not stepping on publication
;;; client B even when B is A's parent.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same. Both are client/server protocols, but for some
;;; the RE is the client and for others the IRBE is the client.
;;;
;;; This set of operations are initiated by the IRBE.
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(create-self-id)
=> (self-id)
(destroy-self-id :self-id 42)
=> ()
(list-self-ids)
=> (self-id ...)
;; RobK wonders whether there needs to be an operation that blows away
;; most of the context but preserves things like audit logs. No
;; current consensus on need for this.
(get-preference :self-id 42
:preference-name :favorite-color)
=> ("obsidian")
(set-preference :self-id 42
:name :favorite-color
:value "obsidian")
=> ()
;; Extensions might also show up as preferences that nobody but this
;; IRBE operator has ever heard of
;; This creates both a context and a keypair. Do we need to specify
;; what kind of key in addition to length?
(create-biz-signing-context :self-id 42
&optional
:key-type :rsa
:key-length 2048)
=> (biz-signing-context-id pkcs10-cert-request)
(destroy-biz-signing-context :self-id 42
:biz-signing-context-id biz-context-id)
=> ()
(list-biz-signing-contexts :self-id 42)
=> (biz-signing-context-id ...)
(get-biz-signing-certs :self-id 42
:biz-signing-context-id splat)
=> (cert ...)
(set-biz-signing-certs :self-id 42
:biz-signing-context-id splat
:certs (cert ...))
=> ()
(create-parent-context :self-id 42)
=> (parent)
(destroy-parent-context :self-id 42
:parent foo)
=> ()
(list-parents :self-id 42)
=> (parent ...)
(set-parent-ta :self-id 42
:parent foo
:ta ta)
=> ()
(get-parent-ta :self-id 42
:parent foo)
=> (ta)
(get-parent-uri :self-id 42
:parent foo)
=> (uri)
(set-parent-uri :self-id 42
:parent foo
:uri uri)
=> ()
(get-parent-biz-signing-context :self-id 42
:parent foo)
=> (biz-signing-context)
(set-parent-biz-signing-context :self-id 42
:parent foo
:biz-signing-context bar)
=> ()
(get-parent-repository :self-id 42
:parent foo)
=> (repository)
(set-parent-repository :self-id 42
:parent foo
:repository bar)
=> ()
(create-child :self-id 42)
=> (child)
(destroy-child :self-id 42
:child bar)
=> ()
(list-children :self-id id)
=> (child ...)
(get-child-id :self-id 42
:child foo)
=> (child-id)
(set-child-id :self-id 42
:child foo
:id bar)
=> ()
(set-child-ta :self-id 42
:child foo
:ta bar)
=> ()
(get-child-ta :self-id 42
:child foo)
=> (ta)
(set-child-biz-signing-context :self-id 42
:child foo
:biz-signing-context bar)
=> ()
(get-child-biz-signing-context :self-id 42
:child foo)
=> (signing-context)
;;; The following repo stuff is now wrong, need to come back to it
(create-repository :self-id 42)
=> (repo)
(destroy-repository :self-id 42
:repository repo)
=> ()
(get-repository-biz-signing-context :self-id 42
:repository foo)
=> (signing-context)
(set-repository-biz-signing-context :self-id 42
:repository foo
:biz-signing-context bar)
=> ()
(get-repository-uri :self-id 42
:repository foo)
=> (uri)
(set-repository-uri :self-id 42
:repository foo
:uri uri)
=> ()
(please-run-this-self-id-now :self-id 42)
=> ()
(please-publish-world-right-now :self-id 42)
=> ()
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same. Both are client/server protocols, but for some
;;; the rpki engine and for others the irbe is the client.
;;;
;;; This set of operations are initiated by the RE.
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(list-resources :self-id 42 ; issuer id
&optional ; If left off, we're asking about self rather than child
:child id) ; subject id
=> ((:ipv4-address "10.0.0.44/32" "10.3.0.44/32")
(:ipv6-address "fe80:dead:beef::/24")
(:as-number "666")
...)
(list-rights-to-route :self-id 42) ; Self
=> ((as-number :ipv4 prefix-or-range :ipv6 prefix-or-range ...)
(as-number "ipv6 prefix-or-range :ipv6 prefix-or-range :ipv4 prefix-or-range ...)
...)
(report-error :self-id 42
:error-token :your-hair-is-on-fire
:bag-of-data whatever)
=> ()
|
