1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
|
;;; -*- Lisp -*-
;;; $URL$
;;; $Id$
;;;
;;; Scratch pad for working out API design for RPKI engine.
;;;
;;; This file is psuedocode, I just wanted to take advantage of
;;; emacs's built-in support for languages with reasonable syntax.
;;;
;;; Terminology:
;;;
;;; - IRBE: Internet Registry Back End
;;;
;;; - RE: RPKI Engine
;;; Current problems:
;;; Need revoke and rekey operations. The IRBE tells the RE to delete
;;; and likely replace a biz key (so this acts on business signing
;;; context objects); it doesn't revoke in the CRL sense. The RE may
;;; learn from the IRBE that the key of a parent or child has changed;
;;; these are set operations on the TA field of a parent, child, or
;;; repository object. So this is almost covered, except that we
;;; bundled keypair creation into business signing context creation
;;; (knew that was a mistake...).
;;; Need revoke and rekey operations, RPKI keys this time. First
;;; problem is how does the IRBE name the key that is to roll if
;;; keypairs are created on the fly? Hmm. We can say "roll all the
;;; keys associated with this child" easily enough, will that suffice?
;;; How do we construct publication URIs (which also go into some of
;;; the X.509 extensions in the resource certs)? We create CAs on the
;;; fly in response to what we learn from our parent, so it's hard to
;;; preconfigure this.
;;;
;;; Might it help to have per-parent config for this, since we have to
;;; config parents anyway? That'd give us the head of the publication
;;; URI, leaving us to figure out just the tail. Could gensym name
;;; tail for dynamically created CAs, could take name tail from chat
;;; with parent (risky? evil parent gives us dangerous name?), could
;;; take name tail from local config but it's hard to see how.
;;;
;;; We now think that there's a negotiation involved here with both
;;; the parent and the publisher. The publication URI directory
;;; breaks into three pieces: head/middle/tail/. head comes from the
;;; publisher, middle comes from the parent, and tail comes from this
;;; RE. head is just the prefix for where we're allowed to put stuff
;;; within the publication repository; this could be configured by the
;;; IRBE or we could ask the publication repository, we currently
;;; think the latter is better. Middle comes from this RE's parent,
;;; and should be a new attribute in the up-down XML protocol: it's
;;; the parent's advice on where to put this particular CA's outputs
;;; in order to get the nice hierarchical properties we want. Tail is
;;; something this RE comes up with, it's per-CA, and all that really
;;; matters is that it's stable; it could be gensymed, or could be our
;;; internal name for the CA, whatever. This hack may require finding
;;; out the parent's publication URI (which we might get from the
;;; parent's cert or not to be decided later), sort this out later.
;;;
;;; If there is any preliminary negotation with publisher before
;;; publication, it is all hypothetical and assumes that proof will be
;;; given with actual publication request. Thing that needs to be
;;; proven is that publication client A is not stepping on publication
;;; client B even when B is A's parent.
;;;
;;; Not yet sure into which object we need to be stuffing various bits
;;; of this URI. The head portion is per, um, er, can we assume it's
;;; per repository object? Maybe. The middle comes down on the fly
;;; from the parent and is probably per class; dunno whether we store
;;; it as is or just use it on the fly to construct the complete SIA
;;; URI and store that. And where do we store the resulting computed
;;; SIA URIs, in the CA objects?
;;; Operations on keys need to specify signature algorithm (currently
;;; only RSA, but need agility) and key length. Signing operations
;;; need to specify hash algorithms as well (currently default
;;; SHA-256, option for higher SHA functions, we expect crypto world
;;; to hand us new hash functions within a few years).
;;; Explanation for many-many mapping beween CA and child objects
;;; (courtesy of RobL): Each child is an entity; each CA can have
;;; multiple children, and each child can hold certs from multiple
;;; CAs.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same. Both are client/server protocols, but for some
;;; the RE is the client and for others the IRBE is the client.
;;;
;;; This set of operations are initiated by the IRBE.
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(create-self-id)
=> (self-id)
(destroy-self-id :self-id 42)
=> ()
(list-self-ids)
=> (self-id ...)
;; RobK wonders whether there needs to be an operation that blows away
;; most of the context but preserves things like audit logs. No
;; current consensus on need for this.
(get-preference :self-id 42
:preference-name :favorite-color)
=> ("obsidian")
(set-preference :self-id 42
:name :favorite-color
:value "obsidian")
=> ()
;; Extensions might also show up as preferences that nobody but this
;; IRBE operator has ever heard of
;; This creates both a context and a keypair. Do we need to specify
;; what kind of key in addition to length?
(create-biz-signing-context :self-id 42
&optional
:key-type :rsa
:key-length 2048
:hash-alg :sha1)
=> (biz-signing-context-id pkcs10-cert-request)
(destroy-biz-signing-context :self-id 42
:biz-signing-context-id biz-context-id)
=> ()
(list-biz-signing-contexts :self-id 42)
=> (biz-signing-context-id ...)
(get-biz-signing-certs :self-id 42
:biz-signing-context-id splat)
=> (cert ...)
(set-biz-signing-certs :self-id 42
:biz-signing-context-id splat
:certs (cert ...))
=> ()
(create-parent-context :self-id 42)
=> (parent)
(destroy-parent-context :self-id 42
:parent foo)
=> ()
(list-parents :self-id 42)
=> (parent ...)
(get-parent-ta :self-id 42
:parent foo)
=> (ta)
(set-parent-ta :self-id 42
:parent foo
:ta ta)
=> ()
(get-parent-uri :self-id 42
:parent foo)
=> (uri)
(set-parent-uri :self-id 42
:parent foo
:uri uri)
=> ()
(get-parent-biz-signing-context :self-id 42
:parent foo)
=> (biz-signing-context)
(set-parent-biz-signing-context :self-id 42
:parent foo
:biz-signing-context bar)
=> ()
(get-parent-repository :self-id 42
:parent foo)
=> (repository)
(set-parent-repository :self-id 42
:parent foo
:repository bar)
=> ()
(create-child :self-id 42)
=> (child)
(destroy-child :self-id 42
:child bar)
=> ()
(list-children :self-id id)
=> (child ...)
(get-child-id :self-id 42
:child foo)
=> (child-id)
(set-child-id :self-id 42
:child foo
:id bar)
=> ()
(get-child-ta :self-id 42
:child foo)
=> (ta)
(set-child-ta :self-id 42
:child foo
:ta bar)
=> ()
(get-child-biz-signing-context :self-id 42
:child foo)
=> (signing-context)
(set-child-biz-signing-context :self-id 42
:child foo
:biz-signing-context bar)
=> ()
(create-repository :self-id 42)
=> (repository)
(destroy-repository :self-id 42
:repository foo)
=> ()
(list-repositories :self-id 42)
=> (repository ...)
(get-repository-biz-signing-context :self-id 42
:repository foo)
=> (signing-context)
(set-repository-biz-signing-context :self-id 42
:repository foo
:biz-signing-context bar)
=> ()
(get-repository-uri :self-id 42
:repository foo)
=> (uri)
(set-repository-uri :self-id 42
:repository foo
:uri uri)
=> ()
(get-repository-ta :self-id 42
:repository foo)
=> (ta)
(set-repository-ta :self-id 42
:repository foo
:ta ta)
=> ()
(please-run-this-self-id-now :self-id 42)
=> ()
(please-publish-world-right-now :self-id 42)
=> ()
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Protocol operations between IRBE and RE.
;;;
;;; This is really two separate protocols over channels that might or
;;; not be the same. Both are client/server protocols, but for some
;;; the rpki engine and for others the irbe is the client.
;;;
;;; This set of operations are initiated by the RE.
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(list-resources :self-id 42 ; issuer id
&optional ; If left off, we're asking about self rather than child
:child id) ; subject id
=> ((:ipv4-address "10.0.0.44/32" "10.3.0.44/32")
(:ipv6-address "fe80:dead:beef::/24")
(:as-number "666")
...)
(list-rights-to-route :self-id 42) ; Self
=> ((as-number :ipv4 prefix-or-range :ipv6 prefix-or-range ...)
(as-number "ipv6 prefix-or-range :ipv6 prefix-or-range :ipv4 prefix-or-range ...)
...)
(report-error :self-id 42
:error-token :your-hair-is-on-fire
:bag-of-data whatever)
=> ()
|
