Change Publication Server used by an RPKI CA

Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Introduction There are a number of reasons why a CA may wish to migrate from its current Publication Server to a new one. One reason may be that an organization is running their own Publication Server, but wishes to migrate to a server operated by their parent (e.g., a Regional Internet Registry), possibly because their parent did not offer this service when they first set up their CA, but now they do. Another reason may be that the current Publication Server used by a CA is falling behind in terms of their availability on either the publication protocol , or the public rsync or RRDP repository compared to other options. If the current Publication Server has become unavailable and there is no sign that it will become available again, then that may constitute an even more urgent reason to migrate to a new server. This document describes a modified RPKI Key Rollover process that can be used to change the Publication Server used by an RPKI CA.

Migration Process This section assumes familiarity with RPKI Key Rollovers . The migration process is similar to the process described in section 2 of with some notable differences that we will describe below. This document uses the three CA states CURRENT, NEW and OLD as described in section 2 of .

Upload new Repository Response Before initiating the Publication Server migration the relationship between the publishing CA and the new server MUST be estiblished and verified. First, a Publisher Request XML file MUST be retrieved from the CA. The CA MAY re-use the same XML and BPKI TA certificate that was used for the setup of the current Publication Server for this purpose. Then, the Publication Server MAY generate a Repository Response XML file for this CA. If the Publication Server refuses to execute this step, then the migration MUST be cancelled. When the CA receives the Respository Response XML file it MUST verify that it can communicate with the new server by sending it an list query. If the query is successful, the new server is accepted and the CA proceeds to the next step. If the query is unsuccessful then the migration process MUST be cancelled.

Create new Key The second step in the process is to generate a key pair for the NEW CA, and then request a new certificate for it from its parent as described in steps 1 and 2 in section 2 of .

Use the new Key The NEW CA MUST reissue all signed certificates and RPKI signed objects as described in section 4 of and publish them at its (new) Publication Server. This is necessary because if the NEW CA were to delay re-issuance and publication until it is promoted to become the CURRENT CA and the then OLD CA is revoked immediately as described in steps 3-6 in section 2 of , then this would lead to a situation where no certificates and RPKI signed objects could be found by RP software due to timing issues in fetching both repositories. This issue does not apply to the normal Key Rollover process as all the updates would be published at the same Publication Server in that case as a single atomic delta.

Staging Period During the staging period the CA MUST maintain signed content under both its current and new key, and MUST ensure that these are in sync. A staging period of 24 hours SHOULD be used to avoid any race conditions where RP software was not yet able to get the content from the NEW CA repository before revoking the CURRENT CA as per the next step in this process. However, if there is any operational issue with the Publication Server and/or its repository used by the CURRENT CA then this staging period SHOULD be skipped. After the staging period has passed, or has been skipped, the CURRENT CA becomes the OLD CA and NEW CA becomes the CURRENT CA.

Revoke OLD CA The final step in the process is that the OLD CA MUST be revoked by sending an revocation request for its key. Furthermore, all content for the OLD CA SHOULD be removed from the (old) Publication Server used by it. Note that this may be impossible in cases where a non-functioning Publication Server prompted this migration. The private key for the OLD CA MUST be destroyed.

Relying Party Considerations

Authority Information Access It should be noted that the Authority Information Access (AIA) URIs for delegated CA certificates will change when the NEW CA key and repository are used. Relying Parties MAY warn when AIA URIs in the RPKI signed objects (Manifest, ROAs, etc) and possible certificates (delegated CA or BGPSec Router Certificates) published do not match the location of the signing CA certificate in the new publication point, but they MUST accept them as long as they are otherwise valid.

Implementation Status This section is to be removed if and before this document becomes an RFC. Version -00 of this document is implemented by release 0.9.2 and later.

IANA Considerations OID needs to be requested.

Security Considerations TBD

Acknowledgements TBD