A BPKI key rollover protocol for the Resource Public Key Infrastructure (RPKI)

Protocol specification

Protocol negotiation This document does not define a method to negotiate usage of these new extensions. It is up to operators to use out-of-band mechanisms to agree on support for this document.

XML Namespace All new XML elements defined in this document belong to the namespace of https://as207960.net/spec/rpki/setup-update/. This document uses the XML namespace prefix of setup_update however compliant implementations MUST accept other namespace prefixes.

New message types The type field of the message element in the http://www.apnic.net/specs/rescerts/up-down/ namespace, and the type field of the msg element in the http://www.hactrn.net/uris/rpki/publication-spec/ namespace are extended with the following new values:

update_client_certificate
updated_client_certificate_accepted
request_updated_server_certificate
updated_server_certificate
accept_updated_server_certificate

The messages for these extensions are defined below.

The update_client_certificate message The value of the message type element for this request is: type="update_client_certificate" Payload: [New child TA CA] ]]> The child CA MUST be encoded as specified in This command directs the server to update its stored TA for the client. The server MUST update its stored certificate or respond with a Request-Not-Performed Response. If the client receives a Request-Not-Performed Response it MUST continue to use its old TA.

The updated_client_certificate_accepted message The value of the message type element for this request is: type="updated_client_certificate_accepted" This message has no payload. Receipt of this message by a client in response to an update_client_certificate message indicates the server has accepted the client's new TA and that the client MUST use its new TA in all future exchanges.

The request_updated_server_certificate message The value of the message type element for this request is: type="request_updated_server_certificate" This message has no payload. This message indicates a request from the client to the server for the server's new TA CA, if available. Servers MUST respond with an updated_server_certificate unless an internal error occurred. Clients SHOULD send this message periodically to check for a new TA from the parent.

The updated_server_certificate message The value of the message type element for this request is: type="updated_server_certificate" Payload: [New parent TA CA] ]]> OR ]]> The parent CA MUST be encoded as specified in This response either includes the parents new TA if one is available, or a statement that the parent doesn't have a new TA it wishes to communicate to its client.

The "accept_updated_server_certificate" message The value of the message "type" element for this request is: type="accept_updated_server_certificate" This message has no payload. This message indicates that the client has accepted the server's new TA. Future exchanges MUST use the parent's new TA.

End Entity Certificates for updating the Trust Anchor Each CMS message in and must be signed by an EE certificate. Due to the sensitive nature of updating the TA a standard EE cannot be used to update the TA and ensure sufficient security. The EE certificate used to sign a CMS message containing a message relating to a TA MUST include an rpkiBpkiTAUpdate X.509 extendedKeyUsage. If a client or a server receives a message relating to TAs not including this EKU it MUST reject the message. The rpkiBpkiTAUpdate has the OID of 1.3.6.1.4.1.56292.1.2.1

Error codes The error codes are extended with the following additional codes:

1401: The new TA presented by the child wasn't acceptable to the server, the reasons SHOULD be elaborated in the "description" element.

The error codes are extended with the following additional codes:

unacceptable_child_ca: The new TA presented by the child wasn't acceptable to the server, the reasons SHOULD be elaborated in the "error_text" element.