APNIC has deployed a testbed for the ‘signed TAL’ method of Trust Anchor (TA) key rollover.
What is a signed TAL?
The signed Trust Anchor Locator (TAL) proposal adds a new object, the Trust Anchor Keys (TAK) object, to the Resource Public Key Infrastructure (RPKI). A TA publishes a TAK to signal that it is ‘rolling’ to a new signing key, so that relying parties can detect the roll and update their configuration to point at the new key, instead of having to learn about it out of band.
When do we use a key roll?
A key roll is needed whenever the old key cannot, or should not, continue to be used. This can happen in various scenarios:
- The key is held in a hardware security module (HSM) that can no longer be used (it has failed or is being retired) and that does not support key export, so the key cannot be moved to another device.
- A new trust model is adopted (for example, M-of-N secret sharing), and that model requires generating a new TA key.
- The existing TA key is compromised.
The signed TAL draft covers only planned key rolls, because the signalling depends on the current key still being trusted: a TAK object is validated against the key the relying party already trusts. After a key compromise, nothing signed by that key can be believed, so clients would still have to update their local configuration with the new key manually.
What’s in the draft?
The draft describes the scenarios in which a TA uses the TAK object to move between keys, and to revoke keys that must no longer be used.
The Signed TAL website (https://rpki-testbed.apnic.net/signed-tal.html) lists testbed TAs that can be used to exercise the different signed TAL scenarios:
- Single TA with a TAK for the current key.
- Two TAs with a TAK for the first key only.
- Two TAs with TAKs for both keys, and the first is revoked.
- Single TA with a TAK for the current key, and the key is revoked.
These scenarios are intended to help relying party developers understand how this in-band signalling mechanism works and to test their implementations against it.
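To make the relying party side of this concrete, here is an added example (not APNIC's testbed code, and not the draft's actual ASN.1 encoding) that walks a simulated relying party through the four testbed scenarios above. It also shows the point made earlier about trust: a TAK is only acted on if it was signed by the key the relying party already trusts, so a TAK signed by a successor key, or by an attacker's key, is ignored. The TAK field names (`current`, `successor`, `revoked`, `signer_id`), the key identifiers and URIs, and the HMAC used in place of a real RPKI signed-object signature are all assumptions made so the example runs with the Python standard library only.

```python
"""Simulated relying-party handling of signed TAL / TAK objects.

Added example, not APNIC's code. The TAK structure and the HMAC 'signature'
are stand-ins for the draft's real RPKI signed object; key ids and URIs are
constructed for the demo.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TAKey:
    """A TA key as a relying party (RP) knows it from a TAL (simplified)."""
    key_id: str          # stands in for the key identifier (SPKI hash)
    tal_uris: tuple      # URIs a TAL for this key would point at
    verify_key: bytes    # stands in for the public key (HMAC key here)


@dataclass(frozen=True)
class TAK:
    """Simplified TAK object: the key it is published under, an optional
    successor, the key ids being revoked, and who signed it."""
    current: TAKey
    successor: Optional[TAKey]
    revoked: tuple
    signer_id: str
    signature: bytes


def _tbs(current: TAKey, successor: Optional[TAKey], revoked: tuple) -> bytes:
    """Canonical to-be-signed encoding (stand-in for DER)."""
    body = {
        "current": [current.key_id, list(current.tal_uris)],
        "successor": None if successor is None
                     else [successor.key_id, list(successor.tal_uris)],
        "revoked": sorted(revoked),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_tak(signer: TAKey, current: TAKey, successor: Optional[TAKey] = None,
              revoked: tuple = ()) -> TAK:
    """What the TA operator publishes, 'signed' by `signer` (HMAC stand-in)."""
    sig = hmac.new(signer.verify_key, _tbs(current, successor, revoked),
                   hashlib.sha256).digest()
    return TAK(current, successor, tuple(revoked), signer.key_id, sig)


class RelyingParty:
    def __init__(self, trusted: TAKey):
        self.trusted = trusted   # key from the locally configured TAL
        self.pending = None      # successor announced but not yet in use
        self.withdrawn = False   # TA dropped after revocation with no successor

    def process(self, tak: TAK) -> str:
        # 1. Chain of trust: only the currently trusted key may announce a roll.
        #    This is why the mechanism cannot recover from a compromised key.
        if self.withdrawn or tak.signer_id != self.trusted.key_id:
            return "rejected: not signed by the currently trusted key"
        expected = hmac.new(self.trusted.verify_key,
                            _tbs(tak.current, tak.successor, tak.revoked),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tak.signature):
            return "rejected: bad signature"
        # 2. Apply the signal to the local TA configuration.
        if self.trusted.key_id in tak.revoked:
            if tak.successor is None or tak.successor.key_id in tak.revoked:
                self.withdrawn = True
                return "withdrawn: current key revoked with no usable successor"
            self.trusted, self.pending = tak.successor, None
            return f"rolled: now trusting {self.trusted.key_id}"
        if tak.successor is not None and tak.successor.key_id != self.trusted.key_id:
            self.pending = tak.successor
            return f"staged: successor {self.pending.key_id} recorded"
        return "unchanged"

    def tal(self) -> Optional[dict]:
        """The local TAL the RP would write out after processing."""
        if self.withdrawn:
            return None
        return {"key_id": self.trusted.key_id, "uris": list(self.trusted.tal_uris)}


def demo():
    """Run the testbed scenarios against one RP; constructed keys and URIs."""
    k1 = TAKey("ta-key-1", ("rsync://testbed.example/ta-1.cer",), b"secret-1")
    k2 = TAKey("ta-key-2", ("rsync://testbed.example/ta-2.cer",), b"secret-2")
    rp = RelyingParty(k1)
    events = [
        rp.process(issue_tak(k1, k1)),                                   # single TA, TAK for current key
        rp.process(issue_tak(k1, k1, successor=k2)),                     # two TAs, TAK for first key only
        rp.process(issue_tak(k2, k2, revoked=("ta-key-1",))),            # signed by k2 while k1 trusted
        rp.process(issue_tak(k1, k1, successor=k2, revoked=("ta-key-1",))),  # both TAKs, first revoked
        rp.process(issue_tak(k2, k2, revoked=("ta-key-2",))),            # single TA, key revoked
    ]
    return events, rp.tal()


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The third call is the interesting one: a TAK signed by the new key is rejected while the relying party still trusts only the old key, which is exactly why the draft needs the old key to be trusted at the moment of the roll.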
Where can I see it?
A simple example script that uses this testbed is available on GitHub.
APNIC presented an update on the signed TAL draft at the SIDROPS working group at IETF 109.