idnits 2.17.1 draft-ietf-pkix-other-certs-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 13, 2009) is 5338 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PKIX WG S. Farrell 3 Internet-Draft Trinity College Dublin 4 Intended status: Experimental September 13, 2009 5 Expires: March 17, 2010 7 Other Certificates Extension 8 draft-ietf-pkix-other-certs-05 10 Status of this Memo 12 This Internet-Draft is submitted to IETF in full conformance with the 13 provisions of BCP 78 and BCP 79. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as Internet- 18 Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six months 21 and may be updated, replaced, or obsoleted by other documents at any 22 time. It is inappropriate to use Internet-Drafts as reference 23 material or to cite them other than as "work in progress." 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt. 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 31 This Internet-Draft will expire on March 17, 2010. 33 Copyright Notice 35 Copyright (c) 2009 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents in effect on the date of 40 publication of this document (http://trustee.ietf.org/license-info). 41 Please review these documents carefully, as they describe your rights 42 and restrictions with respect to this document. 44 Abstract 46 Some applications that associate state information with public key 47 certificates can benefit from a way to link together a set of 48 certificates belonging to the same end entity that can safely be 49 considered to be equivalent for the purposes of referencing that 50 application state information. This memo defines a certificate 51 extension that allows applications to establish the required linkage 52 without introducing a new application protocol data unit. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. A Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3. Other Certificates Extension . . . . . . . . . . . . . . . . . 4 59 4. Another Approach using Permanent Identifiers . . . . . . . . . 6 60 5. A Possible Optimisation . . . . . . . . . . . . . . . . . . . . 6 61 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 62 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 63 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 64 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 65 9.1. Normative References . . . . . . . . . . . . . . . . . . . 8 66 9.2. Informative References . . . . . . . . . . . . . . . . . . 8 67 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 8 68 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 1. Introduction 72 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 73 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 74 document are to be interpreted as described in RFC 2119 [RFC2119]. 76 RFC 5280 [RFC5280] defines a profile for the use of public key 77 certificates for Internet applications. If an application associates 78 application state information with a public key certificate, then 79 that association may be disrupted if the end entity changes its 80 public key certificate. Such disruption can occur due to renewals or 81 if the end entity changes its certificate issuer. Similarly, if the 82 end entity is actually a distributed system, where each instance has 83 a different private key, then the relying party (RP) has no way to 84 associate the different public key certificates with the relevant 85 application state information. 87 For example, assume a web browser retains state information (perhaps 88 passwords) about a web site, indexed (possibly indirectly) via values 89 contained in the web server's public key certificate (perhaps a DNS 90 name). When the web server certificate expires, and a new 91 certificate is acquired (perhaps with a different DNS name), then the 92 browser cannot safely map the new certificate to the relevant state 93 information. 95 This memo defines a new public key certificate extension that 96 supports such linkage, allowing the certificate issuer to attest that 97 the end entity that holds the private key for the certificate in 98 question also holds other private keys corresponding to other 99 identified certificates. 101 Other than the issuer asserting that the set of certificates belong 102 to the same end entity for use with the same application, the fine- 103 detail of the semantics of the linkage of certificates is not defined 104 here, since that is a matter for application developers and the 105 operators of certification authorities (CAs). In particular we do 106 not define how a CA can validate that the same end entity is the 107 holder of the various private keys, nor how the application should 108 make use of this information. Nor do we define what kinds of state 109 information may be shared. 111 2. A Use Case 113 Public key certificates expire, typically about a year after they are 114 created. Some applications might need to know that the same entity 115 is the subject of this certificate and a previously used certificate. 117 For example, if a web server certificate expires, it could be useful 118 for a web browser to know that the server currently presenting a 119 certificate in a TLS [RFC5246] handshake represents the same web 120 server that previously presented a certificate. This could be used 121 for example to allow the browser to automatically fill in form fields 122 for the server in question, even if the server certificate has been 123 replaced. While the same effect can be achieved based on the use of 124 the same issuer and subject fields in a certificate there could be 125 security issues involved in such comparisons, e.g. if the subject 126 name includes a DNS name and the ownership of that DNS domain has 127 changed. 129 The use of the new extension provides a way for the CA to signal to 130 the application that the same end entity is involved, regardless of 131 name changes. The new extension could also allow the web site 132 operator to more easily change CA when replacing its certificate. 134 3. Other Certificates Extension 136 This section defines the syntax for the other certificates extension. 138 The new extension is simply a list of references to the linked 139 certificates. The references make use of the SCVPCertID structure 140 from the SCVP [RFC5055] protocol which contains a hash over the 141 relevant certificate and the certificate's issuer and serial number. 143 When this extension is present the CA is asserting that the same end 144 entity is the subject of the relevant certificates. 146 This extension MUST NOT be marked critical. 148 id-pe-otherCerts OBJECT IDENTIFIER ::= { id-pe 19 } 150 OtherCertificates ::= SEQUENCE OF SCVPCertID 152 CAs MUST only issue certificates containing this extension where the 153 links created are such that the relevant consumers of the 154 certificates can safely make use of those links. This will typically 155 be the case where the certificates are only used by a single 156 application. CAs MUST NOT issue certificates that link to 157 certificates issued for a different purpose, for example, a CA SHOULD 158 NOT link a web server certificate to a VPN gateway certificate 159 (unless those can be the same, which might occur for some embedded 160 devices). The purpose for which the certificate is intended may be 161 determined by certificate policy or other means (e.g. extended key 162 usage object identifiers) that are out of scope of this 163 specification. 165 CAs MUST NOT issue certificates containing this extension unless they 166 have validated that the end entity is the holder of all of the 167 relevant private keys. 169 Applications MUST validate certificates according to the rules 170 specified in RFC 5280 [RFC5280], and MUST NOT assume that because 171 certificates are linked, that they are therefore valid. This means 172 of course that both certificates must chain up to some local trust 173 point(s). 175 If an application imposes further checks on certificate validity 176 (e.g. as is done in RFC 2818 [RFC2818] for web server certificates), 177 then both certificates MUST be valid according to those application 178 specific rules. 180 It is not required that two linked certificates are both 181 simultaneously valid. For example, an application can validate 182 certificate1 and cache that information. When the application is 183 subsequently presented with certificate2 (linked back to 184 certificate1), if it considers the cached information about 185 certificate1 trustworthy, then it can validate certificate2, and use 186 the linkage to associate certificate2 with the relevant application 187 state information. (Just as it would have done had certificate1 been 188 re-presented.) As a second example, if certificate1 has expired, but 189 would otherwise be valid, then the linkage from certificate2 can also 190 be used once certificate2 has been validated. 192 If the application checks certificate status for the certificates in 193 question, and any of the certificates concerned has been revoked, 194 then the linkage MUST NOT be used. 196 Note that there are no constraints on the contents of the certificate 197 to which the link points. The consequence is that the CA issuing the 198 new certificate can link back to legacy certificates of all kinds, 199 once the relevant RP supports this extension. 201 This extension MUST only be used in end-entity certificates, that is, 202 it MUST NOT be used in CA certificates or other similar certificates. 203 Since CA certificates are only used for certificate validation and 204 this extension has no effect on the validation procedure, this 205 extension would generally be meaningless in a CA certificate. In 206 addition, it may be wise to gain some deployment experience with this 207 extension before using it for more security sensitive certificates 208 like CA certificates. 210 4. Another Approach using Permanent Identifiers 212 RFC 4043 [RFC4043] defines a new name form (a "Permanent Identifier" 213 or PI) for public key certificates that supports similar 214 functionality to the new extension defined here. If two certificates 215 have the same PI and that PI form is globally unique, then the end- 216 entities involved can be considered to be the same. 218 The main difference between the PI and the other certificates 219 extension is that, (when more than one CA is involved), PI requires a 220 globally unique identifier, whereas the other certificates extension 221 only requires that the issuer of the new certificate be able to link 222 back to the old certificate(s). 224 As a consequence the other certificates extension can be deployed 225 "reactively" to link certificates that may not match "ideal" 226 application naming requirements. If the old certificate did make use 227 of PI, then presumably application naming issues have already been 228 handled, and then the new certificate can contain the same PI. In 229 this latter case there would be no need for the other certificates 230 extension. 232 5. A Possible Optimisation 234 The SCVPCertID structure used here contains the issuer name for the 235 CA of the linked certificate. It may happen that this issuer is also 236 the issuer of the certificate containing the other-certificates 237 extension. If a new certificate were linked back to a number of old 238 certificates from that same CA, then there would be considerable 239 redundancy since there would be many copies of the same issuer name. 241 One suggestion raised was to have a convention where if the X.500 242 Name in the SCVPCertID is an "empty" DN (see RFC5280) that that would 243 indicate that the same CA issued both the current and the linked 244 certificates. However, that scheme is not adopted in this version. 245 A future, standards-track version of this specification might adopt 246 that optimisation. 248 6. Acknowledgements 250 The use case motivating this was contributed to the W3C web security 251 context (WSC) working group by Tyler Close. See 252 http://www.w3.org/2006/WSC/wiki/SafeWebFormEditor for details. 254 Denis Pinkas pointed out that the PI extension is an alternative to 255 this one. 257 James Manger suggested the optimisation to reduce the number of 258 copies of the issuer name. 260 7. IANA Considerations 262 This memo includes no request to IANA. 264 8. Security Considerations 266 As stated above, relying parties MUST validate any certificates per 267 the algorithm given in RFC 5280 [RFC5280] before making any use of 268 those certificates. 270 Relying parties similarly MUST NOT assume that any other fields in 271 the relevant certificates have common values. For example, linked 272 certificates might have non-overlapping key usage extensions. 274 Since the issuer of the new certificate (or some superior CA) is 275 trusted by the RP, and the RP has validated the new certificate, the 276 RP is basically as reliant on the proper operation of that CA as 277 always - if the CA wished to "cheat" on the RP the other certificates 278 extension simply provides a new way to do that, but one that is 279 equivalent to existing vulnerabilities. In many cases such a bad CA 280 could simply issue a new certificate that is identical in all 281 respects (other than the key pair) and the RP would accept the 282 identity contained in that new certificate. 284 However, if the issuer of the new certificate is limited in some way 285 (e.g. via a name constraint in a superior CA certificate), and if the 286 old certificate doesn't match those limitations (e.g. the subject of 287 the old certificate doesn't fit under the name constraints of the 288 issuer of the new certificate), then the new certificate could be 289 linked back to an identity that doesn't meet the constraints intended 290 to be imposed on the issuer of the new certificate. Applications for 291 which this is an unacceptable risk SHOULD NOT make use of the other 292 certificates extension. 294 Since the SCVPCertID structure includes a hash of the other 295 certificate and hash algorithm weaknesses that produce collisions are 296 becomming more of an issue, CAs and relying parties MUST ensure that 297 currently acceptable hash functions are used. In particular the 298 default use of SHA-1 for SCVPCertID may or may not currently be 299 considered acceptable. CAs might be wise to use SHA-256 instead, but 300 will typically use whatever hash function they use as part of 301 certificate signing.. 303 9. References 305 9.1. Normative References 307 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 308 Requirement Levels", BCP 14, RFC 2119, March 1997. 310 [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. 311 Polk, "Server-Based Certificate Validation Protocol 312 (SCVP)", RFC 5055, December 2007. 314 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 315 Housley, R., and W. Polk, "Internet X.509 Public Key 316 Infrastructure Certificate and Certificate Revocation List 317 (CRL) Profile", RFC 5280, May 2008. 319 9.2. Informative References 321 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 323 [RFC4043] Pinkas, D. and T. Gindin, "Internet X.509 Public Key 324 Infrastructure Permanent Identifier", RFC 4043, May 2005. 326 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 327 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 329 Appendix A. ASN.1 Module 331 PKIX OID registrations may be viewed at: 332 http://www.imc.org/ietf-pkix/pkix-oid.asn 333 PKIXOtherCertsModule 334 { iso(1) identified-organization(3) dod(6) internet(1) 335 security(5) mechanisms(5) pkix(7) id-mod(0) 44 } 337 DEFINITIONS EXPLICIT TAGS ::= 339 BEGIN 341 -- EXPORTS ALL 343 IMPORTS 345 -- From [RFC5055] 346 SCVPCertID 347 FROM SCVP { iso(1) identified-organization(3) dod(6) internet(1) 348 security(5) mechanisms(5) pkix(7) id-mod(0) 21 } ; 350 -- The one and only new thing, a new certificate extension 352 id-pe-otherCerts OBJECT IDENTIFIER ::= 353 { iso(1) identified-organization(3) dod(6) internet(1) 354 security(5) mechanisms(5) pkix(7) id-pe(1) 19 } 356 -- The value is a sequence of cert ids. 357 OtherCertificates ::= SEQUENCE OF SCVPCertID 359 END 361 Author's Address 363 Stephen Farrell 364 Trinity College Dublin 365 Department of Computer Science 366 Trinity College 367 Dublin, 2 368 Ireland 370 Phone: +353-1-896-2354 371 Email: stephen.farrell@cs.tcd.ie