Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP) X.509 Certificates
DOCNAME

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 9, 2009.

Abstract

This memo documents an extended key usage (EKU) X.509 certificate extension for identifying the holder of a certificate as authoritative for a Session Initiation Protocol (SIP) service in the domain named by the DNS name in the certificate.

Table of Contents

1.  Terminology
    1.1.  Key Words
    1.2.  Abstract syntax notation
2.  Problem statement
3.  Restricting usage to SIP
    3.1.  Extended Key Usage values for SIP domains
4.  Using the SIP EKU in a certificate
5.  Implications for a Certification Authority
6.  Security Considerations
7.  IANA Considerations
8.  Acknowledgments
9.  References
    9.1.  Normative References
    9.2.  Informative References
Appendix A.  ASN.1 Module
§  Authors' Addresses
§  Intellectual Property and Copyright Statements

1.  Terminology

1.1.  Key Words

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.) [1].

1.2.  Abstract syntax notation

All X.509 certificate X.509 (International International Telephone and Telegraph Consultative Committee, “Information Technology - Open Systems Interconnection - The Directory: Authentication Framework,” November 1988.) [4] extensions are defined using ASN.1 X.680 (International International Telephone and Telegraph Consultative Committee, “Specification of Abstract Syntax Notation One (ASN.1): Specification of Basic Notation,” July 1994.) [5],X.690 (International Telecommunications Union, “Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER),” 1994.) [6].

2.  Problem statement

Consider the SIP RFC 3261 (Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, “SIP: Session Initiation Protocol,” June 2002.) [2] trapezoid shown in Figure 1 (SIP Trapezoid).

  Proxy-A.example.com           Proxy-B.example.net
     +-------+                    +-------+
     | Proxy |--------------------| Proxy |
     +----+--+                    +---+---+
          |                           |
          |                           |
          |                           |
          |                         +---+
        0---0                       |   |
         /-\                        |___|
        +---+                      /    /
                                  +----+
   alice@example.com          bob@example.net

Assume that alice@example.com creates an INVITE for bob@example.net; her user agent routes the request to some proxy in her domain, example.com. Suppose also that example.com is a large organization that maintains several SIP proxies, and her INVITE arrived at an outbound proxy Proxy-A.example.com. In order to route the request onward, Proxy-A uses RFC 3263 (Rosenberg, J. and H. Schulzrinne, “Session Initiation Protocol (SIP): Location SIP Servers,” June 2002.) [7] resolution and finds that Proxy-B.example.net is a valid proxy for example.net that uses TLS. Proxy-A.example.com requests a TLS connection to Proxy-B.example.net, and in the TLS handshake each presents a certificate to authenticate that connection. The validation of these certificates by each proxy to determine whether or not their peer is authoritative for the appropriate SIP domain is defined in Domain Certificates in the Session Initiation Protocol (SIP) (Gurbani, V., Lawrence, S., and A. Jeffrey, “Domain Certificates in the Session Initiation Protocol (SIP),” July 2008.) [8].

A SIP domain name is frequently textually identical to the same DNS name used for other purposes. For example, the DNS name example.com can serve as a SIP domain name, an email domain name, and a web service name. Since these different services within a single organization might be administered independently and hosted separately, it is desirable that a certificate be able to bind the DNS name to its usage as a SIP domain name without creating the implication that the entity presenting the certificate is also authoritative for some other purpose. A mechanism is needed to allow the certificate issued to a proxy to be restricted such that the subject name(s) it contains are valid only for use in SIP. In our example, Proxy-B possesses a certificate making it authoritative as a SIP server for the domain example.net; furthermore, it has a policy that requires the client's SIP domain be authenticated through a similar certificate. Proxy-A is authoritative as a SIP server for the domain example.com; when Proxy-A makes a TLS connection to Proxy-B, the latter accepts the connection based on its policy.

3.  Restricting usage to SIP

This memo defines a certificate profile for restricting the usage of a domain name binding to usage as a SIP domain name. RFC 5280 (Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008.) [3] Section 4.2.1.12 defines a mechanism for this purpose: an "Extended Key Usage" (EKU) attribute, where the purpose of the EKU extension is described as:

"If the extension is present, then the certificate MUST only be used for one of the purposes indicated. If multiple purposes are indicated the application need not recognize all purposes indicated, as long as the intended purpose is present. Certificate using applications MAY require that the extended key usage extension be present and that a particular purpose be indicated in order for the certificate to be acceptable to that application."

A certificate whose purpose is to bind a SIP domain identity without binding other non-SIP identities MUST include an id-kp-SIPdomain attribute in the Extended Key Usage extension value (see Section 3.1 (Extended Key Usage values for SIP domains)).

3.1.  Extended Key Usage values for SIP domains

RFC 5280 (Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008.) [3] specifies the EKU X.509 certificate Extension for use in the Internet. The extension indicates one or more purposes for which the certified public key is valid. The EKU extension can be used in conjunction with the key usage extension, which indicates how the public key in the certificate may be used, in a more basic cryptographic way.

The EKU extension syntax is repeated here for convenience:

      ExtKeyUsageSyntax  ::=  SEQUENCE SIZE (1..MAX) OF KeyPurposeId

      KeyPurposeId  ::=  OBJECT IDENTIFIER

This specification defines the KeyPurposeId id-kp-sipDomain. Inclusion of this KeyPurposeId in a certificate indicates that the use of any Subject names in the certificate is restricted to use by a SIP service (along with any usages allowed by other EKU values).

      id-kp  OBJECT IDENTIFIER  ::=
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) 3 }

      id-kp-sipDomain  OBJECT IDENTIFIER  ::=  { id-kp 20 }

4.  Using the SIP EKU in a certificate

Section 7.1 of Domain Certificates in the Session Initiation Protocol (Gurbani, V., Lawrence, S., and A. Jeffrey, “Domain Certificates in the Session Initiation Protocol (SIP),” July 2008.) [8] contains the steps for finding an identity (or a set of identities) in an X.509 certificate for SIP. In order to determine whether the usage of a certificate is restricted, implementations MUST perform the step given below as a part of the certificate validation:

The Extended Key Usage value(s), if any, MUST be examined:

• If the certificate does not contain any EKU values (the Extended Key Usage extension does not exist), it is a matter of local policy whether or not to accept the certificate for use as a SIP certificate.
• If the certificate contains the id-kp-sipDomain EKU extension, then the certificate MUST be accepted as valid for use as a SIP certificate.
• If the certificate does not contain the id-kp-sipDomain EKU value, but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a matter of local policy whether or not to accept it for use as a SIP certificate.
• If the certificate does not contain the id-kp-sipDomain EKU value, but does contain either the id-kp-serverAuth or id-kp-clientAuth EKU values, it is a matter of local policy whether or not to accept it for use as a SIP certificate.

  id-kp-serverAuth and id-kp-clientAuth EKU values are defined in Section 4.2.1.12 of RFC 5280 [3] (Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R., and W. Polk, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008.).

• If EKU extension exists but does not contain any of the id-kp-sipDomain, id-kp-anyExtendedKeyUsage, id-kp-serverAuth, or id-kp-clientAuth EKU values, then the certificate MUST NOT be accepted as valid for use as a SIP certificate.

5.  Implications for a Certification Authority

The procedures and practices employed by a certification authority MUST ensure that the correct values for the EKU extension and subjectAltName are inserted in each certificate that is issued. For certificates that indicate authority over a SIP domain, but not over services other than SIP, certificate authorities MUST include the id-kp-sipDomain EKU extension.

6.  Security Considerations

This memo defines an EKU X.509 certificate extension that restricts the the usage of a certificate to a SIP service belonging to an autonomous domain. Relying parties may execute applicable policies (such as those related to billing) on receiving a certificate with the id-kp-sipDomain EKU value. An id-kp-sipDomain EKU value does not introduce any new security or privacy concerns.

7.  IANA Considerations

The id-kp-sipDomain purpose requires an object identifier (OID). The objects are defined in an arc delegated by IANA to the PKIX working group. No further action is necessary by IANA.

8.  Acknowledgments

The following IETF contributors provided substantive input to this document: Jeroen van Bemmel, Michael Hammer, Cullen Jennings, Paul Kyzivat, Derek MacDonald, Dave Oran, Jon Peterson, Eric Rescorla, Jonathan Rosenberg, Russ Housley, Paul Hoffman, and Stephen Kent.

Sharon Boyen and Trevor Freeman reviewed the document and facilitated the discussion on id-kp-anyExtendedKeyUsage, id-kpServerAuth and id-kp-ClientAuth purposes in certificates.

9.  References

9.1. Normative References

9.2. Informative References

Appendix A.  ASN.1 Module

   SIPDomainCertExtn
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-sip-domain-extns2007(VALUE-TBD) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- OID Arcs

   id-pe  OBJECT IDENTIFIER  ::=
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) 1 }

   id-kp  OBJECT IDENTIFIER  ::=
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) 3 }

   id-aca  OBJECT IDENTIFIER  ::=
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) 10 }

   -- Extended Key Usage Values

   id-kp-sipDomain  OBJECT IDENTIFIER  ::=  { id-kp 20 }

   END

Authors' Addresses

Full Copyright Statement

Copyright © The IETF Trust (2008).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.