Enhanced JSON Web Token (JWT) Claim Constraints for Secure Telephone Identity Revisited (STIR) CertificatesVigil Security, LLC516 Dranesville RoadHerndonVA20170United States of Americahousley@vigilsec.com
ART
STIRX.509 Certificate ExtensionRFC 8226 specifies the use of certificates for Secure Telephone Identity
Credentials; these certificates are often called "Secure Telephone Identity
Revisited (STIR) Certificates".
RFC 8226 provides a certificate extension to constrain the JSON Web Token
(JWT) claims that can be included in the Personal Assertion Token (PASSporT),
as defined in RFC 8225. If the PASSporT signer includes a JWT claim outside
the constraint boundaries, then the PASSporT recipient will reject the entire
PASSporT. This document updates RFC 8226; it provides all of the capabilities
available in the original certificate extension as well as an additional way
to constrain the allowable JWT claims. The enhanced extension can also
provide a list of claims that are not allowed to be included in the PASSporT.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Terminology
. Enhanced JWT Claim Constraints Syntax
. Usage Examples
. Certificate Extension Example
. Guidance to Certification Authorities
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
. ASN.1 Module
Acknowledgements
Author's Address
IntroductionThe use of certificates in establishing authority over
telephone numbers is described in . These certificates are
often called "STIR Certificates". STIR certificates are an important
element of the overall system that prevents the impersonation of
telephone numbers on the Internet. provides a certificate extension to constrain
the JSON Web Token (JWT) claims that can be included in the Personal
Assertion Token (PASSporT) . If the PASSporT signer includes
a JWT claim outside the constraint boundaries, then the PASSporT recipient
will reject the entire PASSporT.This document defines an enhanced JWTClaimConstraints certificate extension,
which provides all of the capabilities available in the original certificate
extension as well as an additional way to constrain the allowable JWT
claims. That is, the enhanced extension can provide a list of claims that
are not allowed to be included in the PASSporT.The Enhanced JWT Claim Constraints certificate extension is needed to limit
the authority when a parent STIR certificate delegates to a subordinate STIR
certificate. For example, describes the
situation where service providers issue a STIR certificate to enterprises or
other customers to sign PASSporTs, and the Enhanced JWT Claim Constraints
certificate extension can be used to prevent specific claims from being
included in PASSporTs and accepted as valid by the PASSporT recipient.The JWT Claim Constraints certificate extension defined in
provides a list of claims that must be included in a valid PASSporT as well
as a list of permitted values for selected claims. The Enhanced JWT Claim
Constraints certificate extension defined in this document includes those
capabilities and adds a list of claims that must not be included in a
valid PASSporT.Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Enhanced JWT Claim Constraints SyntaxThe Enhanced JWT Claim Constraints certificate extension is non-critical,
applicable only to end-entity certificates, and defined with
ASN.1 . The syntax of the JWT claims in a PASSporT is
specified in .The Enhanced JWT Claim Constraints certificate extension is optional, but,
when present, it constrains the JWT claims that authentication services may
include in the PASSporT objects they sign. Constraints are applied by
certificate issuers and enforced by recipients when validating PASSporT
claims as follows:
mustInclude indicates JWT claims that MUST appear in the PASSporT
in addition to the iat, orig, and dest claims. The baseline PASSporT
claims ("iat", "orig", and "dest") are considered to be required by
, and these claims SHOULD NOT
be part of the mustInclude
list. If mustInclude is absent, the iat, orig, and dest claims MUST
appear in the PASSporT.
permittedValues indicates that, if the claim name is present, the
claim MUST exactly match one of the listed values.
mustExclude indicates JWT claims that MUST NOT appear in the
PASSporT. The baseline PASSporT claims ("iat", "orig", and "dest") are always
permitted, and these claims MUST NOT be part of the mustExclude list.
If one of these baseline PASSporT claims appears in the mustExclude list, then the
certificate MUST be treated as if the extension was not present.
Following the precedent in , JWT Claim Names MUST be ASCII strings,
which are also known as strings using the International Alphabet No. 5 .The Enhanced JWT Claim Constraints certificate extension is identified by the
following object identifier (OID):
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }
The Enhanced JWT Claim Constraints certificate extension has the following syntax:
EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL,
-- If the claim name is present, the claim MUST contain one
-- of the listed values.
mustExclude [2] JWTClaimNames OPTIONAL }
-- The listed claim names MUST NOT appear in the PASSporT.
( WITH COMPONENTS { ..., mustInclude PRESENT } |
WITH COMPONENTS { ..., permittedValues PRESENT } |
WITH COMPONENTS { ..., mustExclude PRESENT } )
JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues
JWTClaimValues ::= SEQUENCE {
claim JWTClaimName,
values SEQUENCE SIZE (1..MAX) OF UTF8String }
JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName
JWTClaimName ::= IA5String
Usage ExamplesConsider these usage examples with a PASSporT claim called "confidence" with
values "low", "medium", and "high". These examples illustrate the constraints
that are imposed by mustInclude, permittedValues, and mustExclude:
If a certification authority (CA) issues a certificate to an authentication
service that includes
an Enhanced JWT Claim Constraints certificate extension that contains the
mustInclude JWTClaimName "confidence", then an authentication service is
required to include the "confidence" claim in all PASSporTs it generates
and signs. A verification service will treat any PASSporT it
receives without a "confidence" PASSporT claim as invalid.
If a CA issues a certificate to an authentication service that includes
an Enhanced JWT Claim Constraints certificate extension that contains the
permittedValues JWTClaimName "confidence" and a permitted "high" value,
then a verification service will treat any PASSporT
it receives with a PASSporT "confidence" claim with a value other than
"high" as invalid. However, a verification service will not treat a
PASSporT it receives without a PASSporT "confidence" claim at all as invalid, unless
"confidence" also appears in mustInclude.
If a CA issues a certificate to an authentication service that includes
an Enhanced JWT Claim Constraints certificate extension that contains the
mustExclude JWTClaimName "confidence", then a verification service will
treat any PASSporT it receives with a PASSporT "confidence"
claim as invalid regardless of the claim value.
Certificate Extension ExampleA certificate containing an example of the EnhancedJWTClaimConstraints
certificate extension is provided in . The certificate is
provided in the format described in . The example of the
EnhancedJWTClaimConstraints extension from the certificate
is shown in .
The example imposes three constraints:
The "confidence" claim must be present in the PASSporT.
The "confidence" claim must have a value of "high" or "medium".
The "priority" claim must not be present in the PASSporT.
Guidance to Certification AuthoritiesThe EnhancedJWTClaimConstraints extension specified in this document and the
JWTClaimConstraints extension specified in MUST NOT both appear
in the same certificate.If the situation calls for mustExclude constraints, then the
EnhancedJWTClaimConstraints extension is the only extension that
can express the constraints.On the other hand, if the situation does not call for mustExclude constraints,
then either the EnhancedJWTClaimConstraints extension or the JWTClaimConstraints
extension can express the constraints. Until such time as support for the
EnhancedJWTClaimConstraints extension becomes widely implemented, the use of
the JWTClaimConstraints extension may be more likely to be supported. This
guess is based on the presumption that the first specified extension will be
implemented more widely in the next few years.IANA ConsiderationsThis document makes use of object identifiers for the Enhanced JWT
Claim Constraints certificate extension defined in and the
ASN.1 module identifier defined in . Therefore, IANA has
made the following assignments within the "Structure of Management Information (SMI) Numbers (MIB Module Registrations)" registry.For the Enhanced JWT Claim Constraints certificate extension in the
"SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:
Decimal
Description
33
id-pe-eJWTClaimConstraints
For the ASN.1 module identifier in the "SMI Security for PKIX Module
Identifier" (1.3.6.1.5.5.7.0) registry:
Decimal
Description
101
id-mod-eJWTClaimConstraints-2021
Security ConsiderationsFor further information on certificate security and practices,
see , especially the Security Considerations section.Since non-critical certificate extensions are ignored by implementations
that do not recognize the extension object identifier (OID), constraints
on PASSporT validation will only be applied by relying parties
that recognize the EnhancedJWTClaimConstraints extension.The Enhanced JWT Claim Constraints certificate extension can be
used by certificate issuers to provide limits on the acceptable
PASSporTs that can be accepted by verification services. Enforcement
of these limits depends upon proper implementation by the verification
services. The digital signature on the PASSporT data structure will
be valid even if the limits are violated.Use of the Enhanced JWT Claim Constraints certificate extension
permittedValues constraint is most useful when the claim definition
allows a specified set of values. In this way, all of the values
that are not listed in the JWTClaimValuesList are prohibited in a
valid PASSporT.Certificate issuers must take care when imposing constraints on the
PASSporT claims and the claim values that can be successfully validated;
some combinations can prevent any PASSporT from being successfully
validated by the certificate. For example, an entry in mustInclude and
an entry in mustExclude for the same claim will prevent successful
validation on any PASSporT.Certificate issuers SHOULD NOT include an entry in mustExclude for the
"rcdi" claim for a certificate that will be used with the PASSporT
Extension for Rich Call Data defined in .
Excluding this claim would prevent the integrity protection mechanism
from working properly.Certificate issuers must take care when performing certificate renewal
to include exactly the same Enhanced JWT Claim Constraints certificate extension
in the new certificate as the old one. Renewal usually takes place before the
old certificate expires, so there is a period of time where both the new
certificate and the old certificate are valid. If different constraints
appear in the two certificates with the same public key, some PASSporTs
might be valid when one certificate is used and invalid when the other
one is used.ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.PASSporT: Personal Assertion TokenThis document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.Secure Telephone Identity Credentials: CertificatesIn order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notationITU-TInformative ReferencesInformation technology - ISO 7-bit coded character set for information interchangeISOInternet Security Glossary, Version 2This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community.Textual Encodings of PKIX, PKCS, and CMS StructuresThis document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate.Secure Telephone Identity Revisited (STIR) Certificate DelegationPASSporT Extension for Rich Call DataComcastNeustar Inc. This document extends PASSporT, a token for conveying
cryptographically-signed call information about personal
communications, to include rich meta-data about a call and caller
that can be signed and integrity protected, transmitted, and
subsequently rendered to the intended called party. This framework
is intended to include and extend caller and call specific
information beyond human-readable display name comparable to the
"Caller ID" function common on the telephone network. The JSON
element defined for this purpose, Rich Call Data (RCD), is an
extensible object defined to either be used as part of STIR or with
SIP Call-Info to include related information about calls that helps
people decide whether to pick up the phone. This signing of the RCD
information is also enhanced with a integrity mechanism that is
designed to protect the authoring and transport of this information
between authoritative and non-authoritative parties generating and
signing the Rich Call Data for support of different usage and content
policies.
Work in ProgressASN.1 ModuleThis appendix provides the ASN.1 definitions for
the Enhanced JWT Claim Constraints certificate extension. The module
defined in this appendix is compatible with the ASN.1 specifications
published in 2015.This ASN.1 module imports ASN.1 from .
EnhancedJWTClaimConstraints-2021
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-eJWTClaimConstraints-2021(101) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN
IMPORTS
id-pe
FROM PKIX1Explicit-2009 -- From RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) }
EXTENSION
FROM PKIX-CommonTypes-2009 -- From RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) } ;
-- Enhanced JWT Claim Constraints Certificate Extension
ext-eJWTClaimConstraints EXTENSION ::= {
SYNTAX EnhancedJWTClaimConstraints
IDENTIFIED BY id-pe-eJWTClaimConstraints }
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }
EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL,
-- If the claim name is present, the claim MUST contain one
-- of the listed values.
mustExclude [2] JWTClaimNames OPTIONAL }
-- The listed claim names MUST NOT appear in the PASSporT.
( WITH COMPONENTS { ..., mustInclude PRESENT } |
WITH COMPONENTS { ..., permittedValues PRESENT } |
WITH COMPONENTS { ..., mustExclude PRESENT } )
JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues
JWTClaimValues ::= SEQUENCE {
claim JWTClaimName,
values SEQUENCE SIZE (1..MAX) OF UTF8String }
JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName
JWTClaimName ::= IA5String
END
AcknowledgementsMany thanks to for his insight into the need for
the for the Enhanced JWT Claim Constraints certificate extension.Thanks to
,
,
,
,
, and
for their thoughtful review and comments. The document is much
better as a result of their efforts.Author's AddressVigil Security, LLC516 Dranesville RoadHerndonVA20170United States of Americahousley@vigilsec.com