< draft-housley-spasm-eku-constraints-00.txt   draft-housley-spasm-eku-constraints-01.txt >
INTERNET-DRAFT R. Housley INTERNET-DRAFT R. Housley
Intended Status: Standards Track Vigil Security Intended Status: Standards Track Vigil Security
Updates: RFC 5280 (if approved) Updates: RFC 5280 (if approved)
Expires: 14 November 2016 13 May 2016 Expires: 18 November 2016 17 May 2016
Extended Key Usage Constraints Extended Key Usage Constraints
draft-housley-spasm-eku-constraints-00 draft-housley-spasm-eku-constraints-01
Abstract Abstract
This document specifies the extended key usage constraints This document specifies the extended key usage constraints
certificate extension, which is used to place restrictions on the key certificate extension, which is used to place restrictions on the key
purpose identifiers that are authorized to appear in subsequent purpose identifiers that are authorized to appear in the end-entity
certificates in a certification path. Restrictions apply to the certificate in a certification path. Restrictions apply to the
extended key usage certificate extension, which is described in RFC extended key usage certificate extension, which is described in
5280. RFC 5280.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
skipping to change at page 2, line 27 skipping to change at page 2, line 32
Section 4.2.1.12 of RFC 5280 [RFC5280]. Section 4.2.1.12 of RFC 5280 [RFC5280].
1.1 Terminology 1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
1.2. ASN.1 1.2. ASN.1
Certificates are generated using ASN.1 [X680], which uses the Basic Certificates are generated using ASN.1 [X680] and the Distinguished
Encoding Rules (BER) and the Distinguished Encoding Rules (DER) Encoding Rules (DER) [X690].
[X690].
RFC 5280 [RFC5280] contains two ASN.1 modules that make use of an
older version of the syntax (the 1988 Syntax). RFC 5912 [RFC5912]
provides these same ASN.1 modules in the newer syntax. The appendix
of this document provides an ASN.1 module; it employs the newer
syntax.
2. Extended Key Usage Constraints Certificate Extension 2. Extended Key Usage Constraints Certificate Extension
The extended key usage (EKU) constraints certificate extension, which The extended key usage (EKU) constraints certificate extension, which
MUST be used only in a CA certificate, indicates the extended key MUST be used only in a CA certificate, indicates the extended key
usage values that are authorized to appear in subsequent certificates usage values that are authorized to appear in subsequent certificates
in a certification path. Restrictions apply to the extended key in a certification path. Restrictions apply to the extended key
usage certificate extension, which is described in Section 4.2.1.12 usage certificate extension, which is described in Section 4.2.1.12
of RFC 5280 [RFC5280]. of RFC 5280 [RFC5280].
Restrictions are defined in terms of permitted or excluded key Restrictions are defined in terms of permitted or excluded key
purpose identifiers. Any key purpose identifier matching an entry in purpose identifiers.
the excludedKeyPurposeIds field is invalid regardless of information
appearing in the permittedKeyPurposeIds. The permitted key purpose identifiers begins with the universal set.
Then, as each certificate in the certification path is processed, the
permitted key purpose identifiers are reduced to the intersection of
the previous set and the ones listed in the permittedKeyPurposeIds
field. Finally, each key purpose identifier in the extended key
usage extension of the end-entity certificate MUST appear in the
permitted key purpose identifiers set.
The excluded key purpose identifiers begins with the empty set.
Then, as each certificate in the certification path is processed, the
excluded key purpose identifiers are increased to the union of the
previous set and the ones listed in the excludedKeyPurposeIds field.
Finally, each key purpose identifier in the extended key usage
extension of the end-entity certificate MUST NOT appear in the
excluded key purpose identifiers set.
The special key purpose identifier anyExtendedKeyUsage is not treated
differently than any other key purpose identifier in processing the
constraints. If the anyExtendedKeyUsage key purpose identifier
appears in the extended key usage extension of the end-entity
certificate, then the anyExtendedKeyUsage key purpose identifier MUST
appear in the permitted key purpose identifiers set and the
anyExtendedKeyUsage key purpose identifier MUST NOT appear in the
excluded key purpose identifiers set.
Conforming CAs MUST mark this extension as critical, and conforming Conforming CAs MUST mark this extension as critical, and conforming
CAs MUST NOT issue certificates where this extension is an empty CAs MUST NOT issue certificates where this extension is an empty
sequence. That is, either the permittedKeyPurposeIds field or the sequence. That is, at least one of the permittedKeyPurposeIds field
excludedKeyPurposeIds field MUST be present. or the excludedKeyPurposeIds field MUST be present.
Conforming applications MUST be able to process this extension. If Conforming applications MUST be able to process this extension. If
any CA certificate in the certification path includes an EKU any CA certificate in the certification path includes an extended key
constraints extension that is marked as critical, and the end-entity usage constraints extension and the end-entity certificate includes
certificate includes an extended key usage certificate extension, an extended key usage certificate extension, then the application
then the application MUST either process the EKU constraint or reject MUST either process the extended key usage extension constraint or
the certificate. reject the certificate.
ekuConstraints EXTENSION ::= { SYNTAX EKUConstraints ext-ExtKeyUsageConstraints EXTENSION ::= {
SYNTAX EKUConstraints
IDENTIFIED BY id-ce-ekuConstraints } IDENTIFIED BY id-ce-ekuConstraints }
id-ce-ekuConstraints OBJECT IDENTIFIER ::= { id-ce TBD } id-ce-ekuConstraints OBJECT IDENTIFIER ::= { id-pe TBD }
EKUConstraints ::= SEQUENCE { EKUConstraints ::= SEQUENCE {
permittedKeyPurposeIds [0] KeyPurposeIds OPTIONAL, permittedKeyPurposeIds [0] KeyPurposeIds OPTIONAL,
excludedKeyPurposeIds [1] KeyPurposeIds OPTIONAL } excludedKeyPurposeIds [1] KeyPurposeIds OPTIONAL }
( WITH COMPONENTS { ..., permittedKeyPurposeIds PRESENT } |
WITH COMPONENTS { ..., excludedKeyPurposeIds PRESENT } )
KeyPurposeIds ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeIds ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
3. Basic Path Validation 3. Basic Path Validation
Certification path validation is described in Section 6.1 of RFC 5280 Certification path validation is described in Section 6.1 of RFC 5280
[RFC5280]. Certification path processing verifies the binding [RFC5280]. Certification path processing verifies the binding
between the subject name and the subject public key. The binding is between the subject name and the subject public key. The binding is
limited by constraints that are specified in the certificates that limited by constraints that are specified in the certificates that
comprise the path and inputs that are specified by the relying party. comprise the path and inputs that are specified by the relying party.
skipping to change at page 3, line 49 skipping to change at page 4, line 36
all of the key purpose identifiers in the end-entity certificate all of the key purpose identifiers in the end-entity certificate
MUST be included in this set. If the set is empty, then the MUST be included in this set. If the set is empty, then the
certification path will be considered invalid if the end-entity certification path will be considered invalid if the end-entity
certificate includes an extended key usage extension. The certificate includes an extended key usage extension. The
initial value is a special value that represents the universal initial value is a special value that represents the universal
set. set.
(m) excluded_key_purpose_ids: a set of key purpose identifiers; the (m) excluded_key_purpose_ids: a set of key purpose identifiers; the
key purpose identifiers in the end-entity certificate MUST NOT key purpose identifiers in the end-entity certificate MUST NOT
be included in this set. If the set is empty, then no key be included in this set. If the set is empty, then no key
purpose identifiers are excluded. The initial value is a is the purpose identifiers are excluded. The initial value is the
empty set. empty set.
3.3. Basic Certificate Processing 3.3. Basic Certificate Processing
No additional processing steps are needed. No additional processing steps are needed.
3.4. Preparation for Certificate i+1 3.4. Preparation for Certificate i+1
One additional processing step is needed. One additional processing step is needed.
skipping to change at page 4, line 36 skipping to change at page 5, line 32
3.5. Wrap-Up Procedure 3.5. Wrap-Up Procedure
One additional processing step is needed. One additional processing step is needed.
(h) If the EKU extension is included in the end-entity certificate, (h) If the EKU extension is included in the end-entity certificate,
then confirm that the values meet the restrictions in the then confirm that the values meet the restrictions in the
permitted_key_purpose_ids and excluded_key_purpose_ids state permitted_key_purpose_ids and excluded_key_purpose_ids state
variables as follows: variables as follows:
(1) If permitted_key_purpose_ids state variable is not special (1) If permitted_key_purpose_ids state variable is empty, then
value that represents the universal set, then confirm that return a failure indication and an appropriate reason.
all of the key purpose identifiers are present in the set.
If any are missing, then returning a failure indication and
an appropriate reason.
(2) If excluded_key_purpose_ids state variable is not empty, (2) If excluded_key_purpose_ids state variable is not empty,
then confirm that none of the key purpose identifiers are then confirm that none of the key purpose identifiers in
present in the set. If any are present, then returning a the state variable are present in the end-entity
failure indication and an appropriate reason. certificate. If any are present, then return a failure
indication and an appropriate reason.
(3) If permitted_key_purpose_ids state variable is not the
special value that represents the universal set, then
confirm that all of the key purpose identifiers in the end-
entity certificate are present in the state variable. If
any are missing, then return a failure indication and an
appropriate reason.
3.6. Outputs 3.6. Outputs
No additional output values are returned. No additional output values are returned.
4. IANA Considerations 4. IANA Considerations
Please assign an object identifier for the certificate extension Please assign an object identifier for the certificate extension
specified in this document. Once the ASN.1 module is added, then an specified in this document. Once the ASN.1 module is added, then an
object identifier for that will be needed too. object identifier for that will be needed too.
5. Security Considerations 5. Security Considerations
TBD When a CA includes the extended key usage constraints certificate
extension for a subordinate CA, the OCSPSigning key purpose
identifier SHOULD be included in the permittedKeyPurposeIds field to
enable the issuance of delegated OCSP Responder certificates.
6. Normative References 6. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <http://www.rfc- 10.17487/RFC2119, March 1997, <http://www.rfc-
editor.org/info/rfc2119>. editor.org/info/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>. <http://www.rfc-editor.org/info/rfc5280>.
[X680] ITU-T, "Information technology -- Abstract Syntax Notation
One (ASN.1): Specification of basic notation", ITU-T
Recommendation X.680, 2002.
[X690] ITU-T, "Information technology -- ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, 2002.
7. Informative References
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, <http://www.rfc-
editor.org/info/rfc5912>.
Appendix: ASN.1 Module Appendix: ASN.1 Module
TBD EKUConstraints2016 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-ekuConstraints2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= BEGIN
-- EXPORTS ALL --
IMPORTS
EXTENSION
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
id-pe
FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) }
KeyPurposeId
FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-implicit-02(59) } ;
MoreCertExtensions EXTENSION ::= {
ext-ExtKeyUsageConstraints, ... }
ext-ExtKeyUsageConstraints EXTENSION ::= {
SYNTAX EKUConstraints
IDENTIFIED BY id-ce-ekuConstraints }
id-ce-ekuConstraints OBJECT IDENTIFIER ::= { id-pe TBD }
EKUConstraints ::= SEQUENCE {
permittedKeyPurposeIds [0] KeyPurposeIds OPTIONAL,
excludedKeyPurposeIds [1] KeyPurposeIds OPTIONAL }
( WITH COMPONENTS { ..., permittedKeyPurposeIds PRESENT } |
WITH COMPONENTS { ..., excludedKeyPurposeIds PRESENT } )
KeyPurposeIds ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
END
Acknowledgements
Many thanks to review and insightful comments from Santosh Chokhani,
Stephen Farrell, Tom Gindin, Sean Leonard, Michael Richardson, Jim
Schaad, and Mike St.Johns.
Author's Address Author's Address
Russell Housley Russell Housley
Vigil Security, LLC Vigil Security, LLC
918 Spring Knoll Drive 918 Spring Knoll Drive
Herndon, VA 20170 Herndon, VA 20170
USA USA
EMail: housley@vigilsec.com EMail: housley@vigilsec.com
 End of changes. 17 change blocks. 
34 lines changed or deleted 139 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/