| < draft-ietf-acme-authority-token-04.txt | draft-ietf-acme-authority-token-05.txt > | |||
|---|---|---|---|---|
| Network Working Group J. Peterson | Network Working Group J. Peterson | |||
| Internet-Draft Neustar | Internet-Draft Neustar | |||
| Intended status: Informational M. Barnes | Intended status: Informational M. Barnes | |||
| Expires: May 7, 2020 Independent | Expires: September 10, 2020 Independent | |||
| D. Hancock | D. Hancock | |||
| C. Wendt | C. Wendt | |||
| Comcast | Comcast | |||
| November 4, 2019 | March 9, 2020 | |||
| ACME Challenges Using an Authority Token | ACME Challenges Using an Authority Token | |||
| draft-ietf-acme-authority-token-04.txt | draft-ietf-acme-authority-token-05 | |||
| Abstract | Abstract | |||
| Some proposed extensions to the Automated Certificate Management | Some proposed extensions to the Automated Certificate Management | |||
| Environment (ACME) rely on proving eligibility for certificates | Environment (ACME) rely on proving eligibility for certificates | |||
| through consulting an external authority that issues a token | through consulting an external authority that issues a token | |||
| according to a particular policy. This document specifies a generic | according to a particular policy. This document specifies a generic | |||
| Authority Token challenge for ACME which supports subtype claims for | Authority Token challenge for ACME which supports subtype claims for | |||
| different identifiers or namespaces that can be defined separately | different identifiers or namespaces that can be defined separately | |||
| for specific applications. | for specific applications. | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 7, 2020. | This Internet-Draft will expire on September 10, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 5.1. Basic REST Interface . . . . . . . . . . . . . . . . . . 7 | 5.1. Basic REST Interface . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Using an Authority Token in a Challenge . . . . . . . . . . . 8 | 6. Using an Authority Token in a Challenge . . . . . . . . . . . 8 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 10. Normative References . . . . . . . . . . . . . . . . . . . . 10 | 10. Normative References . . . . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| ACME [I-D.ietf-acme-acme] is a mechanism for automating certificate | ACME [RFC8555] is a mechanism for automating certificate management | |||
| management on the Internet. It enables administrative entities to | on the Internet. It enables administrative entities to prove | |||
| prove effective control over resources like domain names, and | effective control over resources like domain names, and automates the | |||
| automates the process of generating and issuing certificates. | process of generating and issuing certificates. | |||
| In some cases, proving effective control over an identifier requires | In some cases, proving effective control over an identifier requires | |||
| an attestation from a third party who has authority over the | an attestation from a third party who has authority over the | |||
| resource, for example, an external policy administrator for a | resource, for example, an external policy administrator for a | |||
| namespace other than the DNS application ACME was originally designed | namespace other than the DNS application ACME was originally designed | |||
| to support. In order to automate the process of issuing certificates | to support. In order to automate the process of issuing certificates | |||
| for those resources, this specification defines a generic Authority | for those resources, this specification defines a generic Authority | |||
| Token challenge that ACME servers can issue in order to require | Token challenge that ACME servers can issue in order to require | |||
| clients to return such a token. The challenge contains a type | clients to return such a token. The challenge contains a type | |||
| indication that tells the client what sort of token it needs to | indication that tells the client what sort of token it needs to | |||
| skipping to change at page 3, line 15 ¶ | skipping to change at page 3, line 15 ¶ | |||
| (CSPs) can delegate authority over numbers to their customers, and | (CSPs) can delegate authority over numbers to their customers, and | |||
| those CSPs who support ACME can then help customers to acquire | those CSPs who support ACME can then help customers to acquire | |||
| certificates for those numbering resources with ACME. This can | certificates for those numbering resources with ACME. This can | |||
| permit number acquisition flows compatible with those shown in | permit number acquisition flows compatible with those shown in | |||
| [RFC8396]. Another, similar example would a mechanism that permits | [RFC8396]. Another, similar example would a mechanism that permits | |||
| CSPs to delegate authority for particular telephone numbers to | CSPs to delegate authority for particular telephone numbers to | |||
| customers, as described in [I-D.ietf-acme-telephone]. | customers, as described in [I-D.ietf-acme-telephone]. | |||
| 2. Terminology | 2. Terminology | |||
| In this document, the key words "MUST", "MUST NOT", "REQUIRED", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| described in [RFC2119]. | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | ||||
| 3. Challenges for an Authority Token | 3. Challenges for an Authority Token | |||
| Proving that a device on the Internet has effective control over a | Proving that a device on the Internet has effective control over a | |||
| non-Internet resource is not as straightforward as proving control | non-Internet resource is not as straightforward as proving control | |||
| over an Internet resources like a DNS zone or a web page. Provided | over an Internet resources like a DNS zone or a web page. Provided | |||
| that the issuer of identifiers in a namespace, or someone acting on | that the issuer of identifiers in a namespace, or someone acting on | |||
| the issuer's behalf, can implement a service that grants Authority | the issuer's behalf, can implement a service that grants Authority | |||
| Tokens to the people to whom it has issued identifiers, a generic | Tokens to the people to whom it has issued identifiers, a generic | |||
| token could be used as a response to an ACME challenge. This | token could be used as a response to an ACME challenge. This | |||
| skipping to change at page 10, line 13 ¶ | skipping to change at page 10, line 13 ¶ | |||
| The "atc" field in this response contains the Authority Token. | The "atc" field in this response contains the Authority Token. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| We would like to thank you for your contributions to this problem | We would like to thank you for your contributions to this problem | |||
| statement and framework. | statement and framework. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document requests that the IANA registers a new ACME identifier | This document requests that the IANA registers a new ACME identifier | |||
| type (per [I-D.ietf-acme-acme]) for the label "atc", for which the | type (per [RFC8555]) for the label "atc", for which the reference is | |||
| reference is [RFCThis]. | [RFCThis]. | |||
| This document further requests that the IANA create a registry for | This document further requests that the IANA create a registry for | |||
| "token types" as used in these challenges, following the requirements | "token types" as used in these challenges, following the requirements | |||
| in Section 3.1, pre-populated with the label of "atc" per Section 4 | in Section 3.1, pre-populated with the label of "atc" per Section 4 | |||
| with a value of [RFCThis]. | with a value of [RFCThis]. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| Per the guidance in [I-D.ietf-acme-acme], ACME transactions MUST use | Per the guidance in [RFC8555], ACME transactions MUST use TLS, and | |||
| TLS, and similarly the HTTPS REST transactions used to request and | similarly the HTTPS REST transactions used to request and acquire | |||
| acquire authority tokens MUST use TLS. These measures are intended | authority tokens MUST use TLS. These measures are intended to | |||
| to prevent the capture of Authority Tokens by eavesdroppers. | prevent the capture of Authority Tokens by eavesdroppers. The | |||
| security considerations of [RFC8555] apply to the use of the | ||||
| mechanism in this specification. | ||||
| The capture of Authority Tokens by an adversary could enable an | The capture of Authority Tokens by an adversary could enable an | |||
| attacker to acquire a certificate from a CA. Therefore, all | attacker to acquire a certificate from a CA. Therefore, all | |||
| Authority Tokens MUST contain a field that identifies to the CA which | Authority Tokens MUST contain a field that identifies to the CA which | |||
| ACME client requested the token from the authority; here that is the | ACME client requested the token from the authority; here that is the | |||
| fingerprint specified in Section 4). All Authority Tokens must | fingerprint specified in Section 4). All Authority Tokens must | |||
| specify an expiry (of the token itself as proof for a CA, as opposed | specify an expiry (of the token itself as proof for a CA, as opposed | |||
| to the expiry of the name), and for some application, it may make | to the expiry of the name), and for some application, it may make | |||
| sense of that expiry to be quite short. Any protocol used to | sense of that expiry to be quite short. Any protocol used to | |||
| retrieve Authority Tokens from an authority MUST use confidentiality | retrieve Authority Tokens from an authority MUST use confidentiality | |||
| to prevent eavesdroppers from acquiring an Authority Token. | to prevent eavesdroppers from acquiring an Authority Token. | |||
| 10. Normative References | 10. Normative References | |||
| [I-D.ietf-acme-acme] | ||||
| Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. | ||||
| Kasten, "Automatic Certificate Management Environment | ||||
| (ACME)", draft-ietf-acme-acme-18 (work in progress), | ||||
| December 2018. | ||||
| [I-D.ietf-acme-authority-token-tnauthlist] | [I-D.ietf-acme-authority-token-tnauthlist] | |||
| Wendt, C., Hancock, D., Barnes, M., and J. Peterson, | Wendt, C., Hancock, D., Barnes, M., and J. Peterson, | |||
| "TNAuthList profile of ACME Authority Token", draft-ietf- | "TNAuthList profile of ACME Authority Token", draft-ietf- | |||
| acme-authority-token-tnauthlist-04 (work in progress), | acme-authority-token-tnauthlist-05 (work in progress), | |||
| September 2019. | November 2019. | |||
| [I-D.ietf-acme-service-provider] | [I-D.ietf-acme-service-provider] | |||
| Barnes, M. and C. Wendt, "ACME Identifiers and Challenges | Barnes, M. and C. Wendt, "ACME Identifiers and Challenges | |||
| for VoIP Service Providers", draft-ietf-acme-service- | for VoIP Service Providers", draft-ietf-acme-service- | |||
| provider-02 (work in progress), October 2017. | provider-02 (work in progress), October 2017. | |||
| [I-D.ietf-acme-star] | [I-D.ietf-acme-star] | |||
| Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T. | Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T. | |||
| Fossati, "Support for Short-Term, Automatically-Renewed | Fossati, "Support for Short-Term, Automatically-Renewed | |||
| (STAR) Certificates in Automated Certificate Management | (STAR) Certificates in Automated Certificate Management | |||
| skipping to change at page 11, line 40 ¶ | skipping to change at page 11, line 35 ¶ | |||
| <https://www.rfc-editor.org/info/rfc7340>. | <https://www.rfc-editor.org/info/rfc7340>. | |||
| [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | |||
| 2015, <https://www.rfc-editor.org/info/rfc7515>. | 2015, <https://www.rfc-editor.org/info/rfc7515>. | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, | [RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, | |||
| "Authenticated Identity Management in the Session | "Authenticated Identity Management in the Session | |||
| Initiation Protocol (SIP)", RFC 8224, | Initiation Protocol (SIP)", RFC 8224, | |||
| DOI 10.17487/RFC8224, February 2018, | DOI 10.17487/RFC8224, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8224>. | <https://www.rfc-editor.org/info/rfc8224>. | |||
| [RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion | [RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion | |||
| Token", RFC 8225, DOI 10.17487/RFC8225, February 2018, | Token", RFC 8225, DOI 10.17487/RFC8225, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8225>. | <https://www.rfc-editor.org/info/rfc8225>. | |||
| skipping to change at page 12, line 16 ¶ | skipping to change at page 12, line 11 ¶ | |||
| Credentials: Certificates", RFC 8226, | Credentials: Certificates", RFC 8226, | |||
| DOI 10.17487/RFC8226, February 2018, | DOI 10.17487/RFC8226, February 2018, | |||
| <https://www.rfc-editor.org/info/rfc8226>. | <https://www.rfc-editor.org/info/rfc8226>. | |||
| [RFC8396] Peterson, J. and T. McGarry, "Managing, Ordering, | [RFC8396] Peterson, J. and T. McGarry, "Managing, Ordering, | |||
| Distributing, Exposing, and Registering Telephone Numbers | Distributing, Exposing, and Registering Telephone Numbers | |||
| (MODERN): Problem Statement, Use Cases, and Framework", | (MODERN): Problem Statement, Use Cases, and Framework", | |||
| RFC 8396, DOI 10.17487/RFC8396, July 2018, | RFC 8396, DOI 10.17487/RFC8396, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8396>. | <https://www.rfc-editor.org/info/rfc8396>. | |||
| [RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J. | ||||
| Kasten, "Automatic Certificate Management Environment | ||||
| (ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019, | ||||
| <https://www.rfc-editor.org/info/rfc8555>. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jon Peterson | Jon Peterson | |||
| Neustar, Inc. | Neustar, Inc. | |||
| 1800 Sutter St Suite 570 | 1800 Sutter St Suite 570 | |||
| Concord, CA 94520 | Concord, CA 94520 | |||
| US | US | |||
| Email: jon.peterson@team.neustar | Email: jon.peterson@team.neustar | |||
| End of changes. 13 change blocks. | ||||
| 27 lines changed or deleted | 33 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||