| < draft-ietf-lamps-documentsigning-eku-02.txt | draft-ietf-lamps-documentsigning-eku-03.txt > | |||
|---|---|---|---|---|
| LAMPS Working Group T. Ito | LAMPS Working Group T. Ito | |||
| Internet-Draft SECOM CO., LTD. | Internet-Draft SECOM CO., LTD. | |||
| Intended status: Standards Track T. Okubo | Intended status: Standards Track T. Okubo | |||
| Expires: 8 September 2022 DigiCert, Inc. | Expires: 3 October 2022 DigiCert, Inc. | |||
| S. Turner | S. Turner | |||
| sn3rd | sn3rd | |||
| 7 March 2022 | 1 April 2022 | |||
| General Purpose Extended Key Usage (EKU) for Document Signing X.509 | General Purpose Extended Key Usage (EKU) for Document Signing X.509 | |||
| Certificates | Certificates | |||
| draft-ietf-lamps-documentsigning-eku-02 | draft-ietf-lamps-documentsigning-eku-03 | |||
| Abstract | Abstract | |||
| RFC5280 specifies several extended key purpose identifiers | RFC5280 specifies several extended key purpose identifiers | |||
| (KeyPurposeIds) for X.509 certificates. This document defines a | (KeyPurposeIds) for X.509 certificates. This document defines a | |||
| general purpose document signing KeyPurposeId for inclusion in the | general purpose document signing KeyPurposeId for inclusion in the | |||
| Extended Key Usage (EKU) extension of X.509 public key certificates. | Extended Key Usage (EKU) extension of X.509 public key certificates. | |||
| Document Signing applications may require that the EKU extension be | Document Signing applications may require that the EKU extension be | |||
| present and that a document signing KeyPurposeId be indicated in | present and that a document signing KeyPurposeId be indicated in | |||
| order for the certificate to be acceptable to that Document Signing | order for the certificate to be acceptable to that Document Signing | |||
| skipping to change at page 2, line 15 ¶ | skipping to change at page 2, line 15 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 8 September 2022. | This Internet-Draft will expire on 3 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 4, line 16 ¶ | skipping to change at page 4, line 16 ¶ | |||
| This specification defines the KeyPurposeId id-kp-documentSigning. | This specification defines the KeyPurposeId id-kp-documentSigning. | |||
| As described in [RFC5280], If the Extended Key Usage extension is | As described in [RFC5280], If the Extended Key Usage extension is | |||
| present, then the certificate MUST only be used for one of the | present, then the certificate MUST only be used for one of the | |||
| purposes indicated. [RFC5280] also describes that If multiple key | purposes indicated. [RFC5280] also describes that If multiple key | |||
| purposes are indicated the application need not recognize all | purposes are indicated the application need not recognize all | |||
| purposes indicated, as long as the intended purpose is present. | purposes indicated, as long as the intended purpose is present. | |||
| Document Signing applications MAY require that the Extended Key Usage | Document Signing applications MAY require that the Extended Key Usage | |||
| extension be present and that a id-kp-documentSigning be indicated in | extension be present and that the id-kp-documentSigning be indicated | |||
| order for the certificate to be acceptable to that Document Signing | in order for the certificate to be acceptable to that Document | |||
| application. | Signing application. | |||
| The term "Document Signing" in this document refers to digitally | The term "Document Signing" in this document refers to digitally | |||
| signing contents that are consumed by people. To be more precise, | signing contents that are consumed by people. To be more precise, | |||
| contents are intended to be shown to a person with printable or | contents are intended to be shown to a person with printable or | |||
| displayable form by means of services or software, rather than | displayable form by means of services or software, rather than | |||
| processed by machines. | processed by machines. | |||
| 3.1. Including the Extended Key Purpose for Document Signing in | 3.1. Including the Extended Key Purpose for Document Signing in | |||
| Certificates | Certificates | |||
| skipping to change at page 4, line 41 ¶ | skipping to change at page 4, line 41 ¶ | |||
| the certified public key is valid. The EKU extension can be used in | the certified public key is valid. The EKU extension can be used in | |||
| conjunction with the key usage extension, which indicates the set of | conjunction with the key usage extension, which indicates the set of | |||
| basic cryptographic operations for which the certified key may be | basic cryptographic operations for which the certified key may be | |||
| used. | used. | |||
| The EKU extension syntax is repeated here for convenience: | The EKU extension syntax is repeated here for convenience: | |||
| ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | |||
| KeyPurposeId ::= OBJECT IDENTIFIER | KeyPurposeId ::= OBJECT IDENTIFIER | |||
| As described in [RFC5280], EKU extension may, at the option of the | ||||
| certificate issuer, be either critical or non-critical. | ||||
| This specification defines the KeyPurposeId id-kp-documentSigning. | This specification defines the KeyPurposeId id-kp-documentSigning. | |||
| Inclusion of this KeyPurposeId in a certificate indicates that the | Inclusion of this KeyPurposeId in a certificate indicates that the | |||
| public key encoded in the certificate has been certified to be used | public key encoded in the certificate has been certified to be used | |||
| for cryptographic operations on contents that are consumed by people. | for cryptographic operations on contents that are consumed by people. | |||
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) 3 } | security(5) mechanisms(5) pkix(7) 3 } | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp XX } | id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp XX } | |||
| skipping to change at page 5, line 34 ¶ | skipping to change at page 5, line 34 ¶ | |||
| during certificate validation: | during certificate validation: | |||
| The implementation MAY examine the KeyPurposeId(s) included in the | The implementation MAY examine the KeyPurposeId(s) included in the | |||
| Extended Key Usage extension as follows: A Restriction on Extended | Extended Key Usage extension as follows: A Restriction on Extended | |||
| Key Usage is derived and implemented from (or configured with) the | Key Usage is derived and implemented from (or configured with) the | |||
| policy to which the implementation conforms. | policy to which the implementation conforms. | |||
| 1. If there are no restrictions set for the relying party and the | 1. If there are no restrictions set for the relying party and the | |||
| relying party software, the certificate is acceptable. | relying party software, the certificate is acceptable. | |||
| 2. If there are restrictions set for the replying party and relying | 2. If there are restrictions set for the relying party and relying | |||
| party software, then process the KeyPurposeId(s) as described | party software, then process the KeyPurposeId(s) as described | |||
| below. | below. | |||
| Each restriction on "Excluded KeyPurposeId" or "Permitted | Each restriction on "Excluded KeyPurposeId" or "Permitted | |||
| KeyPurposeId" is handled as described below. | KeyPurposeId" is handled as described below. | |||
| This procedure is intended to permit or prohibit presence of a | This procedure is intended to permit or prohibit presence of a | |||
| certain KeyPurposeId or complete absence of KeyPurposeIds. It is | certain KeyPurposeId or complete absence of KeyPurposeIds. It is | |||
| outside the scope of this document, but the relying party can | outside the scope of this document, but the relying party can | |||
| permit or prohibit combinations of KeyPurposeIds. A | permit or prohibit combinations of KeyPurposeIds. A | |||
| skipping to change at page 6, line 9 ¶ | skipping to change at page 6, line 9 ¶ | |||
| Excluded KeyPurposeId procedure: "Excluded KeyPurposeId" is a | Excluded KeyPurposeId procedure: "Excluded KeyPurposeId" is a | |||
| KeyPurposeId which the relying party or the relying party | KeyPurposeId which the relying party or the relying party | |||
| software prohibits. Examples of "Excluded KeyPurposeId" are, | software prohibits. Examples of "Excluded KeyPurposeId" are, | |||
| presence of the anyExtendedKeyUsage KeyPurposeId or complete | presence of the anyExtendedKeyUsage KeyPurposeId or complete | |||
| absence of the EKU extension in a certificate. If a | absence of the EKU extension in a certificate. If a | |||
| KeyPurposeId of the certificate meets the conditions set by | KeyPurposeId of the certificate meets the conditions set by | |||
| the "Excluded KeyPurposeId" restriction, the relying party or | the "Excluded KeyPurposeId" restriction, the relying party or | |||
| the relying party software rejects the certificate. | the relying party software rejects the certificate. | |||
| Permitted KeyPurposeId procedure: | Permitted KeyPurposeId procedure: "Permitted KeyPurposeId" is a | |||
| KeyPurposeId which the relying party or the relying party | ||||
| : "Permitted KeyPurposeId" is a KeyPurposeId which the relying | software accepts. Examples of "Permitted KeyPurposeId" are, | |||
| party or the relying party software accepts. Examples of | presence of this general document signing KeyPurposeId and/or | |||
| "Permitted KeyPurposeId" are, presence of this general document | protocol specific document signing-type KeyPurposeIds. If a | |||
| signing KeyPurposeId and/or protocol specific document signing- | KeyPurposeId of the certificate meets the condition set by a | |||
| type KeyPurposeIds. If a KeyPurposeId of the certificate meets | "Permitted KeyPurposeId" restriction, the certificate is | |||
| the condition set by a "Permitted KeyPurposeId" restriction, the | acceptable. Otherwise, relying party or the relying party | |||
| certificate is acceptable. Otherwise, relying party or the | software rejects the certificate. | |||
| relying party software rejects the certificate. | ||||
| When a single application has the capability to process various data | When a single application has the capability to process various data | |||
| formats, the software may choose to make the excluded and permitted | formats, the software may choose to make the excluded and permitted | |||
| decisions separately in accordance with the format it is handling | decisions separately in accordance with the format it is handling | |||
| (e.g. text, pdf, etc). | (e.g. text, pdf, etc). | |||
| 5. Implications for a Certification Authority | 5. Implications for a Certification Authority | |||
| The procedures and practices employed by a certification authority | The procedures and practices employed by a certification authority | |||
| MUST ensure that the correct values for the EKU extension are | MUST ensure that the correct values for the EKU extension are | |||
| skipping to change at page 7, line 10 ¶ | skipping to change at page 7, line 10 ¶ | |||
| To reduce the risk of specific cross-protocol attacks, the relying | To reduce the risk of specific cross-protocol attacks, the relying | |||
| party or relying party software may additionally prohibit use of | party or relying party software may additionally prohibit use of | |||
| specific combinations of KeyPurposeIds. | specific combinations of KeyPurposeIds. | |||
| While a specific protocol or signing scheme may choose to come up | While a specific protocol or signing scheme may choose to come up | |||
| with their own KeyPurposeIds, some may not have significant motive or | with their own KeyPurposeIds, some may not have significant motive or | |||
| resources to set up and manage their own KeyPurposeIds. This general | resources to set up and manage their own KeyPurposeIds. This general | |||
| document signing KeyPurposeId may be used as a stop-gap for those | document signing KeyPurposeId may be used as a stop-gap for those | |||
| that intend to define their own KeyPurposeId or those who do not | that intend to define their own KeyPurposeId or those who do not | |||
| intend to set up an KeyPurposeId but still would like to distinguish | intend to set up a KeyPurposeId but still would like to distinguish | |||
| document signing from other usages. | document signing from other usages. | |||
| Introduction of this id-kp-documentSigning KeyPurposeId does not | Introduction of this id-kp-documentSigning KeyPurposeId does not | |||
| introduce any new security or privacy concerns. | introduce any new security or privacy concerns. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document requests that IANA make two assignments. One | This document requests that IANA make two assignments. One | |||
| assignment is for the addition of the id-kp-documentSigning object | assignment is for the addition of the id-kp-documentSigning object | |||
| identifier (OID), as defined in Section 3.1, to the "SMI Security for | identifier (OID), as defined in Section 3.1, to the "SMI Security for | |||
| skipping to change at page 8, line 45 ¶ | skipping to change at page 8, line 45 ¶ | |||
| -- Document Signing Extended Key Usage -- | -- Document Signing Extended Key Usage -- | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp TBD2 } | id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp TBD2 } | |||
| END | END | |||
| Acknowledgments | Acknowledgments | |||
| We would like to thank Russ Housley for verifying the ASN.1 module. | We would like to thank Russ Housley for verifying the ASN.1 module. | |||
| Additionally, we would like to thank Corey Bonnell, Wendy Brown, Russ | ||||
| Housley, Prachi Jain, and Stefan Santesson for their comments. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Tadahiko Ito | Tadahiko Ito | |||
| SECOM CO., LTD. | SECOM CO., LTD. | |||
| Email: tadahiko.ito.public@gmail.com | Email: tadahiko.ito.public@gmail.com | |||
| Tomofumi Okubo | Tomofumi Okubo | |||
| DigiCert, Inc. | DigiCert, Inc. | |||
| Email: tomofumi.okubo+ietf@gmail.com | Email: tomofumi.okubo+ietf@gmail.com | |||
| End of changes. 10 change blocks. | ||||
| 19 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||