draft-ietf-pkix-ac509prof-06.txt vs. draft-ietf-pkix-ac509prof-07.txt
PKIX Working Group S. Farrell PKIX Working Group S. Farrell
INTERNET-DRAFT Baltimore Technologies INTERNET-DRAFT Baltimore Technologies
Expires in six months R. Housley Expires in six months R. Housley
SPYRUS SPYRUS
10th January 2001 1st June 2001
An Internet Attribute Certificate An Internet Attribute Certificate
Profile for Authorization Profile for Authorization
<draft-ietf-pkix-ac509prof-06.txt> <draft-ietf-pkix-ac509prof-07.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of [RFC2026]. all provisions of Section 10 of [RFC2026].
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Internet-Drafts are draft documents valid for a maximum of Drafts. Internet-Drafts are draft documents valid for a maximum of
skipping to change at page 2, line 28 skipping to change at page 2, line 28
4.2 Profile of Standard Fields............................10 4.2 Profile of Standard Fields............................10
4.2.1 Version.........................................10 4.2.1 Version.........................................10
4.2.2 Holder..........................................10 4.2.2 Holder..........................................10
4.2.3 Issuer..........................................11 4.2.3 Issuer..........................................11
4.2.4 Signature.......................................12 4.2.4 Signature.......................................12
4.2.5 Serial Number...................................12 4.2.5 Serial Number...................................12
4.2.6 Validity Period.................................12 4.2.6 Validity Period.................................12
4.2.7 Attributes......................................13 4.2.7 Attributes......................................13
4.2.8 Issuer Unique Identifier........................13 4.2.8 Issuer Unique Identifier........................13
4.2.9 Extensions......................................13 4.2.9 Extensions......................................13
4.3 Extensions............................................13 4.3 Extensions............................................14
4.3.1 Audit Identity..................................14 4.3.1 Audit Identity..................................14
4.3.2 AC Targeting....................................15 4.3.2 AC Targeting....................................15
4.3.3 Authority Key Identifier........................16 4.3.3 Authority Key Identifier........................16
4.3.4 Authority Information Access....................16 4.3.4 Authority Information Access....................16
4.3.5 CRL Distribution Points.........................17 4.3.5 CRL Distribution Points.........................17
4.3.6 No Revocation Available.........................17 4.3.6 No Revocation Available.........................17
4.4 Attribute Types.......................................17 4.4 Attribute Types.......................................17
4.4.1 Service Authentication Information..............18 4.4.1 Service Authentication Information..............18
4.4.2 Access Identity.................................18 4.4.2 Access Identity.................................18
4.4.3 Charging Identity...............................19 4.4.3 Charging Identity...............................19
skipping to change at page 2, line 51 skipping to change at page 2, line 51
4.4.6 Clearance.......................................20 4.4.6 Clearance.......................................20
4.5 Profile of AC issuer's PKC............................21 4.5 Profile of AC issuer's PKC............................21
5. Attribute Certificate Validation............................22 5. Attribute Certificate Validation............................22
6. Revocation..................................................23 6. Revocation..................................................23
7. Optional Features...........................................24 7. Optional Features...........................................24
7.1 Attribute Encryption..................................24 7.1 Attribute Encryption..................................24
7.2 Proxying..............................................25 7.2 Proxying..............................................25
7.3 Use of ObjectDigestInfo...............................26 7.3 Use of ObjectDigestInfo...............................26
7.4 AA Controls...........................................27 7.4 AA Controls...........................................27
8. Security Considerations.....................................29 8. Security Considerations.....................................29
9. References..................................................31 9. IANA Considerations.........................................30
10.References..................................................30
Author's Addresses.............................................32 Author's Addresses.............................................32
Full Copyright Statement.......................................32 Full Copyright Statement.......................................32
Appendix A: Object Identifiers.................................33 Appendix A: Object Identifiers.................................33
Appendix B: ASN.1 Module.......................................34 Appendix B: ASN.1 Module.......................................34
1. Introduction 1. Introduction
The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY" The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
in this document are to be interpreted as described in [RFC2119]. in this document are to be interpreted as described in [RFC2119].
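Review bot: in the table of contents, "10.References" is missing the space after the section number that every other entry has, and the new sections 9 and 10 both point to page 30; re-check those page numbers once the body has been repaginated.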
skipping to change at page 8, line 44 skipping to change at page 8, line 44
X.509 contains the definition of an AC given below. All types that X.509 contains the definition of an AC given below. All types that
are not defined in this document can be found in [PKIXPROF]. are not defined in this document can be found in [PKIXPROF].
AttributeCertificate ::= SEQUENCE { AttributeCertificate ::= SEQUENCE {
acinfo AttributeCertificateInfo, acinfo AttributeCertificateInfo,
signatureAlgorithm AlgorithmIdentifier, signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING signatureValue BIT STRING
} }
AttributeCertificateInfo ::= SEQUENCE { AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion DEFAULT v1, version AttCertVersion -- version is v2,
holder Holder, holder Holder,
issuer AttCertIssuer, issuer AttCertIssuer,
signature AlgorithmIdentifier, signature AlgorithmIdentifier,
serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod, attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute, attributes SEQUENCE OF Attribute,
issuerUniqueID UniqueIdentifier OPTIONAL, issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions OPTIONAL extensions Extensions OPTIONAL
} }
AttCertVersion ::= INTEGER { v1(0), v2(1) } AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE { Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of -- the issuer and serial number of
-- the holder's Public Key Certificate -- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL, entityName [1] GeneralNames OPTIONAL,
-- the name of the claimant or role -- the name of the claimant or role
objectDigestInfo [2] ObjectDigestInfo OPTIONAL objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- if present, version must be v2 -- if present, version must be v2
} }
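Review bot: the -07 line "version AttCertVersion -- version is v2," in AttributeCertificateInfo is not valid ASN.1: "--" opens a comment that runs to the end of the line, so the comma that separates the version component from holder is swallowed by the comment. Put the comma before the comment, "version AttCertVersion, -- version is v2". The identical line appears in the Appendix B module and needs the same fix.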
skipping to change at page 10, line 41 skipping to change at page 10, line 41
krb5PrincipalName OID and the KerberosName syntax as defined in krb5PrincipalName OID and the KerberosName syntax as defined in
[PKINIT]. [PKINIT].
Conforming implementations MUST be able to support the dNSName, Conforming implementations MUST be able to support the dNSName,
directoryName, uniformResourceIdentifier, and iPAddress fields in directoryName, uniformResourceIdentifier, and iPAddress fields in
all cases where GeneralName is used. This is compatible with the all cases where GeneralName is used. This is compatible with the
GeneralName requirements in [PKIXPROF] (mainly in section 4.2.1.7). GeneralName requirements in [PKIXPROF] (mainly in section 4.2.1.7).
4.2.1 Version 4.2.1 Version
The version field MUST be the (non-default) value of v2. That is, The version field MUST be have the value of v2. That is, the
the version field is present in the DER encoding. version field is present in the DER encoding.
Note: This version (v2) is not backwards compatible with the
previous attribute certificate definition (v1) from the 1997 X.509
standard [X.509-1997], but is compatible with the v2 definition from
X.509 (2000) [X.509-2000].
4.2.2 Holder 4.2.2 Holder
The Holder field is a SEQUENCE allowing three different (optional) The Holder field is a SEQUENCE allowing three different (optional)
syntaxes: baseCertificateID, entityName and objectDigestInfo. Where syntaxes: baseCertificateID, entityName and objectDigestInfo. Where
only one option is present the meaning of the Holder field is clear. only one option is present the meaning of the Holder field is clear.
However, where more than one option is used, there is potential for However, where more than one option is used, there is potential for
confusion as to which option is "normative", which is a "hint" etc. confusion as to which option is "normative", which is a "hint" etc.
Since the correct position is not clear from [X.509-2000] this Since the correct position is not clear from [X.509-2000] this
specification RECOMMENDS that only one of the options be used in any specification RECOMMENDS that only one of the options be used in any
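Review bot: "The version field MUST be have the value of v2" in 4.2.1 has one verb too many; read "MUST have the value v2". Since AttCertVersion now lists only v2(1), it would also help implementers to state in this section that an AC whose version decodes as anything else is to be rejected, rather than leaving that to be inferred from the syntax.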
skipping to change at page 20, line 47 skipping to change at page 20, line 47
If present, the SecurityCategory field provides further If present, the SecurityCategory field provides further
authorization information. The security policy identified by the authorization information. The security policy identified by the
policyId field indicates the syntaxes that are allowed to be present policyId field indicates the syntaxes that are allowed to be present
in the securityCategories SET. An OBJECT IDENTIFIER identifies each in the securityCategories SET. An OBJECT IDENTIFIER identifies each
of the allowed syntaxes. When one of these syntaxes is present in of the allowed syntaxes. When one of these syntaxes is present in
the securityCategories SET, the OBJECT IDENTIFIER associated with the securityCategories SET, the OBJECT IDENTIFIER associated with
that syntax is carried in the SecurityCategory.type field. that syntax is carried in the SecurityCategory.type field.
Clearance ::= SEQUENCE { Clearance ::= SEQUENCE {
policyId OBJECT IDENTIFIER, policyId [0] OBJECT IDENTIFIER,
classList ClassList DEFAULT {unclassified}, classList [1] ClassList DEFAULT {unclassified},
securityCategories securityCategories
SET OF SecurityCategory OPTIONAL [2] SET OF SecurityCategory OPTIONAL
} }
ClassList ::= BIT STRING { ClassList ::= BIT STRING {
unmarked (0), unmarked (0),
unclassified (1), unclassified (1),
restricted (2) restricted (2)
confidential (3), confidential (3),
secret (4), secret (4),
topSecret (5) topSecret (5)
} }
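Review bot: "restricted (2)" in the ClassList BIT STRING in 4.4.6 is missing its trailing comma (in both -06 and -07), while the Appendix B copy has it, so the two copies of the definition no longer match; fix the 4.4.6 copy. Separately, the new [0]/[1]/[2] context tags on Clearance change its encoding, and id-at-clearance is allocated under the joint-iso-ccitt ds arc (Appendix A) rather than the pkix arc; confirm that this tagged form is the syntax that OID denotes in X.501, or state explicitly that the encoding differs, because a verifier that selects a decoder by attribute OID will otherwise mis-parse one of the two forms.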
skipping to change at page 22, line 38 skipping to change at page 22, line 38
AC validity. If the evaluation time is equal to either AC validity. If the evaluation time is equal to either
notBeforeTime or notAfterTime, then the AC is timely and this notBeforeTime or notAfterTime, then the AC is timely and this
check succeeds. Note that in some applications, the evaluation check succeeds. Note that in some applications, the evaluation
time MAY not be the same as the current time. time MAY not be the same as the current time.
6. The AC targeting check MUST pass as specified in section 4.3.2. 6. The AC targeting check MUST pass as specified in section 4.3.2.
7. If the AC contains an unsupported critical extension, then the 7. If the AC contains an unsupported critical extension, then the
AC MUST be rejected. AC MUST be rejected.
Support for an extension in this context means: Support for an extension in this context means:
1. The AC verifier MUST be able to parse the extension value. 1. The AC verifier MUST be able to parse the extension value.
2. Where the extension value SHOULD cause the AC to be rejected, 2. Where the extension value SHOULD cause the AC to be rejected,
the AC verifier MUST reject the AC. the AC verifier MUST reject the AC.
Additional Checks: Additional Checks:
1. The AC MAY be rejected on the basis of further AC verifier 1. The AC MAY be rejected on the basis of further AC verifier
configuration. For example, an AC verifier may be configured to configuration. For example, an AC verifier may be configured to
reject ACs which contain or lack certain attributes. reject ACs which contain or lack certain attributes.
2. If the AC verifier provides an interface that allows 2. If the AC verifier provides an interface that allows
applications to query the contents of the AC, then the AC applications to query the contents of the AC, then the AC
verifier MAY filter the attributes from the AC on the basis of verifier MAY filter the attributes from the AC on the basis of
configured information. For example, an AC verifier might be configured information. For example, an AC verifier might be
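Review bot: "the evaluation time MAY not be the same as the current time" in validity check 5 uses a capitalized keyword combination that RFC 2119 does not define, and the sentence is a statement of fact about applications rather than a requirement; write "need not be the same as the current time". In the definition of extension support, "Where the extension value SHOULD cause the AC to be rejected" reads as a requirement on the value rather than on the verifier; "Where the extension's semantics require the AC to be rejected, the AC verifier MUST reject the AC" is clearer.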
skipping to change at page 31, line 5 skipping to change at page 30, line 32
than one AC issuer. than one AC issuer.
There is often a requirement to map between the authentication There is often a requirement to map between the authentication
supplied by a particular security protocol (e.g. TLS, S/MIME) and supplied by a particular security protocol (e.g. TLS, S/MIME) and
the AC holder's identity. If the authentication uses PKCs, then this the AC holder's identity. If the authentication uses PKCs, then this
mapping is straightforward. However, it is envisaged that ACs will mapping is straightforward. However, it is envisaged that ACs will
also be used in environments where the holder may be authenticated also be used in environments where the holder may be authenticated
using other means. Implementers SHOULD be very careful in mapping using other means. Implementers SHOULD be very careful in mapping
the authenticated identity to the AC holder. the authenticated identity to the AC holder.
9. References 9. IANA Considerations
The OIDs used in this document have been delegated by the IANA and
no further action by the IANA is necessary for this document or any
anticipated updates.
10. References
[CMC] Myers, M., et al. "Certificate Management Messages over [CMC] Myers, M., et al. "Certificate Management Messages over
CMS", RFC2797. CMS", RFC2797.
[CMP] Adams, C., Farrell, S., "Internet X.509 Public Key [CMP] Adams, C., Farrell, S., "Internet X.509 Public Key
Infrastructure - Certificate Management Protocols", Infrastructure - Certificate Management Protocols",
RFC2510. RFC2510.
[CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630. [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630.
[ESS] Hoffman, P., "Enhanced Security Services for S/MIME", [ESS] Hoffman, P., "Enhanced Security Services for S/MIME",
RFC2634. RFC2634.
[KRB] Kohl, J., Neuman, C., "The Kerberos Network [KRB] Kohl, J., Neuman, C., "The Kerberos Network
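Review bot: the new IANA Considerations text claims that "the OIDs used in this document have been delegated by the IANA", but id-at-clearance in Appendix A is {joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) clearance(55)}, an ITU/ISO directory arc, not an IANA delegation. Limit the statement to the OIDs under the pkix(7) arc used in Appendix B, or simply say that this document requires no IANA action.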
skipping to change at page 32, line 13 skipping to change at page 32, line 13
and Attribute Certificate Frameworks. 2000 and Attribute Certificate Frameworks. 2000
Author's Addresses Author's Addresses
Stephen Farrell Stephen Farrell
Baltimore Technologies Baltimore Technologies
39/41 Parkgate Street 39/41 Parkgate Street
Dublin 8 Dublin 8
IRELAND IRELAND
tel: +353-1-881-6000
email: stephen.farrell@baltimore.ie email: stephen.farrell@baltimore.ie
Russell Housley Russell Housley
SPYRUS RSA Laboratories
381 Elden Street 918 Spring Knoll Drive
Suite 1120
Herndon, VA 20170 Herndon, VA 20170
USA USA
tel: +1-703-707-0696 email: rhousley@rsasecurity.com
email: housley@spyrus.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (date). All Rights Reserved. Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph kind, provided that the above copyright notice and this paragraph
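Review bot: the second author's affiliation in Author's Addresses changed from SPYRUS to RSA Laboratories, but the first-page header of -07 still reads SPYRUS; update the header to match. Also, the first author's block gains a telephone number in -07 while the second author's loses one; keep the two address blocks in the same form.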
skipping to change at page 34, line 11 skipping to change at page 34, line 11
id-at-clearance OBJECT IDENTIFIER ::= id-at-clearance OBJECT IDENTIFIER ::=
{ joint-iso-ccitt(2) ds(5) module(1) { joint-iso-ccitt(2) ds(5) module(1)
selected-attribute-types(5) clearance (55) } selected-attribute-types(5) clearance (55) }
Appendix B: ASN.1 Module Appendix B: ASN.1 Module
PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6) PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-attribute-cert(12)} id-mod-attribute-cert(12)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS ALL -- -- EXPORTS ALL --
IMPORTS IMPORTS
-- IMPORTed module OIDs MAY change if [PKIXPROF] changes -- IMPORTed module OIDs MAY change if [PKIXPROF] changes
-- PKIX Certificate Extensions -- PKIX Certificate Extensions
Attribute, AlgorithmIdentifier, CertificateSerialNumber, Attribute, AlgorithmIdentifier, CertificateSerialNumber,
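Review bot: changing the module from DEFINITIONS EXPLICIT TAGS to DEFINITIONS IMPLICIT TAGS alters the DER encoding of every context-tagged component in the module, including Holder's [0]/[1]/[2] and RoleSyntax's [0]/[1], not only the newly tagged Clearance, so -06 encodings will not decode under -07. That is a wire-incompatible change, not the "ASN.1 tagging nits" that Appendix C lists; call it out plainly in the change history and in section 4.1 so implementers of earlier drafts know to re-encode.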
skipping to change at page 35, line 9 skipping to change at page 35, line 9
-- Uncomment this if using a 1988 level ASN.1 compiler -- Uncomment this if using a 1988 level ASN.1 compiler
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
AttributeCertificate ::= SEQUENCE { AttributeCertificate ::= SEQUENCE {
acinfo AttributeCertificateInfo, acinfo AttributeCertificateInfo,
signatureAlgorithm AlgorithmIdentifier, signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING signatureValue BIT STRING
} }
AttributeCertificateInfo ::= SEQUENCE { AttributeCertificateInfo ::= SEQUENCE {
version AttCertVersion DEFAULT v1, version AttCertVersion -- version is v2,
holder Holder, holder Holder,
issuer AttCertIssuer, issuer AttCertIssuer,
signature AlgorithmIdentifier, signature AlgorithmIdentifier,
serialNumber CertificateSerialNumber, serialNumber CertificateSerialNumber,
attrCertValidityPeriod AttCertValidityPeriod, attrCertValidityPeriod AttCertValidityPeriod,
attributes SEQUENCE OF Attribute, attributes SEQUENCE OF Attribute,
issuerUniqueID UniqueIdentifier OPTIONAL, issuerUniqueID UniqueIdentifier OPTIONAL,
extensions Extensions OPTIONAL extensions Extensions OPTIONAL
} }
AttCertVersion ::= INTEGER {v1(0), v2(1) } AttCertVersion ::= INTEGER { v2(1) }
Holder ::= SEQUENCE { Holder ::= SEQUENCE {
baseCertificateID [0] IssuerSerial OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL,
-- the issuer and serial number of -- the issuer and serial number of
-- the holder's Public Key Certificate -- the holder's Public Key Certificate
entityName [1] GeneralNames OPTIONAL, entityName [1] GeneralNames OPTIONAL,
-- the name of the claimant or role -- the name of the claimant or role
objectDigestInfo [2] ObjectDigestInfo OPTIONAL objectDigestInfo [2] ObjectDigestInfo OPTIONAL
-- if present, version must be v2 -- if present, version must be v2
} }
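Review bot: with v1(0) removed from AttCertVersion, the comment "-- if present, version must be v2" on objectDigestInfo in Holder is now vacuous and can be deleted. The line "version AttCertVersion -- version is v2," here has the same comma-inside-comment defect as the copy in section 4.1, and it matters more in this Appendix because this module is what an ASN.1 compiler will actually consume.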
skipping to change at page 36, line 50 skipping to change at page 36, line 50
ident GeneralName, ident GeneralName,
authInfo OCTET STRING OPTIONAL authInfo OCTET STRING OPTIONAL
} }
RoleSyntax ::= SEQUENCE { RoleSyntax ::= SEQUENCE {
roleAuthority [0] GeneralNames OPTIONAL, roleAuthority [0] GeneralNames OPTIONAL,
roleName [1] GeneralName roleName [1] GeneralName
} }
Clearance ::= SEQUENCE { Clearance ::= SEQUENCE {
policyId OBJECT IDENTIFIER, policyId [0] OBJECT IDENTIFIER,
classList ClassList DEFAULT {unclassified}, classList [1] ClassList DEFAULT {unclassified},
securityCategories securityCategories
SET OF SecurityCategory OPTIONAL [2] SET OF SecurityCategory OPTIONAL
} }
ClassList ::= BIT STRING { ClassList ::= BIT STRING {
unmarked (0), unmarked (0),
unclassified (1), unclassified (1),
restricted (2), restricted (2),
confidential (3), confidential (3),
secret (4), secret (4),
topSecret (5) topSecret (5)
} }
skipping to change at page 38, line 13 skipping to change at page 38, line 13
END END
Appendix C: Change History Appendix C: Change History
<<This Appendix to be deleted before RFC>> <<This Appendix to be deleted before RFC>>
This appendix lists major changes since the previous revision. This appendix lists major changes since the previous revision.
Major changes since last revision: Major changes since last revision:
Changes from -06 to -07:
1. Added IANA considerations section
2. Changed DEFAULT version to v2
3. Further deprecated v1 syntax since X.509 did
4. Fixed ASN.1 tagging nits
Changes from -05 to -06: Changes from -05 to -06:
1. Added new item 1 to validation rules in section 5. 5. Added new item 1 to validation rules in section 5.
2. Added security considerations text about "rogue" CAs. 6. Added security considerations text about "rogue" CAs.
3. Changed to allow holder.entityName = PKC.subject or 7. Changed to allow holder.entityName = PKC.subject or
PKC.subjectAltName for the relevant cases & clarified that Holder PKC.subjectAltName for the relevant cases & clarified that Holder
should only have one value. should only have one value.
4. Changed to insist on version 2 to avoid clash with possibly ISO 8. Changed to insist on version 2 to avoid clash with possibly ISO
syntax issue. syntax issue.
5. Updated references. 9. Updated references.
Changes from -04 to -05: Changes from -04 to -05:
1. Changed from referencing rfc2459 to new-part1 and pkalgs. 1. Changed from referencing rfc2459 to new-part1 and pkalgs.
Changes from -03 to -04 Changes from -03 to -04
1. Folding in last call comments. 1. Folding in last call comments.
2. Last bits of synchronizing with X.509 2000 spec. 2. Last bits of synchronizing with X.509 2000 spec.
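Review bot: the "-05 to -06" list in Appendix C is now numbered 5 to 9, continuing from the new -07 list, whereas the -04/-05 and -03/-04 lists each restart at 1; restart the numbering for every revision. Item 2 of the -07 list, "Changed DEFAULT version to v2", does not describe the ASN.1 change actually made, which removes the DEFAULT altogether so that version is always encoded; reword it to match the syntax.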
End of changes. 23 change blocks. 32 lines changed or deleted; 48 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/