| draft-ietf-sidr-res-certs-04.txt (old) | draft-ietf-sidr-res-certs-05.txt (new) |
|---|---|
| SIDR G. Huston | SIDR G. Huston | |||
| Internet-Draft G. Michaelson | Internet-Draft G. Michaelson | |||
| Intended status: Standards Track R. Loomans | Intended status: Standards Track R. Loomans | |||
| Expires: August 24, 2007 APNIC | Expires: August 28, 2007 APNIC | |||
| February 20, 2007 | February 24, 2007 | |||
| A Profile for X.509 PKIX Resource Certificates | A Profile for X.509 PKIX Resource Certificates | |||
| draft-ietf-sidr-res-certs-04.txt | draft-ietf-sidr-res-certs-05.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 24, 2007. | This Internet-Draft will expire on August 28, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| Abstract | Abstract | |||
| This document defines a standard profile for X.509 certificates for | This document defines a standard profile for X.509 certificates for | |||
| the purposes of supporting validation of assertions of "right-to-use" | the purposes of supporting validation of assertions of "right-to-use" | |||
| of an Internet Number Resource (IP Addresses and Autonomous System | of an Internet Number Resource (IP Addresses and Autonomous System | |||
| skipping to change at page 2, line 33 ¶ | skipping to change at page 2, line 33 ¶ | |||
| 3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10 | 3.9.4. Key Usage . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10 | 3.9.5. CRL Distribution Points . . . . . . . . . . . . . . . 10 | |||
| 3.9.6. Authority Information Access . . . . . . . . . . . . . 10 | 3.9.6. Authority Information Access . . . . . . . . . . . . . 10 | |||
| 3.9.7. Subject Information Access . . . . . . . . . . . . . . 11 | 3.9.7. Subject Information Access . . . . . . . . . . . . . . 11 | |||
| 3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12 | 3.9.8. Certificate Policies . . . . . . . . . . . . . . . . . 12 | |||
| 3.9.9. Subject Alternate Name . . . . . . . . . . . . . . . . 12 | 3.9.9. Subject Alternate Name . . . . . . . . . . . . . . . . 12 | |||
| 3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12 | 3.9.10. IP Resources . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 13 | 3.9.11. AS Resources . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4. Resource Certificate Revocation List Profile . . . . . . . . . 13 | 4. Resource Certificate Revocation List Profile . . . . . . . . . 13 | |||
| 4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 4.1. Version . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.2. Issuer Name . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.3. This Update . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.4. Next Update . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14 | 4.5. Signature . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14 | 4.6. Revoked Certificate List . . . . . . . . . . . . . . . . . 14 | |||
| 4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14 | 4.6.1. Serial Number . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14 | 4.6.2. Revocation Date . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 15 | 4.7. CRL Extensions . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4.7.1. Authority Key Identifier . . . . . . . . . . . . . . . 15 | 4.7.1. Authority Key Identifier . . . . . . . . . . . . . . . 15 | |||
| 4.7.2. CRL Number . . . . . . . . . . . . . . . . . . . . . . 15 | 4.7.2. CRL Number . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5. Resource Certificate Request Profile . . . . . . . . . . . . . 15 | 5. Resource Certificate Request Profile . . . . . . . . . . . . . 15 | |||
| 5.1. PCKS#10 Profile . . . . . . . . . . . . . . . . . . . . . 15 | 5.1. PCKS#10 Profile . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.1.1. PKCS#10 Resource Certificate Request Template | 5.1.1. PKCS#10 Resource Certificate Request Template | |||
| Fields . . . . . . . . . . . . . . . . . . . . . . . . 15 | Fields . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.2. CRMF Profile . . . . . . . . . . . . . . . . . . . . . . . 16 | 5.2. CRMF Profile . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.2.1. CRMF Resource Certificate Request Template Fields . . 17 | 5.2.1. CRMF Resource Certificate Request Template Fields . . 17 | |||
| 5.2.2. Resource Certificate Request Control Fields . . . . . 17 | 5.2.2. Resource Certificate Request Control Fields . . . . . 17 | |||
| 5.3. Certificate Extension Attributes in Certificate | 5.3. Certificate Extension Attributes in Certificate | |||
| Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18 | Requests . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 6. Resource Certificate Validation . . . . . . . . . . . . . . . 21 | 6. Resource Certificate Validation . . . . . . . . . . . . . . . 21 | |||
| 6.1. Trust Anchors for Resource Certificates . . . . . . . . . 21 | 6.1. Trust Anchors for Resource Certificates . . . . . . . . . 21 | |||
| 6.2. Resource Extension Validation . . . . . . . . . . . . . . 22 | 6.2. Resource Extension Validation . . . . . . . . . . . . . . 22 | |||
| 6.3. Resource Certificate Path Validation . . . . . . . . . . . 22 | 6.3. Resource Certificate Path Validation . . . . . . . . . . . 23 | |||
| 7. Example Use Cases . . . . . . . . . . . . . . . . . . . . . . 23 | 7. Example Use Cases . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11. Normative References . . . . . . . . . . . . . . . . . . . . . 24 | 11. Normative References . . . . . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. Example Resource Certificate . . . . . . . . . . . . 25 | Appendix A. Example Resource Certificate . . . . . . . . . . . . 25 | |||
| Appendix B. Example Certificate Revocation List . . . . . . . . . 27 | Appendix B. Example Certificate Revocation List . . . . . . . . . 27 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 30 | Intellectual Property and Copyright Statements . . . . . . . . . . 30 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 6, line 8 ¶ | skipping to change at page 6, line 8 ¶ | |||
| the resource extension field. | the resource extension field. | |||
| 3. A test of the resource extension in the context of certificate | 3. A test of the resource extension in the context of certificate | |||
| validity includes the condition that the resources described in | validity includes the condition that the resources described in | |||
| the immediate superior certificate in the PKI hierarchy (the | the immediate superior certificate in the PKI hierarchy (the | |||
| certificate where this certificate's issuer is the subject) has a | certificate where this certificate's issuer is the subject) has a | |||
| resource set (called here the "Issuer's resource set") that must | resource set (called here the "Issuer's resource set") that must | |||
| encompass the resource set of the issued certificate. In this | encompass the resource set of the issued certificate. In this | |||
| context "encompass" allows for the issuer's resource set to be | context "encompass" allows for the issuer's resource set to be | |||
| the same as, or a strict superset of, any subject's resource set. | the same as, or a strict superset of, any subject's resource set. | |||
| The constraints imposed by this profile a certificate furthermore | ||||
| require that a the encompassing issuer's resource set be | ||||
| described in a single certificate, and not in two or more | ||||
| certificates. | ||||
| A test of certificate validity entails the identification of a | A test of certificate validity entails the identification of a | |||
| sequence of valid certificates in an issuer-subject chain (where the | sequence of valid certificates in an issuer-subject chain (where the | |||
| subject field of one certificate appears as the issuer in the next | subject field of one certificate appears as the issuer in the next | |||
| certificate in the sequence) from one, and only one, trust anchor to | certificate in the sequence) from one, and only one, trust anchor to | |||
| the certificate being validated, and that the resource extensions in | the certificate being validated, and that the resource extensions in | |||
| this certificate sequence from the trust anchor to the certificate | this certificate sequence from the trust anchor to the certificate | |||
| form a sequence of encompassing relationships. | form a sequence of encompassing relationships. | |||
| 3. Resource Certificate Fields | 3. Resource Certificate Fields | |||
| skipping to change at page 12, line 27 ¶ | skipping to change at page 12, line 22 ¶ | |||
| For End Entity certificates, where the subject is not a CA, this | For End Entity certificates, where the subject is not a CA, this | |||
| field MAY be present, and is non-critical. If present, it references | field MAY be present, and is non-critical. If present, it references | |||
| the location where objects signed by the key pair associated with the | the location where objects signed by the key pair associated with the | |||
| End Entity certificate can be accessed. The id-ad- | End Entity certificate can be accessed. The id-ad- | |||
| signedObjectRepository OID is used when the subject is an End Entity | signedObjectRepository OID is used when the subject is an End Entity | |||
| and it publishes objects signed with the matching private key in a | and it publishes objects signed with the matching private key in a | |||
| repository. | repository. | |||
| id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } | |||
| id-ad-signedObjectRepositor OBJECT IDENTIFIER ::= { id-ad 9 } | id-ad-signedObjectRepository OBJECT IDENTIFIER ::= { id-ad 9 } | |||
| 3.9.8. Certificate Policies | 3.9.8. Certificate Policies | |||
| This extension MUST reference the Resource Certificate Policy, using | This extension MUST reference the Resource Certificate Policy, using | |||
| the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field | the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field | |||
| MUST be present and MUST contain only this value for Resource | MUST be present and MUST contain only this value for Resource | |||
| Certificates. | Certificates. | |||
| PolicyQualifiers MUST NOT be used in this profile. | PolicyQualifiers MUST NOT be used in this profile. | |||
| skipping to change at page 15, line 24 ¶ | skipping to change at page 15, line 18 ¶ | |||
| identifying the public key corresponding to the private key used to | identifying the public key corresponding to the private key used to | |||
| sign a CRL. Conforming CRL issuers MUST use the key identifier | sign a CRL. Conforming CRL issuers MUST use the key identifier | |||
| method. The syntax for this CRL extension is defined in section | method. The syntax for this CRL extension is defined in section | |||
| 4.2.1.1 of [RFC3280]. | 4.2.1.1 of [RFC3280]. | |||
| This extension is non-critical. | This extension is non-critical. | |||
| 4.7.2. CRL Number | 4.7.2. CRL Number | |||
| The CRL Number extension conveys a monotonically increasing sequence | The CRL Number extension conveys a monotonically increasing sequence | |||
| number for a given CA. This extension allows users to easily | number of positive integers for a given CA. This extension allows | |||
| determine when a particular CRL supersedes another CRL. The highest | users to easily determine when a particular CRL supersedes another | |||
| CRL Number value supersedes all other CRLs issued by the CA within | CRL. The highest CRL Number value supersedes all other CRLs issued | |||
| the scope of this profile. | by the CA within the scope of this profile. | |||
| This extension is non-critical. | This extension is non-critical. | |||
| 5. Resource Certificate Request Profile | 5. Resource Certificate Request Profile | |||
| 5.1. PCKS#10 Profile | 5.1. PCKS#10 Profile | |||
| This profile refines the specification in [RFC2986], as it relates to | This profile refines the specification in [RFC2986], as it relates to | |||
| Resource Certificates. A Certificate Request Message object, | Resource Certificates. A Certificate Request Message object, | |||
| formatted according to PKCS#10, is passed to a Certificate Authority | formatted according to PKCS#10, is passed to a Certificate Authority | |||
| skipping to change at page 20, line 44 ¶ | skipping to change at page 20, line 44 ¶ | |||
| CertificatePolicies | CertificatePolicies | |||
| This field is assigned by the CA and MUST be omitted in this | This field is assigned by the CA and MUST be omitted in this | |||
| profile. | profile. | |||
| SubjectAlternateName | SubjectAlternateName | |||
| This field MAY be present, and the CA MAY use this as the | This field MAY be present, and the CA MAY use this as the | |||
| SubjectAltName in the issued Certificate. | SubjectAltName in the issued Certificate. | |||
| IPResources | IPResources | |||
| This field is assigned by the CA and MUST be omitted in this | This field is assigned by the CA if omitted by the requestor, and | |||
| profile. | shall be intereted as a request to certify all IP Resources | |||
| | assigned to the requestor within the context of this CA. If |
| | present, this is to be interepreted as the maximal set of IP |
| | Resources to be certified by the CA, and the CA may reduce this to |
| | the the certified IP Resource set based on the IP Resources |
| | assigned to the request under this CA. |
| ASResources | ASResources | |||
| This field is assigned by the CA and MUST be omitted in this | This field is assigned by the CA if omitted by the requestor, and | |||
| profile. | shall be intereted as a request to certify all AS Resources | |||
| | assigned to the requestor within the context of this CA. If |
| | present, this is to be interepreted as the maximal set of AS |
| | Resources to be certified by the CA, and the CA may reduce this to |
| | the the certified IP Resource set based on the AS Resources |
| | assigned to the request under this CA. |
| With the exception of the publicKey field, the CA is permitted to | With the exception of the publicKey field, the CA is permitted to | |||
| alter any requested field. | alter any requested field. | |||
| 6. Resource Certificate Validation | 6. Resource Certificate Validation | |||
| This section describes the Resource Certificate validation procedure. | This section describes the Resource Certificate validation procedure. | |||
| This refines the generic procedure described insection 6 of | This refines the generic procedure described insection 6 of | |||
| [RFC3280]: | [RFC3280]: | |||
| End of changes. 11 change blocks. | ||||
| 21 lines changed or deleted | 27 lines changed or added | |||

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
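
Review bot: in the change block at page 6, the deleted sentence was the only place that required the encompassing issuer's resource set to be described in a single certificate rather than in two or more, and nothing on the new side replaces it. The removed wording was garbled ("this profile a certificate furthermore require that a the"), so dropping it reads as a cleanup, but if the single-certificate constraint is still intended it now survives only by inference from the unchanged path-validation paragraph that follows ("a sequence of encompassing relationships" from one, and only one, trust anchor). Consider restating it there, for example: "each encompassing relationship in the sequence is tested against exactly one issuing certificate."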
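
Review bot: in the CRL Number change block at page 15, "a monotonically increasing sequence number of positive integers for a given CA" is awkward; suggest "a monotonically increasing positive integer sequence number for a given CA". Since the paragraph goes on to let the highest CRL Number supersede all other CRLs issued by the CA, it should also say that the comparison is only meaningful between CRLs whose Authority Key Identifier (section 4.7.1, immediately above) matches, so a relying party never ranks CRLs from different issuers by number alone.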
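
Review bot: the new IPResources and ASResources text in the change block at page 20 needs four fixes. (1) Typos: "intereted" and "interepreted" for "interpreted", and "the the certified". (2) Copy-paste error: the ASResources entry says the CA may reduce the request to "the certified IP Resource set"; it should read "AS Resource set". (3) "assigned to the request under this CA" should be "assigned to the requestor under this CA", matching the first sentence of each entry. (4) The key words are lowercase ("shall be interpreted", "the CA may reduce") while the neighbouring entries use RFC 2119 "MUST" and "MAY"; "may reduce" in particular should be "MUST reduce", because the CA's own resource set would still encompass a requested set that exceeds the requestor's assignment, so a CA that merely may trim the request could issue a certificate over resources the requestor does not hold. A cleaner form for each entry: "If this field is omitted, the request is interpreted as a request to certify all IP Resources assigned to the requestor within the context of this CA. If present, it is the maximal set of IP Resources to be certified, and the CA MUST reduce it to the set of IP Resources actually assigned to the requestor under this CA."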