| < draft-ietf-stir-certificates-12.txt | draft-ietf-stir-certificates-13.txt > | |||
|---|---|---|---|---|
| Network Working Group J. Peterson | Network Working Group J. Peterson | |||
| Internet-Draft Neustar | Internet-Draft Neustar | |||
| Intended status: Standards Track S. Turner | Intended status: Standards Track S. Turner | |||
| Expires: September 14, 2017 sn3rd | Expires: September 27, 2017 sn3rd | |||
| March 13, 2017 | March 27, 2017 | |||
| Secure Telephone Identity Credentials: Certificates | Secure Telephone Identity Credentials: Certificates | |||
| draft-ietf-stir-certificates-12.txt | draft-ietf-stir-certificates-13.txt | |||
| Abstract | Abstract | |||
| In order to prevent the impersonation of telephone numbers on the | In order to prevent the impersonation of telephone numbers on the | |||
| Internet, some kind of credential system needs to exist that | Internet, some kind of credential system needs to exist that | |||
| cryptographically asserts authority over telephone numbers. This | cryptographically asserts authority over telephone numbers. This | |||
| document describes the use of certificates in establishing authority | document describes the use of certificates in establishing authority | |||
| over telephone numbers, as a component of a broader architecture for | over telephone numbers, as a component of a broader architecture for | |||
| managing telephone numbers as identities in protocols like SIP. | managing telephone numbers as identities in protocols like SIP. | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 14, 2017. | This Internet-Draft will expire on September 27, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 21 ¶ | skipping to change at page 2, line 21 ¶ | |||
| 3. Authority for Telephone Numbers in Certificates . . . . . . . 3 | 3. Authority for Telephone Numbers in Certificates . . . . . . . 3 | |||
| 4. Certificate Usage with STIR . . . . . . . . . . . . . . . . . 5 | 4. Certificate Usage with STIR . . . . . . . . . . . . . . . . . 5 | |||
| 5. Enrollment and Authorization using the TN Authorization List 6 | 5. Enrollment and Authorization using the TN Authorization List 6 | |||
| 5.1. Constraints on Signing PASSporTs . . . . . . . . . . . . 7 | 5.1. Constraints on Signing PASSporTs . . . . . . . . . . . . 7 | |||
| 5.2. Certificate Extension Scope and Structure . . . . . . . . 8 | 5.2. Certificate Extension Scope and Structure . . . . . . . . 8 | |||
| 6. Provisioning Private Keying Material . . . . . . . . . . . . 8 | 6. Provisioning Private Keying Material . . . . . . . . . . . . 8 | |||
| 7. Acquiring Credentials to Verify Signatures . . . . . . . . . 9 | 7. Acquiring Credentials to Verify Signatures . . . . . . . . . 9 | |||
| 8. JWT Claim Constraints Syntax . . . . . . . . . . . . . . . . 10 | 8. JWT Claim Constraints Syntax . . . . . . . . . . . . . . . . 10 | |||
| 9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11 | 9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11 | |||
| 10. Certificate Freshness and Revocation . . . . . . . . . . . . 13 | 10. Certificate Freshness and Revocation . . . . . . . . . . . . 13 | |||
| 10.1. Acquiring TN Lists By Reference . . . . . . . . . . . . 13 | 10.1. Acquiring TN Lists By Reference . . . . . . . . . . . . 14 | |||
| 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 12. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | 12. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | |||
| 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 | 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 14.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 14.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
| 14.2. Informative References . . . . . . . . . . . . . . . . . 17 | 14.2. Informative References . . . . . . . . . . . . . . . . . 17 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 18 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 1. Introduction | 1. Introduction | |||
| skipping to change at page 10, line 13 ¶ | skipping to change at page 10, line 13 ¶ | |||
| discriminator that the signer uses to identify their credentials. | discriminator that the signer uses to identify their credentials. | |||
| The Identity header "info" parameter itself can serve as such a | The Identity header "info" parameter itself can serve as such a | |||
| discriminator, provided implementations use that parameter as a key | discriminator, provided implementations use that parameter as a key | |||
| when accessing certificates from caches or other sources. | when accessing certificates from caches or other sources. | |||
| 8. JWT Claim Constraints Syntax | 8. JWT Claim Constraints Syntax | |||
| The subjects of certificates containing the JWT Claim Constraints | The subjects of certificates containing the JWT Claim Constraints | |||
| certificate extension are specifies values for PASSporT claims that | certificate extension are specifies values for PASSporT claims that | |||
| are permitted, values for PASSporT claims that are excluded, or both. | are permitted. The syntax of these claims is given in PASSporT; | |||
| The syntax of these claims is given in PASSporT; specifying new | specifying new claims follows the procedures in | |||
| claims follows the procedures in [I-D.ietf-stir-passport] | [I-D.ietf-stir-passport] (Section 8.3). When a verifier is | |||
| (Section 8.3). When a verifier is validating PASSporT claims, the | validating PASSporT claims, the JWT claim MUST contain permitted | |||
| JWT claim MUST contain permitted values, and MUST NOT contain | values. The non-critical JWT Claim Constraints certificate extension | |||
| excluded values. The non-critical JWT Claim Constraints certificate | is included in the extension field of end entity certificates | |||
| extension is included in the extension field of end entity | [RFC5280]. The extension is defined with ASN.1 [X.680][X.681][X.682] | |||
| certificates [RFC5280]. The extension is defined with ASN.1 | [X.683]. | |||
| [X.680][X.681][X.682] [X.683]. | ||||
| The JWT Claim Constraints certificate extension places constraints on | The JWT Claim Constraints certificate extension places constraints on | |||
| the values that are allowed in particular JWT claims. This | the values that are allowed in particular JWT claims. This | |||
| certificate extension is optional, but if present, it constraints the | certificate extension is optional, but if present, it constrains the | |||
| claims that authentication services may include in the PASSporT | claims that authentication services may included in the PASSporT | |||
| objects they sign. For example, imagine a PASSporT extension claim | objects they sign. For example, imagine a PASSporT extension claim | |||
| called "confidence". If a CA issue to an authentication service a | called "confidence" with values "low", "medium", and "high". If a CA | |||
| certificate that contains the value "confidence" in the "permitted" | issues to an authentication service a certificate that contains the | |||
| field of the JWT Claim Constraints, then an authentication service | value "confidence" in the "claim" field and "high" in the "permitted" | |||
| MAY add a "confidence" claim to any PASSporTs it generates. A | feild of the JWT Claim Constraints, then an authentication service | |||
| MAY add a "high" "confidence" claim to any PASSporTs it generates. A | ||||
| verification service MUST treat as invalid any PASSporT it receives | verification service MUST treat as invalid any PASSporT it receives | |||
| with a PASSporT extension claim that is not included in JWT Claim | with a PASSporT extension claim that is not included in JWT Claim | |||
| Constraints The baseline claims of PASSporT ("orig", "dest", "iat" | Constraints. The baseline claims of PASSporT ("orig", "dest", "iat" | |||
| and "mky") are considered to be permitted by default and SHOULD NOT | and "mky") are considered to be permitted by default and SHOULD NOT | |||
| be included in a "permitted" field of the certificate." The issuer | be included in the "claim" field. The issuer of a certificate may | |||
| of a certificate may similarly explicitly allow the use of a | similarly explicitly allow the use of a particular claim by the | |||
| particular claim by the holder of the certificate. If a certificate | holder of the certificate. If a certificate contains no JWT Claim | |||
| contains no JWT Claim Constraints, the issuer of the certificate | Constraints, the issuer of the certificate permits all claims. | |||
| permits all claims. | ||||
| The JWT Claim Constraints certificate extension is identified by the | The JWT Claim Constraints certificate extension is identified by the | |||
| following object identifier (OID), which is defined under the id-pe | following object identifier (OID), which is defined under the id-pe | |||
| OID arc defined in [RFC5280] and managed by IANA (see Section 11): | OID arc defined in [RFC5280] and managed by IANA (see Section 11): | |||
| id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } | id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } | |||
| The JWT Claim Constraints certificate extension has the following | The JWT Claim Constraints certificate extension has the following | |||
| syntax: | syntax: | |||
| JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint | JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint | |||
| JWTClaimConstraint ::= SEQUENCE { | JWTClaimConstraint ::= SEQUENCE { | |||
| claim IA5String, | claim IA5String, | |||
| permitted SEQUENCE OF IA5String | permitted SEQUENCE OF IA5String | |||
| } | } | |||
| 9. TN Authorization List Syntax | 9. TN Authorization List Syntax | |||
| The subjects of certificates containing the TN Authorization List | The subjects of certificates containing the TN Authorization List | |||
| extension are the administrative entities to whom numbers are | extension are the administrative entities to whom numbers are | |||
| assigned or delegated. When a verifier is validating a caller's | assigned or delegated. When a verifier is validating a caller's | |||
| identity, local policy always determines the circumstances under | identity, local policy always determines the circumstances under | |||
| which any particular subject may be trusted, but the purpose of the | which any particular subject may be trusted, but the purpose of the | |||
| TN Authorization List extension in particular is to allow a verifier | TN Authorization List extension in particular is to allow a verifier | |||
| to ascertain when the CA has designated that the subject has | to ascertain when the CA has designated that the subject has | |||
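Review bot: the first paragraph of Section 8 declares the extension non-critical ("The non-critical JWT Claim Constraints certificate extension is included in the extension field of end entity certificates") while the same section requires a verification service to treat as invalid any PASSporT whose extension claim or value the extension does not permit. Under RFC 5280 a relying party that does not recognise a non-critical extension simply ignores it, so a verifier that has not implemented this extension accepts exactly the PASSporTs the CA meant to rule out; either mark the extension critical or state that a verifier conforming to this specification MUST process the extension before accepting any PASSporT extension claim. The new right-hand text also still needs copy-editing: "are specifies values", "may included" and "feild" should read "specify values", "may include" and "field". Finally, `permitted SEQUENCE OF IA5String` admits an empty sequence; either constrain it to `SEQUENCE SIZE (1..MAX) OF IA5String` or say what an empty permitted list means for the named claim (no value allowed, or any value allowed), since a verifier otherwise has to guess.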
| skipping to change at page 11, line 37 ¶ | skipping to change at page 11, line 37 ¶ | |||
| The subjects of certificates containing the TN Authorization List | The subjects of certificates containing the TN Authorization List | |||
| extension are the administrative entities to whom numbers are | extension are the administrative entities to whom numbers are | |||
| assigned or delegated. In an end entity certificate, TN | assigned or delegated. In an end entity certificate, TN | |||
| Authorization List indicates the TNs which the certificate has been | Authorization List indicates the TNs which the certificate has been | |||
| authorized. In a CA certificate, the TN Authorization List limits | authorized. In a CA certificate, the TN Authorization List limits | |||
| the set of TNs for certification paths that include this certificate. | the set of TNs for certification paths that include this certificate. | |||
| The Telephony Number (TN) Authorization List certificate extension is | The Telephony Number (TN) Authorization List certificate extension is | |||
| identified by the following object identifier (OID), which is defined | identified by the following object identifier (OID), which is defined | |||
| under the id-pe OID arc defined in [RFC5280] and managed by IANA (see | under the id-pe OID arc defined in [RFC5280] and managed by IANA (see | |||
| Section 11). | Section 11): | |||
| id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } | id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } | |||
| The TN Authorization List certificate extension has the following | The TN Authorization List certificate extension has the following | |||
| syntax: | syntax: | |||
| TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry | TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry | |||
| TNEntry ::= CHOICE { | TNEntry ::= CHOICE { | |||
| spc [0] ServiceProviderCodeList, | spc [0] ServiceProviderCodeList, | |||
| range [1] TelephoneNumberRange, | range [1] TelephoneNumberRange, | |||
| one E164Number } | one E164Number | |||
| } | ||||
| ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF | ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF IA5String | |||
| IA%String | ||||
| -- Service Provider Codes may be OCNs, various SPIDs, or other SP identifiers from the telephone network | -- Service Provider Codes may be OCNs, various SPIDs, or other | |||
| -- SP identifiers from the telephone network | ||||
| TelephoneNumberRange ::= SEQUENCE { | TelephoneNumberRange ::= SEQUENCE { | |||
| start E164Number, | start E164Number, | |||
| count INTEGER } | count INTEGER | |||
| } | ||||
| E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789#*")) | E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789#*")) | |||
| The TN Authorization List certificate extension indicates the | The TN Authorization List certificate extension indicates the | |||
| authorized phone numbers for the call setup signer. It indicates one | authorized phone numbers for the call setup signer. It indicates one | |||
| or more blocks of telephone number entries that have been authorized | or more blocks of telephone number entries that have been authorized | |||
| for use by the call setup signer. There are three ways to identify | for use by the call setup signer. There are three ways to identify | |||
| the block: | the block: | |||
| 1. Service Provider Codes as described in this document are a | 1. Service Provider Codes as described in this document are a | |||
| generic term for the identifiers used to designate service | generic term for the identifiers used to designate service | |||
| providers in the telepohone networks today. In North American | providers in the telepohone networks today. In North American | |||
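Review bot: `count INTEGER` in TelephoneNumberRange is unbounded, so an encoder can emit zero, a negative value, or a count that runs the range past the fifteen-digit limit that E164Number enforces on `start`; constrain it to `count INTEGER (1..MAX)` (or a tighter bound) and state that every number covered by the range must itself be a valid E164Number, otherwise each verifier invents its own rejection rule. The correction of `IA%String` to `IA5String` in ServiceProviderCodeList is right, but the string remains unconstrained in length and alphabet while the surrounding text describes OCNs and SPIDs; a SIZE bound would let implementations reject malformed codes before attempting a match. "telepohone" in the list item that follows should be "telephone".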
| skipping to change at page 18, line 33 ¶ | skipping to change at page 18, line 39 ¶ | |||
| The modules defined in this document are compatible with the most | The modules defined in this document are compatible with the most | |||
| current ASN.1 specification published in 2015 (see [X.680], [X.681], | current ASN.1 specification published in 2015 (see [X.680], [X.681], | |||
| [X.682], [X.683]). None of the newly defined tokens in the 2008 | [X.682], [X.683]). None of the newly defined tokens in the 2008 | |||
| ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE- | ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE- | |||
| OID-IRI, TIME, TIME-OF-DAY)) are currently used in any of the ASN.1 | OID-IRI, TIME, TIME-OF-DAY)) are currently used in any of the ASN.1 | |||
| specifications referred to here. | specifications referred to here. | |||
| This ASN.1 module imports ASN.1 from [RFC5912]. | This ASN.1 module imports ASN.1 from [RFC5912]. | |||
| TN-Module-2016 { | TN-Module-2016 | |||
| iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) id-mod-tn-module(88) } | |||
| id-mod-tn-module(88) } | ||||
| DEFINITIONS EXPLICIT TAGS ::= BEGIN | DEFINITIONS EXPLICIT TAGS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| id-ad, id-ad-ocsp, id-pe -- From [RFC5912] | ||||
| FROM PKIX1Explicit-2009 { | ||||
| iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } | ||||
| EXTENSION -- From [RFC5912] | id-ad, id-pe | |||
| FROM PKIX-CommonTypes-2009 { | FROM PKIX1Explicit-2009 -- From [RFC5912] | |||
| iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) } | |||
| id-mod-pkixCommon-02(57) } | ||||
| ; | ||||
| -- | EXTENSION | |||
| -- JWT Claim Constraints Certificate Extension | FROM PKIX-CommonTypes-2009 -- From [RFC5912] | |||
| -- | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } | ||||
| ext-jwtClaimConstraints EXTENSION ::= { | ; | |||
| SYNTAX JWTClaimConstraints IDENTIFIED BY id-pe-JWTClaimConstraints } | ||||
| id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } | -- | |||
| -- JWT Claim Constraints Certificate Extension | ||||
| -- | ||||
| JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint | ext-jwtClaimConstraints EXTENSION ::= { | |||
| SYNTAX JWTClaimConstraints IDENTIFIED BY id-pe-JWTClaimConstraints | ||||
| } | ||||
| JWTClaimConstraint ::= SEQUENCE { | id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } | |||
| claim IA5String, | ||||
| permitted [1] SEQUENCE OF IA5String OPTIONAL, | ||||
| excluded [2] SEQUENCE OF IA5String OPTIONAL } | ||||
| ( WITH COMPONENTS { ..., permitted PRESENT } | | ||||
| WITH COMPONENTS { ..., excluded PRESENT } ) | ||||
| -- | JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint | |||
| -- Telephone Number Authorization List Certificate Extension | ||||
| -- | ||||
| ext-tnAuthList EXTENSION ::= { | JWTClaimConstraint ::= SEQUENCE { | |||
| SYNTAX TNAuthorizationList IDENTIFIED BY id-pe-TNAuthList } | claim IA5String, | |||
| permitted SEQUENCE OF IA5String | ||||
| } | ||||
| id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } | -- | |||
| -- Telephone Number Authorization List Certificate Extension | ||||
| -- | ||||
| TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry | ext-tnAuthList EXTENSION ::= { | |||
| SYNTAX TNAuthorizationList IDENTIFIED BY id-pe-TNAuthList | ||||
| } | ||||
| TNEntry ::= CHOICE { | id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } | |||
| spc [0] ServiceProviderCodeList, | ||||
| range [1] TelephoneNumberRange, | ||||
| one E164Number } | ||||
| ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF | TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry | |||
| IA5STRING | ||||
| -- Service Provider Codes may be OCNs, various SPIDs, or other SP identifiers from the telephone network | TNEntry ::= CHOICE { | |||
| spc [0] ServiceProviderCodeList, | ||||
| range [1] TelephoneNumberRange, | ||||
| one E164Number | ||||
| } | ||||
| TelephoneNumberRange ::= SEQUENCE { | ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF IA5String | |||
| start E164Number, | ||||
| count INTEGER } | ||||
| E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789")) | -- Service Provider Codes may be OCNs, various SPIDs, or other | |||
| -- TN Access Descriptor | -- SP identifiers from the telephone network | |||
| id-ad-stirTNList OBJECT IDENTIFIER ::= { id-ad 14 } | TelephoneNumberRange ::= SEQUENCE { | |||
| start E164Number, | ||||
| count INTEGER | ||||
| } | ||||
| END | E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789")) | |||
| -- TN Access Descriptor | ||||
| id-ad-stirTNList OBJECT IDENTIFIER ::= { id-ad 14 } | ||||
| END | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jon Peterson | Jon Peterson | |||
| Neustar, Inc. | Neustar, Inc. | |||
| Email: jon.peterson@neustar.biz | Email: jon.peterson@neustar.biz | |||
| Sean Turner | Sean Turner | |||
| sn3rd | sn3rd | |||
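Review bot: the ASN.1 module still disagrees with Section 9 on the E164Number alphabet in both columns: the body reads `E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789#*"))` while the module has `E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789"))`. Code generated from the module will reject an entry containing "#" or "*" that the body permits, and the mismatch survived the -13 revision; pick one alphabet (E.164 numbers carry only digits, so dropping "#*" from the body is the smaller change) and make the two definitions identical. Removing the unused `id-ad-ocsp` import and bringing `JWTClaimConstraint` in the module into line with the body (no `excluded` component, no WITH COMPONENTS constraint) are both welcome; the -12 module defined a structure the body never described, which is the kind of body-versus-module drift that later bites interoperability.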
| End of changes. 38 change blocks. | ||||
| 91 lines changed or deleted | 95 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||