| < draft-turner-deviceowner-attribute-02.txt | draft-turner-deviceowner-attribute-03.txt > | |||
|---|---|---|---|---|
| Network Working Group Sean Turner, IECA | Network Working Group Sean Turner, IECA | |||
| Internet Draft October 19, 2009 | Internet Draft February 1, 2010 | |||
| Intended Status: Informational Track | Intended Status: Informational Track | |||
| Expires: April 19, 2010 | Expires: August 1, 2010 | |||
| Device Owner Attribute | Device Owner Attribute | |||
| draft-turner-deviceowner-attribute-02.txt | draft-turner-deviceowner-attribute-03.txt | |||
| Abstract | ||||
| This document defines the Device Owner attribute. It indicates the | ||||
| entity (e.g., company, organization, department, agency) that owns | ||||
| the device. This attribute may be included in public key | ||||
| certificates and attribute certificates. | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 31 | skipping to change at page 1, line 38 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| This Internet-Draft will expire on April 19, 2010. | This Internet-Draft will expire on August 1, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents | |||
| publication of this document (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | ||||
| Abstract | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | ||||
| This document defines the Device Owner attribute. This attribute may | described in the Simplified BSD License. | |||
| be included in locations or protocols that support ASN.1 attributes. | ||||
| 1. Introduction | 1. Introduction | |||
| This document specifies the Device Owner attribute. This attribute | This document specifies the Device Owner attribute. It indicates the | |||
| may be included in locations or protocols that support ASN.1 | entity (e.g., company, organization, department, agency) that owns | |||
| attribute definitions to indicate the country or group that owns the | the device. This attribute is intended to be used in public key | |||
| device. | certificates [RFC5280] and attribute certificates [RFC5755]. | |||
| This attribute may be used in authorization decisions. For example, a | This attribute may be used in automated authorization decisions. For | |||
| router deciding whether to connect to another router could check that | example, when two peers are deciding whether to communicate each | |||
| the device owner present in the device's certificate is on an | could check that the device owner present in the other device's | |||
| "approved" list. | certificate is on an "approved" list. This check is performed in | |||
| addition to certification path validation [RFC5280]. The mechanism | ||||
| for managing the "approved" list is beyond the scope of this | ||||
| document. | ||||
| NOTE: This document does not provide LDAP equivalent schema | NOTE: This document does not provide an equivalent LDAP schema | |||
| specification as this attribute is targeted at public key | specification as this attribute is targeted at public key | |||
| certificates [RFC5280] and attribute certificates [RFC3281bis]. This | certificates [RFC5280] and attribute certificates [RFC5755]. | |||
| is left to a future specification. | Definition of an equivalent LDAP schema is left to a future | |||
| specification. | ||||
| 1.1. Terminology | 1.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 1.2. ASN.1 Syntax Notation | 1.2. ASN.1 Syntax Notation | |||
| The attributes are defined using ASN.1 [X.680]. | The attribute is defined using ASN.1 [X.680] through [X.683]. | |||
| 2. Device Owner | 2. Device Owner | |||
| The Device Owner attribute indicates the country or organization that | The Device Owner attribute indicates the entity (e.g., company, | |||
| owns the Device with which this attribute is associated. Device | organization, department, agency) that owns the Device with which | |||
| Owner is a choice of ISO 3166 [ISO3166-1] and [ISO3166-2] country | this attribute is associated. Device Owner is an object identifier. | |||
| codes or an object identifier that represents a group of nations, an | ||||
| organization, or any entity other than a nation. | ||||
| The following object identifier identifies the Device Owner | The following object identifier identifies the Device Owner | |||
| attribute: | attribute: | |||
| id-deviceOwner OBJECT IDENTIFIER ::= { | id-deviceOwner OBJECT IDENTIFIER ::= { | |||
| joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | |||
| dod(2) infosec(1) attributes(5) 69 | dod(2) infosec(1) attributes(5) 69 | |||
| } | } | |||
| The ASN.1 syntax for the Device Owner attribute is as follows: | The ASN.1 syntax for the Device Owner attribute is as follows: | |||
| deviceOwner ATTRIBUTE ::= { | at-deviceOwner ATTRIBUTE ::= { | |||
| WITH SYNTAX DeviceOwner | TYPE OBJECT IDENTIFIER | |||
| EQUALITY MATCHING RULE deviceOwnerMatch | EQUALITY MATCHING RULE objectIdentifierMatch | |||
| SINGLE VALUE TRUE | IDENTIFIED BY id-deviceOwner | |||
| ID id-deviceOwner | ||||
| } | ||||
| DeviceOwner ::= CHOICE { | ||||
| alpha2Country [0] PrintableString ( SIZE (2) ), | ||||
| -- ISO 3166-1 2 Letter Codes (aka diagram). | ||||
| alpha3Country [1] PrintableString ( SIZE (3) ), | ||||
| -- ISO 3166-1 3 Letter Codes (aka trigram). | ||||
| alpha4Country [2] PrintableString ( SIZE (4) ), | ||||
| -- ISO 3166-2 4 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by one alpha or numeric code). | ||||
| alpha5Country [3] PrintableString ( SIZE (5) ), | ||||
| -- ISO 3166-2 5 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by two alpha or numeric codes). | ||||
| alpha6Country [4] PrintableString ( SIZE (6) ), | ||||
| -- ISO 3166-2 6 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by three alpha or numeric codes). | ||||
| numericCountry INTEGER (0..999), | ||||
| -- ISO 3166-1 3 Digit Codes. | ||||
| group OBJECT IDENTIFIER | ||||
| } | } | |||
| There MUST only be one value of Device Owner associated with a | There MUST only be one value of Device Owner associated with a | |||
| device, as distinct owners SHOULD be represented in separate | device. Distinct owners MUST be represented in separate | |||
| certificates. | certificates. | |||
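Review bot: the single-value rule in the prose ("There MUST only be one value of Device Owner associated with a device") lost its ASN.1 counterpart in this change: the -02 definition carried `SINGLE VALUE TRUE`, while the -03 `at-deviceOwner` object (`TYPE OBJECT IDENTIFIER`, `EQUALITY MATCHING RULE objectIdentifierMatch`, `IDENTIFIED BY id-deviceOwner`) states no value-count constraint at all. If the imported ATTRIBUTE class supports a count constraint, express the rule there as well; if it does not, say explicitly that a relying party MUST reject (not pick from) a Device Owner attribute carrying more than one value, since the Introduction's allow-list check is only safe when there is exactly one value to compare.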
| NOTE: When an environment uses the Device Owner attribute, it is | ||||
| important that the same CHOICE be used throughout the environment. | ||||
| The following object identifier identifies the Device Owner matching | ||||
| rule: | ||||
| id-matching-rule-deviceOwnerMatch OBJECT IDENTIFIER ::= { | ||||
| joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | ||||
| dod(2) infosec(1) matching-rules(9) 6 | ||||
| } | ||||
| When performing a match the following matching rule is used: | ||||
| deviceOwnerMatch MATCHING-RULE ::= { | ||||
| SYNTAX DeviceOwner | ||||
| ID id-matching-rule-deviceOwnerMatch | ||||
| } | ||||
| This rule returns a TRUE if the strings are the same length and | ||||
| corresponding characters are identical except possibly with regard to | ||||
| case. | ||||
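The allow-list check described in the -03 Introduction, applied to the Section 2 syntax (the attribute value is a single OBJECT IDENTIFIER, compared with objectIdentifierMatch, i.e. arc-by-arc equality), as an added example that is not code from either draft or from the author. It uses only the Python standard library: a small DER encoder/decoder for an X.509-style Attribute (SEQUENCE { type OID, values SET OF OID }), the draft's id-deviceOwner arc, and two owner OIDs that are hypothetical and assigned to nobody. Decoding faults, a foreign attribute type, and the multi-value case the draft forbids all result in a deny.

```python
ID_DEVICE_OWNER = "2.16.840.1.101.2.1.5.69"   # id-deviceOwner from the draft

# Hypothetical owner OIDs for illustration only; not registered to anyone.
OWNER_ACME_NETOPS = "1.3.6.1.4.1.99999.1"
OWNER_ACME_LAB = "1.3.6.1.4.1.99999.2"


def _arcs(dotted):
    arcs = tuple(int(a) for a in dotted.split("."))
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    return arcs


def _base128(value):
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = _arcs(dotted)
    content = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, content)


def _read_tlv(data, pos):
    """Return (tag, content, next_pos); rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(data):
        raise ValueError("truncated")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data) or data[pos] == 0:
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    if pos + length > len(data):
        raise ValueError("truncated")
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Inverse of encode_oid on the content octets; returns a tuple of int arcs."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for b in content:
        if value == 0 and b == 0x80:
            raise ValueError("non-minimal OID arc")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = (2, first - 80) if first >= 80 else (first // 40, first % 40)
    return head + tuple(subids[1:])


def encode_attribute(attr_type, values):
    """Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF OBJECT IDENTIFIER }
    (the Attribute shape of RFC 5280 / RFC 5755); DER orders SET OF by encoding."""
    encoded = sorted(encode_oid(v) for v in values)
    return _tlv(0x30, encode_oid(attr_type) + _tlv(0x31, b"".join(encoded)))


def decode_attribute(der):
    """Return (type_arcs, [value_arcs, ...]) or raise ValueError on any structural fault."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, type_content, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("attribute type must be an OID")
    tag, set_content, pos = _read_tlv(seq, pos)
    if tag != 0x31 or pos != len(seq):
        raise ValueError("expected SET OF values, then end of SEQUENCE")
    values, p = [], 0
    while p < len(set_content):
        tag, content, p = _read_tlv(set_content, p)
        if tag != 0x06:
            raise ValueError("Device Owner values must be OIDs")
        values.append(decode_oid(content))
    return decode_oid(type_content), values


def device_owner(der):
    """The one owner OID (tuple of arcs) in a Device Owner attribute; enforces the
    draft's rule that there MUST be exactly one value."""
    attr_type, values = decode_attribute(der)
    if attr_type != _arcs(ID_DEVICE_OWNER):
        raise ValueError("not a Device Owner attribute")
    if len(values) != 1:
        raise ValueError("Device Owner MUST carry exactly one value, got %d" % len(values))
    return values[0]


def device_owner_allowed(der, approved_oids):
    """Allow-list check from the Introduction. objectIdentifierMatch is arc-by-arc
    equality, so compare decoded arcs, never raw strings; any decode fault is a deny.
    Run this in addition to, never instead of, RFC 5280 path validation."""
    try:
        owner = device_owner(der)
    except ValueError:
        return False
    return owner in {_arcs(o) for o in approved_oids}


if __name__ == "__main__":
    attr = encode_attribute(ID_DEVICE_OWNER, [OWNER_ACME_NETOPS])
    print(attr.hex())
    print(device_owner_allowed(attr, {OWNER_ACME_NETOPS}))   # True
    print(device_owner_allowed(attr, {OWNER_ACME_LAB}))      # False
```

The comparison is done on decoded arcs rather than on dotted strings so that two encodings of the same OID can never compare unequal, and a non-minimal encoding of a different OID can never compare equal; that is what objectIdentifierMatch requires and what the -02 case-insensitive string rule could not guarantee across its CHOICE alternatives.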
| 3. Security Considerations | 3. Security Considerations | |||
| If this attribute is used as part of an authorization process, the | If this attribute is used as part of an authorization process, the | |||
| procedures employed by the entity that assigns each value must ensure | procedures employed by the entity that assigns each value must ensure | |||
| that the correct value is applied. Further, once applied to the | that the correct value is applied. Including this attribute in a | |||
| object it must be bound to the object; this binding is normally | public key certificate or attribute certificate ensures the value for | |||
| performed by digitally signing over the object and the attribute to | the device owner is integrity protected. | |||
| ensure data integrity. | ||||
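Review bot: the -03 sentence "Including this attribute in a public key certificate or attribute certificate ensures the value for the device owner is integrity protected" overstates what the signature gives a relying party, and drops the -02 explanation that the binding comes from signing over the object and the attribute. The signature binds the value to whichever issuer signed it; it says nothing about whether that issuer was entitled to assert that owner. Combined with the Introduction's allow-list check (performed "in addition to certification path validation"), any CA in the relying party's trust store could put a device on the approved list. Suggest stating that the relying party MUST also restrict which issuer(s) it accepts Device Owner values from (per-issuer policy or equivalent), and that integrity protection holds only after path validation succeeds to a trust anchor the relying party trusts for this purpose.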
| 4. IANA Considerations | 4. IANA Considerations | |||
| None: All identifiers are already registered. Please remove this | None: All identifiers are already registered. Please remove this | |||
| section prior to publication as an RFC. | section prior to publication as an RFC. | |||
| 5. References | 5. References | |||
| 5.1. Normative References | 5.1. Normative References | |||
| [ISO3166-1] ISO 3166-1: Codes for the Representation of Names of | ||||
| Countries and Their Subdivisions - Part 1: Country | ||||
| Codes, 2006. | ||||
| [ISO3166-2] ISO 3166-2: Codes for the Representation of Names of | ||||
| Countries and Their Subdivisions - Part 2: Country | ||||
| Subdivision Code, 2007. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824- | ||||
| 1:2002, Information technology - Abstract Syntax | ||||
| Notation One (ASN.1): Specification of basic notation. | ||||
| [RFC5280] Cooper, D., et. al., "Internet X.509 Public Key | [RFC5280] Cooper, D., et. al., "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certification Revocation | Infrastructure Certificate and Certification Revocation | |||
| List (CRL) Profile", RFC 5280, May 2008. | List (CRL) Profile", RFC 5280, May 2008. | |||
| [RFC3281bis] Farrell, S., Housley, R., and S. Turner, "An Internet | [RFC5755] Farrell, S., Housley, R., and S. Turner, "An Internet | |||
| Attribute Certificate Profile for Authorization", | Attribute Certificate Profile for Authorization", RFC | |||
| draft-ietf-pkix-3281update-05.txt, work-in-progress. | 5755, January 2010. | |||
| [RFCTBD] Schaad, J., and P. Hoffman, "New ASN.1 Modules for | ||||
| PKIX", draft-ietf-pkix-new-asn1-07.txt, work-in- | ||||
| progress. | ||||
| /** | /** | |||
| RFC Edit: Please replace "RFC3281bis" with "RFC####" where ### | RFC Editor: Please replace "RFCTBD" with "RFC####" where #### is the | |||
| is the number of the published RFC in both the references and | number of the published RFC. Please do this in both the references | |||
| the text. | and the text. | |||
| **/ | **/ | |||
| [X.501] ITU-T Recommendation X.520 (2002) | ISO/IEC 9594- | ||||
| 2:2002, Information technology - The Directory: Models. | ||||
| [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824- | ||||
| 1:2002, Information technology - Abstract Syntax | ||||
| Notation One (ASN.1): Specification of basic notation. | ||||
| [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824- | ||||
| 2:2002. Information Technology - Abstract Syntax | ||||
| Notation One: Information Object Specification. | ||||
| [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824- | ||||
| 3:2002. Information Technology - Abstract Syntax | ||||
| Notation One: Constraint Specification. | ||||
| [X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824- | ||||
| 4:2002. Information Technology - Abstract Syntax | ||||
| Notation One: Parameterization of ASN.1 Specifications. | ||||
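Review bot: the new [X.501] entry reads "ITU-T Recommendation X.520 (2002) | ISO/IEC 9594-2:2002, Information technology - The Directory: Models"; the title and the ISO/IEC 9594-2 number belong to X.501, and the module imports objectIdentifierMatch from X.501's InformationFramework, so "X.520" should be "X.501".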
| 5.2. Informative References | 5.2. Informative References | |||
| None | None | |||
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
| This appendix provides the normative ASN.1 [X.680] definition for the | This appendix provides the normative ASN.1 [X.680] definitions for | |||
| structure described in this specification. | the structures described in this specification using ASN.1 as defined | |||
| in [X.680] through [X.683]. | ||||
| DeviceOwnerAttribute-2008 | DeviceOwnerAttribute-2008 | |||
| { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | |||
| dod(2) infosec(1) module(0) id-deviceOwnerAttribute-2008(34) } | dod(2) infosec(1) module(0) id-deviceOwnerAttribute-2008(34) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| -- IMPORTS NOTHING -- | IMPORTS | |||
| -- device owner attribute OID and syntax | ||||
| id-deviceOwner OBJECT IDENTIFIER ::= { | ||||
| joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | ||||
| dod(2) infosec(1) attributes(5) 69 | ||||
| } | ||||
| deviceOwner ATTRIBUTE ::= { | ||||
| WITH SYNTAX DeviceOwner | ||||
| EQUALITY MATCHING RULE deviceOwnerMatch | ||||
| SINGLE VALUE TRUE | ||||
| ID id-deviceOwner | ||||
| } | ||||
| DeviceOwner ::= CHOICE { | -- IMPORTS from New PKIX ASN.1 [RFCTBD] | |||
| alpha2Country [0] PrintableString ( SIZE (2) ), | ||||
| -- ISO 3166-1 2 Letter Codes (aka diagram). | ||||
| alpha3Country [1] PrintableString ( SIZE (3) ), | ||||
| -- ISO 3166-1 3 Letter Codes (aka trigram). | ||||
| alpha4Country [2] PrintableString ( SIZE (4) ), | ||||
| -- ISO 3166-2 4 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by one alpha or numeric code). | ||||
| alpha5Country [3] PrintableString ( SIZE (5) ), | ||||
| -- ISO 3166-2 5 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by two alpha or numeric codes). | ||||
| alpha6Country [4] PrintableString ( SIZE (6) ), | ||||
| -- ISO 3166-2 6 Letter Codes (ISO 3166-1 diagram and a hyphen | ||||
| -- followed by three alpha or numeric codes). | ||||
| numericCountry INTEGER (0..999), | ||||
| -- ISO 3166-1 3 Digit Codes. | ||||
| group OBJECT IDENTIFIER | ||||
| } | ||||
| id-matching-rule-deviceOwnerMatch OBJECT IDENTIFIER ::= { | ATTRIBUTE | |||
| joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | FROM PKIX-CommonTypes-2009 | |||
| dod(2) infosec(1) matching-rules(9) 6 | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| } | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkixCommon-02(57) } | ||||
| deviceOwnerMatch MATCHING-RULE ::= { | -- Imports from ITU-T X.501 [X.501] | |||
| SYNTAX DeviceOwner | ||||
| ID id-matching-rule-deviceOwnerMatch | ||||
| } | ||||
| ATTRIBUTE ::= CLASS { | ||||
| &derivation ATTRIBUTE OPTIONAL, | ||||
| &Type OPTIONAL, | ||||
| -- either &Type or &derivation required | ||||
| &equality-match MATCHING-RULE OPTIONAL, | ||||
| &ordering-match MATCHING-RULE OPTIONAL, | ||||
| &substrings-match MATCHING-RULE OPTIONAL, | ||||
| &single-valued BOOLEAN DEFAULT FALSE, | ||||
| &collective BOOLEAN DEFAULT FALSE, | ||||
| -- operational extensions | ||||
| &no-user-modification BOOLEAN DEFAULT FALSE, | ||||
| &usage AttributeUsage DEFAULT userApplications, | ||||
| &id OBJECT IDENTIFIER UNIQUE } | ||||
| WITH SYNTAX { | ||||
| [ SUBTYPE OF &derivation ] | ||||
| [ WITH SYNTAX &Type ] | ||||
| [ EQUALITY MATCHING RULE &equality-match ] | ||||
| [ ORDERING MATCHING RULE &ordering-match ] | ||||
| [ SUBSTRINGS MATCHING RULE &substrings-match ] | ||||
| [ SINGLE VALUE &single-valued ] | ||||
| [ COLLECTIVE &collective ] | ||||
| [ NO USER MODIFICATION &no-user-modification ] | ||||
| [ USAGE &usage ] | ||||
| ID &id } | ||||
| MATCHING-RULE ::= CLASS { | objectIdentifierMatch | |||
| &AssertionType OPTIONAL, | FROM InformationFramework | |||
| &id OBJECT IDENTIFIER UNIQUE } | { joint-iso-itu-t ds(5) module(1) informationFramework(1) 4 } | |||
| WITH SYNTAX { | ||||
| [ SYNTAX &AssertionType ] | ||||
| ID &id } | ||||
| AttributeType ::= ATTRIBUTE.&id | ; | |||
| AttributeValue ::= ATTRIBUTE.&Type | -- device owner attribute OID and syntax | |||
| AttributeUsage ::= ENUMERATED { | id-deviceOwner OBJECT IDENTIFIER ::= { | |||
| userApplications (0), | joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) | |||
| directoryOperation (1), | dod(2) infosec(1) attributes(5) 69 | |||
| distributedOperation (2), | } | |||
| dSAOperation (3) } | ||||
| at-deviceOwner ATTRIBUTE ::= { | ||||
| TYPE OBJECT IDENTIFIER | ||||
| EQUALITY MATCHING RULE objectIdentifierMatch | ||||
| IDENTIFIED BY id-deviceOwner | ||||
| } | ||||
| END | END | |||
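Review bot: the module keeps the same name and object identifier, DeviceOwnerAttribute-2008 { ... module(0) id-deviceOwnerAttribute-2008(34) }, while its contents change incompatibly (the CHOICE-valued deviceOwner/DeviceOwner/deviceOwnerMatch definitions are replaced by an OBJECT IDENTIFIER-valued at-deviceOwner with imports from PKIX-CommonTypes-2009 and InformationFramework). Two incompatible modules now share one identifier, so a tool that has already consumed the -02 module cannot tell which definition it is loading; assign a new module name and arc for the -03 module.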
| Author's Addresses | Author's Address | |||
| Sean Turner | Sean Turner | |||
| IECA, Inc. | IECA, Inc. | |||
| 3057 Nutley Street, Suite 106 | 3057 Nutley Street, Suite 106 | |||
| Fairfax, VA 22031 | Fairfax, VA 22031 | |||
| USA | USA | |||
| EMail: turners@ieca.com | EMail: turners@ieca.com | |||
| End of changes. 32 change blocks. | ||||
| 180 lines changed or deleted | 102 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||