idnits 2.17.1

draft-deutch-lamps-client-app-encrypt-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (August 24, 2018) is 2065 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  -- Obsolete informational reference (is this intentional?): RFC 5751
     (Obsoleted by RFC 8551)

  -- Obsolete informational reference (is this intentional?): RFC 7231
     (Obsoleted by RFC 9110)

     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         B. Deutsch
INTERNET-DRAFT                                     Independent Submitter
Intended status: Standards Track
Expires: February 25, 2019                               August 24, 2018

                  Client Application Layer Encryption
                draft-deutch-lamps-client-app-encrypt-00

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

Status of This Memo

   This document specifies an Experimental protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "Internet Official
   Protocol Standards" (STD 1) for the standardization state and status
   of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Abstract

   The protocol for Client Application Layer Encryption offers
   organizations a method of securely providing users with data using
   very few authentication steps.  This protocol makes use of X.509
   public key infrastructure and SHOULD NOT be implemented without
   transport layer security.  The protocol described below helps to
   ensure that response messages may only be read by the intended
   recipient.

Table Of Contents

   Abstract
   1. Introduction
      1.1 Terminology
      1.2 Abbreviations
      1.3 Roles
      1.4 Goals
      1.5 Motivation
      1.6 Strengths and Weaknesses
   2. Security Considerations
   3. IANA Considerations
   4. Communication Patterns
      4.1 Initiation
      4.2 Standard Request
      4.3 whoami Request
      4.4 Server Revocation
   References
      Normative
      Informative
   Appendix A: UML Flow Diagrams
      A.1 Initiation
      A.2 Standard Request
      A.3 whoami Request
   Appendix B: Example Requests and Responses
      B.1 Initiation
      B.2 Standard Request
      B.3 whoami Request
   Author's Address
   Full Copyright Statement
   Intellectual Property Statement

1. Introduction

   This protocol offers a way to reduce the number of network
   communications that must occur for a system to have confidence in
   the identity of the requester, and it reduces the risk in the case
   of impersonation.  It was designed with application programming
   interfaces in mind.

1.1 Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2 Abbreviations

   CN: Common Name [RFC4514]
   CSR: certificate signing request [RFC5280]
   DN: Distinguished Name [RFC4514]
   GUID: Globally Unique IDentifier [RFC4122]
   IaaS: Infrastructure as a Service
   OU: Organizational Unit [RFC4514]
   PaaS: Platform as a Service
   SAN: subject alternative name [RFC4514]
   SaaS: Software as a Service
   TLS: transport layer security [RFC5246]

1.3 Roles

   resource owner: The party with rights to the data.

   resource server: The object housing the data.

   authorization server: The server that fulfills certificate
   signing requests and catalogs them for validation.  All calls to
   this device should be over TLS with mutual certificate exchange
   [RFC5246].

   client: The object requesting the data.

   edge device: The object open to anonymous traffic; it terminates
   TLS [RFC5246], brokers authentication, performs authorization, then
   forwards data.

   origination server: The object that performs processing of the
   request that results in the response.

1.4 Goals

   Minimize exposure of client credentials and data.  A client can be
   authorized and returned a token or other sensitive information with
   confidence that it cannot be intercepted, even by an internal bad
   actor.  To do this, the authorization server must either be a
   signing authority or have permission to submit certificate signing
   requests to a signing authority [RFC5280].  The client certificate
   properties may act as a vehicle for personally identifying
   information to be passed to the origination server.  The private key
   SHOULD NOT be exported from the client device and therefore the CSR
   may contain device properties.

1.5 Motivation

   By increasingly subcontracting information services (i.e. SaaS,
   PaaS, IaaS, etc.) and using contract workers, organizations have
   increased the number of individuals with access to subvert trusted
   systems.

   When users' information is unencrypted it is vulnerable to
   exploitation.  By reducing the occurrences of client data being
   unencrypted we reduce the opportunity for attack.

1.6 Strengths and Weaknesses

   This provides a mechanism for user credentials that may be valid
   for an undefined period of time.  This is made possible because the
   credential itself, the private key [RFC5280], never exists outside
   the users' (resource owners') device.

   The true proof of identity is in the ability of the client to read
   the response message, which makes this mechanism ideal for GET
   requests but unsuitable for POST, PUT, or DELETE unless accompanied
   by a secondary authentication mechanism.

   If an attacker captured the CSR then they would be in a
   position to build a response the client would accept; however, the
   attacker would also have to impersonate the edge device in order to
   impersonate the authorization and origination servers.  Conversely,
   if an attacker impersonates the edge device without the CSR on file
   then any response would appear malformed.

   Because these certificates are not used in TLS negotiation, the
   client is not required to share them at the device layer.  This
   allows the credentials to be owned exclusively by the application
   within the client's device, reducing the opportunity for another
   application running on the same device to steal the private key
   or impersonate the organization's application to the authorization
   server by reading its response.

   To mitigate the risk of attacks, some error messages must simulate
   successful responses, which reduces the feedback available to
   legitimate consumers with malformed requests.

2. Security Considerations

   This document defines a protocol for authenticating and authorizing
   users for access to protected data and the secure delivery of
   responses.

3. IANA Considerations

   No IANA considerations

4. Communication Patterns

   The following sections describe the various transactions that make
   up this protocol.

4.1 Initiation

   For this flow the client is also the resource owner, and the
   authorization server is also both resource server and origination
   server.

   The client must use a method acceptable to the edge device to prove
   their identity [RFC6749] [RFC7617], preferably initial registration.
   At the conclusion of this proving the client should have packaged
   their CSR and sent it to the edge device.

   The edge device shall then forward the identity information with the
   CSR and the cipher used for the TLS to the authorization server.

   The authorization server shall store the CSR in association with the
   user identity and return a response of the GUID of the CSR record
   encrypted by a certificate generated from the CSR using the cipher
   negotiated between the client and the edge device.  This cipher is
   used to ensure it is one the client knows.  To be sure it is also
   one that the resource server knows, the edge device and resource
   servers should be configured to maintain the same list (remember
   that in this flow the resource server is also the authorization
   server).

   The edge device shall then return the encrypted response to the
   client.

   The client must decrypt the response with the private key
   [RFC5280] used to generate the CSR and store the GUID and key for
   future use.

4.2 Standard Request

   For this flow the client is also the resource owner.  These
   credentials are sufficient if this request is a read-only operation
   or a create that produces data that is only usable after the client
   has read the response (proving that they are the resource owner),
   such as token generation where the token is returned in the response
   payload body or a request to a processing queue which must be
   followed by an execution call using the queue identifier from the
   response.  These credentials should be supplemented by a secondary
   mechanism if this request is expected to result in any data changes.

   The client shall send their GUID with the request to the edge
   device.

   The edge device should forward the GUID to the authorization
   server in the form of a validation request.
   The edge device may forward the request to the origination server
   without performing this step, but that would be bad practice: it
   increases the opportunity for capture and message replay, and in
   that case the origination server would need to call the
   authorization server, increasing its client list and therefore its
   attack surface.

   The authorization server shall reply to the validation request with
   a client certificate generated from the CSR associated with the
   GUID.  The certificate should only be valid long enough to fulfill
   the request.

   If the edge device receives a response from the validation call to
   the authorization server that is not a client certificate then the
   edge device should return an object large enough to be mistaken for
   an encrypted response to the untrusted client.  If authentication is
   successful then the edge device should forward the client
   request with the certificate and the negotiated cipher to the
   origination server without the GUID.

   If an internal bad actor captured a request with the client's
   certificate or GUID and used it to send a request then they would be
   unable to read the response.  Additionally, the certificate should
   have an extremely short validity period in which this request would
   be valid.

   The origination server should validate the certificate by issuer,
   subject, and expiration.  No CRL is required as the certificate
   validity should only ever be long enough for one request.  This
   enables the origination server to perform fine grained
   authentication with high confidence without any external calls.  The
   origination server may be the resource server or may make calls to
   the resource server(s), providing the certificate and not the
   cipher, aggregating data as required.
   The identity of the certificate is taken from the SAN if
   present; wherein the CN is the resource owner, the DC is the
   organization of the servers, and any OUs represent allowed scope(s).

   The absence of the cipher informs any resource server(s) that their
   response should not be encrypted by the user's certificate.  This
   request should be over TLS and should use mutual certificate
   exchange [RFC5246] because the client's certificate in this request
   is not for authentication; it is present as a form of query.  These
   requests are from the origination server to the resource server(s)
   as evidenced by the origination server's need to read the response.

   The origination server shall encrypt the response intended for the
   client using the client's certificate and the cipher provided by the
   edge device, ensuring that only the client is able to decrypt it.
   The origination server then returns this response to the edge
   device.

   The edge device shall forward the response to the client.

   The client shall use their private key to decrypt the response.

   If the request is captured between the client and the edge device
   then a message replay is possible; however, the response could only
   be read by the real client.  If a request is captured between the
   edge device and the origination server then a message replay is
   possible only until the certificate expires and, again, the response
   could only be read by the real client.  The flow should use TLS
   throughout to prevent the request from being read between hops.

4.3 whoami Request

   For this flow the client is also the resource owner and the
   authorization server is also both resource server and origination
   server.

   The client makes a request to the edge device using their GUID.

   The edge device receives the request and forwards the GUID to the
   authorization server with the negotiated cipher.

   The authorization server generates a certificate for the client
   that expires immediately, encrypts the certificate using itself
   and the specified cipher, and then returns this as the response to
   the edge device.  If the GUID is not known then a response
   consisting of a random salt large enough to be reasonably mistaken
   for an encrypted payload should be returned to the edge device with
   an HTTP 200 code [RFC7231]; this is intended to prevent a dictionary
   attack from mapping out valid GUIDs.

   The edge device forwards the response to the client.

   The resource owner must then decrypt the response to read it.

4.4 Server Revocation

   In the event that a set of credentials is compromised then the
   authorization server may be required to revoke them.  The resource
   owner may be required to perform a new initiation to regain access
   to their account.

References

Normative

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Level", BCP 14, RFC 2119, March 1997.

   [RFC5246]  Dierks, T., "The Transport Layer Security (TLS) Protocol
              Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., "Internet X.509 Public Key Infrastructure
              Certificate and Certificate Revocation List (CRL)
              Profile", RFC 5280, May 2008.

Informative

   [RFC4122]  Leach, P., "A Universally Unique IDentifier (UUID) URN
              Namespace", RFC 4122, July 2005.

   [RFC4514]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): String Representation of Distinguished Names",
              RFC 4514, June 2006.

   [RFC5751]  Ramsdell, B., "Secure/Multipurpose Internet Mail
              Extensions (S/MIME) Version 3.2 Message Specification",
              RFC 5751, January 2010.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012.

   [RFC7231]  Fielding, R., "Hypertext Transfer Protocol (HTTP/1.1):
              Semantics and Content", RFC 7231, June 2014.

   [RFC7617]  Reschke, J., "The 'Basic' HTTP Authentication Scheme",
              RFC 7617, September 2015.

   [WSD]      WebSequenceDiagrams software is provided by Hanov
              Solutions Inc., of Waterloo, Ontario, Canada.

Appendix A: UML Flow Diagrams

   Each section of this appendix corresponds to the same numbered sub
   section of this document under section 4.  The text between the
   section heading and the flow graphic represents the flow in
   pseudo-code [WSD].  The diagrams have been simplified from the
   pseudo-code in order to fit this document format.

A.1 Initiation

   title Initiation

   note over client:
       generate key
       generate CSR
   end note
   client->edge device: Registration+CSR
   edge device->+authorization server: ID+CSR+cipher
   note over authorization server:
       store CSR
       generate GUID
       encrypt GUID
   end note
   authorization server-->-edge device: encrypted GUID
   edge device-->+client: encrypted GUID
   note over client:
       decrypt response
       store GUID
   end note

   [client]-------------------------------------------------------[client]
       ||                                                            ^
   registration                                                      :
     and csr                                                        GUID
       ||                                                        encrypted
       \/                                                            :
   [edge device]---------------------------------------------[edge device]
       ||                                                            ^
       ID                                                            :
      CSR                                                           GUID
     cipher                                                      encrypted
       ||                                                            :
       \/                                                            :
   [authorization server]---------------------------[authorization server]

A.2 Standard Request

   title Standard Request

   client->edge device: request+GUID
   edge device->authorization server: GUID
   note over authorization server: generate certificate from GUID CSR
   authorization server-->edge device: certificate
   edge device->origination server: request+certificate+cipher
   note over origination server:
       certificate validation
       authorization
   end note
   opt if origination server is not resource server
       origination server->resource server: server request+certificate
       resource server-->origination server: server response
   end
   note over origination server: encrypt response
   origination server-->edge device: encrypted response
   edge device-->client: encrypted response
   note over client: decrypt response

   [client]-------------------------------------------------------[client]
       ||                                                            ^
     Request                                                         :
      GUID                                                       encrypted
       ||                                                        response
       \/                                                            :
   [edge device]---------------------------------------------[edge device]
       ||          ^             ||                                  ^
      GUID         :             ||                                  :
       ||     certificate        ||                                  :
       \/          :             ||                                  :
   [authorization server]--------||-----------------[authorization server]
                                 ||                                  :
                              request                                :
                            certificate                          encrypted
                               cipher                            response
                                 ||  ___________________             :
                                 || |optional/          |            :
                                 || |~~~~~~~~           |            :
                                 || |if the origination |            :
                                 || |server is not the  |            :
                                 \/ |resource server    |            :
   [origination server]-------------|-----------------[origination server]
                                    |   ||         ^    |
                                    | server       :    |
                                    | request+     :    |
                                    | certificate  :    |
                                    |   ||     encrypted|
                                    |   ||     response |
                                    |   \/         :    |
   [resource server]----------------|-------------------|[resource server]
                                    |___________________|

A.3 whoami Request

   title whoami Request

   client->edge device: GUID
   edge device->authorization server: GUID+cipher
   note over authorization server:
       generate certificate
       encrypt response
   end note
   authorization server-->edge device: encrypted response
   edge device-->client: encrypted response
   note over client: decrypt response

   [client]-------------------------------------------------------[client]
       ||                                                            ^
      GUID                                                           :
       ||                                                        encrypted
       ||                                                        response
       \/                                                            :
   [edge device]---------------------------------------------[edge device]
       ||                                                            ^
      GUID                                                           :
     cipher                                                      encrypted
       ||                                                        response
       \/                                                            :
   [authorization server]---------------------------[authorization server]
                                                      |              ^
                                                      |_generate and_|
                                                        encrypt cert

Appendix B: Example Requests and Responses

   Each section of this appendix corresponds to the same numbered sub
   section of
   this document under section 4.  These examples contain
   elements which fulfill the requirements described above and may be
   met by other means.

B.1 Initiation

   The below private key is used to generate the below examples and can
   be used to execute the client decryption commands:

   [PEM-encoded, passphrase-encrypted RSA private key]

B.1.1 Client Registration Request

   The client generates a private key:
   openssl genrsa -des3 -out privkey.key 2048

   Then generates a certificate from the key to designate the expected
   properties:
   openssl req -key privkey.key -out client.crt -new -x509

   Then generates a CSR from the key and certificate:
   openssl x509 -x509toreq -in client.crt -out client.req -sha256 \
      -signkey privkey.key

   The request from the client to the Edge Device:

   POST /registration HTTP/1.1
   Host: server.example.com
   Content-Type: application/pkcs10

   [PEM-encoded certificate signing request]

B.1.2 Edge Registration Request

   The request forwarded to the authorization server with the cipher:

   POST /registration HTTP/1.1
   Host: server.example.com
   Content-Type: application/pkcs10
   Cipher: ECDHE-RSA-AES256-SHA

   [PEM-encoded certificate signing request, identical to B.1.1]

B.1.3 Registration Response

   After generating the GUID that identifies the record it shall be
   encoded using the client certificate:
   openssl smime -encrypt -binary -aes-256-cbc -in response.txt \
      client.crt

   Resulting in the encrypted response [RFC5751]:

   HTTP/1.1 200 OK
   Content-Type: text/plain;charset=UTF-8
   MIME-Version: 1.0
   Content-Disposition: attachment; filename="smime.p7m"
   Content-Type: application/x-pkcs7-mime;
    smime-type=enveloped-data; name="smime.p7m"
   Content-Transfer-Encoding: base64

   [base64-encoded S/MIME enveloped-data]

   The client decrypts the response:
   openssl smime -decrypt -binary -aes-256-cbc -in response.enc -out \
      response.txt -inkey privkey.key
   Enter pass phrase for privkey.key: password

   bec6dc7e-6562-4b1c-b308-6c352e6f8404

B.2 Standard Request

   A request to some other services with this added protection.

B.2.1 Standard Client Request

   The request to some service:

   GET /resource HTTP/1.1
   Host: server.example.com
   CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404

B.2.2 Edge Validation Request

   The authentication request to the authorization server:

   GET /validate HTTP/1.1
   Host: authority.example.com
   CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404

B.2.3a Authorization Validation Response

   Create the signed certificate with minimally applicable validity:
   openssl ca -config openssl.cnf -startdate 180731190800Z -enddate \
      180731190810Z -keyfile ca.key -cert ca.crt -in client.req -out \
      ./client.crt -notext

   A successful response from the authorization server:

   HTTP/1.1 200 OK
   Content-Type: application/x509

   [PEM-encoded client certificate]

B.2.3b Authentication Validation Error

   An unsuccessful response from the authorization server:

   HTTP/1.1 403 Forbidden

B.2.3c Edge Device Erroneous Response

   A successful-appearing response designed to prevent a dictionary
   attack from mapping real user GUIDs (mocking B.2.7).

   HTTP/1.1 200 OK
   Content-Type: text/plain;charset=UTF-8
   MIME-Version: 1.0
   Content-Disposition: attachment; filename="smime.p7m"
   Content-Type: application/x-pkcs7-mime;
    smime-type=enveloped-data; name="smime.p7m"
   Content-Transfer-Encoding: base64

   [base64-encoded filler body]

B.2.4 Edge Forwarded Request

   The request to some service:

   GET /resource HTTP/1.1
   Host: server.example.com
   CALE-PEM: "[base64 body of the client certificate from B.2.3a]"
   Cipher: ECDHE-RSA-AES256-SHA

B.2.5 Aggregation Request

   A request from the origin server to another resource server:

   GET /aggregate HTTP/1.1
   Host: origin.example.com
   CALE-PEM: "[base64 body of the client certificate from B.2.3a]"

B.2.6 Aggregation Response

   A response from a resource server to the origin server:

   HTTP/1.1 200 OK

   {"foo": "bar"}

B.2.7 Origination Response

   The encrypted response from the origination server that will be
   passed back to the client by the edge device:

   HTTP/1.1 200 OK
   Content-Type: text/plain;charset=UTF-8
   MIME-Version: 1.0
   Content-Disposition: attachment; filename="smime.p7m"
   Content-Type: application/x-pkcs7-mime;
    smime-type=enveloped-data; name="smime.p7m"
   Content-Transfer-Encoding: base64

   [base64-encoded S/MIME enveloped-data]
BY1+oVwqnygrXu4aZibJBA5qXQPYYVKGmjgZ1HnvtgWPdV4EW0b3FHbhI71fvalQ 809 HI3g7Jl9bcyNP0kSt4XmuAZzKrVRktBcEbhP9ePqAoH5S0u4vhwtKMZ/rt0BUPwY 810 ZQxVAQo7HQDL00+LHu2nGAbVinszn/5bQrJ7CTHO72ecs7m9DBJmaOT+ZT8toEpI 811 9zOvE4Z6AsqbbrthvIAApWfNBLYxm6fgy+5XeYPdwNnaAOMC0XXEWolp1/Suchzf 812 f84z7ayH8Xx6cP5mZQe/LH5KT4CvfxwsfhzVkMJkUOKyU7uxA+6B6lqm3t1mgIwy 813 EjA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBA7pyAHv3GrWkoZc5fiYkBLgBBL 814 JQYQttSM00rzK3y5X/sA 816 B.3 whoami Request 818 B.3.1 Client whoami Request 820 The request to some service: 822 GET /whoami HTTP/1.1 823 Host: server.example.com 824 CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404 826 B.3.2 Edge whoami Request 828 The request forwarded to the authorization server with the cipher: 830 GET /whoami HTTP/1.1 831 Host: server.example.com 832 CALE-GUID: bec6dc7e-6562-4b1c-b308-6c352e6f8404 833 Cipher: ECDHE-RSA-AES256-SHA 834 B.3.3 Authorization whoami Response 836 Generate the certificate that expires immediately: 837 openssl x509 -req -days 0 -in client.req -CA ca.crt -CAkey 838 ca.key -CAserial file.srl -out client.pem 840 The certificate is encrypted with itself using the cipher: 841 openssl smime -encrypt -binary -aes-256-cbc -in client.pem 842 client.pem 844 HTTP/1.1 200 OK 845 MIME-Version: 1.0 846 Content-Disposition: attachment; filename="smime.p7m" 847 Content-Type: application/x-pkcs7-mime; 848 smime-type=enveloped-data; name="smime.p7m" 849 Content-Transfer-Encoding: base64 851 MIIGogYJKoZIhvcNAQcDoIIGkzCCBo8CAQAxggGWMIIBkgIBADB6MHMxCzAJBgNV 852 BAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRQwEgYD 853 VQQKDAtleGFtcGxlLmNvbTELMAkGA1UECwwCSVQxHTAbBgNVBAMMFGF1dGhvcml6 854 YXRpb24gc2VydmVyAgMAhkkwDQYJKoZIhvcNAQEBBQAEggEAGbGnIDFMlf28nPpc 855 lN7RPb8Ok03T+wESUVDi3Pl9WEiE5BlV00jFPPZYJtatelJt7HOjK0b6Irz5ZHJ6 856 nzZ3xUN1nOOGPl8E/zffxfmVwBX6mh9jLZSZcPoorM58vUT1a0ci4euMH8pLQ+lZ 857 t1K+iV9bLm7Bg/xqumyhjrMq+lb5+0a3ZanhLk1LVNG6FrgG7a15pKX+t7hzWtjA 858 uLSqovn4Jr3tOGGyB9nDoRoWxBYqMlluNenqBgNiLD22DlTMD1iD/NCDEOGq5h5v 859 
3v+LD1NV8yrbRF/dx/GWkH3hl8uiiBaZkGqRI09D10CpuIK2lTsrrqcJyMmiG+8n 860 gqKikDCCBO4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEMN3AKX128vExYesH/M/ 861 yzSAggTA9ak1ngvEX38Jv3hlx0Jel99rFou3EqBvZw4VvZ7y3B0ZycNu+Yk39XSn 862 yDrGBZ84K6sIF/n2DJTz8dZfLxy1iTtZRZ+f9zsbAqtKzz2JTLH4fYJSyTnAC3lU 863 38z6cLVnMyhZliU/zmE0kU+b0CGoI71ubQhJvYtyMraC5Z94/VHkeYyn1fR8YMHU 864 OCoJLtjK2Kz5VPuSZNLrBLQXSOEzLhR/QhTv8x+/nW6t1WnHjFGgq3yYyNysQgZw 865 qlkfOuYtEpLEZM3kBxY/Hbb7hhN4g2UIx3IiYxCOC97mxWfM1YbyaHmt2fuZYW+V 866 JVqiOqHyVyYI6an5z6FsrSfdFN4hSLFowL44ky669i2JlkROQ//CcCV30+gL8VvK 867 c6BvYRskuvvUDttmzVhsciugvCI5HuP3PLNGFejDqENX2nkJatPQwJv+rDsnHMN6 868 M0fh+fVbJ3vJosR22QBLF+kopxj6xD725PUQh36GyoHq3V1aT7VtH7HIqR1PMOsn 869 wZRK+lUT1Jj0Yqv2gkOM4XWMx3vL5ZJ7c7qc95i3uzUhSj8fr6TKkYMcVYQROYJd 870 GD6EODcw3jmocDx7I4uvGGnb2GP3N8QmNJrBeJnBQCZtmsgiOeFnV1QHvqoFCG/m 871 +aHrv6a6drK5bOlzK2pelUar6O/XaKcVr7ZWjgFWG6Wbudd3DVBU7muVUCiBbrqJ 872 G3aT/z+qDK1AcBe2QdUfuk0v+QTa8jDatbypor0bv/wpfSQ81yl40edMyyXv6ZxY 873 ZKBcZKGfeSn5cF3h1gt0hSrpVZIGscb/Xehx8unBl4bjzfGkaUhu7kFo5WD3fVKr 874 PKAC8GtCVa3vDFAI5d1B8PFz1DaT1QTQhlHSVmXNpsjIGZujqR1sLGQU+XWyy3qu 875 gDYZEFcK1BjUhtMG4uVKz2Cm3AVOWZU/EzVpiBnxDLirE9z6YdoXZjhiMCnOpAps 876 C8UDAqMvxRLYqadJz67qt6yaY7xFLqcihz0uME46midfMbdI94ztkLXt6D70ML15 877 Q6Q3QbHS8NKgXKJ1NZeo6CGFgagj9OoaJjr400cFz/dAhgDVvE8AAKQTZHUCIvAr 878 iKy/Y/VS1WySNETNKeUgj4uOpZqwVvhGkQYYeZVjYXrrWlyN6B4pmFXLNl5hoOsM 879 6zWm5zaKY2gQJzTbHnCqkeqxkhfZeRXpkYqiTT86hzy+AsaXGnQXJcTHROlwrkbU 880 9gxlduIKOVd0uFbpwlBp+304JsuXOfCwyAWt4y3DmCfO7rJxAr1EoCZL2wRkk+xK 881 di08gMehw8YD4rERNsxg/5kuX1VevfYBR+94cVpg+u6dJtMM1EWazmnGGxnNvItb 882 vfDAVEgFkFTRn/aLM7nzMgQkythzJS46S878HJ18plTpRJTARtpW9uqllNwh6LnL 883 NC1z1eYl5dS/s0ErVOxERwaDKx6x3vxaa5hniW8e+yABgSqunrTdnQoQ0dha2Cpr 884 uXOmwlJyBuclZSEgsgMVVswn/R8x0pIiVW96YU5H+P59bguP5hLnSFvFhLhDades 885 bG8sRC7dAW87ZHFOGO315872wVsUw0fjGwgLcF6BJ4CtDM/DD2dhV090225gXVCT 886 HOlRqS6MekpUqBmw1nooGvR1hCqeQA== 887 Author's Address 889 Benjamin Deutsch 891 Email: spreakenze@gmail.com 893 Full Copyright Statement 

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Intellectual Property Statement

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html
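
The two commands from B.3.3, run end to end against a throwaway CA and client key. This is an added example, not part of the draft: the subject names, the temporary files and the decrypt and expiry checks around the two B.3.3 commands are assumptions made here.

```shell
#!/bin/sh
# Added walk-through of B.3.3. All keys, subject names and files are constructed
# throwaways; only the two commands marked "B.3.3" come from the draft.
whoami_roundtrip() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1

    # Constructed authorization-server CA and client key + request.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed authorization server" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=constructed client" \
        -keyout client.key -out client.req 2>/dev/null || exit 1
    echo 01 > file.srl

    # B.3.3, step 1: issue a certificate that expires at the moment of issue.
    openssl x509 -req -days 0 -in client.req -CA ca.crt -CAkey ca.key \
        -CAserial file.srl -out client.pem 2>/dev/null || exit 1

    # B.3.3, step 2: encrypt the certificate to its own public key.
    openssl smime -encrypt -binary -aes-256-cbc -in client.pem \
        -out whoami.p7m client.pem || exit 1

    # Client side: the matching private key opens the envelope intact.
    openssl smime -decrypt -binary -in whoami.p7m -recip client.pem \
        -inkey client.key -out recovered.pem || exit 1
    cmp -s client.pem recovered.pem || exit 1

    # Any other key pair (here the CA's) is not a recipient and must fail.
    if openssl smime -decrypt -in whoami.p7m -recip ca.crt -inkey ca.key \
        -out /dev/null 2>/dev/null; then exit 1; fi

    # -checkend 0 succeeds only while the certificate is still valid.
    if openssl x509 -in client.pem -noout -checkend 0 >/dev/null; then
        exit 1
    fi
    echo "recovered-by-client-only expired-on-issue"
)

whoami_roundtrip
```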