Network Working Group                                         R. Housley
Internet-Draft                                            Vigil Security
Updates: 8226 (if approved)                              21 January 2021
Intended status: Standards Track
Expires: 25 July 2021

           Enhanced JWT Claim Constraints for STIR Certificates
                  draft-housley-stir-enhance-rfc8226-00

Abstract

   RFC 8226 provides a certificate extension to constrain the JWT claims
   that can be included in the PASSporT as defined in RFC 8225.  If the
   signer includes a JWT claim outside the constraint boundaries, then
   the recipient will reject the entire PASSporT.  This document defines
   additional ways that the JWT claims can be constrained.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 25 July 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Enhanced JWT Claim Constraints Syntax
   4.  Examples
   5.  IANA Considerations
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  ASN.1 Module
   Author's Address

1.  Introduction

   The use of certificates [RFC5280] in establishing authority over
   telephone numbers is described in [RFC8226].

   Section 8 of [RFC8226] provides a certificate extension to constrain
   the JWT claims that can be included in the PASSporT [RFC8225].  If
   the signer includes a JWT claim outside the constraint boundaries,
   then the recipient will reject the entire PASSporT.

   This document defines an enhanced JWTClaimConstraints certificate
   extension, which provides all of the capabilities available in the
   original certificate extension as well as some additional ways to
   constrain the allowable JWT claims.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Enhanced JWT Claim Constraints Syntax

   Certificate subjects are limited to specific values for PASSporT
   claims with the Enhanced JWT Claim Constraints certificate extension;
   issuers permit all claims by omitting the Enhanced JWT Claim
   Constraints certificate extension from the extension field of the
   certificate [RFC5280].  The certificate extension is non-critical,
   applicable only to end-entity certificates, and defined with ASN.1
   [X.680].  The syntax of the JWT claims in a PASSporT is specified in
   [RFC8225].

   The Enhanced JWT Claim Constraints certificate extension is optional,
   but when present, it constrains the JWT claims that authentication
   services may include in the PASSporT objects they sign.  Constraints
   are applied by certificate issuers and enforced by recipients when
   validating PASSporT claims as follows:

   1.  mustInclude indicates JWT claims that MUST appear in the PASSporT
       in addition to the iat, orig, and dest claims.  The baseline
       PASSporT claims ("iat", "orig", and "dest") are considered to be
       permitted by default, and these claims SHOULD NOT be part of the
       mustInclude list.  If mustInclude is absent, the iat, orig, and
       dest claims MUST appear in the PASSporT.

   2.  permittedValues indicates that if the claim name is present, the
       claim MUST contain one of the listed values.

   3.  mustExclude indicates JWT claims that MUST NOT appear in the
       PASSporT.  The baseline PASSporT claims ("iat", "orig", and
       "dest") are considered to be permitted by default, and these
       claims MUST NOT be part of the mustExclude list.

   4.  excludedValues indicates that if the claim name is present, the
       claim MUST NOT contain any of the listed values.

   The Enhanced JWT Claim Constraints certificate extension is
   identified by the following object identifier (OID):

      id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 }

   The Enhanced JWT Claim Constraints certificate extension has the
   following syntax:

      EnhancedJWTClaimConstraints ::= SEQUENCE {
        mustInclude [0] JWTClaimNames OPTIONAL,
          -- The listed claim names MUST appear in the PASSporT
          -- in addition to iat, orig, and dest.  If absent, iat, orig,
          -- and dest MUST appear in the PASSporT.
        permittedValues [1] JWTClaimValuesList OPTIONAL,
          -- If the claim name is present, the claim MUST contain one
          -- of the listed values.
        mustExclude [2] JWTClaimNames OPTIONAL,
          -- The listed claim names MUST NOT appear in the PASSporT.
        excludedValues [3] JWTClaimValuesList OPTIONAL }
          -- If the claim name is present, the claim MUST NOT contain
          -- any of the listed values.
        ( WITH COMPONENTS { ..., mustInclude PRESENT } |
          WITH COMPONENTS { ..., permittedValues PRESENT } |
          WITH COMPONENTS { ..., mustExclude PRESENT } |
          WITH COMPONENTS { ..., excludedValues PRESENT } )

      JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues

      JWTClaimValues ::= SEQUENCE {
        claim JWTClaimName,
        values SEQUENCE SIZE (1..MAX) OF UTF8String }

      JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName

      JWTClaimName ::= IA5String

4.  Examples

   Consider the following examples with a PASSporT claim called
   "confidence" with values "low", "medium", and "high":

   *  If a CA issues to an authentication service a certificate that
      includes an Enhanced JWT Claim Constraints certificate extension
      that contains the mustInclude JWTClaimName "confidence", then the
      authentication service is required to include the "confidence"
      claim in all PASSporTs it generates and signs; a verification
      service will treat as invalid any PASSporT it receives that does
      not include the "confidence" claim.

   *  If a CA issues to an authentication service a certificate that
      includes an Enhanced JWT Claim Constraints certificate extension
      that contains the permittedValues JWTClaimName "confidence" and a
      permitted "high" value, then a recipient authentication service
      will treat as invalid any PASSporT it receives with a PASSporT
      "confidence" claim with a value other than "high".  However, a
      recipient authentication service will not treat as invalid a
      PASSporT it receives without a PASSporT "confidence" claim at all.

   *  If a CA issues to an authentication service a certificate that
      includes an Enhanced JWT Claim Constraints certificate extension
      that contains the mustExclude JWTClaimName "confidence", then a
      recipient authentication service will treat as invalid any
      PASSporT it receives with a PASSporT "confidence" claim regardless
      of the claim value.

   *  If a CA issues to an authentication service a certificate that
      includes an Enhanced JWT Claim Constraints certificate extension
      that contains the excludedValues JWTClaimName "confidence" and an
      excluded "low" value, then a recipient authentication service
      will treat as invalid any PASSporT it receives with a PASSporT
      "confidence" claim with a value of "low".  However, a recipient
      authentication service will not treat as invalid a PASSporT it
      receives without a PASSporT "confidence" claim at all.

5.  IANA Considerations

   This document makes use of object identifiers for the Enhanced JWT
   Claim Constraints certificate extension defined in Section 3 and the
   ASN.1 module identifier defined in Appendix A.  Therefore, IANA is
   asked to make the following assignments within the SMI Numbers
   Registry.

   For the Enhanced JWT Claim Constraints certificate extension in the
   "SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1)
   registry:

      TBD1  id-pe-eJWTClaimConstraints

   For the ASN.1 module identifier in the "SMI Security for PKIX Module
   Identifier" (1.3.6.1.5.5.7.0) registry:

      TBD2  id-mod-eJWTClaimConstraints-2021

6.  Security Considerations

   For further information on certificate security and practices, see
   [RFC5280], especially the Security Considerations section.

   The Enhanced JWT Claim Constraints certificate extension can be used
   by certificate issuers to limit the PASSporTs that recipient
   verification services will accept.  Enforcement of these limits
   depends upon proper implementation by the recipient verification
   services.  The digital signature on the PASSporT data structure will
   be valid even if the limits are violated.

7.  Acknowledgements

   Many thanks to Chris Wendt for his insight into the need for the
   Enhanced JWT Claim Constraints certificate extension.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8225]  Wendt, C. and J. Peterson, "PASSporT: Personal Assertion
              Token", RFC 8225, DOI 10.17487/RFC8225, February 2018.

   [RFC8226]  Peterson, J. and S. Turner, "Secure Telephone Identity
              Credentials: Certificates", RFC 8226,
              DOI 10.17487/RFC8226, February 2018.

   [X.680]    International Telecommunication Union, "Information
              Technology - Abstract Syntax Notation One (ASN.1):
              Specification of basic notation", ISO/IEC 8824-1, August
              2021.

8.2.  Informative References

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010.

Appendix A.  ASN.1 Module

   This appendix provides the ASN.1 [X.680] definitions for the Enhanced
   JWT Claim Constraints certificate extension.  The module defined in
   this appendix is compatible with the ASN.1 specifications published
   in 2015.

   This ASN.1 module imports ASN.1 from [RFC5912].
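   Before the module itself, the following Python is an added worked
   example (not code from this draft or its author) of how a verification
   service enforces the four components defined in Section 3, replaying
   the four "confidence" examples of Section 4.  It assumes the extension
   has already been DER-decoded into the hypothetical
   EnhancedJWTClaimConstraints dataclass below; the function names, the
   dataclass, and the sample PASSporT claim values are constructed for
   this example and do not come from the draft.

```python
"""Enforcement of Enhanced JWT Claim Constraints against PASSporT claims.

Added example: not code from the draft. The dataclass below is a
hypothetical Python form of the decoded ASN.1 extension; DER decoding
is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Baseline PASSporT claims (RFC 8225): permitted by default, never listed
# in mustExclude, and required whether or not mustInclude is present.
BASELINE_CLAIMS = ("iat", "orig", "dest")


@dataclass
class EnhancedJWTClaimConstraints:
    """Decoded EnhancedJWTClaimConstraints (hypothetical Python shape)."""
    must_include: Optional[List[str]] = None                 # [0] JWTClaimNames
    permitted_values: Optional[Dict[str, List[str]]] = None  # [1] JWTClaimValuesList
    must_exclude: Optional[List[str]] = None                 # [2] JWTClaimNames
    excluded_values: Optional[Dict[str, List[str]]] = None   # [3] JWTClaimValuesList


def validate_extension(ext: EnhancedJWTClaimConstraints) -> List[str]:
    """Issuer-side checks: the ASN.1 constraint requires at least one
    component, value lists are SIZE (1..MAX), and Section 3 forbids the
    baseline claims in mustExclude (and discourages them in mustInclude).
    Returns a list of problems; empty means the extension is well-formed."""
    problems: List[str] = []
    if not any((ext.must_include, ext.permitted_values,
                ext.must_exclude, ext.excluded_values)):
        problems.append("at least one of the four components must be present")
    for name in BASELINE_CLAIMS:
        if ext.must_exclude and name in ext.must_exclude:
            problems.append(f"baseline claim {name!r} MUST NOT be in mustExclude")
        if ext.must_include and name in ext.must_include:
            problems.append(f"baseline claim {name!r} SHOULD NOT be in mustInclude")
    for component in (ext.permitted_values, ext.excluded_values):
        for claim, values in (component or {}).items():
            if not values:
                problems.append(f"empty value list for claim {claim!r}")
    return problems


def check_passport_claims(claims: Dict[str, object],
                          ext: Optional[EnhancedJWTClaimConstraints]) -> List[str]:
    """Verifier-side enforcement. Returns every violation found; a non-empty
    list means the whole PASSporT is rejected even though its signature
    verifies. ext is None when the certificate omits the extension."""
    violations: List[str] = []
    for name in BASELINE_CLAIMS:            # always required
        if name not in claims:
            violations.append(f"missing baseline claim {name!r}")
    if ext is None:                         # issuer permits all claims
        return violations
    for name in ext.must_include or []:     # 1. mustInclude
        if name not in claims:
            violations.append(f"required claim {name!r} is absent")
    for name, allowed in (ext.permitted_values or {}).items():  # 2. permittedValues
        if name in claims and claims[name] not in allowed:
            violations.append(
                f"claim {name!r} has value {claims[name]!r}, not one of {allowed}")
    for name in ext.must_exclude or []:     # 3. mustExclude
        if name in claims:
            violations.append(f"forbidden claim {name!r} is present")
    for name, banned in (ext.excluded_values or {}).items():   # 4. excludedValues
        if name in claims and claims[name] in banned:
            violations.append(f"claim {name!r} has excluded value {claims[name]!r}")
    return violations


# Constructed sample PASSporT claim set in the RFC 8225 shape; the numbers
# are made up for this example.
SAMPLE_CLAIMS = {"iat": 1611230400,
                 "orig": {"tn": "12155551212"},
                 "dest": {"tn": ["12155551213"]}}


if __name__ == "__main__":
    # The four Section 4 examples, each with a passing and a failing PASSporT.
    cases = [
        ("mustInclude confidence",
         EnhancedJWTClaimConstraints(must_include=["confidence"]),
         {**SAMPLE_CLAIMS, "confidence": "low"}, SAMPLE_CLAIMS),
        ("permittedValues confidence=high",
         EnhancedJWTClaimConstraints(permitted_values={"confidence": ["high"]}),
         SAMPLE_CLAIMS, {**SAMPLE_CLAIMS, "confidence": "low"}),
        ("mustExclude confidence",
         EnhancedJWTClaimConstraints(must_exclude=["confidence"]),
         SAMPLE_CLAIMS, {**SAMPLE_CLAIMS, "confidence": "high"}),
        ("excludedValues confidence=low",
         EnhancedJWTClaimConstraints(excluded_values={"confidence": ["low"]}),
         SAMPLE_CLAIMS, {**SAMPLE_CLAIMS, "confidence": "low"}),
    ]
    for label, ext, good, bad in cases:
        assert not validate_extension(ext)
        print(f"{label}: pass -> {check_passport_claims(good, ext)}; "
              f"fail -> {check_passport_claims(bad, ext)}")
```

   The split into validate_extension and check_passport_claims mirrors
   the draft's division of labour: the issuer applies the constraints,
   the recipient enforces them, and the baseline claims are checked
   unconditionally because the signature alone says nothing about
   whether the limits were respected.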
   EnhancedJWTClaimConstraints-2021
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-eJWTClaimConstraints-2021(TBD2) }

   DEFINITIONS EXPLICIT TAGS ::= BEGIN

   IMPORTS

   id-pe
   FROM PKIX1Explicit-2009 -- From RFC 5912
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-pkix1-explicit-02(51) }

   EXTENSION
   FROM PKIX-CommonTypes-2009 -- From RFC 5912
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-pkixCommon-02(57) } ;

   -- Enhanced JWT Claim Constraints Certificate Extension

   ext-eJWTClaimConstraints EXTENSION ::= {
     SYNTAX EnhancedJWTClaimConstraints
     IDENTIFIED BY id-pe-eJWTClaimConstraints }

   id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 }

   EnhancedJWTClaimConstraints ::= SEQUENCE {
     mustInclude [0] JWTClaimNames OPTIONAL,
       -- The listed claim names MUST appear in the PASSporT
       -- in addition to iat, orig, and dest.  If absent, iat, orig,
       -- and dest MUST appear in the PASSporT.
     permittedValues [1] JWTClaimValuesList OPTIONAL,
       -- If the claim name is present, the claim MUST contain one
       -- of the listed values.
     mustExclude [2] JWTClaimNames OPTIONAL,
       -- The listed claim names MUST NOT appear in the PASSporT.
     excludedValues [3] JWTClaimValuesList OPTIONAL }
       -- If the claim name is present, the claim MUST NOT contain
       -- any of the listed values.
     ( WITH COMPONENTS { ..., mustInclude PRESENT } |
       WITH COMPONENTS { ..., permittedValues PRESENT } |
       WITH COMPONENTS { ..., mustExclude PRESENT } |
       WITH COMPONENTS { ..., excludedValues PRESENT } )

   JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues

   JWTClaimValues ::= SEQUENCE {
     claim JWTClaimName,
     values SEQUENCE SIZE (1..MAX) OF UTF8String }

   JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName

   JWTClaimName ::= IA5String

   END

Author's Address

   Russ Housley
   Vigil Security, LLC
   516 Dranesville Road
   Herndon, VA, 20170
   United States of America

   Email: housley@vigilsec.com