pkix                                                             E. Lear
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                       February 02, 2016
Expires: August 5, 2016


       An X.509 Extension for Manufacturer Usage Description URI
                  draft-lear-ietf-pkix-mud-extension-00

Abstract

   Manufacturer User Descriptions are used by device manufacturers to
   provide indications to the network as to the intended use of a
   particular device and with what end points it might communicate.  A
   URI points to those descriptions.  This memo specifies an X.509
   certificate extension to specify that URI in a device certificate to
   be used with IEEE 802.1AR.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 5, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  The Manufacturer Usage Description (MUD) URI Extension
   3.  Security Considerations
   4.  IANA Considerations
   5.  Acknowledgments
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Author's Address

1.  Introduction

   [I-D.lear-mud-framework] introduces the concept of manufacturer usage
   description.  In other documents, DHCP is used to identify a URI that
   network systems can use to retrieve YANG-based XML that advises the
   network on appropriate usage of a device.

   Use of DHCP as a means of transmission may not be appropriate for all
   use cases, particularly for devices intended for use in critical
   environments.  The IEEE has developed [IEEE8021AR], which provides a
   certificate-based approach to communicate device characteristics and
   itself relies on [RFC5280].

   This document specifies an X.509 extension so that such a MUD URI may
   be communicated via 802.1AR.  The MUD URI extension is non-critical,
   as required by IEEE 802.1AR.

2.  The Manufacturer Usage Description (MUD) URI Extension

   [RFC7299] provides a procedure and means to specify extensions to
   X.509 certificates.
   The object identifier (OID) for extensions is as follows:

      -- PKIX certificate extensions
      id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }

   The choice of id-pe is based on guidance found in Section 4.2.2 of
   [RFC5280]:

      These extensions may be used to direct applications to on-line
      information about the issuer or the subject.

   The MUD URI is precisely that: online information about the
   particular subject.

   The new extension is identified as follows:

      -- The MUD URI extension
      id-pe-mud-uri OBJECT IDENTIFIER ::= { id-pe TBD }

   The extension returns a single value:

      mud-uri ::= uniformResourceIdentifier  -- for use with the MUD
                                             -- architecture

   The semantics of the URI are defined in [I-D.lear-ietf-netmod-mud].

3.  Security Considerations

   This document specifies a certificate extension to communicate a
   Manufacturer Usage Description URI.  The semantics of the URI are
   defined in draft-lear-ietf-netmod-mud.  At this time, no security
   concerns are visible to the author for inclusion of such an
   extension.

4.  IANA Considerations

   The IANA is requested to assign a value for id-pe-mud-uri in the "SMI
   Security for PKIX Certificate Extension" Registry.

5.  Acknowledgments

   The author wishes to thank Max Pritikin for his review and
   suggestions.

6.  References

6.1.  Normative References

   [I-D.lear-ietf-netmod-mud]
              Lear, E., "Manufacturer Usage Description YANG Model",
              draft-lear-ietf-netmod-mud-00 (work in progress), January
              2016.

   [RFC7299]  Housley, R., "Object Identifier Registry for the PKIX
              Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014.

6.2.  Informative References

   [I-D.lear-mud-framework]
              Lear, E., "Manufacturer Usage Description Framework",
              draft-lear-mud-framework-00 (work in progress), January
              2016.

   [IEEE8021AR]
              Institute for Electrical and Electronics Engineers,
              "Secure Device Identity", 1998.
   [IEEE8021X]
              Institute for Electrical and Electronics Engineers, "Port
              Based Network Access Control", 1998.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

Author's Address

   Eliot Lear
   Cisco Systems
   Richtistrasse 7
   Wallisellen CH-8304
   Switzerland

   Phone: +41 44 878 9200
   Email: lear@cisco.com
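Section 2 gives the extension only as ASN.1 fragments. The following Python is an added example, not code from this draft or from any IETF or IEEE source: it builds the DER encoding of an RFC 5280 Extension (SEQUENCE of extnID, optional critical BOOLEAN, extnValue OCTET STRING) whose value is an IA5String holding the MUD URI, and parses one back while enforcing the non-critical requirement stated in Section 1. Because the draft leaves the id-pe-mud-uri arc as TBD, the code uses a clearly marked placeholder arc, and the URI is a constructed sample; both are assumptions, not values from the draft or the IANA registry.

```python
"""Added example: encode and parse the MUD URI certificate extension as a
DER-encoded RFC 5280 Extension.  Not code from the draft.

   Extension ::= SEQUENCE {
       extnID     OBJECT IDENTIFIER,
       critical   BOOLEAN DEFAULT FALSE,
       extnValue  OCTET STRING }    -- here: DER of an IA5String (the URI)
"""

TAG_BOOLEAN, TAG_OID, TAG_OCTET_STRING, TAG_IA5STRING, TAG_SEQUENCE = (
    0x01, 0x06, 0x04, 0x16, 0x30)

ID_PE = (1, 3, 6, 1, 5, 5, 7, 1)           # PKIX id-pe arc, RFC 5280
MUD_URI_ARC_PLACEHOLDER = 99999             # draft says TBD: placeholder, not an IANA value
ID_PE_MUD_URI = ID_PE + (MUD_URI_ARC_PLACEHOLDER,)


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(arcs):
    """OBJECT IDENTIFIER content: 40*a+b for the first two arcs, then base-128
    groups with continuation bits for every further arc."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def encode_mud_uri_extension(uri, critical=False):
    """DER Extension carrying `uri`.  DER omits a BOOLEAN equal to its DEFAULT,
    so the conforming non-critical form contains no critical field at all."""
    try:
        uri_bytes = uri.encode("ascii")        # IA5String is ASCII only
    except UnicodeEncodeError:
        raise ValueError("MUD URI must be ASCII (IA5String)")
    fields = encode_oid(ID_PE_MUD_URI)
    if critical:                               # produced only to show what a verifier rejects
        fields += tlv(TAG_BOOLEAN, b"\xff")
    fields += tlv(TAG_OCTET_STRING, tlv(TAG_IA5STRING, uri_bytes))
    return tlv(TAG_SEQUENCE, fields)


def read_tlv(buf, pos):
    """Parse one TLV at `pos`; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def decode_mud_uri_extension(der):
    """Return the URI from a MUD URI Extension; reject a wrong OID, a critical
    flag (the draft requires non-critical), trailing data or a malformed value."""
    tag, seq, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one Extension SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != TAG_OID or decode_oid(oid) != ID_PE_MUD_URI:
        raise ValueError("extnID is not id-pe-mud-uri")
    critical = False
    tag, content, pos = read_tlv(seq, pos)
    if tag == TAG_BOOLEAN:
        critical = content != b"\x00"
        tag, content, pos = read_tlv(seq, pos)
    if tag != TAG_OCTET_STRING or pos != len(seq):
        raise ValueError("malformed extnValue")
    if critical:
        raise ValueError("MUD URI extension must be non-critical (IEEE 802.1AR)")
    inner_tag, uri_bytes, inner_end = read_tlv(content, 0)
    if inner_tag != TAG_IA5STRING or inner_end != len(content):
        raise ValueError("extnValue is not a single IA5String")
    return uri_bytes.decode("ascii")


if __name__ == "__main__":
    sample = "https://example.com/mud/sensor-v1.json"   # constructed sample URI
    der = encode_mud_uri_extension(sample)
    print(der.hex())
    print(decode_mud_uri_extension(der))
```

The decoder checks the OID before anything else so that an unrelated extension is never misread as a MUD URI, and it treats a present critical flag as a hard error rather than a warning, since a relying party that does not understand the extension would otherwise have to reject the whole certificate.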