JOSE Working Group                                             M. Miller
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                             B. Campbell
Expires: August 16, 2013                              Ping Identity Corp.
                                                       February 12, 2013


              JSON Web Key (JWK) for PKIX Certificates
                    draft-miller-jose-pkix-key-00

Abstract

   This document defines a JSON Web Key (JWK) object to wrap PKIX
   certificate chains.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.
   All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  PKIX Key Type
     3.1.  'x5c' (X.509 Certificate Chain) Parameter
   4.  Examples
   5.  IANA Considerations
     5.1.  JSON Web Key Type Registration
     5.2.  JSON Web Key Parameters Registration
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Document History
   Authors' Addresses

1.  Introduction

   JSON Web Key ([JWK]) describes an abstract data structure to
   represent public keys using JavaScript Object Notation (JSON)
   [RFC4627].  The JSON Web Algorithms ([JWA]) define specific key
   representations for raw asymmetric key types, such as RSA [RFC3447]
   or Elliptic Curve [DSS].
   However, there are times when it is
   desirable to represent a Public Key Infrastructure (X.509)
   certificate chain, such as to associate with a JSON Web Encryption
   ([JWE]) or JSON Web Signature ([JWS]) object.  This document
   specifies an approach which encodes a chain of PKIX certificates as
   an array of strings within a JWK object.

   PKIX certificates have a number of advantages, such as an established
   process of certification and attribution of entities.  It is also
   sometimes desirable for JSON-based cryptographic operations to
   support the existing and widespread deployment of PKIX-based
   technologies.

2.  Terminology

   This document inherits JSON Web Algorithms (JWA)-related terminology
   from [JWA], JSON Web Encryption (JWE)-related terminology from [JWE],
   and JSON Web Key (JWK)-related terminology from [JWK].  Security-
   related terms are to be understood in the sense defined in [RFC4949].

   The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
   "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  PKIX Key Type

   The "PKIX" key type is used to contain a chain of PKIX certificates.
   The following parameters are defined:

3.1.  'x5c' (X.509 Certificate Chain) Parameter

   The REQUIRED "x5c" parameter contains a chain of one or more PKIX
   certificates [RFC5280].  The certificate chain is represented as an
   array of certificate value strings.  Each string in the array is a
   DER [ITU.X690.1994] PKIX certificate encoded as base64 [RFC4648] (not
   base64url).  The array MUST have at least one value, which MUST be
   the PKIX certificate of the actor (e.g., the signer of a [JWS], or a
   recipient of a [JWE]).  Each additional value of the array (if any)
   MUST be the PKIX certificate that certifies the previous certificate.
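   The following is an added, runnable illustration of Section 3.1; it
   is not part of this draft and not code from its authors.  It builds a
   "PKIX" JWK from a leaf-first list of DER certificates and decodes one
   back while enforcing the rules above: standard base64 rather than
   base64url, a non-empty array, every entry a parseable certificate,
   and each certificate issued by the next one.  To run offline it
   constructs its own certificate skeletons (structurally valid DER with
   a zero placeholder signature, not real certificates); the names,
   "kid" and "use" values and the helper function names are assumptions.
   The linkage test compares issuer and subject as raw DER bytes, which
   is stricter than the RFC 5280 name-matching rules.

```python
import base64
import binascii
import json

# --- minimal DER reader: just enough to walk Certificate -> tbsCertificate ---
def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos] (definite lengths only)."""
    if pos + 2 > len(buf) or (buf[pos] & 0x1F) == 0x1F:
        raise ValueError("truncated DER or multi-byte tag")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    out, pos = [], 0                      # (tag, value, raw_tlv) for each element
    while pos < len(value):
        tag, val, nxt = der_read_tlv(value, pos)
        out.append((tag, val, value[pos:nxt]))
        pos = nxt
    return out

def cert_names(der):
    """Return (issuer, subject) of a DER certificate as raw Name TLVs.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificate is not a single DER SEQUENCE")
    tbs_tag, tbs, _ = der_read_tlv(cert)
    fields = der_children(tbs) if tbs_tag == 0x30 else []
    if fields and fields[0][0] == 0xA0:              # skip EXPLICIT [0] version
        fields = fields[1:]
    if len(fields) < 5 or fields[2][0] != 0x30 or fields[4][0] != 0x30:
        raise ValueError("tbsCertificate lacks issuer/subject Names")
    return fields[2][2], fields[4][2]

# --- the "PKIX" JWK itself (Section 3 / 3.1) ---
def build_pkix_jwk(chain_der, **extra):
    """Leaf-first DER list -> JWK; standard base64 with padding, NOT base64url."""
    jwk = {"kty": "PKIX", "x5c": [base64.b64encode(c).decode("ascii") for c in chain_der]}
    jwk.update(extra)                                # e.g. kid=..., use=...
    return jwk

def decode_x5c(jwk):
    """Decode "x5c" into DER certificates, enforcing Section 3.1: non-empty array,
    standard base64, parseable certificates, and entry i issued by entry i+1."""
    if jwk.get("kty") != "PKIX":
        raise ValueError('"kty" must be "PKIX"')
    x5c = jwk.get("x5c")
    if not isinstance(x5c, list) or not x5c:
        raise ValueError('"x5c" must be a non-empty array')
    chain = []
    for i, s in enumerate(x5c):
        try:                                         # validate=True rejects '-' and '_'
            chain.append(base64.b64decode(s, validate=True))
        except (binascii.Error, TypeError, ValueError) as e:
            raise ValueError("x5c[%d] is not standard base64 (base64url?)" % i) from e
    names = [cert_names(c) for c in chain]          # also rejects non-certificate blobs
    for i in range(len(chain) - 1):
        if names[i][0] != names[i + 1][1]:           # issuer(i) must equal subject(i+1)
            raise ValueError("x5c[%d] was not issued by x5c[%d]" % (i, i + 1))
    return chain

# --- constructed sample chain: unsigned X.509 skeletons, NOT real certificates ---
def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_name(cn):     # Name ::= SEQUENCE OF SET OF { id-at-commonName, PrintableString }
    atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x13, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def fake_cert(subject, issuer):
    """Structurally valid v3 certificate with an all-zero placeholder signature."""
    alg = lambda oid: der_tlv(0x30, der_tlv(0x06, bytes.fromhex(oid)) + der_tlv(0x05, b""))
    sha256_rsa, rsa = alg("2A864886F70D01010B"), alg("2A864886F70D010101")
    validity = der_tlv(0x30, der_tlv(0x17, b"130212000000Z") + der_tlv(0x17, b"230212000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + sha256_rsa
                  + der_name(issuer) + validity + der_name(subject)
                  + der_tlv(0x30, rsa + der_tlv(0x03, b"\x00" * 17)))
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" * 17))

ROOT = fake_cert("Example Root CA", "Example Root CA")        # self-issued anchor
ISSUING = fake_cert("Example Issuing CA", "Example Root CA")
LEAF = fake_cert("alice@example.com", "Example Issuing CA")    # the actor's certificate
EXAMPLE_JWK = build_pkix_jwk([LEAF, ISSUING, ROOT], use="sig", kid="somekey")

if __name__ == "__main__":
    print(json.dumps({"keys": [EXAMPLE_JWK]}, indent=1))
```

   Passing the array in the wrong order (root first) or in base64url
   makes decode_x5c() raise, which is the behaviour a consumer of this
   key type wants.  Note what the check does not do: linking issuer to
   subject only proves the array is ordered as Section 3.1 requires.
   Before the first certificate's key is used to verify a [JWS] or to
   encrypt to a [JWE] recipient, the chain still has to be validated
   against a trust anchor per [RFC5280] (signatures, validity periods,
   key usage, revocation); an "x5c" array is attacker-supplied input,
   not evidence of trust.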
4.  Examples

   The following is a non-normative example of a JWK Set containing a
   single JWK utilizing the PKIX Key Type ("kty") defined in this
   document.

   {"keys":[
     {"kty":"PKIX",
      "x5c":[
        "MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVM
         xITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR2
         8gRGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExM
         TYwMTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UE
         CBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWR
         keS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYW
         RkeS5jb20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlc
         nRpZmljYXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJ
         KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTt
         wY6vj3D3HKrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqV
         Tr9vcyOdQmVZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aL
         GbqGmu75RpRSgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo
         7RJlbmr2EkRTcDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgW
         JCJjPOq8lh8BJ6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAw
         EAAaOCATIwggEuMB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVH
         SMEGDAWgBTSxLDSkdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEA
         MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWR
         keS5jb20wRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2
         RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVH
         SAAMDgwNgYIKwYBBQUHAgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
         b20vcmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggE
         BANKGwOy9+aG2Z+5mC6IGOgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPI
         UyIXvJxwqoJKSQ3kbTJSMUA2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL
         5CkKSkB2XIsKd83ASe8T+5o0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9
         p0iRFEUOOjZv2kWzRaJBydTXRE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsx
         uxN89txJx9OjxUUAiKEngHUuHqDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZ
         EjYx8WnM25sgVjOuH0aBsXBTWVU+4=",
        "MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Z
         hbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIE
         luYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb
         24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8x
         IDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MDY
         yMFoXDTI0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZS
         BHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgM
         iBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
         ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XC
         APVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux
         6wwdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLO
         tXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWo
         riMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZ
         Eewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjggHhMIIB3TAdBgNVHQ
         4EFgQU0sSw0pHUTBFxs2HLPaH+3ahq1OMwgdIGA1UdIwSByjCBx6GBwaSBvjCBu
         zEkMCIGA1UEBxMbVmFsaUNlcnQgVmFsaWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQK
         Ew5WYWxpQ2VydCwgSW5jLjE1MDMGA1UECxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2x
         pY3kgVmFsaWRhdGlvbiBBdXRob3JpdHkxITAfBgNVBAMTGGh0dHA6Ly93d3cudm
         FsaWNlcnQuY29tLzEgMB4GCSqGSIb3DQEJARYRaW5mb0B2YWxpY2VydC5jb22CA
         QEwDwYDVR0TAQH/BAUwAwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGG
         F2h0dHA6Ly9vY3NwLmdvZGFkZHkuY29tMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA
         6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9yb290LmNybD
         BLBgNVHSAERDBCMEAGBFUdIAAwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRpZ
         mljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5MA4GA1UdDwEB/wQEAwIBBjAN
         BgkqhkiG9w0BAQUFAAOBgQC1QPmnHfbq/qQaQlpE9xXUhUaJwL6e4+PrxeNYiY+
         Sn1eocSxI0YGyeR+sBjUZsE4OWBsUs5iB0QQeyAfJg594RAoYC5jcdnplDQ1tgM
         QLARzLrUc+cb53S8wGd9D0VmsfSxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j
         09VZw==",
        "MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ
         0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNT
         AzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0a
         G9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkq
         hkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE
         5MDYyNjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTm
         V0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZ
         XJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQD
         ExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9
         AdmFsaWNlcnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5a
         vIWZJV16vYdA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zf
         N1SLUzm1NZ9WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwb
         P7RfZHM047QSv4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQU
         AA4GBADt/UG9vUJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQ
         C1u+mNr0HZDzTuIYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMM
         j4QssxsodyamEwCW/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd"],
      "use":"sig",
      "kid":"somekey"}]
   }

5.  IANA Considerations

5.1.  JSON Web Key Type Registration

   o  "kty" Parameter value: "PKIX"

   o  Implementation Requirements: OPTIONAL

   o  Change Controller: IETF

   o  Specification Document(s): Section 3 of [[ this document ]]

5.2.  JSON Web Key Parameters Registration

   o  Parameter Name: "x5c"

   o  Change Controller: IETF

   o  Specification Document(s): Section 3.1 of [[ this document ]]

6.  Security Considerations

   This document does not introduce any new considerations beyond those
   specified by [JWK].

7.  References

7.1.  Normative References

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627, July 2006.

   [DSS]      National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-3, June 2009.
   [ITU.X690.1994]
              International Telecommunications Union, "Information
              Technology - ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", ITU-T Recommendation
              X.690, 1994.

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)",
              draft-ietf-jose-json-web-algorithms-08 (work in
              progress), December 2012.

   [JWE]      Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
              Encryption (JWE)", draft-ietf-jose-json-web-encryption-08
              (work in progress), December 2012.

   [JWS]      Jones, M., "JSON Web Signature (JWS)",
              draft-ietf-jose-json-web-signature-08 (work in progress),
              December 2012.

   [JWK]      Jones, M., "JSON Web Key (JWK)",
              draft-ietf-jose-json-web-key-08 (work in progress),
              December 2012.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

7.2.  Informative References

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

Appendix A.  Acknowledgements

Appendix B.  Document History

   -00  Initial revision

Authors' Addresses

   Matthew Miller
   Cisco Systems, Inc.
   1899 Wynkoop Street, Suite 600
   Denver, CO 80202
   USA

   Phone: +1-303-308-3204
   Email: mamille2@cisco.com


   Brian Campbell
   Ping Identity Corp.

   Email: brian.d.campbell@gmail.com