JOSE Working Group                                             M. Miller
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                             B. Campbell
Expires: August 25, 2013                              Ping Identity Corp.
                                                       February 21, 2013


     JavaScript Object Notation (JSON) Web Key (JWK) for Public Key
               Infrastructure (X.509) (PKIX) Certificates
                      draft-miller-jose-pkix-key-01

Abstract

   This document defines a JavaScript Object Notation (JSON) Web Key
   (JWK) object to wrap Public Key Infrastructure (X.509) (PKIX)
   certificate chains, to allow for some interoperability between
   existing PKIX-based systems and newer JOSE-based systems.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on August 25, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  PKIX Key Type
     3.1.  'x5c' (X.509 Certificate Chain) Parameter
   4.  Examples
   5.  IANA Considerations
     5.1.  JSON Web Key Type Registration
     5.2.  JSON Web Key Parameters Registration
   6.  Security Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Document History
   Authors' Addresses

1.  Introduction

   JavaScript Object Notation (JSON) Web Key ([JWK]) describes an
   abstract data structure to represent public keys using JSON
   [RFC4627].  The JSON Web Algorithms specification ([JWA]) defines
   specific key representations for raw asymmetric key types, such as
   RSA [RFC3447] or Elliptic Curve [DSS].  However, there are times when
   it is desirable to represent a Public Key Infrastructure (X.509)
   (PKIX) certificate chain, such as to associate one with a JSON Web
   Encryption ([JWE]) or JSON Web Signature ([JWS]) object.  This
   document specifies an approach which encodes a chain of PKIX
   certificates as an array of strings within a JWK object.

   PKIX certificates have a number of advantages, such as an established
   process of certification and attribution of entities.  It is also
   sometimes desirable for JSON-based cryptographic operations to
   support the existing and widespread deployment of PKIX-based
   technologies.

2.  Terminology

   This document inherits JSON Web Algorithms (JWA)-related terminology
   from [JWA], JSON Web Encryption (JWE)-related terminology from [JWE],
   and JSON Web Key (JWK)-related terminology from [JWK].
   Security-related terms are to be understood in the sense defined in
   [RFC4949].

   The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
   "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  PKIX Key Type

   The "PKIX" key type is used to contain a chain of PKIX certificates.
   The following parameters are defined:

3.1.  'x5c' (X.509 Certificate Chain) Parameter

   The REQUIRED "x5c" parameter contains a chain of one or more PKIX
   certificates [RFC5280].  The certificate chain is represented as an
   array of certificate value strings.  Each string in the array is a
   DER [ITU.X690.1994] PKIX certificate encoded as base64 [RFC4648] (not
   base64url).
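   As an added illustration (example code written for this page, not
   part of the draft or its authors' work), the following Python
   applies the rules of this parameter to a JWK: each "x5c" value is
   decoded as RFC 4648 base64 with base64url rejected rather than
   translated, each decoded value is parsed as a DER Certificate far
   enough to read its issuer and subject, and the array order is
   checked so that every certificate certifies the one before it, the
   first being the actor's.  The chain it runs on is constructed inside
   the block with hypothetical names and placeholder key and signature
   values, so it exercises only the structural rules of this document;
   cryptographic path validation per [RFC5280] (signatures, validity
   periods, name and policy constraints, revocation) is left to a PKIX
   library and is what actually establishes trust in the chain.

```python
import base64
import json

def b64_standard_decode(value: str) -> bytes:
    """Decode one "x5c" element as RFC 4648 base64; base64url ('-', '_', unpadded) is rejected."""
    try:
        return base64.b64decode(value, validate=True)        # no alphabet leniency, padding required
    except ValueError as exc:
        raise ValueError(f"x5c value is not RFC 4648 base64: {exc}") from None

# Minimal DER encode/decode, enough for the RFC 5280 Certificate layout.
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")        # minimal long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, pos: int = 0):
    """Read the TLV at pos and return (tag, content, end); single-byte tags only."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        if not 1 <= n <= 4 or length < 0x80 or (n > 1 and length >> (8 * (n - 1)) == 0):
            raise ValueError("length is not minimal definite-form DER")
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], end

def der_children(content: bytes) -> list:
    out, pos = [], 0                                           # (tag, content, raw_tlv) per child
    while pos < len(content):
        tag, val, end = der_read(content, pos)
        out.append((tag, val, content[pos:end]))
        pos = end
    return out

def cert_names(cert_der: bytes):
    """(issuer, subject) of a DER Certificate as raw Name bytes; DER is canonical,
    so byte equality stands in for the RFC 5280 name-matching rules here."""
    tag, body, end = der_read(cert_der)
    tbs_tag, tbs, _ = der_read(body)
    if tag != 0x30 or end != len(cert_der) or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE { tbsCertificate, ... }")
    fields = der_children(tbs)
    i = 1 if fields and fields[0][0] == 0xA0 else 0          # version [0] is OPTIONAL
    serial, _alg, issuer, _validity, subject = fields[i:i + 5]
    if serial[0] != 0x02 or issuer[0] != 0x30 or subject[0] != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return issuer[2], subject[2]

def load_pkix_jwk(jwk: dict) -> list:
    """Apply the Section 3.1 rules and return the DER chain, actor's certificate first."""
    if jwk.get("kty") != "PKIX":
        raise ValueError('expected "kty":"PKIX"')
    x5c = jwk.get("x5c")
    if not isinstance(x5c, list) or not x5c or not all(isinstance(v, str) for v in x5c):
        raise ValueError('"x5c" MUST be a non-empty array of strings')
    certs = [b64_standard_decode(v) for v in x5c]
    names = [cert_names(c) for c in certs]
    for k in range(len(certs) - 1):                          # x5c[k+1] must certify x5c[k]
        if names[k][0] != names[k + 1][1]:
            raise ValueError(f"x5c[{k + 1}] does not certify x5c[{k}]")
    return certs

def pkix_chains_from_jwk_set(text: str) -> dict:
    """Map "kid" -> chain for every PKIX key in a JWK Set document like the one in Section 4."""
    keys = json.loads(text).get("keys", [])
    return {k.get("kid"): load_pkix_jwk(k) for k in keys if k.get("kty") == "PKIX"}

# Constructed sample input: hypothetical names, placeholder key and signature (not from the draft).
def fake_cert(subject: str, issuer: str, serial: int) -> bytes:
    """Structurally valid v3 Certificate that would fail any real signature check."""
    name = lambda cn: der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0C, cn.encode()))))
    alg = lambda oid: der_seq(der_tlv(0x06, bytes.fromhex(oid)), der_tlv(0x05, b""))   # AlgorithmIdentifier
    sha1_rsa = alg("2a864886f70d010105")
    validity = der_seq(der_tlv(0x17, b"130221000000Z"), der_tlv(0x17, b"140221000000Z"))
    spki = der_seq(alg("2a864886f70d010101"), der_tlv(0x03, b"\x00" + der_seq(der_tlv(0x02, b"\x00\xc1"), der_tlv(0x02, b"\x03"))))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, bytes([serial])),
                  sha1_rsa, name(issuer), validity, name(subject), spki)
    return der_seq(tbs, sha1_rsa, der_tlv(0x03, b"\x00" + b"\xff" * 16))    # 0xff run: base64 gets a '/'

def sample_jwk(break_order: bool = False, use_base64url: bool = False) -> dict:
    """Actor -> intermediate -> self-issued root; either flag yields input the draft rejects."""
    leaf = fake_cert("actor.example", "Example Sub CA", 2)
    sub = fake_cert("Example Sub CA", "Example Root", 3)
    root = fake_cert("Example Root", "Example Root", 1)
    chain = [leaf, root, sub] if break_order else [leaf, sub, root]
    enc = (lambda c: base64.urlsafe_b64encode(c).rstrip(b"=")) if use_base64url else base64.b64encode
    return {"kty": "PKIX", "use": "sig", "kid": "example-1", "x5c": [enc(c).decode() for c in chain]}
```

   Byte-for-byte comparison of the DER-encoded Name is stricter than
   the name-matching rules of [RFC5280], so a chain this check rejects
   may still validate in a full implementation, while anything it
   accepts would also pass that comparison.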
   The array MUST have at least one value, which MUST be the PKIX
   certificate of the actor (e.g., the signer of a [JWS], or a recipient
   of a [JWE]).  Each additional value of the array (if any) MUST be the
   PKIX certificate that certifies the previous certificate.

4.  Examples

   The following is a non-normative example of a JWK Set containing a
   single JWK utilizing the PKIX Key Type ("kty") defined in this
   document.

   {"keys":[
     {"kty":"PKIX",
      "x5c":[
        "MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVM
         xITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR2
         8gRGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExM
         TYwMTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UE
         CBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWR
         keS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYW
         RkeS5jb20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlc
         nRpZmljYXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJ
         KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTt
         wY6vj3D3HKrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqV
         Tr9vcyOdQmVZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aL
         GbqGmu75RpRSgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo
         7RJlbmr2EkRTcDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgW
         JCJjPOq8lh8BJ6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAw
         EAAaOCATIwggEuMB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVH
         SMEGDAWgBTSxLDSkdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEA
         MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWR
         keS5jb20wRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2
         RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVH
         SAAMDgwNgYIKwYBBQUHAgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
         b20vcmVwb3NpdG9yeTAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggE
         BANKGwOy9+aG2Z+5mC6IGOgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPI
         UyIXvJxwqoJKSQ3kbTJSMUA2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL
         5CkKSkB2XIsKd83ASe8T+5o0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9
         p0iRFEUOOjZv2kWzRaJBydTXRE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsx
         uxN89txJx9OjxUUAiKEngHUuHqDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZ
         EjYx8WnM25sgVjOuH0aBsXBTWVU+4=",
        "MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Z
         hbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIE
         luYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb
         24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8x
         IDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MDY
         yMFoXDTI0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZS
         BHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgM
         iBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
         ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XC
         APVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux
         6wwdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLO
         tXiEqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWo
         riMYavx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZ
         Eewo+YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjggHhMIIB3TAdBgNVHQ
         4EFgQU0sSw0pHUTBFxs2HLPaH+3ahq1OMwgdIGA1UdIwSByjCBx6GBwaSBvjCBu
         zEkMCIGA1UEBxMbVmFsaUNlcnQgVmFsaWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQK
         Ew5WYWxpQ2VydCwgSW5jLjE1MDMGA1UECxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2x
         pY3kgVmFsaWRhdGlvbiBBdXRob3JpdHkxITAfBgNVBAMTGGh0dHA6Ly93d3cudm
         FsaWNlcnQuY29tLzEgMB4GCSqGSIb3DQEJARYRaW5mb0B2YWxpY2VydC5jb22CA
         QEwDwYDVR0TAQH/BAUwAwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGG
         F2h0dHA6Ly9vY3NwLmdvZGFkZHkuY29tMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA
         6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9yb290LmNybD
         BLBgNVHSAERDBCMEAGBFUdIAAwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRpZ
         mljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5MA4GA1UdDwEB/wQEAwIBBjAN
         BgkqhkiG9w0BAQUFAAOBgQC1QPmnHfbq/qQaQlpE9xXUhUaJwL6e4+PrxeNYiY+
         Sn1eocSxI0YGyeR+sBjUZsE4OWBsUs5iB0QQeyAfJg594RAoYC5jcdnplDQ1tgM
         QLARzLrUc+cb53S8wGd9D0VmsfSxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j
         09VZw==",
        "MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ
         0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNT
         AzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0a
         G9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkq
         hkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE
         5MDYyNjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTm
         V0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZ
         XJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQD
         ExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9
         AdmFsaWNlcnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5a
         vIWZJV16vYdA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zf
         N1SLUzm1NZ9WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwb
         P7RfZHM047QSv4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQU
         AA4GBADt/UG9vUJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQ
         C1u+mNr0HZDzTuIYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMM
         j4QssxsodyamEwCW/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd"],
      "use":"sig",
      "kid":"somekey"}]
   }

5.  IANA Considerations

5.1.  JSON Web Key Type Registration

   This document registers the following to the JSON Web Key Types
   registry:

   o  "kty" Parameter value: "PKIX"

   o  Implementation Requirements: OPTIONAL

   o  Change Controller: IETF

   o  Specification Document(s): Section 3 of [[ this document ]]

5.2.  JSON Web Key Parameters Registration

   This document registers the following to the JSON Web Key Parameters
   registry:

   o  Parameter Name: "x5c"

   o  Change Controller: IETF

   o  Specification Document(s): Section 3.1 of [[ this document ]]

6.  Security Considerations

   This document does not introduce any new considerations beyond those
   specified by [JWK].  Wrapping a certificate chain in a JWK does not
   by itself establish trust in it: a recipient that takes the actor's
   public key from the first "x5c" value still has to validate the
   certification path to a trust anchor it accepts, as described in
   [RFC5280].

7.  References

7.1.  Normative References

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627, July 2006.

   [DSS]      National Institute of Standards and Technology, "Digital
              Signature Standard (DSS)", FIPS PUB 186-3, June 2009.

   [ITU.X690.1994]
              International Telecommunication Union, "Information
              Technology - ASN.1 encoding rules: Specification of Basic
              Encoding Rules (BER), Canonical Encoding Rules (CER) and
              Distinguished Encoding Rules (DER)", ITU-T Recommendation
              X.690, 1994.

   [JWA]      Jones, M., "JSON Web Algorithms (JWA)",
              draft-ietf-jose-json-web-algorithms-08 (work in progress),
              December 2012.

   [JWE]      Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web
              Encryption (JWE)", draft-ietf-jose-json-web-encryption-08
              (work in progress), December 2012.

   [JWS]      Jones, M., "JSON Web Signature (JWS)",
              draft-ietf-jose-json-web-signature-08 (work in progress),
              December 2012.

   [JWK]      Jones, M., "JSON Web Key (JWK)",
              draft-ietf-jose-json-web-key-08 (work in progress),
              December 2012.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

7.2.  Informative References

   [RFC3447]  Jonsson, J. and B. Kaliski, "Public-Key Cryptography
              Standards (PKCS) #1: RSA Cryptography Specifications
              Version 2.1", RFC 3447, February 2003.

Appendix A.  Acknowledgements

Appendix B.  Document History

   -01  Minor typos and nits

   -00  Initial revision

Authors' Addresses

   Matthew Miller
   Cisco Systems, Inc.
   1899 Wynkoop Street, Suite 600
   Denver, CO 80202
   USA

   Phone: +1-303-308-3204
   Email: mamille2@cisco.com


   Brian Campbell
   Ping Identity Corp.

   Email: brian.d.campbell@gmail.com