idnits 2.17.1 

draft-mtis-lamps-8410-ku-clarifications-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (12 January 2022) is 827 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                          S. Turner
3	Internet-Draft                                                     sn3rd
4	Updates: 8410 (if approved)                                 S. Josefsson
5	Intended status: Standards Track                                  SJD AB
6	Expires: 16 July 2022                                        D. McCarney
7	                                                             Square Inc.
8	                                                                  T. Ito
9	                                                         SECOM CO., LTD.
10	                                                         12 January 2022

12	     Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm
13	                              Identifiers
14	               draft-mtis-lamps-8410-ku-clarifications-00

16	Abstract

18	   This document updates RFC 8410 to clarify existing and specify
19	   missing semantics for key usage bits when used in certificates that
20	   support the Ed25519, Ed448, X25519, and X448 Elliptic Curve
21	   Cryptography algorithms.

23	About This Document

25	   This note is to be removed before publishing as an RFC.

27	   Status information for this document may be found at
28	   https://datatracker.ietf.org/doc/draft-mtis-lamps-8410-ku-
29	   clarifications/.

31	   Source for this draft and an issue tracker can be found at
32	   https://github.com/seanturner/draft-mtis-lamps-8410-ku-
33	   clarifications.

35	Status of This Memo

37	   This Internet-Draft is submitted in full conformance with the
38	   provisions of BCP 78 and BCP 79.

40	   Internet-Drafts are working documents of the Internet Engineering
41	   Task Force (IETF).  Note that other groups may also distribute
42	   working documents as Internet-Drafts.  The list of current Internet-
43	   Drafts is at https://datatracker.ietf.org/drafts/current/.

45	   Internet-Drafts are draft documents valid for a maximum of six months
46	   and may be updated, replaced, or obsoleted by other documents at any
47	   time.  It is inappropriate to use Internet-Drafts as reference
48	   material or to cite them other than as "work in progress."
49	   This Internet-Draft will expire on 16 July 2022.

51	Copyright Notice

53	   Copyright (c) 2022 IETF Trust and the persons identified as the
54	   document authors.  All rights reserved.

56	   This document is subject to BCP 78 and the IETF Trust's Legal
57	   Provisions Relating to IETF Documents (https://trustee.ietf.org/
58	   license-info) in effect on the date of publication of this document.
59	   Please review these documents carefully, as they describe your rights
60	   and restrictions with respect to this document.  Code Components
61	   extracted from this document must include Revised BSD License text as
62	   described in Section 4.e of the Trust Legal Provisions and are
63	   provided without warranty as described in the Revised BSD License.

65	Table of Contents

67	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
68	   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
69	   3.  New Section 5 for RFC 8410  . . . . . . . . . . . . . . . . .   3
70	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
71	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
72	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
73	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
74	     6.2.  Informative References  . . . . . . . . . . . . . . . . .   5
75	   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   5
76	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

78	1.  Introduction

80	   [RFC8410] specifies the syntax and semantics for the Subject Public
81	   Key Information field in certificates that support Ed25519, Ed448,
82	   X25519, and X448 Elliptic Curve Cryptography (ECC) algorithms.  As
83	   part of these semantics, it defines what combinations are permissible
84	   for the values of the key usage extension [RFC5280].  [RFC8410] did
85	   not define what values are not permissible nor did it refer to
86	   keyEncipherment or dataEncipherment.  [ERRATA] has also been
87	   submitted to clarify that keyCertSign is always set in certification
88	   authority certificates.  To address these changes, this document
89	   replaces Section 5 of [RFC8410] with Section 3.

91	2.  Terminology

93	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
94	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
95	   "OPTIONAL" in this document are to be interpreted as described in
96	   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
97	   capitals, as shown here.

99	3.  New Section 5 for RFC 8410

101	   The intended application for the key is indicated in the keyUsage
102	   certificate extension.

104	   If the keyUsage extension is present in a certificate that indicates
105	   id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST
106	   be present:

108	     keyAgreement;

110	   one of the following MAY also be present:

112	     encipherOnly; or
113	     decipherOnly;

115	   and the following MUST NOT be present:

117	     digitalSignature;
118	     nonRepudiation;
119	     keyEncipherment;
120	     dataEncipherment;
121	     keyCertSign; and
122	     cRLSign.

124	   If the keyUsage extension is present in an end-entity certificate
125	   that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then
126	   the keyUsage extension MUST contain one or both of the following:

128	     nonRepudiation; and
129	     digitalSignature;

131	   the following MAY also be present:

133	     cRLSign;

135	   and the following MUST NOT be present:

137	     keyEncipherment;
138	     dataEncipherment;
139	     keyAgreement;
140	     keyCertSign;
141	     encipherOnly; and
142	     decipherOnly.

144	   If the keyUsage extension is present in a certification authority
145	   certificate that indicates id-Ed25519 or id-Ed448 in
146	   SubjectPublicKeyInfo, then the keyUsage extension MUST contain
147	   keyCertSign, and zero, or more of the following:

149	     nonRepudiation;
150	     digitalSignature; and
151	     cRLSign;

153	   and the following MUST NOT be present:

155	     keyEncipherment;
156	     dataEncipherment;
157	     keyAgreement;
158	     encipherOnly; and
159	     decipherOnly.

161	4.  Security Considerations

163	   This document introduces no new security considerations beyond those
164	   found in [RFC8410].

166	5.  IANA Considerations

168	   This document has no IANA actions.

170	6.  References

172	6.1.  Normative References

174	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
175	              Requirement Levels", BCP 14, RFC 2119,
176	              DOI 10.17487/RFC2119, March 1997,
177	              <https://www.rfc-editor.org/rfc/rfc2119>.

179	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
180	              Housley, R., and W. Polk, "Internet X.509 Public Key
181	              Infrastructure Certificate and Certificate Revocation List
182	              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
183	              <https://www.rfc-editor.org/rfc/rfc5280>.

185	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
186	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
187	              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

189	   [RFC8410]  Josefsson, S. and J. Schaad, "Algorithm Identifiers for
190	              Ed25519, Ed448, X25519, and X448 for Use in the Internet
191	              X.509 Public Key Infrastructure", RFC 8410,
192	              DOI 10.17487/RFC8410, August 2018,
193	              <https://www.rfc-editor.org/rfc/rfc8410>.

195	6.2.  Informative References

197	   [ERRATA]   Liao, L., "Errata 5696", 17 April 2019,
198	              <https://www.rfc-editor.org/errata/eid5696>.

200	Acknowledgments

202	   TODO acknowledge.

204	Authors' Addresses

206	   Sean Turner
207	   sn3rd

209	   Email: sean@sn3rd.com

211	   Simon Josefsson
212	   SJD AB

214	   Email: simon@josefsson.org

216	   Daniel McCarney
217	   Square Inc.

219	   Email: daniel@binaryparadox.net

221	   Tadahiko Ito
222	   SECOM CO., LTD.

224	   Email: tadahiko.ito.public@gmail.com