[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04 05 06 RFC 4212

Internet Engineering Task Force                                 C. Adams
INTERNET DRAFT                                      Entrust Technologies
29 June 2000


              Alternative Certificate Formats for PKIX-CMP
                     draft-adams-cmpaltcert-00.txt



Status of This Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.





Abstract

   The PKIX Certificate Management Protocols (PKIX-CMP) specification
   [1], while primarily focused on X.509v3 public-key certificates,
   allows the messages it defines to be used for the management of
   alternative certificate formats as well.  This document specifies
   precisely how such formats may be incorporated into PKIX-CMP and
   provides the relevant syntax for some important certificate types.











Adams                    Expires 29 December 2000               [Page 1]

Internet Draft       Alternative Cert Formats for CMP      29 June  2000


1. Introduction

   Full certificate life-cycle management in a Public-Key Infrastructure
   (PKI) requires protocol support in order to achieve automated
   processing and end user transparency.  Such protocols require
   standardization in order to allow more than one vendor to supply
   various pieces -- End Entity (EE), Certification Authority (CA),
   Registration Authority (RA) -- in the PKI deployment of a single
   organization, or to allow multiple, independently-deployed PKIs to
   be interconnected usefully.

   The IETF PKIX Working Group currently has certificate management
   protocol specifications on the standards track.  The specification
   PKIX-CMP [1], looking beyond PKIX-specific environments to the
   more-general certificate management requirements of other domains,
   defines a syntactic structure for the "Certificate" data element
   that allows certificate formats other than X.509 to be included
   easily into the management messages.  In particular, other types of
   certificates may be requested from a CA, retrieved from a public
   repository, recovered from a backup facility, updated/replaced when
   nearing the end of their validity period, and revoked when required.
   This specification takes the flexible syntax defined in PKIX-CMP and
   fills in the details regarding how to incorporate alternative
   certificate formats when this is desired.



2. Including Alternative Certificate Formats

   In Appendix C of PKIX-CMP, the ASN.1 construct, and corresponding
   comment, for "Certificate" is given as follows.

      Certificate ::= CHOICE {
         x509v3PKCert        X509v3PKCert
      }

      X509v3PKCert ::= SEQUENCE {
         tbsCertificate      TBSCertificate, -- from pkix1 module
         signatureAlgorithm  AlgorithmIdentifier,
         signature           BIT STRING
      }

      -- This syntax, while bits-on-the-wire compatible with the
      -- standard X.509 definition of "Certificate", allows the
      -- possibility of future certificate types (such as X.509
      -- attribute certificates, ANSI X9.68 "short" certificates,
      -- or WAP WTLS certificates) within this certificate management
      -- protocol, should a need ever arise to support such generality.




Adams                    Expires 29 December 2000               [Page 2]

Internet Draft       Alternative Cert Formats for CMP      29 June  2000

   Building on this framework, then, this document expands the above
   CHOICE construct as follows.

      Certificate ::= CHOICE {
         x509v3PKCert        X509v3PKCert,
         x509v2AttCert   [0] X509v2AttCert,
         wapWTLSCert     [1] WAPWTLSCert
      }

      X509v3PKCert ::= SEQUENCE {
         tbsCertificate      TBSCertificate,
         -- from PKIX1Explicit88 module in RFC 2459 [2]
         signatureAlgorithm  AlgorithmIdentifier,
         signature           BIT STRING
      }

      X509v2AttCert ::= SEQUENCE {
         attCertinfo         AttributeCertificateInfo,
         -- from X.509 (2000) [3]
         signatureAlgorithm  AlgorithmIdentifier,
         signature           BIT STRING
      }

      WAPWTLSCert ::= OCTET STRING
         -- contains the structure WTLSCertificate from the WAP
         -- WTLS specification [4], encoded as an ASN.1 OCTET STRING


   Expanding the CHOICE construct as above allows X.509 attribute
   certificates and WAP (Wireless Application Protocol) WTLS
   Wireless Transport Layer Security) certificates to be used within
   the PKIX-CMP management messages.  In the future, this construct
   may be expanded further (in subsequent revisions of this document)
   to accomodate other certificate types if this is found to be
   necessary.



3. Initialization Request

   One of the features of PKIX-CMP is its use of the CertTemplate
   construct, which allows a requester (EE, or RA acting on behalf
   of an EE) to specify as much or as little as they wish regarding
   the content of the requested certificate.  It is explicitly noted
   that the CA has final authority over the actual certificate
   content; that is, the CA may alter certificate fields or may add,
   delete, or alter extensions according to its operating policy
   (if the resulting certificate is unacceptable to the EE or RA,
   then that certificate may be rejected and/or revoked prior to any
   publication/use).



Adams                    Expires 29 December 2000               [Page 3]

Internet Draft       Alternative Cert Formats for CMP      29 June  2000

   For the new certificate types included in this document, a
   similar flexibility in the request message must be available.
   Appendix D of PKIX-CMP accomodates this in the following way
   (where id-regCtrl = {1 3 6 1 5 5 7 5 1}; see [5]).

      CertRequest ::= SEQUENCE {
          certReqId     INTEGER,
          certTemplate  CertTemplate,
          controls      Controls OPTIONAL }
      -- If certTemplate is an empty SEQUENCE (i.e., all fields
      -- omitted), then controls MAY contain the
      -- id-regCtrl-altCertTemplate control, specifying a template
      -- for a certificate other than an X.509v3 public-key
      -- certificate.  Conversely, if certTemplate is not empty
      -- (i.e., at least one field is present), then controls
      -- MUST NOT contain id-regCtrl-altCertTemplate.  The new
      -- control is defined as follows:
      id-regCtrl-altCertTemplate OBJECT IDENTIFIER ::= {id-regCtrl 7}
      AltCertTemplate ::= AttributeTypeAndValue

   In this section, an AltCertTemplate is specified for each of
   the alternative certificates defined in Section 2.

3.1. X.509 Attribute Certificate CertTemplate

   A CertTemplate for an X.509 attribute certificate can be used
   by simply defining an object identifier (OID) and corresponding
   value for use in the id-regCtrl-altCertTemplate control.  These
   are specified as follows.

   OID:

      id-acTemplate OBJECT IDENTIFIER ::=
         {id-regCtrl-altCertTemplate xx}

   Value:

      AttCertTemplate ::= SEQUENCE {
         version                 AttCertVersion            OPTIONAL,
         holder                  Holder                    OPTIONAL,
         issuer                  AttCertIssuer             OPTIONAL,
         signature               AlgorithmIdentifier       OPTIONAL,
         serialNumber            CertificateSerialNumber   OPTIONAL,
         attrCertValidityPeriod  OptionalAttCertValidity   OPTIONAL,
         attributes              SEQUENCE OF Attribute     OPTIONAL,
         issuerUniqueID          UniqueIdentifier          OPTIONAL,
         extensions              Extensions                OPTIONAL
      }
      OptionalAttCertValidity  ::= SEQUENCE {
         notBeforeTime  GeneralizedTime  OPTIONAL,
         notAfterTime   GeneralizedTime  OPTIONAL
      } -- at least one must be present

Adams                    Expires 29 December 2000               [Page 4]

Internet Draft       Alternative Cert Formats for CMP      29 June  2000

3.2. WTLS Certificate CertTemplate

   A CertTemplate for a WAP Wireless Transport Layer Security
   certificate can be used by simply defining an object identifier (OID)
   and corresponding value for use in the id-regCtrl-altCertTemplate
   control.  These are specified as follows.

   OID:

      id-wtlsTemplate OBJECT IDENTIFIER ::=
         {id-regCtrl-altCertTemplate yy}

   Value:

      WTLSCertTemplate ::= OCTET STRING
      -- actual content to be defined in the WAP Security Group and
      -- then encoded as an ASN.1 OCTET STRING


4. Security Considerations

   This entire memo is about security.  It describes a mechanism
   that may be used to incorporate multiple certificate formats into
   the PKIX-CMP certificate management protocol.


5. References

   [1] C. Adams,  S. Farrell, "Internet X.509 Public Key Infrastructure:
          Certificate Management Protocols", Internet Draft draft-ietf-
          rfc2510bis-00.txt (work in progress).

   [2] R. Housley, W. Ford, W. Polk, D. Solo, "Internet X.509 Public Key
          Infrastructure: Certificate and CRL Profile", Internet Request
          for Comments RFC 2459, January 1999.

   [3] ITU-T Recommendation X.509 | ISO/IEC 9594-8, "Information
          Technology -- Open Systems Interconnection -- The Directory:
          Public-Key and Attribute Certificate Frameworks", 2000.

   [4] WAP Forum, "Wireless Transport Layer Security Specification",
          18-Feb-2000, http://www.wapforum.org/

   [5] M. Myers, C. Adams, D. Solo, D. Kemp, "Internet X.509 Certificate
          Request Message Format", Internet Request for Comments RFC
          2511, March 1999.







Adams                    Expires 29 December 2000               [Page 5]

Internet Draft       Alternative Cert Formats for CMP      29 June  2000




6. Author's Address

   Questions about this memo can be directed to:

   Carlisle Adams
   Entrust Technologies
   750 Heron Road, Suite E08
   Ottawa, Ontario, Canada
   K1V 1A7
   e-mail:  cadams@entrust.com




Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However,
   this document itself may not be modified in any way, such as by
   removing the copyright notice or references to the Internet Society
   or other Internet organizations, except as needed for the purpose
   of developing Internet standards in which case the procedures
   for copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."









Adams                    Expires 29 December 2000               [Page 6]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/