draft-ietf-sip-eku-03.txt   draft-ietf-sip-eku-04.txt 
SIP WG S. Lawrence SIP WG S. Lawrence
Internet-Draft Nortel Networks, Inc. Internet-Draft Nortel Networks, Inc.
Intended status: Standards Track V. Gurbani Intended status: Standards Track V. Gurbani
Expires: April 9, 2009 Bell Laboratories, Alcatel-Lucent Expires: October 9, 2009 Bell Laboratories, Alcatel-Lucent
October 06, 2008 April 07, 2009
Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP) Using Extended Key Usage (EKU) for Session Initiation Protocol (SIP)
X.509 Certificates X.509 Certificates
draft-ietf-sip-eku-03 draft-ietf-sip-eku-04
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79. This document may contain material
have been or will be disclosed, and any of which he or she becomes from IETF Documents or IETF Contributions published or made publicly
aware will be disclosed, in accordance with Section 6 of BCP 79. available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 9, 2009. This Internet-Draft will expire on October 9, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This memo documents an extended key usage (EKU) X.509 certificate This memo documents an extended key usage (EKU) X.509 certificate
extension for identifying the holder of a certificate as extension for restricting the applicability of a certificate to use
authoritative for a Session Initiation Protocol (SIP) service in the with a Session Initiation Protocol (SIP) service. As such, in
domain named by the DNS name in the certificate. addition to providing rules for SIP implementations, this memo also
provides guidance to issuers of certificates for use with SIP.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Abstract syntax notation . . . . . . . . . . . . . . . . . 3 1.2. Abstract syntax notation . . . . . . . . . . . . . . . . . 3
2. Problem statement . . . . . . . . . . . . . . . . . . . . . . 3 2. Problem statement . . . . . . . . . . . . . . . . . . . . . . . 3
3. Restricting usage to SIP . . . . . . . . . . . . . . . . . . . 4 3. Restricting usage to SIP . . . . . . . . . . . . . . . . . . . 4
3.1. Extended Key Usage values for SIP domains . . . . . . . . 4 3.1. Extended Key Usage values for SIP domains . . . . . . . . . 5
4. Using the SIP EKU in a certificate . . . . . . . . . . . . . . 5 4. Using the SIP EKU in a certificate . . . . . . . . . . . . . . 5
5. Implications for a Certification Authority . . . . . . . . . . 6 5. Implications for a Certification Authority . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . . 7 9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . . 7 9.2. Informative References . . . . . . . . . . . . . . . . . . 8
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 10
1. Terminology 1. Terminology
1.1. Key Words 1.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
1.2. Abstract syntax notation 1.2. Abstract syntax notation
skipping to change at page 4, line 17 skipping to change at page 4, line 17
A SIP domain name is frequently textually identical to the same DNS A SIP domain name is frequently textually identical to the same DNS
name used for other purposes. For example, the DNS name example.com name used for other purposes. For example, the DNS name example.com
can serve as a SIP domain name, an email domain name, and a web can serve as a SIP domain name, an email domain name, and a web
service name. Since these different services within a single service name. Since these different services within a single
organization might be administered independently and hosted organization might be administered independently and hosted
separately, it is desirable that a certificate be able to bind the separately, it is desirable that a certificate be able to bind the
DNS name to its usage as a SIP domain name without creating the DNS name to its usage as a SIP domain name without creating the
implication that the entity presenting the certificate is also implication that the entity presenting the certificate is also
authoritative for some other purpose. A mechanism is needed to allow authoritative for some other purpose. A mechanism is needed to allow
the certificate issued to a proxy to be restricted such that the the certificate issued to a proxy to be restricted such that the
subject name(s) it contains are valid only for use in SIP. In our subject name(s) that the certificate contains are valid only for use
example, Proxy-B possesses a certificate making it authoritative as a in SIP. In our example, Proxy-B possesses a certificate making
SIP server for the domain example.net; furthermore, it has a policy Proxy-B authoritative as a SIP server for the domain example.net;
that requires the client's SIP domain be authenticated through a furthermore, Proxy-B has a policy that requires the client's SIP
similar certificate. Proxy-A is authoritative as a SIP server for domain be authenticated through a similar certificate. Proxy-A is
the domain example.com; when Proxy-A makes a TLS connection to authoritative as a SIP server for the domain example.com; when
Proxy-B, the latter accepts the connection based on its policy. Proxy-A makes a TLS connection to Proxy-B, the latter accepts the
connection based on its policy.
3. Restricting usage to SIP 3. Restricting usage to SIP
This memo defines a certificate profile for restricting the usage of This memo defines a certificate profile for restricting the usage of
a domain name binding to usage as a SIP domain name. RFC 5280 [3] a domain name binding to usage as a SIP domain name. RFC 5280 [3]
Section 4.2.1.12 defines a mechanism for this purpose: an "Extended Section 4.2.1.12 defines a mechanism for this purpose: an "Extended
Key Usage" (EKU) attribute, where the purpose of the EKU extension is Key Usage" (EKU) attribute, where the purpose of the EKU extension is
described as: described as:
"If the extension is present, then the certificate MUST only be "If the extension is present, then the certificate MUST only be
used for one of the purposes indicated. If multiple purposes are used for one of the purposes indicated. If multiple purposes are
indicated the application need not recognize all purposes indicated the application need not recognize all purposes
indicated, as long as the intended purpose is present. indicated, as long as the intended purpose is present.
Certificate using applications MAY require that the extended key Certificate using applications MAY require that the extended key
usage extension be present and that a particular purpose be usage extension be present and that a particular purpose be
indicated in order for the certificate to be acceptable to that indicated in order for the certificate to be acceptable to that
application." application."
A certificate whose purpose is to bind a SIP domain identity without A Certificate Authority issuing a certificate whose purpose is to
binding other non-SIP identities MUST include an id-kp-SIPdomain bind a SIP domain identity without binding other non-SIP identities
attribute in the Extended Key Usage extension value (see MUST include an id-kp-SIPdomain attribute in the Extended Key Usage
Section 3.1). extension value (see Section 3.1).
3.1. Extended Key Usage values for SIP domains 3.1. Extended Key Usage values for SIP domains
RFC 5280 [3] specifies the EKU X.509 certificate Extension for use in RFC 5280 [3] specifies the EKU X.509 certificate Extension for use in
the Internet. The extension indicates one or more purposes for which the Internet. The extension indicates one or more purposes for which
the certified public key is valid. The EKU extension can be used in the certified public key is valid. The EKU extension can be used in
conjunction with the key usage extension, which indicates how the conjunction with the key usage extension, which indicates how the
public key in the certificate may be used, in a more basic public key in the certificate is used, in a more basic cryptographic
cryptographic way. way.
The EKU extension syntax is repeated here for convenience: The EKU extension syntax is repeated here for convenience:
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId ::= OBJECT IDENTIFIER KeyPurposeId ::= OBJECT IDENTIFIER
This specification defines the KeyPurposeId id-kp-sipDomain. This specification defines the KeyPurposeId id-kp-sipDomain.
Inclusion of this KeyPurposeId in a certificate indicates that the Inclusion of this KeyPurposeId in a certificate indicates that the
use of any Subject names in the certificate is restricted to use by a use of any Subject names in the certificate is restricted to use by a
skipping to change at page 5, line 35 skipping to change at page 5, line 40
4. Using the SIP EKU in a certificate 4. Using the SIP EKU in a certificate
Section 7.1 of Domain Certificates in the Session Initiation Protocol Section 7.1 of Domain Certificates in the Session Initiation Protocol
[8] contains the steps for finding an identity (or a set of [8] contains the steps for finding an identity (or a set of
identities) in an X.509 certificate for SIP. In order to determine identities) in an X.509 certificate for SIP. In order to determine
whether the usage of a certificate is restricted, implementations whether the usage of a certificate is restricted, implementations
MUST perform the step given below as a part of the certificate MUST perform the step given below as a part of the certificate
validation: validation:
The Extended Key Usage value(s), if any, MUST be examined: The implementation MUST examine the Extended Key Usage value(s), if
any:
o If the certificate does not contain any EKU values (the Extended o If the certificate does not contain any EKU values (the Extended
Key Usage extension does not exist), it is a matter of local Key Usage extension does not exist), it is a matter of local
policy whether or not to accept the certificate for use as a SIP policy whether or not to accept the certificate for use as a SIP
certificate. certificate.
o If the certificate contains the id-kp-sipDomain EKU extension, o If the certificate contains the id-kp-sipDomain EKU extension,
then the certificate MUST be accepted as valid for use as a SIP then implementations MUST accept the certificate as valid for use
certificate. as a SIP certificate.
o If the certificate does not contain the id-kp-sipDomain EKU value, o If the certificate does not contain the id-kp-sipDomain EKU value,
but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a
matter of local policy whether or not to accept it for use as a matter of local policy whether or not to accept the certificate
SIP certificate. for use as a SIP certificate.
o If the certificate does not contain the id-kp-sipDomain EKU value, o If the certificate does not contain the id-kp-sipDomain EKU value,
but does contain either the id-kp-serverAuth or id-kp-clientAuth but does contain either the id-kp-serverAuth or id-kp-clientAuth
EKU values, it is a matter of local policy whether or not to EKU values, it is a matter of local policy whether or not to
accept it for use as a SIP certificate. accept the certificate as valid for use as a SIP certificate.
id-kp-serverAuth and id-kp-clientAuth EKU values are defined in id-kp-serverAuth and id-kp-clientAuth EKU values are defined in
Section 4.2.1.12 of RFC 5280 [3]. Section 4.2.1.12 of RFC 5280 [3].
o If EKU extension exists but does not contain any of the id-kp- o If EKU extension exists but does not contain any of the id-kp-
sipDomain, id-kp-anyExtendedKeyUsage, id-kp-serverAuth, or id-kp- sipDomain, id-kp-anyExtendedKeyUsage, id-kp-serverAuth, or id-kp-
clientAuth EKU values, then the certificate MUST NOT be accepted clientAuth EKU values, then implementations MUST NOT accept the
as valid for use as a SIP certificate. certificate as valid for use as a SIP certificate.
5. Implications for a Certification Authority 5. Implications for a Certification Authority
The procedures and practices employed by a certification authority The procedures and practices employed by a certification authority
MUST ensure that the correct values for the EKU extension and MUST ensure that the correct values for the EKU extension and
subjectAltName are inserted in each certificate that is issued. For subjectAltName are inserted in each certificate that is issued. For
certificates that indicate authority over a SIP domain, but not over certificates that indicate authority over a SIP domain, but not over
services other than SIP, certificate authorities MUST include the id- services other than SIP, certificate authorities MUST include the id-
kp-sipDomain EKU extension. kp-sipDomain EKU extension.
6. Security Considerations 6. Security Considerations
This memo defines an EKU X.509 certificate extension that restricts This memo defines an EKU X.509 certificate extension that restricts
the the usage of a certificate to a SIP service belonging to an the the usage of a certificate to a SIP service belonging to an
autonomous domain. Relying parties may execute applicable policies autonomous domain. Relying parties can execute applicable policies
(such as those related to billing) on receiving a certificate with (such as those related to billing) on receiving a certificate with
the id-kp-sipDomain EKU value. An id-kp-sipDomain EKU value does not the id-kp-sipDomain EKU value. An id-kp-sipDomain EKU value does not
introduce any new security or privacy concerns. introduce any new security or privacy concerns.
7. IANA Considerations 7. IANA Considerations
The id-kp-sipDomain purpose requires an object identifier (OID). The The id-kp-sipDomain purpose requires an object identifier (OID). The
objects are defined in an arc delegated by IANA to the PKIX working objects are defined in an arc delegated by IANA to the PKIX working
group. No further action is necessary by IANA. group. No further action is necessary by IANA.
skipping to change at page 7, line 25 skipping to change at page 7, line 32
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., [2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[3] Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R., [3] Cooper, D., Santesson, S., Farrell, S., Boyen, S., Housley, R.,
and W. Polk, "Internet X.509 Public Key Infrastructure and W. Polk, "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile", Certificate and Certificate Revocation List (CRL) Profile",
RFC 5280, May 2008. RFC 5280, May 2008.
[4] International International Telephone and Telegraph Consultative [4] International Telecommunications Union, "Information technology
Committee, "Information Technology - Open Systems - Open Systems Interconnection - The Directory: Public-key and
Interconnection - The Directory: Authentication Framework", attribute certificate frameworks", ITU-T Recommendation X.509,
CCITT Recommendation X.509, November 1988. ISO Standard 9594-8, March 2000.
[5] International International Telephone and Telegraph Consultative [5] International International Telephone and Telegraph Consultative
Committee, "Specification of Abstract Syntax Notation One Committee, "Abstract Syntax Notation One (ASN.1): Specification
(ASN.1): Specification of Basic Notation", CCITT Recommendation of basic notation", CCITT Recommendation X.680, July 2002.
X.680, July 1994.
[6] International Telecommunications Union, "Information Technology [6] International International Telephone and Telegraph Consultative
- ASN.1 encoding rules: Specification of Basic Encoding Rules Committee, "ASN.1 encoding rules: Specification of basic
(BER), Canonical Encoding Rules (CER) and Distinguished Encoding encoding Rules (BER), Canonical encoding rules (CER) and
Rules (DER)", ITU-T Recommendation X.690, 1994. Distinguished encoding rules (DER)", CCITT Recommendation X.690,
July 2002.
[7] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol [7] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
(SIP): Location SIP Servers", RFC 3263, June 2002. (SIP): Location SIP Servers", RFC 3263, June 2002.
9.2. Informative References 9.2. Informative References
[8] Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain Certificates [8] Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain Certificates
in the Session Initiation Protocol (SIP)", in the Session Initiation Protocol (SIP)",
draft-ietf-sip-domain-certs-03.txt (work in progress), draft-ietf-sip-domain-certs-03.txt (work in progress),
July 2008. January 2009.
Appendix A. ASN.1 Module Appendix A. ASN.1 Module
SIPDomainCertExtn SIPDomainCertExtn
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-sip-domain-extns2007(VALUE-TBD) } id-mod-sip-domain-extns2007(VALUE-TBD) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
skipping to change at page 9, line 4 skipping to change at page 9, line 15
Authors' Addresses Authors' Addresses
Scott Lawrence Scott Lawrence
Nortel Networks, Inc. Nortel Networks, Inc.
600 Technology Park 600 Technology Park
Billerica, MA 01821 Billerica, MA 01821
USA USA
Phone: +1 978 248 5508 Phone: +1 978 248 5508
Email: scott.lawrence@nortel.com Email: scott.lawrence@nortel.com
Vijay K. Gurbani Vijay K. Gurbani
Bell Laboratories, Alcatel-Lucent Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane 1960 Lucent Lane
Room 9C-533 Room 9C-533
Naperville, IL 60566 Naperville, IL 60566
USA USA
Phone: +1 630 224-0216 Phone: +1 630 224-0216
Email: vkg@alcatel-lucent.com Email: vkg@alcatel-lucent.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 27 change blocks. 
56 lines changed or deleted 74 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/