rfcdiff comparison: draft-ietf-stir-enhance-rfc8226-00.txt vs. draft-ietf-stir-enhance-rfc8226-01.txt
(Text that differs between the two versions is shown as [-00: old wording | -01: new wording]; unlabelled text is identical in both.)

Network Working Group                                        R. Housley
Internet-Draft                                           Vigil Security
Updates: 8226 (if approved)
Intended status: Standards Track
Date:     [-00: 15 February 2021 | -01: 23 March 2021]
Expires:  [-00: 19 August 2021   | -01: 24 September 2021]

         Enhanced JWT Claim Constraints for STIR Certificates
   [-00: draft-ietf-stir-enhance-rfc8226-00 | -01: draft-ietf-stir-enhance-rfc8226-01]
Abstract

   RFC 8226 provides a certificate extension to constrain the JWT claims
   that can be included in the PASSporT as defined in RFC 8225.  If the
   signer includes a JWT claim outside the constraint boundaries, then
   the recipient will reject the entire PASSporT.  This document defines
   additional ways that the JWT claims can be constrained.
Status of This Memo

   (rfcdiff: unchanged text skipped to the change at page 1, line 35)

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-00: 19 August 2021 | -01: 24 September 2021].

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   (rfcdiff: unchanged text skipped to the change at page 2, line 14)

Table of Contents

   (Page numbers are given as -00 / -01 where the two versions differ.)

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Enhanced JWT Claim Constraints Syntax  . . . . . . . . . . .   3
   4.  Usage Examples . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Certificate Extension Example  . . . . . . . . . . . . . . .   5
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations  . . . . . . . . . . . . . . . . . .   7
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .   7 / 8
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .   7 / 8
     9.1.  Normative References . . . . . . . . . . . . . . . . . .   7 / 8
     9.2.  Informative References . . . . . . . . . . . . . . . . .   8 / 9
   Appendix A.  ASN.1 Module  . . . . . . . . . . . . . . . . . . .   8 / 9
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . .  10
1.  Introduction

   The use of certificates [RFC5280] in establishing authority over
   telephone numbers is described in [RFC8226].

   Section 8 of [RFC8226] provides a certificate extension to constrain
   the JWT claims that can be included in the PASSporT [RFC8225].  If
   the signer includes a JWT claim outside the constraint boundaries,

   (rfcdiff: unchanged text skipped to the change at page 3, line 7)
2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
3.  Enhanced JWT Claim Constraints Syntax

   [-00: Certificate subjects are limited to specific values for
   PASSporT claims with the Enhanced JWT Claim Constraints certificate
   extension; issuers | -01: The Enhanced JWT Claim Constraints
   certificate extension limits the PASSporT claims and the claim values
   that can be successfully validated by the certificate that contains
   the extension.  Certificate issuers] permit all claims by omitting
   the Enhanced JWT Claim Constraints certificate extension from the
   extension field of the certificate [RFC5280].  The certificate
   extension is non-critical, applicable only to end-entity
   certificates, and defined with ASN.1 [X.680].  The syntax of the JWT
   claims in a PASSporT is specified in [RFC8225].

   The Enhanced JWT Claim Constraints certificate extension is optional,
   but when present, it constrains the JWT claims that authentication
   services may include in the PASSporT objects they sign.  Constraints
   are applied by certificate issuers and enforced by recipients when
   validating PASSporT claims as follows:

   1.  mustInclude indicates JWT claims that MUST appear in the PASSporT
       in addition to the iat, orig, and dest claims.  The baseline
       PASSporT claims ("iat", "orig", and "dest") are considered to be
       [-00: permitted by default | -01: required by [RFC8225]], and
       these claims SHOULD NOT be part of the mustInclude list.  If
       mustInclude is absent, the iat, orig, and dest claims MUST appear
       in the PASSporT.

   2.  permittedValues indicates that if the claim name is present, the
       claim MUST [-00: contain | -01: exactly match] one of the listed
       values.

   3.  mustExclude indicates JWT claims that MUST NOT appear in the
       PASSporT [-00 adds: in addition to the iat, orig, and dest
       claims].  The baseline PASSporT claims ("iat", "orig", and
       "dest") are [-00: considered to be permitted by default | -01:
       always permitted], and these claims MUST NOT be part of the
       mustExclude list.

   4.  excludedValues indicates that if the claim name is present, the
       claim MUST NOT [-00: contain | -01: exactly match] any of the
       listed values.

   The Enhanced JWT Claim Constraints certificate extension is
   identified by the following object identifier (OID):

      id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 }

   The Enhanced JWT Claim Constraints certificate extension has the
   following syntax:

      EnhancedJWTClaimConstraints ::= SEQUENCE {
   (rfcdiff: unchanged text skipped to the change at page 7, line 37)

   [RFC5280], especially the Security Considerations section.

   The Enhanced JWT Claim Constraints certificate extension can be used
   by certificate issuers to provide limits on the acceptable PASSporT
   that will be accepted by recipient verification services.
   Enforcement of these limits depends upon proper implementation by the
   recipient verification services.  The digital signature on the
   PASSporT data structure will be valid even if the limits are
   violated.
   [-01 adds the following three paragraphs:]

   Certificate issuers must take care when imposing constraints on the
   PASSporT claims and the claim values that can be successfully
   validated; some combinations can prevent any PASSporT from being
   successfully validated by the certificate.  For example, an entry in
   mustInclude and an entry in mustExclude for the same claim will
   prevent successful validation of any PASSporT.

   Likewise, certificate issuers should not include an entry in
   mustExclude for the "rcdi" claim for a certificate that will be used
   with the PASSporT Extension for Rich Call Data defined in
   [I-D.ietf-stir-passport-rcd].  Excluding this claim would prevent the
   integrity protection mechanism from working properly.

   Certificate issuers must take care when performing certificate
   renewal [RFC4949] to include exactly the same Enhanced JWT Claim
   Constraints certificate extension in the new certificate as the old
   one.  Renewal usually takes place before the old certificate expires,
   so there is a period of time where both the new certificate and the
   old certificate are valid.  If different constraints appear in the
   two certificates with the same public key, some PASSporTs might be
   valid when one certificate is used and invalid when the other one is
   used.
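The recipient-side checks that Section 3 specifies for mustInclude, permittedValues, mustExclude and excludedValues, and the issuer-side hazard that the Security Considerations describe (a claim listed in both mustInclude and mustExclude, or "rcdi" in mustExclude), can be seen working in the following Python model. This is an added illustration, not code from the draft or from any STIR implementation: it represents the extension as a plain dict keyed by the four Section 3 field names rather than decoding the DER-encoded extension, and the claim names "confidence" and "tracking", their values and the telephone numbers are constructed sample data. The check for a required claim whose permitted values are all excluded is this example's own inference and is labelled as such in the code.

```python
"""Model of the Enhanced JWT Claim Constraints checks (added illustration).

The extension is represented as a plain dict with the four fields named in
Section 3 of the draft; DER decoding of the real extension is out of scope.
"""
from __future__ import annotations

from typing import Any

# Baseline claims that RFC 8225 requires in every PASSporT.  They are always
# permitted, so they never need to be listed in mustInclude or mustExclude.
BASELINE_CLAIMS = frozenset({"iat", "orig", "dest"})


def check_constraints(claims: dict[str, Any],
                      constraints: dict[str, Any] | None) -> list[str]:
    """Verification-service side: return the constraint violations for one
    PASSporT's claim set (an empty list means the claims are acceptable).

    `constraints` is None when the certificate omits the extension, which
    permits every claim.  This check is independent of the signature check:
    the PASSporT signature stays valid even when these limits are violated,
    so a verifier that skips this step enforces nothing.
    """
    problems: list[str] = []
    c = constraints or {}

    # The baseline claims MUST appear whether or not mustInclude is present.
    for name in sorted(BASELINE_CLAIMS):
        if name not in claims:
            problems.append(f"baseline claim '{name}' missing")

    for name in c.get("mustInclude", []):
        if name not in claims:
            problems.append(f"required claim '{name}' missing")

    for name in c.get("mustExclude", []):
        if name in claims:
            problems.append(f"excluded claim '{name}' present")

    # Value constraints apply only when the named claim is present, and the
    # comparison is an exact match (the -01 wording), not a substring test.
    for name, allowed in c.get("permittedValues", {}).items():
        if name in claims and claims[name] not in allowed:
            problems.append(f"claim '{name}' value {claims[name]!r} not permitted")

    for name, banned in c.get("excludedValues", {}).items():
        if name in claims and claims[name] in banned:
            problems.append(f"claim '{name}' value {claims[name]!r} is excluded")

    return problems


def lint_constraints(constraints: dict[str, Any]) -> list[str]:
    """Issuer side: flag constraint combinations that no PASSporT could
    satisfy, or that the draft forbids, before the certificate is issued."""
    issues: list[str] = []
    inc = set(constraints.get("mustInclude", []))
    exc = set(constraints.get("mustExclude", []))

    # Security Considerations: the same claim in mustInclude and mustExclude
    # makes every PASSporT fail validation under this certificate.
    for name in sorted(inc & exc):
        issues.append(f"'{name}' is in both mustInclude and mustExclude")
    for name in sorted(exc & BASELINE_CLAIMS):
        issues.append(f"baseline claim '{name}' MUST NOT be in mustExclude")
    for name in sorted(inc & BASELINE_CLAIMS):
        issues.append(f"baseline claim '{name}' SHOULD NOT be in mustInclude")
    if "rcdi" in exc:
        issues.append("'rcdi' in mustExclude breaks Rich Call Data integrity protection")

    # Assumption of this example, not a rule stated in the draft: a required
    # claim whose every permitted value is also an excluded value can never
    # take an acceptable value, so it is unsatisfiable in the same way.
    permitted = constraints.get("permittedValues", {})
    excluded = constraints.get("excludedValues", {})
    for name in sorted(inc & set(permitted) & set(excluded)):
        if all(value in excluded[name] for value in permitted[name]):
            issues.append(f"required claim '{name}' has no value left that is permitted")
    return issues


# Constructed sample data: the claim names "confidence" and "tracking" and
# the telephone numbers are made up for this illustration.
SAMPLE_CONSTRAINTS = {
    "mustInclude": ["confidence"],
    "permittedValues": {"confidence": ["high", "medium"]},
    "mustExclude": ["tracking"],
    "excludedValues": {"confidence": ["low"]},
}
GOOD_CLAIMS = {"iat": 1616000000, "orig": {"tn": "12125550100"},
               "dest": {"tn": ["12125550199"]}, "confidence": "high"}
BAD_CLAIMS = dict(GOOD_CLAIMS, confidence="low", tracking="sample-id")

if __name__ == "__main__":
    print("issuer lint:", lint_constraints(SAMPLE_CONSTRAINTS) or "ok")
    print("good PASSporT:", check_constraints(GOOD_CLAIMS, SAMPLE_CONSTRAINTS) or "ok")
    for problem in check_constraints(BAD_CLAIMS, SAMPLE_CONSTRAINTS):
        print("bad PASSporT:", problem)
```

Running `lint_constraints` at issuance time and `check_constraints` at verification time keeps the two roles the draft assigns (issuer applies, recipient enforces) separate; the verifier still has to check the PASSporT signature first, because a violated constraint does not invalidate the signature.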
8.  Acknowledgements

   Many thanks to Chris Wendt for his insight into the need for the
   Enhanced JWT Claim Constraints certificate extension.

   [-01 adds:] Thanks to Ben Campbell for the thoughtful review and
   comments.  The document is much better as a result of the comments.
9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5912]  (-01 only; listed under Informative References in -00)
              Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010,
              <https://www.rfc-editor.org/info/rfc5912>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8225]  Wendt, C. and J. Peterson, "PASSporT: Personal Assertion
              Token", RFC 8225, DOI 10.17487/RFC8225, February 2018,
              <https://www.rfc-editor.org/info/rfc8225>.

   [RFC8226]  Peterson, J. and S. Turner, "Secure Telephone Identity
              Credentials: Certificates", RFC 8226,
              DOI 10.17487/RFC8226, February 2018,
              <https://www.rfc-editor.org/info/rfc8226>.

   [X.680]    International Telecommunication Union, "Information
              Technology - Abstract Syntax Notation One (ASN.1):
              Specification of basic notation", ISO/IEC 8824-1, August
              2021.

9.2.  Informative References

   [I-D.ietf-stir-passport-rcd]
              (-01 only)
              Peterson, J. and C. Wendt, "PASSporT Extension for Rich
              Call Data", Work in Progress, Internet-Draft, draft-ietf-
              stir-passport-rcd-09, 18 November 2020,
              <http://www.ietf.org/internet-drafts/draft-ietf-stir-
              passport-rcd-09.txt>.

   [RFC4949]  (-01 only)
              Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC5912]  (-00 only; moved to Normative References in -01)
              Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010,
              <https://www.rfc-editor.org/info/rfc5912>.

   [RFC7468]  Josefsson, S. and S. Leonard, "Textual Encodings of PKIX,
              PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468,
              April 2015, <https://www.rfc-editor.org/info/rfc7468>.
Appendix A.  ASN.1 Module

   This appendix provides the ASN.1 [X.680] definitions for the Enhanced
   JWT Claim Constraints certificate extension.  The module defined in
   this appendix is compatible with the ASN.1 specifications published
End of changes.  14 change blocks.  28 lines changed or deleted, 64 lines changed or added.

This html diff was produced by rfcdiff 1.48.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/