draft-ietf-stir-enhance-rfc8226-01.txt   draft-ietf-stir-enhance-rfc8226-02.txt 
Network Working Group R. Housley Network Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
Updates: 8226 (if approved) 23 March 2021 Updates: 8226 (if approved) 15 April 2021
Intended status: Standards Track Intended status: Standards Track
Expires: 24 September 2021 Expires: 17 October 2021
Enhanced JWT Claim Constraints for STIR Certificates Enhanced JWT Claim Constraints for STIR Certificates
draft-ietf-stir-enhance-rfc8226-01 draft-ietf-stir-enhance-rfc8226-02
Abstract Abstract
RFC 8226 provides a certificate extension to constrain the JWT claims RFC 8226 provides a certificate extension to constrain the JWT claims
that can be included in the PASSporT as defined in RFC 8225. If the that can be included in the PASSporT as defined in RFC 8225. If the
signer includes a JWT claim outside the constraint boundaries, then signer includes a JWT claim outside the constraint boundaries, then
the recipient will reject the entire PASSporT. This document defines the recipient will reject the entire PASSporT. This document defines
additional ways that the JWT claims can be constrained. an additional way that the JWT claims can be constrained.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 24 September 2021. This Internet-Draft will expire on 17 October 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 12 skipping to change at page 2, line 12
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Enhanced JWT Claim Constraints Syntax . . . . . . . . . . . . 3 3. Enhanced JWT Claim Constraints Syntax . . . . . . . . . . . . 3
4. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . 4 4. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . 4
5. Certificate Extension Example . . . . . . . . . . . . . . . . 5 5. Certificate Extension Example . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Normative References . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . 8
9.2. Informative References . . . . . . . . . . . . . . . . . 9 9.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
The use of certificates [RFC5280] in establishing authority over The use of certificates [RFC5280] in establishing authority over
telephone numbers is described in [RFC8226]. telephone numbers is described in [RFC8226].
Section 8 of [RFC8226] provides a certificate extension to constrain Section 8 of [RFC8226] provides a certificate extension to constrain
the JWT claims that can be included in the PASSporT [RFC8225]. If the JWT claims that can be included in the PASSporT [RFC8225]. If
the signer includes a JWT claim outside the constraint boundaries, the signer includes a JWT claim outside the constraint boundaries,
then the recipient will reject the entire PASSporT. then the recipient will reject the entire PASSporT.
This document defines an enhanced JWTClaimConstraints certificate This document defines an enhanced JWTClaimConstraints certificate
extension, which provides all of the capabilities available in the extension, which provides all of the capabilities available in the
original certificate extension as well as some additional ways to original certificate extension as well as an additional way to
constrain the allowable JWT claims. constrain the allowable JWT claims. That is, the enhanced extension
can provide a list of claims that are not allowed to be included in
the PASSporT.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Enhanced JWT Claim Constraints Syntax 3. Enhanced JWT Claim Constraints Syntax
skipping to change at page 3, line 37 skipping to change at page 3, line 37
dest claims MUST appear in the PASSporT. dest claims MUST appear in the PASSporT.
2. permittedValues indicates that if the claim name is present, the 2. permittedValues indicates that if the claim name is present, the
claim MUST exactly match one of the listed values. claim MUST exactly match one of the listed values.
3. mustExclude indicates JWT claims that MUST NOT appear in the 3. mustExclude indicates JWT claims that MUST NOT appear in the
PASSporT. The baseline PASSporT claims ("iat", "orig", and PASSporT. The baseline PASSporT claims ("iat", "orig", and
"dest") are always permitted, and these claims MUST NOT be part "dest") are always permitted, and these claims MUST NOT be part
of the mustExclude list. of the mustExclude list.
4. excludedValues indicates that if the claim name is present, the
claim MUST NOT exactly match any of the listed values.
The Enhanced JWT Claim Constraints certificate extension is The Enhanced JWT Claim Constraints certificate extension is
identified by the following object identifier (OID): identified by the following object identifier (OID):
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 } id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 }
The Enhanced JWT Claim Constraints certificate extension has the The Enhanced JWT Claim Constraints certificate extension has the
following syntax: following syntax:
EnhancedJWTClaimConstraints ::= SEQUENCE { EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL, mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT -- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig, -- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT. -- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL, permittedValues [1] JWTClaimValuesList OPTIONAL,
-- If the claim name is present, the claim MUST contain one -- If the claim name is present, the claim MUST contain one
-- of the listed values. -- of the listed values.
mustExclude [2] JWTClaimNames OPTIONAL, mustExclude [2] JWTClaimNames OPTIONAL }
-- The listed claim names MUST NOT appear in the PASSporT. -- The listed claim names MUST NOT appear in the PASSporT.
excludedValues [3] JWTClaimValuesList OPTIONAL }
-- If the claim name is present, the claim MUST NOT contain
-- any of the listed values.
( WITH COMPONENTS { ..., mustInclude PRESENT } | ( WITH COMPONENTS { ..., mustInclude PRESENT } |
WITH COMPONENTS { ..., permittedValues PRESENT } | WITH COMPONENTS { ..., permittedValues PRESENT } |
WITH COMPONENTS { ..., mustExclude PRESENT } | WITH COMPONENTS { ..., mustExclude PRESENT } )
WITH COMPONENTS { ..., excludedValues PRESENT } )
JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues
JWTClaimValues ::= SEQUENCE { JWTClaimValues ::= SEQUENCE {
claim JWTClaimName, claim JWTClaimName,
values SEQUENCE SIZE (1..MAX) OF UTF8String } values SEQUENCE SIZE (1..MAX) OF UTF8String }
JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName
JWTClaimName ::= IA5String JWTClaimName ::= IA5String
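Review bot: with excludedValues gone, the closing brace of the SEQUENCE now sits on the mustExclude line (`mustExclude [2] JWTClaimNames OPTIONAL }`), so the comment `-- The listed claim names MUST NOT appear in the PASSporT.` that follows it falls outside the type definition, unlike the comments attached to mustInclude and permittedValues; move the brace to the end of that comment line so the three components are documented the same way, and make the same change in the copy of the module in Appendix A. The numbered list, the SEQUENCE and the WITH COMPONENTS constraint are otherwise consistent with each other after the removal.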
4. Usage Examples 4. Usage Examples
Consider these usage examples with a PASSporT claim called Consider these usage examples with a PASSporT claim called
"confidence" with values "low", "medium", and "high". These examples "confidence" with values "low", "medium", and "high". These examples
illustrate the constraints that are imposed by mustInclude, illustrate the constraints that are imposed by mustInclude,
permittedValues, mustExclude, and excludedValues: permittedValues, and mustExclude:
* If a CA issues to an authentication service certificate that * If a CA issues to an authentication service certificate that
includes an Enhanced JWT Claim Constraints certificate extension includes an Enhanced JWT Claim Constraints certificate extension
that contains the mustInclude JWTClaimName "confidence", then an that contains the mustInclude JWTClaimName "confidence", then an
authentication service is required to include the "confidence" authentication service is required to include the "confidence"
claim in all PASSporTs it generates and signs; a verification claim in all PASSporTs it generates and signs; a verification
service will treat as invalid any PASSporT it receives with a service will treat as invalid any PASSporT it receives without a
PASSporT claim that does not include the "confidence" claim. "confidence" PASSporT claim.
* If a CA issues to an authentication service certificate that * If a CA issues to an authentication service certificate that
includes an Enhanced JWT Claim Constraints certificate extension includes an Enhanced JWT Claim Constraints certificate extension
that contains the permittedValues JWTClaimName "confidence" and a that contains the permittedValues JWTClaimName "confidence" and a
permitted "high" value, then a recipient authentication service permitted "high" value, then a verification service will treat as
will treat as invalid any PASSporT it receives with a PASSporT invalid any PASSporT it receives with a PASSporT "confidence"
"confidence" claim with a value other than "high". However, a claim with a value other than "high". However, a verification
recipient authentication service will not treat as invalid a service will not treat as invalid a PASSporT it receives without a
PASSporT it receives without a PASSporT "confidence" claim at all. PASSporT "confidence" claim at all.
* If a CA issues to an authentication service certificate that * If a CA issues to an authentication service certificate that
includes an Enhanced JWT Claim Constraints certificate extension includes an Enhanced JWT Claim Constraints certificate extension
that contains the mustExclude JWTClaimName "confidence", then a that contains the mustExclude JWTClaimName "confidence", then a
recipient authentication service will treat as invalid any verification service will treat as invalid any PASSporT it
PASSporT it receives with a PASSporT "confidence" claim regardless receives with a PASSporT "confidence" claim regardless of the
of the claim value. claim value.
* If a CA issues to an authentication service certificate that
includes an Enhanced JWT Claim Constraints certificate extension
that contains the excludedValues JWTClaimName "confidence" and a
permitted "low" value, then a recipient authentication service
will treat as invalid any PASSporT it receives with a PASSporT
"confidence" claim with a value of "low". However, a recipient
authentication service will not treat as invalid a PASSporT it
receives without a PASSporT "confidence" claim at all.
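Review bot: every bullet still reads "If a CA issues to an authentication service certificate that includes ...", which is missing an article; "If a CA issues a certificate to an authentication service, and that certificate includes ..." reads correctly. Replacing "recipient authentication service" with "verification service" in the second and third bullets is the right fix, since it is the verification service that evaluates the constraints, and the first bullet's new wording ("without a "confidence" PASSporT claim") removes the garbled "with a PASSporT claim that does not include" phrasing.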
5. Certificate Extension Example 5. Certificate Extension Example
A certificate containing an example of the A certificate containing an example of the
EnhancedJWTClaimConstraints certificate extension is provided in EnhancedJWTClaimConstraints certificate extension is provided in
Figure 1. The certificate is provided in the format described in Figure 1. The certificate is provided in the format described in
[RFC7468]. The example of the EnhancedJWTClaimConstraints extension [RFC7468]. The example of the EnhancedJWTClaimConstraints extension
from the certificate is shown in Figure 2. The example imposes four from the certificate is shown in Figure 2. The example imposes four
constraints: constraints:
1. The "confidence" claim must be present in the PASSporT. 1. The "confidence" claim must be present in the PASSporT.
2. The "confidence" claim must have a value of "high" or "medium". 2. The "confidence" claim must have a value of "high" or "medium".
3. The "priority" claim must not be present in the PASSporT. 3. The "priority" claim must not be present in the PASSporT.
4. The "assurance" claim, if present in the PASSporT, must not have
a value of "low".
NOTE: This certificate in Figure 1 will need to be corrected once NOTE: This certificate in Figure 1 will need to be corrected once
IANA assigns the object identifier for the certificate extension. IANA assigns the object identifier for the certificate extension.
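Review bot: the lead-in still says "The example imposes four constraints" on both sides of the diff, but item 4 (the "assurance" excludedValues constraint) was deleted and only three remain; change it to "three constraints". The NOTE about correcting the certificate once IANA assigns the extension OID still applies and should stay.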
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICwjCCAmigAwIBAgIUH7Zd3rQ5AsvOlzLnzUHhrVhDSlkwCgYIKoZIzj0EAwIw MIICqjCCAlCgAwIBAgIUH7Zd3rQ5AsvOlzLnzUHhrVhDSlowCgYIKoZIzj0EAwIw
KTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEUJPR1VTIFNIQUtFTiBST09UMB4XDTIx KTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEUJPR1VTIFNIQUtFTiBST09UMB4XDTIx
MDEyNjIwMTc1M1oXDTIyMDEyNjIwMTc1M1owbDELMAkGA1UEBhMCVVMxCzAJBgNV MDQxNTEyMTg1NloXDTIyMDQxNTEyMTg1NlowbDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMR4wHAYDVQQKDBVCb2d1cyBFeGFtcGxl BAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMR4wHAYDVQQKDBVCb2d1cyBFeGFtcGxl
IFRlbGVjb20xDTALBgNVBAsMBFZvSVAxDzANBgNVBAMMBlNIQUtFTjBZMBMGByqG IFRlbGVjb20xDTALBgNVBAsMBFZvSVAxDzANBgNVBAMMBlNIQUtFTjBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABNR6C6nBWRA/fXTglV03aXkXy8hx9oBttVLhsTZ1 SM49AgEGCCqGSM49AwEHA0IABNR6C6nBWRA/fXTglV03aXkXy8hx9oBttVLhsTZ1
IYVRBao4OZhVf/Xv1a3xLsZ6KfdhuylSeAKuCoSbVGojYDGjggEpMIIBJTAMBgNV IYVRBao4OZhVf/Xv1a3xLsZ6KfdhuylSeAKuCoSbVGojYDGjggERMIIBDTAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUDlG3dxHyzKL/FZfS HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUDlG3dxHyzKL/FZfS
PI7rpuueRbswHwYDVR0jBBgwFoAUlToKtrQeFrwwyXpMj1qu3TQEeoEwQgYJYIZI PI7rpuueRbswHwYDVR0jBBgwFoAUlToKtrQeFrwwyXpMj1qu3TQEeoEwQgYJYIZI
AYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9y AYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9y
IGFueSBwdXJwb3NlLjAWBggrBgEFBQcBGgQKMAigBhYEMTIzNDBpBgsrBgEFBQcB IGFueSBwdXJwb3NlLjAWBggrBgEFBQcBGgQKMAigBhYEMTIzNDBRBgsrBgEFBQcB
l4+jcARaMFigDjAMFgpjb25maWRlbmNloSAwHjAcFgpjb25maWRlbmNlMA4MBGhp l4+jcARCMECgDjAMFgpjb25maWRlbmNloSAwHjAcFgpjb25maWRlbmNlMA4MBGhp
Z2gMBm1lZGl1baIMMAoWCHByaW9yaXR5oxYwFDASFglhc3N1cmFuY2UwBQwDbG93 Z2gMBm1lZGl1baIMMAoWCHByaW9yaXR5MAoGCCqGSM49BAMCA0gAMEUCIQC1AR9y
MAoGCCqGSM49BAMCA0gAMEUCIGEJnDIaAI0SiSh0YFWujezSpFVYPCvYh5xnNA1J WWHoUWH3KZ0UIvBamAThQvjJCyKWuHQIyR6LSAIgWhuf+di772aGlWhMpv5uSua5
xxV+AiEApm9YYpEuuzBb7sWfh7ZveMWPfTsmCM5unTUaY6skAGE= ljiGsKx+dMEIE2uU978=
-----END CERTIFICATE----- -----END CERTIFICATE-----
Figure 1. Example Certificate. Figure 1. Example Certificate.
0 89: SEQUENCE { 0 64: SEQUENCE {
2 14: [0] { 2 14: [0] {
4 12: SEQUENCE { 4 12: SEQUENCE {
6 10: IA5String 'confidence' 6 10: IA5String 'confidence'
: } } : }
18 32: [1] { : }
20 30: SEQUENCE { 18 32: [1] {
22 28: SEQUENCE { 20 30: SEQUENCE {
24 10: IA5String 'confidence' 22 28: SEQUENCE {
36 14: SEQUENCE { 24 10: IA5String 'confidence'
38 4: UTF8String 'high' 36 14: SEQUENCE {
44 6: UTF8String 'medium' 38 4: UTF8String 'high'
: } } } } 44 6: UTF8String 'medium'
52 12: [2] { : }
54 10: SEQUENCE { : }
56 8: IA5String 'priority' : }
: } } : }
66 22: [3] { 52 12: [2] {
68 20: SEQUENCE { 54 10: SEQUENCE {
70 18: SEQUENCE { 56 8: IA5String 'priority'
72 9: IA5String 'assurance' : }
83 5: SEQUENCE { : }
85 3: UTF8String 'low' : }
: } } } } }
Figure 2. Example EnhancedJWTClaimConstraints extension. Figure 2. Example EnhancedJWTClaimConstraints extension.
6. IANA Considerations 6. IANA Considerations
This document makes use of object identifiers for the Enhanced JWT This document makes use of object identifiers for the Enhanced JWT
Claim Constraints certificate extension defined in Section 3 and the Claim Constraints certificate extension defined in Section 3 and the
ASN.1 module identifier defined in Appendix A. Therefore, IANA is ASN.1 module identifier defined in Appendix A. Therefore, IANA is
asked to made the following assignments within the SMI Numbers asked to made the following assignments within the SMI Numbers
Registry. Registry.
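Review bot: "IANA is asked to made the following assignments" should read "asked to make"; the typo is present on both sides of the diff.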
skipping to change at page 7, line 30 skipping to change at page 7, line 11
Identifier" (1.3.6.1.5.5.7.0) registry: Identifier" (1.3.6.1.5.5.7.0) registry:
TBD2 id-mod-eJWTClaimConstraints-2021 TBD2 id-mod-eJWTClaimConstraints-2021
7. Security Considerations 7. Security Considerations
For further information on certificate security and practices, see For further information on certificate security and practices, see
[RFC5280], especially the Security Considerations section. [RFC5280], especially the Security Considerations section.
The Enhanced JWT Claim Constraints certificate extension can be used The Enhanced JWT Claim Constraints certificate extension can be used
by certificate issuers to provide limits on the acceptable PASSporT by certificate issuers to provide limits on the acceptable PASSporTs
that will be accepted by recipient verification services. that will be accepted by verification services. Enforcement of these
Enforcement of these limits depends upon proper implementation by the limits depends upon proper implementation by the verification
recipient verification services. The digital signature on the services. The digital signature on the PASSportT data structure will
PASSportT data structure will be valid even if the limits are be valid even if the limits are violated.
violated.
Use of the Enhanced JWT Claim Constraints certificate extension
permittedValues constraint is most useful when the claim definition
allows a specified set of values. In this way, all of the values
that are not listed in the JWTClaimValuesList are prohibited in a
valid PASSporT.
Certificate issuers must take care when imposing constraints on the Certificate issuers must take care when imposing constraints on the
PASSporT claims and the claim values that can successfully validated; PASSporT claims and the claim values that can successfully validated;
some combinations can prevent any PASSporT from being successfully some combinations can prevent any PASSporT from being successfully
validated by the certificate. For example, an entry in mustInclude validated by the certificate. For example, an entry in mustInclude
and an entry in mustExclude for the same claim will prevent and an entry in mustExclude for the same claim will prevent
successful validation on any PASSporT. successful validation on any PASSporT.
Likewise, certificate issuers should not include an entry in Certificate issuers must take care when imposing constraints on the
mustExclude for the "rcdi" claim for a certificate that will be used PASSporT claims and the claim values that can successfully validated;
with the PASSporT Extension for Rich Call Data defined in some combinations can prevent any PASSporT from being successfully
validated by the certificate. For example, an entry in mustInclude
and an entry in mustExclude for the same claim will prevent
successful validation on any PASSporT.
Certificate issuers should not include an entry in mustExclude for
the "rcdi" claim for a certificate that will be used with the
PASSporT Extension for Rich Call Data defined in
[I-D.ietf-stir-passport-rcd]. Excluding this claim would prevent the [I-D.ietf-stir-passport-rcd]. Excluding this claim would prevent the
integrity protection mechanism from working properly. integrity protection mechanism from working properly.
Certificate issuers must take care when performing certificate Certificate issuers must take care when performing certificate
renewal [RFC4949] to include exactly the same Enhanced JWT Claim renewal [RFC4949] to include exactly the same Enhanced JWT Claim
Constraints certificate extension in the new certificate as the old Constraints certificate extension in the new certificate as the old
one. Renewal usually takes place before the old certificate expires, one. Renewal usually takes place before the old certificate expires,
so there is a period of time where both the new certificate and the so there is a period of time where both the new certificate and the
old certificate are valid. If different constraints appear in the old certificate are valid. If different constraints appear in the
two certificates with the same public key, some PASSporTs might be two certificates with the same public key, some PASSporTs might be
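Review bot: the new text carries the paragraph "Certificate issuers must take care when imposing constraints on the PASSporT claims ... will prevent successful validation on any PASSporT." twice in succession; drop the second copy and keep the "rcdi" paragraph that follows it, which otherwise reads correctly without the old "Likewise,". In that paragraph "the claim values that can successfully validated" is missing "be" ("can be successfully validated"), and in the first paragraph of the section "PASSportT data structure" should be "PASSporT".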
skipping to change at page 10, line 10 skipping to change at page 10, line 4
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) } id-mod-pkix1-explicit-02(51) }
EXTENSION EXTENSION
FROM PKIX-CommonTypes-2009 -- From RFC 5912 FROM PKIX-CommonTypes-2009 -- From RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) } ; id-mod-pkixCommon-02(57) } ;
-- Enhanced JWT Claim Constraints Certificate Extension -- Enhanced JWT Claim Constraints Certificate Extension
ext-eJWTClaimConstraints EXTENSION ::= { ext-eJWTClaimConstraints EXTENSION ::= {
SYNTAX EnhancedJWTClaimConstraints SYNTAX EnhancedJWTClaimConstraints
IDENTIFIED BY id-pe-JWTClaimConstraints } IDENTIFIED BY id-pe-eJWTClaimConstraints }
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 } id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 }
EnhancedJWTClaimConstraints ::= SEQUENCE { EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL, mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT -- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig, -- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT. -- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL, permittedValues [1] JWTClaimValuesList OPTIONAL,
-- If the claim name is present, the claim MUST contain one -- If the claim name is present, the claim MUST contain one
-- of the listed values. -- of the listed values.
mustExclude [2] JWTClaimNames OPTIONAL, mustExclude [2] JWTClaimNames OPTIONAL }
-- The listed claim names MUST NOT appear in the PASSporT. -- The listed claim names MUST NOT appear in the PASSporT.
excludedValues [3] JWTClaimValuesList OPTIONAL }
-- If the claim name is present, the claim MUST NOT contain
-- any of the listed values.
( WITH COMPONENTS { ..., mustInclude PRESENT } | ( WITH COMPONENTS { ..., mustInclude PRESENT } |
WITH COMPONENTS { ..., permittedValues PRESENT } | WITH COMPONENTS { ..., permittedValues PRESENT } |
WITH COMPONENTS { ..., mustExclude PRESENT } | WITH COMPONENTS { ..., mustExclude PRESENT } )
WITH COMPONENTS { ..., excludedValues PRESENT } )
JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues
JWTClaimValues ::= SEQUENCE { JWTClaimValues ::= SEQUENCE {
claim JWTClaimName, claim JWTClaimName,
values SEQUENCE SIZE (1..MAX) OF UTF8String } values SEQUENCE SIZE (1..MAX) OF UTF8String }
JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName
JWTClaimName ::= IA5String JWTClaimName ::= IA5String