draft-ietf-stir-enhance-rfc8226-04.txt   draft-ietf-stir-enhance-rfc8226-05.txt 
Network Working Group R. Housley Network Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
Updates: 8226 (if approved) 30 June 2021 Updates: 8226 (if approved) 26 July 2021
Intended status: Standards Track Intended status: Standards Track
Expires: 1 January 2022 Expires: 27 January 2022
Enhanced JWT Claim Constraints for STIR Certificates Enhanced JWT Claim Constraints for STIR Certificates
draft-ietf-stir-enhance-rfc8226-04 draft-ietf-stir-enhance-rfc8226-05
Abstract Abstract
RFC 8226 specifies the use of certificates for Secure Telephone RFC 8226 specifies the use of certificates for Secure Telephone
Identity Credentials, and these certificates are often called "STIR Identity Credentials, and these certificates are often called "STIR
Certificates". RFC 8226 provides a certificate extension to Certificates". RFC 8226 provides a certificate extension to
constrain the JSON Web Token (JWT) claims that can be included in the constrain the JSON Web Token (JWT) claims that can be included in the
Personal Assertion Token (PASSporT) as defined in RFC 8225. If the Personal Assertion Token (PASSporT) as defined in RFC 8225. If the
PASSporT signer includes a JWT claim outside the constraint PASSporT signer includes a JWT claim outside the constraint
boundaries, then the PASSporT recipient will reject the entire boundaries, then the PASSporT recipient will reject the entire
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 January 2022. This Internet-Draft will expire on 27 January 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 4, line 19 skipping to change at page 4, line 19
claims appears in the mustExclude list, then the certificate MUST claims appears in the mustExclude list, then the certificate MUST
be treated as if the extension was not present. be treated as if the extension was not present.
Following the precedent in [RFC8226], JWT Claim Names MUST be ASCII Following the precedent in [RFC8226], JWT Claim Names MUST be ASCII
strings, which are also known as strings using the International strings, which are also known as strings using the International
Alphabet No. 5 [ISO646]. Alphabet No. 5 [ISO646].
The Enhanced JWT Claim Constraints certificate extension is The Enhanced JWT Claim Constraints certificate extension is
identified by the following object identifier (OID): identified by the following object identifier (OID):
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 } id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }
The Enhanced JWT Claim Constraints certificate extension has the The Enhanced JWT Claim Constraints certificate extension has the
following syntax: following syntax:
EnhancedJWTClaimConstraints ::= SEQUENCE { EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL, mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT -- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig, -- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT. -- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL, permittedValues [1] JWTClaimValuesList OPTIONAL,
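Review bot: the handling at "claims appears in the mustExclude list, then the certificate MUST be treated as if the extension was not present" is a silent downgrade, not a rejection: a certificate whose mustExclude list trips this rule is still accepted, and the PASSporT is then validated with no claim constraints at all, which is the same outcome as a relying party that does not recognize the OID. That failure mode should be spelled out in Security Considerations, or the text should say why ignoring the extension is preferable to treating the certificate as invalid. The new value in "id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }" does agree with the IANA table and the ASN.1 module further down in this diff.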
skipping to change at page 6, line 9 skipping to change at page 6, line 9
1. The "confidence" claim must be present in the PASSporT. 1. The "confidence" claim must be present in the PASSporT.
2. The "confidence" claim must have a value of "high" or "medium". 2. The "confidence" claim must have a value of "high" or "medium".
3. The "priority" claim must not be present in the PASSporT. 3. The "priority" claim must not be present in the PASSporT.
NOTE: This certificate in Figure 1 will need to be corrected once NOTE: This certificate in Figure 1 will need to be corrected once
IANA assigns the object identifier for the certificate extension. IANA assigns the object identifier for the certificate extension.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICqjCCAlCgAwIBAgIUH7Zd3rQ5AsvOlzLnzUHhrVhDSlowCgYIKoZIzj0EAwIw MIICpzCCAk2gAwIBAgIUH7Zd3rQ5AsvOlzLnzUHhrVhDSlswCgYIKoZIzj0EAwIw
KTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEUJPR1VTIFNIQUtFTiBST09UMB4XDTIx KTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEUJPR1VTIFNIQUtFTiBST09UMB4XDTIx
MDQxNTEyMTg1NloXDTIyMDQxNTEyMTg1NlowbDELMAkGA1UEBhMCVVMxCzAJBgNV MDcxNTIxNTIxNVoXDTIyMDcxNTIxNTIxNVowbDELMAkGA1UEBhMCVVMxCzAJBgNV
BAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMR4wHAYDVQQKDBVCb2d1cyBFeGFtcGxl BAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMR4wHAYDVQQKDBVCb2d1cyBFeGFtcGxl
IFRlbGVjb20xDTALBgNVBAsMBFZvSVAxDzANBgNVBAMMBlNIQUtFTjBZMBMGByqG IFRlbGVjb20xDTALBgNVBAsMBFZvSVAxDzANBgNVBAMMBlNIQUtFTjBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABNR6C6nBWRA/fXTglV03aXkXy8hx9oBttVLhsTZ1 SM49AgEGCCqGSM49AwEHA0IABNR6C6nBWRA/fXTglV03aXkXy8hx9oBttVLhsTZ1
IYVRBao4OZhVf/Xv1a3xLsZ6KfdhuylSeAKuCoSbVGojYDGjggERMIIBDTAMBgNV IYVRBao4OZhVf/Xv1a3xLsZ6KfdhuylSeAKuCoSbVGojYDGjggEOMIIBCjAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUDlG3dxHyzKL/FZfS HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUDlG3dxHyzKL/FZfS
PI7rpuueRbswHwYDVR0jBBgwFoAUlToKtrQeFrwwyXpMj1qu3TQEeoEwQgYJYIZI PI7rpuueRbswHwYDVR0jBBgwFoAUlToKtrQeFrwwyXpMj1qu3TQEeoEwQgYJYIZI
AYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9y AYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9y
IGFueSBwdXJwb3NlLjAWBggrBgEFBQcBGgQKMAigBhYEMTIzNDBRBgsrBgEFBQcB IGFueSBwdXJwb3NlLjAWBggrBgEFBQcBGgQKMAigBhYEMTIzNDBOBggrBgEFBQcB
l4+jcARCMECgDjAMFgpjb25maWRlbmNloSAwHjAcFgpjb25maWRlbmNlMA4MBGhp IQRCMECgDjAMFgpjb25maWRlbmNloSAwHjAcFgpjb25maWRlbmNlMA4MBGhpZ2gM
Z2gMBm1lZGl1baIMMAoWCHByaW9yaXR5MAoGCCqGSM49BAMCA0gAMEUCIQC1AR9y Bm1lZGl1baIMMAoWCHByaW9yaXR5MAoGCCqGSM49BAMCA0gAMEUCIQCbNR4QK1um
WWHoUWH3KZ0UIvBamAThQvjJCyKWuHQIyR6LSAIgWhuf+di772aGlWhMpv5uSua5 +0vq2CE1B1/W3avYeREsPi/7RKHffL+5eQIgarHot+X9Rl7SOyNBq5X5JyEMx0SQ
ljiGsKx+dMEIE2uU978= hRLkCY3Zoz2OCNQ=
-----END CERTIFICATE----- -----END CERTIFICATE-----
Figure 1. Example Certificate. Figure 1. Example Certificate.
0 64: SEQUENCE { 0 64: SEQUENCE {
2 14: [0] { 2 14: [0] {
4 12: SEQUENCE { 4 12: SEQUENCE {
6 10: IA5String 'confidence' 6 10: IA5String 'confidence'
: } : }
: } : }
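Review bot: the sentence "NOTE: This certificate in Figure 1 will need to be corrected once IANA assigns the object identifier for the certificate extension" is stale in -05 and should be deleted along with TBD1. The regenerated certificate on the right already encodes the assigned OID: the base64 run "BggrBgEFBQcBIQ" decodes to 06 08 2B 06 01 05 05 07 01 21, i.e. 1.3.6.1.5.5.7.1.33, where the left-hand certificate had "BgsrBgEFBQcBl4+jcA", a placeholder arc of the same extension. The dump that follows ("0 64: SEQUENCE {" with the IA5String 'confidence' under [0]) matches the 66-byte OCTET STRING that follows that OID, so the figure and the decoded listing are consistent; only the note is left over.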
skipping to change at page 7, line 18 skipping to change at page 7, line 18
and the JWTClaimConstraints extension specified in [RFC8226] MUST NOT and the JWTClaimConstraints extension specified in [RFC8226] MUST NOT
both appear in the same certificate. both appear in the same certificate.
If the situation calls for mustExclude constraints, then the If the situation calls for mustExclude constraints, then the
EnhancedJWTClaimConstraints extension is the only extension that can EnhancedJWTClaimConstraints extension is the only extension that can
express the constraints. express the constraints.
On the other hand, if the situation does not call for mustExclude On the other hand, if the situation does not call for mustExclude
constraints, then either the EnhancedJWTClaimConstraints extension or constraints, then either the EnhancedJWTClaimConstraints extension or
the JWTClaimConstraints extension can express the constraints. Until the JWTClaimConstraints extension can express the constraints. Until
such time as the EnhancedJWTClaimConstraints become widely such time as support for the EnhancedJWTClaimConstraints extension
implemented, the use of the JWTClaimConstraints extension may be more becomes widely implemented, the use of the JWTClaimConstraints
likely to be implemented. This guess is based on the presumption extension may be more likely to be supported. This guess is based on
that the first specified extension will be implemented more widely in the presumption that the first specified extension will be
the next few years. implemented more widely in the next few years.
7. IANA Considerations 7. IANA Considerations
This document makes use of object identifiers for the Enhanced JWT This document makes use of object identifiers for the Enhanced JWT
Claim Constraints certificate extension defined in Section 3 and the Claim Constraints certificate extension defined in Section 3 and the
ASN.1 module identifier defined in Appendix A. Therefore, IANA is ASN.1 module identifier defined in Appendix A. Therefore, IANA has
asked to made the following assignments within the SMI Numbers made the following assignments within the SMI Numbers Registry.
Registry.
For the Enhanced JWT Claim Constraints certificate extension in the For the Enhanced JWT Claim Constraints certificate extension in the
"SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1) "SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1)
registry: registry:
TBD1 id-pe-eJWTClaimConstraints 33 id-pe-eJWTClaimConstraints
For the ASN.1 module identifier in the "SMI Security for PKIX Module For the ASN.1 module identifier in the "SMI Security for PKIX Module
Identifier" (1.3.6.1.5.5.7.0) registry: Identifier" (1.3.6.1.5.5.7.0) registry:
TBD2 id-mod-eJWTClaimConstraints-2021 101 id-mod-eJWTClaimConstraints-2021
8. Security Considerations 8. Security Considerations
For further information on certificate security and practices, see For further information on certificate security and practices, see
[RFC5280], especially the Security Considerations section. [RFC5280], especially the Security Considerations section.
Since non-critical certificate extension are ignored by Since non-critical certificate extension are ignored by
implementations that do not recognize the extension object identifier implementations that do not recognize the extension object identifier
(OID), constraints on PASSporT validation will only be applied by (OID), constraints on PASSporT validation will only be applied by
relying parties that recognize the EnhancedJWTClaimConstraints relying parties that recognize the EnhancedJWTClaimConstraints
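Review bot: "Since non-critical certificate extension are ignored" should read "extensions are" (unchanged in both revisions). The rewritten sentence "Until such time as support for the EnhancedJWTClaimConstraints extension becomes widely implemented, the use of the JWTClaimConstraints extension may be more likely to be supported" stacks "support", "implemented" and "supported" in one sentence; suggest "Until the EnhancedJWTClaimConstraints extension is widely implemented, the JWTClaimConstraints extension is more likely to be recognized by relying parties." The point is worth making sharply because Section 8 gives the consequence: a relying party that does not recognize the OID ignores the non-critical extension and applies no claim constraints, so choosing the newer extension before it is deployed weakens enforcement rather than strengthening it. The IANA values here ("33 id-pe-eJWTClaimConstraints", "101 id-mod-eJWTClaimConstraints-2021") match Section 3 and Appendix A.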
skipping to change at page 9, line 50 skipping to change at page 9, line 50
[I-D.ietf-stir-cert-delegation] [I-D.ietf-stir-cert-delegation]
Peterson, J., "STIR Certificate Delegation", Work in Peterson, J., "STIR Certificate Delegation", Work in
Progress, Internet-Draft, draft-ietf-stir-cert-delegation- Progress, Internet-Draft, draft-ietf-stir-cert-delegation-
04, 22 February 2021, <https://www.ietf.org/archive/id/ 04, 22 February 2021, <https://www.ietf.org/archive/id/
draft-ietf-stir-cert-delegation-04.txt>. draft-ietf-stir-cert-delegation-04.txt>.
[I-D.ietf-stir-passport-rcd] [I-D.ietf-stir-passport-rcd]
Wendt, C. and J. Peterson, "PASSporT Extension for Rich Wendt, C. and J. Peterson, "PASSporT Extension for Rich
Call Data", Work in Progress, Internet-Draft, draft-ietf- Call Data", Work in Progress, Internet-Draft, draft-ietf-
stir-passport-rcd-11, 29 March 2021, stir-passport-rcd-12, 12 July 2021,
<https://www.ietf.org/archive/id/draft-ietf-stir-passport- <https://www.ietf.org/archive/id/draft-ietf-stir-passport-
rcd-11.txt>. rcd-12.txt>.
[ISO646] International Organization for Standardization, [ISO646] International Organization for Standardization,
"Information processing - ISO 7-bit coded character set "Information processing - ISO 7-bit coded character set
for information interchange", ISO/IEC 646:1991, December for information interchange", ISO/IEC 646:1991, December
1991. 1991.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<https://www.rfc-editor.org/info/rfc4949>. <https://www.rfc-editor.org/info/rfc4949>.
skipping to change at page 10, line 31 skipping to change at page 10, line 31
JWT Claim Constraints certificate extension. The module defined in JWT Claim Constraints certificate extension. The module defined in
this appendix are compatible with the ASN.1 specifications published this appendix are compatible with the ASN.1 specifications published
in 2015. in 2015.
This ASN.1 module imports ASN.1 from [RFC5912]. This ASN.1 module imports ASN.1 from [RFC5912].
<CODE BEGINS> <CODE BEGINS>
EnhancedJWTClaimConstraints-2021 EnhancedJWTClaimConstraints-2021
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-eJWTClaimConstraints-2021(TBD2) } id-mod-eJWTClaimConstraints-2021(101) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN DEFINITIONS EXPLICIT TAGS ::= BEGIN
IMPORTS IMPORTS
id-pe id-pe
FROM PKIX1Explicit-2009 -- From RFC 5912 FROM PKIX1Explicit-2009 -- From RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-explicit-02(51) } id-mod-pkix1-explicit-02(51) }
skipping to change at page 11, line 6 skipping to change at page 11, line 6
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) } ; id-mod-pkixCommon-02(57) } ;
-- Enhanced JWT Claim Constraints Certificate Extension -- Enhanced JWT Claim Constraints Certificate Extension
ext-eJWTClaimConstraints EXTENSION ::= { ext-eJWTClaimConstraints EXTENSION ::= {
SYNTAX EnhancedJWTClaimConstraints SYNTAX EnhancedJWTClaimConstraints
IDENTIFIED BY id-pe-eJWTClaimConstraints } IDENTIFIED BY id-pe-eJWTClaimConstraints }
id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe TBD1 } id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }
EnhancedJWTClaimConstraints ::= SEQUENCE { EnhancedJWTClaimConstraints ::= SEQUENCE {
mustInclude [0] JWTClaimNames OPTIONAL, mustInclude [0] JWTClaimNames OPTIONAL,
-- The listed claim names MUST appear in the PASSporT -- The listed claim names MUST appear in the PASSporT
-- in addition to iat, orig, and dest. If absent, iat, orig, -- in addition to iat, orig, and dest. If absent, iat, orig,
-- and dest MUST appear in the PASSporT. -- and dest MUST appear in the PASSporT.
permittedValues [1] JWTClaimValuesList OPTIONAL, permittedValues [1] JWTClaimValuesList OPTIONAL,
-- If the claim name is present, the claim MUST contain one -- If the claim name is present, the claim MUST contain one
-- of the listed values. -- of the listed values.
mustExclude [2] JWTClaimNames OPTIONAL } mustExclude [2] JWTClaimNames OPTIONAL }
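Review bot: "The module defined in this appendix are compatible with the ASN.1 specifications published in 2015" should read "is compatible" (unchanged in both revisions). The module identifier "id-mod-eJWTClaimConstraints-2021(101)" and "id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }" agree with the IANA table, and the module syntax here is identical to the Section 3 definition, including the comment that iat, orig, and dest MUST appear regardless of mustInclude, so the two copies have not drifted.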