Extended Key Usage Constraints
draft-housley-spasm-eku-constraints-00
The information below is for an old version of the document.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Russ Housley | ||
| Last updated | 2016-05-13 | ||
| Stream | (None) | ||
| Formats | plain text htmlized pdfized bibtex | ||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-housley-spasm-eku-constraints-00
INTERNET-DRAFT R. Housley
Intended Status: Standards Track Vigil Security
Updates: RFC 5280 (if approved)
Expires: 14 November 2016 13 May 2016
Extended Key Usage Constraints
draft-housley-spasm-eku-constraints-00
Abstract
This document specifies the extended key usage constraints
certificate extension, which is used to place restrictions on the key
purpose identifiers that are authorized to appear in subsequent
certificates in a certification path. Restrictions apply to the
extended key usage certificate extension, which is described in RFC
5280.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Housley Expires 14 November 2016 [Page 1]
INTERNET-DRAFT EKU Constraints 13 May 2016
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1 Introduction
This document specifies the extended key usage constraints
certificate extension, which is used to place restrictions on the key
purpose identifiers that are authorized to appear in subsequent
certificates in a certification path. Restrictions apply to the
extended key usage certificate extension, which is described in
Section 4.2.1.12 of RFC 5280 [RFC5280].
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1.2. ASN.1
Certificates are generated using ASN.1 [X680], which uses the Basic
Encoding Rules (BER) and the Distinguished Encoding Rules (DER)
[X690].
2. Extended Key Usage Constraints Certificate Extension
The extended key usage (EKU) constraints certificate extension, which
MUST be used only in a CA certificate, indicates the extended key
usage values that are authorized to appear in subsequent certificates
in a certification path. Restrictions apply to the extended key
usage certificate extension, which is described in Section 4.2.1.12
of RFC 5280 [RFC5280].
Restrictions are defined in terms of permitted or excluded key
purpose identifiers. Any key purpose identifier matching an entry in
the excludedKeyPurposeIds field is invalid regardless of information
appearing in the permittedKeyPurposeIds.
Conforming CAs MUST mark this extension as critical, and conforming
CAs MUST NOT issue certificates where this extension is an empty
sequence. That is, either the permittedKeyPurposeIds field or the
excludedKeyPurposeIds field MUST be present.
Conforming applications MUST be able to process this extension. If
any CA certificate in the certification path includes an EKU
Housley Expires 14 November 2016 [Page 2]
INTERNET-DRAFT EKU Constraints 13 May 2016
constraints extension that is marked as critical, and the end-entity
certificate includes an extended key usage certificate extension,
then the application MUST either process the EKU constraint or reject
the certificate.
ekuConstraints EXTENSION ::= { SYNTAX EKUConstraints
IDENTIFIED BY id-ce-ekuConstraints }
id-ce-ekuConstraints OBJECT IDENTIFIER ::= { id-ce TBD }
EKUConstraints ::= SEQUENCE {
permittedKeyPurposeIds [0] KeyPurposeIds OPTIONAL,
excludedKeyPurposeIds [1] KeyPurposeIds OPTIONAL }
KeyPurposeIds ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
3. Basic Path Validation
Certification path validation is described in Section 6.1 of RFC 5280
[RFC5280]. Certification path processing verifies the binding
between the subject name and the subject public key. The binding is
limited by constraints that are specified in the certificates that
comprise the path and inputs that are specified by the relying party.
This section extends to path processing to include EKU constraints.
3.1. Inputs
No additional inputs are needed.
3.2. Initialization
Two additional values are initialized.
(l) permitted_key_purpose_ids: a set of key purpose identifiers;
all of the key purpose identifiers in the end-entity certificate
MUST be included in this set. If the set is empty, then the
certification path will be considered invalid if the end-entity
certificate includes an extended key usage extension. The
initial value is a special value that represents the universal
set.
(m) excluded_key_purpose_ids: a set of key purpose identifiers; the
key purpose identifiers in the end-entity certificate MUST NOT
be included in this set. If the set is empty, then no key
purpose identifiers are excluded. The initial value is a is the
empty set.
Housley Expires 14 November 2016 [Page 3]
INTERNET-DRAFT EKU Constraints 13 May 2016
3.3. Basic Certificate Processing
No additional processing steps are needed.
3.4. Preparation for Certificate i+1
One additional processing step is needed.
(p) If a EKU constraints extension is included in the certificate,
then modify the permitted_key_purpose_ids and
excluded_key_purpose_ids state variables as follows:
(1) If permittedKeyPurposeIds is present in the certificate,
set the permitted_key_purpose_ids state variable to the
intersection of its previous value and the value indicated
in the extension field.
(2) If excludedKeyPurposeIds is present in the certificate, set
the excluded_key_purpose_ids state variable to the union of
its previous value and the value indicated in the extension
field.
3.5. Wrap-Up Procedure
One additional processing step is needed.
(h) If the EKU extension is included in the end-entity certificate,
then confirm that the values meet the restrictions in the
permitted_key_purpose_ids and excluded_key_purpose_ids state
variables as follows:
(1) If permitted_key_purpose_ids state variable is not special
value that represents the universal set, then confirm that
all of the key purpose identifiers are present in the set.
If any are missing, then returning a failure indication and
an appropriate reason.
(2) If excluded_key_purpose_ids state variable is not empty,
then confirm that none of the key purpose identifiers are
present in the set. If any are present, then returning a
failure indication and an appropriate reason.
3.6. Outputs
No additional output values are returned.
Housley Expires 14 November 2016 [Page 4]
INTERNET-DRAFT EKU Constraints 13 May 2016
4. IANA Considerations
Please assign an object identifier for the certificate extension
specified in this document. Once the ASN.1 module is added, then an
object identifier for that will be needed too.
5. Security Considerations
TBD
6. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI
10.17487/RFC2119, March 1997, <http://www.rfc-
editor.org/info/rfc2119>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
Appendix: ASN.1 Module
TBD
Author's Address
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com
Housley Expires 14 November 2016 [Page 5]