Skip to main content

Hash Of Root Key Certificate Extension
draft-ietf-lamps-hash-of-root-key-cert-extn-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8649.
Author Russ Housley
Last updated 2018-09-04
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 8649 (Informational)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-lamps-hash-of-root-key-cert-extn-00
Network Working Group                                         R. Housley
Internet-Draft                                            Vigil Security
Intended status: Informational                           August 31, 2018
Expires: March 4, 2019

                 Hash Of Root Key Certificate Extension
             draft-ietf-lamps-hash-of-root-key-cert-extn-00

Abstract

   This document specifies the Hash Of Root Key certificate extension.
   This certificate extension is carried in the self-signed certificate
   for a trust anchor, which is often called a Root Certification
   Authority (CA) certificate.  This certificate extension unambiguously
   identifies the next public key that will be used by the trust anchor.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 4, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Housley                   Expires March 4, 2019                 [Page 1]
Internet-Draft         Hash Of Root Key Extension            August 2018

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Hash Of Root Key Certificate Extension  . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   This document specifies the Hash Of Root Key X.509 version 3
   certificate extension.  The extension is an optional addition to the
   Internet X.509 Public Key Infrastructure Certificate and Certificate
   Revocation List (CRL) Profile [RFC5280].  The certificate extension
   facilitates the orderly transition from one Root Certification
   Authority (CA) public key to the next.  It does so by publishing the
   hash value of the next generation public key in the current self-
   signed certificate.  This allows a relying party to unambiguously
   recognize the next generation public key when it becomes available.

   A Root CA Certificate MAY include the Hashed Root Key certificate
   extension to provide the hash value of the next public key that will
   be used by the Root CA.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  ASN.1

   Certificates [RFC5280] are generated using ASN.1 [X680], which uses
   the Basic Encoding Rules (BER) and the Distinguished Encoding Rules
   (DER) [X690].

Housley                   Expires March 4, 2019                 [Page 2]
Internet-Draft         Hash Of Root Key Extension            August 2018

2.  Overview

   Before the initial deployment of the Root CA, the following are
   generated:

      R1 = The initial Root key pair
      C1 = Self-signed certificate for R1, which also contains H2
      R2 = The second generation Root key pair
      H2 = Thumbprint (hash) of the public key of R2

   C1 is a self-signed certificate, and it contains H2 within the
   HashOfRootKey extension.  C1 is distributed as part of the initial
   the system deployment.  The HashOfRootKey certificate extension is
   described in Section 3.

   When the time comes to replace the initial Root CA certificate, R1,
   the following are generated:

      R3 = The third generation Root key pair
      H3 = Thumbprint (hash) the public key of R3
      C2 = Self-signed certificate for R2, which contains H3

   This is an iterative process.  That is, R4 and H4 are generated when
   it is time for C3 to replace C2.  And so on.

   The successors to the Root CA self-signed certificate can be
   delivered by any means.  Whenever a new Root CA certificate is
   received, the recipient is able to verify that the potential Root CA
   certificate chains back to a previously authenticated Root CA
   certificate with the hashOfRootKey certificate extension.  That is,
   validate the self-signed signature and verify that the hash of the
   DER-encoded SubjectPublicKeyInfo from the potential Root CA
   certificate matches the value from the HashOfRootKey certificate
   extension of the current Root CA certificate.  If the signature does
   not validate or the hash values do not match, then potential Root CA
   certificate is not a valid replacement, and the recipient continues
   to use the current Root CA certificate.

3.  Hash Of Root Key Certificate Extension

   The HashOfRootKey certificate extension MUST NOT be critical.

   The following ASN.1 [X680][X690] syntax defines the HashOfRootKey
   certificate extension:

Housley                   Expires March 4, 2019                 [Page 3]
Internet-Draft         Hash Of Root Key Extension            August 2018

   ext-HashOfRootKey EXTENSION ::= {    -- Only in Root CA certificates
      SYNTAX         HashedRootKey
      IDENTIFIED BY  id-ce-hashOfRootKey
      CRITICALITY    {FALSE} }

   HashedRootKey ::= SEQUENCE {
      hashAlg        AlgorithmIdentifier,  -- Hash algorithm used
      hashValue      OCTET STRING }        -- Hash of DER-encoded
                                           --   SubjectPublicKeyInfo

   id-ce-hashOfRootKey  ::=  OBJECT IDENTIFIER { 1 3 6 1 4 1 TBD 2 1 }

   The definitions of EXTENSION and HashAlgorithm can be found in
   [RFC5912].

   The hashAlg indicates the one-way hash algorithm that was used to
   compute the hash value.

   The hashValue contains the hash value computed from the next
   generation public key.  The public key is DER-encoded
   SubjectPublicKeyInfo as defined in [RFC5280].

4.  IANA Considerations

   This document makes no requests of the IANA.

5.  Security Considerations

   The security considerations from [RFC5280] apply, especially the
   discussion of self-issued certificates.

   The Hash Of Root Key certificate extension facilitates the orderly
   transition from one Root CA public key to the next by publishing the
   hash value of the next generation public key in the current
   certificate.  This allows a relying party to unambiguously recognize
   the next generation public key when it becomes available; however,
   the full public key is not disclosed until the Root CA releases the
   next generation certificate.  In this way, attackers cannot begin to
   analyze the public key before the next generation Root CA certificate
   is released.

   If an early release of the next generation public key occurs and the
   Root CA is concerned that attackers were given too much lead time to
   analyze that public key, then the Root CA can transition to a freshly
   generated key pair by rapidly performing two transitions.  The first
   transition takes the Root CA to the key pair that suffered the early
   release, and it causes the Root CA to generate the subsequent Root
   key pair.  The second transition occurs when the Root CA is confident

Housley                   Expires March 4, 2019                 [Page 4]
Internet-Draft         Hash Of Root Key Extension            August 2018

   that the population of relying parties have completed the first
   transition, and it takes the Root CA to the freshly generated key
   pair.  Of course, the second transition also causes the Root CA to
   generate the Root key pair for future use.

6.  Acknowledgements

   The Secure Electronic Transaction (SET) [SET] specification published
   by MasterCard and VISA in 1997 includes a very similar certificate
   extension.  The SET certificate extension has essentially the same
   semantics, but the syntax fairly different.

   CTIA - The Wireless Association is developing a public key
   infrastructure that will make use of the certificate extension
   described in this document.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010,
              <https://www.rfc-editor.org/info/rfc5912>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [X680]     ITU-T, "Information technology -- Abstract Syntax Notation
              One (ASN.1): Specification of basic notation",
              ITU-T Recommendation X.680, 2015.

   [X690]     ITU-T, "Information Technology -- ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, 2015.

Housley                   Expires March 4, 2019                 [Page 5]
Internet-Draft         Hash Of Root Key Extension            August 2018

7.2.  Informative References

   [SET]      MasterCard and VISA, "SET Secure Electronic Transaction
              Specification -- Book 2: Programmer's Guide, Version 1.0",
              May 1997.

Appendix A.  ASN.1 Module

   The following ASN.1 module provides the complete definition of the
   HashOfRootKey certificate extension.

Housley                   Expires March 4, 2019                 [Page 6]
Internet-Draft         Hash Of Root Key Extension            August 2018

   HashedRootKeyCertExtn { 1 3 6 1 4 1 51483 0 1 }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- EXPORTS All

   IMPORTS

   AlgorithmIdentifier{}, DIGEST-ALGORITHM
     FROM AlgorithmInformation-2009  -- [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-algorithmInformation-02(58) }

   EXTENSION
     FROM PKIX-CommonTypes-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkixCommon-02(57) } ;

   --
   -- Expand the certificate extensions list in [RFC5912]
   --

   CertExtensions EXTENSION ::= {
      ext-HashOfRootKey, ... }

   --
   -- HashOfRootKey Certificate Extension
   --

   ext-HashOfRootKey EXTENSION ::= {    -- Only in Root CA certificates
      SYNTAX         HashedRootKey
      IDENTIFIED BY  id-ce-hashOfRootKey
      CRITICALITY    {FALSE} }

   HashedRootKey  ::=  SEQUENCE {
      hashAlg        HashAlgorithmId,   -- Hash algorithm used
      hashValue      OCTET STRING }     -- Hash of DER-encoded
                                        --   SubjectPublicKeyInfo

   HashAlgorithmId  ::=  AlgorithmIdentifier {DIGEST-ALGORITHM,{ ... }}

   id-ce-hashOfRootKey OBJECT IDENTIFIER  ::=  { 1 3 6 1 4 1 51483 2 1 }

   END

Housley                   Expires March 4, 2019                 [Page 7]
Internet-Draft         Hash Of Root Key Extension            August 2018

Author's Address

   Russ Housley
   Vigil Security
   918 Spring Knoll Drive
   Herndon, VA  20170
   US

   Email: housley@vigilsec.com

Housley                   Expires March 4, 2019                 [Page 8]