Clarification to processing Key Usage values during CRL validation
draft-lamps-bonnell-keyusage-crl-validation-00

Document Type Active Internet-Draft (individual)
Authors Corey Bonnell , Tadahiko Ito , Tomofumi Okubo
Last updated 2024-01-05
RFC stream (None)
Intended RFC status (None)
Formats
txt html xml htmlized pdf bibtex bibxml
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
Email authors IPR References Referenced by Nits Search email archive
draft-lamps-bonnell-keyusage-crl-validation-00 
Network Working Group                                         C. Bonnell
Internet-Draft                                            DigiCert, Inc.
Updates: 5280 (if approved)                           伊藤 忠彦 (T. Ito)
Intended status: Standards Track                         SECOM CO., LTD.
Expires: 8 July 2024                              大久保 智史 (T. Okubo)
                                                          DigiCert, Inc.
                                                          5 January 2024

   Clarification to processing Key Usage values during CRL validation
             draft-lamps-bonnell-keyusage-crl-validation-00

Abstract

   RFC 5280 defines the profile of X.509 certificates and certificate
   revocation lists (CRLs) for use in the Internet.  This profile
   requires that certificates which certify keys for signing CRLs
   contain the key usage extension with the cRLSign bit asserted.
   Additionally, RFC 5280 defines steps for the validation of CRLs.
   While there is a requirement for CRL validators to verify that the
   cRLSign bit is asserted in the keyUsage extension of the CRL issuer's
   certificate, there is no requirement for validators to verify the
   presence of the keyUsage extension itself.  The lack of this
   requirement may manifest in an issue in some Public Key
   Infrastructures where a CRL issuer who has been certified by a
   Certification Authority to issue CRLs on its behalf can sign CRLs
   using a key that has not been certified for signing CRLs.

   This document specifies an enhancement to the CRL validation process
   to explicitly require the presence of the keyUsage extension to
   resolve this issue.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://CBonnell.github.io/lamps-keyusage-crl-validation-
   clarification/draft-lamps-bonnell-keyusage-crl-validation.html.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-lamps-bonnell-keyusage-crl-
   validation/.

   Source for this draft and an issue tracker can be found at
   https://github.com/CBonnell/lamps-keyusage-crl-validation-
   clarification.

Bonnell, et al.            Expires 8 July 2024                  [Page 1]
Internet-Draft        CRL validation clarification          January 2024

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 July 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  The risk of signing CRLs with non-certified keys  . . . . . .   3
   4.  Checking the presence of the keyUsage extension . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   6
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

Bonnell, et al.            Expires 8 July 2024                  [Page 2]
Internet-Draft        CRL validation clarification          January 2024

1.  Introduction

   [RFC5280] defines the profile of X.509 certificates and certificate
   revocation lists (CRLs) for use in the Internet.  This profile
   requires that certificates which certify keys for signing CRLs
   contain the keyUsage extension with the cRLSign bit asserted.
   Additionally, [RFC5280] defines steps for the validation of CRLs.
   While there is a requirement for CRL validators to verify that the
   cRLSign bit is asserted in the keyUsage extension of the CRL issuer's
   certificate, there is no requirement for validators to verify the
   presence of the key usage extension itself.  The lack of such a
   requirement may manifest in an issue in some Public Key
   Infrastructures where a CRL issuer who has been certified by a
   Certification Authority to issue CRLs on its behalf can sign CRLs
   using a key that has not been certified for signing CRLs.

   Section 3 describes the issue in detail.

   Section 4 describes the amended CRL validation algorithm that
   remediates the issue.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The risk of signing CRLs with non-certified keys

   In some Public Key Infrastructures, entities are delegated by
   Certification Authorities to issue CRLs.  CRLs whose scope
   encompasses certificates that have not been issued by the CRL issuer
   are known as "indirect CRLs".

   Certification Authorities delegate the issuance of CRLs to other
   entities by issuing to the entity a certificate that asserts the
   cRLSign bit in the keyUsage extension.  The Certification Authority
   will then issue certificates that fall within the scope of the
   indirect CRL by including the crlDistributionPoints extension and
   specifying the distinguished name ("DN") of the CRL issuer in the
   cRLIssuer field of the corresponding distribution point.

   The CRL issuer issues CRLs that assert the indirectCRL boolean within
   the issuingDistributionPoint extension.

Bonnell, et al.            Expires 8 July 2024                  [Page 3]
Internet-Draft        CRL validation clarification          January 2024

   Applications which consume CRLs follow the validation algorithm as
   specified in Section 6.3 of [RFC5280].  In particular, Section 6.3.3
   contains the following step for CRL validation:

      (f) Obtain and validate the certification path for the issuer of
      the complete CRL.  The trust anchor for the certification path
      MUST be the same as the trust anchor used to validate the target
      certificate.  If a keyUsage extension is present in the CRL
      issuer's certificate, verify that the cRLSign bit is set.

   Notably, there is no requirement for certificate-consuming
   applications to verify the presence of the keyUsage extension itself.

   Additionally, the certificate profile in [RFC5280] does not require
   the inclusion of the keyUsage extension in a certificate if the
   certified public key is not used for verifying the signatures of
   other certificates or CRLs.  Section 4.2.1.3 of [RFC5280] says:

      Conforming CAs MUST include this extension in certificates that
      contain public keys that are used to validate digital signatures
      on other public key certificates or CRLs.

   The allowance for the issuance of certificates without the keyUsage
   extension and the lack of a check for the inclusion of the keyUsage
   extension during CRL verification can manifest in a security issue.
   A concrete example is described below.

   1.  The Certification Authority issues an end-entity CRL issuer
       certificate to subject X that certifies key A for signing CRLs by
       explicitly including the keyUsage extension and asserting the
       cRLSign bit in accordance with Section 4.2.1.3 of [RFC5280].

   2.  The Certification Authority issues one or more certificates that
       include the crlDistributionPoints extension with the DN for
       subject X included in the cRLIssuer field.  This indicates that
       the CRL-based revocation information for these certificates will
       be provided by subject X.

   3.  The Certification Authority issues an end-entity certificate to
       subject X that certifies key B.  This certificate contains no key
       usage extension, as the certified key is not intended to be used
       for signing CRLs and could be a “mundane” certificate of any type
       (e.g., S/MIME, document signing certificate where the
       corresponding private key is stored on the filesystem of the
       secretary’s laptop, etc.).

Bonnell, et al.            Expires 8 July 2024                  [Page 4]
Internet-Draft        CRL validation clarification          January 2024

   4.  subject X signs a CRL using key B and publishes the CRL at the
       distributionPoint specified in the crlDistributionPoints
       extension of the certificates issued in step 2.

   5.  Relying parties download the CRL published in step 4.  The CRL
       validates successfully according to Section 6.3.3 of [RFC5280],
       as the CRL issuer DN matches, and the check for the presence of
       the cRLSign bit in the keyUsage extension is skipped because the
       keyUsage extension is absent.

4.  Checking the presence of the keyUsage extension

   To remediate the security issue described in Section 3, this document
   specifies the following amendment to step (f) of the CRL algorithm as
   found in Section 6.3.3 of [RFC5280].

   _OLD:_

      (f) Obtain and validate the certification path for the issuer of
      the complete CRL.  The trust anchor for the certification path
      MUST be the same as the trust anchor used to validate the target
      certificate.  If a keyUsage extension is present in the CRL
      issuer's certificate, verify that the cRLSign bit is set.

   _NEW:_

      (f) Obtain and validate the certification path for the issuer of
      the complete CRL.  The trust anchor for the certification path
      MUST be the same as the trust anchor used to validate the target
      certificate.  Verify that the keyUsage extension is present in the
      CRL issuer's certificate and verify that the cRLSign bit is set.

5.  Security Considerations

   If a Certification Authority has issued certificates to be used for
   CRL verification but do not include the keyUsage extension in
   accordance with Section 4.2.1.3 of [RFC5280], then relying party
   applications that have implemented the modified verification
   algorithm as specified in this document will be unable to verify CRLs
   issued by the CRL issuer in question.

   It is strongly RECOMMENDED that Certification Authorities include the
   keyUsage extension in certificates to be used for CRL verification to
   ensure that there are no interoperability issues where updated
   applications are unable to verify CRLs.

Bonnell, et al.            Expires 8 July 2024                  [Page 5]
Internet-Draft        CRL validation clarification          January 2024

   If it is not possible to update the profile of CRL issuer
   certificates, then the policy management authority of the affected
   Public Key Infrastructure SHOULD update the subject naming
   requirements to ensure that certificates to be used for different
   purposes contain unique DNs.

6.  IANA Considerations

   This document has no IANA actions.

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Corey Bonnell
   DigiCert, Inc.
   Email: corey.bonnell@digicert.com

   Tadahiko Ito
   SECOM CO., LTD.
   Email: tadahiko.ito.public@gmail.com

   Additional contact information:

      伊藤 忠彦
      SECOM CO., LTD.

Bonnell, et al.            Expires 8 July 2024                  [Page 6]
Internet-Draft        CRL validation clarification          January 2024

   Tomofumi Okubo
   DigiCert, Inc.
   Email: tomofumi.okubo+ietf@gmail.com

   Additional contact information:

      大久保 智史
      DigiCert, Inc.

Bonnell, et al.            Expires 8 July 2024                  [Page 7]