External Keys For Use In Internet X.509 Certificates
draft-ounsworth-lamps-pq-external-pubkeys-03
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Mike Ounsworth , Markku-Juhani O. Saarinen , John Gray , D. Hook | ||
| Last updated | 2024-04-02 | ||
| Replaces | draft-ounsworth-pq-external-pubkeys | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ounsworth-lamps-pq-external-pubkeys-03
LAMPS M. Ounsworth
Internet-Draft Entrust
Updates: {"RFC5280"=>nil} (if approved) M.-J. O. Saarinen
Intended status: Standards Track PQShield
Expires: 5 October 2024 J. Gray
Entrust
D. Hook
KeyFactor
3 April 2024
External Keys For Use In Internet X.509 Certificates
draft-ounsworth-lamps-pq-external-pubkeys-03
Abstract
Many of the post quantum cryptographic algorithms have large public
keys. In the interest of reducing bandwidth of transitting X.509
certificates, this document defines new public key and algorithms for
referencing external public key data by hash, and location, for
example URL. This mechanism is designed to mimic the behaviour of an
Authority Information Access extension.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://EntrustCorporation.github.io/draft-pq-external-pubkeys/draft-
ounsworth-pq-external-pubkeys.html. Status information for this
document may be found at https://datatracker.ietf.org/doc/draft-
ounsworth-lamps-pq-external-pubkeys/.
Source for this draft and an issue tracker can be found at
https://github.com/EntrustCorporation/draft-pq-external-pubkeys.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Ounsworth, et al. Expires 5 October 2024 [Page 1]
Internet-Draft External X.509 Keys April 2024
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 5 October 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. External Value . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. External Public Key . . . . . . . . . . . . . . . . . . . 3
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
3.1. Module Registration - SMI Security for PKIX Module
Identifier . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.1. Object Identifier Registrations - SMI Security for PKIX
Algorithms . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
4.1. CSRs and CT logs . . . . . . . . . . . . . . . . . . . . 4
5. Appendices . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 5
5.2. Samples . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.3. Intellectual Property Considerations . . . . . . . . . . 9
6. Contributors and Acknowledgements . . . . . . . . . . . . . . 9
6.1. Making contributions . . . . . . . . . . . . . . . . . . 9
7. Normative References . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Ounsworth, et al. Expires 5 October 2024 [Page 2]
Internet-Draft External X.509 Keys April 2024
2. External Value
The id-external-value algorithm identifier is used for identifying a
public key or signature which is provided as a reference to external
data.
id-external-value OBJECT IDENTIFIER ::= { iso(1)
identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) algorithms(6)
TBDOID }
EDNOTE: for prototyping purposes, id-external-value ::=
1.3.6.1.4.1.22554.4.2
The corresponding subjectPublicKey is the DER encoding of the
following structure:
ExternalValue ::= SEQUENCE {
location GeneralNames,
hashAlg AlgorithmIdentifier,
hashVal OCTET STRING
}
Upon retrieval of the referenced data, the hash of the OCTET STRING
of the retrieved data (removing base64 encoding as per [RFC4648] if
necessary) MUST be verified using hashAlg to match the
ExternalPublicKey.hash value.
GeneralNames is defined in [RFC5280] as
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
which we use instead of GeneralName so that certificate issuers can
specify multiple backup key servers for high availability or specify
key identifiers in multiple formats if the corresponding public keys
will be distributed in multiple keystore formats. When multiple key
locations are specified, they MUST represent alternative locations
for retrieval of the same key and MUST NOT be used as a mechanism to
place multiple subject keys into a single certificate. Thus, when
multiple key locations are specified, the client MAY try them in any
order and stop when it successfully retrieves a public key whose hash
matches hashVal.
2.1. External Public Key
When used with a public key, algorithm parameters for id-external-
value are absent.
Ounsworth, et al. Expires 5 October 2024 [Page 3]
Internet-Draft External X.509 Keys April 2024
When ExternalValue is placed into a
SubjectPublicKeyInfo.subjectPublicKey, the ExternalValue.location
MUST refer to a DER-encoded SubjectPublicKeyInfo, which MAY be base64
encoded as per [RFC4648] for easier transport over text protocols.
3. IANA Considerations
## Object Identifier Allocations
3.1. Module Registration - SMI Security for PKIX Module Identifier
* Decimal: IANA Assigned - *Replace TBDMOD*
* Description: EXTERNAL-PUBKEY-2023 - id-mod-external-pubkey
* References: This Document
3.1.1. Object Identifier Registrations - SMI Security for PKIX
Algorithms
* Attest Statement
- Decimal: IANA Assigned - Replace *TBDOID*
- Description: id-external-value
- References: This Document
4. Security Considerations
There are no security implications to externalizing a public key from
a certificate as described in this draft. It is of course possible
for a malicious actor to replace or tamper with the public key data
at the referenced location, but since the hash of the public key data
is included in the signed certificate, any such tampering will be
detected and the certificate verification will fail. For this
reason, external public key data MAY be served over an insecure
channel such as HTTP.
4.1. CSRs and CT logs
In practice, situations will arise where the
ExternalPublicKey.location refers to a location which is not publicly
available either because it is in a local keystore, on a private
network, or no longer being hosted.
Ounsworth, et al. Expires 5 October 2024 [Page 4]
Internet-Draft External X.509 Keys April 2024
Not having the public key in a certificate signing request (CSR)
could make it substantially harder for CAs to perform vetting of the
key, for example for cryptographic strength or checking for prior
revocation due to key compromise. A certificate requester MUST make
the full public key available to the CA at the time of certificate
request either by ensuring that the link in the
ExternalPublicKey.location is visible to the CA, or by supplying the
full public key to the CA out of band.
Not having the public key in Certificate Transparency (CT) logs could
make it substantially harder for researchers to perform auditing
tasks on CT logs. This may require additional CT mechanisms.
5. Appendices
5.1. ASN.1 Module
Ounsworth, et al. Expires 5 October 2024 [Page 5]
Internet-Draft External X.509 Keys April 2024
EXTERNAL-PUBKEY-2023
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-external-pubkey(TBDMOD)}
DEFINITIONS IMPLICIT TAGS ::= BEGIN
EXPORTS ALL;
IMPORTS
GeneralNames
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
AlgorithmIdentifier{}
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
;
id-external-value OBJECT IDENTIFIER ::= { iso(1)
identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) algorithms(6)
TBDOID }
ExternalValue ::= SEQUENCE {
location GeneralNames,
hashAlg AlgorithmIdentifier,
hashVal OCTET STRING
}
END
5.2. Samples
Here is a sample of a Kyber1024 end entity certificate with an
external public key. A trust anchor certificate using the algorithm
ecdsaWithSHA256 is provided so that the Kyber1024 End Entity
certificate can be verified.
Ounsworth, et al. Expires 5 October 2024 [Page 6]
Internet-Draft External X.509 Keys April 2024
This is a modest example demonstrating a 550 byte Kyber1024
certificate and a 2.2 kb external Kyber1024 public key. This
"compression" effect will be even more pronounced with algorithms
such as Classic McEliece which have public keys in the hundreds of
kilobytes; with the external public key mechanism, the size of the
certificate remains constant regardless of how large the externalized
subject public key is.
End entity Kyber1024 Certificate with ExternalValue public key:
-----BEGIN CERTIFICATE-----
MIIBbDCCARGgAwIBAgIGAYro4QFGMAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT
IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X
DTIzMTAwMTAxMzYxNFoXDTI0MDEwOTAxMzYxNFowHTEbMBkGA1UEAwwSRXRoZWwg
dGhlIEFhcmR2YXJrMGkwDAYKKwYBBAGBsBoEAgNZADBWMCWGI2ZpbGU6Ly9sb2Nh
bF9rZXlzZXJ2ZXIvc3VydmV5b3JzLmRiMAsGCWCGSAFlAwQCAQQg0K1P456WkMCO
RxsGOm271ynblXxFCgkTDI78by/RRJCjEDAOMAwGA1UdEwEB/wQCMAAwCgYIKoZI
zj0EAwIDSQAwRgIhANqC6ZVDVrgaFFPxJcnhJO6kRGU9dHv5vRDcf2paXxSfAiEA
2s/xoctsB1oCisbjK9HCUw/rzXoVKhkt1ZEXuapJYCk=
-----END CERTIFICATE-----
For illustrative purposes, the SubjectPublicKeyInfo within the end
entity certificate decodes as:
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE (2 elem)
algorithm AlgorithmIdentifier SEQUENCE (1 elem)
algorithm OBJECT IDENTIFIER 1.3.6.1.4.1.22554.4.2 ExternalValue
subjectPublicKey BIT STRING (704 bit)
SEQUENCE (3 elem)
SEQUENCE (1 elem)
[6] (35 byte) file://local_keyserver/surveyors.db
SEQUENCE (1 elem)
OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256
OCTET STRING (32 byte) D0AD4FE39E9690C08E4...
The external public key object referenced by the end entity
certificate is:
Ounsworth, et al. Expires 5 October 2024 [Page 7]
Internet-Draft External X.509 Keys April 2024
-----BEGIN PUBLIC KEY-----
MIIGNDANBgsrBgEEAYGwGgUGAwOCBiEAPEFAYjZ9CljJTDJiJcKBIVCH6Clk3DDA
ybVRPdsXT6An/mAzlVPHjRtginkcrKIlgRq7lhyoyjVmqkqso1wQGON2vZYM8rwU
UZFyGUcwykY2bLWJypBvopmUDGumCnARrNqcqRS4zHokOFWZXqcxnVx8DvZsoDc4
LNIEALKh6vFVx1hZ6txEKtxqxrbC1PGsZ4Z1Z9VY3tB/YJkVKmDLqxcrmwFyAHki
CEtoaqSxkdB9cBPIlegidjQJS6EqO8aztxu4yWax/jbFu6FOC1cJS2KsBNOjAZvE
cMhQIGK0R2a6/tGk6TZBHZtHdlYX6udW5OEnW3Aj49On6cMT2ZMx/vlpsTu0DSoX
lvlJjyiWKxalCNQOGcdMLKNaCOk8NmxLsVdck6WtexiRC6WhccaVR0SZoeO4DBBv
O7C8mbOrXyyngGmiplNr6oJaY5JbLTMaCsJhiNxvdmLAtxy8EcpRV1FmMkOtqdKX
FvCwOwxfRGtxDPlOmAE6AqiZfpdmGAGax5XBbQkK5TDErHIidLbGf3IcQzSBOyFw
HPLG+lXGiZRFBFsmioikpjO0K+jKkWJPFNcb0SOYcktgMxGxZeMpQHHDpSeyn7GM
uCwVr1BFW8x3S3y+AgMLgEZT3HIPyyljDNwBC1U15sES0zgpV1vB5neQMeBU98AP
VpFYJDVDhBJgS4qmJfh1aFuQn3HPT8BQYkzBnve36sKKDhmIAYACyEsMKWJZyhix
dkUH4ls4v+o6MrEoLFZZKuNzowNujlq882NeG/a5GCYTN6gp+PVAh5KbHad9Miic
+GJKlMPOsJUxzZGEw8iAoBQCZ9dSHdhSDiSPxTsoOso1qyx8dWdJh5AfmQAK7AWi
sZh054M67rtaTcpLVbqK8DJiFLsItNhu0JsuUpNNy+RxhUC6TiecgkYWPCtnWMuT
/iFghcTLckzO+RrGAedklNEJ7BM8lkq/qLMXqfmu4/aV1OVVpxuyt/YSc1kOPSpS
cYTC5gGx85NWpEqmmuUIi/OslEcCeLNl0GgyvFSxncR4eVQ0LDxj1TbOk9t5GVE8
3IDMZxioK5spypm4jKRFqeRKBWKtzCZCm2MciKtEAZUXOSk7qOl8Sig9TeVUg5LP
YqmZKCoHeBiKjjlnHxQ5aEM7Dfk8HaWl2IghOXdizPi15XFmrhfLqJijyDQq8xts
ibR0yBNXc7BGkjGzTLgAe4UZZncvYFsKjehM1umfpNu1vztnpEt35lWc6UIYezvJ
CDBGWdqAJEFJBflwzpgvF2lTIumTTVazePsCAAg38mg1qprFCNcikcmn0PuwUHmS
Iza1c9UX/HK4QENt9CyLnKl0vmPEtPWOuvge9Belc9KUibHHBCI24Mg6AbYv2dLO
7ZEBj6krLpUkkEtGTke5zVwRdFMK6+kP4FG9CpVfqNpC7sO0mACkeAMZSiAderS3
MgaiH1RpkGkM11kG/IM6U3vAPMAgO4xHM4fB3Wgf5reBC8ZRR5liYGSDZ9KOHrkw
ISZXNaEYLJFBVXd5g/KrsxQ5AWKxqPsMFMW6+Ih3onQ8R5kIkbxM6/U72nmKOAC+
9bQuCLBqIJo3GFM087B+LmIW5ZJ6FVV9vSIvaDhrBJiHwQSGsssT+2CntGE+aDxh
MaVAuLlijgSerBcHkOKhQFAXIKehOENcMfxIW0w4CBCVQrxbUpIiAvpjL0nNUoej
GngA+euFD4ZESMzP1UICokOyZRS6VpSQn9ozfDxMxlBPt/M6zwOGt0W9jhacjrIs
IyxB3Dm93ysDnaRRmtOWgAAB80ZKNRBp28uWtUbJYzermLmUNQsWK6I5P2y8JogB
3htoryUSduEXYOeAVTCYnmgf3yJswznFPNhGZpNoJ2NnJuKHS7o0OCVRpbuRXMOh
TcMNFyc8+8y//Lpu38kDC1fPK6pW9UVhbKRGFAQWpKonWzDGaeihoDQcP1RD8VUv
Y2w4MoOpNkdsDgEmoGkv+1EiwLSbThpes1wGa/kx7ihwbAYvuOjFGZIU4Dp+rjJ1
Unk1erFIlayhGOAr5fWaeNOV3QUK9aSPyVV5YRDXZRKJbaJXDla8JLDOCKeO4aV6
JHIT3nFqKNQ=
-----END PUBLIC KEY-----
For illustrative purposes, the key data, which is itself a
SubjectPublicKeyInfo, decodes as:
SEQUENCE (2 elem)
SEQUENCE (1 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.22554.5.6.3 Kyber1024
BIT STRING (12544 bit) 001111000100000101000
The following trust anchor certificate can be used to validate the
above end entity certificate.
Ounsworth, et al. Expires 5 October 2024 [Page 8]
Internet-Draft External X.509 Keys April 2024
-----BEGIN CERTIFICATE-----
MIIBfTCCASSgAwIBAgIGAYro4QBFMAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT
IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X
DTIzMTAwMTAxMzYxNFoXDTI0MDEwOTAxMzYxNFowOjEOMAwGA1UEAwwFUVMgQ0Ex
GzAZBgNVBAoMElF1YW50aXR5IFN1cnZleW9yczELMAkGA1UEBhMCWFgwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAASZNnsQba2aDhAfhCTE670YBBvGfo7cU69VR2I+
NQt321Feh+Au0/S+RobWtyx6JnFnAb/Y00YhQdA1liz0i4lFoxYwFDASBgNVHRMB
Af8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0cAMEQCIHV0TdjJm9vCn3k93xhTXMQ0
D8tQuzXJtFXNGtKk8OQQAiBn8yKLzreor7QrdGUHCH7g0kaDcyI4xXn95aPjgi/V
NA==
-----END CERTIFICATE-----
5.3. Intellectual Property Considerations
None.
6. Contributors and Acknowledgements
This document incorporates contributions and comments from a large
group of experts. The Editors would especially like to acknowledge
the expertise and tireless dedication of the following people, who
attended many long meetings and generated millions of bytes of
electronic mail and VOIP traffic over the past year in pursuit of
this document:
Serge Mister (Entrust).
We are grateful to all, including any contributors who may have been
inadvertently omitted from this list.
This document borrows text from similar documents, including those
referenced below. Thanks go to the authors of those documents.
"Copying always makes things easier and less error prone" -
[RFC8411].
6.1. Making contributions
Additional contributions to this draft are welcome. Please see the
working copy of this draft at, as well as open issues at:
https://github.com/EntrustCorporation/draft-ounsworth-pq-external-
keys
7. Normative References
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/rfc/rfc4648>.
Ounsworth, et al. Expires 5 October 2024 [Page 9]
Internet-Draft External X.509 Keys April 2024
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/rfc/rfc5280>.
[RFC8411] Schaad, J. and R. Andrews, "IANA Registration for the
Cryptographic Algorithm Object Identifier Range",
RFC 8411, DOI 10.17487/RFC8411, August 2018,
<https://www.rfc-editor.org/rfc/rfc8411>.
Authors' Addresses
Mike Ounsworth
Entrust Limited
1000 Innovation Drive
Ottawa, Ontario K2K 1E3
Canada
Email: mike.ounsworth@entrust.com
Markku-Juhani O. Saarinen
PQShield
Email: mjos@pqshield.com
J. Gray
Entrust
Email: john.gray@entrust.com
D. Hook
KeyFactor
Email: david.hook@keyfactor.com
Ounsworth, et al. Expires 5 October 2024 [Page 10]