External Keys And Signatures For Use In Internet PKI
draft-ounsworth-pq-external-pubkeys-00

Document Type Active Internet-Draft (individual)
Authors Mike Ounsworth  , Markku-Juhani Saarinen 
Last updated 2021-03-24
Stream (None)
Intended RFC status (None)
Formats plain text xml pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
LAMPS                                                       M. Ounsworth
Internet-Draft                                                   Entrust
Updates: {"RFC5280"=>nil} (if approved)                      M. Saarinen
Intended status: Standards Track                                PQShield
Expires: September 22, 2021                               March 21, 2021

          External Keys And Signatures For Use In Internet PKI
                 draft-ounsworth-pq-external-pubkeys-00

Abstract

   Many of the post quantum cryptographic algorithms have either large
   public keys or signatures.  In the interest of reducing bandwidth of
   transitting X.509 certificates, this document defines new public key
   and signature algorithms for referencing external public key and
   signature data by hash, URL, etc.  This mechanism is designed to
   mimic the behaviour of an Authority Information Access extension.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 22, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Ounsworth & Saarinen   Expires September 22, 2021               [Page 1]
Internet-Draft           External keys and sigs               March 2021

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  External Value  . . . . . . . . . . . . . . . . . . . . . . .   2
     2.1.  External Public Key . . . . . . . . . . . . . . . . . . .   3
     2.2.  External Signature  . . . . . . . . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
     4.1.  CSRs and CT logs  . . . . . . . . . . . . . . . . . . . .   3
   5.  Appendices  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   4
     5.2.  Intellectual Property Considerations  . . . . . . . . . .   4
   6.  Contributors and Acknowledgements . . . . . . . . . . . . . .   4
     6.1.  Making contributions  . . . . . . . . . . . . . . . . . .   4
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

2.  External Value

   The id-external-value algorithm identifier is used for identifying a
   public key or signature which is provided as a reference to external
   data.

   id-external-value ::= < OID >

   The corresponding subjectPublicKey is the DER encoding of the
   following structure:

   ExternalValue ::= SEQUENCE {
     location     GeneralName,
     hashAlg      AlgorithmIdentifier,
     hashVal      BIT STRING
   }

   Upon retrieval of the referenced data, the hash of the OCTET STRING
   of the retrieved data (removing base64 encoding as per [RFC4648] if
   necessary) MUST be verified using hashAlg to match the
   ExternalPublicKey.hash value.

Ounsworth & Saarinen   Expires September 22, 2021               [Page 2]
Internet-Draft           External keys and sigs               March 2021

2.1.  External Public Key

   When used with a public key, algorithm parameters for id-external-
   value are absent.

   When ExternalValue is placed into a
   SubjectPublicKeyInfo.subjectPublicKey, the ExternalValue.location
   MUST refer to a DER-encoded SubjectPublicKeyInfo, which MAY be base64
   encoded as per [RFC4648] for easier transport over text protocols.

2.2.  External Signature

   When used with a signatureAlgorithm, algorithm parameters are to
   contain the AlgorithmIdentifier of the signature that is being
   externalized.

   When ExternalValue is placed into a signatureValue, the location MUST
Show full document text