CORE                                                          T. Fossati
Internet-Draft                                                     Nokia
Intended status: Standards Track                           H. Tschofenig
Expires: September 1, 2016                                      ARM Ltd.
                                                       February 29, 2016

          Introducing Server Name Identifiers in Certificates



Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 1, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Fossati & Tschofenig    Expires September 1, 2016               [Page 1]

Internet-Draft            SN-ID in Certificates            February 2016

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology and Requirements Language . . . . . . . . . . . .   3
   3.  Syntax  . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Server Name Indication (SNI) Name Type and Server Name Syntax   4
   5.  Subject Alternative Name Extension  . . . . . . . . . . . . .   4
   6.  Client Behaviour  . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Server Behaviour  . . . . . . . . . . . . . . . . . . . . . .   5
   8.  Example . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   10. Security Considerations . . . . . . . . . . . . . . . . . . .   8
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     12.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     12.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Today, many Internet of Things (IoT) deployments consist of an IoT
   device that interacts with a cloud service infrastructure.  (This
   deployment model is described in Section 2.2 of [RFC7452].)  If TLS/
   DTLS is used to mutually authenticate the device and the cloud
   server, then the guidance in [I-D.ietf-dice-profile] - which, in
   turn, takes [RFC7252] recommendations into account - should be

   Let us take the CoAP protocol as an example.  According to
   Section of [RFC7252], a DTLS client that receives a
   certificate from the DTLS server must check that the authority of the
   requested URI matches "at least one of the authorities of any CoAP
   URI found in a field of URI type in the SubjectAltName (SAN) set.  If
   there is no SubjectAltName in the certificate, then the authority of
   the request URI must match the Common Name (CN) found in the
   certificate [...].".  A URI that includes an authority, such as a
   'coaps' URI, needs to include a fully qualified domain name (FQDN),
   or an IP literal as its host part, as stated in Section of
   [RFC5280].  So, an IoT device that wants to talk to a CoAP server at
   coaps:// will expect to receive a certificate with a
   matching URI in either the content of the SAN extension or the CN.

   The Server Name Indication (SNI) extension [RFC6066] defined for TLS/
   DTLS allows a client to tell a server the name of the server it is
   contacting.  This is a feature useful when the server is part of a
   hosting solution where multiple virtual servers are using a single
   underlying network address.  Section 3 of [RFC6066] only allows FQDN
   hostname of the server in the ServerName field.

Fossati & Tschofenig    Expires September 1, 2016               [Page 2]

Internet-Draft            SN-ID in Certificates            February 2016

   When a TLS/DTLS server has an FQDN registered in the DNS then the use
   of certificates work well with TLS/DTLS to secure protocols like HTTP
   or CoAP.  While the DNS can be taken for granted in the Web, many IoT
   deployments do not mandate its presence.  There are even IoT
   deployments where the server infrastructure is located in a
   residential environment in which IoT devices interact with the server
   solely in the local network (see also Section 2.1 of [RFC7452]).

   Since static configuration is not generally a viable option from a
   usability point of view, in order to cope with scenarios like the one
   described above there is a need to define some kind of stable, non-
   DNS-based identifier that can be used with certificates.  Note that
   an alternative is to avoid using certificates altogether and to
   instead use raw public keys.  With raw public keys, the raw public
   key itself is the identifier and some out-of-band validation
   technique is needed instead, as described in RFC 7250 [RFC7250].

   This document specifies such identifiers for use with certificates.

2.  Terminology and Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

3.  Syntax

   [Editor's Note: This is a strawman proposal for the identifier

   This section defines the syntax for the instance and the domain
   component, which are separated by the "@" sign.  The structure for
   the name and the domain component are determined by the namespace
   prefix.  We call this new construct the 'Server Name Identifier' (SN-

   The following ABNF reuses ALPHA and DIGIT from [RFC5234].

               char = ALPHA / DIGIT / "-" / "_" / "~" / "!" /
                         "$" / "&" / "'" / "(" / ")" / "*" /
                         "," / ";" / "="
               ns = ALPHA *(ALPHA / DIGIT / "-")
               name = 1*RD-char
               domain = 1*63RD-char
               authority = [ ns "." ] name [ "@" domain ]

   Note that the "@" and the "." signs are illegal characters in the
   name and the ns components.

Fossati & Tschofenig    Expires September 1, 2016               [Page 3]

Internet-Draft            SN-ID in Certificates            February 2016

   Here are some examples:

   o  eui64.01-23-45-67-89-ab-cd-ef

   o  imei.+123456789012345

   o  uuid.84c05e54-1d3c-48b6-bf12-c11c55f8fdac@foo

4.  Server Name Indication (SNI) Name Type and Server Name Syntax

   In order to encode the SN-ID in a ServerNameList, the extension_data
   field of the server_name extension is expanded to allow the SN-ID in
   a ServerName extension:

                    struct {
                        NameType name_type;
                        select (name_type) {
                            case host_name: HostName;
                            case sn_id: AuthorityType;
                        } name;
                    } ServerName;

                    enum {
                    } NameType;

                    opaque AuthorityType<1..2^16-1>;

   AuthorityType, the data structure associated with the authority
   declaration, is a variable-length vector that begins with a 16-bit
   length field indicating the length of the following authority.  The
   value in the authority field is represented as a byte string using
   ASCII encoding.  It MUST NOT contain any percent-encoded character
   other than for those characters not explicitly allowed by the grammar
   in Section 3.

5.  Subject Alternative Name Extension

   As described in RFC 5280 [RFC5280] the subjectAltName may carry
   additional name types through the use of the otherName field.  The
   format and semantics of the name are indicated through the OBJECT
   IDENTIFIER in the type-id field.  The name itself is conveyed as
   value field in otherName.  This document defines a new value for the
   type-id field.

Fossati & Tschofenig    Expires September 1, 2016               [Page 4]

Internet-Draft            SN-ID in Certificates            February 2016

   This section defines the SN-ID as a form of otherName from the
   GeneralName structure in SubjectAltName defined in [RFC5280].

          id-sn-id OBJECT IDENTIFIER ::= { id-pkix id-sn-id(TODO) }

   An X.509 server certificate intended to be used with this
   specification MUST contain an otherName SAN identified using a type-
   id of 'id-sn-id-san'.

             id-sn-id-san OBJECT IDENTIFIER ::= { id-sn-id 2 }

   The value field of the otherName MUST contain the SN-ID, as described
   in Section 3, encoded as a IA5String.

6.  Client Behaviour

   TLS/DTLS clients behave as follows:

   1)  Clients MAY include an extension of type "server_name" in the
       (extended) client hello.  A client supporting this specification
       MAY include one (and one only) ServerName element conveying the

   2)  Process the Certificate message, verify the digitial signature
       and perform path validation (as described in Section 3.2 of RFC

   3)  Verify that the intended server name is indeed one of the
       identities bound to the presented certificate, by checking that
       the name in the SAN otherName of type id-sn-id-san matches the
       authority requested via server_name.

   4)  Upon receiving the CertificateRequest message, send the
       certificate via a Certificate message - or CertificateURL
       message, if the client_certificate_url extension has been
       successfully negotiated during the "hello" exchange.

   5)  Send ClientKeyExchange and then CertificateVerify to complete the
       mutual authentication process.

7.  Server Behaviour

   TLS/DTLS servers behave as follows:

   1)  A server receiving the extended ClientHello carrying a
       server_name extension uses the given server_name (with the
       included SN-ID) to select the appropriate certificate.  The
       selected certificate MUST include a SAN otherName with an id-sn-

Fossati & Tschofenig    Expires September 1, 2016               [Page 5]

Internet-Draft            SN-ID in Certificates            February 2016

       id-san type-id and value, which MUST match the requested

       a)  If no certificate can be selected, the server MUST terminate
           the handshake by sending a fatal-level unrecognized_name(112)
           alert.  [[CREF1: Prefer a single, hard failure, path over
           soft failure, or worse: ignoring the error altogether.
           Rationale: do not waste time/energy; provide clear and prompt
           diagnostic to the peer.  It doesn't look like the condition
           that could be exploited by a timing attack.]]

       b)  If a matching certificate exist, the server SHALL include an
           extension of type "server_name" in the (extended) ServerHello
           message with an empty value.

   2)  The server MUST send the selected certificate to the client in
       the Certificate message.

   3)  Server MAY request a client certificate via a CertificateRequest
       message and conclude its negotiation with a ServerHelloDone

   4)  When server receives the Certificate message from the client it
       MUST process the Certificate message, verify the digitial
       signature of the certificate and perform path validation (as
       described in Section 3.2 of RFC 5280).

       a)  If the client certificate processing fails then the server
           MUST tear down the exchange.

       b)  If the client certificate processing is successful then the
           server finalizes the TLS handshake.

   5)  The server application running on top of the TLS/DTLS stack MUST
       check the included client identity against the access control
       policy at the server.  It is important to note that this
       verification check is done outside the TLS/DTLS stack; failure to
       do it at the application layer may result in unauthorized access.

8.  Example

   In this section we discuss a more complete scenario where the
   mechanism described in this document is practical.  Consider the
   following setup where IoT devices are located in a small home network
   with a Resource Directory (RD) [I-D.ietf-core-resource-directory]
   helping with discovery.

Fossati & Tschofenig    Expires September 1, 2016               [Page 6]

Internet-Draft            SN-ID in Certificates            February 2016

   A resource directory is an entity that acts as a centralized store
   where protocol endpoints can register their resources and thereby
   make them available to others.  Other devices subsequently use the
   resource directory to lookup devices and their resources.

   The RD defines the concept of an "endpoint name" which identifies a
   given endpoint within a "domain".  Endpoint (EP) is a term used to
   describe a web server or client in [RFC7252].  In the context of
   [I-D.ietf-core-resource-directory] an endpoint is used to describe a
   web server that registers resources to the resource directory.  An
   endpoint is identified by its endpoint name, which is included during
   registration, and is unique within the associated domain of the

   Imagine various IoT devices registering their resources with the pre-
   configured RD (or dynamically discoverd RD).  Section 5.2 of
   [I-D.ietf-core-resource-directory] contains a description of
   registration procedure using CoAP and offers examples.  The resource
   server stores, among other things, the endpoint name and (optionally)
   a domain.

   Once the resources are registered nodes may use the resource
   directory to discover the resources offered by others.  Section 7 of
   [I-D.ietf-core-resource-directory] describes the discovery procedure
   and lists examples.  A node may, for example, search for resources of
   type 'temperature' and learns the network addresses of the nodes
   hosting those resources as well as their endpoint name (and, if
   available, their domain).

   Once the network address has been obtained, direct communication
   between the two entities can be initiated.  During the subsequent
   DTLS exchange to secure CoAP the server hosting the resources offers
   his certificates and the client executes the steps outlined in
   Section 6 to match the endpoint name (and optionally the domain)
   learned through the resource directory with the SN-ID provided in the
   server certificate.  Note that it is not envisioned that the client
   compares the input to the discovery procedure with the SN-ID.  In
   this example the input to the discovery procedure with the resource
   directory was the resource type, i.e., the 'temperature' string.  It
   is therefore assumed that the client trusts the resource directory to
   return genuine mappings from abstract search terms to specific
   servers hosting those resources.

9.  IANA Considerations

   TBD: This document requires registration of various identifiers into
   existing registries,namely

Fossati & Tschofenig    Expires September 1, 2016               [Page 7]

Internet-Draft            SN-ID in Certificates            February 2016

   o  id-sn-id

   o  OtherName.type-id::id-sn-id-san

   o  NameType::sn-id


10.  Security Considerations

   It's the responsibility of the CA issuing the certificate to verify
   the content of the certificate before issuing a new certificate.  In
   particular, the CA MUST ensure uniqueness of the issued certificates
   and that the included SN-ID is indeed correct.  This should exclude
   the threat of a (possibly rogue) node to successfully impersonate
   another node's identity.

   Security considerations from Section 11.1 of [RFC6066] fully apply.

11.  Acknowledgements

   We would like to thank Martin Thomson, Carsten Bormann, Andrew
   McGregor, and Zach Shelby for their feedback during IETF 92.

12.  References

12.1.  Normative References

              Shelby, Z. and C. Bormann, "CoRE Resource Directory",
              draft-ietf-core-resource-directory-02 (work in progress),
              November 2014.

              Tschofenig, H. and T. Fossati, "TLS/DTLS Profiles for the
              Internet of Things", draft-ietf-dice-profile-17 (work in
              progress), October 2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
              RFC2119, March 1997,

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/
              RFC5234, January 2008,

Fossati & Tschofenig    Expires September 1, 2016               [Page 8]

Internet-Draft            SN-ID in Certificates            February 2016

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066, DOI
              10.17487/RFC6066, January 2011,

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, DOI 10.17487/
              RFC7252, June 2014,

12.2.  Informative References

   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
              Weiler, S., and T. Kivinen, "Using Raw Public Keys in
              Transport Layer Security (TLS) and Datagram Transport
              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
              June 2014, <>.

   [RFC7452]  Tschofenig, H., Arkko, J., Thaler, D., and D. McPherson,
              "Architectural Considerations in Smart Object Networking",
              RFC 7452, DOI 10.17487/RFC7452, March 2015,

Authors' Addresses

   Thomas Fossati
   3 Ely Road
   Milton, Cambridge  CB24 6DD
   Great Britain


   Hannes Tschofenig
   ARM Ltd.
   110 Fulbourn Rd
   Cambridge  CB1 9NJ
   Great Britain


Fossati & Tschofenig    Expires September 1, 2016               [Page 9]