Network Working Group                                         S. Leonard
Internet-Draft                                             Penango, Inc.
Updates: 2585 (if approved)                            November 12, 2014
Intended status: Standards Track
Expires: May 16, 2015

   URI Fragment Identifiers for the application/pkix-cert Media Type


   This memo describes Uniform Resource Identifier (URI) fragment
   identifiers for PKIX certificates, which are identified with the
   Internet media type application/pkix-cert.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 16, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Leonard                   Expires May 16, 2015                  [Page 1]

Internet-Draft                  certfrag                   November 2014

1.  Fragment

   A digital certificate [RFC5280] comprises parts that are of interest
   to particular users and applications.  For example, a user agent may
   wish to draw attention to the "notAfter" time of an expired
   certificate.  Uniform Resource Identifiers (URIs) can include
   fragment identifiers to identify such sub-parts of a resource; see
   Section 3.5 of [RFC3986].  However, the semantics of fragment
   identifiers depend upon the Internet media type [RFC2046], not the
   URI scheme.  Therefore, the fragment identifiers in this memo apply
   to the application/pkix-cert Internet media type [RFC2585].  The
   following fragments are hereby defined:

   +------------+------------------------------------------------------+
   | Identifier | Certificate Part (ASN.1 identifier)                  |
   +------------+------------------------------------------------------+
   | v          | tbsCertificate.version                               |
   | sn         | tbsCertificate.serialNumber                          |
   | sig        | tbsCertificate.signature; also signatureAlgorithm    |
   | issuer     | tbsCertificate.issuer                                |
   | nb         | tbsCertificate.validity.notBefore                    |
   | na         | tbsCertificate.validity.notAfter                     |
   | subject    | tbsCertificate.subject                               |
   | spki       | tbsCertificate.subjectPublicKeyInfo                  |
   | ext        | tbsCertificate.extensions                            |
   | ext:<OID>  | tbsCertificate.extensions                            |
   |            | {Extension matching extoid == extnID}*               |
   | sigval     | signatureValue                                       |
   +------------+------------------------------------------------------+

   * The particular extension in the Extensions "SEQUENCE" is identified
     by OID only; there are no textual identifiers.  The syntax of the
     <OID> matches the "numericoid" production of [RFC4512].

                 Table 1: Certificate Parts and Fragments

   The fragment identifiers defined in the table above are
   case-insensitive.  The table is not exhaustive: a future document may
   define additional identifiers if they are required.

2.  IANA Considerations

   IANA needs to add a reference to this specification in the
   application/pkix-cert media type registration.

   Additionally, the registration template needs to be updated to add
   the following section:

      Fragment identifier considerations: Fragment identification is
      supported by using fragment identifiers as specified by this memo.

   It has also been observed that DER-encoded certificates and
   certificate revocation lists begin with octet 0x30 (in US-ASCII:
   '0'), which is the tag for an ASN.1 SEQUENCE.  Accordingly, the magic
   number(s) subsections for application/pkix-cert and
   application/pkix-crl are to be amended to say:

        Magic number(s): 0x30 ('0', SEQUENCE tag)
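   As an added example (not part of this draft, and not code from the
   author or from Penango), the following Python resolves the fragment
   identifiers of Table 1 against a DER-encoded certificate.  It checks
   the identifier case-insensitively, validates the <OID> of "ext:<OID>"
   against the numericoid production of [RFC4512], checks the 0x30
   SEQUENCE magic number given above before parsing anything, and
   returns the named part from the certificate octets themselves, which
   is the point Section 3 makes about never using the fragment text in
   place of the value it identifies.  The DER helpers, the constructed
   sample certificate (placeholder contents, not a real certificate),
   and every function name here are assumptions of this example.

```python
import re

# Fragment identifiers from Table 1 of the draft; resolve() locates the part each one names.
FRAGMENTS = frozenset({"v", "sn", "sig", "issuer", "nb", "na", "subject", "spki", "ext", "sigval"})
# RFC 4512 numericoid: number 1*("." number), where number = DIGIT / (LDIGIT 1*DIGIT)
NUMERICOID = re.compile(r"^(?:[0-9]|[1-9][0-9]+)(?:\.(?:[0-9]|[1-9][0-9]+))+$")

def parse_fragment(fragment):
    """(identifier, oid-or-None) for the text after '#', or None if Table 1 does not define it."""
    ident, sep, oid = fragment.partition(":")
    ident = ident.lower()  # identifiers are case-insensitive
    if sep:  # only "ext:<OID>" carries a value, and that value must be a numericoid
        return ("ext", oid) if ident == "ext" and NUMERICOID.match(oid) else None
    return (ident, None) if ident in FRAGMENTS else None

def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos] -> (tag, content, next_pos); single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80: raise ValueError("indefinite length is not DER")
    n = first & 0x7F if first > 0x80 else 0  # number of long-form length octets
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start, end = pos + 2 + n, pos + 2 + n + length
    if end > len(buf): raise ValueError("DER element runs past end of data")
    return tag, buf[start:end], end

def der_children(content):
    """Split a constructed element's content into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid_encode(dotted):
    """Dotted numericoid -> OBJECT IDENTIFIER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def build_sample_certificate():
    """Constructed sample shaped like an X.509 v3 Certificate; placeholder contents, not a real cert."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    alg = lambda oid: seq(der_encode(0x06, oid_encode(oid)), der_encode(0x05, b""))
    ext = lambda oid, value: seq(der_encode(0x06, oid_encode(oid)), der_encode(0x04, value))
    name = seq(der_encode(0x31, seq(der_encode(0x06, oid_encode("2.5.4.3")), der_encode(0x0C, b"Example"))))
    tbs = seq(
        der_encode(0xA0, der_encode(0x02, b"\x02")),                      # version [0] EXPLICIT (v3)
        der_encode(0x02, b"\x01\x02\x03"),                                # serialNumber
        alg("1.2.840.113549.1.1.11"),                                      # signature
        name,                                                              # issuer
        seq(der_encode(0x17, b"140101000000Z"), der_encode(0x17, b"150101000000Z")),  # validity
        name,                                                              # subject
        seq(alg("1.2.840.113549.1.1.1"), der_encode(0x03, b"\x00placeholder-key")),   # spki
        der_encode(0xA3, seq(ext("2.5.29.19", b"\x30\x00"),                # extensions [3] EXPLICIT
                             ext("2.5.29.15", b"\x03\x02\x05\xa0"))))
    return seq(tbs, alg("1.2.840.113549.1.1.11"), der_encode(0x03, b"\x00placeholder-sig"))

TBS_FIELDS = ("sn", "sig", "issuer", "validity", "subject", "spki")

def resolve(cert_der, fragment):
    """Return the part `fragment` names as (tag, content) taken from the DER itself, never from the fragment text."""
    if not cert_der or cert_der[0] != 0x30: raise ValueError("first octet is not the 0x30 SEQUENCE tag")  # magic number
    ident, oid = parse_fragment(fragment) or (None, None)
    if ident is None: raise ValueError("fragment %r is not defined for application/pkix-cert" % fragment)
    tbs, sig_alg, sig_val = der_children(der_read(cert_der)[1])
    if ident == "sigval":
        return sig_val
    fields = der_children(tbs[1])
    version = fields.pop(0) if fields and fields[0][0] == 0xA0 else None  # OPTIONAL, tagged [0]
    if ident == "v":
        return version  # None for a v1 certificate, which omits the field
    named = dict(zip(TBS_FIELDS, fields))
    if ident in ("nb", "na"):
        return der_children(named["validity"][1])[ident == "na"]  # [notBefore, notAfter]
    if ident == "sig" and named["sig"] != sig_alg: raise ValueError("signature algorithm fields differ")  # RFC 5280 4.1.2.3
    if ident in named:
        return named[ident]
    exts = [f for f in fields[6:] if f[0] == 0xA3]  # extensions [3] EXPLICIT follows the optional UIDs
    if not exts: raise ValueError("certificate has no extensions")
    if oid is None:
        return exts[0]
    for _, body in der_children(der_children(exts[0][1])[0][1]):
        if der_children(body)[0][1] == oid_encode(oid):  # extnID == <OID>; DER encoding is canonical
            return 0x30, body
    raise ValueError("no extension with OID %s" % oid)
```

   Each branch of resolve() returns a (tag, content) pair cut from the
   certificate octets, so a caller that asked for "#spki" receives the
   SubjectPublicKeyInfo structure rather than the string "spki", and an
   unknown or malformed fragment (for example an <OID> with a leading
   zero) is rejected before any part of the certificate is read.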

3.  Security Considerations

   Digital certificates are important building blocks for
   authentication, integrity, authorization, and (occasionally)
   confidentiality services.  Accordingly, identifying digital
   certificates incorrectly can have significant security ramifications.

   A URI that identifies a certificate will likely be used by an
   application or user for some security-related service, such as to
   retrieve the certificate as part of a validation procedure.  When a
   fragment identifies a part of a certificate, the application will
   define the behavioral semantics.  A certificate displaying
   application might zoom in on that aspect of the certificate, while a
   public key-processing application might use a fragment identifier
   like "#spki" in a URI when identifying a certificate from which to
   extract the "SubjectPublicKeyInfo" structure for further processing.
   The (textual) values of the fragment identifiers are not to be used
   in lieu of the certificate values they identify, because the fragment
   identifiers are not parts of the actual certificate.  Interpreting
   these identifiers incorrectly may cause denial-of-service attacks.

4.  Normative References

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [RFC2585]  Housley, R. and P. Hoffman, "Internet X.509 Public Key
              Infrastructure Operational Protocols: FTP and HTTP", RFC
              2585, May 1999.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

Author's Address

   Sean Leonard
   Penango, Inc.
   5900 Wilshire Boulevard
   21st Floor
   Los Angeles, CA  90036

