To distinguish among multiple individuals with the same name, it may
be necessary to include in a certificate some personal data that may
be considered sensitive. Examples of such personal ID data are U.S.
social security numbers and similar national ID numbers in other
countries. A certificate subject may be willing to disclose this data
to some relying parties (RPs), but not to everyone who may have access
to his/her certificate. Recall that certificates are often passed
over the Internet without encryption, stored in repositories that may
allow public access, and so on. Thus a wide range of possible
adversaries will have an opportunity to conduct offline attacks that
seek to reveal sensitive ID data if it is part of a certificate.
SIM is a technique for managing this problem of selective disclosure
of such sensitive (though not secret) ID data in the context of X.509
certificates. The SIM data is carried as a subject alternative name
(SAN) using the Privacy-Enhanced Personal Identifier (PEPSI) format,
also defined in this document. Because this data is carried in the
SAN, the subject name must itself be unique without the further
qualification provided by this other data, consistent with X.509 and
PKIX certificate requirements.
The PEPSI value is the result of applying a two-pass hash function to
the SIM data, employing a user-supplied password and a Registration
Authority supplied random number. An attacker trying to confirm a
guessed SIM value cannot employ a pre-computed dictionary attack, due
to the use of the random number. Nonetheless, selection of a poor
password by a user does allow an attacker to mount a focused, offline
guessing attack on a PEPSI value.
Three scenarios for use of SIM are described:
- If a relying party knows the user's SIM value, and uses
it to uniquely identify the user, the RP can confirm the
user's identify through processing of the certificate and
user disclosure of the password to the RP via a secure
- If the RP does not know the SIM value, it can be disclosed
to the RP via secure transfer of the password, and processing
of the certificate by the RP, e.g., so that the RP can
acquire the SIM value for future use.
- Finally, knowledge of the password by the user can be
employed as a secondary authentication mechanism, in
addition to the user's knowledge of his private key,
without exposing the SIM data to an RP.
Working Group Summary
The PKIX working group expressed consensus to advance the document to
This document has been reviewed by PKIX working group and by the PKIX
working group chairs.
This document was reviewed by Russ Housley for the IESG.
Note to RFC Editor
Please expand the first use of "RA".
R The random number value generated by an RA.
R The random number value generated by a Registration