Network Working Group                                         S. Farrell
Request for Comments: 5697                        Trinity College Dublin
Category: Experimental                                     November 2009

                      Other Certificates Extension

Abstract

   Some applications that associate state information with public key
   certificates can benefit from a way to link together a set of
   certificates that belong to the same end entity and that can safely
   be considered equivalent to one another for the purposes of
   referencing that application-state information.  This memo defines a
   certificate extension that allows applications to establish the
   required linkage without introducing a new application protocol data
   unit.

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

Farrell                       Experimental                      [Page 1]
RFC 5697                      Other Certs                  November 2009

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  A Use Case  . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Other Certificates Extension  . . . . . . . . . . . . . . . . . 3
   4.  Another Approach Using Permanent Identifiers  . . . . . . . . . 5
   5.  A Possible Optimisation . . . . . . . . . . . . . . . . . . . . 5
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . . 7
     8.2.  Informative References  . . . . . . . . . . . . . . . . . . 7
   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 8

1.  Introduction

   RFC 5280 [RFC5280] defines a profile for the use of public key
   certificates for Internet applications.  If an application associates
   application-state information with a public key certificate, then
   that association may be disrupted if the end entity changes its
   public key certificate.  Such disruption can occur due to renewals or
   if the end entity changes its certificate issuer.  Similarly, if the
   end entity is actually a distributed system, where each instance has
   a different private key, then the relying party (RP) has no way to
   associate the different public key certificates with the relevant
   application-state information.

   For example, assume a web browser retains state information (perhaps
   passwords) about a web site, indexed (possibly indirectly) via values
   contained in the web server's public key certificate (perhaps a DNS
   name).  When the web server certificate expires and a new certificate
   is acquired (perhaps with a different DNS name), then the browser
   cannot safely map the new certificate to the relevant state
   information.

   This memo defines a new public key certificate extension that
   supports such linkage, allowing the certificate issuer to attest that
   the end entity that holds the private key for the certificate in
   question also holds other private keys corresponding to other
   identified certificates.
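   The following is an added illustration, not part of RFC 5697, of how a
   relying party might consume such a linkage.  It models certificates as
   simple records, uses an HMAC keyed by the CA as a stand-in for the
   RFC 5280 signature, and keys its application state by a hash of the
   full certificate rather than by DNS name.  The reference format
   (hash of the linked certificate plus its issuer name and serial) and
   all names, keys and state values are constructed for the example; the
   actual extension syntax is the one in Section 3, not this one.  The
   point it makes is that state may only be carried across when the new
   certificate verifies under a trusted issuer and that issuer itself
   asserts the linkage; a linkage claimed by an untrusted issuer, or a
   renewal that carries no linkage, yields no state.

```python
"""Toy relying party honouring an issuer-asserted 'other certificates' linkage.
Constructed example; the reference format and HMAC 'signature' are stand-ins."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

HASH = hashlib.sha256


@dataclass(frozen=True)
class CertRef:
    """Reference to another certificate: hash of its full encoding plus the
    issuer name and serial that identify it (example format, not Section 3)."""
    cert_hash: bytes
    issuer: str
    serial: int


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    dns_name: str
    other_certs: tuple = ()   # issuer-asserted linkage; empty if absent
    signature: bytes = b""

    def tbs(self) -> bytes:
        """Canonical encoding of the signed fields (stand-in for DER)."""
        return json.dumps({
            "issuer": self.issuer, "serial": self.serial, "dns": self.dns_name,
            "other": [[r.cert_hash.hex(), r.issuer, r.serial] for r in self.other_certs],
        }, sort_keys=True).encode()

    def encoding(self) -> bytes:
        return self.tbs() + self.signature


def fingerprint(cert: Cert) -> bytes:
    """Hash of the complete certificate, signature included."""
    return HASH(cert.encoding()).digest()


def ref_to(cert: Cert) -> CertRef:
    return CertRef(fingerprint(cert), cert.issuer, cert.serial)


def issue(ca_name: str, ca_key: bytes, serial: int, dns_name: str,
          other: tuple = ()) -> Cert:
    """CA issues a certificate.  HMAC over the TBS fields stands in for the
    CA signature; a real CA would also have to check that the same end entity
    holds the private keys for every referenced certificate (out of scope here)."""
    unsigned = Cert(ca_name, serial, dns_name, other)
    sig = hmac.new(ca_key, unsigned.tbs(), HASH).digest()
    return Cert(ca_name, serial, dns_name, other, sig)


class RelyingParty:
    def __init__(self, trusted_cas: dict):
        self.trusted_cas = trusted_cas   # CA name -> verification key (stand-in)
        self.certs = {}                  # fingerprint -> Cert we hold state for
        self.state = {}                  # fingerprint -> application state

    def verify(self, cert: Cert) -> bool:
        key = self.trusted_cas.get(cert.issuer)
        if key is None:
            return False
        expected = hmac.new(key, cert.tbs(), HASH).digest()
        return hmac.compare_digest(expected, cert.signature)

    def bind_state(self, cert: Cert, state: str) -> None:
        if not self.verify(cert):
            raise ValueError("refusing to bind state to an unverified certificate")
        fp = fingerprint(cert)
        self.certs[fp], self.state[fp] = cert, state

    def state_for(self, cert: Cert) -> Optional[str]:
        """Return state for this certificate, following the linkage if needed."""
        if not self.verify(cert):          # untrusted issuer: its linkage means nothing
            return None
        fp = fingerprint(cert)
        if fp in self.state:
            return self.state[fp]
        for ref in cert.other_certs:
            known = self.certs.get(ref.cert_hash)
            if known is None or (known.issuer, known.serial) != (ref.issuer, ref.serial):
                continue
            # Trusted issuer attests the holder also holds the referenced cert's key.
            self.certs[fp], self.state[fp] = cert, self.state[ref.cert_hash]
            return self.state[fp]
        return None


def run_scenario() -> dict:
    ca_key, rogue_key = b"example-ca-key", b"rogue-ca-key"   # constructed keys
    rp = RelyingParty({"Example CA": ca_key})
    old = issue("Example CA", ca_key, 1001, "www.example.com")
    rp.bind_state(old, "saved-password-for-example")
    renewed = issue("Example CA", ca_key, 1002, "www.example.net", (ref_to(old),))
    unlinked = issue("Example CA", ca_key, 1003, "www.example.org")
    forged = issue("Rogue CA", rogue_key, 7, "www.example.com", (ref_to(old),))
    return {"renewed": rp.state_for(renewed), "unlinked": rp.state_for(unlinked),
            "forged": rp.state_for(forged)}
```

   Running run_scenario() shows the renewed certificate under a new DNS
   name inheriting the stored state through the linkage, the renewal
   without the extension getting none, and the rogue issuer's claim being
   ignored because its certificate never verifies.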

   Other than the issuer asserting that the set of certificates belongs
   to the same end entity for use with the same application, the fine
   detail of the semantics of the linkage of certificates is not defined
   here, since that is a matter for application developers and the
   operators of certification authorities (CAs).  In particular, we do
   not define how a CA can validate that the same end entity is the
   holder of the various private keys, nor how the application should

   make use of this information.  Nor do we define what kinds of state