Diff: draft-ietf-acme-authority-token-tnauthlist-02.txt -> draft-ietf-acme-authority-token-tnauthlist-03.txt
(Text below is the -03 version; where -02 read differently, the -02 reading follows in parentheses as "(-02: ...)".)

Network Working Group                                          C. Wendt
Internet-Draft                                               D. Hancock
Intended status: Standards Track                                Comcast
Expires: September 26, 2019 (-02: September 12, 2019)         M. Barnes
                                                              iconectiv
                                                            J. Peterson
                                                           Neustar Inc.
                                    March 25, 2019 (-02: March 11, 2019)

              TNAuthList profile of ACME Authority Token
              draft-ietf-acme-authority-token-tnauthlist-03
              (-02: draft-ietf-acme-authority-token-tnauthlist-02)
Abstract

   This document defines a profile of the Automated Certificate
   Management Environment (ACME) Authority Token for the automated and
   authorized creation of certificates for VoIP Telephone Providers to
   support Secure Telephony Identity (STI) using the TNAuthList defined
   by STI certificates.
Status of This Memo

   [skipping to change at page 1, line 38]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 26, 2019 (-02: September
   12, 2019).

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 6, line 21]

     "expires": "2018-03-03T14:09:00Z",
     "identifier": {
       "type": "TNAuthList",
       "value": "F83n2a...avn27DN3=="
     },
     "challenges": [
       {
         "type": "tkauth-01",
         "tkauth-type": "atc",                                 (-02: "ATC")
         "token-authority": "https://authority.example.org/authz",
         "url": "https://boulder.example.com/authz/asdf/0",
         "token": "IlirfxKKXAsHtmzK29Pj8A"
       }
     ]
   }

   When processing a certificate order containing an identifier of type
   "TNAuthList", a CA MUST use the Authority Token challenge mechanism
   defined in [I-D.ietf-acme-authority-token] to verify that the
   [skipping to change at page 7, line 17]

   Content-Type: application/jose+json

   {
     "protected": base64url({
       "alg": "ES256",
       "kid": "https://example.com/acme/acct/1",
       "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
       "url": "https://boulder.example.com/acme/authz/asdf/0"
     }),
     "payload": base64url({
       "atc": "DGyRejmCefe7v4N...vb29HhjjLPSggwiE"            (-02: "ATC")
     }),
     "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
   }

   The specifics of the construction of the TNAuthList-specific "atc"
   token (-02: "ATC") are defined in the next section.

5.  TNAuthList Authority Token

   The Telephone Number Authority List Authority Token (TNAuthList
   Authority Token) is an extension of the ACME Authority Token defined
   in [I-D.ietf-acme-authority-token].

   The TNAuthList Authority Token Protected header MUST comply with the
   Authority Token Protected header as defined in
   [skipping to change at page 8, line 47]

   { "typ":"JWT",
     "alg":"ES256",
     "x5u":"https://authority.example.org/cert"
   }

   {
     "iss":"https://authority.example.org/authz",
     "exp":1300819380,
     "jti":"id6098364921",
     "atc":{"TNAuthList":"F83n2a...avn27DN3==",    (-02: "TnAuthList","F83n2a...avn27DN3==", with a comma in place of the colon)
       "ca":false,
       "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"}
   }

5.5.  Acquiring the token from the Token Authority

   Following [I-D.ietf-acme-authority-token] Section 5, the authority
   token should be acquired using a RESTful HTTP POST transaction as
   follows
   [skipping to change at page 9, line 36]

   {
     "atc":{"TNAuthList":"F83n2a...avn27DN3==",
       "ca":false,
       "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3 \
         :BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"}
   }

   If successful, the response to the POST request MUST be a 200 OK
   with a JSON body that contains the TNAuthList Authority Token as a
   JSON object with a single key of "atc" (-02: "ATC") and the base64
   encoded string representing the atc (-02: ATC) token.

   An example successful response would be as follows:

   HTTP/1.1 200 OK
   Content-Type: application/json

   {"atc": "DGyRejmCefe7v4N...vb29HhjjLPSggwiE"}              (-02: "ATC")

   If the request is not successful, the response should indicate the
   error condition.  Specifically, for the case that the authorization
   credentials are invalid, the response code MUST be 403 - Forbidden.
   If the Account ID provided does not exist or does not match the
   credentials in the Authorization header, the response MUST be 404 -
   Invalid account ID.  Other 4xx and 5xx responses SHOULD follow
   standard [RFC2616] HTTP error condition conventions.

5.6.  Token Authority Responsibilities

   [skipping to change at page 10, line 19]

   information contained in the ASN.1 TNAuthList accurately represents
   the SPC or telephone number resources the ACME client is authorized
   to represent.
6.  Validating the TNAuthList Authority Token

   Upon receiving a response to the challenge, the ACME server MUST
   perform the following steps to determine the validity of the
   response.

   o  Verify that the token contained in the Payload "atc" field
      (-02: "ATC") is a TNAuthList Authority Token.

   o  Verify the TNAuthList Authority Token signature using the public
      key of the certificate referenced by the token's "x5u" parameter.

   o  Verify that the "atc" claim contains an identifier type of
      "TNAuthList".

   o  Verify that the "atc" claim contains the equivalent base64 encoded
      TNAuthList certificate extension string value as the Identifier
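   The Section 6 checks above, together with the Token Authority's side
   of Section 5 (minting the ES256-signed token whose "atc" claim carries
   the TNAuthList value, "ca" and the account-key fingerprint), as an
   added Go example.  This code is not part of the draft nor of any
   implementation the draft describes.  Assumptions: the resolveX5U
   callback stands in for fetching and trust-checking the certificate at
   the token's "x5u" URL (here it simply returns the Token Authority's
   public key); the fingerprint is compared as an opaque string that the
   CA has already computed over the ACME account key, a binding the base
   Authority Token draft requires and which the truncated list above does
   not reach; the "typ" and "jti" fields of the draft's example are
   omitted; all keys, claim values and URLs are constructed for the
   example, reusing the draft's example values where it has them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Field names follow the draft's example token; every value assigned below is constructed.
type tokenHeader struct {
	Alg string `json:"alg"`
	X5U string `json:"x5u"`
}
type atcClaim struct {
	TNAuthList  string `json:"TNAuthList"`
	CA          bool   `json:"ca"`
	Fingerprint string `json:"fingerprint"`
}
type tokenPayload struct {
	Iss string   `json:"iss"`
	Exp int64    `json:"exp"`
	Atc atcClaim `json:"atc"`
}
var b64 = base64.RawURLEncoding

// mintToken plays the Token Authority: it signs header.payload as a compact JWS
// with ES256 (ECDSA P-256 over SHA-256; the JWS signature is R||S, 32+32 bytes).
func mintToken(key *ecdsa.PrivateKey, hdr tokenHeader, pl tokenPayload) (string, error) {
	h, _ := json.Marshal(hdr) // marshalling these plain structs cannot fail
	p, _ := json.Marshal(pl)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// decodePart base64url-decodes one JWS segment and parses it as JSON into v.
func decodePart(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// validateToken applies the ACME server's Section 6 checks to the token from the challenge
// response's "atc" field (signature first, claims after). resolveX5U stands in for fetching and
// trust-checking the certificate at "x5u"; the fingerprint check binds the token to the ACME account key.
func validateToken(token, wantTNAuthList, wantFingerprint string, now time.Time,
	resolveX5U func(u string) (*ecdsa.PublicKey, error)) (*tokenPayload, error) {
	parts := strings.Split(token, ".")
	var hdr tokenHeader
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("not a compact JWS with alg ES256") // the verifier, not the token, fixes the alg
	}
	pub, err := resolveX5U(hdr.X5U)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var pl tokenPayload
	if err := decodePart(parts[1], &pl); err != nil {
		return nil, err
	}
	switch {
	case now.Unix() >= pl.Exp:
		return nil, errors.New("token expired")
	case pl.Atc.TNAuthList == "" || pl.Atc.TNAuthList != wantTNAuthList: // identifier type TNAuthList, same value
		return nil, errors.New("atc TNAuthList missing or differs from the authorization identifier")
	case pl.Atc.Fingerprint != wantFingerprint:
		return nil, errors.New("fingerprint does not match the ACME account key")
	}
	return &pl, nil
}

func main() {
	taKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed Token Authority key
	pl := tokenPayload{Iss: "https://authority.example.org/authz", Exp: time.Now().Add(time.Hour).Unix(),
		Atc: atcClaim{TNAuthList: "F83n2a...avn27DN3==", Fingerprint: "SHA256 56:3E:CF:AE"}}
	tok, _ := mintToken(taKey, tokenHeader{Alg: "ES256", X5U: "https://authority.example.org/cert"}, pl)
	trust := func(string) (*ecdsa.PublicKey, error) { return &taKey.PublicKey, nil }
	_, err := validateToken(tok, pl.Atc.TNAuthList, pl.Atc.Fingerprint, time.Now(), trust)
	fmt.Println("token accepted:", err == nil)
}
```

   Run as-is, the program mints a token and accepts it.  The same
   validateToken rejects a token signed under a key other than the one
   resolved from "x5u", a token whose "alg" header is anything but ES256
   (the CA fixes the algorithm rather than trusting the token's header),
   an "atc" whose TNAuthList value differs from the authorization's
   identifier, a fingerprint that does not match the ACME account key,
   and an expired "exp".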
End of changes.  11 change blocks.
12 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/