draft-ietf-acme-authority-token-tnauthlist-05.txt vs. draft-ietf-acme-authority-token-tnauthlist-06.txt

Network Working Group                                            C. Wendt
Internet-Draft                                                 D. Hancock
Intended status: Standards Track                                  Comcast
Expires: May 7, 2020 (-05) / September 10, 2020 (-06)           M. Barnes
                                                              Independent
                                                              J. Peterson
                                                             Neustar Inc.
                      November 04, 2019 (-05) / March 09, 2020 (-06)

               TNAuthList profile of ACME Authority Token
          draft-ietf-acme-authority-token-tnauthlist-05 / -06
Abstract

   This document defines a profile of the Automated Certificate
   Management Environment (ACME) Authority Token for the automated and
   authorized creation of certificates for VoIP Telephone Providers to
   support Secure Telephony Identity (STI) using the TNAuthList defined
   by STI certificates.
Status of This Memo

   [skipping to change at page 1, line 38]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -05: This Internet-Draft will expire on May 7, 2020.
   -06: This Internet-Draft will expire on September 10, 2020.
Copyright Notice

   Copyright (c) 2019 (-05) / 2020 (-06) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   [skipping to change at page 3, line 20]
   Section 9, defines the ability to associate a STI certificate with a
   specific set of Service Provider Codes (SPCs), Telephone Numbers
   (TNs), or Telephone Number ranges (TN ranges).  Typically, these
   identifiers have been assigned to a Communications Service Provider
   (CSP) that is authorized to use a set of telephone numbers or
   telephone number ranges in association with a Service Provider Code
   as defined in [RFC8226].  The SPC is a unique code or string managed
   by a national regulatory body that has the authority over those code-
   to-CSP associations.

   -05: This document will also incorporate the ability for a telephone
   authority to authorize the creation of CA types of certificates for
   delegation as defined in [I-D.ietf-stir-cert-delegation].

   -06: This document also describes the ability for a telephone
   authority to authorize the creation of CA types of certificates for
   delegation as defined in [I-D.ietf-stir-cert-delegation].
2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  ACME new-order identifiers for TNAuthList

   In [RFC8555], Section 7.4 defines the procedure that an ACME client

   [skipping to change at page 11, line 9]
   perform the following steps to determine the validity of the
   response.

   o  Verify that the token contained in the Payload "atc" field is a
      TNAuthList Authority Token.

   o  Verify the TNAuthList Authority Token signature using the public
      key of the certificate referenced by the token's "x5u" parameter.

   o  Verify that the "atc" claim contains an identifier type of
      "TNAuthList".  (-05 ends this item with a comma, -06 with a
      period.)

   o  Verify that the "atc" claim contains the equivalent base64 encoded
      TNAuthList certificate extension string value as the Identifier
      specified in the original challenge.

   o  Verify that the remaining claims are valid (e.g., verify that the
      token has not expired).

   o  Verify that the "atc" claim "fingerprint" is valid.
   [skipping to change at page 11, line 44]

   unbounded set of combinations.  It's possible that a complex non-
   contiguous set of telephone numbers is being managed by a CSP.  Best
   practice may simply be to split a set of non-contiguous numbers under
   management into multiple STI certificates, each representing one of
   the contiguous parts of the greater non-contiguous set of TNs,
   particularly if the length of the set of values in the identifier
   object grows too large.
8.  Security Considerations

   The token represented by this document has (-05: "obviously has") the
   credentials to represent the scope of a telephone number, a block of
   telephone numbers, or an entire set of telephone numbers represented
   by a SPC.  The creation, transport, and any storage of this token
   MUST follow the strictest of security best practices beyond the
   recommendations of the use of encrypted transport protocols in this
   document to protect it from getting in the hands of bad actors with
   illegitimate intent to impersonate telephone numbers.

9.  IANA Considerations

   This document requests the addition of a new identifier object type

   [skipping to change at page 12, line 29]
   We would like to thank Richard Barnes and Russ Housley for valuable
   contributions to this document.

11.  References

11.1.  Normative References

   [I-D.ietf-acme-authority-token]
              Peterson, J., Barnes, M., Hancock, D., and C. Wendt, "ACME
              Challenges Using an Authority Token",
              -05: draft-ietf-acme-authority-token-03 (work in
              progress), March 2019.
              -06: draft-ietf-acme-authority-token-04 (work in
              progress), November 2019.

   [I-D.ietf-stir-cert-delegation]
              Peterson, J., "STIR Certificate Delegation",
              -05: draft-ietf-stir-cert-delegation-00 (work in
              progress), July 2019.
              -06: draft-ietf-stir-cert-delegation-01 (work in
              progress), November 2019.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999,
              <https://www.rfc-editor.org/info/rfc2616>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.
End of changes.  10 change blocks; 13 lines changed or deleted, 13 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/