draft-ietf-acme-service-provider-01.txt   draft-ietf-acme-service-provider-02.txt 
-01:
Network Working Group                                         M. Barnes
Internet-Draft                               MLB@Realtime Communications
Intended status: Informational                                 C. Wendt
Expires: January 19, 2018                                        Comcast
                                                           July 18, 2017

-02:
Network Working Group                                         M. Barnes
Internet-Draft                                                iconectiv
Intended status: Informational                                 C. Wendt
Expires: May 3, 2018                                             Comcast
                                                        October 30, 2017

          ACME Identifiers and Challenges for VoIP Service Providers
   -01: draft-ietf-acme-service-provider-01
   -02: draft-ietf-acme-service-provider-02
Abstract

   This document specifies identifiers and challenges required to enable
   the Automated Certificate Management Environment (ACME) to issue
   certificates for VoIP service providers to support Secure Telephony
   Identity (STI).
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   -01: Drafts is at http://datatracker.ietf.org/drafts/current/.
   -02: Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -01: This Internet-Draft will expire on January 19, 2018.
   -02: This Internet-Draft will expire on May 3, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   -01: (http://trustee.ietf.org/license-info) in effect on the date of
   -02: (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
skipping to change at page 3, line 20
   authorized to request certificates on behalf of the entity that has
   been assigned a specific service provider code.  A single VoIP
   service provider can be allocated multiple service provider codes.  A
   service provider can choose to use the same certificate for multiple
   service providers as reflected by the structure of the TN
   Authorization List certificate extension defined in
   [I-D.ietf-stir-certificates].

   -01:
   The intent of the challenges in this document is not to establish
   that an entity is a valid service provider but rather to provide
   evidence that an established governance entity has authorized the
   entity to provide VoIP services in the network and thus to request
   credentials on behalf of the VoIP users in the network.

   -02:
   The intent of the challenges in this document is not to establish
   that an entity is a valid service provider but rather to provide
   evidence that an established administrative authority entity has
   authorized the entity to provide VoIP services in the network and
   thus to request credentials on behalf of the VoIP users in the
   network.
3.  Identifier for Service Provider Codes

   In order to issue certificates for service providers based on service
   provider code values, a new ACME identifier type is required for use
   in ACME authorization objects.  The baseline ACME specification
   defines one type of identifier, for a fully-qualified domain name
   ("dns").  The document [I-D.ietf-acme-telephone] defines an ACME
   identifier type for telephone numbers ("tn").  This document defines
   a new ACME identifier type for service provider codes ("TNAuthList").
skipping to change at page 4, line 31
           "token": "DGyRejmCefe7v4NfDGDKfA" }
       ],
     }
   A client responds to this challenge by providing a service provider
   code token.  In the SHAKEN Certificate Management framework, the
   Service Provider has a secure exchange with the STI-PA to obtain a
   service provider code token that can be used for authorization by the
   CA when requesting a certificate.  The service provider code token is
   a standard JWT token [RFC7519] using a JWS defined signature string
   [RFC7515].

   -02 adds:
   It is RECOMMENDED that the lifetime of the service
   provider code token be greater than the certificate lifetime, in
   particular in cases where multiple certificates are being issued
   using the same service provider code token.
   The service provider code token JWT Protected Header MUST include the
   following:

      alg:  Defines the algorithm used in the signature of the token.
         For Service Provider Code tokens, the algorithm MUST be
         "ES256".

      typ:  Set to standard "JWT" value.

      x5u:  Defines the URL of the certificate of the STI-PA validating
         the Service Provider Code.

   The service provider code token JWT Payload MUST include the
   following:

      -01:
      sub:  Service Provider Code value being validated in the form of a
         JSON array of ASCII strings.
      -02:
      sub:  Service Provider Code value being validated in the form of
         an ASCII string.

      iat:  DateTime value of the time and date the token was issued.

      nbf:  DateTime value of the starting time and date that the token
         is valid.

      exp:  DateTime value of the ending time and date that the token
         expires.

      fingerprint:  Fingerprint of the ACME credentials the Service
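   As an added example, not code from the draft or from any SHAKEN
   or STI-PA implementation, the Go program below builds a service
   provider code token with exactly the header and payload fields listed
   above and then validates it the way a CA would before acting on it:
   alg pinned to "ES256", typ and x5u present, the ES256 signature over
   header.payload checked against the STI-PA key, sub present as a single
   string (the -02 form), and the nbf/exp window enforced.  It also turns
   the -02 lifetime recommendation into a check.  The STI-PA key pair,
   the x5u URL under sti-pa.example, the service provider code "1234"
   and the fingerprint string are all constructed for the example; the
   CA is assumed to hold the STI-PA public key from a pinned certificate
   rather than fetching whatever URL x5u names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SPCHeader holds the JWT Protected Header fields the draft requires.
type SPCHeader struct {
	Alg string `json:"alg"` // MUST be "ES256"
	Typ string `json:"typ"` // "JWT"
	X5U string `json:"x5u"` // URL of the STI-PA certificate
}

// SPCClaims holds the payload fields the draft lists; dates are NumericDate (Unix seconds).
type SPCClaims struct {
	Sub         string `json:"sub"`         // service provider code as one ASCII string (-02 form)
	Iat         int64  `json:"iat"`
	Nbf         int64  `json:"nbf"`
	Exp         int64  `json:"exp"`
	Fingerprint string `json:"fingerprint"` // fingerprint of the SP's ACME credentials (value constructed here)
}

var b64 = base64.RawURLEncoding

// NewPAKey stands in for the STI-PA signing key (constructed for this example).
func NewPAKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignSPCToken is the STI-PA side: ES256 is ECDSA P-256 over SHA-256 of
// base64url(header).base64url(payload); the signature is raw r||s (RFC 7518, 3.4).
func SignSPCToken(key *ecdsa.PrivateKey, x5u string, claims SPCClaims) (string, error) {
	hdr, _ := json.Marshal(SPCHeader{Alg: "ES256", Typ: "JWT", X5U: x5u}) // fixed structs, cannot fail
	pl, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifySPCToken is the CA side. paKey is the STI-PA public key the CA already
// trusts (assumed to come from a pinned STI-PA certificate, not from a fetch of
// whatever URL x5u names). Header, signature and validity window are all checked.
func VerifySPCToken(token string, paKey *ecdsa.PublicKey, now time.Time) (SPCClaims, error) {
	var claims SPCClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("token is not a compact JWS")
	}
	var hdr SPCHeader
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return claims, errors.New("malformed protected header")
	}
	// Pin the algorithm: the token never gets to choose how it is verified.
	if hdr.Alg != "ES256" || hdr.Typ != "JWT" || hdr.X5U == "" {
		return claims, errors.New("header must carry alg=ES256, typ=JWT and a non-empty x5u")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return claims, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(paKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return claims, errors.New("signature does not verify under the STI-PA key")
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return claims, errors.New("malformed payload")
	}
	switch t := now.Unix(); {
	case claims.Sub == "":
		return claims, errors.New("missing sub (service provider code)")
	case t < claims.Nbf:
		return claims, errors.New("token not yet valid (nbf)")
	case t >= claims.Exp: // a missing exp decodes as 0 and is rejected here too
		return claims, errors.New("token expired (exp)")
	}
	return claims, nil
}

// TokenCoversCertificate applies the -02 recommendation as a check: the token
// must still be valid when the certificate it is used to obtain expires.
func TokenCoversCertificate(claims SPCClaims, certNotAfter time.Time) bool {
	return claims.Exp > certNotAfter.Unix()
}

func main() {
	paKey, _ := NewPAKey()
	now := time.Now()
	claims := SPCClaims{Sub: "1234", Iat: now.Unix(), Nbf: now.Unix(),
		Exp: now.Add(2 * 365 * 24 * time.Hour).Unix(), Fingerprint: "SHA256 <constructed>"}
	tok, _ := SignSPCToken(paKey, "https://sti-pa.example/cert.pem", claims)
	got, err := VerifySPCToken(tok, &paKey.PublicKey, now)
	fmt.Println(got.Sub, err, TokenCoversCertificate(got, now.Add(365*24*time.Hour)))
}
```

   The verifier decides the algorithm itself instead of reading it from
   the token, and it verifies the signature before it looks at any
   claim, so an attacker-controlled payload is never parsed as trusted
   data.  Pinning the STI-PA key rather than dereferencing x5u keeps a
   forged x5u from pointing the CA at a certificate the attacker
   controls.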
skipping to change at page 8, line 40
              Wendt, C. and J. Peterson, "Personal Assertion Token
              (PASSporT)", draft-ietf-stir-passport-11 (work in
              progress), February 2017.

   [I-D.ietf-stir-rfc4474bis]
              Peterson, J., Jennings, C., Rescorla, E., and C. Wendt,
              "Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-16
              (work in progress), February 2017.

   -01 only:
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC7340]  Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure
              Telephone Identity Problem Statement and Requirements",
              RFC 7340, DOI 10.17487/RFC7340, September 2014,
              -01: <http://www.rfc-editor.org/info/rfc7340>.
              -02: <https://www.rfc-editor.org/info/rfc7340>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              -01: 2015, <http://www.rfc-editor.org/info/rfc7515>.
              -02: 2015, <https://www.rfc-editor.org/info/rfc7515>.

   [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              -01: <http://www.rfc-editor.org/info/rfc7518>.
              -02: <https://www.rfc-editor.org/info/rfc7518>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              -01: <http://www.rfc-editor.org/info/rfc7519>.
              -02: <https://www.rfc-editor.org/info/rfc7519>.

   [RFC7638]  Jones, M. and N. Sakimura, "JSON Web Key (JWK)
              Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September
              -01: 2015, <http://www.rfc-editor.org/info/rfc7638>.
              -02: 2015, <https://www.rfc-editor.org/info/rfc7638>.
Authors' Addresses

   Mary Barnes
   -01: MLB@Realtime Communications
   -02: iconectiv

   Email: mary.ietf.barnes@gmail.com


   Chris Wendt
   Comcast
   One Comcast Center
   Philadelphia, PA 19103
   US

   Email: chris-ietf@chriswendt.net
End of changes.  16 change blocks.
24 lines changed or deleted, 23 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/