rfcdiff: draft-ietf-sidr-res-certs-04.txt (old, -04) vs. draft-ietf-sidr-res-certs-05.txt (new, -05)

SIDR                                   G. Huston
Internet-Draft                         G. Michaelson
Intended status: Standards Track       R. Loomans
                                       APNIC
Expires: August 24, 2007 (-04) / August 28, 2007 (-05)
February 20, 2007 (-04) / February 24, 2007 (-05)

A Profile for X.509 PKIX Resource Certificates
draft-ietf-sidr-res-certs-04.txt (-04) / draft-ietf-sidr-res-certs-05.txt (-05)
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
[unchanged text omitted; next change at page 1, line 35]
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 24, 2007 (-04) / August 28, 2007 (-05).
Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

This document defines a standard profile for X.509 certificates for
the purposes of supporting validation of assertions of "right-to-use"
of an Internet Number Resource (IP Addresses and Autonomous System
[unchanged text omitted; next change at page 2, line 33]
Table of Contents (page numbers shown as "-04 / -05" where they differ)

   3.9.4.  Key Usage . . . . . . . . . . . . . . . 10
   3.9.5.  CRL Distribution Points . . . . . . . . 10
   3.9.6.  Authority Information Access  . . . . . 10
   3.9.7.  Subject Information Access  . . . . . . 11
   3.9.8.  Certificate Policies  . . . . . . . . . 12
   3.9.9.  Subject Alternate Name  . . . . . . . . 12
   3.9.10. IP Resources  . . . . . . . . . . . . . 12
   3.9.11. AS Resources  . . . . . . . . . . . . . 13
4. Resource Certificate Revocation List Profile . . 13
   4.1. Version . . . . . . . . . . . . . . . . . . 13
   4.2. Issuer Name . . . . . . . . . . . . . . . . 14 / 13
   4.3. This Update . . . . . . . . . . . . . . . . 14
   4.4. Next Update . . . . . . . . . . . . . . . . 14
   4.5. Signature . . . . . . . . . . . . . . . . . 14
   4.6. Revoked Certificate List  . . . . . . . . . 14
      4.6.1. Serial Number  . . . . . . . . . . . . 14
      4.6.2. Revocation Date  . . . . . . . . . . . 14
   4.7. CRL Extensions  . . . . . . . . . . . . . . 15 / 14
      4.7.1. Authority Key Identifier . . . . . . . 15
      4.7.2. CRL Number . . . . . . . . . . . . . . 15
5. Resource Certificate Request Profile . . . . . . 15
   5.1. PKCS#10 Profile . . . . . . . . . . . . . . 15
      5.1.1. PKCS#10 Resource Certificate Request Template Fields . . 15
   5.2. CRMF Profile  . . . . . . . . . . . . . . . 16
      5.2.1. CRMF Resource Certificate Request Template Fields  . . 17
      5.2.2. Resource Certificate Request Control Fields  . . . . . 17
   5.3. Certificate Extension Attributes in Certificate Requests . 18
6. Resource Certificate Validation  . . . . . . . . 21
   6.1. Trust Anchors for Resource Certificates . . 21
   6.2. Resource Extension Validation . . . . . . . 22
   6.3. Resource Certificate Path Validation  . . . 22 / 23
7. Example Use Cases  . . . . . . . . . . . . . . . 23 / 24
8. Security Considerations  . . . . . . . . . . . . 24
9. IANA Considerations  . . . . . . . . . . . . . . 24
10. Acknowledgements  . . . . . . . . . . . . . . . 24
11. Normative References  . . . . . . . . . . . . . 24
Appendix A. Example Resource Certificate  . . . . . 25
Appendix B. Example Certificate Revocation List . . 27
Authors' Addresses  . . . . . . . . . . . . . . . . 28
Intellectual Property and Copyright Statements  . . 30
1. Introduction

[unchanged text omitted; next change at page 6, line 8]

   the resource extension field.

3. A test of the resource extension in the context of certificate
   validity includes the condition that the resources described in
   the immediate superior certificate in the PKI hierarchy (the
   certificate where this certificate's issuer is the subject) has a
   resource set (called here the "Issuer's resource set") that must
   encompass the resource set of the issued certificate. In this
   context "encompass" allows for the issuer's resource set to be
   the same as, or a strict superset of, any subject's resource set.

   Added in -05: The constraints imposed by this profile furthermore
   require that the encompassing issuer's resource set be described
   in a single certificate, and not in two or more certificates.

A test of certificate validity entails the identification of a
sequence of valid certificates in an issuer-subject chain (where the
subject field of one certificate appears as the issuer in the next
certificate in the sequence) from one, and only one, trust anchor to
the certificate being validated, and that the resource extensions in
this certificate sequence from the trust anchor to the certificate
form a sequence of encompassing relationships.
3. Resource Certificate Fields

[unchanged text omitted; next change at page 12, line 27 (-04) / line 22 (-05)]

For End Entity certificates, where the subject is not a CA, this
field MAY be present, and is non-critical. If present, it references
the location where objects signed by the key pair associated with the
End Entity certificate can be accessed. The id-ad-
signedObjectRepository OID is used when the subject is an End Entity
and it publishes objects signed with the matching private key in a
repository.

   id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }

   -04: id-ad-signedObjectRepositor OBJECT IDENTIFIER ::= { id-ad 9 }
   -05: id-ad-signedObjectRepository OBJECT IDENTIFIER ::= { id-ad 9 }

3.9.8. Certificate Policies

This extension MUST reference the Resource Certificate Policy, using
the OID Policy Identifier value of "1.3.6.1.5.5.7.14.2". This field
MUST be present and MUST contain only this value for Resource
Certificates.

PolicyQualifiers MUST NOT be used in this profile.
[unchanged text omitted; next change at page 15, line 24 (-04) / line 18 (-05)]

identifying the public key corresponding to the private key used to
sign a CRL. Conforming CRL issuers MUST use the key identifier
method. The syntax for this CRL extension is defined in section
4.2.1.1 of [RFC3280].

This extension is non-critical.

4.7.2. CRL Number

The CRL Number extension conveys a monotonically increasing sequence
number of positive integers for a given CA. This extension allows
users to easily determine when a particular CRL supersedes another
CRL. The highest CRL Number value supersedes all other CRLs issued
by the CA within the scope of this profile.
(-04 read "a monotonically increasing sequence number for a given CA";
-05 adds "of positive integers".)

This extension is non-critical.

5. Resource Certificate Request Profile

5.1. PKCS#10 Profile

This profile refines the specification in [RFC2986], as it relates to
Resource Certificates. A Certificate Request Message object,
formatted according to PKCS#10, is passed to a Certificate Authority
[unchanged text omitted; next change at page 20, line 44]

CertificatePolicies
   This field is assigned by the CA and MUST be omitted in this
   profile.

SubjectAlternateName
   This field MAY be present, and the CA MAY use this as the
   SubjectAltName in the issued Certificate.

IPResources
   -04: This field is assigned by the CA and MUST be omitted in this
   profile.

   -05: This field is assigned by the CA if omitted by the requestor,
   and shall be interpreted as a request to certify all IP Resources
   assigned to the requestor within the context of this CA. If
   present, this is to be interpreted as the maximal set of IP
   Resources to be certified by the CA, and the CA may reduce this to
   the certified IP Resource set based on the IP Resources assigned
   to the requestor under this CA.

ASResources
   -04: This field is assigned by the CA and MUST be omitted in this
   profile.

   -05: This field is assigned by the CA if omitted by the requestor,
   and shall be interpreted as a request to certify all AS Resources
   assigned to the requestor within the context of this CA. If
   present, this is to be interpreted as the maximal set of AS
   Resources to be certified by the CA, and the CA may reduce this to
   the certified AS Resource set based on the AS Resources assigned
   to the requestor under this CA.

With the exception of the publicKey field, the CA is permitted to
alter any requested field.
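The encompassing test in the numbered list of the introduction and the IPResources/ASResources request rule in section 5.3 both come down to operations on sets of integer intervals. The following Python is an added example, not code from the draft or from any RPKI implementation; it assumes prefix, address-range and "ASnnnn" text as input and models a certificate only by its resource sets.

```python
import ipaddress

def _ip_range(text):
    """'10.0.0.0/8' or '10.0.0.0-10.255.255.255' -> (family, lo, hi) as ints."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    else:
        net = ipaddress.ip_network(text, strict=True)
        lo, hi = net[0], net[-1]
    assert lo.version == hi.version and lo <= hi
    return ("ipv%d" % lo.version, int(lo), int(hi))

def _as_range(text):
    """'AS64500' or 'AS64500-AS64510' -> ('as', lo, hi)."""
    nums = [int(p.strip().upper().lstrip("AS")) for p in text.split("-")]
    assert nums[0] <= nums[-1]
    return ("as", nums[0], nums[-1])

def resource_set(ips=(), ases=()):
    """Map family -> sorted, merged (lo, hi) intervals (a set, not a prefix list)."""
    rs = {}
    for fam, lo, hi in [_ip_range(t) for t in ips] + [_as_range(t) for t in ases]:
        rs.setdefault(fam, []).append((lo, hi))
    for fam, ivs in rs.items():
        merged = []
        for lo, hi in sorted(ivs):
            if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        rs[fam] = merged
    return rs

def encompasses(issuer, subject):
    """Issuer's set is the same as, or a superset of, the subject's set."""
    return all(any(a <= lo and hi <= b for a, b in issuer.get(fam, []))
               for fam, ivs in subject.items() for lo, hi in ivs)

def chain_is_valid(chain):
    """chain[0] is the trust anchor's set; every link must be encompassed."""
    return all(encompasses(chain[i], chain[i + 1]) for i in range(len(chain) - 1))

def certified_set(requested, assigned):
    """5.3 rule: absent request -> all assigned; present -> reduced to assigned."""
    if requested is None:
        return assigned
    return {fam: [(max(lo, a), min(hi, b)) for lo, hi in ivs
                  for a, b in assigned.get(fam, []) if max(lo, a) <= min(hi, b)]
            for fam, ivs in requested.items()}
```

The merge step matters: two adjacent /25s in an issuer certificate do encompass a subject /24, which a prefix-by-prefix comparison would wrongly reject.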
6. Resource Certificate Validation

This section describes the Resource Certificate validation procedure.
This refines the generic procedure described in section 6 of
[RFC3280]:
End of changes. 11 change blocks; 21 lines changed or deleted, 27 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/