INTERNET-DRAFT R. Housley Intended Status: Standards Track Vigil Security Updates: RFC 5280 (if approved) Expires: 14 November 2016 13 May 2016 Extended Key Usage Constraints draft-housley-spasm-eku-constraints-00 Abstract This document specifies the extended key usage constraints certificate extension, which is used to place restrictions on the key purpose identifiers that are authorized to appear in subsequent certificates in a certification path. Restrictions apply to the extended key usage certificate extension, which is described in RFC 5280. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Copyright and License Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Housley Expires 14 November 2016 [Page 1] INTERNET-DRAFT EKU Constraints 13 May 2016 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1 Introduction This document specifies the extended key usage constraints certificate extension, which is used to place restrictions on the key purpose identifiers that are authorized to appear in subsequent certificates in a certification path. Restrictions apply to the extended key usage certificate extension, which is described in Section 4.2.1.12 of RFC 5280 [RFC5280]. 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 1.2. ASN.1 Certificates are generated using ASN.1 [X680], which uses the Basic Encoding Rules (BER) and the Distinguished Encoding Rules (DER) [X690]. 2. Extended Key Usage Constraints Certificate Extension The extended key usage (EKU) constraints certificate extension, which MUST be used only in a CA certificate, indicates the extended key usage values that are authorized to appear in subsequent certificates in a certification path. Restrictions apply to the extended key usage certificate extension, which is described in Section 4.2.1.12 of RFC 5280 [RFC5280]. Restrictions are defined in terms of permitted or excluded key purpose identifiers. Any key purpose identifier matching an entry in the excludedKeyPurposeIds field is invalid regardless of information appearing in the permittedKeyPurposeIds. Conforming CAs MUST mark this extension as critical, and conforming CAs MUST NOT issue certificates where this extension is an empty sequence. That is, either the permittedKeyPurposeIds field or the excludedKeyPurposeIds field MUST be present. Conforming applications MUST be able to process this extension. If any CA certificate in the certification path includes an EKU Housley Expires 14 November 2016 [Page 2] INTERNET-DRAFT EKU Constraints 13 May 2016 constraints extension that is marked as critical, and the end-entity certificate includes an extended key usage certificate extension, then the application MUST either process the EKU constraint or reject the certificate. ekuConstraints EXTENSION ::= { SYNTAX EKUConstraints IDENTIFIED BY id-ce-ekuConstraints } id-ce-ekuConstraints OBJECT IDENTIFIER ::= { id-ce TBD } EKUConstraints ::= SEQUENCE { permittedKeyPurposeIds [0] KeyPurposeIds OPTIONAL, excludedKeyPurposeIds [1] KeyPurposeIds OPTIONAL } KeyPurposeIds ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId 3. Basic Path Validation Certification path validation is described in Section 6.1 of RFC 5280 [RFC5280]. Certification path processing verifies the binding between the subject name and the subject public key. The binding is limited by constraints that are specified in the certificates that comprise the path and inputs that are specified by the relying party. This section extends to path processing to include EKU constraints. 3.1. Inputs No additional inputs are needed. 3.2. Initialization Two additional values are initialized. (l) permitted_key_purpose_ids: a set of key purpose identifiers; all of the key purpose identifiers in the end-entity certificate MUST be included in this set. If the set is empty, then the certification path will be considered invalid if the end-entity certificate includes an extended key usage extension. The initial value is a special value that represents the universal set. (m) excluded_key_purpose_ids: a set of key purpose identifiers; the key purpose identifiers in the end-entity certificate MUST NOT be included in this set. If the set is empty, then no key purpose identifiers are excluded. The initial value is a is the empty set. Housley Expires 14 November 2016 [Page 3] INTERNET-DRAFT EKU Constraints 13 May 2016 3.3. Basic Certificate Processing No additional processing steps are needed. 3.4. Preparation for Certificate i+1 One additional processing step is needed. (p) If a EKU constraints extension is included in the certificate, then modify the permitted_key_purpose_ids and excluded_key_purpose_ids state variables as follows: (1) If permittedKeyPurposeIds is present in the certificate, set the permitted_key_purpose_ids state variable to the intersection of its previous value and the value indicated in the extension field. (2) If excludedKeyPurposeIds is present in the certificate, set the excluded_key_purpose_ids state variable to the union of its previous value and the value indicated in the extension field. 3.5. Wrap-Up Procedure One additional processing step is needed. (h) If the EKU extension is included in the end-entity certificate, then confirm that the values meet the restrictions in the permitted_key_purpose_ids and excluded_key_purpose_ids state variables as follows: (1) If permitted_key_purpose_ids state variable is not special value that represents the universal set, then confirm that all of the key purpose identifiers are present in the set. If any are missing, then returning a failure indication and an appropriate reason. (2) If excluded_key_purpose_ids state variable is not empty, then confirm that none of the key purpose identifiers are present in the set. If any are present, then returning a failure indication and an appropriate reason. 3.6. Outputs No additional output values are returned. Housley Expires 14 November 2016 [Page 4] INTERNET-DRAFT EKU Constraints 13 May 2016 4. IANA Considerations Please assign an object identifier for the certificate extension specified in this document. Once the ASN.1 module is added, then an object identifier for that will be needed too. 5. Security Considerations TBD 6. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . Appendix: ASN.1 Module TBD Author's Address Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA EMail: housley@vigilsec.com Housley Expires 14 November 2016 [Page 5]