PKIX Working Group P. Yee Internet Draft RSA Security Expires September 2002 March 2002 Attribute Certificate Request Message Format Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of [RFC2026]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract The Certificate Request Message Format ([CRMF]) specifies a format for requesting an X.509 public key certificate from a Certification Authority (CA), possibly with assistance from an Local Registration Authority (LRA). This specification, ACRMF, is modeled on CRMF, extending similar functionality to requests for X.509 attribute cer- tificates from Attribute Authorities (AA), possibly via an Attribute Registration Authority (ARA). 1. Introduction The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY" in this document are to be interpreted as described in [RFC2119]. ACRMF is essentially a recasting of CRMF to support attribute certi- ficate requests. As such, the data structures are parallel. CRMF specifies a set of controls for manipulating the certificate request. Most of these controls are not applicable to attribute certificates, and thus ACRMF presents a more limited set of controls. Yee [Page 1] Internet Draft March 2002 It is expected that ACRMF will be used in conjunction with [ACMC], the modification to [CMC] and [CMCbis] to allow attribute certificate requests. Requested certificates must comply with the provisions of [ACPROF]. 2. Overview An attribute certificate request consists of: a) An AttrCertRequest value, which is made up of information about the holder of the proposed attribute certificate, the attributes and their values to be populated in the attribute certificate, the vali- dity period, and possibly extensions. b) Additional registration information that may be conveyed in the AttrCertReqMessage. 3. AttrCertRequestMessage Syntax An attribute certificate request message is composed of the attribute certificate request and optional registration information. AttrCertReqMessages :: SEQUENCE SIZE (1..MAX) OF AttrCertReqMsg AttrCertReqMsg :: = SEQUENCE { attrCertReq AttrCertRequest, regInfo Attributes OPTIONAL } Attributes ::= SEQUENCE SIZE (1..MAX) OF Attribute The AttrCertRequest message contains information that will be used to form the attribute certificate. Additional information that is placed in the attribute certificate MAY be supplied by the Attribute Registration Authority and will be supplied to the Attribute Author- ity. The information in the request MAY be combined with information from other sources to form the attribute certificate. For example, a local database may provide information about each potential attribute certificate holder. The registration information (regInfo) SHOULD only contain supplemen- tary information related to the context of the certification request when such information is required to fulfill a certification request. This information is not used in the construction of the attribute certificate. This information MAY include subscriber contract infor- mation, billing information, or other ancillary information useful to fulfillment of the certification request. Yee [Page 2] Internet Draft March 2002 4. AttrCertRequest Syntax The AttrCertRequest syntax consists of an ID, a template of the (requestable) certificate content, and message controls. AttrCertRequest ::= SEQUENCE { attrCertReqID INTEGER, attrCertTemplate AttrCertTemplate, controls Controls OPTIONAL} AttrCertTemplate ::= SEQUENCE { version [0] AttrCertVersion OPTIONAL, -- version must be v2 holder [1] AttrCertHolder OPTIONAL, issuer [2] AttrCertIssuer OPTIONAL, signature [3] SignatureAlgorithmIdentifier OPTIONAL, attrCertValidityPeriod [4] AttrCertValidtyPeriod OPTIONAL, attributes [5] Attributes OPTIONAL, extensions [6] Extensions OPTIONAL } AttrCertVersion :: = INTEGER { v2(1) } AttrCertHolder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL -- issuer and serial number of the holder's PKC entityName [1] GeneralNames OPTIONAL } -- subject name or subject alternative name in the holder's PKC SignatureAlgorithmIdentifier ::= AlgorithmIdentifier AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this profile v2Form [0] V2Form -- v2 only } V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL -- issuerName MUST be present in this profile -- the other forms sometimes used, baseCertificateID and objectDigestInfo, -- MUST NOT be present in this profile } AttrCertValidityPeriod ::= SEQUENCE { notBeforeTime [0] GeneralizedTime OPTIONAL, notAfterTime [1] GeneralizedTime OPTIONAL } Yee [Page 3] Internet Draft March 2002 5. Controls Syntax The generator of an AttrCertRequest may include one or more control values pertaining to the processing of the request. Controls ::= SEQUENCE SIZE (1..MAX) OF Attribute The following controls are defined (it is recognized that this list may expand over time): pmiPubInfo, oldCertID. 5.1. Publication Information Control The pmiPubInfo control enables the holder to control the AA's publi- cation of the attribute certificate. It is defined by the following syntax: PMIPubInfo ::= SEQUENCE { action INTEGER { doNotPublish (0), pleasePublish (1) }, pubInfos SEQUENCE SIZE (1..MAX} OF PubInfo OPTIONAL } -- pubInfos MUST NOT be present if the action is "doNotPublish". -- If the action is "pleasePublish" and PubInfos is omitted, -- "doNotCare" is assumed. PubInfo ::= SEQUENCE { pubMethod PublicationMethod, pubLocation GeneralName OPTIONAL } PublicationMethod :: = INTEGER { doNotCare (0), x500 (1), web (2), ldap (3) } If the doNotPublish option is chosen, the holder is requesting that the AA not publish the attribute certificate. The holder may publish the certificate him/herself or the attribute certificate may have a short validity period, making publication undesirable. If the doNotCare method is chosen, or if the PMIPubInfo control is omitted from the request, the requester indicates that the AA MAY publish the attribute certificate by whatever means the AA deems appropriate. Yee [Page 4] Internet Draft March 2002 If the requester wishes the certificate to appear in at least some locations but wishes to enable the AA to make the certificate avail- able in other repositories, then multiple PubInfo values should be used, with one of these values set to doNotCare. The pubLocation field, if supplied, indicates where the requester would like the certificate to be found according to the publication method selected. A suitable value using one of the CHOICE values from GeneralNames MUST be given if the pubLocation is present. 5.2. OldCert ID Control If present, the OldCertID control specifies the certificate to be replaced by the certificate generated in response to the current attribute certificate request. The syntax of its value is: AttrCertId ::= Sequence { issuer GeneralName, SerialNumber INTEGER } 6. Security Considerations Security considerations are not yet discussed in this memo. 7. References [ACMC] Yee, P. Work in progress, March 2001. "Attribute Certi- ficate Management Messages over CMS", draft-ietf-pkix- acmc-01.txt. [ACPROF] Farrell, S. and R. Housley. Work in progress, June 8, 2001. "An Internet Atribute Certificate Profile for Authorization", draft-ietf-pkix-ac509prof-09.txt. [CMC] Myers, M., X. Liu, J. Schaad, and J. Weinstein. April 2000. "Certificate Management Messages over CMS", RFC 2797. [CMCbis] Myers, M., X. Liu, J. Schaad, and J. Weinstein. Work in progress, July 2001. "Certificate Management Messages over CMS", draft-ietf-pkix-rfc2797-bis-01.txt. [CRMF] Myers, M., C. Adams, D. Solo, and D. Kemp. March 1999. "Internet X.509 Certificate Request Message Format", RFC 2511. Yee [Page 5] Internet Draft March 2002 [RFC2026] Bradner, S. October 1996. "The Internet Standards Pro- cess -- Revision 3", RFC 2026, BCP 9. [RFC2119] Bradner, S. March 1997. "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14. Author's Address: Peter Yee RSA Security 2955 Campus Drive Suite 400 San Mateo, California 94403 USA email: pyee@rsasecurity.com Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of develop- ing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MER- CHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Appendix A: Object Identifiers The OID id-pkix has the value id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organizations(3) dod(6) Yee [Page 6] Internet Draft March 2002 internet(1) security(5) mechanisms(5) pkix(7) } -- arc for Internet X.509 PKI protocols and their components id-pkip OBJECT IDENTIFIER ::= { id-pkix pkip(5) } -- Remaining OIDs subject to change due to issuance of actual values or to -- changes in the arc placement. -- ACRMF arc id-acrmf OBJECT IDENTIFIER ::= { id-pkip acrmf(x) } -- Registration controls in ACRMF id-aCRegCtrl OBJECT IDENTIFIER ::= { id-acrmf aCRegCtrl(1) } id-aCRegCtrl-pmiPublicationInfo OBJECT IDENTIFIER ::= { id-aCRegCtrl 1 } id-aCRegCtrl-oldCertId OBJECT IDENTIFIER ::= { id-aCRegCtrl 2 } Appendix B: ASN.1 Module PKIXACRMF { iso(1) identified-organizations(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf(X) } ACRMF DEFINITIONS IMPLICIT TAGS ::= BEGIN IMPORTS -- Directory Authentcation Framework (X.509) Extensions FROM PKIX1Explicit88 { iso(1) identified-organizations(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1) } -- Certificate Extensions (X.509) GeneralName FROM PKIX1Implicit88 { iso(1) identified-organizations(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2) } AttrReqMesssages :: SEQUENCE SIZE (1..MAX) OF AttrCertReqMsg AttrCertReqMsg :: = SEQUENCE { attrCertReq AttrCertRequest regInfo SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL } AttrCertRequest ::= SEQUENCE { attrCertReqId INTEGER, -- ID for matching requests/replies attrCertTemplate AttrCertTemplate, -- Selected fields of cert to issue controls Controls OPTIONAL } -- Attributes affecting issuance Yee [Page 7] Internet Draft March 2002 AttrCertTemplate ::= SEQUENCE { version [0] AttrCertVersion OPTIONAL, -- if used MUST be v2 holder [1] AttrCertHolder OPTIONAL, issuer [2] AttrCertIssuer OPTIONAL, signature [3] SignatureAlgorithmIdentifier OPTIONAL, attrCertValidityPeriod [4] AttrCertValidtyPeriod OPTIONAL, attributes [5] SEQUENCE OF Attribute OPTIONAL, -- IMPORTed extensions [6] Extensions OPTIONAL } -- IMPORTed from PKIX#1 AttrCertVersion :: = INTEGER { v2(1) } AttrCertHolder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL -- the issuer and serial number of the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL -- the name of the claimant or role } SignatureAlgorithmIdentifier ::= AlgorithmIdentifier AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this profile v2Form [0] V2Form -- v2 only } V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, -- issuerName MUST be present in this profile -- the other forms sometimes used, baseCertificateID and objectDigestInfo, -- MUST NOT be present in this profile } AttrCertValidityPeriod ::= SEQUENCE { notBeforeTime [0] GeneralizedTime OPTIONAL, notAfterTime [1] GeneralizedTime OPTIONAL } Controls ::= SEQUENCE SIZE (1..MAX) OF Attribute Yee [Page 8]