Public Notary Transparency S. Kent Internet-Draft BBN Technologies Intended status: Standards Track R. Andrews Expires: June 24, 2016 Symantec December 22, 2015 Syntactic and Semantic Checks for Extended Validation Certificates draft-kent-trans-extended-validation-cert-checks-02 Abstract Certificate Transparency (CT) [RFC6962-bis] is a system for publicly logging the existence of X.509 certificates as they are issued or observed. The logging mechanism allows anyone to audit certification authority (CA) activity and detect the issuance of "suspect" certificates. Detecting mis-issuance of certificates is a primary goal of CT. A certificate is considered to be mis-issued if it fails to meet syntactic and/or semantic criteria associated with the type of certificate being issued. Mis-issuance can be detected by CT log servers, whose feedback to a CA could prompt the CA to not issue a suspect certificate. (Preventing the mis-issuance of such a certificate is preferable to issuing it and detecting it later.) Compliant CT log servers could offer these checks to a CA submitting a pre-certificate to be logged. These checks are intended to be used in an environment in which CAs optionally assert the version of the EV guidelines to which the submitted pre-certificate purportedly conforms. Log servers would then perform the checks of supported [CABF-EV] versions and include the CA's assertion and the log server's result in its Signed Certificate Timestamp (SCT). Monitors can also perform checks to detect suspect certificates on behalf of certificate Subjects. Checks performed by a Monitor also serve to double check log servers that claim to have checked a certificate, to identify those that are not doing the checks properly, e.g., because of errors, compromise, or conspiracy. This provides Monitors and CT clients with additional information when choosing which logs to use. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Kent & Andrews Expires June 24, 2016 [Page 1] Internet-Draft Extended Validation Certificate Checks December 2015 Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 24, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Syntactic Checks . . . . . . . . . . . . . . . . . . . . . . 3 2.1. EV Certificate Field Syntax Requirements . . . . . . . . 4 2.2. Certificate Extension Syntax Requirements . . . . . . . . 5 2.3. Certificate Public Key: same as for DV certificates . . . 6 2.4. Certificate Signature: same as for DV certificates . . . 6 3. Semantic Verification of an EV Certificate . . . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 6.1. Informative References . . . . . . . . . . . . . . . . . 8 6.2. Normative References . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction The following checks are extracted from the CA Browser Forum (CABF) document "Guidelines for the Issuance and Management of Extended Validation Certificates" version 1.5.2 [CABF-EV]. (If a new version Kent & Andrews Expires June 24, 2016 [Page 2] Internet-Draft Extended Validation Certificate Checks December 2015 of the CABF guidelines is created that alters any of the checks described below, a new CCID value MUST be assigned.) These requirements are used to define what constitutes mis-issuance of a certificate in the context of certificate transparency (CT) for Web PKI certificates. The CABF guidelines from which these checks are derived include many aspects of CA operation that are outside of the scope of CT-based detection of certificate mis-issuance, i.e., they impose requirements that could not be verified by a Monitor examining certificate logs. Hence this document was created to provide an enumeration of EV certificate checks for the Web PKI CT context. The checks enumerated below are to be applied to any certificate submitted to a log with the Certificate Class ID (CCID) value of 2 (see Section X of [CT RFC]). Note that "root" CA certificates are not subject to verification against these criteria. Each log maintains a list of the root CAs for which it is willing to accept SCT generation requests. This implies that the log operator has already determined that these CAs, and their corresponding self- signed certificates, are acceptable. A subordinate CA certificate will be checked only if it is submitted as the target of an SCT. If a subordinate CA certificate appears as part of a chain submitted for SCT generation, but is not the last certificate (the End-Entity or EE certificate) in that chain, the checks enumerated below should be applied to the EE certificate but not the subordinate CA certificate. [CABF-EV] describes both syntactic and semantic requirements for certificate issuance. This document deals primarily with syntactic checks, but also describes how semantic checks are to be performed. A log MAY perform the syntactic checks enumerated below if a certificate is submitted with a CCID value of 2. If a log performs these syntactic checks, it adds the SSV value appropriate for the outcome of the check (see Section Z of [CT-RFC]). Monitors SHOULD perform both the syntactic and semantic checks described below for all certificates that they protect, and which are marked with a CCID value of 2. 2. Syntactic Checks An X.509 certificate consists of a set of fields (all but two of which are mandatory), a set of optional extensions, a public key and a signature. This section defines the syntactic requirements imposed on the certificate fields. The following sections deal with extensions, public keys, and signatures. Kent & Andrews Expires June 24, 2016 [Page 3] Internet-Draft Extended Validation Certificate Checks December 2015 2.1. EV Certificate Field Syntax Requirements [CABF-EV] establishes syntactic requirements for EV certificates. Many of these requirements are the same as for DV certificates. The syntactic checks for DV certificates appear in [RFC-DV]. To avoid possible inconsistency between that RFC and this one, when the syntactic check for an EV certificate is the same as for a DV certificate, the phrase "same as for DV certificates" is inserted. 1. Version number: same as for DV certificates 2. certificate serial number: same as for DV certificates (Note that this is not the Subject Registration Number attribute discussed below.) 3. signature: same as for DV certificates 4. issuer: same as for DV certificates 5. validity: The maximum validity interval is 27 months. 6. subject: A certificate MAY contain a NULL Subject name. If it contains a non-null Subject name: A. It MUST contain the organizationName attribute. This requirement is derived from Section 9.2.1 of [CABF-EV]. B. It MAY contain a commonName attribute. If this attribute is present, it MUST contain a Fully-Qualified Domain Name (not a wildcard name). This requirement is derived from Section 9.2.3 of [CABF-EV]. C. It MUST contain the businessCategory attribute, and the value of that attribute must match one of the four allowed values. This requirement is derived from Section 9.2.4 of [CABF-EV]. D. It MUST contain the jurisdictionCountryName attribute as specified in [CABF-EV]. This requirement is derived from Section 9.2.5 of [CABF-EV]. (Note that this attribute is NOT defined in [RFC5280].) E. It MAY contain the jurisdictionLocalityName as specified in [CABF-EV]. This requirement is derived from Section 9.2.5 of [CABF-EV]. (Note that this attribute is NOT defined in [RFC5280].) Kent & Andrews Expires June 24, 2016 [Page 4] Internet-Draft Extended Validation Certificate Checks December 2015 F. It MAY contain the jurisdictionStateOrProvinceName as specified in [CABF-EV]. This requirement is derived from Section 9.2.5 of [CABF-EV]. (Note that this attribute is NOT defined in [RFC5280].) G. It MUST contain the Subject Registration Number (also known as Subject:serialNumber) attribute. This requirement is derived from Section 9.2.6 of [CABF-EV]. H. The countryName, stateOrProvinceName and localityName MUST be present and populated with values consistent with the syntax defined in [RFC5280]. This requirement is derived from Section 9.2.7 of [CABF-EV]. I. The localityName, streetAddress, and postalCode attributes MAY be present and if present, MUST be populated with values consistent with the syntax defined in [RFC5280]. This requirement is derived from Section 9.2.7 of [CABF-EV]. J. Other Subject attributes, as specified in Appendix A of [RFC5280], MAY appear. These attributes MUST NOT contain metadata such as '.', '-', or ' ' (i.e. space) characters. This requirement is derived from section 9.2.8 of [CABF-EV]. 7. subjectPublicKeyInfo: same as for DV certificates. 8. issuerUniqueId: same as for DV certificates. 9. subjectUniqueId: same as for DV certificates. 10. signatureAlgorithm: same as for DV certificates. 11. signatureValue: same as for DV certificates. 2.2. Certificate Extension Syntax Requirements An X.509 v3 certificate may contain extensions. [CABF-EV] mandates the presence of several extensions, and imposes requirements on their content. 1. The subjectAltName extension: same requirements as for DV certificates, except Wildcard FQDNs are not permitted. This requirement is derived from Section 9.2.2 of [CABF-EV]. 2. A certificate issued to a Subscriber MUST include the certificatePolicies extension. It MAY or MAY NOT be marked CRITICAL. It MUST contain one or more policy identifiers associated with an extended validation policy of the Issuer. Kent & Andrews Expires June 24, 2016 [Page 5] Internet-Draft Extended Validation Certificate Checks December 2015 This requirement is derived from Section 9.3.2 and 9.3.5 of [CABF-EV]. There are two commonly cited references for EV OIDs: http://en.wikipedia.org/wiki/Extended_Validation_Certificate and https://code.google.com/p/chromium/codesearch#chromium/src/net/ cert/ev_root_ca_metadata.cc&sq=package:chromium A log or Monitor checking a certificate that purports to be an EV certificate SHOULD use these references to verify that it contains an appropriate policy OID. This extension MUST contain certificatePolicies:policyIdentifier, certificatePolicies:policyQualifiers:policyQualifierId (id-qt 1) and certificatePolicies:policyQualifiers:qualifier:cPSuri (the URL for the CA's CPS). This requirement is derived from Section 9.7 paragraph (3) of [CABF-EV]. 3. basicConstraints: same as for DV certificates. 4. The cRLDistributionPoints extension MUST be present in a CA certificate. It MUST NOT be marked critical and it MUST contain an HTTP URL. This extension MUST be present in a Subscriber certificate if the certificate does not specify an OCSP responder location in the authorityInformationAccess extension. 5. keyUsage extension: same as for DV certificates. 6. authorityInformationAccess extension: same as for DV certificates 7. extendedKeyUsage extension: same as for DV certificates. 8. nameConstraints extension: same as for DV certificates 9. Other extensions defined in [RFC5280]: same as for DV certificates. 2.3. Certificate Public Key: same as for DV certificates 2.4. Certificate Signature: same as for DV certificates 3. Semantic Verification of an EV Certificate The fundamental semantic check that a Monitor MUST perform is to detect bogus certificates on behalf of its clients. A client of a Monitor provides the Monitor with a set of certificates that have been issued to the client. (Note that a client may have multiple certificates issued to its name, and thus there is not a one-to-one mapping between names and public keys.) These certificates MUST be acquired in a secure fashion, not using certificate discovery Kent & Andrews Expires June 24, 2016 [Page 6] Internet-Draft Extended Validation Certificate Checks December 2015 protocols or relying on databases operated by a CA or RA. Armed with this information, a Monitor can examine every log entry to determine if it contains the same Subject or subjectAltName as that of a client. If a log entry matches either of these names, and if it contains a public key distinct from the set of keys provided by the Subject, this is evidence of mis-issuance. (Note that a Monitor cannot rely on a log operated by a CA, to detect mis-issuance by that CA.) If a Monitor identifies what appears to be a bogus certificate, it notifies the client. The means by which notification is effected is not specified. [CABF-EV] imposes a number of requirements on certificate issuance that cannot be verified without access to reference information for the certificate Subject, information about the CA hierarchy, or information about internal procedures of the CA. Monitors are not presumed to be able to perform such checks. Examples of such checks appear in Sections 7, 8, 9.1, and 9.2.4 of [CABF-EV]. Additional semantic checks SHOULD be performed by a Monitor, if it has access to the requisite information. These are enumerated below. 1. A certificate issued to a subordinate CA that is not controlled by a Root CA MUST NOT contain the anyPolicy policy identifier. This requirement is derived from section 9.3.4 (1) of [CABF-EV]. Verification of this requirement requires knowledge of CA organizational relationships and thus may not be available to all Monitors. 2. A certificate issued to a subordinate CA that is not controlled by the issuing CA MUST include one or more policy identifiers defined by the issuing CA that explicitly identify the EV Policies that are implemented by the Subordinate CA. This requirement is derived from section 9.3.4 (1) of [CABF-EV]. If the extension contains any of the OIDs noted explicitly above, it is acceptable. Verification of this requirement requires knowledge of CA organizational relationships and thus may not be available to all Monitors. 3. The Subject's Jurisdiction of Incorporation, Registration, or Place of Business MUST not be in any country with which the laws of the CA's jurisdiction prohibit doing business. This suggestion is derived from Section 11.12.2 (1) (B) of [CABF-EV]. 4. The Subject's organizationName attribute MUST contain the Subject's full legal organization name as listed in the official records of the Incorporating or Registration Agency in the Subject's Jurisdiction of Incorporation or Registration, although Kent & Andrews Expires June 24, 2016 [Page 7] Internet-Draft Extended Validation Certificate Checks December 2015 abbreviations are permitted. This requirement is derived from Section 9.2.1 of [CABF-EV]. 5. The Domain Names in the subjectAltName extension MUST be owned or controlled by the Subject, or MUST have been owned or controlled by the Subject at the time of certificate issuance. This requirement is derived from Section 9.2.2 of [CABF-EV]. 6. The Domain Name in the Subject Common Name field, if present, MUST be owned or controlled by the Subject, MUST have been owned or controlled by the Subject at the time of certificate issuance. This requirement is derived from Section 9.2.2 of [CABF-EV]. 7. The Subject Jurisdiction of Incorporation or Registration Fields MUST not contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. This requirement is derived from Section 9.2.5 of [CABF-EV]. 8. The Subject Physical Address of Place of Business Fields MUST contain the address of a physical location of the Subject's Place of Business. This requirement is derived from Section 9.2.7 of [CABF-EV]. 4. IANA Considerations TBD 5. Security Considerations TBD 6. References 6.1. Informative References [CABF-EV] CA/Browser Forum, "Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2", October 2014, . 6.2. Normative References [I-D.ietf-trans-rfc6962-bis] Laurie, B., Langley, A., Kasper, E., Messeri, E., and R. Stradling, "Certificate Transparency", draft-ietf-trans- rfc6962-bis-11 (work in progress), November 2015. Kent & Andrews Expires June 24, 2016 [Page 8] Internet-Draft Extended Validation Certificate Checks December 2015 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Authors' Addresses Stephen Kent BBN Technologies 10 Moulton St. Cambridge, MA 02138 US Email: kent@bbn.com Rick Andrews Symantec 350 Ellis Street Mountain View, CA 94043 US Email: Rick_Andrews@symantec.com Kent & Andrews Expires June 24, 2016 [Page 9]