Network Working Group M. King INTERNET-DRAFT M. Tebo Intended Status: Proposed Standard W. Brown Expires: October 2011 D. Silver C. Louden Protiviti Government Services April 19, 2011 claimSigning Extended Key Usage (EKU) draft-king-pkix-claimsigning-extn-00 Abstract This memo specifies an Extended Key Usage (EKU) X.509 certificate extension which indicates that the certificate holder is authorized to sign security tokens to assert claims, or attributes, about a principal. When an owner of a certificate that asserts the claimSigning EKU signs a claim, the owner is asserting that a statement about the principal is true. For example, a IdP secure token service (STS) would use an X.509 certificate containing the claimSigning EKU to sign SAML assertions containing an identifier and attributes about a user. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 1] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on October 14, 2011. Copyright and License Notice Copyright (c) IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Abstract Syntax Notation . . . . . . . . . . . . . . . . . . . 3 3. claimSigning Extended Key Usage Value . . . . . . . . . . . . 4 4. Using the claimSinging EKU in a Certificate . . . . . . . . . 5 5. Implications for a Certification Authority . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 8. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . 6 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 9.1 Normative References . . . . . . . . . . . . . . . . . . . 6 9.2 Informative References . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 2] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 1 Introduction A Claim Signer is software or a service that packages and digitally signs statements about particular subjects (i.e., claims) in the form of security tokens. The Claim Signer conveys that it is certified to issue claims by using a certificate that asserts the claimSigning Extended Key Usage (EKU) X.509 certificate extension. Claim Signing services are used in a number of applications. Examples of these services include Backend Attribute Exchange (BAE), Metadata signing, and SAML and other assertion protocols. This memo documents an extended key usage (EKU) X.509 certificate extension [PROFILE] for specifying the applicability of a certificate to be used with a Claim Signing service. As such, in addition to providing rules for processing certificates that assert the claimSigning EKU Object Identifier (OID), this memo also provides guidance to issuers of certificates for use with Claim Signing. 1.1 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [KEYWORDS]. Additionally, the following terms are defined: A Claim is a statement about a particular subject. Statements may include values that represent identity, attributes, keys, or other identifiers that are related to a particular subject. A Signed Claim is a digitally signed claim about a particular subject where the signer is indicating the veracity of the claim. A Claim Signer is software or a service that packages and digitally signs claims in the form of security tokens. The claim signer conveys the veracity of signed claims by using a certificate that asserts the claimSigning EKU. 2. Abstract Syntax Notation All X.509 certificate [X.509] extensions are defined using ASN.1 [X.680, X.690]. King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 3] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 3. claimSigning Extended Key Usage Value RFC 5280 [PROFILE] specifies the extended key usage (EKU) X.509 certificate extension. The EKU extension indicates one or more purposes for which the certificate may be used. The EKU extension can be used in conjunction with the key usage extension, which indicates the intended purpose of the certified public key. The EKU extension syntax is repeated here for convenience: ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) of KeyPurposeID KeyPurposeID ::= OBJECT IDENTIFIER This specification defines one KeyPurposeID value for use in transactions where Claim Signing is required. Inclusion of the Claim Signing value in the EKU indicates that the certificate is appropriate for use by an entity who intends to assert the veracity of a signed claim. id-kp OBJECT IDENTIFIER ::= { iso(1) identified- organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 } id-kp-claimSigning OBJECT IDENTIFIER ::= { id-kp TBD } The EKU extension MAY, at the option of the certificate issuer, be either critical or non-critical. Certificate-using applications MAY require the EKU extension to be present in a certificate, and they MAY require a particular KeyPurposeId value to be present (such as id-kp-claimSigning) within the EKU extension. If multiple KeyPurposeId values are included, the certificate-using application need not recognize all of them, as long as the required KeyPurposeId value is present. If a certificate contains a key usage extension, the certificate MUST only be used for a purpose consistent with the extension. If there is no purpose consistent with the extension, then the certificate- using application MUST NOT use the certificate for any purpose. King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 4] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 4. Using the claimSinging EKU in a Certificate In order to determine whether the usage of a certificate is restricted to serve as a claimSigning certificate only, implementations MUST perform the steps given below as a part of the certificate validation: The implementation MUST examine the Extended Key Usage value(s): If the certificate does not contain any EKU values (i.e., the Extended Key Usage extension does not exist), it is a matter of local policy whether or not to accept the certificate for use as a claimSigning certificate. Note that since certificates that do not follow this specification will not have the id-kp-claimSigning EKU value local policies might accept certificates for use as a claimSigning certificate to improve interoperability. If the certificate contains the id-kp-claimSigning EKU value, then implementations of this specification MUST consider the certificate acceptable for use as a claimSigning certificate. If the certificate does not contain the id-kp-claimSigning EKU value, but does contain the id-kp-anyExtendedKeyUsage EKU value, it is a matter of local policy whether or not to consider the certificate acceptable for use as a claimSigning certificate. If the EKU extension exists, but does not contain any of the id- kp-claimSigning or id-kp-anyExtendedKeyUsage EKU values, then the certificate MUST NOT be accepted as valid for use as a claimSigning certificate. 5. Implications for a Certification Authority The procedures and practices employed by a certification authority MUST ensure that the certificate requestor is authorized to sign claims within a particular community of interest before populating the certificate with the id-kp-claimSigning EKU value. 6. Security Considerations This memo defines an EKU X.509 certificate extension that restricts the usage of a certificate to a Claim Signing service. The procedures and practices employed by the certification authority (CA) MUST ensure that the correct values for the EKU are inserted in each certificate that is issued. Relying parties may accept or reject a particular certificate for an intended use King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 5] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 based on the information provided in the extension. Incorrect representation of the information in the extension could cause the relying party to reject an otherwise appropriate certificate or accept a certificate that ought to be rejected. 7. IANA Considerations Certificate extended key usage values are identified by object identifiers (OIDs). The OIDs used in this document were assigned from an arc delegated by the IANA. No further action by the IANA is necessary for this document or any anticipated updates [RFC5513]. 8. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. 9. References 9.1 Normative References [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [PROFILE] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [X.509] ITU-T. Recommendation X.509: The Directory - Authentication Framework. 2000. [X.680] ITU-T Recommendation X.680: Information Technology - Abstract Syntax Notation One, 1997. [X.690] ITU-T Recommendation X.690: Information Technology - Abstract Syntax Notation One Encoding Rules, 2002. 9.2 Informative References [RFC5513] Farrel, A., "IANA Considerations for Three Letter Acronyms", RFC 5513, April 1 2009. King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 6] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 Authors' Addresses Matt King Protiviti Government Services 1640 King St., Suite 400 Alexandria, VA 22314 Phone: 410-271-5624 Email: Matthew.King@pgs.protiviti.com Matt Tebo Protiviti Government Services 1640 King St., Suite 400 Alexandria, VA 22314 Phone: 301-312-5852 Email: Matt.Tebo@pgs.protiviti.com Wendy Brown Protiviti Government Services 1640 King St., Suite 400 Alexandria, VA 22314 Phone: 703-965-2990 Email: Wendy.Brown@pgs.protiviti.com Dave Silver Protiviti Government Services 1640 King St., Suite 400 Alexandria, VA 22314 Phone: 703-597-5114 Email: Dave.Silver@pgs.protiviti.com Chris Louden Protiviti Government Services 1640 King St., Suite 400 Alexandria, VA 22314 Phone: 703-447-7431 Email: Chris.Louden@pgs.protiviti.com King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 7] INTERNET DRAFT claimSigning Extended Key Usage April 14, 2011 King, Tebo, Brown, Silver & Louden:Expires October 19, 2011 [Page 8]