LAMPS                                                       M. Ounsworth
Internet-Draft                                                   Entrust
Updates: {"RFC5280"=>nil} (if approved)                M.-J. O. Saarinen
Intended status: Standards Track                                PQShield
Expires: 2 April 2024                                            J. Gray
                                                                 Entrust
                                                                 D. Hook
                                                               KeyFactor
                                                       30 September 2023


          External Keys For Use In Internet X.509 Certificates
              draft-ounsworth-lamps-pq-external-pubkeys-01

Abstract

   Many of the post quantum cryptographic algorithms have large public
   keys.  In the interest of reducing bandwidth of transitting X.509
   certificates, this document defines new public key and algorithms for
   referencing external public key data by hash, and location, for
   example URL.  This mechanism is designed to mimic the behaviour of an
   Authority Information Access extension.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://EntrustCorporation.github.io/draft-pq-external-pubkeys/draft-
   ounsworth-pq-external-pubkeys.html.  Status information for this
   document may be found at https://datatracker.ietf.org/doc/draft-
   ounsworth-lamps-pq-external-pubkeys/.

   Source for this draft and an issue tracker can be found at
   https://github.com/EntrustCorporation/draft-pq-external-pubkeys.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.






Ounsworth, et al.         Expires 2 April 2024                  [Page 1]

Internet-Draft             External X.509 Keys            September 2023


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 April 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  External Value  . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  External Public Key . . . . . . . . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Module Registration - SMI Security for PKIX Module
           Identifier  . . . . . . . . . . . . . . . . . . . . . . .   3
       3.1.1.  Object Identifier Registrations - SMI Security for PKIX
               Algorithms  . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
     4.1.  CSRs and CT logs  . . . . . . . . . . . . . . . . . . . .   4
   5.  Appendices  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .   4
     5.2.  Samples . . . . . . . . . . . . . . . . . . . . . . . . .   5
     5.3.  Intellectual Property Considerations  . . . . . . . . . .   8
   6.  Contributors and Acknowledgements . . . . . . . . . . . . . .   8
     6.1.  Making contributions  . . . . . . . . . . . . . . . . . .   8
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction








Ounsworth, et al.         Expires 2 April 2024                  [Page 2]

Internet-Draft             External X.509 Keys            September 2023


2.  External Value

   The id-external-value algorithm identifier is used for identifying a
   public key or signature which is provided as a reference to external
   data.

   id-external-value OBJECT IDENTIFIER  ::=  { iso(1)
               identified-organization(3) dod(6) internet(1)
               security(5) mechanisms(5) pkix(7) algorithms(6)
               TBDOID }

   EDNOTE: for prototyping purposes, id-external-value ::=
   1.3.6.1.4.1.22554.4.2

   The corresponding subjectPublicKey is the DER encoding of the
   following structure:

   ExternalValue ::= SEQUENCE {
     location     GeneralName,
     hashAlg      AlgorithmIdentifier,
     hashVal      OCTET STRING
   }

   Upon retrieval of the referenced data, the hash of the OCTET STRING
   of the retrieved data (removing base64 encoding as per [RFC4648] if
   necessary) MUST be verified using hashAlg to match the
   ExternalPublicKey.hash value.

2.1.  External Public Key

   When used with a public key, algorithm parameters for id-external-
   value are absent.

   When ExternalValue is placed into a
   SubjectPublicKeyInfo.subjectPublicKey, the ExternalValue.location
   MUST refer to a DER-encoded SubjectPublicKeyInfo, which MAY be base64
   encoded as per [RFC4648] for easier transport over text protocols.

3.  IANA Considerations

   ## Object Identifier Allocations

3.1.  Module Registration - SMI Security for PKIX Module Identifier

   *  Decimal: IANA Assigned - *Replace TBDMOD*

   *  Description: EXTERNAL-PUBKEY-2023 - id-mod-external-pubkey




Ounsworth, et al.         Expires 2 April 2024                  [Page 3]

Internet-Draft             External X.509 Keys            September 2023


   *  References: This Document

3.1.1.  Object Identifier Registrations - SMI Security for PKIX
        Algorithms

   *  Attest Statement

      -  Decimal: IANA Assigned - Replace *TBDOID*

      -  Description: id-external-value

      -  References: This Document

4.  Security Considerations

   There are no security implications to externalizing a public key from
   a certificate as described in this draft.  It is of course possible
   for a malicious actor to replace or tamper with the public key data
   at the referenced location, but since the hash of the public key data
   is included in the signed certificate, any such tampering will be
   detected and the certificate verification will fail.  For this
   reason, external public key data MAY be served over an insecure
   channel such as HTTP.

4.1.  CSRs and CT logs

   In practice, situations will arise where the
   ExternalPublicKey.location refers to a location which is not publicly
   available either because it is in a local keystore, on a private
   network, or no longer being hosted.

   Not having the public key in a certificate signing request (CSR)
   could make it substantially harder for CAs to perform vetting of the
   key, for example for cryptographic strength or checking for prior
   revocation due to key compromise.  A certificate requester MUST make
   the full public key available to the CA at the time of certificate
   request either by ensuring that the link in the
   ExternalPublicKey.location is visible to the CA, or by supplying the
   full public key to the CA out of band.

   Not having the public key in Certificate Transparency (CT) logs could
   make it substantially harder for researchers to perform auditing
   tasks on CT logs.  This may require additional CT mechanisms.

5.  Appendices

5.1.  ASN.1 Module




Ounsworth, et al.         Expires 2 April 2024                  [Page 4]

Internet-Draft             External X.509 Keys            September 2023


EXTERNAL-PUBKEY-2023
           {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0) id-mod-external-pubkey(TBDMOD)}

DEFINITIONS IMPLICIT TAGS ::= BEGIN

EXPORTS ALL;

IMPORTS

  GeneralName
  FROM PKIX1Implicit-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

  AlgorithmIdentifier{}
  FROM AlgorithmInformation-2009
      {iso(1) identified-organization(3) dod(6) internet(1) security(5)
      mechanisms(5) pkix(7) id-mod(0)
      id-mod-algorithmInformation-02(58)}

;

id-external-value OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBDOID }

ExternalValue ::= SEQUENCE {
  location     GeneralName,
  hashAlg      AlgorithmIdentifier,
  hashVal      OCTET STRING
}

END

5.2.  Samples

   Here is a sample of a Kyber1024 end entity certificate with an
   external public key.  A trust anchor certificate using the algorithm
   ecdsaWithSHA256 is provided so that the Kyber1024 End Entity
   certificate can be verified.









Ounsworth, et al.         Expires 2 April 2024                  [Page 5]

Internet-Draft             External X.509 Keys            September 2023


   This is a modest example demonstrating a 550 byte Kyber1024
   certificate and a 2.2 kb external Kyber1024 public key.  This
   "compression" effect will be even more pronounced with algorithms
   such as Classic McEliece which have public keys in the hundreds of
   kilobytes; with the external public key mechanism, the size of the
   certificate remains constant regardless of how large the externalized
   subject public key is.

   End entity Kyber1024 Certificate with ExternalValue public key:

   -----BEGIN CERTIFICATE-----
   MIIBajCCAQ+gAwIBAgIGAYrnq6R7MAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT
   IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X
   DTIzMDkzMDE5NTgyMFoXDTI0MDEwODE5NTgyMFowHTEbMBkGA1UEAwwSRXRoZWwg
   dGhlIEFhcmR2YXJrMGcwDAYKKwYBBAGBsBoEAgNXADBUhiNmaWxlOi8vbG9jYWxf
   a2V5c2VydmVyL3N1cnZleW9ycy5kYjALBglghkgBZQMEAgEEIOc9S8iXUv01kSjc
   XaG0mpL5O0a5GOOOckd6m84UK/VToxAwDjAMBgNVHRMBAf8EAjAAMAoGCCqGSM49
   BAMCA0kAMEYCIQCsdcyyIrcGy3Ro4WyOYhAHoxSXFO0Ptgfm9FaXAqno9wIhAJLy
   vNED2FxrxJCu5y+4EZyFIA2cZ2IU40FILxaB3Y72
   -----END CERTIFICATE-----

   For illustrative purposes, the SubjectPublicKeyInfo within the end
   entity certificate decodes as:

 subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE (2 elem)
       algorithm AlgorithmIdentifier SEQUENCE (1 elem)
         algorithm OBJECT IDENTIFIER 1.3.6.1.4.1.22554.4.2 ExternalValue
       subjectPublicKey BIT STRING (688 bit)
         SEQUENCE (3 elem)
           [6] (35 byte) file://local_keyserver/surveyors.db
           SEQUENCE (1 elem)
             OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256
           OCTET STRING (32 byte) E73D4BC89752FD359...

   The external public key object referenced by the end entity
   certificate is:















Ounsworth, et al.         Expires 2 April 2024                  [Page 6]

Internet-Draft             External X.509 Keys            September 2023


   -----BEGIN PUBLIC KEY-----
   MIIGNDANBgsrBgEEAYGwGgUGAwOCBiEAb4wXewtjbrOj8aATsKNEsylhQhGacYZO
   lFUEIOeXVeK1/ZqjZSISJNuVTvoZvxjJXoV24vO/CLFi+HqCoNK6jZGsSwQ963k4
   gRRAbxkuzIc1bvRpofeTyNgVD9EQVwa1mJqYFmi3iJnI8ENG3rsMi7Obqlh26qRD
   eUkh5PQGyZap8YOy7+k02AjEAFAzxzSqyfl1Nip3PLREfWs6SpF4/7ace5UIkGi/
   AXaZegUSSJORm9sOi2FDOFhhzglf/+I6YKyTPczCqaIk+wdjPDJLU0i+PDLKEwZa
   BlglVPqTDwpENKXMIUPI+3OXqExlHEWIB2uy/8ZlKzNSFFWwKeVSOJJLH0Uqe4AO
   VfVZDrIXVfBQYsN4W9fCIKCKk1WKk3PAsCEXqOGMUgGFAUuqd6U0cHqAEKeXYFMl
   GCsJ8qd2mLgTUol3eBavlURa3HledZskZiik1JlCCvi6wGPFtwVj1JJE9ntF7smp
   OZyxUhhWvFiR4qWGPbSNhgAUd5qrKzphU5aDjWsUTIVryKFfYZC2DGy32oIua6s3
   NqcR0+tz4Vg7UIbAurFVQPh7AppRyflsXpkWZJR2toxYsmGzs7di2HFUsIyNVsoF
   ztFbT0vJEXsuEHhleWKYJSUKZiGQokKgUrHIEwhu0dLDnDG3eSPDbgpJ1iHDknqQ
   FSNKl5Yp6LqM7sFB5uZTDIIzbdsJ+mwsXYp5oIevcegbmno5CXNP56Mg6UKnZOmI
   GGwxGPUSoJB4hBhl7QwC1PoDOuCTQ0KRW1JeiPUsvbiAyIM/dNG7LqR5ZHzFREe7
   NdEbyhrEHFu5Z5pgm6J9crGWJ0QzmvLP3MKm5/CqbDMbsBSPD+vJarIzAeWxzElP
   UjK3bDBvH1l2cFQW1NpP4Hl6zYF5o2h5rKM6qHwpzogTM+IIe1Ua4fhc+ysCZ+yi
   WWd8UXdcNEJ3WaINEceYktLPJJnGVEM2+asH9eyLyOsglxQhibAgnEdh3XKTAKqB
   /EyhYbLLOKJfz9GiDzSqFJIecZGxRdvK4aam2yG86/dco6IorWDPa1GyC7xBubwl
   LDBZGNhPqEHP47lIsfpRYRa1tDsoH0tP5GAAUUUI+6tLU+LCo5sqXoxt9PDGZfmq
   P9InsZQfeWksDhQvNtDKpiMHrKo1+HeCL/suUPvNd0VOLbKZufS9UCRH/pGqGGxU
   o6kcrsN4krQfNrIphAoGcyy9u+XPOXw0NUxeReBIQPE+URijogsH2BYQ+6ITEqki
   RQSGtZuNoUwLUxtb2/pe5YStwESuqRUfMYB3pzcdEKbLkbnG/mRMNJWUtdOQAkcI
   SFF9DdJ/+YgLfzqiuemhsJGprmqPXzKQ6XecvVdkRrYjotgOjHBl4GBxAL1DdKdc
   JfSRfcegxCQAPOLE95UJ10ouEyMnSAJS2EgVaqpLK+Ayb8AKmrOJkuc8vFOLw9Ul
   cqd+7DnGFNVyT8XCldti7kQRlSUvq2eIPcCqdOQ1CzmffIxg42wuN2skgXSN00eo
   VLt+HHm/q7p48hQTL2R8bLYqJHbKRetXz0yAXqkBMDck71QDg9so+0ZAO3W4nyqC
   2zKYdxItCJEZkxs6rvJaJwq8WQxmXMgoUUeNjmduVFJ5FGas6rQRWRhaWYquj7Om
   H0dsgSYeRPmG89lViCYEVjfO6AgI4rG7H6ZOqokNQeeEHSo6ZJmo1+AbzoKimFev
   M2axfjokPzm8CjgQVMOxCJdgxamkXzasjZOxZourBUJYBCA5lztlEiKDD4G0UzGs
   muaO7HSVxyWNJ+QELRmh/LQnj+UwE6JcdJIoQEA2iCvIrWSHwTcS17oIE4aQocMs
   DGEqoigjmVh/1YAiXrStzlzGiSkxAiU5b5eXsYwqqoZKVpNYR7O2k/mLdxwhA7cY
   9YTMUQY7WqCESslAycCJ0luKEPNbLOMHs4tsAlxUj5igbEOkK3weYKecndE/aGNW
   nKCh18aKT8U8idLDvpBuGmMAW3ZhhPRLSrJXQpMkwKaAOcl547iPYRiQAqIDgiyT
   qAkqPbJ9BwvEs6xb8iZCJna5d5lXQiNrD0v+OU8P28vZ7zbjf6oEfmI/6j3OydtS
   S5EjF9K6/ZQ=
   -----END PUBLIC KEY-----

   For illustrative purposes, the key data, which is itself a
   SubjectPublicKeyInfo, decodes as:

   SEQUENCE (2 elem)
     SEQUENCE (1 elem)
       OBJECT IDENTIFIER 1.3.6.1.4.1.22554.5.6.3 Kyber1024
     BIT STRING (12544 bit) 01101111...

   The following trust anchor certificate can be used to validate the
   above end entity certificate.




Ounsworth, et al.         Expires 2 April 2024                  [Page 7]

Internet-Draft             External X.509 Keys            September 2023


   -----BEGIN CERTIFICATE-----
   MIIBfzCCASSgAwIBAgIGAYrnq6N3MAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT
   IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X
   DTIzMDkzMDE5NTgyMFoXDTI0MDEwODE5NTgyMFowOjEOMAwGA1UEAwwFUVMgQ0Ex
   GzAZBgNVBAoMElF1YW50aXR5IFN1cnZleW9yczELMAkGA1UEBhMCWFgwWTATBgcq
   hkjOPQIBBggqhkjOPQMBBwNCAARWnuLUvnLty9QwvqwuksCYe9LMASE7PmJ47S6w
   ob28VOZKDYaRu6Kx8Yj5cA/g/FaxrwX6FDN2S0NJsva5wmfMoxYwFDASBgNVHRMB
   Af8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0kAMEYCIQDZsojipbuEYL8wzY3MqceN
   uvs15XZtKdihrBt/B+blfgIhAJemmt2HY33zD9XRvtbLE4Rg/vLsuB3Oo+TUWlWS
   g+g6
   -----END CERTIFICATE-----

5.3.  Intellectual Property Considerations

   None.

6.  Contributors and Acknowledgements

   This document incorporates contributions and comments from a large
   group of experts.  The Editors would especially like to acknowledge
   the expertise and tireless dedication of the following people, who
   attended many long meetings and generated millions of bytes of
   electronic mail and VOIP traffic over the past year in pursuit of
   this document:

   Serge Mister (Entrust).

   We are grateful to all, including any contributors who may have been
   inadvertently omitted from this list.

   This document borrows text from similar documents, including those
   referenced below.  Thanks go to the authors of those documents.
   "Copying always makes things easier and less error prone" -
   [RFC8411].

6.1.  Making contributions

   Additional contributions to this draft are welcome.  Please see the
   working copy of this draft at, as well as open issues at:

   https://github.com/EntrustCorporation/draft-ounsworth-pq-external-
   keys

7.  Normative References

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/rfc/rfc4648>.



Ounsworth, et al.         Expires 2 April 2024                  [Page 8]

Internet-Draft             External X.509 Keys            September 2023


   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.

   [RFC8411]  Schaad, J. and R. Andrews, "IANA Registration for the
              Cryptographic Algorithm Object Identifier Range",
              RFC 8411, DOI 10.17487/RFC8411, August 2018,
              <https://www.rfc-editor.org/rfc/rfc8411>.

Authors' Addresses

   Mike Ounsworth
   Entrust Limited
   1000 Innovation Drive
   Ottawa, Ontario  K2K 1E3
   Canada
   Email: mike.ounsworth@entrust.com


   Markku-Juhani O. Saarinen
   PQShield
   Email: mjos@pqshield.com


   J. Gray
   Entrust
   Email: john.gray@entrust.com


   D. Hook
   KeyFactor
   Email: david.hook@keyfactor.com

















Ounsworth, et al.         Expires 2 April 2024                  [Page 9]