Network Working Group                                          S. Leonard
Internet-Draft                                              Penango, Inc.
Intended status: Standards Track                        September 8, 2014
Expires: March 12, 2015


     URI Fragment Identifiers for the application/pkix-cert Media Type
                       draft-seantek-certfrag-00

Abstract

   This memo describes Uniform Resource Identifier (URI) fragment
   identifiers for PKIX certificates, which are identified with the
   Internet media type application/pkix-cert.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 12, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Leonard                  Expires March 12, 2015                 [Page 1]

Internet-Draft                  certspec                  September 2014

1.  Fragment

   A digital certificate [RFC5280] consists of parts that are of
   interest to particular users and applications.
   For example, a user agent may wish to draw attention to the
   "notAfter" time for an expired certificate.  Uniform Resource
   Identifiers (URIs) can include fragment identifiers to identify such
   sub-parts of a resource; see Section 3.5 of [RFC3986].  However, the
   semantics of fragment identifiers depend upon the Internet media type
   [RFC2046], not the URI scheme.  Therefore, the fragment identifiers
   in this memo apply to the application/pkix-cert Internet media type
   [RFC2585].

   The following fragments are hereby defined:

   +--------------+----------------------------------------------------+
   | Identifier   | Certificate Part (ASN.1 identifier)                |
   +--------------+----------------------------------------------------+
   | v            | tbsCertificate.version                             |
   | sn           | tbsCertificate.serialNumber                        |
   | sig          | tbsCertificate.signature; also signatureAlgorithm  |
   | issuer       | tbsCertificate.issuer                              |
   | nb           | tbsCertificate.validity.notBefore                  |
   | na           | tbsCertificate.validity.notAfter                   |
   | subject      | tbsCertificate.subject                             |
   | spki         | tbsCertificate.subjectPublicKeyInfo                |
   | ext          | tbsCertificate.extensions                          |
   | ext:<extoid> | tbsCertificate.extensions                          |
   |              |   {Extension matching extoid == extnID}*           |
   | sigval       | signatureValue                                     |
   +--------------+----------------------------------------------------+

   * The particular extension in the Extensions "SEQUENCE" is
     identified by OID only; there are no textual identifiers.  The
     syntax of <extoid> matches the "numericoid" production of
     [RFC4512].

                 Table 1: Certificate Parts and Fragments

   The fragments defined in the table above are case-insensitive.
   However, a generator that complies with this memo MUST produce the
   fragment identifiers with the exact casing as provided above.

   The table is not exhaustive: should additional identifiers be
   required, a future document may specify additional identifiers.

   The key word "MUST" in this document is to be interpreted as
   described in RFC 2119 [RFC2119].

2.  IANA Considerations

   IANA needs to add a reference to this specification in the
   application/pkix-cert media type registration.  Additionally, the
   registration template needs to be updated to add the following
   section:

   Fragment identifier considerations: Fragment identification is
   supported by using fragment identifiers as specified by this memo.

3.  Security Considerations

   Digital certificates are important building blocks for
   authentication, integrity, authorization, and (occasionally)
   confidentiality services.  Accordingly, identifying digital
   certificates incorrectly can have significant security
   ramifications.  A URI that identifies a certificate will likely be
   used by an application or user for some security-related service,
   such as to retrieve the certificate as part of a validation
   procedure.

   When a fragment identifies a part of a certificate, the application
   will define the behavioral semantics.  A certificate-displaying
   application might zoom in on that aspect of the certificate, while a
   public-key-processing application might use a fragment identifier
   like "#spki" to extract the "SubjectPublicKeyInfo" structure for
   further processing.  Interpreting these identifiers incorrectly may
   cause denial-of-service attacks.

4.  Normative References

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2585]  Housley, R. and P. Hoffman, "Internet X.509 Public Key
              Infrastructure Operational Protocols: FTP and HTTP",
              RFC 2585, May 1999.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              June 2006.
   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

Author's Address

   Sean Leonard
   Penango, Inc.
   5900 Wilshire Boulevard
   21st Floor
   Los Angeles, CA 90036
   USA

   Email: dev+ietf@seantek.com
   URI:   http://www.penango.com/
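   The following resolver is an added example and is not part of this
   Internet-Draft: it maps the Table 1 identifiers of Section 1 onto a
   DER-encoded certificate with a minimal ASN.1 walker, applies the
   case-insensitive matching and the "numericoid" check for
   ext:<extoid>, and returns None for an absent OPTIONAL field (for
   instance "v" on a v1 certificate).  The certificate it resolves is
   constructed inline with placeholder name, key bits and signature,
   and the walker assumes definite-length DER only.

```python
import re

def der(tag, body):  # encode one DER TLV with a definite length (short or long form)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def tlvs(buf):  # split a constructed DER value into (tag, whole_tlv, content) children
    out, i = [], 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length octets
            k = n & 0x7F; n = int.from_bytes(buf[j:j + k], "big"); j += k
        out.append((tag, buf[i:j + n], buf[j:j + n])); i = j + n
    return out

def oid(dotted):  # encode a dotted OID string as a DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base-128 arcs, high bit set on every octet but the last
        chunk = [a & 0x7F]
        while a > 0x7F: a >>= 7; chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def resolve(cert, frag):  # DER bytes of the part of cert named by a Table 1 fragment
    frag = frag.lower()                                        # identifiers are case-insensitive
    tbs, _alg, sigval = tlvs(tlvs(cert)[0][2])                 # Certificate ::= SEQUENCE { tbs, alg, sigval }
    parts = tlvs(tbs[2])
    if parts[0][0] != 0xA0: parts.insert(0, None)              # v1 certificate: [0] version is absent
    ver, sn, sig, issuer, validity, subject, spki = parts[:7]; nb, na = tlvs(validity[2])
    exts = next((p for p in parts[7:] if p[0] == 0xA3), None)  # [3] EXPLICIT Extensions, OPTIONAL
    if frag.startswith("ext:"):                                # ext:<extoid> selects one Extension by extnID
        if not re.fullmatch(r"(0|[1-9]\d*)(\.(0|[1-9]\d*))+", frag[4:]):
            raise ValueError("extoid must be an RFC 4512 numericoid")
        for _, raw, c in (tlvs(tlvs(exts[2])[0][2]) if exts else []):
            if tlvs(c)[0][1] == oid(frag[4:]): return raw       # Extension ::= SEQUENCE { extnID, ... }
        raise KeyError(frag)
    part = {"v": ver, "sn": sn, "sig": sig, "issuer": issuer, "nb": nb, "na": na,
            "subject": subject, "spki": spki, "ext": exts, "sigval": sigval}[frag]
    return part[1] if part else None                           # None when an OPTIONAL field is absent

def sample_cert():  # constructed certificate with placeholder name, key bits and signature (not real)
    name = der(0x30, der(0x31, der(0x30, oid("2.5.4.3") + der(0x0C, b"example"))))
    alg = der(0x30, oid("1.2.840.113549.1.1.11") + der(0x05, b""))   # sha256WithRSAEncryption
    ext = der(0x30, oid("2.5.29.19") + der(0x04, der(0x30, b"")))      # basicConstraints, non-CA
    validity = der(0x30, der(0x17, b"140908000000Z") + der(0x17, b"150312000000Z"))
    spki = der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00" * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity
              + name + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))
```

   Because the certificate's tbsCertificate exceeds 127 octets, the
   example also exercises the long-form length encoding in both
   directions.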