<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-lamps-nf-eku-05"ipr="trust200902">number="9509" ipr="trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <front> <title abbrev="EKUs forNFs">X.5095G Network Functions">X.509 Certificate Extended Key Usage (EKU) for 5G Network Functions</title> <seriesInfo name="RFC" value="9509"/> <author fullname="TirumaleswarReddy"Reddy.K" initials="T."surname="Reddy">surname="Reddy.K"> <organization>Nokia</organization> <address> <postal><street></street><street/> <country>India</country> </postal> <email>kondtir@gmail.com</email> </address> </author> <author fullname="Jani Ekman" initials="J." surname="Ekman"> <organization>Nokia</organization> <address> <postal><street></street><street/> <country>Finland</country> </postal> <email>jani.ekman@nokia.com</email> </address> </author> <author fullname="Daniel Migault" initials="D." surname="Migault"> <organization>Ericsson</organization> <address> <postal><street></street><street/> <country>Canada</country> </postal> <email>daniel.migault@ericsson.com</email> </address> </author> <date/> <workgroup>LAMPS WG</workgroup>year="2024" month="March"/> <area>sec</area> <workgroup>lamps</workgroup> <keyword>3GPP</keyword> <abstract> <t>RFC 5280 specifies several extended key purpose identifiers (KeyPurposeIds) for X.509 certificates. This document defines encrypting JSON objects in HTTP messages, using JSON WebToken (JWT)Tokens (JWTs), and signing the OAuth 2.0 access tokens KeyPurposeIds for inclusion in the Extended Key Usage (EKU) extension of X.509 v3 public key certificates used by Network Functions (NFs) for the 5G System.</t> </abstract> </front> <middle> <section anchor="intro"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>TheOperatorsoperators of 5G ("fifth generation") systems as defined by 3GPP make use of an internal PKI to generate X.509 PKI certificates for the Network Functions (NFs) (Section 6 of <xreftarget="TS23.501"></xref>)target="TS23.501" format="default"/>) in a 5Gsystem.System. The certificates are used for the following purposes:</t><t><list style="symbols"> <t>Client<ul spacing="normal"> <li>Client and Server certificates for NFs in5GC5G Core (5GC) Service Based Architecture (SBA) (see Section 6.1.3c of <xreftarget="TS33.310"></xref>)</t> <t>Clienttarget="TS33.310" format="default"/> and Section 6.7.2 of <xref target="TS29.500" format="default"/>)</li> <li>Client Credentials Assertion (CCA) uses JSON Web Tokens(JWT)(JWTs) <xreftarget="RFC7519"></xref>target="RFC7519" format="default"/> and is secured with digital signatures based on the JSON Web Signature (JWS) <xreftarget="RFC7515"></xref>target="RFC7515" format="default"/> (see Section 13.3.8.2 of <xreftarget="TS33.501"></xref>).</t> <t>Certificatestarget="TS33.501" format="default"/>, and Section 6.7.5 of <xref target="TS29.500" format="default"/>).</li> <li>Certificates for encrypting JSON objects in HTTP messages between Security Edge Protection Proxies (SEPPs) using JSON Web Encryption (JWE) <xreftarget="RFC7516"></xref> (Sectiontarget="RFC7516" format="default"/> (see Section 13.2.4.4 of <xreftarget="TS33.501"></xref>) andtarget="TS33.501" format="default"/>, Section 6.3.2 of <xreftarget="TS33.210"></xref>).</t> <t>Certificatestarget="TS33.210" format="default"/>, Section 6.7.4 of <xref target="TS29.500" format="default"/>, and Section 5.3.2.1 of <xref target="TS29.573" format="default"/>).</li> <li>Certificates for signing the OAuth 2.0 access tokens for service authorization to grant temporary access to resources provided by NF producers using JWS (see Section 13.4.1 of <xreftarget="TS33.501"></xref>).</t> </list></t>target="TS33.501" format="default"/> and Section 6.7.3 of <xref target="TS29.500" format="default"/>).</li> </ul> <t><xreftarget="RFC5280"></xref>target="RFC5280" format="default"/> specifies several key usage extensions, defined via KeyPurposeIds, for X.509 certificates. Key usage extensions added to a certificate are meant to express intent as to the purpose of the named usage, for humans and for complying libraries. In addition, the IANA registry "SMI Security for PKIX Extended Key Purpose" <xreftarget="RFC7299"></xref>target="RFC7299" format="default"/> contains additionalKeyPurposeIds.TheKeyPurposeIds. The use of the anyExtendedKeyUsage KeyPurposeId, as defined inSection 4.2.1.12 of<xreftarget="RFC5280"></xref>,target="RFC5280" sectionFormat="of" section="4.2.1.12"/>, is generally considered a poor practice. This is especially true for publicly trusted certificates, whether they are multi-purpose or single-purpose, within the context of 5GsystemsSystems and the5G Core5GC Service Based Architecture.</t> <t>If the purpose of the issued certificates is not restricted, i.e., the type of operations for which a public key contained in the certificate can be used are not specified, those certificates could be used for another purpose than intended, increasing the risk of cross-protocol attacks. Failure to ensure proper segregation of duties means that a NFwhichthat generates the public/private keys and applies for a certificate to the operatorCA,certification authority could obtain a certificatewhichthat can be misused for tasks that this NF is not entitled to perform. For example, a NF service consumer could potentially impersonate NF service producers using its certificate. Additionally, in cases where the certificate's purpose is intended for use by the NF service consumer as a client certificate, it's essential to ensure that the NF with this client certificate and the corresponding private keyisare not allowed to sign the Client Credentials Assertion (CCA). When a NF service producer receives the signed CCA from the NF service consumer, the NF should only accept the token if the CCA is signed with a certificate that has been explicitly issued for this purpose.</t> <t>The KeyPurposeId id-kp-serverAuth(Section 4.2.1.12 of <xref target="RFC5280"></xref>)(<xref target="RFC5280" sectionFormat="of" section="4.2.1.12"/>) can be used to identify that the certificate is for a server (e.g., NF service producer), and the KeyPurposeId id-kp-clientAuth(Section 4.2.1.12 of <xref target="RFC5280"></xref>)(<xref target="RFC5280" sectionFormat="of" section="4.2.1.12"/>) can be used to identify that the certificate is for a client (e.g., NF service consumer). However, there are currently no KeyPurposeIds for the other usages of certificates in a 5G System. This document addresses the above problem by defining theExtended Key Usage (EKU)EKU extension of X.509 public key certificates for signing the JWT ClaimssetSet using JWS, encrypting JSON objects in HTTP messages using JWE, and signing the OAuth 2.0 access tokens using JWS.</t> <t>Vendor-defined KeyPurposeIds used within a PKI governed by the vendor or a group of vendors typically do not pose interoperability concerns, as non-critical extensions can be safely ignored if unrecognized. However, using or misusing KeyPurposeIds outside of their intended vendor-controlled environment can lead to interoperability issues. Therefore, it is advisable not to rely on vendor-defined KeyPurposeIds. Instead, the specification defines standard KeyPurposeIds to ensure interoperability across various implementations.</t> <t>Although the specification focuses on a 5G use case, the standard KeyPurposeIds defined in this document can be used in other deployments.</t> </section> <section anchor="notation"title="Terminology"> <t>Thenumbered="true" toc="default"> <name>Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"></xref><xref target="RFC8174"></xref>target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <sectiontitle="Extendednumbered="true" toc="default"> <name>Extended Key Purpose for NetworkFunctions">Functions</name> <t>This specification defines the KeyPurposeIds id-kp-jwt, id-kp-httpContentEncrypt, and id-kp-oauthAccessTokenSigning and usesthese for respectivelythese, respectively, for: signing the JWT ClaimssetSet of CCA using JWS, encrypting JSON objects in HTTP messages between Security Edge Protection Proxies (SEPPs) usingJWEJWE, and signing the OAuth 2.0 access tokens for service authorization to grant temporary access to resources provided by NF producers using JWS. As described in <xreftarget="RFC5280"></xref>,target="RFC5280" format="default"/>, "[i]f the [Extended Key Usage] extension is present, then the certificateMUST<bcp14>MUST</bcp14> only be used for one of the purposes indicated." <xreftarget="RFC5280"></xref>target="RFC5280" format="default"/> also notes that "[i]f multiple [key] purposes are indicated the application need not recognize all purposes indicated, as long as the intended purpose is present."</t> <t>NetworkfunctionsFunctions that verify the signature of a CCA represented as a JWT, decrypt JSON objects in HTTP messages between Security Edge Protection Proxies (SEPPs) using JWE, or verify the signature of an OAuth 2.0 access tokens for service authorization to grant temporary access to resources provided by NF producers using JWSSHOULD<bcp14>SHOULD</bcp14> requirethe specification ofthat corresponding KeyPurposeIds be specified by theExtended Key Usage (EKU)EKU extension. If the certificate requester knows the certificate users are mandated to use these KeyPurposeIds, itMUST<bcp14>MUST</bcp14> enforce their inclusion. Additionally, such a certificate requesterMUST<bcp14>MUST</bcp14> ensure that the KeyUsage extension be set to digitalSignature or nonRepudiation (also designated as contentCommitment) for signature calculation and/or to keyEncipherment for secret key encryption.</t> </section> <sectiontitle="Includingnumbered="true" toc="default" anchor="purpose-in-certificates"> <name>Including the Extended Key Purpose inCertificates">Certificates</name> <t><xreftarget="RFC5280"></xref>target="RFC5280" format="default"/> specifies theExtended Key Usage (EKU)EKU X.509 certificate extension for use on end entity certificates. The extension indicates one or more purposes for which the certified public key is valid. The EKU extension can be used in conjunction with the key usage extension, which indicates the set of basic cryptographic operations for which the certified key may be used. The EKU extension syntax is repeated here for convenience:</t><figure> <artwork><![CDATA[ExtKeyUsageSyntax<sourcecode type="asn.1"><![CDATA[ ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeId ::= OBJECT IDENTIFIER]]></artwork> </figure> <t></t>]]></sourcecode> <t>As described in <xreftarget="RFC5280"></xref>,target="RFC5280" format="default"/>, the EKU extension may, at the option of the certificate issuer, be either critical or non-critical. The inclusion ofKeyPurposeIdKeyPurposeIds id-kp-jwt, id-kp-httpContentEncrypt, and id-kp-oauthAccessTokenSigning in a certificate indicates that the public key encoded in the certificate has been certified for use in the following:<list style="numbers"> <t>Validating</t> <ol spacing="normal" type="1"> <li>Validating the JWS Signature in JWT. The distinction between JWS and JWE is determined by theKUKey Usage (KU) that is set to digitalSignature or nonRepudiation for JWS and keyEncipherment forJWE.</t> <t>EncryptingJWE.</li> <li>Encrypting JSON objects in HTTP messages (for example, encrypting theCEKcontent-encryption key (CEK) with the recipient's public key using the RSAES-OAEP algorithm to produce the JWE Encrypted Key). KU is set tokeyEncipherment.</t> <t>SigningkeyEncipherment.</li> <li>Signing OAuth 2.0 access tokens. In this case, KU is set to digitalSignature ornonRepudiation.</t> </list></t> <t><figure> <artwork><![CDATA[nonRepudiation.</li> </ol> <sourcecode type="asn.1"><![CDATA[ id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) } id-kp-jwt OBJECT IDENTIFIER ::= { id-kpTBD137 } id-kp-httpContentEncrypt OBJECT IDENTIFIER ::= { id-kpTBD238 } id-kp-oauthAccessTokenSigning OBJECT IDENTIFIER ::= { id-kpTBD339 }]]></artwork> </figure></t>]]></sourcecode> </section> <section anchor="solution"title="Implicationsnumbered="true" toc="default"> <name>Implications for a CertificationAuthority">Authority</name> <t>The procedures and practices employed by a certification authorityMUST<bcp14>MUST</bcp14> ensure that the correct values for the EKU extension as well as the KU extension are inserted in each certificate that is issued. The inclusion of the id-kp-jwt,id-kp-httpContentEncryptid-kp-httpContentEncrypt, and id-kp-oauthAccessTokenSigning KeyPurposeIds does not preclude the inclusion of other KeyPurposeIds.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>The Security Considerations of <xreftarget="RFC5280"></xref>target="RFC5280" format="default"/> are applicable to this document. This extended key purpose does not introduce new security risks but instead reduces existing security risks by providing the means to identify if the certificate is generated to sign the JWT Claims Set, signing the OAuth 2.0 access tokens usingJWSJWS, orto encryptencrypting the CEK in JWE for encrypting JSON objects in HTTP messages.</t> <t>To reduce the risk of specific cross-protocol attacks, the relying party or the relying party software may additionally prohibit use of specific combinations of KeyPurposeIds. The procedure for allowing or disallowing combinations of KeyPurposeIds using Excluded KeyPurposeId and Permitted KeyPurposeId, as carried out by a relying party, is defined inSection 4 of<xreftarget="RFC9336"></xref>.target="RFC9336" sectionFormat="of" section="4"/>. Examples of ExcludedKeyPurposeIdKeyPurposeIds include the presence of the anyExtendedKeyUsage KeyPurposeId or the complete absence of the EKU extension in a certificate. Examples of PermittedKeyPurposeIdKeyPurposeIds include the presence of id-kp-jwt,id-kp-httpContentEncryptid-kp-httpContentEncrypt, or id-kp-oauthAccessTokenSigningKeyPurposeId.</t>KeyPurposeIds.</t> </section> <section anchor="Privacy"title="Privacy Considerations">numbered="true" toc="default"> <name>Privacy Considerations</name> <t>In some security protocols, such as TLS 1.2 <xreftarget="RFC5246"></xref>,target="RFC5246" format="default"/>, certificates are exchanged in the clear. In other security protocols, such as TLS 1.3 <xreftarget="RFC8446"></xref>,target="RFC8446" format="default"/>, the certificates are encrypted. The inclusion of the EKU extension can help an observer determine the purpose of the certificate. In addition,Ifif the certificate is issued by a public certification authority, the inclusion of an EKU extension can help an attacker to monitor the Certificate Transparency logs <xreftarget="RFC9162"></xref>target="RFC9162" format="default"/> to identify the purpose of the certificate.</t> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>IANAis requested to registerhas registered the following OIDs in the "SMI Security for PKIX Extended Key Purpose" registry (1.3.6.1.5.5.7.3). These OIDs are defined inSection 4.</t> <figure anchor="fig-a"> <name>Table 1</name> <artwork><![CDATA[ +=========+===============================+============+ | Decimal | Description | References | +=========+===============================+============+ | TBD1 | id-kp-jwt | This-RFC | +---------+-------------------------------+------------+ | TBD2 | id-kp-httpContentEncrypt | This-RFC | +---------+-------------------------------+------------+ | TBD3 | id-kp-oauthAccessTokenSigning | This-RFC | +---------+-------------------------------+------------+ ]]></artwork> </figure> <t></t><xref target="purpose-in-certificates"/>.</t> <table anchor="iana-table-1" align="left"> <thead> <tr> <th>Decimal</th> <th>Description</th> <th>References</th> </tr> </thead> <tbody> <tr> <td>37</td> <td>id-kp-jwt</td> <td>RFC 9509</td> </tr> <tr> <td>38</td> <td>id-kp-httpContentEncrypt</td> <td>RFC 9509</td> </tr> <tr> <td>39</td> <td>id-kp-oauthAccessTokenSigning</td> <td>RFC 9509</td> </tr> </tbody> </table> <t>IANAis also requested to registerhas registered the following ASN.1<xreftarget="X.680"></xref>target="X.680" format="default"/> module OID in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). This OID is defined in <xreftarget="Appendix"></xref>.</t> <t><figure anchor="fig-b"> <name>Table 2</name> <artwork><![CDATA[ +=========+==========================+============+ | Decimal | Description | References | +=========+==========================+============+ | TBD4 | id-mod-nf-eku | This-RFC | +---------+--------------------------+------------+ ]]></artwork> </figure></t> </section> <section anchor="contrib" title="Contributors"> <t>The following individuals have contributed to this document:</t> <t><figure> <artwork><![CDATA[ German Peinado Nokia Email: german.peinado@nokia.com]]></artwork> </figure></t> </section> <section anchor="acknowledgments" title="Acknowledgments"> <t>We would like to thank Corey Bonnell, Ilari Liusvaara, Carl Wallace and Russ Housley for their useful feedback. Thanks to Yoav Nir for the secdir review, Elwyn Davies for the genart review and Benson Muite for the intdir review.</t> <t>Thanks to Paul Wouters, Lars Eggert, and Éric Vyncke for the IESG review.</t>target="Appendix" format="default"/>.</t> <table anchor="iana-table-2" align="left"> <thead> <tr> <th>Decimal</th> <th>Description</th> <th>References</th> </tr> </thead> <tbody> <tr> <td>108</td> <td>id-mod-nf-eku</td> <td>RFC 9509</td> </tr> </tbody> </table> </section> </middle> <back><references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.8174"?> <?rfc include="reference.RFC.5280"?> <?rfc include="reference.RFC.7515"?> <?rfc include="reference.RFC.7519"?> <?rfc include="reference.RFC.7516"?> <!-- <?rfc include="reference.RFC.7159"?> --> <!-- <?rfc include="reference.RFC.9052"?> --> <!-- <?rfc include="reference.RFC.8949"?> --><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml"/> <reference anchor="X.680" target="https://www.itu.int/rec/T-REC-X.680"> <front><title>ITU-T, "Information<title>Information technology - Abstract Syntax Notation One (ASN.1): Specification of basicnotation", ITU-T Recommendation X.680, February 2021.</title>notation</title> <author><organization></organization><organization>ITU-T</organization> </author> <dateday="" month="" year="" />month="February" year="2021"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.680"/> </reference> <reference anchor="X.690" target="https://www.itu.int/rec/T-REC-X.690"> <front><title>ITU-T, "Information<title>Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules(DER)", ITU-T Recommendation X.690, February 2021,</title>(DER)</title> <author><organization></organization><organization>ITU-T</organization> </author> <dateday="" month="" year="" />month="February" year="2021"/> </front> <seriesInfo name="ITU-T Recommendation" value="X.690"/> </reference> </references><references title="Informative References"> <?rfc include='reference.RFC.5246'?> <?rfc include='reference.RFC.8446' ?> <?rfc include="reference.RFC.7299"?> <?rfc include="reference.RFC.9336"?> <?rfc include="reference.RFC.9162"?> <!-- <?rfc include="reference.RFC.7518"?> --><references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7299.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9336.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9162.xml"/> <reference anchor="TS29.573" target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.573/29573-i50.zip"> <front> <title>5G System; Public Land Mobile Network (PLMN) Interconnection; Stage 3</title> <author> <organization>3GPP</organization> </author> <date month="December" year="2023"/> </front> <seriesInfo name="Release" value="18.5.0"/> <seriesInfo name="3GPP TS" value="29.573"/> </reference> <reference anchor="TS33.501"target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-h70.zip">target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.501/33501-i40.zip"> <front><title>3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security<title>Security architecture and procedures for 5Gsystem (Release 17), , 3GPP TS:33.501 V17.7.0, Sept 2022,</title>system</title> <author><organization></organization><organization>3GPP</organization> </author> <dateday="" month="" year="" />month="December" year="2023"/> </front> <seriesInfo name="Release" value="18.4.0"/> <seriesInfo name="3GPP TS" value="33.501"/> </reference> <reference anchor="TS33.310"target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.310/33310-h40.zip">target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.310/33310-i20.zip"> <front><title>3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network<title>Network Domain Security (NDS); Authentication Framework(AF) (Release 17), 3GPP 33.310 V17.4.0, Sept 2022,</title>(AF)</title> <author><organization></organization><organization>3GPP</organization> </author> <dateday="" month="" year="" />month="December" year="2023"/> </front> <seriesInfo name="Release" value="18.2.0"/> <seriesInfo name="3GPP TS" value="33.310"/> </reference> <reference anchor="TS33.210" target="https://www.3gpp.org/ftp/Specs/archive/33_series/33.210/33210-h10.zip"> <front><title>3rd Generation Partnership Project; Technical Specification Group Services and System Aspects;Network<title>Network Domain Security (NDS); IP network layersecurity (Release 17), 3GPP TS 33.210 V17.1.0 Sept 2022,</title>security</title> <author><organization></organization><organization>3GPP</organization> </author> <dateday="" month="" year="" />month="September" year="2022"/> </front> <seriesInfo name="Release" value="17.1.0"/> <seriesInfo name="3GPP TS" value="33.210"/> </reference> <reference anchor="TS23.501"target="https://www.3gpp.org/ftp/Specs/archive/23_series/23.501/23501-i00.zip">target="https://www.3gpp.org/ftp/Specs/archive/23_series/23.501/23501-i40.zip"> <front><title>3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System<title>System architecture for the 5G System(5GS);(5GS)</title> <author> <organization>3GPP</organization> </author> <date month="December" year="2023"/> </front> <seriesInfo name="Release" value="18.4.0"/> <seriesInfo name="3GPP TS" value="23.501"/> </reference> <reference anchor="TS29.500" target="https://www.3gpp.org/ftp/Specs/archive/29_series/29.500/29500-i40.zip"> <front> <title>5G System; Technical Realization of Service Based Architecture; Stage2 (Release 18), 3GPP TS 23.501 V18.0.0 Dec 2022,</title>3</title> <author><organization></organization><organization>3GPP</organization> </author> <dateday="" month="" year="" />month="December" year="2023"/> </front> <seriesInfo name="Release" value="18.4.0"/> <seriesInfo name="3GPP TS" value="29.500"/> </reference> </references> </references> <section anchor="Appendix"title="ASN.1 Module">numbered="true" toc="default"> <name>ASN.1 Module</name> <t>The following module adheres to ASN.1 specifications <xreftarget="X.680"></xref>target="X.680" format="default"/> and <xreftarget="X.690"></xref>.</t> <figure> <artwork><![CDATA[<CODE BEGINS>target="X.690" format="default"/>.</t> <sourcecode name="" type="asn.1" markers="true"><![CDATA[ NF-EKU { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-nf-eku(TBD4)(108) } DEFINITIONS IMPLICIT TAGS ::= BEGIN -- OID Arc id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) kp(3) } -- Extended Key Usage Values id-kp-jwt OBJECT IDENTIFIER ::= { id-kpTBD137 } id-kp-httpContentEncrypt OBJECT IDENTIFIER ::= { id-kpTBD238 } id-kp-oauthAccessTokenSigning OBJECT IDENTIFIER ::= { id-kpTBD339 } END<CODE ENDS>]]></artwork> </figure>]]></sourcecode> </section> <section anchor="acknowledgments" numbered="false" toc="default"> <name>Acknowledgments</name> <t>We would like to thank <contact fullname="Corey Bonnell"/>, <contact fullname="Ilari Liusvaara"/>, <contact fullname="Carl Wallace"/>, and <contact fullname="Russ Housley"/> for their useful feedback. Thanks to <contact fullname="Yoav Nir"/> for the secdir review, <contact fullname="Elwyn Davies"/> for the genart review, and <contact fullname="Benson Muite"/> for the intdir review.</t> <t>Thanks to <contact fullname="Paul Wouters"/>, <contact fullname="Lars Eggert"/>, and <contact fullname="Éric Vyncke"/> for the IESG review.</t> </section> <section anchor="contrib" numbered="false" toc="default"> <name>Contributor</name> <t>The following individual has contributed to this document:</t> <contact fullname="German Peinado"> <organization>Nokia</organization> <address> <email>german.peinado@nokia.com</email> </address> </contact> </section> </back> </rfc>