| rfc9734.original | rfc9734.txt |
|---|---|
| LAMPS WG R. Mahy | Internet Engineering Task Force (IETF) R. Mahy |
| Internet-Draft Rohan Mahy Consulting Services | Request for Comments: 9734 Rohan Mahy Consulting Services |
| Intended status: Standards Track 9 December 2024 | Category: Standards Track February 2025 |
| Expires: 12 June 2025 | ISSN: 2070-1721 |
| X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs | X.509 Certificate Extended Key Usage (EKU) for Instant Messaging URIs |
| draft-ietf-lamps-im-keyusage-04 | |
| Abstract | Abstract |
| RFC 5280 specifies several extended key purpose identifiers | RFC 5280 specifies several extended key purpose identifiers |
| (KeyPurposeIds) for X.509 certificates. This document defines | (KeyPurposeIds) for X.509 certificates. This document defines an |
| Instant Messaging (IM) identity KeyPurposeId for inclusion in the | Instant Messaging (IM) identity KeyPurposeId for inclusion in the |
| Extended Key Usage (EKU) extension of X.509 v3 public key | Extended Key Usage (EKU) extension of X.509 v3 public key |
| certificates | certificates |
| About This Document | |
| This note is to be removed before publishing as an RFC. | |
| The latest revision of this draft can be found at | |
| https://rohanmahy.github.io/mahy-lamps-im-keyusage/draft-ietf-lamps- | |
| im-keyusage.html. Status information for this document may be found | |
| at https://datatracker.ietf.org/doc/draft-ietf-lamps-im-keyusage/. | |
| Discussion of this document takes place on the LAMPS WG Working Group | |
| mailing list (mailto:lamps@ietf.org), which is archived at | |
| https://mailarchive.ietf.org/arch/browse/lamps/. Subscribe at | |
| https://www.ietf.org/mailman/listinfo/lamps/. | |
| Source for this draft and an issue tracker can be found at | |
| https://github.com/rohanmahy/mahy-lamps-im-keyusage. | |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. |
| provisions of BCP 78 and BCP 79. | |
| Internet-Drafts are working documents of the Internet Engineering | This document is a product of the Internet Engineering Task Force |
| Task Force (IETF). Note that other groups may also distribute | (IETF). It represents the consensus of the IETF community. It has |
| working documents as Internet-Drafts. The list of current Internet- | received public review and has been approved for publication by the |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Internet Engineering Steering Group (IESG). Further information on |
| | Internet Standards is available in Section 2 of RFC 7841. |
| Internet-Drafts are draft documents valid for a maximum of six months | Information about the current status of this document, any errata, |
| and may be updated, replaced, or obsoleted by other documents at any | and how to provide feedback on it may be obtained at |
| time. It is inappropriate to use Internet-Drafts as reference | https://www.rfc-editor.org/info/rfc9734. |
| material or to cite them other than as "work in progress." | |
| This Internet-Draft will expire on 12 June 2025. | |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents |
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of |
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents |
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect |
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must |
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the |
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described |
| | in the Revised BSD License. |
| Table of Contents | Table of Contents |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction |
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions |
| 3. The IM URI Extended Key Usage . . . . . . . . . . . . . . . . 3 | 3. The IM URI EKU |
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 4. Security Considerations |
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3 | 5. IANA Considerations |
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6. References |
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 6.1. Normative References |
| 6.2. Informative References . . . . . . . . . . . . . . . . . 4 | 6.2. Informative References |
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 5 | Appendix A. ASN.1 Module |
| Appendix B. Change log . . . . . . . . . . . . . . . . . . . . . 6 | Acknowledgments |
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address |
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | |
| 1. Introduction | 1. Introduction |
| Instant Messaging (IM) systems using the Messaging Layer Security | Instant Messaging (IM) systems using the Messaging Layer Security |
| (MLS) [RFC9420] protocol can incorporate per-client identity | (MLS) [RFC9420] protocol can incorporate per-client identity |
| certificate credentials. A subjectAltName in these certificates can | certificate credentials. A subjectAltName in these certificates can |
| be an IM URI [RFC3860] or XMPP URI [RFC6121], for example. | be an IM URI [RFC3860] or Extensible Messaging and Presence Protocol |
| | (XMPP) URI [RFC6121], for example. |
| Organizations may be unwilling to issue certificates for Instant | Organizations may be unwilling to issue certificates for an IM client |
| Message client using a general KeyPurposeId such as id-kp-serverAuth | using a general KeyPurposeId, such as id-kp-serverAuth or id-kp- |
| or id-kp-clientAuth, because of the risk that such certificates could | clientAuth, because of the risk that such certificates could be |
| be abused in a cross-protocol attack. | abused in a cross-protocol attack. |
| An explanation of MLS credentials as they apply to Instant Messaging | An explanation of MLS credentials as they apply to IM is described in |
| is described in [I-D.barnes-mimi-identity-arch]. These credentials | [E2E-IDENTITY]. These credentials are expected to be heavily used in |
| are expected to be heavily used in the More Instant Messaging | the More Instant Messaging Interoperability (MIMI) Working Group. |
| Interoperability (MIMI) Working Group. | |
| 2. Conventions and Definitions | 2. Conventions and Definitions |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and |
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in |
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all |
| capitals, as shown here. | capitals, as shown here. |
| 3. The IM URI Extended Key Usage | 3. The IM URI EKU |
| This specification defines the KeyPurposeId id-kp-imUri, which may be | This specification defines the KeyPurposeId id-kp-imUri, which may be |
| included in certificates used to prove the identity of an Instant | included in certificates used to prove the identity of an IM client. |
| Messaging client. This EKU extension MAY, at the option of the | This EKU extension MAY, at the option of the certificate issuer, be |
| certificate issuer, be either critical or non-critical. | either critical or non-critical. |
| id-kp OBJECT IDENTIFIER ::= { | id-kp OBJECT IDENTIFIER ::= { |
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) |
| security(5) mechanisms(5) pkix(7) kp(3) } | security(5) mechanisms(5) pkix(7) kp(3) } |
| id-kp-imUri OBJECT IDENTIFIER ::= { id-kp TBD1 } | id-kp-imUri OBJECT IDENTIFIER ::= { id-kp 40 } |
| 4. Security Considerations | 4. Security Considerations |
| The Security Considerations of [RFC5280] are applicable to this | The security considerations of [RFC5280] are applicable to this |
| document. This extended key purpose does not introduce new security | document. The id-kp-imUri extended key purpose does not introduce |
| risks but instead reduces existing security risks by providing means | new security risks but instead reduces existing security risks by |
| to identify if the certificate is generated to sign IM identity | providing means to identify if the certificate is generated to sign |
| credentials. Issuers SHOULD NOT set the id-kp-imUri extended key | IM identity credentials. Issuers SHOULD NOT set the id-kp-imUri |
| purpose and an id-kp-clientAuth or id-kp-serverAuth extended key | extended key purpose and an id-kp-clientAuth or id-kp-serverAuth |
| purpose, as that would defeat the improved specificity offered by | extended key purpose: that would defeat the improved specificity |
| having an id-kp-imUri extended key purpose. | offered by having an id-kp-imUri extended key purpose. |
| 5. IANA Considerations | 5. IANA Considerations |
| IANA is requested to register the following OIDs in the "SMI Security | IANA has registered the following OID in the "SMI Security for PKIX |
| for PKIX Extended Key Purpose" registry (1.3.6.1.5.5.7.3). These | Extended Key Purpose" registry (1.3.6.1.5.5.7.3). This OID is |
| OIDs are defined in Section 4. | defined in Section 3. |
| +=========+=============+============+ | +=========+=============+============+ |
| \| Decimal \| Description \| References \| | \| Decimal \| Description \| References \| |
| +=========+=============+============+ | +=========+=============+============+ |
| \| TBD1 \| id-kp-imUri \| This-RFC \| | \| 40 \| id-kp-imUri \| RFC 9734 \| |
| +---------+-------------+------------+ | +---------+-------------+------------+ |
| Table 1 | Table 1 |
| IANA is also requested to register the following ASN.1 | IANA has also registered the following ASN.1 [ITU.X690.2021] module |
| [ITU.X690.2021] module OID in the "SMI Security for PKIX Module | OID in the "SMI Security for PKIX Module Identifier" registry |
| Identifier" registry (1.3.6.1.5.5.7.0). This OID is defined in | (1.3.6.1.5.5.7.0). This OID is defined in Appendix A. |
| Appendix A. | |
| +=========+===============+============+ | +=========+===============+============+ |
| \| Decimal \| Description \| References \| | \| Decimal \| Description \| References \| |
| +=========+===============+============+ | +=========+===============+============+ |
| \| TBD2 \| id-mod-im-eku \| This-RFC \| | \| 113 \| id-mod-im-eku \| RFC 9734 \| |
| +---------+---------------+------------+ | +---------+---------------+------------+ |
| Table 2 | Table 2 |
| 6. References | 6. References |
| 6.1. Normative References | 6.1. Normative References |
| [ITU.X680.2021] | [ITU.X680.2021] |
| International Telecommunications Union, "Information | ITU-T, "Information Technology - Abstract Syntax Notation |
| Technology - Abstract Syntax Notation One (ASN.1): | One (ASN.1): Specification of basic notation", ITU-T |
| Specification of basic notation", ITU-T Recommendation | Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, |
| X.680, 2021. | <https://www.itu.int/rec/T-REC-X.680>. |
| [ITU.X690.2021] | [ITU.X690.2021] |
| International Telecommunications Union, "Information | ITU-T, "Information Technology - ASN.1 encoding rules: |
| Technology - ASN.1 encoding rules: Specification of Basic | Specification of Basic Encoding Rules (BER), Canonical |
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (CER) and Distinguished Encoding Rules |
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1-2021, |
| X.690, 2021. | February 2021, <https://www.itu.int/rec/T-REC-X.690>. |
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, |
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, |
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. |
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., |
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key |
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List |
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, |
| <https://www.rfc-editor.org/rfc/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. |
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC |
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, |
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. |
| 6.2. Informative References | 6.2. Informative References |
| [I-D.barnes-mimi-identity-arch] | [E2E-IDENTITY] |
| Barnes, R. and R. Mahy, "Identity for E2E-Secure | Barnes, R. and R. Mahy, "Identity for E2E-Secure |
| Communications", Work in Progress, Internet-Draft, draft- | Communications", Work in Progress, Internet-Draft, draft- |
| barnes-mimi-identity-arch-01, 23 October 2023, | barnes-mimi-identity-arch-02, 4 February 2025, |
| <https://datatracker.ietf.org/doc/html/draft-barnes-mimi- | <https://datatracker.ietf.org/doc/html/draft-barnes-mimi- |
| identity-arch-01>. | identity-arch-02>. |
| [RFC3860] Peterson, J., "Common Profile for Instant Messaging | [RFC3860] Peterson, J., "Common Profile for Instant Messaging |
| (CPIM)", RFC 3860, DOI 10.17487/RFC3860, August 2004, | (CPIM)", RFC 3860, DOI 10.17487/RFC3860, August 2004, |
| <https://www.rfc-editor.org/rfc/rfc3860>. | <https://www.rfc-editor.org/info/rfc3860>. |
| [RFC6121] Saint-Andre, P., "Extensible Messaging and Presence | [RFC6121] Saint-Andre, P., "Extensible Messaging and Presence |
| Protocol (XMPP): Instant Messaging and Presence", | Protocol (XMPP): Instant Messaging and Presence", |
| RFC 6121, DOI 10.17487/RFC6121, March 2011, | RFC 6121, DOI 10.17487/RFC6121, March 2011, |
| <https://www.rfc-editor.org/rfc/rfc6121>. | <https://www.rfc-editor.org/info/rfc6121>. |
| [RFC9420] Barnes, R., Beurdouche, B., Robert, R., Millican, J., | [RFC9420] Barnes, R., Beurdouche, B., Robert, R., Millican, J., |
| Omara, E., and K. Cohn-Gordon, "The Messaging Layer | Omara, E., and K. Cohn-Gordon, "The Messaging Layer |
| Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420, | Security (MLS) Protocol", RFC 9420, DOI 10.17487/RFC9420, |
| July 2023, <https://www.rfc-editor.org/rfc/rfc9420>. | July 2023, <https://www.rfc-editor.org/info/rfc9420>. |
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module |
| The following module adheres to ASN.1 specifications [ITU.X680.2021] | The following module adheres to ASN.1 specifications [ITU.X680.2021] |
| and [ITU.X690.2021]. | and [ITU.X690.2021]. |
| `<CODE BEGINS>` | `<CODE BEGINS>` |
| IM-EKU | IM-EKU |
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) |
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) |
| id-mod-im-eku (TBD2) } | id-mod-im-eku (113) } |
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= |
| BEGIN | BEGIN |
| -- OID Arc | -- OID Arc |
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= |
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) |
| security(5) mechanisms(5) pkix(7) kp(3) } | security(5) mechanisms(5) pkix(7) kp(3) } |
| -- Extended Key Usage Values | -- Extended Key Usage Values |
| id-kp-imUri OBJECT IDENTIFIER ::= { id-kp TBD1 } | id-kp-imUri OBJECT IDENTIFIER ::= { id-kp 40 } |
| END | END |
| `<CODE ENDS>` | `<CODE ENDS>` |
| Appendix B. Change log | |
| RFC Editor, please remove this section on publication. | |
| * made Proposed Standard | |
| * added a MAY statement in Section 3 | |
| * corrected typo in registration of the ASN.1 module (Thanks Sean!) | |
| * updated author affiliation | |
| * added ASN.1 module | |
| * specified that eku is optionally critical | |
| Acknowledgments | Acknowledgments |
| Thanks to Sean Turner and Russ Housley for reviews, suggestions, | Thanks to Sean Turner and Russ Housley for reviews, suggestions, |
| corrections, and encouragement. | corrections, and encouragement. |
| Author's Address | Author's Address |
| Rohan Mahy | Rohan Mahy |
| Rohan Mahy Consulting Services | Rohan Mahy Consulting Services |
| Email: rohan.ietf@gmail.com | Email: rohan.ietf@gmail.com |
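The two pieces of the RFC that a relying party actually has to implement are the OID defined in Section 3 and Appendix A (id-kp-imUri = 1.3.6.1.5.5.7.3.40, in the id-kp arc from RFC 5280) and the Section 4 rule that an issuer SHOULD NOT combine id-kp-imUri with id-kp-clientAuth or id-kp-serverAuth. The following is an added Python example, not code from RFC 9734, its ASN.1 module, or the rfcdiff page: it DER-encodes an ExtendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER, per X.690) containing id-kp-imUri, decodes it back, and applies the Section 4 check. The function names are the example's own; the values 40 and 113 are those registered in Tables 1 and 2, and id-kp-serverAuth (.1) and id-kp-clientAuth (.2) are RFC 5280 KeyPurposeIds. The encoder and decoder are general and also handle multi-octet sub-identifiers, which the single-octet arcs in this RFC never need.

```python
# Added example, not part of RFC 9734: DER encode/decode of an ExtendedKeyUsage
# value and the RFC 9734 Section 4 mixed-EKU check. Standard library only.

ID_KP = "1.3.6.1.5.5.7.3"            # RFC 5280 id-kp arc (Section 3 of RFC 9734)
ID_KP_SERVER_AUTH = ID_KP + ".1"     # RFC 5280
ID_KP_CLIENT_AUTH = ID_KP + ".2"     # RFC 5280
ID_KP_IM_URI = ID_KP + ".40"         # RFC 9734, Table 1
ID_MOD_IM_EKU = "1.3.6.1.5.5.7.0.113"  # RFC 9734, Table 2 (module OID, for completeness)


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _base128(value: int) -> bytes:
    """One OID sub-identifier: 7 bits per octet, high bit set on all but the last."""
    octets = [value & 0x7F]
    value >>= 7
    while value:
        octets.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(octets))


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def encode_eku(purposes) -> bytes:
    """Encode ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (tag 0x30)."""
    if not purposes:
        raise ValueError("ExtendedKeyUsage must contain at least one KeyPurposeId")
    body = b"".join(encode_oid(p) for p in purposes)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Read one TLV at pos; return (value, next_pos). Rejects non-DER lengths."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                      # indefinite or absurd length
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:                        # long form used where short form required
            raise ValueError("non-minimal length encoding is not DER")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:end], end


def _decode_oid_body(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID body")
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def decode_eku(der: bytes):
    """Decode a DER ExtendedKeyUsage value into a list of dotted OID strings."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after ExtendedKeyUsage")
    purposes, pos = [], 0
    while pos < len(seq):
        body, pos = _read_tlv(seq, pos, 0x06)
        purposes.append(_decode_oid_body(body))
    if not purposes:
        raise ValueError("empty ExtendedKeyUsage")
    return purposes


def check_im_eku(purposes):
    """Relying-party check for an IM identity certificate (RFC 9734, Section 4).

    Returns (accepted, reason): accept only if id-kp-imUri is present and neither
    id-kp-serverAuth nor id-kp-clientAuth sits beside it.
    """
    if ID_KP_IM_URI not in purposes:
        return False, "id-kp-imUri absent: not an IM identity certificate"
    mixed = [p for p in (ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH) if p in purposes]
    if mixed:
        return False, "id-kp-imUri combined with " + ", ".join(mixed) + " (Section 4 SHOULD NOT)"
    return True, "id-kp-imUri only"


if __name__ == "__main__":
    eku = encode_eku([ID_KP_IM_URI])             # constructed sample EKU value
    print(eku.hex())                             # 300a06082b06010505070328
    print(decode_eku(eku))                       # ['1.3.6.1.5.5.7.3.40']
    print(check_im_eku(decode_eku(eku)))         # (True, 'id-kp-imUri only')
    print(check_im_eku([ID_KP_IM_URI, ID_KP_CLIENT_AUTH]))  # rejected
```

In a real validator this check runs on the EKU extension pulled from the parsed certificate, and it is only meaningful if the extension is present: a certificate with no EKU at all, or with anyExtendedKeyUsage, is exactly the general-purpose credential Section 1 warns could be reused in a cross-protocol attack, so an IM relying party should require id-kp-imUri rather than merely tolerate it.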