--- 1/draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt 2019-01-03 09:13:15.938832315 -0800 +++ 2/draft-ietf-lamps-hash-of-root-key-cert-extn-03.txt 2019-01-03 09:13:15.962832890 -0800 @@ -1,48 +1,48 @@ Network Working Group R. Housley Internet-Draft Vigil Security -Intended status: Informational December 27, 2018 -Expires: June 30, 2019 +Intended status: Informational January 03, 2019 +Expires: July 7, 2019 Hash Of Root Key Certificate Extension - draft-ietf-lamps-hash-of-root-key-cert-extn-02 + draft-ietf-lamps-hash-of-root-key-cert-extn-03 Abstract This document specifies the Hash Of Root Key certificate extension. This certificate extension is carried in the self-signed certificate for a trust anchor, which is often called a Root Certification Authority (CA) certificate. This certificate extension unambiguously - identifies the next public key that will be used by the trust anchor - at some point in the future. + identifies the next public key that will be used at some point in the + future as the next Root CA certificate, replacing the current one. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 30, 2019. + This Internet-Draft will expire on July 7, 2019. Copyright Notice - Copyright (c) 2018 IETF Trust and the persons identified as the + Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -50,97 +50,101 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 1.2. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Hash Of Root Key Certificate Extension . . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 5. Operational Considerations . . . . . . . . . . . . . . . . . 4 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 7 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction This document specifies the Hash Of Root Key X.509 version 3 certificate extension. The extension is an optional addition to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [RFC5280]. The certificate extension facilitates the orderly transition from one Root Certification Authority (CA) public key to the next. It does so by publishing the hash value of the next generation public key in the current self- - signed certificate. This allows a relying party to unambiguously - recognize the next generation public key when it becomes available, - install that public key in the trust anchor store, and remove the - previous public key from the trust anchor store. + signed certificate. This hash value is a commitment to a particular + public key in the next generation self-signed certificate. This + commitment allows a relying party to unambiguously recognize the next + generation self-signed certificate when it becomes available, install + the new self-signed certificate in the trust anchor store, and remove + the previous one from the trust anchor store. A Root CA Certificate MAY include the Hashed Root Key certificate extension to provide the hash value of the next public key that will be used by the Root CA. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and - "OPTIONAL" in this document are to be interpreted as described in BCP - 14 [RFC2119][RFC8174] when, and only when, they appear in all + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. ASN.1 Certificates [RFC5280] are generated using ASN.1 [X680]; certificates are always encoded with the Distinguished Encoding Rules (DER) [X690]. 2. Overview Before the initial deployment of the Root CA, the following are generated: R1 = The initial Root key pair - C1 = Self-signed certificate for R1, which also contains H2 R2 = The second generation Root key pair H2 = Thumbprint (hash) of the public key of R2 + C1 = Self-signed certificate for R1, which also contains H2 C1 is a self-signed certificate, and it contains H2 within the HashOfRootKey extension. C1 is distributed as part of the initial the system deployment. The HashOfRootKey certificate extension is described in Section 3. When the time comes to replace the initial Root CA certificate, R1, the following are generated: R3 = The third generation Root key pair H3 = Thumbprint (hash) the public key of R3 C2 = Self-signed certificate for R2, which contains H3 This is an iterative process. That is, R4 and H4 are generated when it is time for C3 to replace C2. And so on. - The successors to the Root CA self-signed certificate can be - delivered by any means. Whenever a new Root CA certificate is - received, the recipient is able to verify that the potential Root CA - certificate links back to a previously authenticated Root CA - certificate with the hashOfRootKey certificate extension. That is, - verify the signature on the self-signed certificate and verify that - the hash of the DER-encoded SubjectPublicKeyInfo from the potential - Root CA certificate matches the value from the HashOfRootKey - certificate extension of the current Root CA certificate. Checking - the self-signed certificate signature ensures that the certificate - contains the subject name that the key owner intends, which is - important for path validation. Checking the hash of the + The successor to the Root CA self-signed certificate can be delivered + by any means. Whenever a new Root CA certificate is received, the + recipient is able to verify that the potential Root CA certificate + links back to a previously authenticated Root CA certificate with the + hashOfRootKey certificate extension. That is, the recipient verifies + the signature on the self-signed certificate and verifies that the + hash of the DER-encoded SubjectPublicKeyInfo from the potential Root + CA certificate matches the value from the HashOfRootKey certificate + extension of the current Root CA certificate. Checking the self- + signed certificate signature ensures that the certificate contains + the subject name, public key algorithm identifier, and public key + algorithm parameters intended by the key owner intends; these are + important inputs to certification path validation as defined in + Section 6 of [RFC5280]. Checking the hash of the SubjectPublicKeyInfo ensures that the certificate contains the intended public key. If either check fails, then potential Root CA certificate is not a valid replacement, and the recipient continues to use the current Root CA certificate. 3. Hash Of Root Key Certificate Extension The HashOfRootKey certificate extension MUST NOT be critical. The following ASN.1 [X680][X690] syntax defines the HashOfRootKey @@ -175,38 +179,52 @@ 5. Operational Considerations Guidance on the transition from one trust anchor to another is available in [RFC2510]. In particular, the oldWithNew and newWithOld advice ensures that relying parties are able to validate certificates issued under the current Root CA certificate and the next generation Root CA certificate throughout the transition. Further, this technique avoids the need for all relying parties to make the transition at the same time. + The Root CA must securely back up the yet-to-be-deployed key pair. + If the Root CA stores the key pair in a hardware security module, and + that module fails, the Root CA remains committed to the now + unavailable key pair. The remedy is to deploy a new self-signed + certificate that contains a newly-generated key pair in the same + manner as the initial self-signed certificate, thus loosing the + benefits of the Hash Of Root Key certificate extension altogether. + 6. Security Considerations The security considerations from [RFC5280] apply, especially the discussion of self-issued certificates. The Hash Of Root Key certificate extension facilitates the orderly transition from one Root CA public key to the next by publishing the hash value of the next generation public key in the current certificate. This allows a relying party to unambiguously recognize the next generation public key when it becomes available; however, the full public key is not disclosed until the Root CA releases the next generation certificate. In this way, attackers cannot begin to - analyze the public key before the next generation Root CA certificate - is released. + analyze the public key before the next generation Root CA self-signed + certificate is released. The Root CA needs to ensure that the public key in the next generation certificate is as strong or stronger than the key that it - is replacing. + is replacing. Of course, a significant advance in cryptoanalytic + capability can break the yet-to-be-deployed key pair. Such advances + are rare and difficult to predict. If such an advance occurs, the + Root CA remains committed to the now broken key. The remedy is to + deploy a new public key and algorithm in the same manner as the + initial Root CA self-signed certificate, thus loosing the benefits of + the Hash Of Root Key certificate extension altogether. The Root CA needs to employ a hash function that is resistant to preimage attacks [RFC4270]. A first-preimage attack against the hash function would allow an attacker to find another input that results published hash value. For the attack to be successful, the input would have to be a valid SubjectPublicKeyInfo that contains the public key that corresponds to a private key known to the attacker. A second-preimage attack becomes possible once the Root CA releases the next generation public key, which makes the input to the hash function becomes available to the attacker and everyone else. Again, @@ -230,23 +248,23 @@ The Secure Electronic Transaction (SET) [SET] specification published by MasterCard and VISA in 1997 includes a very similar certificate extension. The SET certificate extension has essentially the same semantics, but the syntax fairly different. CTIA - The Wireless Association is developing a public key infrastructure that will make use of the certificate extension described in this document. - Many thanks to Jim Schaad and Stefan Santesson. Their review and - comments have greatly improved the document, especially the - Operational Considerations and Security Considerations sections. + Many thanks to Jim Schaad, Stefan Santesson, and Paul Hoffman. Their + review and comments have greatly improved the document, especially + the Operational Considerations and Security Considerations sections. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . @@ -340,15 +358,15 @@ HashAlgorithmId ::= AlgorithmIdentifier {DIGEST-ALGORITHM,{ ... }} id-ce-hashOfRootKey OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 51483 2 1 } END Author's Address Russ Housley Vigil Security - 918 Spring Knoll Drive + 516 Dranesville Road Herndon, VA 20170 US Email: housley@vigilsec.com