draft-ietf-stir-certificates-12.txt   draft-ietf-stir-certificates-13.txt 
Network Working Group J. Peterson Network Working Group J. Peterson
Internet-Draft Neustar Internet-Draft Neustar
Intended status: Standards Track S. Turner Intended status: Standards Track S. Turner
Expires: September 14, 2017 sn3rd Expires: September 27, 2017 sn3rd
March 13, 2017 March 27, 2017
Secure Telephone Identity Credentials: Certificates Secure Telephone Identity Credentials: Certificates
draft-ietf-stir-certificates-12.txt draft-ietf-stir-certificates-13.txt
Abstract Abstract
In order to prevent the impersonation of telephone numbers on the In order to prevent the impersonation of telephone numbers on the
Internet, some kind of credential system needs to exist that Internet, some kind of credential system needs to exist that
cryptographically asserts authority over telephone numbers. This cryptographically asserts authority over telephone numbers. This
document describes the use of certificates in establishing authority document describes the use of certificates in establishing authority
over telephone numbers, as a component of a broader architecture for over telephone numbers, as a component of a broader architecture for
managing telephone numbers as identities in protocols like SIP. managing telephone numbers as identities in protocols like SIP.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 14, 2017. This Internet-Draft will expire on September 27, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
3. Authority for Telephone Numbers in Certificates . . . . . . . 3 3. Authority for Telephone Numbers in Certificates . . . . . . . 3
4. Certificate Usage with STIR . . . . . . . . . . . . . . . . . 5 4. Certificate Usage with STIR . . . . . . . . . . . . . . . . . 5
5. Enrollment and Authorization using the TN Authorization List 6 5. Enrollment and Authorization using the TN Authorization List 6
5.1. Constraints on Signing PASSporTs . . . . . . . . . . . . 7 5.1. Constraints on Signing PASSporTs . . . . . . . . . . . . 7
5.2. Certificate Extension Scope and Structure . . . . . . . . 8 5.2. Certificate Extension Scope and Structure . . . . . . . . 8
6. Provisioning Private Keying Material . . . . . . . . . . . . 8 6. Provisioning Private Keying Material . . . . . . . . . . . . 8
7. Acquiring Credentials to Verify Signatures . . . . . . . . . 9 7. Acquiring Credentials to Verify Signatures . . . . . . . . . 9
8. JWT Claim Constraints Syntax . . . . . . . . . . . . . . . . 10 8. JWT Claim Constraints Syntax . . . . . . . . . . . . . . . . 10
9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11 9. TN Authorization List Syntax . . . . . . . . . . . . . . . . 11
10. Certificate Freshness and Revocation . . . . . . . . . . . . 13 10. Certificate Freshness and Revocation . . . . . . . . . . . . 13
10.1. Acquiring TN Lists By Reference . . . . . . . . . . . . 13 10.1. Acquiring TN Lists By Reference . . . . . . . . . . . . 14
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
12. Security Considerations . . . . . . . . . . . . . . . . . . . 15 12. Security Considerations . . . . . . . . . . . . . . . . . . . 15
13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
14.1. Normative References . . . . . . . . . . . . . . . . . . 15 14.1. Normative References . . . . . . . . . . . . . . . . . . 15
14.2. Informative References . . . . . . . . . . . . . . . . . 17 14.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 18 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
skipping to change at page 10, line 13 skipping to change at page 10, line 13
discriminator that the signer uses to identify their credentials. discriminator that the signer uses to identify their credentials.
The Identity header "info" parameter itself can serve as such a The Identity header "info" parameter itself can serve as such a
discriminator, provided implementations use that parameter as a key discriminator, provided implementations use that parameter as a key
when accessing certificates from caches or other sources. when accessing certificates from caches or other sources.
8. JWT Claim Constraints Syntax 8. JWT Claim Constraints Syntax
The subjects of certificates containing the JWT Claim Constraints The subjects of certificates containing the JWT Claim Constraints
certificate extension are specifies values for PASSporT claims that certificate extension are specifies values for PASSporT claims that
are permitted, values for PASSporT claims that are excluded, or both. are permitted. The syntax of these claims is given in PASSporT;
The syntax of these claims is given in PASSporT; specifying new specifying new claims follows the procedures in
claims follows the procedures in [I-D.ietf-stir-passport] [I-D.ietf-stir-passport] (Section 8.3). When a verifier is
(Section 8.3). When a verifier is validating PASSporT claims, the validating PASSporT claims, the JWT claim MUST contain permitted
JWT claim MUST contain permitted values, and MUST NOT contain values. The non-critical JWT Claim Constraints certificate extension
excluded values. The non-critical JWT Claim Constraints certificate is included in the extension field of end entity certificates
extension is included in the extension field of end entity [RFC5280]. The extension is defined with ASN.1 [X.680][X.681][X.682]
certificates [RFC5280]. The extension is defined with ASN.1 [X.683].
[X.680][X.681][X.682] [X.683].
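Review bot: "The subjects of certificates containing the JWT Claim Constraints certificate extension are specifies values for PASSporT claims that are permitted" is ungrammatical in both the -12 and -13 columns; suggest "The JWT Claim Constraints certificate extension specifies values for PASSporT claims that are permitted." The -13 column drops "excluded" from the prose, which matches the -13 syntax that removes the excluded field, but the remaining rule "the JWT claim MUST contain permitted values" should say which claims it applies to (the claims named in the extension), since the next paragraph says the baseline claims are permitted by default and are not listed.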
The JWT Claim Constraints certificate extension places constraints on The JWT Claim Constraints certificate extension places constraints on
the values that are allowed in particular JWT claims. This the values that are allowed in particular JWT claims. This
certificate extension is optional, but if present, it constraints the certificate extension is optional, but if present, it constrains the
claims that authentication services may include in the PASSporT claims that authentication services may included in the PASSporT
objects they sign. For example, imagine a PASSporT extension claim objects they sign. For example, imagine a PASSporT extension claim
called "confidence". If a CA issue to an authentication service a called "confidence" with values "low", "medium", and "high". If a CA
certificate that contains the value "confidence" in the "permitted" issues to an authentication service a certificate that contains the
field of the JWT Claim Constraints, then an authentication service value "confidence" in the "claim" field and "high" in the "permitted"
MAY add a "confidence" claim to any PASSporTs it generates. A feild of the JWT Claim Constraints, then an authentication service
MAY add a "high" "confidence" claim to any PASSporTs it generates. A
verification service MUST treat as invalid any PASSporT it receives verification service MUST treat as invalid any PASSporT it receives
with a PASSporT extension claim that is not included in JWT Claim with a PASSporT extension claim that is not included in JWT Claim
Constraints The baseline claims of PASSporT ("orig", "dest", "iat" Constraints. The baseline claims of PASSporT ("orig", "dest", "iat"
and "mky") are considered to be permitted by default and SHOULD NOT and "mky") are considered to be permitted by default and SHOULD NOT
be included in a "permitted" field of the certificate." The issuer be included in the "claim" field. The issuer of a certificate may
of a certificate may similarly explicitly allow the use of a similarly explicitly allow the use of a particular claim by the
particular claim by the holder of the certificate. If a certificate holder of the certificate. If a certificate contains no JWT Claim
contains no JWT Claim Constraints, the issuer of the certificate Constraints, the issuer of the certificate permits all claims.
permits all claims.
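Review bot: the -13 column introduces two new defects in this paragraph: "may included in the PASSporT objects they sign" (the -12 column has "may include") and "feild" for "field". The verifier rule is also under-specified: the text makes a PASSporT invalid when it carries an extension claim "that is not included in JWT Claim Constraints", but does not say what happens when the claim is listed and its value is outside "permitted" (the first paragraph implies that is also invalid), nor how a claim listed with an empty "permitted" sequence is to be read. Suggest one explicit rule, for instance: "When the extension is present, a PASSporT is invalid if it contains an extension claim not named in the extension, or a named claim whose value is not one of that claim's permitted values." In the example, "MAY add a "high" "confidence" claim" reads awkwardly; suggest "MAY add a "confidence" claim with the value "high"".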
The JWT Claim Constraints certificate extension is identified by the The JWT Claim Constraints certificate extension is identified by the
following object identifier (OID), which is defined under the id-pe following object identifier (OID), which is defined under the id-pe
OID arc defined in [RFC5280] and managed by IANA (see Section 11): OID arc defined in [RFC5280] and managed by IANA (see Section 11):
id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 }
The JWT Claim Constraints certificate extension has the following The JWT Claim Constraints certificate extension has the following
syntax: syntax:
JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint
JWTClaimConstraint ::= SEQUENCE { JWTClaimConstraint ::= SEQUENCE {
claim IA5String, claim IA5String,
permitted SEQUENCE OF IA5String permitted SEQUENCE OF IA5String
} }
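Review bot: JWTClaimConstraint changes its encoding between -12 and -13 (the [1] context tag and OPTIONAL on "permitted" are gone and "excluded" is removed) while the extension keeps the same OID, id-pe 25, so a decoder written against -12 will not decode a -13 certificate and vice versa. That is acceptable for a draft, but it deserves a line in the change log, and the OID must not be reused this way once certificates are issued. Separately, "permitted SEQUENCE OF IA5String" admits an empty sequence; if an empty list has no meaning, constrain it to "SEQUENCE SIZE (1..MAX) OF IA5String" so that the syntax and the verifier rule in Section 8 agree.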
9. TN Authorization List Syntax 9. TN Authorization List Syntax
The subjects of certificates containing the TN Authorization List The subjects of certificates containing the TN Authorization List
extension are the administrative entities to whom numbers are extension are the administrative entities to whom numbers are
assigned or delegated. When a verifier is validating a caller's assigned or delegated. When a verifier is validating a caller's
identity, local policy always determines the circumstances under identity, local policy always determines the circumstances under
which any particular subject may be trusted, but the purpose of the which any particular subject may be trusted, but the purpose of the
TN Authorization List extension in particular is to allow a verifier TN Authorization List extension in particular is to allow a verifier
to ascertain when the CA has designated that the subject has to ascertain when the CA has designated that the subject has
skipping to change at page 11, line 37 skipping to change at page 11, line 37
The subjects of certificates containing the TN Authorization List The subjects of certificates containing the TN Authorization List
extension are the administrative entities to whom numbers are extension are the administrative entities to whom numbers are
assigned or delegated. In an end entity certificate, TN assigned or delegated. In an end entity certificate, TN
Authorization List indicates the TNs which the certificate has been Authorization List indicates the TNs which the certificate has been
authorized. In a CA certificate, the TN Authorization List limits authorized. In a CA certificate, the TN Authorization List limits
the set of TNs for certification paths that include this certificate. the set of TNs for certification paths that include this certificate.
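Review bot: "indicates the TNs which the certificate has been authorized" is missing a preposition in both columns; suggest "the TNs for which the certificate has been authorized". The first sentence of this paragraph also repeats the section's opening sentence verbatim; consider dropping one copy.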
The Telephony Number (TN) Authorization List certificate extension is The Telephony Number (TN) Authorization List certificate extension is
identified by the following object identifier (OID), which is defined identified by the following object identifier (OID), which is defined
under the id-pe OID arc defined in [RFC5280] and managed by IANA (see under the id-pe OID arc defined in [RFC5280] and managed by IANA (see
Section 11). Section 11):
id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 }
The TN Authorization List certificate extension has the following The TN Authorization List certificate extension has the following
syntax: syntax:
TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry
TNEntry ::= CHOICE { TNEntry ::= CHOICE {
spc [0] ServiceProviderCodeList, spc [0] ServiceProviderCodeList,
range [1] TelephoneNumberRange, range [1] TelephoneNumberRange,
one E164Number } one E164Number
}
ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF IA5String
IA%String
-- Service Provider Codes may be OCNs, various SPIDs, or other SP identifiers from the telephone network -- Service Provider Codes may be OCNs, various SPIDs, or other
-- SP identifiers from the telephone network
TelephoneNumberRange ::= SEQUENCE { TelephoneNumberRange ::= SEQUENCE {
start E164Number, start E164Number,
count INTEGER } count INTEGER
}
E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789#*")) E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789#*"))
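Review bot: "count INTEGER" in TelephoneNumberRange is unconstrained, so a zero or negative count is syntactically valid and the text gives verifiers no rule for it; suggest "count INTEGER (1..MAX)", or state that a range with count less than 1 matches no numbers. E164Number here is "FROM ("0123456789#*")" in both columns, whereas the module in Appendix A defines it as "FROM ("0123456789")" in both columns; the two definitions must agree, and since implementations compile the module, the body text is the one that will silently differ from deployed code. The -13 change of "IA%String" to "IA5String" in ServiceProviderCodeList is correct.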
The TN Authorization List certificate extension indicates the The TN Authorization List certificate extension indicates the
authorized phone numbers for the call setup signer. It indicates one authorized phone numbers for the call setup signer. It indicates one
or more blocks of telephone number entries that have been authorized or more blocks of telephone number entries that have been authorized
for use by the call setup signer. There are three ways to identify for use by the call setup signer. There are three ways to identify
the block: the block:
1. Service Provider Codes as described in this document are a 1. Service Provider Codes as described in this document are a
generic term for the identifiers used to designate service generic term for the identifiers used to designate service
providers in the telepohone networks today. In North American providers in the telepohone networks today. In North American
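Review bot: "telepohone" in item 1 is misspelled in both columns; should be "telephone".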
skipping to change at page 18, line 33 skipping to change at page 18, line 39
The modules defined in this document are compatible with the most The modules defined in this document are compatible with the most
current ASN.1 specification published in 2015 (see [X.680], [X.681], current ASN.1 specification published in 2015 (see [X.680], [X.681],
[X.682], [X.683]). None of the newly defined tokens in the 2008 [X.682], [X.683]). None of the newly defined tokens in the 2008
ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE- ASN.1 (DATE, DATE-TIME, DURATION, NOT-A-NUMBER, OID-IRI, RELATIVE-
OID-IRI, TIME, TIME-OF-DAY)) are currently used in any of the ASN.1 OID-IRI, TIME, TIME-OF-DAY)) are currently used in any of the ASN.1
specifications referred to here. specifications referred to here.
This ASN.1 module imports ASN.1 from [RFC5912]. This ASN.1 module imports ASN.1 from [RFC5912].
TN-Module-2016 { TN-Module-2016
iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
security(5) mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0) id-mod-tn-module(88) }
id-mod-tn-module(88) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN DEFINITIONS EXPLICIT TAGS ::= BEGIN
IMPORTS IMPORTS
id-ad, id-ad-ocsp, id-pe -- From [RFC5912]
FROM PKIX1Explicit-2009 {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
EXTENSION -- From [RFC5912] id-ad, id-pe
FROM PKIX-CommonTypes-2009 { FROM PKIX1Explicit-2009 -- From [RFC5912]
iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
security(5) mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
id-mod-pkixCommon-02(57) }
;
-- EXTENSION
-- JWT Claim Constraints Certificate Extension FROM PKIX-CommonTypes-2009 -- From [RFC5912]
-- { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
ext-jwtClaimConstraints EXTENSION ::= { ;
SYNTAX JWTClaimConstraints IDENTIFIED BY id-pe-JWTClaimConstraints }
id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 } --
-- JWT Claim Constraints Certificate Extension
--
JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint ext-jwtClaimConstraints EXTENSION ::= {
SYNTAX JWTClaimConstraints IDENTIFIED BY id-pe-JWTClaimConstraints
}
JWTClaimConstraint ::= SEQUENCE { id-pe-JWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 25 }
claim IA5String,
permitted [1] SEQUENCE OF IA5String OPTIONAL,
excluded [2] SEQUENCE OF IA5String OPTIONAL }
( WITH COMPONENTS { ..., permitted PRESENT } |
WITH COMPONENTS { ..., excluded PRESENT } )
-- JWTClaimConstraints ::= SEQUENCE SIZE (1..MAX) OF JWTClaimConstraint
-- Telephone Number Authorization List Certificate Extension
--
ext-tnAuthList EXTENSION ::= { JWTClaimConstraint ::= SEQUENCE {
SYNTAX TNAuthorizationList IDENTIFIED BY id-pe-TNAuthList } claim IA5String,
permitted SEQUENCE OF IA5String
}
id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 } --
-- Telephone Number Authorization List Certificate Extension
--
TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry ext-tnAuthList EXTENSION ::= {
SYNTAX TNAuthorizationList IDENTIFIED BY id-pe-TNAuthList
}
TNEntry ::= CHOICE { id-pe-TNAuthList OBJECT IDENTIFIER ::= { id-pe 26 }
spc [0] ServiceProviderCodeList,
range [1] TelephoneNumberRange,
one E164Number }
ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry
IA5STRING
-- Service Provider Codes may be OCNs, various SPIDs, or other SP identifiers from the telephone network TNEntry ::= CHOICE {
spc [0] ServiceProviderCodeList,
range [1] TelephoneNumberRange,
one E164Number
}
TelephoneNumberRange ::= SEQUENCE { ServiceProviderCodeList ::= SEQUENCE SIZE (1..3) OF IA5String
start E164Number,
count INTEGER }
E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789")) -- Service Provider Codes may be OCNs, various SPIDs, or other
-- TN Access Descriptor -- SP identifiers from the telephone network
id-ad-stirTNList OBJECT IDENTIFIER ::= { id-ad 14 } TelephoneNumberRange ::= SEQUENCE {
start E164Number,
count INTEGER
}
END E164Number ::= IA5String (SIZE (1..15)) (FROM ("0123456789"))
-- TN Access Descriptor
id-ad-stirTNList OBJECT IDENTIFIER ::= { id-ad 14 }
END
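Review bot: the module's E164Number alphabet, "FROM ("0123456789")", disagrees with Section 9's "FROM ("0123456789#*")" in both columns; pick one and use it in both places, or the module and the prose will describe different certificates. The -13 changes that fix "IA5STRING" to "IA5String", drop the unused id-ad-ocsp import, and align JWTClaimConstraint with Section 8 (permitted only, no context tags, no OPTIONAL) all look correct. One remaining gap: id-ad-stirTNList ::= { id-ad 14 } is defined here, but the module shows no syntax for what the corresponding access descriptor points at; if that is specified only in the prose of Section 10.1 ("Acquiring TN Lists By Reference" in the table of contents), a comment next to the OID pointing there would help implementers.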
Authors' Addresses Authors' Addresses
Jon Peterson Jon Peterson
Neustar, Inc. Neustar, Inc.
Email: jon.peterson@neustar.biz Email: jon.peterson@neustar.biz
Sean Turner Sean Turner
sn3rd sn3rd
 End of changes. 38 change blocks. 
91 lines changed or deleted 95 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/