Alternative Challenge Password Attributes for Enrollment over Secure Transport
RFC 7894
| Document | Type |
RFC
- Proposed Standard
(June 2016)
Was
draft-wallace-est-alt-challenge
(individual)
|
|
|---|---|---|---|
| Authors | Max Pritikin , Carl Wallace | ||
| Last updated | 2016-06-08 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| IESG | Responsible AD | Stephen Farrell | |
| Send notices to | (None) |
RFC 7894
Internet Engineering Task Force (IETF) M. Pritikin
Request for Comments: 7894 Cisco Systems, Inc.
Category: Standards Track C. Wallace
ISSN: 2070-1721 Red Hound Software, Inc.
June 2016
Alternative Challenge Password Attributes
for Enrollment over Secure Transport
Abstract
This document defines a set of new Certificate Signing Request
attributes for use with the Enrollment over Secure Transport (EST)
protocol. These attributes provide disambiguation of the existing
overloaded uses for the challengePassword attribute defined in "PKCS
#9: Selected Object Classes and Attribute Types Version 2.0" (RFC
2985). Uses include the original certificate revocation password,
common authentication password uses, and EST-defined linking of
transport security identity.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7894.
Pritikin & Wallace Standards Track [Page 1]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................4
3. Alternative Challenge Password Attributes .......................4
3.1. OTP Challenge Attribute ....................................4
3.2. Revocation Challenge Attribute .............................5
3.3. EST Identity Linking Attribute .............................5
4. Indicating Support for the Alternative Challenge Attributes .....6
5. Security Considerations .........................................6
6. IANA Considerations .............................................7
7. References ......................................................7
7.1. Normative References .......................................7
7.2. Informative References .....................................8
Appendix A. ASN.1 Module ..........................................9
Acknowledgements ..................................................10
Authors' Addresses ................................................10
Pritikin & Wallace Standards Track [Page 2]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
1. Introduction
"PKCS #9: Selected Object Classes and Attribute Types Version 2.0"
[RFC2985] defined a challengePassword attribute that has been
overloaded by modern protocol usage with the appropriate
interpretation being provided by context rather than OID definition.
PKCS #9 defines the challengePassword attribute as "a password by
which an entity may request certificate revocation". The parsing and
embedding of this attribute within Certificate Signing Requests is
well supported by common PKI toolsets, but many workflows leverage
this supported field as a one-time password for authentication. For
example, this is codified in many Simple Certificate Enrollment
Protocol (SCEP) implementations as indicated by [SCEP]. Continuing
this trend, Enrollment over Secure Transport (EST) [RFC7030] defines
an additional semantic for the challengePassword attribute in
Section 3.5, in order to provide a linking of the Certificate Signing
Request (CSR) to the secure transport.
Where the context of the protocol operation fully defined the proper
semantic, and when only one use was required at a time, the
overloading of this field did not cause difficulties. Implementation
experience with EST has shown this to be a limitation though. There
are plausible use cases where it is valuable to use either of the
existing methods separately or in concert. For example, an EST
server might require the client to authenticate itself using the
existing client X.509 certificate as well as the user's username and
password, and to include a one-time password within the CSR, all
while maintaining identity linking to bind the CSR to the secure
transport. The overloading of a single attribute type should not be
the limiting factor for administrators attempting to meet their
security requirements.
This document defines the otpChallenge attribute for use when a one-
time password (OTP) value within the CSR is a requirement. The
revocationChallenge attribute is defined to allow disambiguated usage
of the original challenge password attribute semantics for
certificate revocation. The estIdentityLinking attribute is defined
to reference existing EST challenge password semantics with no
potential for confusion with legacy challenge password practices.
The attributes defined in this specification supplement existing EST
mechanisms and are not intended to displace current usage of any
existing EST authentication mechanisms. Conveying the authentication
value itself as an attribute may be preferable to using an HTTP or
Transport Layer Security (TLS) password or other TLS authentication
mechanism in environments where the certificate request processing
component is removed from the HTTP/TLS termination point, for
example, when a web application firewall is used.
Pritikin & Wallace Standards Track [Page 3]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Alternative Challenge Password Attributes
The following sections describe three alternative challenge password
attributes for use with EST [RFC7030]. Appendix A provides an ASN.1
module containing the new definitions.
Each attribute described below is defined as a DirectoryString with a
maximum length of 255, which features several possible encoding
options. Attribute values generated in accordance this document
SHOULD use the PrintableString encoding whenever possible. If
internationalization issues make this impossible, the UTF8String
alternative SHOULD be used. Attribute processing systems MUST be
able to recognize and process the PrintableString and UTF8String
string types in DirectoryString values. Support for other string
types is OPTIONAL.
3.1. OTP Challenge Attribute
The otpChallenge attribute is defined as a DirectoryString with a
maximum length of 255. This is consistent with the challengePassword
attribute as originally defined in PKCS #9 [RFC2985]. The
otpChallenge attribute is identified by the id-aa-otpChallenge object
identifier. This facilitates reuse of the existing challengePassword
code by associating the new object identifiers with the existing
parsing and generation code. This attribute provides a means of
conveying a one-time password value as part of a CSR request.
Generation, verification, storage, etc., of the value is not
addressed by this specification. [RFC4226] and [RFC6238] define one-
time password mechanisms that MAY be used with this attribute.
ub-aa-otpChallenge INTEGER ::= 255
id-aa-otpChallenge OBJECT IDENTIFIER ::= {
id-smime 56
}
otpChallenge ATTRIBUTE ::= {
WITH SYNTAX DirectoryString {ub-aa-otpChallenge}
EQUALITY MATCHING RULE caseExactMatch
SINGLE VALUE TRUE
ID id-aa-otpChallenge
}
Pritikin & Wallace Standards Track [Page 4]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
Note that following DTLS-SRTP procedures for the
[I-D.ietf-perc-double] cipher, the endpoint will generate both E2E
and HBH encryption keys and salt values. Endpoints MAY use the DTLS-
SRTP generated E2E key for transmission or MAY generate a fresh E2E
key. In either case, the generated SRTP master salt for E2E
encryption MUST be replaced with the salt value provided by the Key
Distributor via the EKTKey message. That is because every endpoint
in the conference uses the same SRTP master salt. The endpoint only
transmits the SRTP master key (not the salt) used for E2E encryption
to other endpoints in RTP/RTCP packets per
[I-D.ietf-perc-srtp-ekt-diet].
Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
Distributor to establish the HBH key for transmitting RTP and RTCP
packets to that peer Media Distributor. The Key Distributor does not
facilitate establishing a HBH key for use between Media Distributors.
4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the Key
Distributor, an endpoint will be able to encrypt media end-to-end
with an E2E key, sending that E2E key to other endpoints encrypted
with the KEK, and will be able to encrypt and authenticate RTP
packets using a HBH key. The procedures defined do not allow the
Media Distributor to gain access to the KEK information, preventing
it from gaining access to any endpoint's E2E key and subsequently
decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is
to be re-keyed is outside the scope of this document, but this
framework does accommodate re-keying during the life of a conference.
When a Key Distributor decides to re-key a conference, it transmits a
specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to
each of the conference participants. The endpoint MUST create a new
SRTP master key and prepare to send that key inside a Full EKT Field
using the new EKTKey. Since it may take some time for all of the
endpoints in conference to finish re-keying, senders MUST delay a
short period of time before sending media encrypted with the new
master key, but it MUST be prepared to make use of the information
from a new inbound EKT Key immediately. See Section 2.2.2 of
[I-D.ietf-perc-srtp-ekt-diet].
Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to
re-negotiate HBH keys as desired. If new HBH keys are generated, the
Jones, et al. Expires March 8, 2019 [Page 12]
Internet-Draft Private Media Framework September 2018
new keys are also delivered to the Media Distributor following the
procedures defined in [I-D.ietf-perc-dtls-tunnel].
Endpoints are at liberty to change the E2E encryption key used at any
time. Endpoints MUST generate a new E2E encryption key whenever it
receives a new EKT Key. After switching to a new key, the new key
will be conveyed to other endpoints in the conference in RTP/RTCP
packets per [I-D.ietf-perc-srtp-ekt-diet].
5. Authentication
It is important to this solution framework that the entities can
validate the authenticity of other entities, especially the Key
Distributor and endpoints. The details of this are outside the scope
of specification but a few possibilities are discussed in the
following sections. The key requirements is that endpoints can
verify they are connected to the correct Key Distributor for the
conference and the Key Distributor can verify the endpoints are the
correct endpoints for the conference.
Two possible approaches to solve this are Identity Assertions and
Certificate Fingerprints.
5.1. Identity Assertions
WebRTC Identity assertion [I-D.ietf-rtcweb-security-arch] can be used
to bind the identity of the user of the endpoint to the fingerprint
of the DTLS-SRTP certificate used for the call. This certificate is
unique for a given call and a conference. This allows the Key
Distributor to ensure that only authorized users participate in the
conference. Similarly the Key Distributor can create a WebRTC
Identity assertion to bind the fingerprint of the unique certificate
used by the Key Distributor for this conference so that the endpoint
can validate it is talking to the correct Key Distributor. Such a
setup requires an Identity Provider (Idp) trusted by the endpoints
and the Key Distributor.
5.2. Certificate Fingerprints in Session Signaling
Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to
convey the fingerprint information per [RFC5763]. An endpoint's SIP
User Agent would send an INVITE message containing SDP for the media
Jones, et al. Expires March 8, 2019 [Page 13]
Internet-Draft Private Media Framework September 2018
session along with the endpoint's certificate fingerprint, which can
be signed using the procedures described in [RFC4474] for the benefit
of forwarding the message to other entities by the Focus [RFC4353].
Other entities can now verify the fingerprints match the certificates
found in the DTLS-SRTP connections to find the identity of the far
end of the DTLS-SRTP connection and check that is the authorized
entity.
Ultimately, if using session signaling, an endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed
to the Key Distributor so that it can check that that user is
authorized. Similarly, the Key Distributor's certificate fingerprint
can be conveyed to endpoint in a manner that can be authenticated as
being an authorized Key Distributor for this conference.
5.3. Conferences Identification
The Key Distributor needs to know what endpoints are being added to a
given conference. Thus, the Key Distributor and the Media
Distributor will need to know endpoint-to-conference mappings, which
is enabled by exchanging a conference-specific unique identifier as
defined in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier
is assigned is outside the scope of this document.
6. Security Considerations
This framework, and the individual protocols defined to support it,
must take care to not increase the exposure to Denial of Service
(DoS) attacks by untrusted or third-party entities and should take
measures to mitigate, where possible, more serious DoS attacks from
on-path and off-path attackers.
The following section enumerates the kind of attacks that will be
considered in the development of this framework's solution.
6.1. Third Party Attacks
On-path attacks are mitigated by HBH integrity protection and
encryption. The integrity protection mitigates packet modification
and encryption makes selective blocking of packets harder, but not
impossible.
Off-path attackers may try connecting to different PERC entities and
send specifically crafted packets. A successful attacker might be
able to get the Media Distributor to forward such packets. If not
making use of HBH authentication on the Media Distributor, such an
attack could only be detected in the receiving endpoints where the
forged packets would finally be dropped.
Jones, et al. Expires March 8, 2019 [Page 14]
Internet-Draft Private Media Framework September 2018
Another potential attack is a third party claiming to be a Media
Distributor, fooling endpoints in to sending packets to the false
Media Distributor instead of the correct one. The deceived sending
endpoints could incorrectly assuming their packets have been
delivered to endpoints when they in fact have not. Further, the
false Media Distributor may cascade to another legitimate Media
Distributor creating a false version of the real conference.
This attack can be mitigated by the false Media Distributor not being
authenticated by the Key Distributor during PERC Tunnel
establishment. Without the tunnel in place, endpoints will not
establish secure associations with the Key Distributor and receive
the KEK, causing the conference to not proceed.
6.2. Media Distributor Attacks
The Media Distributor can attack the session in a number of possible
ways.
6.2.1. Denial of service
Any modification of the end-to-end authenticated data will result in
the receiving endpoint getting an integrity failure when performing
authentication on the received packet.
The Media Distributor can also attempt to perform resource
consumption attacks on the receiving endpoint. One such attack would
be to insert random SSRC/CSRC values in any RTP packet with an inband
key-distribution message attached (i.e., Full EKT Field). Since such
a message would trigger the receiver to form a new cryptographic
context, the Media Distributor can attempt to consume the receiving
endpoints resources.
Another denial of service attack is where the Media Distributor
rewrites the PT field to indicate a different codec. The effect of
this attack is that any payload packetized and encoded according to
one RTP payload format is then processed using another payload format
and codec. Assuming that the implementation is robust to random
input, it is unlikely to cause crashes in the receiving software/
hardware. However, it is not unlikely that such rewriting will cause
severe media degradation.
For audio formats, this attack is likely to cause highly disturbing
audio and/or can be damaging to hearing and playout equipment.
Jones, et al. Expires March 8, 2019 [Page 15]
Internet-Draft Private Media Framework September 2018
6.2.2. Replay Attack
Replay attack is when an already received packets from a previous
point in the RTP stream is replayed as new packet. This could, for
example, allow a Media Distributor to transmit a sequence of packets
identified as a user saying "yes", instead of the "no" the user
actually said.
The mitigation for a replay attack is to prevent old packets beyond a
small-to-modest jitter and network re-ordering sized window to be
rejected. End-to-end replay protection MUST be provided for the
whole duration of the conference.
6.2.3. Delayed Playout Attack
The delayed playout attack is a variant of the replay attack. This
attack is possible even if E2E replay protection is in place.
However, due to fact that the Media Distributor is allowed to select
a sub-set of streams and not forward the rest to a receiver, such as
in forwarding only the most active speakers, the receiver has to
accept gaps in the E2E packet sequence. The issue with this is that
a Media Distributor can select to not deliver a particular stream for
a while.
Within the window from last packet forwarded to the receiver and the
latest received by the Media Distributor, the Media Distributor can
select an arbitrary starting point when resuming forwarding packets.
Thus what the media source said can be substantially delayed at the
receiver with the receiver believing that it is what was said just
now, and only delayed due to transport delay.
6.2.4. Splicing Attack
The splicing attack is an attack where a Media Distributor receiving
multiple media sources splices one media stream into the other. If
the Media Distributor is able to change the SSRC without the receiver
having any method for verifying the original source ID, then the
Media Distributor could first deliver stream A and then later forward
stream B under the same SSRC as stream A was previously using. Not
allowing the Media Distributor to change the SSRC mitigates this
attack.
7. IANA Considerations
There are no IANA considerations for this document.
Jones, et al. Expires March 8, 2019 [Page 16]
Internet-Draft Private Media Framework September 2018
8. Acknowledgments
The authors would like to thank Mo Zanaty and Christian Oien for
invaluable input on this document. Also, we would like to
acknowledge Nermeen Ismail for serving on the initial versions of
this document as a co-author.
9. References
9.1. Normative References
[I-D.ietf-perc-double]
Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP
Double Encryption Procedures", draft-ietf-perc-double-09
(work in progress), May 2018.
[I-D.ietf-perc-dtls-tunnel]
Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
between a Media Distributor and Key Distributor to
Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-03
(work in progress), April 2018.
[I-D.ietf-perc-srtp-ekt-diet]
Jennings, C., Mattsson, J., McGrew, D., Wing, D., and F.
Andreasen, "Encrypted Key Transport for DTLS and Secure
RTP", draft-ietf-perc-srtp-ekt-diet-08 (work in progress),
July 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure
Real-time Transport Protocol (SRTP)", RFC 6904,
DOI 10.17487/RFC6904, April 2013,
<https://www.rfc-editor.org/info/rfc6904>.
9.2. Informative References
[I-D.ietf-rtcweb-security-arch]
Rescorla, E., "WebRTC Security Architecture", draft-ietf-
rtcweb-security-arch-15 (work in progress), July 2018.
Jones, et al. Expires March 8, 2019 [Page 17]
Internet-Draft Private Media Framework September 2018
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>.
[RFC4353] Rosenberg, J., "A Framework for Conferencing with the
Session Initiation Protocol (SIP)", RFC 4353,
DOI 10.17487/RFC4353, February 2006,
<https://www.rfc-editor.org/info/rfc4353>.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474,
DOI 10.17487/RFC4474, August 2006,
<https://www.rfc-editor.org/info/rfc4474>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <https://www.rfc-editor.org/info/rfc5763>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010,
<https://www.rfc-editor.org/info/rfc5764>.
[RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
Transport Protocol (RTP) Header Extension for Client-to-
Mixer Audio Level Indication", RFC 6464,
DOI 10.17487/RFC6464, December 2011,
<https://www.rfc-editor.org/info/rfc6464>.
[RFC7667] Westerlund, M. and S. Wenger, "RTP Topologies", RFC 7667,
DOI 10.17487/RFC7667, November 2015,
<https://www.rfc-editor.org/info/rfc7667>.
Jones, et al. Expires March 8, 2019 [Page 18]
Internet-Draft Private Media Framework September 2018
Appendix A. PERC Key Inventory
PERC specifies the use of a number of different keys and,
understandably, it looks complicated or confusing on the surface.
This section summarizes the various keys used in the system, how they
are generated, and what purpose they serve.
The keys are described in the order in which they would typically be
acquired.
The various keys used in PERC are shown in Figure 4 below.
+-----------+----------------------------------------------------+
| Key | Description |
+-----------+----------------------------------------------------+
| KEK | Key shared by all endpoints and used to encrypt |
| (EKT Key) | each endpoint's SRTP master key so receiving |
| | endpoints can decrypt media. |
+-----------+----------------------------------------------------+
| HBH Key | Key used to encrypt media hop-by-hop. |
+-----------+----------------------------------------------------+
| E2E Key | Key used to encrypt media end-to-end. |
+-----------+----------------------------------------------------+
Figure 4: Key Inventory
As you can see, the number key types is very small. However, what
can be challenging is keeping track of all of the distinct E2E keys
as the conference grows in size. With 1,000 participants in a
conference, there will be 1,000 distinct SRTP master keys, all of
which share the same master salt. Each of those keys are passed
through the KDF defined in [RFC3711] to produce the actual encryption
and authentication keys. Complicating key management is the fact
that the KEK can change and, when it does, the endpoints generate new
SRTP master keys. And, of course, there is a new SRTP master salt to
go with those keys. Endpoints have to retain old keys for a period
of time to ensure they can properly decrypt late-arriving or out-of-
order packets.
The time required to retain old keys (either EKT Keys or SRTP master
keys) is not specified, but they should be retained at least for the
period of time required to re-key the conference or handle late-
arriving or out-of-order packets. A period of 60s should be
considered a generous retention period, but endpoints may keep old
keys on hand until the end of the conference.
Or more detailed explanation of each of the keys follows.
Jones, et al. Expires March 8, 2019 [Page 19]
Internet-Draft Private Media Framework September 2018
A.1. DTLS-SRTP Exchange Yields HBH Keys
The first set of keys acquired are for hop-by-hop encryption and
decryption. Assuming the use of Double [I-D.ietf-perc-double], the
endpoint would perform DTLS-SRTP exchange with the key distributor
and receive a key that is, in fact, "double&3.2. Revocation Challenge Attribute
The original PKCS #9 challengePassword field has been overloaded, and
the common use is unclear. The revocationChallenge attribute defined
here provides an unambiguous method of indicating the original PKCS
#9 intent for this attribute type. The revocationChallenge attribute
is identified by the id-aa-revocationChallenge object identifier.
[RFC2985] discusses the original semantics for the PKCS #9 challenge
password attribute.
ub-aa-revocationChallenge INTEGER ::= 255
id-aa-revocationChallenge OBJECT IDENTIFIER ::= {
id-smime 57
}
revocationChallenge ATTRIBUTE ::= {
WITH SYNTAX DirectoryString {ub-aa-revocationChallenge}
EQUALITY MATCHING RULE caseExactMatch
SINGLE VALUE TRUE
ID id-aa-revocationChallenge
}
3.3. EST Identity Linking Attribute
EST defines a mechanism for associating identity information from an
authenticated TLS session with proof-of-possession information in a
certificate request. The mechanism was labeled using the pkcs-9-at-
challengePassword identifier from [RFC2985]. To avoid any confusion
with the semantics described in [RFC2985] or any other specifications
that similarly defined use of the PKCS #9 challenge password
attribute for their own purposes, a new object identifier is defined
here and associated with the semantics described in Section 3.5 of
[RFC7030].
ub-aa-est-identity-linking INTEGER ::= 255
id-aa-estIdentityLinking OBJECT IDENTIFIER ::= {
id-smime 58
}
estIdentityLinking ATTRIBUTE ::= {
WITH SYNTAX DirectoryString {ub-aa-est-identity-linking}
EQUALITY MATCHING RULE caseExactMatch
SINGLE VALUE TRUE
ID id-aa-estIdentityLinking
}
Pritikin & Wallace Standards Track [Page 5]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
4. Indicating Support for the Alternative Challenge Attributes
The EST server MUST indicate these attributes, as the particular use
case requires, in every CSR Attributes Response. An EST server MAY
send both the estIdentityLinking attribute and the challengePassword
attribute [RFC7030] in a CSR Attributes Response to ensure support
for legacy clients.
The client MUST include every indicated attribute for which it has
values in the subsequent CSR. If a client sees an estIdentityLinking
attribute in a CSR Attributes Response, it SHOULD prefer that and not
include a challengePassword attribute [RFC7030] in the resulting CSR.
EST clients that include an unsolicited estIdentityLinking attribute
MAY also include the challengePassword attribute [RFC7030] to ensure
support for legacy servers.
EST servers MUST evaluate each challenge attribute independently.
All challenge attributes included by an EST client MUST be
successfully processed by an EST server for a request to be
considered valid. The EST server MAY ignore challenge attributes
according to local policy, for example, if the EST client is an
authenticated Registration Authority, the EST server may ignore the
estIdentityLinking attribute within a CSR (see Section 3.7 of
[RFC7030]). The EST server MAY refuse enrollment requests that are
not encoded according to the policy of the Certification Authority
(CA).
5. Security Considerations
In addition to the security considerations expressed in the EST
specification [RFC7030], additional security considerations may be
associated with the mechanism used to generate and verify the
otpChallenge value. Where a one-time password is used, the security
considerations expressed in "HOTP: An HMAC-Based One-Time Password
Algorithm" [RFC4226] or "TOTP: Time-Based One-Time Password
Algorithm" [RFC6238] may be relevant. Similarly, the security
considerations from [RFC2985] that apply to the challenge attribute
are relevant as well.
Pritikin & Wallace Standards Track [Page 6]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
6. IANA Considerations
Section 3 defines three attributes that have been assigned object
identifiers in the "SMI Security for S/MIME Attributes
(1.2.840.113549.1.9.16.2)" registry [RFC7107]:
Value Description Reference
-------- --------------------------------- ----------
56 id-aa-otpChallenge RFC 7894
57 id-aa-revocationChallenge RFC 7894
58 id-aa-estIdentityLinking RFC 7894
Appendix A contains an ASN.1 module. A module identifier has been
assigned in the "SMI Security for PKIX Module Identifier" registry
[RFC7299].
Value Description Reference
-------- --------------------------------- ----------
87 id-mod-EST-Alt-Challenge RFC 7894
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
DOI 10.17487/RFC2985, November 2000,
<http://www.rfc-editor.org/info/rfc2985>.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, DOI 10.17487/RFC5272, June 2008,
<http://www.rfc-editor.org/info/rfc5272>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010,
<http://www.rfc-editor.org/info/rfc5912>.
Pritikin & Wallace Standards Track [Page 7]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013,
<http://www.rfc-editor.org/info/rfc7030>.
7.2. Informative References
[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
O. Ranen, "HOTP: An HMAC-Based One-Time Password
Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005,
<http://www.rfc-editor.org/info/rfc4226>.
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>.
[RFC7107] Housley, R., "Object Identifier Registry for the S/MIME
Mail Security Working Group", RFC 7107,
DOI 10.17487/RFC7107, January 2014,
<http://www.rfc-editor.org/info/rfc7107>.
[RFC7299] Housley, R., "Object Identifier Registry for the PKIX
Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
<http://www.rfc-editor.org/info/rfc7299>.
[SCEP] Gutmann, P. and M. Pritikin, "Simple Certificate Enrolment
Protocol", Work in Progress, draft-gutmann-scep-02, March
2016.
Pritikin & Wallace Standards Track [Page 8]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
Appendix A. ASN.1 Module
The following ASN.1 module includes the definitions to support usage
of the attributes defined in this specification. Modules from
[RFC5912] are imported (the original Standards Track source for the
imported structures is [RFC5280] and [RFC5272]).
Mod-EST-Alt-Challenge {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) 87
}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
DirectoryString{}
FROM PKIX1Explicit-2009 {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)
}
ATTRIBUTE
FROM PKIX-CommonTypes-2009 {
iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)
};
ub-aa-otpChallenge INTEGER ::= 255
id-aa-otpChallenge OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 56
}
otpChallenge ATTRIBUTE ::= {
TYPE DirectoryString {ub-aa-otpChallenge}
COUNTS MIN 1 MAX 1
IDENTIFIED BY id-aa-otpChallenge
}
ub-aa-revocationChallenge INTEGER ::= 255
id-aa-revocationChallenge OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 57
}
revocationChallenge ATTRIBUTE ::= {
TYPE DirectoryString {ub-aa-revocationChallenge}
COUNTS MIN 1 MAX 1
IDENTIFIED BY id-aa-revocationChallenge
}
Pritikin & Wallace Standards Track [Page 9]
RFC 7894 EST Alternative Challenge Password Attributes June 2016
ub-aa-est-identity-linking INTEGER ::= 255
id-aa-estIdentityLinking OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 58
}
estIdentityLinking ATTRIBUTE ::= {
TYPE DirectoryString {ub-aa-est-identity-linking}
COUNTS MIN 1 MAX 1
IDENTIFIED BY id-aa-estIdentityLinking
}
END
Acknowledgements
Thanks to Jim Schaad, Dan Harkins, Phil Scheffler, Geoff Beier, Mike
Jenkins, and Deb Cooley for their feedback.
Authors' Addresses
Max Pritikin
Cisco Systems, Inc.
510 McCarthy Drive
Milpitas, CA 95035
United States
Email: pritikin@cisco.com
Carl Wallace
Red Hound Software, Inc.
Email: carl@redhoundsoftware.com
Pritikin & Wallace Standards Track [Page 10]