CBOR Object Signing and Encryption G. D. Marco
Internet-Draft independent
Intended status: Standards Track J. Bradley
Expires: 8 August 2024 Yubico
5 February 2024
COSE Header Parameter for Carrying OpenID Federation 1.0 Trust Chains
draft-demarco-cose-header-federation-trust-chain-01
Abstract
The CBOR Object Signing and Encryption (COSE) [RFC9053] message
structure uses message headers to give references to elements that
are needed for the security and verifiability of the message, such as
algorithms and keys.
OpenID Federation 1.0 [OIDC-FED] is a general purpose attestation
mechanism to obtain verifiable metadata and cryptographic keys.
This document defines a new COSE header parameter to identify and
transport an OpenID Federation 1.0 Trust Chain.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-demarco-cose-header-
federation-trust-chain/.
Discussion of this document takes place on the CBOR Object Signing
and Encryption Working Group mailing list (mailto:cose@ietf.org),
which is archived at https://mailarchive.ietf.org/arch/browse/cose/.
Subscribe at https://www.ietf.org/mailman/listinfo/cose/.
Source for this draft and an issue tracker can be found at
https://github.com/peppelinux/draft-demarco-cose-header-federation-
trust-chain.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Marco & Bradley Expires 8 August 2024 [Page 1]
Internet-Draft COSE Trust Chains February 2024
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 August 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Audience Target audience/Usage . . . . . . . . . . . . . . . 3
5. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Out of Scope . . . . . . . . . . . . . . . . . . . . . . 4
6. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
7. The Scope of Trust Chain COSE Header Parameter . . . . . . . 4
8. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4
9. Trust Chain COSE Header Parameter . . . . . . . . . . . . . . 5
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
11. Normative References . . . . . . . . . . . . . . . . . . . . 5
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
The Internet Standards [RFC8152] and [RFC9052] define how to
transport symmetric keys in the COSE headers, and are extended by
[RFC9360] to transport X.509 certificates for the purposes of
identifying a third party and attesting its cryptographic keys.
There are cases where obtaining proof of a third party's identity
through key attestation and cryptographic signature verification is
not enough: cases where the solution requirements also include
attestation of metadata, proofs of compliance, and policies. In these
cases it would be necessary to extend the X.509 certificates with the
policies, metadata and other information required by the
interoperability schemes or by a trust framework.
OpenID Federation 1.0 [OIDC-FED] allows the exchange of metadata,
roles, trust marks, policies and public keys in a secure way, and
allows the construction of a trust infrastructure in which even X.509
certificates can be published within the Entity Statements that make
up the federation Trust Chain. This flexibility allows an
infrastructure based on OpenID Federation 1.0 to guarantee the
security of the solutions, the historical verifiability of the
signatures, and the revocation mechanisms without requiring the CRL or
OCSP technologies that X.509 depends on for the same purpose.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Terminology
The terms Trust Anchor, Intermediate, Trust Chain and Entity Statement
are defined in [OIDC-FED] and used in this specification.
4. Audience Target audience/Usage
The audience of the document is implementers that require a high
level of security for the exchange of metadata, cryptographic keys
and policies.
5. Scope
This specification defines how a [OIDC-FED] Trust Chain is made
available within the COSE headers.
5.1. Out of Scope
The following items are out of scope for the current version of this
document:
* X.509 publication over an [OIDC-FED] infrastructure; this can be
achieved using x5c or x5u as defined in [RFC7517].
* Metadata schemas; OpenID Federation allows the definition of
custom metadata schemas even for entities not belonging to OAuth
2.0 and OpenID ecosystems.
6. Terminology
This specification uses the terms "Trust Chain", "Trust Anchor",
"Intermediate", "Trust Mark" and "Entity Statement" as defined in
[OIDC-FED].
7. The Scope of Trust Chain COSE Header Parameter
The use of an OpenID Federation Trust Chain enables a trust
infrastructure with the full suite of Trust Anchors, Intermediates,
status and revocation checking, Trust Marks and metadata policies
that have been defined in [OIDC-FED].
The Concise Binary Object Representation (CBOR) key structures
[RFC8949] and the Header Parameters for Carrying and Referencing X.509
Certificates [RFC9360] currently defined in COSE do not support all
the properties made available in [OIDC-FED].
8. Requirements
If the application cannot establish trust in the cryptographic keys
or metadata made available and verified within the Trust Chain, the
public key and the metadata MUST NOT be used.
When the Trust Chain parameter is used, the kid parameter defined in
[RFC9052] MUST also be used; kid allows efficient matching of the key
to be used for signature verification.
9. Trust Chain COSE Header Parameter
The header parameter defined by this document is trustchain,
described below:
trustchain: This header parameter contains an ordered array of
strings, each representing a federation Entity Statement encoded as a
signed JSON Web Token [RFC7519]. How the Entity Statements are
ordered is defined in [OIDC-FED].
The trust mechanism used to process the Entity Statements is defined
in [OIDC-FED].
The header parameter can be used in the following locations:
COSE_Signature and COSE_Sign1 objects: In these objects, the
parameter identifies the Trust Chain to be used for obtaining the key
needed for validating the signature, any metadata needed for
interoperability purposes, any metadata policy, and any Trust Marks
required for administrative and technical compliance.
The labels assigned to the header parameter can be found in Table 1.
+=============+=======+=================+=====================+
| Name | Label | Value Type | Description |
+=============+=======+=================+=====================+
| trustchain | 27 | COSE_TRUSTCHAIN | OpenID |
| | | | Federation 1.0 |
| | | | Trust Chain |
+-------------+-------+-----------------+---------------------+
Table 1: TRUST CHAIN COSE Header Parameters
Below is an equivalent Concise Data Definition Language (CDDL)
description (see [RFC8610]) of the text above.
COSE_TRUSTCHAIN = [ + jws: bstr ]
The array contains one entry per Entity Statement; its length N is
therefore the number of Entity Statements that the Trust Chain
contains. The contents of each "bstr" are the bytes representing a
signed JWT.
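As an added illustration (not code from the draft), the verifier-side structural checks that Sections 8 and 9 imply, in Python, operating on a protected header that has already been CBOR-decoded into a dict keyed by integer labels. The chain-ordering rule it enforces (leaf Entity Configuration first, each later statement about the previous statement's issuer) is taken from [OIDC-FED]; the sample statements are constructed and unsigned, and signature and Trust Anchor validation are deliberately left to the [OIDC-FED] processing that follows.

```python
import base64
import json

TRUSTCHAIN_LABEL = 27  # "trustchain" label from Table 1 of the draft
KID_LABEL = 4          # "kid" label from RFC 9052

def statement_payload(token):
    """Decode the payload of a compact-serialized JWS; the signature is NOT verified here."""
    parts = token.split(b".")
    if len(parts) != 3:
        raise ValueError("Entity Statement is not a compact JWS (expected 3 segments)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + b"=" * (-len(parts[1]) % 4)))

def extract_candidate_key(protected):
    """Structural checks on a CBOR-decoded protected header carrying 'trustchain'.
    Returns the leaf JWK matching the COSE kid. The caller MUST still verify every
    signature and the Trust Anchor per [OIDC-FED] before using it (Section 8)."""
    if KID_LABEL not in protected:
        raise ValueError("kid MUST be present whenever trustchain is used")
    chain = protected.get(TRUSTCHAIN_LABEL)
    if not isinstance(chain, list) or not chain or not all(isinstance(t, bytes) for t in chain):
        raise ValueError("trustchain must be a non-empty array of bstr")
    payloads = [statement_payload(t) for t in chain]
    leaf = payloads[0]
    if leaf.get("iss") != leaf.get("sub"):
        raise ValueError("first element must be the leaf Entity Configuration (iss == sub)")
    for prev, cur in zip(payloads, payloads[1:]):
        if cur.get("sub") != prev.get("iss"):
            raise ValueError("chain out of order: each statement must be about the previous issuer")
    kid = protected[KID_LABEL].decode()
    for jwk in leaf.get("jwks", {}).get("keys", []):
        if jwk.get("kid") == kid:
            return jwk
    raise ValueError("no key with kid %r in the leaf Entity Configuration" % kid)

def _unsigned_statement(payload):
    """Constructed sample: header + payload with a dummy signature segment (NOT a real JWS)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=")
    return enc({"alg": "ES256"}) + b"." + enc(payload) + b".c2ln"

# Constructed sample protected header, shaped as a CBOR decoder would return it.
SAMPLE_HEADER = {
    KID_LABEL: b"leaf-key-1",
    TRUSTCHAIN_LABEL: [
        _unsigned_statement({"iss": "https://leaf.example", "sub": "https://leaf.example",
                             "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "leaf-key-1"}]}}),
        _unsigned_statement({"iss": "https://intermediate.example", "sub": "https://leaf.example"}),
        _unsigned_statement({"iss": "https://ta.example", "sub": "https://intermediate.example"}),
    ],
}
```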
10. IANA Considerations
TBD
11. Normative References
[OIDC-FED] Hedberg, R., Jones, M. B., Solberg, A. Å., Bradley, J., De
Marco, G., and V. Dzhuvinov, "OpenID Federation 1.0",
n.d.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517,
DOI 10.17487/RFC7517, May 2015,
<https://www.rfc-editor.org/rfc/rfc7517>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/rfc/rfc7519>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)",
RFC 8152, DOI 10.17487/RFC8152, July 2017,
<https://www.rfc-editor.org/rfc/rfc8152>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/rfc/rfc8610>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/rfc/rfc8949>.
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
<https://www.rfc-editor.org/rfc/rfc9052>.
[RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.
[RFC9360] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Header Parameters for Carrying and Referencing X.509
Certificates", RFC 9360, DOI 10.17487/RFC9360, February
2023, <https://www.rfc-editor.org/rfc/rfc9360>.
Acknowledgments
TBD
Authors' Addresses
Giuseppe De Marco
independent
Email: demarcog83@gmail.com
John Bradley
Yubico
Email: ve7jtb@ve7jtb.com