Internet DRAFT - draft-lear-ietf-pkix-mud-extension
pkix E. Lear
Internet-Draft Cisco Systems
Intended status: Standards Track February 02, 2016
Expires: August 5, 2016
An X.509 Extension for Manufacturer Usage Description URI
draft-lear-ietf-pkix-mud-extension-00
Abstract
Manufacturer Usage Descriptions are used by device manufacturers to
provide indications to the network as to the intended use of a
particular device and with what end points it might communicate. A
URI points to those descriptions. This memo specifies an X.509
certificate extension that carries that URI in a device certificate
to be used with IEEE 802.1AR.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 5, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Lear Expires August 5, 2016 [Page 1]
Internet-Draft X.509 MUD February 2016
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Manufacturer Usage Description (MUD) URI Extension . . . 2
3. Security Considerations . . . . . . . . . . . . . . . . . . . 3
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 3
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 3
6.1. Normative References . . . . . . . . . . . . . . . . . . 3
6.2. Informative References . . . . . . . . . . . . . . . . . 4
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
[I-D.lear-mud-framework] introduces the concept of a manufacturer usage
description. In other documents, DHCP is used to convey a URI that
network systems can use to retrieve YANG-based XML that advises the
network on appropriate usage of a device.
Use of DHCP as a means of transmission may not be appropriate for all
use cases, particularly for devices intended for use in critical
environments. The IEEE has developed [IEEE8021AR] that provides a
certificate-based approach to communicate device characteristics,
which itself relies on [RFC5280].
This document specifies an X.509 extension so that such a MUD URI may
be communicated via 802.1AR. The MUD URI extension is non-critical,
as required by IEEE 802.1AR.
2. The Manufacturer Usage Description (MUD) URI Extension
[RFC7299] provides a procedure and means to specify extensions to
X.509 certificates. The object identifier (OID) for extensions is as
follows:
   -- PKIX certificate extensions
   id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
The choice of id-pe is based on guidance found in Section 4.2.2 of
[RFC5280]:
These extensions may be used to direct applications to on-line
information about the issuer or the subject.
The MUD URI is precisely that: online information about the
particular subject.
The new extension is identified as follows:
   -- The MUD URI extension
   id-pe-mud-uri OBJECT IDENTIFIER ::= { id-pe TBD }
The extension returns a single value:
   mud-uri ::= uniformResourceIdentifier  -- for use with the MUD architecture

The semantics of the URI are defined in [I-D.lear-ietf-netmod-mud].
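As an added example that is not part of this draft, the following Python encodes the extension described above in DER and decodes it back, checking the OID and enforcing the non-critical requirement a relying party would expect under 802.1AR. It assumes a placeholder arc under id-pe, since the real arc is TBD, and reads "uniformResourceIdentifier" as the GeneralName alternative [6] IMPLICIT IA5String.

```python
# Added example, not the draft's code. ASSUMPTIONS: the IANA arc is TBD, so a
# placeholder is used; mud-uri is GeneralName uniformResourceIdentifier ([6] IA5String).
ID_PE = (1, 3, 6, 1, 5, 5, 7, 1)          # id-pe ::= { id-pkix 1 }, RFC 5280
ID_PE_MUD_URI = ID_PE + (999999,)         # id-pe-mud-uri ::= { id-pe TBD }: PLACEHOLDER
def der_len(n):                           # short form below 128, else 0x8N + N bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid_der(arcs):
    out = bytearray()                     # first two arcs pack into one byte,
    for arc in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        chunk = [arc & 0x7F]              # the rest are base-128, high bit = more
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_mud_uri_extension(uri):
    # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE (omitted), extnValue }
    name = tlv(0x86, uri.encode("ascii"))  # IA5String: non-ASCII raises here
    return tlv(0x30, oid_der(ID_PE_MUD_URI) + tlv(0x04, name))

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_mud_uri_extension(der):
    """Return the MUD URI, or raise ValueError (wrong OID, critical=TRUE, bad tags)."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single Extension SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06 or tlv(0x06, oid) != oid_der(ID_PE_MUD_URI):
        raise ValueError("extnID is not id-pe-mud-uri")
    tag, body, pos = read_tlv(seq, pos)
    if tag == 0x01:                        # critical present; 802.1AR requires FALSE
        if body != b"\x00":
            raise ValueError("MUD URI extension marked critical")
        tag, body, pos = read_tlv(seq, pos)
    tag, uri, _ = read_tlv(body, 0) if tag == 0x04 and body else (0, b"", 0)
    if tag != 0x86:
        raise ValueError("extnValue is not OCTET STRING { [6] IA5String }")
    return uri.decode("ascii")
```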
3. Security Considerations
This document specifies a certificate extension to communicate a
Manufacturer Usage Description URI. The semantics of the URI are
defined in [I-D.lear-ietf-netmod-mud]. At this time, no security
concerns are visible to the author for inclusion of such an
extension.
4. IANA Considerations
The IANA is requested to assign a value for id-pe-mud-uri in the "SMI
Security for PKIX Certificate Extension" Registry.
5. Acknowledgments
The author wishes to thank Max Pritikin for his review and
suggestions.
6. References
6.1. Normative References
[I-D.lear-ietf-netmod-mud]
Lear, E., "Manufacturer Usage Description YANG Model",
draft-lear-ietf-netmod-mud-00 (work in progress), January
2016.
[RFC7299] Housley, R., "Object Identifier Registry for the PKIX
Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
<http://www.rfc-editor.org/info/rfc7299>.
6.2. Informative References
[I-D.lear-mud-framework]
Lear, E., "Manufacturer Usage Description Framework",
draft-lear-mud-framework-00 (work in progress), January
2016.
[IEEE8021AR]
Institute for Electrical and Electronics Engineers,
"Secure Device Identity", 1998.
[IEEE8021X]
Institute for Electrical and Electronics Engineers, "Port
Based Network Access Control", 1998.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
Author's Address
Eliot Lear
Cisco Systems
Richtistrasse 7
Wallisellen CH-8304
Switzerland
Phone: +41 44 878 9200
Email: lear@cisco.com