Network Working Group S. Leonard
Internet-Draft Penango, Inc.
Updates: 2585 (if approved) November 12, 2014
Intended status: Standards Track
Expires: May 16, 2015
URI Fragment Identifiers for the application/pkix-cert Media Type
draft-seantek-certfrag-02
Abstract
This memo describes Uniform Resource Identifier (URI) fragment
identifiers for PKIX certificates, which are identified with the
Internet media type application/pkix-cert.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 16, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Leonard Expires May 16, 2015 [Page 1]
Internet-Draft certfrag November 2014
1. Fragment
A digital certificate [RFC5280] comprises parts that are of
interest to particular users and applications. For example, a user
agent may wish to draw attention to the "notAfter" time of an
expired certificate. Uniform Resource Identifiers (URIs) can include
fragment identifiers to identify such sub-parts of a resource; see
Section 3.5 of [RFC3986]. However, the semantics of fragment
identifiers depend upon the Internet media type [RFC2046], not the
URI scheme. Therefore, the fragment identifiers in this memo apply
to the application/pkix-cert Internet media type [RFC2585]. The
following fragments are hereby defined:
+------------+------------------------------------------------------+
| Identifier | Certificate Part (ASN.1 identifier)                  |
+------------+------------------------------------------------------+
| v          | tbsCertificate.version                               |
| sn         | tbsCertificate.serialNumber                          |
| sig        | tbsCertificate.signature; also signatureAlgorithm    |
| issuer     | tbsCertificate.issuer                                |
| nb         | tbsCertificate.validity.notBefore                    |
| na         | tbsCertificate.validity.notAfter                     |
| subject    | tbsCertificate.subject                               |
| spki       | tbsCertificate.subjectPublicKeyInfo                  |
| ext        | tbsCertificate.extensions                            |
| ext:<OID>  | tbsCertificate.extensions                            |
|            | {Extension matching extoid == extnID}*               |
| sigval     | signatureValue                                       |
+------------+------------------------------------------------------+
* The particular extension in the Extensions "SEQUENCE" is identified
by OID only; there are no textual identifiers. The syntax of the
<OID> matches the "numericoid" production of [RFC4512].
Table 1: Certificate Parts and Fragments
The fragments defined in the table above are case-insensitive. The
table is not exhaustive: should additional identifiers be required, a
future document may define them.
2. IANA Considerations
IANA needs to add a reference to this specification in the
application/pkix-cert media type registration.
Additionally, the registration template needs to be updated to add
the following section:
Fragment identifier considerations: Fragment identification is
supported by using fragment identifiers as specified by this memo.
It has also been observed that DER-encoded certificates and
certificate revocation lists begin with octet 0x30 (in US-ASCII:
'0'), which is the tag for an ASN.1 SEQUENCE. Accordingly, the magic
number(s) subsections for application/pkix-cert and
application/pkix-crl are to be amended to say:
Magic number(s): 0x30 ('0', SEQUENCE tag)
3. Security Considerations
Digital certificates are important building blocks for
authentication, integrity, authorization, and (occasionally)
confidentiality services. Accordingly, identifying digital
certificates incorrectly can have significant security ramifications.
A URI that identifies a certificate will likely be used by an
application or user for some security-related service, such as to
retrieve the certificate as part of a validation procedure. When a
fragment identifies a part of a certificate, the application will
define the behavioral semantics. A certificate displaying
application might zoom in on that aspect of the certificate, while a
public key-processing application might use a fragment identifier
like "#spki" in a URI when identifying a certificate from which to
extract the "SubjectPublicKeyInfo" structure for further processing.
The textual fragment identifiers are not meant to be used in place
of the certificate parts they identify, because the identifiers are
not part of the actual certificate. Interpreting these identifiers
incorrectly may lead to denial-of-service attacks.
4. Normative References
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996.
[RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key
Infrastructure Operational Protocols: FTP and HTTP", RFC
2585, May 1999.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June
2006.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
Author's Address
Sean Leonard
Penango, Inc.
5900 Wilshire Boulevard
21st Floor
Los Angeles, CA 90036
USA
Email: dev+ietf@seantek.com
URI: http://www.penango.com/