summaryrefslogtreecommitdiff
path: root/doc/standardisation/rfc3820.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/standardisation/rfc3820.txt')
-rw-r--r--doc/standardisation/rfc3820.txt2075
1 files changed, 0 insertions, 2075 deletions
diff --git a/doc/standardisation/rfc3820.txt b/doc/standardisation/rfc3820.txt
deleted file mode 100644
index f4e60737f..000000000
--- a/doc/standardisation/rfc3820.txt
+++ /dev/null
@@ -1,2075 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Tuecke
-Request for Comments: 3820 ANL
-Category: Standards Track V. Welch
- NCSA
- D. Engert
- ANL
- L. Pearlman
- USC/ISI
- M. Thompson
- LBNL
- June 2004
-
-
- Internet X.509 Public Key Infrastructure (PKI)
- Proxy Certificate Profile
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- This document forms a certificate profile for Proxy Certificates,
- based on X.509 Public Key Infrastructure (PKI) certificates as
- defined in RFC 3280, for use in the Internet. The term Proxy
- Certificate is used to describe a certificate that is derived from,
- and signed by, a normal X.509 Public Key End Entity Certificate or by
- another Proxy Certificate for the purpose of providing restricted
- proxying and delegation within a PKI based authentication system.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 1]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Overview of Approach . . . . . . . . . . . . . . . . . . . . . 4
- 2.1. Terminology. . . . . . . . . . . . . . . . . . . . . . . 4
- 2.2. Background . . . . . . . . . . . . . . . . . . . . . . . 5
- 2.3. Motivation for Proxying. . . . . . . . . . . . . . . . . 5
- 2.4. Motivation for Restricted Proxies. . . . . . . . . . . . 7
- 2.5. Motivation for Unique Proxy Name . . . . . . . . . . . . 8
- 2.6. Description Of Approach. . . . . . . . . . . . . . . . . 9
- 2.7. Features Of This Approach. . . . . . . . . . . . . . . . 10
- 3. Certificate and Certificate Extensions Profile . . . . . . . . 12
- 3.1. Issuer . . . . . . . . . . . . . . . . . . . . . . . . . 12
- 3.2. Issuer Alternative Name. . . . . . . . . . . . . . . . . 12
- 3.3. Serial Number. . . . . . . . . . . . . . . . . . . . . . 12
- 3.4. Subject. . . . . . . . . . . . . . . . . . . . . . . . . 13
- 3.5. Subject Alternative Name . . . . . . . . . . . . . . . . 13
- 3.6. Key Usage and Extended Key Usage . . . . . . . . . . . . 13
- 3.7. Basic Constraints. . . . . . . . . . . . . . . . . . . . 14
- 3.8. The ProxyCertInfo Extension. . . . . . . . . . . . . . . 14
- 4. Proxy Certificate Path Validation. . . . . . . . . . . . . . . 17
- 4.1. Basic Proxy Certificate Path Validation. . . . . . . . . 19
- 4.2. Using the Path Validation Algorithm. . . . . . . . . . . 23
- 5. Commentary . . . . . . . . . . . . . . . . . . . . . . . . . . 24
- 5.1. Relationship to Attribute Certificates . . . . . . . . . 24
- 5.2. Kerberos 5 Tickets . . . . . . . . . . . . . . . . . . . 28
- 5.3. Examples of usage of Proxy Restrictions. . . . . . . . . 28
- 5.4. Delegation Tracing . . . . . . . . . . . . . . . . . . . 29
- 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 30
- 6.1. Compromise of a Proxy Certificate. . . . . . . . . . . . 30
- 6.2. Restricting Proxy Certificates . . . . . . . . . . . . . 31
- 6.3. Relying Party Trust of Proxy Certificates. . . . . . . . 31
- 6.4. Protecting Against Denial of Service with Key Generation 32
- 6.5. Use of Proxy Certificates in a Central Repository. . . . 32
- 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 33
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
- 8.1. Normative References . . . . . . . . . . . . . . . . . . 33
- 8.2. Informative References . . . . . . . . . . . . . . . . . 33
- 9. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 34
- Appendix A. 1988 ASN.1 Module. . . . . . . . . . . . . . . . . . . 35
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36
- Full Copyright Notice. . . . . . . . . . . . . . . . . . . . . . . 37
-
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 2]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-1. Introduction
-
- Use of a proxy credential [i7] is a common technique used in security
- systems to allow entity A to grant to another entity B the right for
- B to be authorized with others as if it were A. In other words,
- entity B is acting as a proxy on behalf of entity A. This document
- forms a certificate profile for Proxy Certificates, based on the RFC
- 3280, "Internet X.509 Public Key Infrastructure Certificate and CRL
- Profile" [n2].
-
- In addition to simple, unrestricted proxying, this profile defines:
-
- * A framework for carrying policies in Proxy Certificates that
- allows proxying to be limited (perhaps completely disallowed)
- through either restrictions or enumeration of rights.
-
- * Proxy Certificates with unique names, derived from the name of the
- end entity certificate name. This allows the Proxy Certificates
- to be used in conjunction with attribute assertion approaches such
- as Attribute Certificates [i3] and have their own rights
- independent of their issuer.
-
- Section 2 provides a non-normative overview of the approach. It
- begins by defining terminology, motivating Proxy Certificates, and
- giving a brief overview of the approach. It then introduces the
- notion of a Proxy Issuer, as distinct from a Certificate Authority,
- to describe how end entity signing of a Proxy Certificate is
- different from end entity signing of another end entity certificate,
- and therefore why this approach does not violate the end entity
- signing restrictions contained in the X.509 keyCertSign field of the
- keyUsage extension. It then continues with discussions of how
- subject names are used by this proxying approach, and features of
- this approach.
-
- Section 3 defines requirements on information content in Proxy
- Certificates. This profile addresses two fields in the basic
- certificate as well as five certificate extensions. The certificate
- fields are the subject and issuer fields. The certificate extensions
- are subject alternative name, issuer alternative name, key usage,
- basic constraints, and extended key usage. A new certificate
- extension, Proxy Certificate Information, is introduced.
-
- Section 4 defines path validation rules for Proxy Certificates.
-
- Section 5 provides non-normative commentary on Proxy Certificates.
-
- Section 6 discusses security considerations relating to Proxy
- Certificates.
-
-
-
-Tuecke, et al. Standards Track [Page 3]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- References, listed in Section 8, are sorted into normative and
- information references. Normative references, listed in Section 8.1,
- are in the form [nXX]. Informative references, listed in Section
- 8.2, are in the form [iXX].
-
- Section 9 contains acknowledgements.
-
- Following Section 9, contains the Appendix, the contact information
- for the authors, the intellectual property information, and the
- copyright information for this document.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119 [n1].
-
-2. Overview of Approach
-
- This section provides non-normative commentary on Proxy Certificates.
-
- The goal of this specification is to develop a X.509 Proxy
- Certificate profile and to facilitate their use within Internet
- applications for those communities wishing to make use of restricted
- proxying and delegation within an X.509 Public Key Infrastructure
- (PKI) authentication based system.
-
- This section provides relevant background, motivation, an overview of
- the approach, and related work.
-
-2.1. Terminology
-
- This document uses the following terms:
-
- * CA: A "Certification Authority", as defined by X.509 [n2]
-
- * EEC: An "End Entity Certificate", as defined by X.509. That is,
- it is an X.509 Public Key Certificate issued to an end entity,
- such as a user or a service, by a CA.
-
- * PKC: An end entity "Public Key Certificate". This is synonymous
- with an EEC.
-
- * PC: A "Proxy Certificate", the profile of which is defined by this
- document.
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 4]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- * PI: A "Proxy Issuer" is an entity with an End Entity Certificate
- or Proxy Certificate that issues a Proxy Certificate. The Proxy
- Certificate is signed using the private key associated with the
- public key in the Proxy Issuer's certificate.
-
- * AC: An "Attribute Certificate", as defined by "An Internet
- Attribute Certificate Profile for Authorization" [i3].
-
- * AA: An "Attribute Authority", as defined in [i3].
-
-2.2. Background
-
- Computational and Data "Grids" have emerged as a common approach to
- constructing dynamic, inter-domain, distributed computing
- environments. As explained in [i5], large research and development
- efforts starting around 1995 have focused on the question of what
- protocols, services, and APIs are required for effective, coordinated
- use of resources in these Grid environments.
-
- In 1997, the Globus Project (www.globus.org) introduced the Grid
- Security Infrastructure (GSI) [i4]. This library provides for public
- key based authentication and message protection, based on standard
- X.509 certificates and public key infrastructure, the SSL/TLS
- protocol [i2], and delegation using proxy certificates similar to
- those profiled in this document. GSI has been used, in turn, to
- build numerous middleware libraries and applications, which have been
- deployed in large-scale production and experimental Grids [i1]. GSI
- has emerged as the dominant security solution used by Grid efforts
- worldwide.
-
- This experience with GSI has proven the viability of restricted
- proxying as a basis for authorization within Grids, and has further
- proven the viability of using X.509 Proxy Certificates, as defined in
- this document, as the basis for that proxying. This document is one
- part of an effort to migrate this experience with GSI into standards,
- and in the process clean up the approach and better reconcile it with
- existing and recent standards.
-
-2.3. Motivation for Proxying
-
- A motivating example will assist in understanding the role proxying
- can play in building Internet based applications.
-
- Steve is an engineer who wants to use a reliable file transfer
- service to manage the movement of a number of large files around
- between various hosts on his company's Intranet-based Grid. From his
- laptop he wants to submit a number of transfer requests to the
- service and have the files transferred while he is doing other
-
-
-
-Tuecke, et al. Standards Track [Page 5]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- things, including being offline. The transfer service may queue the
- requests for some time (e.g., until after hours or a period of low
- resource usage) before initiating the transfers. The transfer
- service will then, for each file, connect to each of the source and
- destination hosts, and instruct them to initiate a data connection
- directly from the source to the destination in order to transfer the
- file. Steve will leave an agent running on his laptop that will
- periodically check on progress of the transfer by contacting the
- transfer service. Of course, he wants all of this to happen securely
- on his company's resources, which requires that he initiate all of
- this using his PKI smartcard.
-
- This scenario requires authentication and delegation in a variety of
- places:
-
- * Steve needs to be able to mutually authenticate with the reliable
- file transfer service to submit the transfer request.
-
- * Since the storage hosts know nothing about the file transfer
- service, the file transfer service needs to be delegated the
- rights to mutually authenticate with the various storage hosts
- involved directly in the file transfer, in order to initiate the
- file transfer.
-
- * The source and destination hosts of a particular transfer must be
- able to mutual authenticate with each other, to ensure the file is
- being transferred to and from the proper parties.
-
- * The agent running on Steve's laptop must mutually authenticate
- with the file transfer service in order to check the result of the
- transfers.
-
- Proxying is a viable approach to solving two (related) problems in
- this scenario:
-
- * Single sign-on: Steve wants to enter his smartcard password (or
- pin) once, and then run a program that will submit all the file
- transfer requests to the transfer service, and then periodically
- check on the status of the transfer. This program needs to be
- given the rights to be able to perform all of these operations
- securely, without requiring repeated access to the smartcard or
- Steve's password.
-
- * Delegation: Various remote processes in this scenario need to
- perform secure operations on Steve's behalf, and therefore must be
- delegated the necessary rights. For example, the file transfer
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 6]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- service needs to be able to authenticate on Steve's behalf with
- the source and destination hosts, and must in turn delegate rights
- to those hosts so that they can authenticate with each other.
-
- Proxying can be used to secure all of these interactions:
-
- * Proxying allows for the private key stored on the smartcard to be
- accessed just once, in order to create the necessary proxy
- credential, which allows the client/agent program to be authorized
- as Steve when submitting the requests to the transfer service.
- Access to the smartcard and Steve's password is not required after
- the initial creation of the proxy credential.
-
- * The client program on the laptop can delegate to the file transfer
- service the right to act on Steve's behalf. This, in turn, allows
- the service to authenticate to the storage hosts and inherit
- Steve's privileges in order to start the file transfers.
-
- * When the transfer service authenticates to hosts to start the file
- transfer, the service can delegate to the hosts the right to act
- on Steve's behalf so that each pair of hosts involved in a file
- transfer can mutually authenticate to ensure the file is securely
- transferred.
-
- * When the agent on the laptop reconnects to the file transfer
- service to check on the status of the transfer, it can perform
- mutual authentication. The laptop may use a newly generated proxy
- credential, which is just created anew using the smartcard.
-
- This scenario, and others similar to it, is being built today within
- the Grid community. The Grid Security Infrastructure's single sign-
- on and delegation capabilities, built on X.509 Proxy Certificates,
- are being employed to provide authentication services to these
- applications.
-
-2.4. Motivation for Restricted Proxies
-
- One concern that arises is what happens if a machine that has been
- delegated the right to inherit Steve's privileges has been
- compromised? For example, in the above scenario, what if the machine
- running the file transfer service is compromised, such that the
- attacker can gain access to the credential that Steve delegated to
- that service? Can the attacker now do everything that Steve is
- allowed to do?
-
- A solution to this problem is to allow for restrictions to be placed
- on the proxy by means of policies on the proxy certificates. For
- example, the machine running the reliable file transfer service in
-
-
-
-Tuecke, et al. Standards Track [Page 7]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- the above example might only be given Steve's right for the purpose
- of reading the source files and writing the destination files.
- Therefore, if that file transfer service is compromised, the attacker
- cannot modify source files, cannot create or modify other files to
- which Steve has access, cannot start jobs on behalf of Steve, etc.
- All that an attacker would be able to do is read the specific files
- to which the file transfer service has been delegated read access,
- and write bogus files in place of those that the file transfer
- service has been delegated write access. Further, by limiting the
- lifetime of the credential that is delegated to the file transfer
- service, the effects of a compromise can be further mitigated.
-
- Other potential uses for restricted proxy credentials are discussed
- in [i7].
-
-2.5. Motivation for Unique Proxy Name
-
- The dynamic creation of entities (e.g., processes and services) is an
- essential part of Grid computing. These entities will require rights
- in order to securely perform their function. While it is possible to
- obtain rights solely through proxying as described in previous
- sections, this has limitations. For example what if an entity should
- have rights that are granted not just from the proxy issuer but from
- a third party as well? While it is possible in this case for the
- entity to obtain and hold two proxy certifications, in practice it is
- simpler for subsequent credentials to take the form of attribute
- certificates.
-
- It is also desirable for these entities to have a unique identity so
- that they can be explicitly discussed in policy statements. For
- example, a user initiating a third-party FTP transfer could grant
- each FTP server a PC with a unique identity and inform each server of
- the identity of the other, then when the two servers connected they
- could authenticate themselves and know they are connected to the
- proper party.
-
- In order for a party to have rights of it's own it requires a unique
- identity. Possible options for obtaining an unique identity are:
-
- 1) Obtain an identity from a traditional Certification Authority
- (CA).
-
- 2) Obtain a new identity independently - for example by using the
- generated public key and a self-signed certificate.
-
- 3) Derive the new identity from an existing identity.
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 8]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- In this document we describe an approach to option #3, because:
-
- * It is reasonably light-weight, as it can be done without
- interacting with a third party. This is important when
- creating identities dynamically.
-
- * As described in the previous section, a common use for PCs is
- for restricted proxying, so deriving their identity from the
- identity of the EEC makes this straightforward. Nonetheless
- there are circumstances where the creator does not wish to
- delegate all or any of its rights to a new entity. Since the
- name is unique, this is easily accomplished by #3 as well, by
- allowing the application of a policy to limit proxying.
-
-2.6. Description Of Approach
-
- This document defines an X.509 "Proxy Certificate" or "PC" as a means
- of providing for restricted proxying within an (extended) X.509 PKI
- based authentication system.
-
- A Proxy Certificate is an X.509 public key certificate with the
- following properties:
-
- 1) It is signed by either an X.509 End Entity Certificate (EEC), or
- by another PC. This EEC or PC is referred to as the Proxy Issuer
- (PI).
-
- 2) It can sign only another PC. It cannot sign an EEC.
-
- 3) It has its own public and private key pair, distinct from any
- other EEC or PC.
-
- 4) It has an identity derived from the identity of the EEC that
- signed the PC. When a PC is used for authentication, in may
- inherit rights of the EEC that signed the PC, subject to the
- restrictions that are placed on that PC by the EEC.
-
- 5) Although its identity is derived from the EEC's identity, it is
- also unique. This allows this identity to be used for
- authorization as an independent identity from the identity of the
- issuing EEC, for example in conjunction with attribute assertions
- as defined in [i3].
-
- 6) It contains a new X.509 extension to identify it as a PC and to
- place policies on the use of the PC. This new extension, along
- with other X.509 fields and extensions, are used to enable proper
- path validation and use of the PC.
-
-
-
-
-Tuecke, et al. Standards Track [Page 9]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- The process of creating a PC is as follows:
-
- 1) A new public and private key pair is generated.
-
- 2) That key pair is used to create a request for a Proxy Certificate
- that conforms to the profile described in this document.
-
- 3) A Proxy Certificate, signed by the private key of the EEC or by
- another PC, is created in response to the request. During this
- process, the PC request is verified to ensure that the requested
- PC is valid (e.g., it is not an EEC, the PC fields are
- appropriately set, etc).
-
- When a PC is created as part of a delegation from entity A to entity
- B, this process is modified by performing steps #1 and #2 within
- entity B, then passing the PC request from entity B to entity A over
- an authenticated, integrity checked channel, then entity A performs
- step #3 and passes the PC back to entity B.
-
- Path validation of a PC is very similar to normal path validation,
- with a few additional checks to ensure, for example, proper PC
- signing constraints.
-
-2.7. Features Of This Approach
-
- Using Proxy Certificates to perform delegation has several features
- that make it attractive:
-
- * Ease of integration
-
- o Because a PC requires only a minimal change to path validation,
- it is very easy to incorporate support for Proxy Certificates
- into existing X.509 based software. For example, SSL/TLS
- requires no protocol changes to support authentication using a
- PC. Further, an SSL/TLS implementation requires only minor
- changes to support PC path validation, and to retrieve the
- authenticated subject of the signing EEC instead of the subject
- of the PC for authorization purposes.
-
- o Many existing authorization systems use the X.509 subject name
- as the basis for access control. Proxy Certificates can be
- used with such authorization systems without modification,
- since such a PC inherits its name and rights from the EEC that
- signed it and the EEC name can be used in place of the PC name
- for authorization decisions.
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 10]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- * Ease of use
-
- o Using PC for single sign-on helps make X.509 PKI authentication
- easier to use, by allowing users to "login" once and then
- perform various operations securely.
-
- o For many users, properly managing their own EEC private key is
- a nuisance at best, and a security risk at worst. One option
- easily enabled with a PC is to manage the EEC private keys and
- certificates in a centrally managed repository. When a user
- needs a PKI credential, the user can login to the repository
- using name/password, one time password, etc. Then the
- repository can delegate a PC to the user with proxy rights, but
- continue to protect the EEC private key in the repository.
-
- * Protection of private keys
-
- o By using the remote delegation approach outlined above, entity
- A can delegate a PC to entity B, without entity B ever seeing
- the private key of entity A, and without entity A ever seeing
- the private key of the newly delegated PC held by entity B. In
- other words, private keys never need to be shared or
- communicated by the entities participating in a delegation of a
- PC.
-
- o When implementing single sign-on, using a PC helps protect the
- private key of the EEC, because it minimizes the exposure and
- use of that private key. For example, when an EEC private key
- is password protected on disk, the password and unencrypted
- private key need only be available during the creation of the
- PC. That PC can then be used for the remainder of its valid
- lifetime, without requiring access to the EEC password or
- private key. Similarly, when the EEC private key lives on a
- smartcard, the smartcard need only be present in the machine
- during the creation of the PC.
-
- * Limiting consequences of a compromised key
-
- o When creating a PC, the PI can limit the validity period of the
- PC, the depth of the PC path that can be created by that PC,
- and key usage of the PC and its descendents. Further, fine-
- grained policies can be carried by a PC to even further
- restrict the operations that can be performed using the PC.
- These restrictions permit the PI to limit damage that could be
- done by the bearer of the PC, either accidentally or
- maliciously.
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 11]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- o A compromised PC private key does NOT compromise the EEC
- private key. This makes a short term, or an otherwise
- restricted PC attractive for day-to-day use, since a
- compromised PC does not require the user to go through the
- usually cumbersome and time consuming process of having the EEC
- with a new private key reissued by the CA.
-
- See Section 5 below for more discussion on how Proxy Certificates
- relate to Attribute Certificates.
-
-3. Certificate and Certificate Extensions Profile
-
- This section defines the usage of X.509 certificate fields and
- extensions in Proxy Certificates, and defines one new extension for
- Proxy Certificate Information.
-
- All Proxy Certificates MUST include the Proxy Certificate Information
- (ProxyCertInfo) extension defined in this section and the extension
- MUST be critical.
-
-3.1. Issuer
-
- The Proxy Issuer of a Proxy Certificate MUST be either an End Entity
- Certificate, or another Proxy Certificate.
-
- The Proxy Issuer MUST NOT have an empty subject field.
-
- The issuer field of a Proxy Certificate MUST contain the subject
- field of its Proxy Issuer.
-
- If the Proxy Issuer certificate has the KeyUsage extension, the
- Digital Signature bit MUST be asserted.
-
-3.2. Issuer Alternative Name
-
- The issuerAltName extension MUST NOT be present in a Proxy
- Certificate.
-
-3.3. Serial Number
-
- The serial number of a Proxy Certificate (PC) SHOULD be unique
- amongst all Proxy Certificates issued by a particular Proxy Issuer.
- However, a Proxy Issuer MAY use an approach to assigning serial
- numbers that merely ensures a high probability of uniqueness.
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 12]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- For example, a Proxy Issuer MAY use a sequentially assigned integer
- or a UUID to assign a unique serial number to a PC it issues. Or a
- Proxy Issuer MAY use a SHA-1 hash of the PC public key to assign a
- serial number with a high probability of uniqueness.
-
-3.4. Subject
-
- The subject field of a Proxy Certificate MUST be the issuer field
- (that is the subject of the Proxy Issuer) appended with a single
- Common Name component.
-
- The value of the Common Name SHOULD be unique to each Proxy
- Certificate bearer amongst all Proxy Certificates with the same
- issuer.
-
- If a Proxy Issuer issues two proxy certificates to the same bearer,
- the Proxy Issuer MAY choose to use the same Common Name for both.
- Examples of this include Proxy Certificates for different uses (e.g.,
- signing vs encryption) or the re-issuance of an expired Proxy
- Certificate.
-
- The Proxy Issuer MAY use an approach to assigning Common Name values
- that merely ensures a high probability of uniqueness. This value MAY
- be the same value used for the serial number.
-
- The result of this approach is that all subject names of Proxy
- Certificates are derived from the name of the issuing EEC (it will be
- the first part of the subject name appended with one or more CN
- components) and are unique to each bearer.
-
-3.5. Subject Alternative Name
-
- The subjectAltName extension MUST NOT be present in a Proxy
- Certificate.
-
-3.6. Key Usage and Extended Key Usage
-
- If the Proxy Issuer certificate has a Key Usage extension, the
- Digital Signature bit MUST be asserted.
-
- This document places no constraints on the presence or contents of
- the key usage and extended key usage extension. However, section 4.2
- explains what functions should be allowed a proxy certificate by a
- relying party.
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 13]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-3.7. Basic Constraints
-
- The cA field in the basic constraints extension MUST NOT be TRUE.
-
-3.8. The ProxyCertInfo Extension
-
- A new extension, ProxyCertInfo, is defined in this subsection.
- Presence of the ProxyCertInfo extension indicates that a certificate
- is a Proxy Certificate and whether or not the issuer of the
- certificate has placed any restrictions on its use.
-
- id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
-
- id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
-
- id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pe 14 }
-
- ProxyCertInfo ::= SEQUENCE {
- pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
- proxyPolicy ProxyPolicy }
-
-
- ProxyPolicy ::= SEQUENCE {
- policyLanguage OBJECT IDENTIFIER,
- policy OCTET STRING OPTIONAL }
-
- If a certificate is a Proxy Certificate, then the proxyCertInfo
- extension MUST be present, and this extension MUST be marked as
- critical.
-
- If a certificate is not a Proxy Certificate, then the proxyCertInfo
- extension MUST be absent.
-
- The ProxyCertInfo extension consists of one required and two optional
- fields, which are described in detail in the following subsections.
-
-3.8.1. pCPathLenConstraint
-
- The pCPathLenConstraint field, if present, specifies the maximum
- depth of the path of Proxy Certificates that can be signed by this
- Proxy Certificate. A pCPathLenConstraint of 0 means that this
- certificate MUST NOT be used to sign a Proxy Certificate. If the
- pCPathLenConstraint field is not present then the maximum proxy path
- length is unlimited. End entity certificates have unlimited maximum
- proxy path lengths.
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 14]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-3.8.2. proxyPolicy
-
- The proxyPolicy field specifies a policy on the use of this
- certificate for the purposes of authorization. Within the
- proxyPolicy, the policy field is an expression of policy, and the
- policyLanguage field indicates the language in which the policy is
- expressed.
-
- The proxyPolicy field in the proxyCertInfo extension does not define
- a policy language to be used for proxy restrictions; rather, it
- places the burden on those parties using that extension to define an
- appropriate language, and to acquire an OID for that language (or to
- select an appropriate previously-defined language/OID). Because it
- is essential for the PI that issues a certificate with a proxyPolicy
- field and the relying party that interprets that field to agree on
- its meaning, the policy language OID must correspond to a policy
- language (including semantics), not just a policy grammar.
-
- The policyLanguage field has two values of special importance,
- defined in Appendix A, that MUST be understood by all parties
- accepting Proxy Certificates:
-
- * id-ppl-inheritAll indicates that this is an unrestricted proxy
- that inherits all rights from the issuing PI. An unrestricted
- proxy is a statement that the Proxy Issuer wishes to delegate all
- of its authority to the bearer (i.e., to anyone who has that proxy
- certificate and can prove possession of the associated private
- key). For purposes of authorization, this an unrestricted proxy
- effectively impersonates the issuing PI.
-
- * id-ppl-independent indicates that this is an independent proxy
- that inherits no rights from the issuing PI. This PC MUST be
- treated as an independent identity by relying parties. The only
- rights this PC has are those granted explicitly to it.
-
- For either of the policyLanguage values listed above, the policy
- field MUST NOT be present.
-
- Other values for the policyLanguage field indicates that this is a
- restricted proxy certification and have some other policy limiting
- its ability to do proxying. In this case the policy field MAY be
- present and it MUST contain information expressing the policy. If
- the policy field is not present the policy MUST be implicit in the
- value of the policyLanguage field itself. Authors of additional
- policy languages are encouraged to publicly document their policy
- language and list it in the IANA registry (see Section 7).
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 15]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- Proxy policies are used to limit the amount of authority delegated,
- for example to assert that the proxy certificate may be used only to
- make requests to a specific server, or only to authorize specific
- operations on specific resources. This document is agnostic to the
- policies that can be placed in the policy field.
-
- Proxy policies impose additional requirements on the relying party,
- because only the relying party is in a position to ensure that those
- policies are enforced. When making an authorization decision based
- on a proxy certificate based on rights that proxy certificate
- inherited from its issuer, it is the relying party's responsibility
- to verify that the requested authority is compatible with all
- policies in the PC's certificate path. In other words, the relying
- party MUST verify that the following three conditions are all met:
-
- 1) The relying party MUST know how to interpret the proxy policy and
- the request is allowed under that policy.
-
- 2) If the Proxy Issuer is an EEC then the relying party's local
- policies MUST authorize the request for the entity named in the
- EEC.
-
- 3) If the Proxy Issuer is another PC, then one of the following MUST
- be true:
-
- a. The relying party's local policies authorize the Proxy Issuer
- to perform the request.
-
- b. The Proxy Issuer inherits the right to perform the request from
- its issuer by means of its proxy policy. This must be verified
- by verifying these three conditions on the Proxy Issuer in a
- recursive manner.
-
- If these conditions are not met, the relying party MUST either deny
- authorization, or ignore the PC and the whole certificate chain
- including the EEC entirely when making its authorization decision
- (i.e., make the same decision that it would have made had the PC and
- it's certificate chain never been presented).
-
- The relying party MAY impose additional restrictions as to which
- proxy certificates it accepts. For example, a relying party MAY
- choose to reject all proxy certificates, or MAY choose to accept
- proxy certificates only for certain operations, etc.
-
- Note that since a proxy certificate has a unique identity it MAY also
- have rights granted to it by means other than inheritance from it's
- issuer via its proxy policy. The rights granted to the bearer of a
- PC are the union of the rights granted to the PC identity and the
-
-
-
-Tuecke, et al. Standards Track [Page 16]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- inherited rights. The inherited rights consist of the intersection
- of the rights granted to the PI identity intersected with the proxy
- policy in the PC.
-
- For example, imagine that Steve is authorized to read and write files
- A and B on a file server, and that he uses his EEC to create a PC
- that includes the policy that it can be used only to read or write
- files A and C. Then a trusted attribute authority grants an
- Attribute Certificate granting the PC the right to read file D. This
- would make the rights of the PC equal to the union of the rights
- granted to the PC identity (right to read file D) with the
- intersection of the rights granted to Steve, the PI, (right to read
- files A and B) with the policy in the PC (can only read files A and
- C). This would mean the PC would have the following rights:
-
- * Right to read file A: Steve has this right and he issued the PC
- and his policy grants this right to the PC.
-
- * Right to read file D: This right is granted explicitly to the PC
- by a trusted authority.
-
- The PC would NOT have the following rights:
-
- * Right to read file B: Although Steve has this right, it is
- excluded by his policy on the PC.
-
- * Right to read file C: Although Steve's policy grants this right,
- he does not have this right himself.
-
- In many cases, the relying party will not have enough information to
- evaluate the above criteria at the time that the certificate path is
- validated. For example, if a certificate is used to authenticate a
- connection to some server, that certificate is typically validated
- during that authentication step, before any requests have been made
- of the server. In that case, the relying party MUST either have some
- authorization mechanism in place that will check the proxy policies,
- or reject any certificate that contains proxy policies (or that has a
- parent certificate that contains proxy policies).
-
-4. Proxy Certificate Path Validation
-
- Proxy Certification path processing verifies the binding between the
- proxy certificate distinguished name and proxy certificate public
- key. The binding is limited by constraints which are specified in
- the certificates which comprise the path and inputs which are
- specified by the relying party.
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 17]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- This section describes an algorithm for validating proxy
- certification paths. Conforming implementations of this
- specification are not required to implement this algorithm, but MUST
- provide functionality equivalent to the external behavior resulting
- from this procedure. Any algorithm may be used by a particular
- implementation so long as it derives the correct result.
-
- The algorithm presented in this section validates the proxy
- certificate with respect to the current date and time. A conformant
- implementation MAY also support validation with respect to some point
- in the past. Note that mechanisms are not available for validating a
- proxy certificate with respect to a time outside the certificate
- validity period.
-
- Valid paths begin with the end entity certificate (EEC) that has
- already been validated by public key certificate validation
- procedures in RFC 3280 [n2]. The algorithm requires the public key
- of the EEC and the EEC's subject distinguished name.
-
- To meet the goal of verifying the proxy certificate, the proxy
- certificate path validation process verifies, among other things,
- that a prospective certification path (a sequence of n certificates)
- satisfies the following conditions:
-
- (a) for all x in {1, ..., n-1}, the subject of certificate x is the
- issuer of proxy certificate x+1 and the subject distinguished
- name of certificate x+1 is a legal subject distinguished name to
- have been issued by certificate x;
-
- (b) certificate 1 is valid proxy certificate issued by the end entity
- certificate whose information is given as input to the proxy
- certificate path validation process;
-
- (c) certificate n is the proxy certificate to be validated;
-
- (d) for all x in {1, ..., n}, the certificate was valid at the time
- in question; and
-
- (e) for all certificates in the path with a pCPathLenConstraint
- field, the number of certificates in the path following that
- certificate does not exceed the length specified in that field.
-
- At this point there is no mechanism defined for revoking proxy
- certificates.
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 18]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-4.1. Basic Proxy Certificate Path Validation
-
- This section presents the algorithm in four basic steps to mirror the
- description of public key certificate path validation in RFC 3280:
- (1) initialization, (2) basic proxy certificate processing, (3)
- preparation for the next proxy certificate, and (4) wrap-up. Steps
- (1) and (4) are performed exactly once. Step (2) is performed for
- all proxy certificates in the path. Step (3) is performed for all
- proxy certificates in the path except the final proxy certificate.
-
- Certificate path validation as described in RFC 3280 MUST have been
- done prior to using this algorithm to validate the end entity
- certificate. This algorithm then processes the proxy certificate
- chain using the end entity certificate information produced by RFC
- 3280 path validation.
-
-4.1.1. Inputs
-
- This algorithm assumes the following inputs are provided to the path
- processing logic:
-
- (a) information about the entity certificate already verified using
- RFC 3280 path validation. This information includes:
-
- (1) the end entity name,
-
- (2) the working_public_key output from RFC 3280 path validation,
-
- (3) the working_public_key_algorithm output from RFC 3280,
-
- (4) and the working_public_key_parameters output from RFC 3280
- path validation.
-
- (b) prospective proxy certificate path of length n.
-
- (c) acceptable-pc-policy-language-set: A set of proxy certificate
- policy languages understood by the policy evaluation code. The
- acceptable-pc-policy-language-set MAY contain the special value
- id-ppl-anyLanguage (as defined in Appendix A) if the path
- validation code should not check the proxy certificate policy
- languages (typically because the set of known policy languages is
- not known yet and will be checked later in the authorization
- process).
-
- (d) the current date and time.
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 19]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-4.1.2. Initialization
-
- This initialization phase establishes the following state variables
- based upon the inputs:
-
- (a) working_public_key_algorithm: the digital signature algorithm
- used to verify the signature of a proxy certificate. The
- working_public_key_algorithm is initialized from the input
- information provided from RFC 3280 path validation.
-
- (b) working_public_key: the public key used to verify the signature
- of a proxy certificate. The working_public_key is initialized
- from the input information provided from RFC 3280 path
- validation.
-
- (c) working_public_key_parameters: parameters associated with the
- current public key, that may be required to verify a signature
- (depending upon the algorithm). The
- proxy_issuer_public_key_parameters variable is initialized from
- the input information provided from RFC 3280 path validation.
-
- (d) working_issuer_name: the issuer distinguished name expected in
- the next proxy certificate in the chain. The working_issuer_name
- is initialized to the distinguished name in the end entity
- certificate validated by RFC 3280 path validation.
-
- (e) max_path_length: this integer is initialized to n, is decremented
- for each proxy certificate in the path. This value may also be
- reduced by the pcPathLenConstraint value of any proxy certificate
- in the chain.
-
- (f) proxy_policy_list: this list is empty to start and will be filled
- in with the key usage extensions, extended key usage extensions
- and proxy policies in the chain.
-
- Upon completion of the initialization steps, perform the basic
- certificate processing steps specified in 4.1.3.
-
-4.1.3. Basic Proxy Certificate Processing
-
- The basic path processing actions to be performed for proxy
- certificate i (for all i in [1..n]) are listed below.
-
- (a) Verify the basic certificate information. The certificate MUST
- satisfy each of the following:
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 20]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- (1) The certificate was signed with the
- working_public_key_algorithm using the working_public_key and
- the working_public_key_parameters.
-
- (2) The certificate validity period includes the current time.
-
- (3) The certificate issuer name is the working_issuer_name.
-
- (4) The certificate subject name is the working_issuer_name with a
- CN component appended.
-
- (b) The proxy certificate MUST have a ProxyCertInfo extension.
- Process the extension as follows:
-
- (1) If the pCPathLenConstraint field is present in the
- ProxyCertInfo field and the value it contains is less than
- max_path_length, set max_path_length to its value.
-
- (2) If acceptable-pc-policy-language-set is not id-ppl-
- anyLanguage, the OID in the policyLanguage field MUST be
- present in acceptable-pc-policy-language-set.
-
- (c) The tuple containing the certificate subject name, policyPolicy,
- key usage extension (if present) and extended key usage extension
- (if present) must be appended to proxy_policy_list.
-
- (d) Process other certificate extensions, as described in [n2]:
-
- (1) Recognize and process any other critical extensions present in
- the proxy certificate.
-
- (2) Process any recognized non-critical extension present in the
- proxy certificate.
-
- If either step (a), (b) or (d) fails, the procedure terminates,
- returning a failure indication and an appropriate reason.
-
- If i is not equal to n, continue by performing the preparatory steps
- listed in 4.1.4. If i is equal to n, perform the wrap-up steps
- listed in 4.1.5.
-
-4.1.4. Preparation for next Proxy Certificate
-
- (a) Verify max_path_length is greater than zero and decrement
- max_path_length.
-
- (b) Assign the certificate subject name to working_issuer_name.
-
-
-
-
-Tuecke, et al. Standards Track [Page 21]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- (c) Assign the certificate subjectPublicKey to working_public_key.
-
- (d) If the subjectPublicKeyInfo field of the certificate contains an
- algorithm field with non-null parameters, assign the parameters
- to the working_public_key_parameters variable.
-
- If the subjectPublicKeyInfo field of the certificate contains an
- algorithm field with null parameters or parameters are omitted,
- compare the certificate subjectPublicKey algorithm to the
- working_public_key_algorithm. If the certificate
- subjectPublicKey algorithm and the working_public_key_algorithm
- are different, set the working_public_key_parameters to null.
-
- (e) Assign the certificate subjectPublicKey algorithm to the
- working_public_key_algorithm variable.
-
- (f) If a key usage extension is present, verify that the
- digitalSignature bit is set.
-
- If either check (a) or (f) fails, the procedure terminates, returning
- a failure indication and an appropriate reason.
-
- If (a) and (f) complete successfully, increment i and perform the
- basic certificate processing specified in 4.1.3.
-
-4.1.5. Wrap-up Procedures
-
- (a) Assign the certificate subject name to working_issuer_name.
-
- (b) Assign the certificate subjectPublicKey to working_public_key.
-
- (c) If the subjectPublicKeyInfo field of the certificate contains an
- algorithm field with non-null parameters, assign the parameters
- to the proxy_issuer_public_key_parameters variable.
-
- If the subjectPublicKeyInfo field of the certificate contains an
- algorithm field with null parameters or parameters are omitted,
- compare the certificate subjectPublicKey algorithm to the
- proxy_issuer_public_key_algorithm. If the certificate
- subjectPublicKey algorithm and the
- proxy_issuer_public_key_algorithm are different, set the
- proxy_issuer_public_key_parameters to null.
-
- (d) Assign the certificate subjectPublicKey algorithm to the
- proxy_issuer_public_key_algorithm variable.
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 22]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-4.1.6. Outputs
-
- If path processing succeeds, the procedure terminates, returning a
- success indication together with final value of the
- working_public_key, the working_public_key_algorithm, the
- working_public_key_parameters, and the proxy_policy_list.
-
-4.2. Using the Path Validation Algorithm
-
- Each Proxy Certificate contains a ProxyCertInfo extension, which
- always contains a policy language OID, and may also contain a policy
- OCTET STRING. These policies serve to indicate the desire of each
- issuer in the proxy certificate chain, starting with the EEC, to
- delegate some subset of their rights to the issued proxy certificate.
- This chain of policies is returned by the algorithm to the
- application.
-
- The application MAY make authorization decisions based on the subject
- distinguished name of the proxy certificate or on one of the proxy
- certificates in it's issuing chain or on the EEC that serves as the
- root of the chain. If an application chooses to use the subject
- distinguished name of a proxy certificate in the issuing chain or the
- EEC it MUST use the returned policies to restrict the rights it
- grants to the proxy certificate. If the application does not know
- how to parse any policy in the policy chain it MUST not use, for the
- purposes of making authorization decisions, the subject distinguished
- name of any certificate in the chain prior to the certificate in
- which the unrecognized policy appears.
-
- Application making authorization decisions based on the contents of
- the proxy certificate key usage or extended key usage extensions MUST
- examine the list of key usage, extended key usage and proxy policies
- resulting from proxy certificate path validation and determine the
- effective key usage functions of the proxy certificate as follows:
-
- * If a certificate is a proxy certificate with a proxy policy of
- id-ppl-independent or an end entity certificate, the effective key
- usage functions of that certificate is as defined by the key usage
- and extended key usage extensions in that certificate. The key
- usage functionality of the issuer has no bearing on the effective
- key usage functionality.
-
- * If a certificate is a proxy certificate with a policy other than
- id-ppl-independent, the effective key usage and extended key usage
- functionality of the proxy certificate is the intersection of the
- functionality of those extensions in the proxy certificate and the
- effective key usage functionality of the proxy issuer.
-
-
-
-
-Tuecke, et al. Standards Track [Page 23]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-5. Commentary
-
- This section provides non-normative commentary on Proxy Certificates.
-
-5.1. Relationship to Attribute Certificates
-
- An Attribute Certificate [i3] can be used to grant to one identity,
- the holder, some attribute such as a role, clearance level, or
- alternative identity such as "charging identity" or "audit identity".
- This is accomplished by way of a trusted Attribute Authority (AA),
- which issues signed Attribute Certificates (AC), each of which binds
- an identity to a particular set of attributes. Authorization
- decisions can then be made by combining information from the
- authenticated End Entity Certificate providing the identity, with the
- signed Attribute Certificates providing binding of that identity to
- attributes.
-
- There is clearly some overlap between the capabilities provided by
- Proxy Certificates and Attribute Certificates. However, the
- combination of the two approaches together provides a broader
- spectrum of solutions to authorization in X.509 based systems, than
- either solution alone. This section seeks to clarify some of the
- overlaps, differences, and synergies between Proxy Certificate and
- Attribute Certificates.
-
-5.1.1. Types of Attribute Authorities
-
- For the purposes of this discussion, Attribute Authorities, and the
- uses of the Attribute Certificates that they produce, can be broken
- down into two broad classes:
-
- 1) End entity AA: An End Entity Certificate may be used to sign an
- AC. This can be used, for example, to allow an end entity to
- delegate some of its privileges to another entity.
-
- 2) Third party AA: A separate entity, aside from the end entity
- involved in an authenticated interaction, may sign ACs in order to
- bind the authenticated identity with additional attributes, such
- as role, group, etc. For example, when a client authenticates
- with a server, the third party AA may provide an AC that binds the
- client identity to a particular group, which the server then uses
- for authorization purposes.
-
- This second type of Attribute Authority, the third party AA, works
- equally well with an EEC or a PC. For example, unrestricted Proxy
- Certificates can be used to delegate the EEC's identity to various
- other parties. Then when one of those other parties uses the PC to
- authenticate with a service, that service will receive the EEC's
-
-
-
-Tuecke, et al. Standards Track [Page 24]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- identity via the PC, and can apply any ACs that bind that identity to
- attributes in order to determine authorization rights. Additionally
- PC with policies could be used to selectively deny the binding of ACs
- to a particular proxy. An AC could also be bound to a particular PC
- using the subject or issuer and serial number of the proxy
- certificate. There would appear to be great synergies between the
- use of Proxy Certificates and Attribute Certificates produced by
- third party Attribute Authorities.
-
- However, the uses of Attribute Certificates that are granted by the
- first type of Attribute Authority, the end entity AA, overlap
- considerably with the uses of Proxy Certificates as described in the
- previous sections. Such Attribute Certificates are generally used
- for delegation of rights from one end entity to others, which clearly
- overlaps with the stated purpose of Proxy Certificates, namely single
- sign-on and delegation.
-
-5.1.2. Delegation Using Attribute Certificates
-
- In the motivating example in Section 2, PCs are used to delegate
- Steve's identity to the various other jobs and entities that need to
- act on Steve's behalf. This allows those other entities to
- authenticate as if they were Steve, for example to the mass storage
- system.
-
- A solution to this example could also be cast using Attribute
- Certificates that are signed by Steve's EEC, which grant to the other
- entities in this example the right to perform various operations on
- Steve's behalf. In this example, the reliable file transfer service
- and all the hosts involved in file transfers, the starter program,
- the agent, the simulation jobs, and the post-processing job would
- each have their own EECs. Steve's EEC would therefore issue ACs to
- bind each of those other EEC identities to attributes that grant the
- necessary privileges allow them to, for example, access the mass
- storage system.
-
- However, this AC based solution to delegation has some disadvantages
- as compared to the PC based solution:
-
- * All protocols, authentication code, and identity based
- authorization services must be modified to understand ACs. With
- the PC solution, protocols (e.g., TLS) likely need no
- modification, authentication code needs minimal modification
- (e.g., to perform PC aware path validation), and identity based
- authorization services need minimal modification (e.g., possibly
- to find the EEC name and to check for any proxy policies).
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 25]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- * ACs need to be created by Steve's EEC, which bind attributes to
- each of the other identities involved in the distributed
- application (i.e., the agent, simulation jobs, and post-processing
- job the file transfer service, the hosts transferring files).
- This implies that Steve must know in advance which other
- identities may be involved in this distributed application, in
- order to generate the appropriate ACs which are signed by Steve's
- ECC. On the other hand, the PC solution allows for much more
- flexibility, since parties can further delegate a PC without a
- priori knowledge by the originating EEC.
-
- There are many unexplored tradeoffs and implications in this
- discussion of delegation. However, reasonable arguments can be made
- in favor of either an AC based solution to delegation or a PC based
- solution to delegation. The choice of which approach should be taken
- in a given instance may depend on factors such as the software that
- it needs to be integrated into, the type of delegation required, and
- other factors.
-
-5.1.3. Propagation of Authorization Information
-
- One possible use of Proxy Certificates is to carry authorization
- information associated with a particular identity.
-
- The merits of placing authorization information into End Entity
- Certificates (also called a Public Key Certificate or PKC) have been
- widely debated. For example, Section 1 of "An Internet Attribute
- Certificate Profile for Authorization" [i3] states:
-
- "Authorization information may be placed in a PKC extension or
- placed in a separate attribute certificate (AC). The placement of
- authorization information in PKCs is usually undesirable for two
- reasons. First, authorization information often does not have the
- same lifetime as the binding of the identity and the public key.
- When authorization information is placed in a PKC extension, the
- general result is the shortening of the PKC useful lifetime.
- Second, the PKC issuer is not usually authoritative for the
- authorization information. This results in additional steps for
- the PKC issuer to obtain authorization information from the
- authoritative source.
-
- For these reasons, it is often better to separate authorization
- information from the PKC. Yet, authorization information also
- needs to be bound to an identity. An AC provides this binding; it
- is simply a digitally signed (or certified) identity and set of
- attributes."
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 26]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- Placing authorization information in a PC mitigates the first
- undesirable property cited above. Since a PC has a lifetime that is
- mostly independent of (always shorter than) its signing EEC, a PC
- becomes a viable approach for carrying authorization information for
- the purpose of delegation.
-
- The second undesirable property cited above is true. If a third
- party AA is authoritative, then using ACs issued by that third party
- AA is a natural approach to disseminating authorization information.
- However, this is true whether the identity being bound by these ACs
- comes from an EEC (PKC), or from a PC.
-
- There is one case, however, that the above text does not consider.
- When performing delegation, it is usually the EEC itself that is
- authoritative (not the EEC issuer, or any third party AA). That is,
- it is up to the EEC to decide what authorization rights it is willing
- to grant to another party. In this situation, including such
- authorization information into PCs that are generated by the EEC
- seems a reasonable approach to disseminating such information.
-
-5.1.4. Proxy Certificate as Attribute Certificate Holder
-
- In a system that employs both PCs and ACs, one can imagine the
- utility of allowing a PC to be the holder of an AC. This would allow
- for a particular delegated instance of an identity to be given an
- attribute, rather than all delegated instances of that identity being
- given the attribute.
-
- However, the issue of how to specify a PC as the holder of an AC
- remains open. An AC could be bound to a particular instance of a PC
- using the unique subject name of the PC, or it's issuer and serial
- number combination.
-
- Unrestricted PCs issued by that PC would then inherit those ACs and
- independent PCs would not. PCs issued with a policy would depend on
- the policy as to whether or not they inherit the issuing PC's ACs
- (and potentially which ACs they inherit).
-
- While an AC can be bound to one PC by the AA, how can the AA restrict
- that PC from passing it on to a subsequently delegated PC? One
- possible solution would be to define an extension to attribute
- certificates that allows the attribute authority to state whether an
- issued AC is to apply only to the particular entity to which it is
- bound, or if it may apply to PCs issued by that entity.
-
- One issue that an AA in this circumstance would need to be aware of
- is that the PI of the PC that the AA bound the AC to, could issue
- another PC with the same name as the original PC to a different
-
-
-
-Tuecke, et al. Standards Track [Page 27]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- entity, effectively stealing the AC. This implies that an AA issuing
- an AC to a PC need to not only trust the entity holding the PC, but
- the entity holding the PC's issuer as well.
-
-5.2. Kerberos 5 Tickets
-
- The Kerberos Network Authentication Protocol (RFC 1510 [i6]) is a
- widely used authentication system based on conventional (shared
- secret key) cryptography. It provides support for single sign-on via
- creation of "Ticket Granting Tickets" or "TGT", and support for
- delegation of rights via "forwardable tickets".
-
- Kerberos 5 tickets have informed many of the ideas surrounding X.509
- Proxy Certificates. For example, the local creation of a short-lived
- PC can be used to provide single sign-on in an X.509 PKI based
- system, just as creation of short-lived TGT allows for single sign-on
- in a Kerberos based system. And just as a TGT can be forwarded
- (i.e., delegated) to another entity to allow for proxying in a
- Kerberos based system, so can a PC can be delegated to allow for
- proxying in an X.509 PKI based system.
-
- A major difference between a Kerberos TGT and an X.509 PC is that
- while creation and delegation of a TGT requires the involvement of a
- third party (Key Distribution Center), a PC can be unilaterally
- created without the active involvement of a third party. That is, a
- user can directly create a PC from an EEC for single sign-on
- capability, without requiring communication with a third party. And
- an entity with a PC can delegate the PC to another entity (i.e., by
- creating a new PC, signed by the first) without requiring
- communication with a third party.
-
- The method used by Kerberos implementations to protect a TGT can also
- be used to protect the private key of a PC. For example, some Unix
- implementations of Kerberos use standard Unix file system security to
- protect a user's TGT from compromise. Similarly, the Globus
- Toolkit's Grid Security Infrastructure implementation of Proxy
- Certificates protects a user's PC private key using this same
- approach.
-
-5.3. Examples of usage of Proxy Restrictions
-
- This section gives some examples of Proxy Certificate usage and some
- examples of how the Proxy policy can be used to restrict Proxy
- Certificates.
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 28]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-5.3.1. Example use of proxies without Restrictions
-
- Steve wishes to perform a third-party FTP transfer between two FTP
- servers. Steve would use an existing PC to authenticate to both
- servers and delegate a PC to both hosts. He would inform each host
- of the unique subject name of the PC given to the other host. When
- the servers establish the data channel connection to each other, they
- use these delegated credentials to perform authentication and verify
- they are talking to the correct entity by checking the result of the
- authentication matches the name as provided by Steve.
-
-5.3.2. Example use of proxies with Restrictions
-
- Steve wishes to delegate to a process the right to perform a transfer
- of a file from host H1 to host H2 on his behalf. Steve would
- delegate a PC to the process and he would use Proxy Policy to
- restrict the delegated PC to two rights - the right to read file F1
- on host H1 and the right to write file F2 on host H2.
-
- The process then uses this restricted PC to authenticate to servers
- H1 and H2. The process would also delegate a PC to both servers.
- Note that these delegated PCs would inherit the restrictions of their
- parents, though this is not relevant to this example. As in the
- example in the previous Section, each host would be provided with the
- unique name of the PC given to the other server.
-
- Now when the process issues the command to transfer the file F1 on H1
- and to F2 on H2, these two servers perform an authorization check
- based on the restrictions in the PC that the process used to
- authenticate with them (in addition to any local policy they have).
- Namely H1 checks that the PC gives the user the right to read F1 and
- H2 checks that the PC gives the user the right to write F2. When
- setting up the data channel the servers would again verify the names
- resulting from the authentication match the names provided by Steve
- as in the example in the previous Section.
-
- The extra security provided by these restrictions is that now if the
- PC delegated to the process by Steve is stolen, its use is greatly
- limited.
-
-5.4. Delegation Tracing
-
- A relying party accepting a Proxy Certificate may have an interest in
- knowing which parties issued earlier Proxy Certificates in the
- certificate chain and to whom they delegated them. For example it
- may know that a particular service or resource is known to have been
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 29]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- compromised and if any part of a Proxy Certificate's chain was issued
- to the compromised service a relying party may wish to disregard the
- chain.
-
- A delegation tracing mechanism was considered by the authors as
- additional information to be carried in the ProxyCertInfo extension.
- However at this time agreement has not been reached as to what this
- information should include so it was left out of this document, and
- will instead be considered in future revisions. The debate mainly
- centers on whether the tracing information should simply contain the
- identity of the issuer and receiver or it should also contain all the
- details of the delegated proxy and a signed statement from the
- receiver that the proxy was actually acceptable to it.
-
-5.4.1. Site Information in Delegation Tracing
-
- In some cases, it may be desirable to know the hosts involved in a
- delegation transaction (for example, a relying party may wish to
- reject proxy certificates that were created on a specific host or
- domain). An extension could be modified to include the PA's and
- Acceptor's IP addresses; however, IP addresses are typically easy to
- spoof, and in some cases the two parties to a transaction may not
- agree on the IP addresses being used (e.g., if the Acceptor is on a
- host that uses NAT, the Acceptor and the PA may disagree about the
- Acceptor's IP address).
-
- Another suggestion was, in those cases where domain information is
- needed, to require that the subject names of all End Entities
- involved (the Acceptor(s) and the End Entity that appears in a PC's
- certificate path) include domain information.
-
-6. Security Considerations
-
- In this Section we discuss security considerations related to the use
- of Proxy Certificates.
-
-6.1. Compromise of a Proxy Certificate
-
- A Proxy Certificate is generally less secure than the EEC that issued
- it. This is due to the fact that the private key of a PC is
- generally not protected as rigorously as that of the EEC. For
- example, the private key of a PC is often protected using only file
- system security, in order to allow that PC to be used for single
- sign-on purposes. This makes the PC more susceptible to compromise.
-
- However, the risk of a compromised PC is only the misuse of a single
- user's privileges. Due to the PC path validation checks, a PC cannot
- be used to sign an EEC or PC for another user.
-
-
-
-Tuecke, et al. Standards Track [Page 30]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- Further, a compromised PC can only be misused for the lifetime of the
- PC, and within the bound of the restriction policy carried by the PC.
- Therefore, one common way to limit the misuse of a compromised PC is
- to limit its validity period to no longer than is needed, and/or to
- include a restriction policy in the PC that limits the use of the
- (compromised) PC.
-
- In addition, if a PC is compromised, it does NOT compromise the EEC
- that created the PC. This property is of great utility in protecting
- the highly valuable, and hard to replace, public key of the EEC. In
- other words, the use of Proxy Certificates to provide single sign-on
- capabilities in an X.509 PKI environment can actually increase the
- security of the end entity certificates, because creation and use of
- the PCs for user authentication limits the exposure of the EEC
- private key to only the creation of the first level PC.
-
-6.2. Restricting Proxy Certificates
-
- The pCPathLenConstraint field of the proxyCertInfo extension can be
- used by an EEC to limit subsequent delegation of the PC. A service
- may choose to only authorize a request if a valid PC can be delegated
- to it. An example of such as service is a job starter, which may
- choose to reject a job start request if a valid PC cannot be
- delegated to it. By limiting the pCPathLenConstraint, an EEC can
- ensure that a compromised PC of one job cannot be used to start
- additional jobs elsewhere.
-
- An EEC or PC can limit what a new PC can be used for by turning off
- bits in the Key Usage and Extended Key Usage extensions. Once a key
- usage or extended key usage has been removed, the path validation
- algorithm ensures that it cannot be added back in a subsequent PC.
- In other words, key usage can only be decreased in PC chains.
-
- The EEC could use the CRL Distribution Points extension and/or OCSP
- to take on the responsibility of revoking PCs that it had issued, if
- it felt that they were being misused.
-
-6.3. Relying Party Trust of Proxy Certificates
-
- The relying party that is going to authorize some actions on the
- basis of a PC will be aware that it has been presented with a PC, and
- can determine the depth of the delegation and the time that the
- delegation took place. It may want to use this information in
- addition to the information from the signing EEC. Thus a highly
- secure resource might refuse to accept a PC at all, or maybe only a
- single level of delegation, etc.
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 31]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- The relying party should also be aware that since the policy
- restricting the rights of a PC is the intersection of the policy of
- all the PCs in it's certificate chain, this means any change in the
- certificate chain can effect the policy of the PC. Since there is no
- mechanism in place to enforce unique subject names of PCs, if an
- issuer were to issue two PCs with identical names and keys, but
- different rights, this could allow the two PCs to be substituted for
- each other in path validation and effect the rights of a PC down the
- chain. Ultimately, this means the relying party places trust in the
- entities that are acting as Proxy Issuers in the chain to behave
- properly.
-
-6.4. Protecting Against Denial of Service with Key Generation
-
- As discussed in Section 2.3, one of the motivations for Proxy
- Certificates is to allow for dynamic delegation between parties. This
- delegation potentially requires, by the party receiving the
- delegation, the generation of a new key pair which is a potentially
- computationally expensive operation. Care should be taken by such
- parties to prevent another entity from performing a denial of service
- attack by causing them to consume large amount of resource doing key
- generation.
-
- A general guideline would always to perform authentication of the
- delegating party to prevent such attacks from being performed
- anonymously. Another guideline would be to maintain some state to
- detect and prevent such attacks.
-
-6.5. Use of Proxy Certificates with a Central Repository
-
- As discussed in Section 2.7, one potential use of Proxy Certificates
- is to ease certificate management for end users by storing the EEC
- private keys and certificates in a centrally managed repository.
- When a user needs a PKI credential, the user can login to the
- repository using name/password, one time password, etc. and the
- repository would then delegate a PC to the user with proxy rights,
- but continue to protect the EEC private key in the repository.
-
- Care must be taken with this approach since compromise of the
- repository will potentially give the attacker access to the long-term
- private keys stored in the repository. It is strongly suggested that
- some form of hardware module be used to store the long-term private
- keys, which will serve to help prevent their direct threat though it
- may still allow a successful attacker to use the keys while the
- repository is compromised to sign arbitrary objects (including Proxy
- Certificates).
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 32]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-7. IANA Considerations
-
- IANA has established a registry for policy languages. Registration
- under IETF space is by IETF standards action as described in [i8].
- Private policy languages should be under organizational OIDs; policy
- language authors are encouraged to list such languages in the IANA
- registry, along with a pointer to a specification.
-
- OID Description
- --- -----------
- 1.3.6.1.5.5.7.21.1 id-ppl-inheritALL
- 1.3.6.1.5.5.7.21.2 id-ppl-independent
-
-8. References
-
-8.1. Normative References
-
- [n1] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [n2] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509
- Public Key Infrastructure Certificate and Certificate
- Revocation List (CRL) Profile", RFC 3280, April 2002.
-
-8.2. Informative References
-
- [i1] Butler, R., Engert, D., Foster, I., Kesselman, C., and S.
- Tuecke, "A National-Scale Authentication Infrastructure",
- IEEE Computer, vol. 33, pp. 60-66, 2000.
-
- [i2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
- 2246, January 1999.
-
- [i3] Farrell, S. and R. Housley, "An Internet Attribute
- Certificate Profile for Authorization", RFC 3281, April 2002.
-
- [i4] Foster, I., Kesselman, C., Tsudik, G., and S. Tuecke, "A
- Security Architecture for Computational Grids", presented at
- Proceedings of the 5th ACM Conference on Computer and
- Communications Security, 1998.
-
- [i5] Foster, I., Kesselman, C., and S. Tuecke, "The Anatomy of the
- Grid: Enabling Scalable Virtual Organizations", International
- Journal of Supercomputer Applications, 2001.
-
- [i6] Kohl, J. and C. Neuman, "The Kerberos Network Authentication
- Service (V5)", RFC 1510, September 1993.
-
-
-
-
-Tuecke, et al. Standards Track [Page 33]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
- [i7] Neuman, B. Clifford, "Proxy-Based Authorization and
- Accounting for Distributed Systems", In Proceedings of the
- 13th International Conference on Distributed Computing
- Systems, pages 283-291, May 1993.
-
- [i8] Narten, T. and H. Alvestrand. "Guidelines for Writing an IANA
- Considerations Section in RFC", RFC 2434, October 1998.
-
-9. Acknowledgments
-
- We are pleased to acknowledge significant contributions to this
- document by David Chadwick, Ian Foster, Jarek Gawor, Carl Kesselman,
- Sam Meder, Jim Schaad, and Frank Siebenlist.
-
- We are grateful to numerous colleagues for discussions on the topics
- covered in this paper, in particular (in alphabetical order, with
- apologies to anybody we've missed): Carlisle Adams, Joe Bester, Randy
- Butler, Keith Jackson, Steve Hanna, Russ Housley, Stephen Kent, Bill
- Johnston, Marty Humphrey, Sam Lang, Ellen McDermott, Clifford Neuman,
- Gene Tsudik.
-
- We are also grateful to members of the Global Grid Forum (GGF) Grid
- Security Infrastructure working group (GSI-WG), and the Internet
- Engineering Task Force (IETF) Public-Key Infrastructure (X.509)
- working group (PKIX) for feedback on this document.
-
- This work was supported in part by the Mathematical, Information, and
- Computational Sciences Division subprogram of the Office of Advanced
- Scientific Computing Research, U.S. Department of Energy, under
- Contract W-31-109-Eng-38 and DE-AC03-76SF0098; by the Defense
- Advanced Research Projects Agency under contract N66001-96-C-8523; by
- the National Science Foundation; and by the NASA Information Power
- Grid project.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 34]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-Appendix A. 1988 ASN.1 Module
-
- PKIXproxy88 { iso(1) identified-organization(3) dod(6)
- internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
- proxy-cert-extns(25) }
-
- DEFINITIONS EXPLICIT TAGS ::=
-
- BEGIN
-
- -- EXPORTS ALL --
-
- -- IMPORTS NONE --
-
- -- PKIX specific OIDs
-
- id-pkix OBJECT IDENTIFIER ::=
- { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
-
- -- private certificate extensions
- id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
-
- -- Locally defined OIDs
-
- -- The proxy certificate extension
- id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pe 14 }
-
- -- Proxy certificate policy languages
- id-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }
-
- -- Proxy certificate policies languages defined in
- id-ppl-anyLanguage OBJECT IDENTIFIER ::= { id-ppl 0 }
- id-ppl-inheritAll OBJECT IDENTIFIER ::= { id-ppl 1 }
- id-ppl-independent OBJECT IDENTIFIER ::= { id-ppl 2 }
-
- -- The ProxyCertInfo Extension
- ProxyCertInfoExtension ::= SEQUENCE {
- pCPathLenConstraint ProxyCertPathLengthConstraint
- OPTIONAL,
- proxyPolicy ProxyPolicy }
-
- ProxyCertPathLengthConstraint ::= INTEGER
- ProxyPolicy ::= SEQUENCE {
- policyLanguage OBJECT IDENTIFIER,
- policy OCTET STRING OPTIONAL }
-
- END
-
-
-
-Tuecke, et al. Standards Track [Page 35]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-Authors' Addresses
-
- Steven Tuecke
- Distributed Systems Laboratory
- Mathematics and Computer Science Division
- Argonne National Laboratory
- Argonne, IL 60439
-
- Phone: 630-252-8711
- EMail: tuecke@mcs.anl.gov
-
-
- Von Welch
- National Center for Supercomputing Applications
- University of Illinois
-
- EMail: vwelch@ncsa.uiuc.edu
-
-
- Doug Engert
- Argonne National Laboratory
-
- EMail: deengert@anl.gov
-
-
- Laura Pearlman
- University of Southern California, Information Sciences Institute
-
- EMail: laura@isi.edu
-
-
- Mary Thompson
- Lawrence Berkeley National Laboratory
-
- EMail: mrthompson@lbl.gov
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 36]
-
-RFC 3820 X.509 Proxy Certificate Profile June 2004
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-Tuecke, et al. Standards Track [Page 37]
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 18:54:35 +0000