rfc9763.original.xml   rfc9763.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<rfc <!DOCTYPE rfc [
xmlns:xi="http://www.w3.org/2001/XInclude" <!ENTITY nbsp "&#160;">
category="std" <!ENTITY zwsp "&#8203;">
docName="draft-ietf-lamps-cert-binding-for-multi-auth-06" <!ENTITY nbhy "&#8209;">
ipr="trust200902" <!ENTITY wj "&#8288;">
obsoletes="" ]>
updates=""
submissionType="IETF"
xml:lang="en"
tocInclude="true"
tocDepth="4"
symRefs="true"
sortRefs="true"
version="3"
consensus="true">
<front> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ie tf-lamps-cert-binding-for-multi-auth-06" number="9763" ipr="trust200902" obsolet es="" updates="" submissionType="IETF" xml:lang="en" tocInclude="true" tocDepth= "4" symRefs="true" sortRefs="true" version="3" consensus="true">
<title abbrev="Related Certificates">Related Certificates for Use in Multiple <front>
Authentications within a Protocol</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cert-binding-for-m <!--[rfced] May we update the short title that spans the header of the
ulti-auth-06"/> PDF file to more closely match the document title as shown below?
Original:
Related Certificates
Perhaps:
Related Certificates for Protocol Authentications
-->
<title abbrev="Related Certificates">Related Certificates for Use in
Multiple Authentications within a Protocol</title>
<seriesInfo name="RFC" value="9763"/>
<author fullname="Alison Becker" initials="A." surname="Becker"> <author fullname="Alison Becker" initials="A." surname="Becker">
<organization abbrev="NSA">National Security Agency</organization> <organization abbrev="NSA">National Security Agency</organization>
<address> <address>
<email>aebecke@uwe.nsa.gov</email> <email>aebecke@uwe.nsa.gov</email>
</address> </address>
</author> </author>
<author fullname="Rebecca Guthrie" initials="R." surname="Guthrie"> <author fullname="Rebecca Guthrie" initials="R." surname="Guthrie">
<organization abbrev="NSA">National Security Agency</organization> <organization abbrev="NSA">National Security Agency</organization>
skipping to change at line 45 skipping to change at line 49
</address> </address>
</author> </author>
<author fullname="Michael Jenkins" initials="M." surname="Jenkins"> <author fullname="Michael Jenkins" initials="M." surname="Jenkins">
<organization abbrev="NSA">National Security Agency</organization> <organization abbrev="NSA">National Security Agency</organization>
<address> <address>
<email>mjjenki@cyber.nsa.gov</email> <email>mjjenki@cyber.nsa.gov</email>
</address> </address>
</author> </author>
<date year="2024"/> <date year="2025" month="March"/>
<area>SEC</area>
<workgroup>lamps</workgroup>
<!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search. -->
<abstract> <abstract>
<t>This document defines a new CSR attribute, relatedCertRequest, and a ne w X.509 certificate extension, RelatedCertificate. The use of the relatedCertReq uest attribute in a CSR and the inclusion of the RelatedCertificate extension in the resulting certificate together provide additional assurance that two certif icates each belong to the same end entity. This mechanism is particularly useful in the context of non-composite hybrid authentication, which enables users to e mploy the same certificates in hybrid authentication as in authentication done w ith only traditional or post-quantum algorithms. <t>This document defines a new Certificate Signing Request (CSR) attribute , relatedCertRequest, and a new X.509 certificate extension, RelatedCertificate. The use of the relatedCertRequest attribute in a CSR and the inclusion of the R elatedCertificate extension in the resulting certificate together provide additi onal assurance that two certificates each belong to the same end entity. This me chanism is particularly useful in the context of non-composite hybrid authentica tion, which enables users to employ the same certificates in hybrid authenticati on as in authentication done with only traditional or post-quantum algorithms.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>Introduction</name> <name>Introduction</name>
<t>The goal of this document is to define a method for providing assurance that two X.509 (aka PKIX) end-entity certificates are owned by the same entity, in order to perform multiple authentications where each certificate corresponds to a distinct digital signature. This method aims to facilitate the use of two certificates for authentication in a secure protocol while minimizing changes to the certificate format <xref target="RFC5280" format="default"/> and to current PKI best practices. <t>The goal of this document is to define a method for providing assurance that two X.509 (aka PKIX) end-entity certificates are owned by the same entity, in order to perform multiple authentications where each certificate corresponds to a distinct digital signature. This method aims to facilitate the use of two certificates for authentication in a secure protocol while minimizing changes to the certificate format <xref target="RFC5280" format="default"/> and to current PKI best practices.
</t> </t>
<t>When using non-composite hybrid public key mechanisms, the party relyin g on a certificate (an authentication verifier or a key-establishment initiator) will want assurance that the private keys associated with each certificate are under the control of the same entity. This document defines a certificate exten sion, RelatedCertificate, that signals that the certificate containing the exten sion is able to be used in combination with the other specified certificate. <t>When using non-composite hybrid public key mechanisms, the party relyin g on a certificate (an authentication verifier or a key-establishment initiator) will want assurance that the private keys associated with each certificate are under the control of the same entity. This document defines a certificate exten sion, RelatedCertificate, that signals that the certificate containing the exten sion is able to be used in combination with the other specified certificate.
</t> </t>
<t>A certification authority (CA) organization (defined here as the entity
or organization that runs a CA and determines the policies and tools the CA wil <t>A certification authority (CA) organization (defined here as the entity
l use) that is asked to issue a certificate with such an extension may want assu or organization that runs a CA and determines the policies and tools the CA wil
rance from a registration authority (RA) that the private keys (for example, cor l use) that is asked to issue a certificate with such an extension may want assu
responding to two public keys: one in an extant certificate, and one in a curren rance from a registration authority (RA) that the private keys (corresponding to
t request) belong to the same entity. To facilitate this, a CSR attribute is def , for example, two public keys: one in an extant certificate and one in a curren
ined, called relatedCertRequest, that permits an RA to make such an assertion. t request) belong to the same entity. To facilitate this, a CSR attribute, calle
d relatedCertRequest, is defined to permit an RA to make such an assertion.
</t> </t>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>Overview</name> <name>Overview</name>
<t> The general roadmap of this design is best illustrated via an entity ( device, service, user token, etc.) that has an existing certificate (Cert A) and requests a new certificate (Cert B), perhaps as part of an organization's trans ition strategy to migrate their PKI from traditional cryptography to PQC. <t> The general roadmap of this design is best illustrated via an entity ( a device, service, user token, etc.) that has an existing certificate (Cert A) a nd requests a new certificate (Cert B), perhaps as part of an organization's tra nsition strategy to migrate their PKI from traditional cryptography to post-quan tum cryptography (PQC).
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li> For protocols where authentication is not negotiated, and rather is limited by what the signer offers, such as in CMS and S/MIME, either C ert A's signing key, Cert B's signing key, or both signing keys may be invoked, according to which validators the signer anticipates. <li> For protocols where authentication is not negotiated and i s rather limited by what the signer offers, such as in Cryptographic Message Syn tax (CMS) and S/MIME, either Cert A's signing key, Cert B's signing key, or both signing keys may be invoked, according to which validators the signer anticipat es.
</li> </li>
<li> For protocols where authentication is negotiated in-protoc ol, such as TLS and IKEv2, either Cert A or Cert B's signing key may be invoked, according to the preference of the validator. If the protocol is enabled to do so, peers may request that both Cert A and Cert B are used for authentication. <li> For protocols where authentication is negotiated in-protoc ol, such as TLS and Internet Key Exchange Protocol Version 2 (IKEv2), either Cer t A or Cert B's signing key may be invoked, according to the preference of the v alidator. If the protocol is enabled to do so, peers may request that both Cert A and Cert B are used for authentication.
</li> </li>
</ul> </ul>
<t> A validator that prefers multiple authentication types may be assis ted by the inclusion of relevant information in the signer's certificate, that i s, information that indicates the existence of a related certificate, and some a ssurance that those certificates have been issued to the same entity. This docum ent describes a certificate request attribute and certificate extension that pro vide such assurance.</t> <t> A validator that prefers multiple authentication types may be assis ted by the inclusion of relevant information in the signer's certificate, that i s, information that indicates the existence of a related certificate, and some a ssurance that those certificates have been issued to the same entity. This docum ent describes a certificate request attribute and certificate extension that pro vide such assurance.</t>
<t> <t>
To support this concept, this document defines a new CSR attribute, rel atedCertRequest, which contains information on how to locate a previously-issued certificate (Cert A) and provides evidence that the requesting entity owns that certificate. When the RA makes the request to the CA, the CA uses the given inf ormation to locate Cert A, and then verifies ownership before generating the new certificate, Cert B. To support this concept, this document defines a new CSR attribute, rel atedCertRequest, which contains information on how to locate a previously issued certificate (Cert A) and provides evidence that the requesting entity owns that certificate. When the RA makes the request to the CA, the CA uses the given inf ormation to locate Cert A and then verifies ownership before generating the new certificate, Cert B.
</t> </t>
</section> </section>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>Requirements Language</name> <name>Requirements Language</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SH <t>
OULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are t The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
o be interpreted as described in <xref target="RFC2119" format="default"/>. IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
</t> NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>CSR and Related Certificates</name> <name>CSR and Related Certificates</name>
<section numbered="true" toc="default"> <section numbered="true" toc="default" anchor="related-cert-request">
<name>The relatedCertRequest Attribute</name> <name>The relatedCertRequest Attribute</name>
<t>This section defines a new CSR attribute designed to allow the <t>This section defines a new CSR attribute designed to allow the RA
RA to attest that the owner of the public key in the CSR also owns the public k to attest that the owner of the public key in the CSR also owns the
ey associated with the end-entity certificate identified in this attribute. The public key associated with the end-entity certificate identified in
relatedCertRequest attribute indicates the location of a previously issued certi this attribute. The relatedCertRequest attribute indicates the
ficate that the end-entity owns and wants identified in the new certificate requ location of a previously issued certificate that the end entity owns
ested through the CSR. and wants identified in the new certificate requested through the
</t> CSR.</t>
<t>The relatedCertRequest attribute has the following syntax: <t>The relatedCertRequest attribute has the following syntax:</t>
</t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <sourcecode type=""><![CDATA[
relatedCertRequest ATTRIBUTE ::= { relatedCertRequest ATTRIBUTE ::= {
WITH SYNTAX RequesterCertificate WITH SYNTAX RequesterCertificate
ID { TBD1 } ID { 60 }
} }
RequesterCertificate ::= SEQUENCE { RequesterCertificate ::= SEQUENCE {
certID IssuerAndSerialNumber, certID IssuerAndSerialNumber,
requestTime BinaryTime, requestTime BinaryTime,
locationInfo UniformResourceIdentifier, locationInfo UniformResourceIdentifier,
signature BIT STRING } signature BIT STRING }
]]></sourcecode>
]]></artwork> <t>The RequesterCertificate type has four fields:</t>
<ul spacing="normal">
<t>The RequesterCertificate type has four fields: <li><t>The certID field uses the IssuerAndSerialNumber type <xref
</t> target="RFC5652" format="default"/> to identify a previously issued
<ul spacing="normal"> end-entity certificate that the requesting entity also
<li>The certID field uses the IssuerAndSerialNumber type <xref owns. IssuerAndSerialNumber is repeated here for convenience:</t>
target="RFC5652" format="default"/> to identify a previously issued end-entity c
ertificate that the requesting entity also owns. IssuerAndSerialNumber is repeat
ed here for convenience: </li>
</ul>
<artwork name="" type="" align="left" alt=""><![CDATA[ <sourcecode type=""><![CDATA[
IssuerAndSerialNumber ::= SEQUENCE { IssuerAndSerialNumber ::= SEQUENCE {
issuer Name, issuer Name,
serialNumber CertificateSerialNumber } serialNumber CertificateSerialNumber }
CertificateSerialNumber ::= INTEGER CertificateSerialNumber ::= INTEGER
]]></artwork> ]]></sourcecode>
</li>
<ul spacing="normal"> <li><t>The requestTime field uses the BinaryTime type <xref
<li>The requestTime field uses the BinaryTime type <xref target target="RFC6019" format="default"/> in order to ensure freshness,
="RFC6019" format="default"/> in order to ensure freshness, such that the signed such that the signed data can only be used at the time of the
data can only be used at the time of the initial CSR. The means by which the CA initial CSR. The means by which the CA and RA synchronize time is
and RA synchronize time is outside the scope of this document. BinaryTime is re outside the scope of this document. BinaryTime is repeated here for
peated here for convenience: </li> convenience: </t>
</ul>
<artwork name="" type="" align="left" alt=""><![CDATA[ <sourcecode type=""><![CDATA[
BinaryTime ::= INTEGER (0..MAX) BinaryTime ::= INTEGER (0..MAX)
]]></artwork> ]]></sourcecode>
<ul spacing="normal"> </li>
<li>The locationInfo field uses UniformResourceIdentifier to pr <li><t>The locationInfo field uses UniformResourceIdentifier to
ovide information on the location of the other certificate the requesting entity provide information on the location of the other certificate the
owns. We define UniformResourceIdentifier as: </li> requesting entity owns. We define UniformResourceIdentifier as:</t>
</ul>
<artwork name="" type="" align="left" alt=""><![CDATA[ <sourcecode type=""><![CDATA[
UniformResourceIdentifier ::= IA5String UniformResourceIdentifier ::= IA5String
]]></artwork> ]]></sourcecode>
<t> The UniformResourceIdentifier is a pointer to a location v <t>The UniformResourceIdentifier is a pointer to a location via
ia HTTP/HTTPS, or a dataURI. This field can contain one of two acceptable values HTTP/HTTPS or a dataURI. This field can contain one of two
:</t> acceptable values:</t>
<ul spacing="normal"> <ul spacing="normal" empty="true">
<li> <li>- If the request for (new) Cert B is to the same CA
organization as issued (existing) Cert A, then the
UniformResourceIdentifier value <bcp14>SHOULD</bcp14> be a URL
that points to a file containing a certificate or certificate
chain that the requesting entity owns, as detailed in <xref
target="RFC5280" format="default"/>; the URL is made available
via HTTP or HTTPS. The file must permit access to a CMS
'certs-only' message containing the end-entity X.509
certificate or the entire certificate chain. In this case,
preference for a URL keeps the data limit smaller than using a
dataURI. All certificates contained must be DER encoded. </li>
<t> - If the request for (new) Cert B is to the same CA o <!--[rfced] Please clarify "different to" in the following
rganization as issued (existing) Cert A, then the UniformResourceIdentifier valu sentence. Is the intended meaning perhaps "different than"?
e SHOULD be a URL that points to a file containing a certificate or certificate
chain that the requesting entity owns, as detailed in <xref target="RFC5280" for
mat="default"/>; the URL is made available via HTTP or HTTPS. The file must perm
it access to a CMS 'certs-only' message containing the end entity X.509 certific
ate, or the entire certificate chain. In this case, preference for a URL keeps t
he data limit smaller than using a dataURI. All certificates contained must be D
ER encoded. </t>
<t> - If the request for (new) Cert B is to a CA organiza Original:
tion different to the CA organization that issued the certificate (existing) Cer If the request for (new) Cert B is to a CA organization
t A referenced in the CSR, then the UniformResourceIdentifier value SHOULD be a different to the CA organization that issued the certificate
dataURI <xref target="RFC2397" format="default"/> containing inline degenerate P (existing) Cert A referenced in the CSR...
KCS#7 (see Sections 3.2.1, and 3.8 of <xref target="RFC8551" format="default"/>)
consisting of all the certificates and CRLs required to validate Cert A. This a
llows validation without the CA having to retrieve certificates/CRLs from anothe
r CA. Further discussion of requirements for this scenario is in Section 5. </t
>
</li>
</ul>
<ul spacing="normal">
<li>
<t>The signature field provides evidence that the request
ing entity owns the certificate indicated by the certID. Specifically, the sign
ature field contains a digital signature over the concatenation of DER encoded r
equestTime and IssuerAndSerialNumber. The concatenated value is signed using the
signature algorithm and private key associated with the certificate identified
by the certID field. </t>
<t>- If the related certificate is a key establishment ce Perhaps:
rtificate (e.g., using RSA key transport or ECC key agreement), use the private If the request for (new) Cert B is to a CA organization that is
key to sign one time for POP (as detailed in NIST SP 800-57 Part 1 Rev 5 Section different than the CA organization that issued the certificate
8.1.5.1.1.2) </t> (existing) Cert A referenced in the CSR...
</li> -->
</ul>
<t>The validation of this signature by the CA ensures that the <li>- If the request for (new) Cert B is to a CA organization
owner of the CSR also owns the certificate indicated in the relatedCertRequest a different to the CA organization that issued the certificate
ttribute. </t> (existing) Cert A referenced in the CSR, then the
UniformResourceIdentifier value <bcp14>SHOULD</bcp14> be a
dataURI <xref target="RFC2397" format="default"/> containing
inline degenerate PKCS#7 (see Sections <xref target="RFC8551" secti
on="3.2.1" sectionFormat="bare"/> and <xref target="RFC8551" section="3.8" secti
onFormat="bare"/> of <xref
target="RFC8551" format="default"/>) consisting of all the
certificates and CRLs required to validate Cert A. This allows
validation without the CA having to retrieve certificates/CRLs
from another CA. Further discussion of requirements for this
scenario is in <xref target="use-case"/>.</li></ul></li></ul>
<!-- [rfced] FYI: We have added a citation for the NIST SP mentioned
in this sentence, with a corresponding reference entry in the
informative reference section.
Original:
If the related certificate is a key establishment certificate (e.g., using RS
A
key transport or ECC key agreement), use the private key to sign one time for
POP (as detailed in NIST SP 800-57 Part 1 Rev 5 Section 8.1.5.1.1.2)
Current:
If the related certificate is a key establishment certificate (e.g., using RS
A
key transport or Elliptic Curve Cryptography (ECC) key agreement), use the
private key to sign one time for proof of possession (POP) (as detailed in
Section 8.1.5.1.1.2 of [NIST-SP-800-57]).
-->
<ul spacing="normal">
<li><t>The signature field provides evidence that the requesting
entity owns the certificate indicated by the certID.
Specifically, the signature field contains a digital signature
over the concatenation of DER-encoded requestTime and
IssuerAndSerialNumber. The concatenated value is signed using the
signature algorithm and private key associated with the
certificate identified by the certID field. </t></li></ul>
<ul spacing="normal" empty="true">
<li>- If the related certificate is a key establishment
certificate (e.g., using RSA key transport or Elliptic Curve
Cryptography (ECC) key
agreement), use the private key to sign one time for proof of
possession (POP) (as
detailed in Section 8.1.5.1.1.2 of <xref target="NIST-SP-800-57"/>)
.
</li>
</ul>
<t>The validation of this signature by the CA ensures that the
owner of the CSR also owns the certificate indicated in the
relatedCertRequest attribute. </t>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>CSR Processing</name> <name>CSR Processing</name>
<t>The information provided in the relatedCertRequest attribute a <t>The information provided in the relatedCertRequest attribute
llows the CA to locate a previously issued certificate that the requesting entit allows the CA to locate a previously issued certificate that the
y owns, and verify ownership by using the public key in that certificate to vali requesting entity owns, and verify ownership by using the public
date the signature in the relatedCertRequest attribute. key in that certificate to validate the signature in the
</t> relatedCertRequest attribute.
<t> If a CA receives a CSR that includes the relatedCertRequest a </t>
ttribute and that CA supports the attribute, the CA: <t> If a CA receives a CSR that includes the relatedCertRequest attri
bute and that CA supports the attribute, the CA:
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li> MUST retrieve the certificate identified in the relatedCer <li> <bcp14>MUST</bcp14> retrieve the certificate identified in
tRequest attribute using the information provided in UniformResourceIdentifier, the relatedCertRequest attribute using the information provided in UniformResou
and validate it using certificate path validation rules defined in <xref target= rceIdentifier, and validate it using certificate path validation rules defined i
"RFC5280" format="default"/>. The CA then extracts the IssuerAndSerialNumber fro n <xref target="RFC5280" format="default"/>. The CA then extracts the IssuerAndS
m the indicated certificate and compares this value against the IssuerAndSerialN erialNumber from the indicated certificate and compares this value against the I
umber provided in the certID field of relatedCertRequest. </li> ssuerAndSerialNumber provided in the certID field of relatedCertRequest. </li>
<li>MUST check that the BinaryTime indicated in the requestTime <li><bcp14>MUST</bcp14> check that the BinaryTime indicated in
field is sufficiently fresh. Note sufficient freshness is defined by local poli the requestTime field is sufficiently fresh. Note that sufficient freshness is d
cy out of scope of this document. </li> efined by local policy and is out of the scope of this document. </li>
<li>MUST verify the signature field of the relatedCertRequest a <li><bcp14>MUST</bcp14> verify the signature field of the relat
ttribute. The CA validates the signature using the public key associated with th edCertRequest attribute. The CA validates the signature using the public key ass
e certificate it located via the info provided in the UniformResourceIdentifier ociated with the certificate it located via the info provided in the UniformReso
field. The details of the validation process are outside the scope of this docum urceIdentifier field. The details of the validation process are outside the scop
ent. </li> e of this document. </li>
<li>SHOULD issue the new certificate containing the RelatedCert <li><bcp14>SHOULD</bcp14> issue the new certificate containing
ificate extension as specified in Section 4, which references the certificate in the RelatedCertificate extension as specified in <xref target="related-certifica
dicated in the attribute's IssuerAndSerialNumber field. The CA may apply local p te"/>, which references the certificate indicated in the attribute's IssuerAndSe
olicy regarding the suitability of the related certificate, such as validity per rialNumber field. The CA may apply local policy regarding the suitability of the
iod remaining.</li> related certificate, such as validity period remaining.</li>
</ul> </ul>
<t>The RA MUST only allow a previously-issued certificate to be i ndicated in the relatedCertRequest attribute in order to enable the CA to perfor m the required signature verification. <t>The RA <bcp14>MUST</bcp14> only allow a previously issued cert ificate to be indicated in the relatedCertRequest attribute in order to enable t he CA to perform the required signature verification.
</t> </t>
<t>The RA MAY send the CA a CSR containing a relatedCertRequest attribut e that includes the IssuerAndSerialNumber of a certificate that was issued by a different CA. <t>The RA <bcp14>MAY</bcp14> send the CA a CSR containing a relatedCertR equest attribute that includes the IssuerAndSerialNumber of a certificate that w as issued by a different CA.
</t> </t>
</section> </section>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default" anchor="related-certificate">
<name>Related Certificate</name> <name>Related Certificate</name>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>The RelatedCertificate Extension</name> <name>The RelatedCertificate Extension</name>
<t>This section profiles a new X.509v3 certificate extension, Rel <t>This section profiles a new X.509v3 certificate extension,
atedCertificate. RelatedCertificate creates an association between the certific RelatedCertificate. RelatedCertificate creates an association
ate containing the RelatedCertificate extension (Cert B) and the certificate ref between the certificate containing the RelatedCertificate
erenced within the extension (Cert A). When two end-entity certificates are use extension (Cert B) and the certificate referenced within the
d in a protocol, where one of the certificates contains a RelatedCertificate ext extension (Cert A). When two end-entity certificates are used in
ension that references another certificate, the authenticating entity is provide a protocol, where one of the certificates contains a
d with additional assurance that all certificates belong to the same entity. RelatedCertificate extension that references another certificate,
</t> the authenticating entity is provided with additional assurance
<t>The RelatedCertificate extension is an octet string that contains the that all certificates belong to the same entity.
hash of a single end-entity certificate. </t>
</t> <t>The RelatedCertificate extension is an octet string that
<t>The RelatedCertificate extension has the following syntax: contains the hash of a single end-entity certificate.
</t> </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <t>The RelatedCertificate extension has the following syntax:
</t>
<sourcecode type=""><![CDATA[
-- Object Identifiers for certificate extension -- Object Identifiers for certificate extension
id-relatedCert OBJECT IDENTIFIER ::= { TBD2 } id-relatedCert OBJECT IDENTIFIER ::= { 36 }
-- X.509 Certificate extension -- X.509 Certificate extension
RelatedCertificate ::= OCTET STRING RelatedCertificate ::= OCTET STRING
-- hash of entire related certificate } -- hash of entire related certificate }
]]></sourcecode>
]]></artwork> <t>The extension is comprised of an octet string, which is the di
<t>The extension is comprised of an octet string, which is the di gest value obtained from hashing the entire related certificate identified in th
gest value obtained from hashing the entire related certificate identified in th e relatedCertRequest CSR attribute defined above. The algorithm used to hash th
e CSR attribute defined above, relatedCertRequest. The algorithm used to hash t e certificate in the RelatedCertificate extension <bcp14>MUST</bcp14> match the
he certificate in the RelatedCertificate extension MUST match the hash algorithm hash algorithm used to sign the certificate that contains the extension.
used to sign the certificate that contains the extension.
</t> </t>
<t>This extension SHOULD NOT be marked critical. Marking this extension critical would severely impact interoperability. <t>This extension <bcp14>SHOULD NOT</bcp14> be marked critical. Marking this extension critical would severely impact interoperability.
</t> </t>
<t>For certificate chains, this extension MUST only be included in the e nd-entity certificate. <t>For certificate chains, this extension <bcp14>MUST</bcp14> only be in cluded in the end-entity certificate.
</t> </t>
<t>For the RelatedCertificate extension to be meaningful, a CA that issu es a certificate with this extension: <t>For the RelatedCertificate extension to be meaningful, a CA that issu es a certificate with this extension:
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>MUST only include a certificate in the extension that is li <li><bcp14>MUST</bcp14> only include a certificate in the exten
sted and validated in the relatedCertRequest attribute of the CSR submitted by t sion that is listed and validated in the relatedCertRequest attribute of the CSR
he requesting entity.</li> submitted by the requesting entity.</li>
<li>MUST ensure that the related certificate at least contains <li><bcp14>MUST</bcp14> ensure that the related certificate at
the KU bits and EKU OIDs <xref target="RFC5280" format="default"/> being asserte least contains the key usage (KU) bits and extended key usage (EKU) OIDs <xref t
d in the certificate being issued. </li> arget="RFC5280" format="default"/> being asserted in the certificate being issue
<li>SHOULD determine that all certificates are valid at the tim d. </li>
e of issuance.  The usable overlap of validity periods is a Subscriber concern.< <li><bcp14>SHOULD</bcp14> determine that all certificates are v
/li> alid at the time of issuance. The usable overlap of validity periods is a Subscr
iber concern.</li>
</ul> </ul>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default">
<name>Endpoint Protocol Multiple Authentication Processing</name> <name>Endpoint Protocol Multiple Authentication Processing</name>
<t> <t>
When the preference to use a non-composite hybrid authentication mode is expressed by an endpoint through the protocol itself (e.g., during negot iation), the use of the RelatedCertificate extension and its enforcement are lef t to the protocol's native authorization mechanism (along with other decisions e ndpoints make about whether to complete or drop a connection). When the preference to use a non-composite hybrid authentication mode is expressed by an endpoint through the protocol itself (e.g., during negot iation), the use of the RelatedCertificate extension and its enforcement are lef t to the protocol's native authorization mechanism (along with other decisions e ndpoints make about whether to complete or drop a connection).
</t> </t>
<t>If an endpoint has indicated that it is willing to do non-composite h ybrid authentication and receives the appropriate authentication data, it should check end-entity certificates (Cert A and Cert B) for the RelatedCertificate ex tension. If present in one certificate, for example Cert B, it should: <t>If an endpoint has indicated that it is willing to do non-composite h ybrid authentication and receives the appropriate authentication data, it should check end-entity certificates (Cert A and Cert B) for the RelatedCertificate ex tension. If present in one certificate, for example Cert B, it should:
</t> </t>
<ul spacing="normal"> <ul spacing="normal">
<li>Compute the appropriate hash of Cert A, the other end-entit y certificate received. The hash algorithm is the same as the one used to sign t he certificate containing the extension. </li> <li>Compute the appropriate hash of Cert A, the other end-entit y certificate received. The hash algorithm is the same as the one used to sign t he certificate containing the extension. </li>
<li>Verify that the hash value matches the hash entry in the Re latedCertificate extension of Cert B. </li> <li>Verify that the hash value matches the hash entry in the Re latedCertificate extension of Cert B. </li>
</ul> </ul>
<t>It is outside the scope of this document how to proceed with a uthentication based on the outcome of this verification process. Different deter minations may be made depending on each peer's policy regarding whether both or at least one authentication needs to succeed. <t>How to proceed with authentication based on the outcome of thi s verification process is outside the scope of this document. Different determin ations may be made depending on each peer's policy regarding whether both or at least one authentication needs to succeed.
</t> </t>
</section> </section>
</section> </section>
<section numbered="true" toc="default"> <section numbered="true" toc="default" anchor="use-case">
<name> Use Case </name> <name> Use Case </name>
<t> <t>
The general design of this method is best illustrated through specific u se within a migration strategy to PQ cryptography via a non-composite hybrid aut hentication mechanism. The intent is for a CA issuing a new, PQ certificate to a dd an X.509 extension that provides information about a previously-issued, tradi tional certificate in which the private key is controlled by the same end entity as the PQ certificate. The general design of this method is best illustrated through specific u se within a migration strategy to PQC via a non-composite hybrid authentication mechanism. The intent is for a CA issuing a new, post-quantum (PQ) certificate t o add an X.509 extension that provides information about a previously issued, tr aditional certificate in which the private key is controlled by the same end ent ity as the PQ certificate.
</t> </t>
<t> <t>
In the following scenario, an entity currently has a traditional certificate, and is requesting a new, PQ certificate be issued with the RelatedC ertificate extension included that references the entity's traditional certifica te. In the following scenario, an entity currently has a traditional certificate and is requesting a new, PQ certificate be issued with the RelatedCe rtificate extension included that references the entity's traditional certificat e.
</t> </t>
<t> <t>
The RA receives a CSR for a PQ certificate, where the CSR include s the relatedCertRequest attribute detailed in this document. The relatedCertReq uest attribute includes a certID field that identifies the entity's previously-i ssued traditional certificate, and a signature field in which the requesting ent ity produces a digital signature over the certID and a timestamp, using the priv ate key of the certificate identified by the certID. The RA receives a CSR for a PQ certificate, where the CSR include s the relatedCertRequest attribute detailed in this document. The relatedCertReq uest attribute includes a certID field that identifies the entity's previously i ssued traditional certificate and a signature field in which the requesting enti ty produces a digital signature over the certID and a timestamp, using the priva te key of the certificate identified by the certID.
</t> </t>
<t> <t>
The purpose of the relatedCertRequest attribute is to serve as a tool for the RA to provide assurance to the CA organization that the entity that controls the private key of the PQ certificate being requested also controls th e private key of the referenced, previously-issued traditional certificate. The purpose of the relatedCertRequest attribute is to serve as a tool for the RA to provide assurance to the CA organization that the entity that controls the private key of the PQ certificate being requested also controls th e private key of the referenced, previously issued traditional certificate.
</t> </t>
<t> <t>
Upon receipt of the CSR, the CA issues a PQ certificate to the re questing entity that includes the RelatedCertificate extension detailed in this document; the extension includes a hash of the entire traditional certificate id entified in the CSR. The X.509 extension creates an association between the PQ c ertificate and the traditional certificate via end-entity ownership. Upon receipt of the CSR, the CA issues a PQ certificate to the re questing entity that includes the RelatedCertificate extension detailed in this document; the extension includes a hash of the entire traditional certificate id entified in the CSR. The X.509 extension creates an association between the PQ c ertificate and the traditional certificate via end-entity ownership.
</t> </t>
<t> <t>
The attribute and subsequent extension together provide assurance from the CA organization that the same end-entity controls the private keys of both certificates.  It is neither a requirement nor a mandate that either certif icate be used with the other; it is simply an assurance that they can be used to gether, as they are under the control of the same entity. The attribute and subsequent extension together provide assurance from the CA organization that the same end entity controls the private keys of both certificates. It is neither a requirement nor a mandate that either certifi cate be used with the other; it is simply an assurance that they can be used tog ether, as they are under the control of the same entity.
</t> </t>
</section> </section>
<section anchor="CAconsiderations" numbered="true" toc="default"> <section anchor="CAconsiderations" numbered="true" toc="default">
<name>CA Organization Considerations</name> <name>CA Organization Considerations</name>
<t> <t>
The relatedCertRequest CSR attribute provides assertion to the CA organ ization issuing Cert B, of end entity control of the private key of a related ce rtificate, Cert A. There may arise scenarios where a public-facing CA organizati on is not configured to validate signatures associated with certificates that ha ve been issued by a different CA organization. In this case, recognition of the contents in the relatedCertRequest attribute may be contingent upon a pre-arrang ed contract with pre-configured trust anchors from the other CA organization, an d include agreements on certificate policy with regards to certificate applicati on, issuance, and acceptance. Further, matching policies between CA organization s on protection of private key may be necessary in order for the whole assurance level from the other CA organization to be accepted. The relatedCertRequest CSR attribute provides assertion to the CA organ ization issuing Cert B of end entity control of the private key of a related cer tificate, Cert A. Scenarios may arise where a public-facing CA organization is n ot configured to validate signatures associated with certificates that have been issued by a different CA organization. In this case, recognition of the content s in the relatedCertRequest attribute may be contingent upon a pre-arranged cont ract with pre-configured trust anchors from the other CA organization and includ e agreements on certificate policy with regards to certificate application, issu ance, and acceptance. Further, matching policies between CA organizations on pro tection of the private key may be necessary in order for the whole assurance lev el from the other CA organization to be accepted.
</t> </t>
<t> <t>
In a similar vein, if the CA organization issuing the PQ certificate ca n recognize the relatedCertRequest attribute in the CSR and wishes to issue the certificate with the RelatedCerts extension, it may be the case that a different CA organization issued the related certificate referenced in the CSR. In order to ensure that the certificates have been issued under homogeneous sets of secur ity parameters, the certificate policies should be the same with regard to commo n security requirements. The issuing CA, as part of related certificate public k ey validation, determines what policies are acceptable for the certification pat h of the related certificate. The issuing CA determines what is acceptable to th em in terms of certificate policy, to ensure that the policies for protection of private key are sufficient. The relatedCertRequest attribute and subsequent Rel atedCertificate certificate extension are solely intended to provide assurance t hat both private keys are controlled by the same end entity. Similarly, if the CA organization issuing the PQ certificate can recogn ize the relatedCertRequest attribute in the CSR and wishes to issue the certific ate with the RelatedCerts extension, it may be the case that a different CA orga nization issued the related certificate referenced in the CSR. In order to ensur e that the certificates have been issued under homogeneous sets of security para meters, the certificate policies should be the same with regard to common securi ty requirements. The issuing CA, as part of related certificate public key valid ation, determines what policies are acceptable for the certification path of the related certificate. The issuing CA determines what is acceptable to them in te rms of certificate policy, to ensure that the policies for protection of the pri vate key are sufficient. The relatedCertRequest attribute and subsequent Related Certificate certificate extension are solely intended to provide assurance that both private keys are controlled by the same end entity.
</t> </t>
</section> </section>
<section anchor="Security" numbered="true" toc="default"> <section anchor="Security" numbered="true" toc="default">
<name>Security Considerations</name> <name>Security Considerations</name>
<t> <t>
This document inherits security considerations identified in <xref targ et="RFC5280" format="default"/>. This document inherits security considerations identified in <xref targ et="RFC5280" format="default"/>.
</t> </t>
<t>The mechanisms described in this document provide only a means to expre ss that multiple certificates are related. They are intended for the interpretat ion of the recipient of the data in which they are embedded (i.e. a CSR or certi ficate). They do not by themselves effect any security function. <t>The mechanisms described in this document provide only a means to expre ss that multiple certificates are related. They are intended for the interpretat ion of the recipient of the data in which they are embedded (i.e., a CSR or cert ificate). They do not by themselves effect any security function.
</t> </t>
<t>Authentication, unlike key establishment, is necessarily a one-way arra <t>Authentication, unlike key establishment, is necessarily a one-way arra
ngement. That is, authentication is an assertion made by a claimant to a verifie ngement. That is, authentication is an assertion made by a claimant to a verifie
r. The means and strength of mechanism for authentication have to be to the sati r.
sfaction of the verifier. A system security designer needs to be aware of what a
uthentication assurances are needed in various parts of the system and how to ac <!--[rfced] Is "mechanism" intended to be singular (perhaps A) or
hieve that assurance. In a closed system (e.g. Company X distributing firmware t plural (perhaps B) in this sentence? And may we rephrase "have to
o its own devices) the approach may be implicit. In an online protocol like IPse be to the satisfaction of the verifier" to "have to be
c where the peers are generally known, any mechanism selected from a pre-establi satisfactory to the verifier"?
shed set may be sufficient. For more promiscuous online protocols, like TLS, the
ability for the verifier to express what is possible and what is preferred - an Original:
d to assess that it got what it needed - is important. The means and strength of mechanism for authentication have
to be to the satisfaction of the verifier.
Perhaps A:
The means and strength of an authentication mechanism have
to be to satisfactory to the verifier.
Perhaps B:
The means and strength of mechanisms for authentication have
to be satisfactory to the verifier.
-->
The means and strength of mechanism for authentication have to be to the s
atisfaction of the verifier. A system security designer needs to be aware of wha
t authentication assurances are needed in various parts of the system and how to
achieve that assurance. In a closed system (e.g., Company X distributing firmwa
re to its own devices), the approach may be implicit. In an online protocol like
IPsec where the peers are generally known, any mechanism selected from a pre-es
tablished set may be sufficient.
<!--[rfced] Can "and to assess that it got what it needed" be
rephrased for clarity? Please let us know if the suggested text
is agreeable or if you prefer otherwise.
Original:
For more promiscuous online protocols, like TLS, the ability
for the verifier to express what is possible and what is
preferred - and to assess that it got what it needed -
is important.
Perhaps:
For more promiscuous online protocols, like TLS, the ability
for the verifier to express what is possible and what is
preferred - and to assess that its requirements were met -
is important.
-->
For more promiscuous online protocols, like TLS, the ability for the verif
ier to express what is possible and what is preferred - and to assess that it go
t what it needed - is important.
</t> </t>
<t>A certificate is an assertion of binding between an identity and a publ ic key. However, that assertion is based on several other assurances, specifical ly, that the identity belongs to a particular physical entity, and that that phy sical entity has control over the private key corresponding to the public. For a ny hybrid approach, it is important that there be evidence that the same entity controls all private keys at time of use (to the verifier) and at time of regist ration (to the CA). <t>A certificate is an assertion of binding between an identity and a publ ic key. However, that assertion is based on several other assurances, specifical ly, that the identity belongs to a particular physical entity and that the physi cal entity has control over the private key corresponding to the public. For any hybrid approach, it is important that there be evidence that the same entity co ntrols all private keys at time of use (to the verifier) and at time of registra tion (to the CA).
</t> </t>
<t>All hybrid implementations are vulnerable to a downgrade attack in whic h a malicious peer does not express support for the stronger algorithm, resultin g in an exchange that can only rely upon a weaker algorithm for security. <t>All hybrid implementations are vulnerable to a downgrade attack in whic h a malicious peer does not express support for the stronger algorithm, resultin g in an exchange that can only rely upon a weaker algorithm for security.
</t> </t>
<t> <t>
Implementors should be aware of risks that arise from the retrieval of a related certificate via the UniformResourceIdentifier provided in the relatedC ertRequest CSR attribute, if the URI points to malicious code. Implementors shou ld ensure the data is properly formed and validate the retrieved data fully. Implementors should be aware of risks that arise from the retrieval of a related certificate via the UniformResourceIdentifier provided in the relatedC ertRequest CSR attribute, if the URI points to malicious code. Implementors shou ld ensure the data is properly formed and validate the retrieved data fully.
</t> </t>
<t> <t>
CAs should be aware that retrieval of existing certificates may be subj
ect to observation; if this is a concern, it may be advisable to use the dataURI <!--[rfced] We updated "it may be advisable" to "it is advisable". If
option described in Section 3.1. that is incorrect, please let us know.
Original:
CAs should be aware that retrieval of existing certificates may be
subject to observation; if this is a concern, it may be advisable to
use the dataURI option described in Section 3.1.
Current:
CAs should be aware that retrieval of existing certificates may be
subject to observation; if this is a concern, it is advisable to
use the dataURI option described in Section 3.1.
-->
CAs should be aware that retrieval of existing certificates may be subj
ect to observation; if this is a concern, it may be advisable to use the dataURI
option described in <xref target="related-cert-request"/>.
</t> </t>
</section> </section>
<section anchor="IANA" numbered="true" toc="default"> <section anchor="IANA" numbered="true" toc="default">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document defines an extension for use with X.509 certificates. IAN
A is requested to register the following OID in the SMI Security for PKIX Certif <!--[rfced] We have included a clarification about the IANA
icate Extension registry: text below. In addition to responding to that question, please
review all of the IANA-related updates carefully and let us know
if any further updates are needed.
a) FYI: For all three registrations, we replaced the OIDs enclosed
in <artwork> with entries that exactly match the IANA registries at
<https://www.iana.org/assignments/smi-numbers/>.
One example
Original:
id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe TBD2 }
Current:
| Decimal | Description | References |
+=========+===================+============+
| 36 | id-pe-relatedCert | RFC 9763 |
-->
<t>This document defines an extension for use with X.509 certificates. IAN
A has registered the following OID in the "SMI Security for PKIX Certificate Ext
ension" registry (1.3.6.1.5.5.7.1):
</t> </t>
<table align="center">
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Decimal</th>
<th align="left" colspan="1" rowspan="1">Description</th>
<th align="left" colspan="1" rowspan="1">References</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">36</td>
<td align="left" colspan="1" rowspan="1">id-pe-relatedCert</td>
<td align="left" colspan="1" rowspan="1">RFC 9763</td>
</tr>
</tbody>
</table>
<!--
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork name="" type="" align="left" alt=""><![CDATA[
id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe TBD2 } id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe 36 }
]]></artwork> ]]></artwork>
-->
<t>with this document as the Required Specification. <t>The registration procedure is Specification Required <xref target="RFC8
126"/>.
</t> </t>
<t>This document defines a CSR attribute. IANA is requested to register the following OID in the SMI Security for S/MIME Attributes registry: <t>This document defines a CSR attribute. IANA has registered the follo wing OID in the "SMI Security for S/MIME Attributes (1.2.840.113549.1.9.16.2)" r egistry:
</t> </t>
<table align="center">
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Decimal</th>
<th align="left" colspan="1" rowspan="1">Description</th>
<th align="left" colspan="1" rowspan="1">References</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">60</td>
<td align="left" colspan="1" rowspan="1">id-aa-relatedCertRequest</t
d>
<td align="left" colspan="1" rowspan="1">RFC 9763</td>
</tr>
</tbody>
</table>
<!--
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork name="" type="" align="left" alt=""><![CDATA[
id-aa-relatedCertRequest OBJECT IDENTIFIER ::= { id-aa TBD1 } id-aa-relatedCertRequest OBJECT IDENTIFIER ::= { id-aa 60 }
]]></artwork> ]]></artwork>
<t> This document defines an ASN.1 Module in Appendix A. IANA is -->
requested to register an OID for the module identifier in the SMI Security for P
KIX Module Identifier registry: <t> This document defines an ASN.1 module in <xref target="app-ad
ditional"/>. IANA has registered the following OID for the module identifier in
the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0):
</t> </t>
<table align="center">
<thead>
<tr>
<th align="left" colspan="1" rowspan="1">Decimal</th>
<th align="left" colspan="1" rowspan="1">Description</th>
<th align="left" colspan="1" rowspan="1">References</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" colspan="1" rowspan="1">115</td>
<td align="left" colspan="1" rowspan="1">id-mod-related-cert-2023</t
d>
<td align="left" colspan="1" rowspan="1">RFC 9763</td>
</tr>
</tbody>
</table>
<!--
<artwork name="" type="" align="left" alt=""><![CDATA[ <artwork name="" type="" align="left" alt=""><![CDATA[
id-mod-related-cert(TBD0) id-mod-related-cert-2023(115)
]]></artwork> ]]></artwork>
<t> The RFC Editor is requested to replace the TBDs in the text with the ass -->
igned OIDs.</t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.5280.xml"/> e.RFC.5280.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.2119.xml"/> e.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.5652.xml"/> e.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.6019.xml"/> e.RFC.5652.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.2397.xml"/> e.RFC.6019.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
e.RFC.2397.xml"/>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.5912.xml"/> e.RFC.5912.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.6268.xml"/> e.RFC.6268.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxm <xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
l/reference.RFC.8551.xml"/> e.RFC.8551.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/referenc
e.RFC.8126.xml"/>
<reference anchor="NIST-SP-800-57" target="https://nvlpubs.nist.gov/nistpubs/Spe
cialPublications/NIST.SP.800-57pt1r5.pdf">
<front>
<title>Recommendation for Key Management: Part 1 - General</title>
<author fullname="Elaine Barker" surname="Barker">
<organization>Information Technology Laboratory</organization>
</author>
<date month="May" year="2020"/>
</front>
<refcontent>National Institute of Standards and Technology</refcontent>
<seriesInfo name="NIST SP" value="800-57pt1r5"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-57pt1r5"/>
</reference>
</references> </references>
</references> </references>
<section anchor="app-additional" numbered="true" toc="default"> <section anchor="app-additional" numbered="true" toc="default">
<name>ASN.1 Module</name> <name>ASN.1 Module</name>
<t>The following RelatedCertificate ASN.1 module describes the Re questerCertificate type found in the relatedCertAttribute. It pulls definitions from modules defined in <xref target="RFC5912" format="default"/>, and <xref tar get="RFC6268" format="default"/>, and <xref target="RFC6019" format="default"/> for the IssuerAndSerialNumber type, and BinaryTime type, respectively. </t>
<artwork name="" type="" align="left" alt=""><![CDATA[ <!-- [rfced] We note that the "IssuerAndSerialNumber type" is
mentioned in [RFC5912] and [RFC6268, and the "BinaryTime type" is
mentioned in [RFC6019]. Considering that, may we update the
following sentence for clarity as shown below?
Original:
It pulls definitions from modules defined in [RFC5912], and [RFC6268],
and [RFC6019] for the IssuerAndSerialNumber type, and BinaryTime type,
respectively.
Perhaps:
It pulls definitions from modules defined in [RFC5912] and [RFC6268]
for the IssuerAndSerialNumber type and in [RFC6019] for the
BinaryTime type.
-->
<t>The following RelatedCertificate ASN.1 module describes the
RequesterCertificate type found in the relatedCertAttribute. It pulls
definitions from modules defined in <xref target="RFC5912"
format="default"/>, and <xref target="RFC6268" format="default"/>, and
<xref target="RFC6019" format="default"/> for the IssuerAndSerialNumber
type, and BinaryTime type, respectively. </t>
<sourcecode type="asn.1"><![CDATA[
RelatedCertificate { iso(1) identified-organization(3) dod(6) RelatedCertificate { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-related-cert(TBD0)} id-mod-related-cert-2023(115)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ATTRIBUTE, EXTENSION ATTRIBUTE, EXTENSION
FROM PKIX-CommonTypes-2009 -- in [RFC5912] FROM PKIX-CommonTypes-2009 -- in RFC 5912
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) } id-mod-pkixCommon-02(57) }
IssuerAndSerialNumber IssuerAndSerialNumber
FROM CryptographicMessageSyntax-2010 -- in [RFC6268] FROM CryptographicMessageSyntax-2010 -- in RFC 6268
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-cms-2009(58) } id-mod-cms-2009(58) }
BinaryTime BinaryTime
FROM BinarySigningTimeModule -- in [RFC6019] FROM BinarySigningTimeModule -- in RFC 6019
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-binarySigningTime(27) } ; id-mod-binarySigningTime(27) } ;
-- Object identifier arcs -- Object identifier arcs
id-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) id-pe OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 } dod(6) internet(1) security(5) mechanisms(5) pkix(7) 1 }
id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) usa(840) id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) usa(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2) } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) attributes(2) }
-- relatedCertificate Extension -- relatedCertificate Extension
id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe TBD2 } id-pe-relatedCert OBJECT IDENTIFIER ::= { id-pe 36 }
RelatedCertificate ::= OCTET STRING RelatedCertificate ::= OCTET STRING
ext-relatedCertificate EXTENSION ::= { ext-relatedCertificate EXTENSION ::= {
SYNTAX RelatedCertificate SYNTAX RelatedCertificate
IDENTIFIED BY id-pe-relatedCert } IDENTIFIED BY id-pe-relatedCert }
-- relatedCertRequest Attribute -- relatedCertRequest Attribute
id-aa-relatedCertRequest OBJECT IDENTIFIER ::= { id-aa TBD1 } id-aa-relatedCertRequest OBJECT IDENTIFIER ::= { id-aa 60 }
RequesterCertificate ::= SEQUENCE { RequesterCertificate ::= SEQUENCE {
certID IssuerAndSerialNumber, certID IssuerAndSerialNumber,
requestTime BinaryTime, requestTime BinaryTime,
locationInfo UniformResourceIdentifier, locationInfo UniformResourceIdentifier,
signature BIT STRING } signature BIT STRING }
UniformResourceIdentifier ::= IA5String UniformResourceIdentifier ::= IA5String
aa-relatedCertRequest ATTRIBUTE ::= { aa-relatedCertRequest ATTRIBUTE ::= {
TYPE RequesterCertificate TYPE RequesterCertificate
IDENTIFIED BY id-aa-relatedCertRequest } IDENTIFIED BY id-aa-relatedCertRequest }
END END
]]></artwork> ]]></sourcecode>
</section> </section>
<!-- [rfced] We updated artwork to sourcecode in Sections 3.1 and 4.1 and in
Appendix A. Please confirm that this is correct.
In addition, please consider whether the "type" attribute of any sourcecode
element should be set and/or has been set correctly.
The current list of preferred values for "type" is available at
<https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>.
If the current list does not contain an applicable type, feel free to
suggest additions for consideration. Note that it is also acceptable
to leave the "type" attribute not set.
-->
<!-- [rfced] FYI: We have added expansions for the following
abbreviations per Section 3.6 of RFC 7322 ("RFC Style
Guide"). Please review each expansion in the document carefully
to ensure correctness.
Cryptographic Message Syntax (CMS)
Certificate Signing Request (CSR)
Elliptic Curve Cryptography (ECC)
extended key usage (EKU)
Internet Key Exchange Protocol Version 2 (IKEv2)
key usage (KU)
proof of possession (POP) (per NIST-SP-800-57)
post-quantum (PQ)
post-quantum cryptography (PQC)
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
For example, please consider whether "native" should be updated.
In addition, please consider whether "traditional" should be updated for clarity
.
While the NIST website
<https://web.archive.org/web/20250214092458/https://www.nist.gov/
nist-research-library/nist-technical-series-publications-author-instructions#tab
le1>
indicates that this term is potentially biased, it is also ambiguous.
"Tradition" is a subjective term, as it is not the same for everyone.
-->
</back> </back>
</rfc> </rfc>
 End of changes. 79 change blocks. 
259 lines changed or deleted 537 lines changed or added

This html diff was produced by rfcdiff 1.48.