Sandelman Software Works

mcr+ietf@sandelman.ca

Cisco

ofriel@cisco.com

Siemens

dev@ddvo.net

The Industrial Lounge

dharkins@lounge.org

Internet LAMPS Working Group Internet-Draft Enrollment over Secure Transport (EST) is ambiguous in specification of the CSR Attributes Response. This has resulted in implementation challenges and implementor confusion. This document updates EST and clarifies how the CSR Attributes Response can be used by an EST server to specify both CSR attribute OIDs and also CSR attribute values that the server expects the client to include in its CSR request.

Introduction Enrollment over Secure Transport (EST) has been used in a wide variety of applications. In particular, and describe a way to use it in order to build out an autonomic control plane (ACP) . The ACP requires that each node be given a very specific SubjectAltName. In the ACP specification, the solution was for the EST server to use section 2.6 of to convey to the EST client the actual SubjectAltName that will end up in its certificate. As a result of some implementation challenges, it came to light that this particular way of using the CSR attributes was not universally agreed upon, and in fact runs contrary to section 2.6. Section 2.6 says that the CSR attributes "provide additional descriptive information that the EST server cannot access itself". This extends to specifying that a particular attribute should exist, but not to the point of having the EST server actually specify the value. The way in which the CSRattributes were understood by turns out to be invalid. This document, therefore, updates section 2.6 to define this behavior. This document also updates section 4.5 to include revised ASN.1 that covers all uses and is backward compatible with the existing use. Additional examples are provided in an appendix.

CSR Attributes Handling

Current EST Specification The ASN.1 for CSR Attributes as defined in EST section 4.5.2 is: That section also states the following: This has been interpreted by some implementations as meaning that the CSR Attributes response can only include values for the attribute OIDs that the client should include in its CSR, and cannot include the actual values of those attributes. This is further reinforced by the example: This example illustrates that the 'value' specified is an attribute OID, for example the macAddress OID, and not the value (such as "10-00-00-12-23-45") of the attribute itself. There is no clearly documented mechanism with supporting examples that specifies how a CSR Attributes response can include a value for a given attribute such as SubjectAltName. EST section 4.5.2 also states the following: This statement aligns closely with the goal of this document. Additionally, EST Extensions Appendix A has an informative appendix that outlines how a full CSR can be included in the CSR Attributes response.

Updated CSR Attributes Handling The WG will pick one option as part of the adoption call.

Option two: Extend CSR structure to allow values: This ASN.1 needs fixing. This would just add a value to the SEQUENCE: For example:

Option three: explicit content for the key specification The following options support complete and unambiguous specification of

• CSR ingredients optionally including values to use,
• the type of the public key, which is given in the form of a public-key algorithm,
• and the hash algorithm to use for the self-signature.

CSR ingredients may be the subject DN, any X.509 extensions, and special attributes like a challenge password. For specifying the type of keys allowed in CSRs, they use a to-the-point KeySpec type. It can be defined for instance as The keyAlg type use used to specify public-key alorithms and can include parameters, such as the name of an elliptic curve. The rsaKeyLen choice allows specifying the size of RSA keys, which it is not possible using values of type AlgorithmIdentifier. The keySpec could also be sequence of such specs, such that the server can give several key types from which the client can choose, e.g., EC keys on certain curves and/or RSA keys of certain sizes. Stick for syntactic backward compatibility with Each OID given in AttrOrOID must occur only once. Plain OIDs are used mostly for challengePassword. Attributes are used mostly for any X.509 extensions, subject DN, key spec, and hash alg, while defining new generally usable OIDs for

• a subject DN of type Name
• a key spec of type KeySpec
• a hash alg spec of type AlgorithmIdentifier

to be given on demand as attribute IDs of type ATTRIBUTE.&id({IOSet}).

Option four: explicit members for unique attributes Define a new and more to-the-point type, which does not require new OIDs: Each OID given in oids or attrs must occur only once. The oids are used mostly for requiring a challenge password. The atttrs are used mostly for requiring certain X.509 extensions. This is, typically just challengePassword and extensionRequest are used.

Option five: more specific structure, simpler extensions Define a new fully to-the-point type, which does not require any (direct) OIDs:

Co-existence with existing implementations There are some ways in which the new CSRattributes could co-exist with RFC7030.

Use a new MIME type The client can signal that it supports the new attribute format by using an Accept: header in the transaction. This acts as a signal to a server that it can/should return the attributes in the new format.

Use a new end point of the new format Clients that want to use the new format would use a new end point, such as "csrvalues" which would only support the new format. A client which supported both would have to try both "csrvalues" and then fall back "csrattrs" if the EST server did not support the new format. Some uses (such as ) require the new format, so if it was not suppored, that would be a protocol error.

Insist new format is upwardly compatible with old format ASN.1 encoding is self-describing, and some formats proposed above could possibly be parsed by legacy clients without a problem.

Return new format to new clients only The Registrar may know which clients are which by the kind of authentication that they do. An client which has just performed a enrollment would be assumed to require the new format only. A client which authenticates with an LDevID for a renewal would be strongly identified, and the Registrar could be programmed whether to return new format, or legacy CSR attributes.

Whether or not to Base64 encoding of results clarified that the csrattrs end point was to be Base64 encoded even though the HTTP transport was 8-bit clean. If this document establishes a new end point, then the new end point will not be base64 encoded according to current HTTP usage.

Examples

RFC8994/ACP subjectAltName with specific otherName included TBD

EST server requires public keys of a specific size TBD

EST server requires a public key of a specific algorithm/curve TBD

EST server requires a specific extension to be present TBD

Security Considerations All security considertions from EST section 6 are applicable.

Identity and Privacy Considerations An EST server may use this mechanism to instruct the EST client about the identities it should include in the CSR it sends as part of enrollment. The client may only be aware of its IDevID Subject, which includes a manufacturer serial number. The EST server can use this mechanism to tell the client to include a specific fully qualified domain name in the CSR in order to complete domain ownership proofs required by the CA. Additionally, the EST server may deem the manufacturer serial number in an IDevID as personally identifiable information, and may want to specify a new random opaque identifier that the pledge should use in its CSR. This may be desirable if the CA and EST server have different operators.

IANA Considerations None.

Acknowledgements TODO

Changelog

References Normative References RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple, yet functional, certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificates. It also supports client-generated public/private key pairs as well as key pairs generated by the CA. Autonomic functions need a control plane to communicate, which depends on some addressing and routing. This Autonomic Control Plane should ideally be self-managing and be as independent as possible of configuration. This document defines such a plane and calls it the "Autonomic Control Plane", with the primary use as a control plane for autonomic functions. It also serves as a "virtual out-of-band channel" for Operations, Administration, and Management (OAM) communications over a network that provides automatically configured, hop-by-hop authenticated and encrypted communications via automatically configured IPv6 even when the network is not configured or is misconfigured. This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well. Informative References Operations, Administration, and Maintenance (OAM), as per BCP 161, for data networks is often subject to the problem of circular dependencies when relying on connectivity provided by the network to be managed for the OAM purposes. Provisioning while bringing up devices and networks tends to be more difficult to automate than service provisioning later on. Changes in core network functions impacting reachability cannot be automated because of ongoing connectivity requirements for the OAM equipment itself, and widely used OAM protocols are not secure enough to be carried across the network without security concerns. This document describes how to integrate OAM processes with an autonomic control plane in order to provide stable and secure connectivity for those OAM processes. This connectivity is not subject to the aforementioned circular dependencies. The EST (Enrollment over Secure Transport) protocol defines the Well-Known URI (Uniform Resource Identifier) -- /.well-known/est -- along with a number of other path components that clients use for PKI (Public Key Infrastructure) services, namely certificate enrollment (e.g., /simpleenroll). This document defines a number of other PKI services as additional path components -- specifically, firmware and trust anchors as well as symmetric, asymmetric, and encrypted keys. This document also specifies the PAL (Package Availability List), which is an XML (Extensible Markup Language) file or JSON (JavaScript Object Notation) object that clients use to retrieve packages available and authorized for them. This document extends the EST server path components to provide these additional services. This document updates RFC 7030: Enrollment over Secure Transport to resolve some errata that were reported and that have proven to cause interoperability issues when RFC 7030 was extended. This document deprecates the specification of "Content-Transfer-Encoding" headers for Enrollment over Secure Transport (EST) endpoints. This document fixes some syntactical errors in ASN.1 that were present.