Internet Draft                                              S. Tuecke
Document: draft-ietf-pkix-proxy-03                          D. Engert
                                                            I. Foster
Initial Version March 2001                                        ANL
Revised October 2002                                         V. Welch
Expires April 2003                                         U. Chicago
                                                          M. Thompson
                                                                 LBNL
                                                          L. Pearlman
                                                         C. Kesselman
                                                              USC/ISI

              Internet X.509 Public Key Infrastructure
                      Proxy Certificate Profile

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document provides information to the community regarding the
   profile of the X.509 Proxy Certificate. It defines a standard for
   implementing X.509 Proxy Certificates.

tuecke@mcs.anl.gov                                                  1
X.509 Proxy Certificate Profile     October 2002   Expires April 2003

Abstract

   This document forms a certificate profile for Proxy Certificates,
   based on X.509 PKI certificates as defined in RFC 3280, for use in
   the Internet. The term Proxy Certificate is used to describe a
   certificate that is derived from, and signed by, a normal X.509
   Public Key End Entity Certificate or by another Proxy Certificate
   for the purpose of providing restricted impersonation within a PKI
   based authentication system.

Table of Contents

   1     Introduction
   2     Overview of Approach
   2.1   Terminology
   2.2   Background
   2.3   Motivation for Impersonation
   2.4   Motivation for Restricted Proxies
   2.5   Motivation for Unique Proxy Name
   2.6   Description Of Approach
   2.7   Features Of This Approach
   3     Certificate and Certificate Extensions Profile
   3.1   Issuer
   3.2   Issuer Alternative Name
   3.3   Serial Number
   3.4   Subject
   3.5   Subject Alternative Name
   3.6   Key Usage
   3.7   Extended Key Usage
   3.8   Basic Constraints
   3.9   The ProxyCertInfo Extension
   4     Certificate Path Validation
   5     Commentary
   5.1   Relationship to Attribute Certificates
   5.2   Kerberos 5 Tickets
   5.3   Examples of usage of Proxy Restrictions
   5.4   Delegation Tracing
   6     Security Considerations
   6.1   Compromise of a Proxy Certificate
   6.2   Restricting Proxy Certificates
   6.3   Relying Party Trust of Proxy Certificates
   7     References
   8     Acknowledgments
   9     Change Log
   10    Contact Information
   11    Copyright Notice
   12    Intellectual Property Statement

1 Introduction

   Use of a proxy credential [10] for impersonation is a common
   technique used in security systems to allow entity A to grant to
   another entity B the right for B to authenticate with others as if
   it were A. In other words, entity B is impersonating entity A. This
   document forms a certificate profile for Proxy Certificates, based
   on RFC 3280, "Internet X.509 Public Key Infrastructure Certificate
   and CRL Profile" [7].

   In addition to simple, unrestricted impersonation, this profile
   defines:

   * A framework for carrying policies in Proxy Certificates that
     allow impersonation to be limited (perhaps completely disallowed)
     through either restrictions or enumeration of rights.

   * Proxy Certificates with unique names, derived from the end entity
     certificate name. This allows the Proxy Certificates to be used
     in conjunction with attribute assertion approaches such as
     Attribute Certificates [4] and have their own rights independent
     of their issuer.

   Section 2 provides a non-normative overview of the approach. It
   begins by defining terminology, motivating Proxy Certificates, and
   giving a brief overview of the approach. It then introduces the
   notion of a Proxy Issuer, as distinct from a Certificate Authority,
   to describe how end entity signing of a Proxy Certificate is
   different from end entity signing of another end entity certificate,
   and therefore why this approach does not violate the end entity
   signing restrictions contained in the X.509 keyCertSign field of the
   keyUsage extension. It then continues with discussions of how
   subject names are used by this impersonation approach, and features
   of this approach.

   Section 3 defines requirements on information content in Proxy
   Certificates. This profile addresses two fields in the basic
   certificate as well as five certificate extensions. The certificate
   fields are the subject and issuer fields. The certificate extensions
   are subject alternative name, issuer alternative name, key usage,
   basic constraints, and extended key usage. A new certificate
   extension, Proxy Certificate Information, is introduced.

   Section 4 defines path validation rules for Proxy Certificates.

   Section 5 provides non-normative commentary on Proxy Certificates.

   Section 6 discusses security considerations relating to Proxy
   Certificates.

   Section 7 contains the references. Section 8 contains
   acknowledgements. Section 9 contains a log of changes made in each
   version of this draft. Section 10 contains contact information for
   the authors. Section 11 contains the copyright information for this
   document. Section 12 contains the intellectual property information
   for this document.

   This document was written under the auspices of the Global Grid
   Forum Grid Security Infrastructure Working Group. For more
   information on this and other related work, see
   http://www.gridforum.org/2_SEC/GSI.htm.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [1].

2 Overview of Approach

   This section provides non-normative commentary on Proxy
   Certificates.

   The goal of this specification is to develop an X.509 Proxy
   Certificate profile and to facilitate their use within Internet
   applications for those communities wishing to make use of restricted
   impersonation and delegation within an X.509 PKI authentication
   based system.

   This section provides relevant background, motivation, an overview
   of the approach, and related work.

2.1 Terminology

   This document uses the following terms:

   * CA: A "Certificate Authority", as defined by X.509 [7].

   * EEC: An "End Entity Certificate", as defined by X.509. That is,
     it is an X.509 Public Key Certificate issued to an end entity,
     such as a user or a service, by a CA.

   * PKC: An end entity "Public Key Certificate". This is synonymous
     with an EEC.

   * PC: A "Proxy Certificate", the profile of which is defined by
     this document.

   * PI: A "Proxy Issuer" is the End Entity Certificate or Proxy
     Certificate that issued a Proxy Certificate.

   * AC: An "Attribute Certificate", as defined by "An Internet
     Attribute Certificate Profile for Authorization" [4].

   * AA: An "Attribute Authority", as defined in [4].