]> DigiCert, Inc.

corey.bonnell@digicert.com

SECOM CO., LTD.

tadahiko.ito.public@gmail.com

Penguin Securities Pte. Ltd.

tomofumi.okubo+ietf@gmail.com

next generation unicorn sparkling distributed ledger RFC 5280 defines the profile of X.509 certificates and certificate revocation lists (CRLs) for use in the Internet. Section 4.2.1.3 of RFC 5280 requires CRL issuer certificates to contain the keyUsage extension with the cRLSign bit asserted. However, the CRL validation algorithm specified in Section 6.3 of RFC 5280 does not explicitly include a corresponding check for the presence of the keyUsage certificate extension. This document updates RFC 5280 to require that check. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction defines the profile of X.509 certificates and certificate revocation lists (CRLs) for use in the Internet. Section 4.2.1.3 of requires CRL issuer certificates to contain the keyUsage extension with the cRLSign bit asserted. However, the CRL validation algorithm specified in Section 6.3 of does not explicitly include a corresponding check for the presence of the keyUsage certificate extension. This document updates to require that check. describes the security concern that motivates this update. updates the CRL validation algorithm to resolve this concern.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The risk of trusting CRLs signed with non-certified keys In some Public Key Infrastructures, entities are delegated by Certification Authorities to sign CRLs. CRLs whose scope encompasses certificates that have not been signed by the CRL issuer are known as "indirect CRLs". Applications which consume CRLs follow the validation algorithm as specified in Section 6.3 of . In particular, Section 6.3.3 contains the following step for CRL validation:

• (f) Obtain and validate the certification path for the issuer of the complete CRL. The trust anchor for the certification path MUST be the same as the trust anchor used to validate the target certificate. If a keyUsage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

This step does not explicitly specify a check for the presence of the keyUsage extension itself. Similarly, the certificate profile in does not require the inclusion of the keyUsage extension in a certificate if the certified public key is not used for verifying the signatures of other certificates or CRLs. Certification Authorities can delegate the issuance of CRLs to other entities by issuing to the entity a certificate that asserts the cRLSign bit in the keyUsage extension. The Certification Authority will then sign certificates that fall within the scope of the indirect CRL by including the crlDistributionPoints extension and specifying the distinguished name ("DN") of the CRL issuer in the cRLIssuer field of the corresponding distribution point. The CRL issuer signs CRLs that assert the indirectCRL boolean within the issuingDistributionPoint extension. The allowance for the issuance of certificates without the keyUsage extension and the lack of a check for the inclusion of the keyUsage extension during CRL verification can manifest in a security issue. A concrete example is described below.

1. The Certification Authority signs an end-entity CRL issuer certificate to subject X that certifies key A for signing CRLs by explicitly including the keyUsage extension and asserting the cRLSign bit in accordance with Section 4.2.1.3 of .
2. The Certification Authority signs one or more certificates that include the crlDistributionPoints extension with the DN for subject X included in the cRLIssuer field. This indicates that the CRL-based revocation information for these certificates will be provided by subject X.
3. The Certification Authority signs an end-entity certificate to subject X that certifies key B. This certificate contains no key usage extension, as the certified key is not intended to be used for signing CRLs and could be a “mundane” certificate of any type (e.g., S/MIME, document signing certificate where the corresponding private key is stored on the filesystem of the secretary's laptop, etc.).
4. Subject X signs a CRL using key B and publishes the CRL at the distributionPoint specified in the crlDistributionPoints extension of the certificates signed in step 2.
5. Relying parties download the CRL published in step 4. The CRL validates successfully according to Section 6.3.3 of , as the CRL issuer DN matches, and the check for the presence of the cRLSign bit in the keyUsage extension is skipped because the keyUsage extension is absent.

Checking the presence of the keyUsage extension To remediate the security issue described in , this document specifies the following amendment to step (f) of the CRL algorithm as found in Section 6.3.3 of . OLD:

• (f) Obtain and validate the certification path for the issuer of the complete CRL. The trust anchor for the certification path MUST be the same as the trust anchor used to validate the target certificate. If a keyUsage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set.

NEW:

• (f) Obtain and validate the certification path for the issuer of the complete CRL. The trust anchor for the certification path MUST be the same as the trust anchor used to validate the target certificate. If the version of the CRL issuer’s certificate is version 3 (v3), then verify that the keyUsage extension is present and verify that the cRLSign bit is set.

This change ensures that the CRL issuer's key is certified for CRL signing. However, this check is not performed if the CRL issuer's key is certified using a version 1 (v1) or version 2 (v2) X.509 certificate, as these versions do not have an extensions field where the key usage extension can be included.

Security Considerations If a Certification Authority has signed certificates to be used for CRL verification but do not include the keyUsage extension in accordance with Section 4.2.1.3 of , then relying party applications that have implemented the modified verification algorithm as specified in this document will be unable to verify CRLs signed by the CRL issuer in question. It is strongly RECOMMENDED that Certification Authorities include the keyUsage extension in certificates to be used for CRL verification to ensure that there are no interoperability issues where updated applications are unable to verify CRLs. If it is not possible to update the profile of CRL issuer certificates, then the policy management authority of the affected Public Key Infrastructure SHOULD update the subject naming requirements to ensure that certificates to be used for different purposes contain unique DNs.

IANA Considerations This document has no IANA actions.

Normative References This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Acknowledgments The authors would like to thank the participants on the LAMPS Working Group mailing list for their insightful feedback and comments. In particular, the authors extend sincere appreciation to Carl Wallace, David Hook, Deb Cooley, John Gray, Michael St. Johns, Mike Ounsworth, Russ Housley, Serge Mister, and Tomas Gustavsson for their reviews and suggestions, which greatly improved the quality of this document.