Internet-Draft | ACME DTN Node ID | March 2021 |
Sipos | Expires 8 September 2021 | [Page] |
This document specifies an extension to the Automated Certificate Management Environment (ACME) protocol which allows an ACME server to validate the Delay-Tolerant Networking (DTN) Node ID for an ACME client. The DTN Node ID is encoded as a certificate Subject Alternative Name (SAN) of type Uniform Resource Identifier (URI) and ACME Identifier type "uri".¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 8 September 2021.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Although the original purpose of the Automatic Certificate Management Environment (ACME) [RFC8555] was to allow Public Key Infrastructure Using X.509 (PKIX) certificate authorities to validate network domain names of clients, the same mechanism can be used to validate any of the subject claims supported by the PKIX profile [RFC5280].¶
In the case of this specification, the claim being validated is a Subject Alternative Name (SAN) of type Uniform Resource Identifier (URI) used to represent the Node ID of a Delay-Tolerant Networking (DTN) Node. A DTN Node ID is a URI with a specific set of allowed schemes, and determines how bundles are routed within a DTN. Currently the schemes "dtn" and "ipn" as defined in [I-D.ietf-dtn-bpbis] are valid for a Node ID.¶
Once an ACME server validates a Node ID, either as a pre-authorization of the "uri" or as one of the authorizations of an order containing a "uri", the client can finalize the order using an associated certificate signing request. Because a single order can contain multiple identifiers of multiple types, there can be operational issues for a client attempting to, and possibly failing to, validate those multiple identifiers as described in Section 4.1. Once a certificate is issued for a Node ID, how the ACME client configures the BP agent with the new certificate is an implementation matter.¶
The scope and behavior of this validation mechanism is similar to that of secured email validation of [I-D.ietf-acme-email-smime]. For that reason some token splitting terminology in this document is taken from the email specification.¶
The basic unit of data exchange in a DTN is a Bundle [I-D.ietf-dtn-bpbis], which consists of a data payload with accompanying metadata. An Endpoint ID is used as the destination of a Bundle and can indicate both a unicast or a multicast destination. A Node ID is used to identify the source of a Bundle and is used for routing through intermediate nodes, including the final node(s) used to deliver a Bundle to its destination endpoint. A Node ID can also be used as an endpoint for administrative bundles. More detailed descriptions of the rationale and capabilities of these networks can be found in "Delay-Tolerant Network Architecture" [RFC4838].¶
When a ACME client requests a pre-authorization or an order with a "uri" which could be used as a DTN Node ID, the ACME server offers a challenge type to validate that Node ID. If the ACME client attempts the authorization challenge to validate a Node ID, the ACME server sends an ACME Node ID Validation Challenge Bundle with a destination of the Node ID being validated. The BP agent on that node receives the Challenge Bundle, generates an ACME signature, and sends an ACME Node ID Validation Response Bundle with the signature. Finally, the ACME server receives the Response Bundle and checks that the signature came from the client account key associated with the original request.¶
Because the DTN Node ID is used both for routing bundles between BP agents and for multiplexing services within a BP agent, there is no possibility to separate the ACME validation of a Node ID from normal bundle handling on that same Node ID. This leaves Bundle administrative records as a way to leave the Node ID unchanged while disambiguating from normal service data bundles.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In this document, several terms are shortened for the sake of terseness. These terms are:¶
This document defines CBOR structure using the Concise Data Definition Language (CDDL) of [RFC8610]. The entire CDDL structure can be extracted from the XML version of this document using the XPath expression:¶
'//sourcecode[@type="cddl"]'¶
The following initial fragment defines the top-level symbols of this document's CDDL, which includes the example CBOR content.¶
start = acme-record / bundle / tstr¶
This specification is the first to make use of a URI to identify a service for a certificate request in ACME. The URI-type identifier is general purpose, and validating ownership of a URI requires a specific purpose related to its "scheme" component. In this document, the only purpose for which a URI ACME identifier is validated is as a DTN Node ID (see Section 3), but other specifications can define challenge types for other URI uses.¶
Identifiers of type "uri" MUST appear in an extensionRequest attribute [RFC2985] requesting a subjectAltName extension of type uniformResourceIdentifier having a value consistent with the requirements of [RFC3986].¶
Any identifier of type "uri" in a newOrder request MUST NOT have a wildcard ("*") character in its value.¶
If an ACME server wishes to request proof that a user controls a URI, it SHALL create an authorization with the identifier type "uri". The value field of the identifier SHALL contain the textual form of the URI as defined in Section 3 of [RFC3986]. The ACME server SHALL NOT decode or attempt to dereference the URI value on its own. It is the responsibility of a validation method to ensure the URI ownership via scheme-specific means authorized by the ACME client.¶
An identifier for the Node ID of "dtn://example/" would be formatted as:¶
{"type": "uri", "value": "dtn://example/"}¶
The DTN Node ID validation method proves control over a Node ID by requiring the ACME client to configure a BP agent to respond to specific Challenge Bundles sent from the ACME server. The ACME server validates control of the Node ID URI by verifying that received Response Bundles correspond with the BP Node and client account key being validated.¶
Similar to the ACME use case for validating email address ownership [I-D.ietf-acme-email-smime], this challenge splits the token into two parts. Each part reaches the client through a different channel: one via the ACME channel in the challenge object, the other via the DTN channel within the Challenge Bundle. The Key Authorization result requires that the ACME client have access to the results of each channel to get both parts of the token.¶
The DTN Node ID Challenge SHALL only be allowed for URIs usable as a DTN Node ID, which are currently the schemes "dtn" and "ipn" as defined in [I-D.ietf-dtn-bpbis]. When an ACME server supports Node ID validation, the ACME server SHALL define a challenge object in accordance with Section 3.1. Once this challenge object is defined, the ACME client may begin the validation.¶
To initiate a Node ID validation, the ACME client performs the following steps:¶
The ACME server verifies the client's control over a Node ID by performing the following steps:¶
An ACME server MAY send multiple challenges from different origins in the DTN network to avoid possible on-path attacks, as recommended in Section 10.2 of [RFC8555]. If responses are received from multiple challenges, any response failure SHALL cause a failure of the overall validation. Each response failure MAY be indicated to the ACME client as a validation subproblem.¶
When responding to a Challenge Bundle, a BP agent SHALL send a single Response Bundle in accordance with Section 3.4. A BP agent SHALL respond to ACME challenges only within the interval of time, only for the Node ID, and only for the validation token indicated by the ACME client. A BP agent SHALL respond to multiple challenges with the same parameters. These correspond with the ACME server validating via multiple routing paths.¶
The DTN Node ID Challenge request object is defined by the ACME server when it supports validating Node IDs.¶
The DTN Node ID Challenge request object has the following content:¶
{ "type": "dtn-nodeid-01", "url": "https://example.com/acme/chall/prV_B7yEyA4", "source": "dtn://example-acme-server/", "token-part2": "tPUZNY4ONIk6LxErRFEjVw" }¶
The only over-the-wire data required by ACME for a Challenge Bundle is a nonce token, split into two parts, but the response data needs a client account key to generate the Key Authorization and its digest. The client account key is kept within the ACME client, the BP agent needs only the derived key thumbprint for its Response Bundle.¶
The DTN Node ID Challenge response object is defined by the ACME client when it authorizes validation of a Node ID. Because a DTN has the potential for significantly longer delays than a non-DTN network, the ACME client is able to inform the ACME server if a particular validation round-trip is expected to take longer than normal network delays (on the order of seconds).¶
The DTN Node ID Challenge response object has the following content:¶
{ "rtt": 300.0 }¶
A challenge response is not sent until the BP agent has been configured to properly respond to the challenge, so the RTT value is meant to indicate any node-specific path delays expected to encountered from the ACME server. Because there is no requirement on the path (or paths) which bundles may traverse between the ACME server and the BP agent, and the ACME server can attempt some path diversity, the RTT value SHOULD be pessimistic.¶
Each ACME Node ID Validation Challenge Bundle has parameters as listed here:¶
An example full Challenge Bundle is included in Appendix B.1¶
Challenge Bundles SHOULD be BIB-signed in accordance with [I-D.ietf-dtn-bpsec] if the ACME server is capable of signing bundles. BP agents SHALL refuse to respond to a Challenge Bundle which is signed by a known ACME server but has an invalid signature. Challenge Bundles SHOULD NOT be directly encrypted (by BCB or any other method).¶
Each ACME Node ID Validation Response Bundle has parameters as listed here:¶
An example full Response Bundle is included in Appendix B.2¶
Response Bundles MAY be BIB-signed in accordance with [I-D.ietf-dtn-bpsec] if the BP agent is capable of signing bundles. A BIB on the bundle gives no more security than the Key Authorization itself. Response Bundles SHOULD NOT be directly encrypted (by BCB or any other method).¶
A proper Response Bundle meets all of the following criteria:¶
Any of the failures above SHALL cause the validation to fail. Any of the failures above SHOULD be indicated as subproblems to the ACME client.¶
The ultimate purpose of this ACME validation is to allow a CA to issue certificates following the profiles of Section 4.4.2 of [I-D.ietf-dtn-tcpclv4] and [I-D.bsipos-dtn-bpsec-cose]. These purposes are referred to here as bundle security certificates.¶
One common behavior of bundle security certificates are the use of the Extended Key Usage key purpose "id-kp-bundleSecurity". Any CA implementing the validation method defined in this document SHOULD also support issuing certificates with the bundle security Extended Key Usage.¶
A single bundle security certificate request MAY contain a mixed set of SAN claims, including combinations of "ip", "dns", and "uri" claims. There is no restriction on how a certificate combines these claims, but each claim MUST be validated by an ACME server to issue such a certificate as part of an associated ACME order. This is no different than the existing behavior of [RFC8555] but is mentioned here to make sure that CA policy handles such situations; especially related to validation failure of an identifier in the presence of multiple identifiers. The specific use case of [I-D.ietf-dtn-tcpclv4] allows, and for some network policies requires, that a certificate authenticate both the DNS name of an entity as well as the Node ID of the entity.¶
ACME extensions specified in this document can be used to request encryption-only or signing-only bundle security certificates.¶
In order to request signing only S/MIME certificate, the CSR MUST include the key usage extension with digitalSignature and/or nonRepudiation bits set and no other bits set.¶
In order to request encryption only S/MIME certificate, the CSR MUST include the key usage extension with keyEncipherment or keyAgreement bits set and no other bits set.¶
Presence of both of the above sets of key usage bits in the CSR, as well as absence of key usage extension in the CSR, signals to ACME server to issue an S/MIME certificate suitable for both signing and encryption.¶
[NOTE to the RFC Editor: please remove this section before publication, as well as the reference to [RFC7942] and [github-acme-dtnnodeid].]¶
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC7942]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations can exist.¶
An example implementation of the this draft of ACME has been created as a GitHub project [github-acme-dtnnodeid] and is intended to use as a proof-of-concept and as a possible source of interoperability testing. This example implementation only constructs encoded bundles and does not attempt to provide a full BP Agent interface.¶
This section separates security considerations into threat categories based on guidance of BCP 72 [RFC3552].¶
Because this challenge mechanism is used to bootstrap security between DTN Nodes, the challenge and its response are likely to be transferred in plaintext. The ACME data itself is a random token (nonce) and a cryptographic signature, so there is no sensitive data to be leaked within the Node ID Validation bundle exchange.¶
Under certain circumstances, when BPSEC key material is available to the BP agent managed by the ACME client, the use of a BCB for the Request Bundle and/or Response Bundle can give additional confidentiality to the bundle metadata. This is not expected to be a general use case, as the whole point of ACME is to validate identifiers of untrusted client services.¶
As described in Section 8.1 of [RFC8555], it is possible for an active attacker to alter data on both ACME client channel and the DTN validation channel.¶
One way to mitigate single-path on-path attacks is to attempt validation of the same Node ID via multiple bundle routing paths, as recommended in Section 3. It is not a trivial task to guarantee bundle routing though, so more advanced techniques such as onion routing (using bundle-in-bundle encapsulation [I-D.ietf-dtn-bibect]) could be employed.¶
Under certain circumstances, when BPSEC key material is available to the BP agent managed by the ACME client, the use of a BIB signature on the Response Bundle can give additional assurance that the response is coming from a valid BP agent.¶
The behaviors described in this section all amount to a potential denial-of-service to a BP agent.¶
A malicious entity can continually send ACME Node ID challenges to a BP agent. The victim BP agent can ignore ACME challenges which do not conform to the specific time interval and challenge token for which the ACME client has informed the BP agent that challenges are expected. The victim BP agent can require all Challenge Bundles to be BIB-signed to ensure authenticity of the challenge.¶
Similar to other validation methods, an ACME server validating a DTN Node ID could be used as a denial of service amplifier. For this reason any ACME server can rate-limit validation activities for individual clients and individual certificate requests.¶
This specification adds to the ACME registry and BP registry for this behavior.¶
Within the "Automated Certificate Management Environment (ACME) Protocol" registry [IANA-ACME], the following entry has been added to the "ACME Identifier Types" sub-registry.¶
Label | Reference |
---|---|
uri | This specification and [RFC3986] |
Within the "Automated Certificate Management Environment (ACME) Protocol" registry [IANA-ACME], the following entry has been added to the "ACME Validation Methods" sub-registry.¶
Label | Identifier Type | ACME | Reference |
---|---|---|---|
dtn-nodeid-01 | uri | Y | This specification |
Within the "Bundle Protocol" registry [IANA-BP], the following entry has been added to the "Bundle Administrative Record Types" sub-registry. [NOTE to the RFC Editor: For RFC5050 compatibility this value needs to be no larger than 15, but such compatibility is not needed. BPbis has no upper limit on this code point value.]¶
Value | Description | Reference |
---|---|---|
TBD | ACME Node ID Validation | This specification |
This specification is based on DTN use cases related to PKIX certificate generation.¶
[NOTE to the RFC Editor: The "0xFFFF" in this CDDL is replaced by the "ACME Node ID Validation" administrative record type code.]¶
The CDDL extension of BP [I-D.ietf-dtn-bpbis] for the ACME bundles is:¶
; All ACME records have the same structure $admin-record /= [0xFFFF, acme-record] acme-record = { token-part1, ? key-auth-digest ; present for Response Bundles } token-part1 = (1 => bstr) key-auth-digest = (2 => bstr)¶
[NOTE to the RFC Editor: The "0xFFFF" in these examples are replaced by the "ACME Node ID Validation" administrative record type code.]¶
This example is a bundle exchange for the ACME server with Node ID "dtn://acme-server/" performing a verification for ACME client Node ID "dtn://acme-client/". The example bundles use no block CRC or BPSec integrity, which is for simplicity and is not recommended for normal use. The provided figures are extended diagnostic notation [RFC8610].¶
For this example the ACME client key thumbprint has the base64url encoded value of:¶
"LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ"¶
And the ACME-server generated token-part2 (transported to the ACME client via HTTPS) has the base64url-encoded value of:¶
"tPUZNY4ONIk6LxErRFEjVw"¶
For the single challenge bundle in this example, the token-part1 (transported as byte string via BP) has the base64url-encoded value of:¶
"p3yRYFU4KxwQaHQjJ2RdiQ"¶
The minimal-but-valid Challenge Bundle is shown in Figure 1. This challenge requires that the ACME client respond within a 60 second time window.¶
When the tokens are combined with the key fingerprint, the full Key Authorization value (a single string split across lines for readability) is:¶
"p3yRYFU4KxwQaHQjJ2RdiQtPUZNY4ONIk6LxErRFEjVw.LPJNul-wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ"¶
The minimal-but-valid Response Bundle is shown in Figure 2. This response indicates that there is 30 seconds remaining in the response time window.¶