Internet-Draft | External X.509 Keys | September 2023 |
Ounsworth, et al. | Expires 2 April 2024 | [Page] |
Many of the post quantum cryptographic algorithms have large public keys. In the interest of reducing bandwidth of transitting X.509 certificates, this document defines new public key and algorithms for referencing external public key data by hash, and location, for example URL. This mechanism is designed to mimic the behaviour of an Authority Information Access extension.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://EntrustCorporation.github.io/draft-pq-external-pubkeys/draft-ounsworth-pq-external-pubkeys.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ounsworth-lamps-pq-external-pubkeys/.¶
Source for this draft and an issue tracker can be found at https://github.com/EntrustCorporation/draft-pq-external-pubkeys.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 April 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The id-external-value algorithm identifier is used for identifying a public key or signature which is provided as a reference to external data.¶
id-external-value OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) TBDOID }¶
EDNOTE: for prototyping purposes, id-external-value ::= 1.3.6.1.4.1.22554.4.2
¶
The corresponding subjectPublicKey is the DER encoding of the following structure:¶
ExternalValue ::= SEQUENCE { location GeneralName, hashAlg AlgorithmIdentifier, hashVal OCTET STRING }¶
Upon retrieval of the referenced data, the hash of the OCTET STRING of the retrieved data (removing base64 encoding as per [RFC4648] if necessary) MUST be verified using hashAlg to match the ExternalPublicKey.hash
value.¶
When used with a public key, algorithm parameters for id-external-value are absent.¶
When ExternalValue is placed into a SubjectPublicKeyInfo.subjectPublicKey, the ExternalValue.location MUST refer to a DER-encoded SubjectPublicKeyInfo, which MAY be base64 encoded as per [RFC4648] for easier transport over text protocols.¶
## Object Identifier Allocations¶
There are no security implications to externalizing a public key from a certificate as described in this draft. It is of course possible for a malicious actor to replace or tamper with the public key data at the referenced location, but since the hash of the public key data is included in the signed certificate, any such tampering will be detected and the certificate verification will fail. For this reason, external public key data MAY be served over an insecure channel such as HTTP.¶
In practice, situations will arise where the ExternalPublicKey.location refers to a location which is not publicly available either because it is in a local keystore, on a private network, or no longer being hosted.¶
Not having the public key in a certificate signing request (CSR) could make it substantially harder for CAs to perform vetting of the key, for example for cryptographic strength or checking for prior revocation due to key compromise. A certificate requester MUST make the full public key available to the CA at the time of certificate request either by ensuring that the link in the ExternalPublicKey.location is visible to the CA, or by supplying the full public key to the CA out of band.¶
Not having the public key in Certificate Transparency (CT) logs could make it substantially harder for researchers to perform auditing tasks on CT logs. This may require additional CT mechanisms.¶
EXTERNAL-PUBKEY-2023 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-external-pubkey(TBDMOD)} DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS GeneralName FROM PKIX1Implicit-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} AlgorithmIdentifier{} FROM AlgorithmInformation-2009 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58)} ; id-external-value OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) algorithms(6) TBDOID } ExternalValue ::= SEQUENCE { location GeneralName, hashAlg AlgorithmIdentifier, hashVal OCTET STRING } END¶
Here is a sample of a Kyber1024 end entity certificate with an external public key. A trust anchor certificate using the algorithm ecdsaWithSHA256 is provided so that the Kyber1024 End Entity certificate can be verified.¶
This is a modest example demonstrating a 550 byte Kyber1024 certificate and a 2.2 kb external Kyber1024 public key. This "compression" effect will be even more pronounced with algorithms such as Classic McEliece which have public keys in the hundreds of kilobytes; with the external public key mechanism, the size of the certificate remains constant regardless of how large the externalized subject public key is.¶
End entity Kyber1024 Certificate with ExternalValue
public key:¶
-----BEGIN CERTIFICATE----- MIIBajCCAQ+gAwIBAgIGAYrnq6R7MAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X DTIzMDkzMDE5NTgyMFoXDTI0MDEwODE5NTgyMFowHTEbMBkGA1UEAwwSRXRoZWwg dGhlIEFhcmR2YXJrMGcwDAYKKwYBBAGBsBoEAgNXADBUhiNmaWxlOi8vbG9jYWxf a2V5c2VydmVyL3N1cnZleW9ycy5kYjALBglghkgBZQMEAgEEIOc9S8iXUv01kSjc XaG0mpL5O0a5GOOOckd6m84UK/VToxAwDjAMBgNVHRMBAf8EAjAAMAoGCCqGSM49 BAMCA0kAMEYCIQCsdcyyIrcGy3Ro4WyOYhAHoxSXFO0Ptgfm9FaXAqno9wIhAJLy vNED2FxrxJCu5y+4EZyFIA2cZ2IU40FILxaB3Y72 -----END CERTIFICATE-----¶
For illustrative purposes, the SubjectPublicKeyInfo
within the end entity certificate decodes as:¶
subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE (2 elem) algorithm AlgorithmIdentifier SEQUENCE (1 elem) algorithm OBJECT IDENTIFIER 1.3.6.1.4.1.22554.4.2 ExternalValue subjectPublicKey BIT STRING (688 bit) SEQUENCE (3 elem) [6] (35 byte) file://local_keyserver/surveyors.db SEQUENCE (1 elem) OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256 OCTET STRING (32 byte) E73D4BC89752FD359...¶
The external public key object referenced by the end entity certificate is:¶
-----BEGIN PUBLIC KEY----- MIIGNDANBgsrBgEEAYGwGgUGAwOCBiEAb4wXewtjbrOj8aATsKNEsylhQhGacYZO lFUEIOeXVeK1/ZqjZSISJNuVTvoZvxjJXoV24vO/CLFi+HqCoNK6jZGsSwQ963k4 gRRAbxkuzIc1bvRpofeTyNgVD9EQVwa1mJqYFmi3iJnI8ENG3rsMi7Obqlh26qRD eUkh5PQGyZap8YOy7+k02AjEAFAzxzSqyfl1Nip3PLREfWs6SpF4/7ace5UIkGi/ AXaZegUSSJORm9sOi2FDOFhhzglf/+I6YKyTPczCqaIk+wdjPDJLU0i+PDLKEwZa BlglVPqTDwpENKXMIUPI+3OXqExlHEWIB2uy/8ZlKzNSFFWwKeVSOJJLH0Uqe4AO VfVZDrIXVfBQYsN4W9fCIKCKk1WKk3PAsCEXqOGMUgGFAUuqd6U0cHqAEKeXYFMl GCsJ8qd2mLgTUol3eBavlURa3HledZskZiik1JlCCvi6wGPFtwVj1JJE9ntF7smp OZyxUhhWvFiR4qWGPbSNhgAUd5qrKzphU5aDjWsUTIVryKFfYZC2DGy32oIua6s3 NqcR0+tz4Vg7UIbAurFVQPh7AppRyflsXpkWZJR2toxYsmGzs7di2HFUsIyNVsoF ztFbT0vJEXsuEHhleWKYJSUKZiGQokKgUrHIEwhu0dLDnDG3eSPDbgpJ1iHDknqQ FSNKl5Yp6LqM7sFB5uZTDIIzbdsJ+mwsXYp5oIevcegbmno5CXNP56Mg6UKnZOmI GGwxGPUSoJB4hBhl7QwC1PoDOuCTQ0KRW1JeiPUsvbiAyIM/dNG7LqR5ZHzFREe7 NdEbyhrEHFu5Z5pgm6J9crGWJ0QzmvLP3MKm5/CqbDMbsBSPD+vJarIzAeWxzElP UjK3bDBvH1l2cFQW1NpP4Hl6zYF5o2h5rKM6qHwpzogTM+IIe1Ua4fhc+ysCZ+yi WWd8UXdcNEJ3WaINEceYktLPJJnGVEM2+asH9eyLyOsglxQhibAgnEdh3XKTAKqB /EyhYbLLOKJfz9GiDzSqFJIecZGxRdvK4aam2yG86/dco6IorWDPa1GyC7xBubwl LDBZGNhPqEHP47lIsfpRYRa1tDsoH0tP5GAAUUUI+6tLU+LCo5sqXoxt9PDGZfmq P9InsZQfeWksDhQvNtDKpiMHrKo1+HeCL/suUPvNd0VOLbKZufS9UCRH/pGqGGxU o6kcrsN4krQfNrIphAoGcyy9u+XPOXw0NUxeReBIQPE+URijogsH2BYQ+6ITEqki RQSGtZuNoUwLUxtb2/pe5YStwESuqRUfMYB3pzcdEKbLkbnG/mRMNJWUtdOQAkcI SFF9DdJ/+YgLfzqiuemhsJGprmqPXzKQ6XecvVdkRrYjotgOjHBl4GBxAL1DdKdc JfSRfcegxCQAPOLE95UJ10ouEyMnSAJS2EgVaqpLK+Ayb8AKmrOJkuc8vFOLw9Ul cqd+7DnGFNVyT8XCldti7kQRlSUvq2eIPcCqdOQ1CzmffIxg42wuN2skgXSN00eo VLt+HHm/q7p48hQTL2R8bLYqJHbKRetXz0yAXqkBMDck71QDg9so+0ZAO3W4nyqC 2zKYdxItCJEZkxs6rvJaJwq8WQxmXMgoUUeNjmduVFJ5FGas6rQRWRhaWYquj7Om H0dsgSYeRPmG89lViCYEVjfO6AgI4rG7H6ZOqokNQeeEHSo6ZJmo1+AbzoKimFev M2axfjokPzm8CjgQVMOxCJdgxamkXzasjZOxZourBUJYBCA5lztlEiKDD4G0UzGs muaO7HSVxyWNJ+QELRmh/LQnj+UwE6JcdJIoQEA2iCvIrWSHwTcS17oIE4aQocMs DGEqoigjmVh/1YAiXrStzlzGiSkxAiU5b5eXsYwqqoZKVpNYR7O2k/mLdxwhA7cY 9YTMUQY7WqCESslAycCJ0luKEPNbLOMHs4tsAlxUj5igbEOkK3weYKecndE/aGNW nKCh18aKT8U8idLDvpBuGmMAW3ZhhPRLSrJXQpMkwKaAOcl547iPYRiQAqIDgiyT qAkqPbJ9BwvEs6xb8iZCJna5d5lXQiNrD0v+OU8P28vZ7zbjf6oEfmI/6j3OydtS S5EjF9K6/ZQ= -----END PUBLIC KEY-----¶
For illustrative purposes, the key data, which is itself a SubjectPublicKeyInfo
, decodes as:¶
SEQUENCE (2 elem) SEQUENCE (1 elem) OBJECT IDENTIFIER 1.3.6.1.4.1.22554.5.6.3 Kyber1024 BIT STRING (12544 bit) 01101111...¶
The following trust anchor certificate can be used to validate the above end entity certificate.¶
-----BEGIN CERTIFICATE----- MIIBfzCCASSgAwIBAgIGAYrnq6N3MAoGCCqGSM49BAMCMDoxDjAMBgNVBAMMBVFT IENBMRswGQYDVQQKDBJRdWFudGl0eSBTdXJ2ZXlvcnMxCzAJBgNVBAYTAlhYMB4X DTIzMDkzMDE5NTgyMFoXDTI0MDEwODE5NTgyMFowOjEOMAwGA1UEAwwFUVMgQ0Ex GzAZBgNVBAoMElF1YW50aXR5IFN1cnZleW9yczELMAkGA1UEBhMCWFgwWTATBgcq hkjOPQIBBggqhkjOPQMBBwNCAARWnuLUvnLty9QwvqwuksCYe9LMASE7PmJ47S6w ob28VOZKDYaRu6Kx8Yj5cA/g/FaxrwX6FDN2S0NJsva5wmfMoxYwFDASBgNVHRMB Af8ECDAGAQH/AgEAMAoGCCqGSM49BAMCA0kAMEYCIQDZsojipbuEYL8wzY3MqceN uvs15XZtKdihrBt/B+blfgIhAJemmt2HY33zD9XRvtbLE4Rg/vLsuB3Oo+TUWlWS g+g6 -----END CERTIFICATE-----¶
This document incorporates contributions and comments from a large group of experts. The Editors would especially like to acknowledge the expertise and tireless dedication of the following people, who attended many long meetings and generated millions of bytes of electronic mail and VOIP traffic over the past year in pursuit of this document:¶
Serge Mister (Entrust).¶
We are grateful to all, including any contributors who may have been inadvertently omitted from this list.¶
This document borrows text from similar documents, including those referenced below. Thanks go to the authors of those documents. "Copying always makes things easier and less error prone" - [RFC8411].¶
Additional contributions to this draft are welcome. Please see the working copy of this draft at, as well as open issues at:¶
https://github.com/EntrustCorporation/draft-ounsworth-pq-external-keys¶