Internet-Draft | PKIX Key Attestation | March 2023 |
Ounsworth, et al. | Expires 14 September 2023 | [Page] |
This document describes syntax for conveying key origin attestation information to a Certification Authority (CA) or other entity, so that they may decide how much trust to place in the management of the private key. For example, a reliant party may use this information to support a decision about whether to issue a certificate. In contrast to other key attestation formats, the one defined in this document requires only ASN.1 and the standard PKIX modules.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ounsworth-pkix-key-attestation/.¶
Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME (lamps) Working Group mailing list (mailto:spasm@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.¶
Source for this draft and an issue tracker can be found at https://github.com/EntrustCorporation/draft-ounsworth-pq-composite-keys.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 September 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Key attestation refers to the originator of a cryptographic key pair providing information about the provenance of that key pair, in a manner that can be cryptographically verified. The information provided may include, for example, the model and identity of the device that created the key pair and any policies that may be enforced upon the use of the private key, contained in a cryptographic envelope that can be chained to a manufacturing public key of the device vendor.¶
This information can be used by a Certification Authority (CA) to decide whether to issue a certificate, to apply a given policy or certificate template, or by other entities for their own purposes. The CA may choose to publish some or all of the key attestation data in the certificate for the use of parties that will rely on this certificate.¶
Many devices, including Hardware Security Modules, provide attestation information of some form in proprietary formats. A common syntax for key attestations is required to reduce the implementation burden on CA implementors and operators. Furthermore it is desirable that the syntax is sympathetic to existing CA implementations.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section describes the cryptographic keys referenced in this document.¶
A trust anchor key is a signing key held by a vendor. For the purposes of this document, a trust anchor may be a proper Trust Anchor as defined in [RFC5914], or a root certification authority as defined in [RFC5280]. It is used either to directly sign device identity keys as defined in Section 3.3 or to sign intermediate CA keys. A trust anchor key MUST be associated with a vendor identity.¶
Constraints:¶
An intermediate CA key is a signing key held by a vendor and certified by that vendor's trust anchor.¶
It can be used for one of two purposes:¶
The exact configuration and management of trust anchor keys and intermediate CA keys is beyond the scope of this document. An example configuration is that a vendor have an offline trust anchor, and an intermediate CA in each of its manufacturing sites, certified by the trust anchor key when a manufacturing site is created or during maintenance or recovery activities.¶
It may be impossible recertify a device after manufacture, and it may be impossible for a manufacturer to know when a device has been retired from use. Therefore:¶
Constraints:¶
A device identity key is a signing key held by a device. It is assumed that the key is unique to the device and cannot be extracted or used for any purpose other than the ones listed below. It is envisaged that this key will persist for the lifetime of the device.¶
It can be used for one of two purposes:¶
Constraints:¶
A device certification key is a signing key held by a device. It is assumed that the key is unique to the device and cannot be extracted or used for any purpose other than the ones listed below. Depending on the device architecture, it may also be limited to a particular context or partition of the device; in this case it is assumed to be unique to the context. A device certification key may have any lifetime, from single use to the lifetime of the device.¶
It can be used for one of two purposes:¶
Constraints:¶
An application key is a key created and managed by a device (excluding the device identity key and device certification subkey described above). Its purpose and lifetime are arbitrary - in other words, it can be used for any purpose a user of the device wishes.¶
(MikeO: maybe I'm a noob here, but the distinction between this an a Device Certification Subkey could be stated more clearly. Maybe the distinction "This is envisioned for cases where a device needs an attested key which may be used for arbitrary purposes".)¶
(RJK: it's not really about what the device desires - these are the keys that we are trying to attest the origin of. The user has some higher-level purpose, e.g. code signing, which requires them to define a code signing key and attest to its origins in an HSM; from the point of view of this spec, their code-signing key is an application key. Keeping this comment open in the hope we can find a clear way of articulating this.)¶
A verifier is an entity which wishes to verify the origin of a key, based on its trust in a trust anchor.¶
For example, it could be a certificate authority with an operational constraint that it only certifies hardware-protected keys.¶
A key attestation consists of a nonempty sequence of [RFC5280] certificates, containing key attestation extensions as described below.¶
Specifically, a key attestation consists of:¶
The first certificate (whether it is an intermediate certificate or the device identity certificate) is signed by a trust anchor key. A verifier must decide through its own policies and processes which trust anchors keys to trust and what policies to accept in key attestations certified by them. A trust anchor key MUST be associated with a vendor identity.¶
Constraints:¶
An intermediate CA delegation certificate certifies an intermediate CA. Apart from the absence of any constraints on expiry time and revocation, it is little different from any other intermediate CA's certificate.¶
It MUST have the [RFC5280] basic constraints extension with the cA
boolean set to true.¶
It MAY have the [RFC5280] pathLenConstraint
,
and there is no change to the [RFC5280] interpretation this field.
Therefore, if it is present,
it must permit sufficiently many following certificates to account for certificates signed by the device
i.e. device identity certificates (see Section 4.3) and device delegation certificates (see Section 4.4).¶
It MUST NOT have any of the extensions defined in the following sections (Section 4.3, Section 4.4 and Section 4.5).
A verifier may detect an intermediate CA delegation by the presence of a true cA
boolean and the absence of these extensions.¶
Constraints:¶
A device identity certificate certifies a specific device by binding its public device identity key (defined in Section 3.3) to a vendor-specific representation of device identity such as vendor name, model, and serial number. For a hardware device, it is envisaged that a manufacturing facility will use its trust anchor or intermediate CA to sign a device identity certificate for each device as it is manufactured.¶
A device identity certificate MUST contain a DeviceInformation
extension,
identified by id-device-information
.
This extension contains the vendor identity, device model and device serial.
Together these are called the device identity and MUST uniquely define a particular device.¶
id-device-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1567 } DeviceInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information serial UTF8STring -- device instance information }¶
EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see Section 8.¶
A device identity certificate MUST have the [RFC5280] basic constraints extension with the cA
boolean set to true
(since the device is acting as a CA).¶
No significance is attached to the subject field of a device identity certificate.¶
Constraints:¶
vendor
field does not match the one associated with the trust anchor used to verify the key attestation.¶
DeviceIdentity
.¶
As a matter of interpretation, it is envisaged that the uniqueness requirement on device identity keys (and all other keys in this specification) is achieved by generating keys of adequate size and using cryptographically secure pseudorandom number generators, rather than by maintaining an industry-wide database of all device identity keys.¶
A device delegation certificate certifies that a specific certification subkey (defined in Section 3.4) belongs to a specific device by binding it to a vendor-specific representation of the device and the subkey's purpose. It is envisaged that a single hardware device may have multiple certification subkeys each being restricted to, for example, a single partition or application context. The device may create new certification subkeys and therefore new device delegation certificates over time, for instance when the device is re-initialized, or if the device supports dynamic creation of users or application contexts and needs to create distinct certification subkeys for each.¶
A device delegation certificate MUST contain a DeviceSubkeyInformation
extension,
identified by id-device-subkey-information
.
This contains the vendor identity, device model, device serial and key purpose.
Note that this does not uniquely define the certification subkey.¶
id-device-subkey-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1568 } DeviceSubkeyInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information serial UTF8STring -- device instance information purpose UTF8String -- description of subkey purpose }¶
EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see Section 8.¶
The meaning of the purpose
field is entirely dependent on the device.¶
It MUST have the [RFC5280] basic constraints extension with the cA
boolean set to true
(since the device is acting as a CA).¶
No significance is attached to the subject field of a device delegation certificate.¶
Constraints:¶
vendor
, model
and serial
fields does not match the values from the device identity certificate.¶
purpose
field may have any value.¶
purpose
field.¶
A key attestation certificate certifies that an application key was created in a particular device and is managed according to a particular policy.¶
A key attestation certificate MUST contain a ApplicationKeyInformation
extension
identified by id-application-key-information
.
This contains the vendor identity, device model, device serial and vendor-specific information.¶
A key attestation certificate MUST contain an [RFC5280] Extended Key Usage extension documenting how the device will permit the key to be used. See Section 5 for more details.¶
ApplicationKeyInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information vendorinfo OCTET STRING -- vendor-specific information }¶
EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see Section 8.¶
If the key attestation certificate contains the [RFC5280] Basic Constraints extension then it MUST have the cA
boolean set to false.¶
No significance is attached to the subject field of a key attestation certificate.¶
Constraints:¶
vendor
, model
and serial
fields does not match the values from the device identity certificate.¶
The ApplicationKeyInformation.vendorInfo
field of the key attestation certificate MAY contain any octet string (including the empty string).
The interpretation is up to the vendor.
For example,
it may be used to convey information about how the key was generated
or a vendor-specific description of the policies that govern its use.¶
Key attestation certificates contain an [RFC5280] s4.2.1.12 Extended Key Usage extension describing how the device will permit the key to be used.¶
The standard ExtendedKeyUsage purposes defined in [RFC5280] are not necessarily suitable in this context. For example the standard ExtendedKeyUsage OIDs are also not necessarily suitable. For example the device may have no information about whether a signing key is intended to be used for server authentication, client authentication, or any other application of digital signatures. For this reason an additional set of key usage purposes are defined here.¶
id-Signature OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1613 } -- the device will generate signatures with the key id-Decryption OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1614 } -- the device will decrypt messages with the key and return the plaintext id-KeyAgreement OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1615 } -- the device will use the key for key agreement id-KeyTransport OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1616 } -- the device will use the key for key transport id-Recoverable OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1612 } -- the key is can be recovered under administrative authorization¶
EDNOTE: these are a temporary OIDs for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see Section 8.¶
EDNOTE: We should consult particularly with CAs to see if there are other properties that would be beneficial to include in this list.¶
Constraints:¶
id-Signature
in the list of key use purposes then it MUST NOT generate signatures with the key.¶
id-Decryption
in the list of key use purposes then it MUST NOT decrypt ciphertexts with the key.¶
id-KeyAgreement
in the list of key use purposes then it MUST NOT use the key for key agreement.¶
id-KeyTransport
in the list of key use purposes then it MUST NOT use the key for key transport.¶
id-Recoverable
in the list of key use purposes then it MUST NOT permit recovery operations on the key.¶
The id-Recoverable
key use purpose indicates that the policies controlling use of the key may
be modified by a suitably authorized administrator.
This may be necessary, for example, to ensure that the key remains available for use
even when an authentication token is lost or destroyed.¶
The scope of possible modifications, and the kind of authorization required, are intentionally vague.¶
See Section 9.3 for further discussion.¶
These key use purposes are not intended to describe how applications keys is protected by the device. For example one device may protect keys by maintaining them inside a hardened boundary at all times; another may allow keys to be used across multiple devices by encrypting them under a shared master key, or by sharing them with other authorized devices via a secure channel.¶
Provided the device is able to guarantee that the key use policy it signs will be honored, the mechanism is uses to protect application keys is not relevant.¶
A vendor may define key use policies outside the list above, for example reflecting policies not envisaged by this document or to cover device-specific functionality. For example they may describe a policy in terms of their device's proprietary policy or access control syntax and publish an OID reflecting that policy.¶
A verifier MUST NOT accept such a vendor-defined policy unless they fully understand the intended meaning.¶
A convenient way to convey a key attestation is to embed it into a [RFC2986] certification request.
This may be done via the AttestationBundle
extension, identified by the OID id-attestation-bundle
.¶
Constraints:¶
*RJK TODO tidy up all this section¶
(MikeO:
We'll need to be explicit about how to bundle this into a [RFC2986] Attribute. Do we need an OID for the type
? I assume the values
is straight-forward: it'll be a single item, which is the OCTET STRING of the AttestationBundle
?¶
Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { type ATTRIBUTE.&id({IOSet}), values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) }¶
)¶
id-attestation-bundle OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1571 } AttestationBundle ::= SEQUENCE OF Certificate¶
... TODO document any (non-security) GOTCHAs ...¶
The following Object Identifiers are to be assigned by IANA:¶
id-device-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1567 } id-device-subkey-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1568 } id-application-key-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1569 } id-attestation-bundle OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1571 } id-Signature OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1613 } id-Decryption OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1614 } id-KeyAgreement OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1615 } id-KeyTransport OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1616 } id-Recoverable OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1612 }¶
TODO: suggest to IANA which public arc we want these in (these are just placeholders).¶
TODO update for our new EKU OIDs¶
*RJK: the OIDs are assigned by a free OID assignment service. If I can have something under Entrust then I'll replace them with that.¶
The key use constraints describe above are essential. For example if a device identity key could be used by a user to sign arbitrary messages, that user could forge key attestations.¶
An API that verifies a key attestation may be designed in a number of different ways.¶
In all of these models the same set of checks must be done, but in the first two some of the checks are delegated to the caller. The advantage of the later models is that they are more robust against the caller ommitting some of the necessary checks. For a publicly available API this robustness is particularly appropriate.¶
The definition of recoverability is intentionally vague. Depending on the device it may mean that, for example, a signature-only RSA key could additionally be given decrypt permission, or it could mean that private key material could be extracted in plaintext. The range of possibilities is too broad to tie down in a device-independent specification.¶
It should be noted that placing trust in a key does mean generally placing trust in the operators and administrators of the device that contains it, even without any possibility of administrator override of the policy governing its use. For example, even if a key is not recoverable, there is nothing to prevent a key owner exposing a signature oracle for their key, allowing anyone to sign with it. As such, if the key owner and the device administrator belong to the same organization, and have aligned priorities, there is not much practical difference between recoverable and non-recoverable keys.¶
However, in the example where a device is owned and managed by a service provider but leased to an end user, the key owner and the device administrators belong to separate organizations and have different priorities. In that case a verifier may prefer to reject recoverable keys.¶
It's generally assumed that all keys are unique. This is the expected outcome for properly generated cryptographic keys, and while a collision is in principle possible by chance, it's much more likely that a collision indicates a failure in the key generation process (for example, [DSA1571]).¶
... either place samples here inline, or reference on Github. I've got a script I've used in other I-Ds to inline include files, if that's useful here.¶
... any ASN.1 that we are defining goes here ...¶
-- TODO probably need some ASN.1 furniture around this -- TODO need to import Certificate from RFC5280 id-device-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1567 } DeviceInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information serial UTF8STring -- device instance information } id-device-subkey-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1568 } DeviceSubkeyInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information serial UTF8STring -- device instance information purpose UTF8String -- description of subkey purpose } id-application-key-information OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1569 } ApplicationKeyInformation ::= SEQUENCE { vendor UTF8STring -- manufacturer of device model UTF8STring -- device model information policy OBJECT IDENTIFIER -- policy governing key use vendorinfo OCTET STRING -- vendor-specific information } id-attestation-bundle OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 54392 5 1571 } AttestationBundle ::= SEQUENCE OF Certificate¶
... mention any IP considerations here ...¶
This document incorporates contributions and comments from a large group of experts. The Editors would especially like to acknowledge the expertise and tireless dedication of the following people, who attended many long meetings and generated millions of bytes of electronic mail and VOIP traffic over the past year in pursuit of this document:¶
Chris Trufan (Entrust).¶
We are grateful to all, including any contributors who may have been inadvertently omitted from this list.¶
This document borrows text from similar documents, including those referenced below. Thanks go to the authors of those documents. "Copying always makes things easier and less error prone" - [RFC8411].¶