RFC 9118 Enhanced JWT Claim Constraints August 2021
Housley Standards Track

Stream: Internet Engineering Task Force (IETF)
RFC: 9118
Updates: 8226
Category: Standards Track
Published: August 2021
ISSN: 2070-1721
Author: R. Housley, Vigil Security

RFC 9118

Enhanced JSON Web Token (JWT) Claim Constraints for Secure Telephone Identity Revisited (STIR) Certificates

Abstract

RFC 8226 specifies the use of certificates for Secure Telephone Identity Credentials; these certificates are often called "Secure Telephone Identity Revisited (STIR) Certificates". RFC 8226 provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT), as defined in RFC 8225. If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT. This document updates RFC 8226; it provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. The enhanced extension can also provide a list of claims that are not allowed to be included in the PASSporT.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9118.

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction

The use of certificates [RFC5280] in establishing authority over telephone numbers is described in [RFC8226]. These certificates are often called "STIR Certificates". STIR certificates are an important element of the overall system that prevents the impersonation of telephone numbers on the Internet.

Section 8 of [RFC8226] provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT) [RFC8225]. If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT.

This document defines an enhanced JWTClaimConstraints certificate extension, which provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. That is, the enhanced extension can provide a list of claims that are not allowed to be included in the PASSporT.

The Enhanced JWT Claim Constraints certificate extension is needed to limit the authority when a parent STIR certificate delegates to a subordinate STIR certificate. For example, [RFC9060] describes the situation where service providers issue a STIR certificate to enterprises or other customers to sign PASSporTs, and the Enhanced JWT Claim Constraints certificate extension can be used to prevent specific claims from being included in PASSporTs and accepted as valid by the PASSporT recipient.

The JWT Claim Constraints certificate extension defined in [RFC8226] provides a list of claims that must be included in a valid PASSporT as well as a list of permitted values for selected claims. The Enhanced JWT Claim Constraints certificate extension defined in this document includes those capabilities and adds a list of claims that must not be included in a valid PASSporT.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Enhanced JWT Claim Constraints Syntax

The Enhanced JWT Claim Constraints certificate extension is non-critical, applicable only to end-entity certificates, and defined with ASN.1 [X.680]. The syntax of the JWT claims in a PASSporT is specified in [RFC8225].

The Enhanced JWT Claim Constraints certificate extension is optional, but, when present, it constrains the JWT claims that authentication services may include in the PASSporT objects they sign. Constraints are applied by certificate issuers and enforced by recipients when validating PASSporT claims as follows:

  1. mustInclude indicates JWT claims that MUST appear in the PASSporT in addition to the iat, orig, and dest claims. The baseline PASSporT claims ("iat", "orig", and "dest") are considered to be required by [RFC8225], and these claims SHOULD NOT be part of the mustInclude list. If mustInclude is absent, the iat, orig, and dest claims MUST appear in the PASSporT.
  2. permittedValues indicates that, if the claim name is present, the claim MUST exactly match one of the listed values.
  3. mustExclude indicates JWT claims that MUST NOT appear in the PASSporT. The baseline PASSporT claims ("iat", "orig", and "dest") are always permitted, and these claims MUST NOT be part of the mustExclude list. If one of these baseline PASSporT claims appears in the mustExclude list, then the certificate MUST be treated as if the extension was not present.

Following the precedent in [RFC8226], JWT Claim Names MUST be ASCII strings, which are also known as strings using the International Alphabet No. 5 [ISO646].

The Enhanced JWT Claim Constraints certificate extension is identified by the following object identifier (OID):

    id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }

The Enhanced JWT Claim Constraints certificate extension has the following syntax:

    EnhancedJWTClaimConstraints ::= SEQUENCE {
      mustInclude [0] JWTClaimNames OPTIONAL,
        -- The listed claim names MUST appear in the PASSporT
        -- in addition to iat, orig, and dest.  If absent, iat, orig,
        -- and dest MUST appear in the PASSporT.
      permittedValues [1] JWTClaimValuesList OPTIONAL,
        -- If the claim name is present, the claim MUST contain one
        -- of the listed values.
      mustExclude [2] JWTClaimNames OPTIONAL }
        -- The listed claim names MUST NOT appear in the PASSporT.
    ( WITH COMPONENTS { ..., mustInclude PRESENT } |
      WITH COMPONENTS { ..., permittedValues PRESENT } |
      WITH COMPONENTS { ..., mustExclude PRESENT } )

    JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues

    JWTClaimValues ::= SEQUENCE {
      claim JWTClaimName,
      values SEQUENCE SIZE (1..MAX) OF UTF8String }

    JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName

    JWTClaimName ::= IA5String

4. Usage Examples

Consider these usage examples with a PASSporT claim called "confidence" with values "low", "medium", and "high". These examples illustrate the constraints that are imposed by mustInclude, permittedValues, and mustExclude:
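The following is an added worked example, not code from the RFC: a recipient-side check that applies the three rules from Section 3 to a set of PASSporT claims, exercised with the "confidence" scenario above. The extension is modelled as a plain dict (mustInclude and mustExclude as lists of claim names, permittedValues as a map from claim name to allowed values); the orig, dest and iat values are constructed for illustration and carry no meaning beyond satisfying the RFC 8225 baseline.

```python
"""Validate PASSporT claims against EnhancedJWTClaimConstraints (RFC 9118, Section 3).

Added example; not code from the RFC.  An extension is a dict with optional keys
mustInclude (list), permittedValues (dict: claim -> list of values) and
mustExclude (list).  A missing or None key means the component is absent.
"""

# RFC 8225 baseline claims: always required, always permitted.
BASELINE_CLAIMS = frozenset({"iat", "orig", "dest"})


def effective_constraints(ext):
    """Return the constraints to enforce, or None when the extension must be
    ignored: a baseline claim in mustExclude means the certificate is treated
    as if the extension were not present (Section 3, rule 3)."""
    if ext is None:
        return None
    if BASELINE_CLAIMS & set(ext.get("mustExclude") or ()):
        return None
    return ext


def validate_passport_claims(claims, ext):
    """Return a list of violations; an empty list means the claims satisfy the
    baseline requirements and every constraint in the extension.  A single
    violation is enough for the recipient to reject the whole PASSporT."""
    problems = []
    # The baseline claims are required whether or not the extension is present.
    for name in sorted(BASELINE_CLAIMS - set(claims)):
        problems.append(f"baseline claim '{name}' missing")
    ext = effective_constraints(ext)
    if ext is None:
        return problems
    # Rule 1, mustInclude: every listed claim MUST appear.
    for name in ext.get("mustInclude") or ():
        if name not in claims:
            problems.append(f"mustInclude: claim '{name}' missing")
    # Rule 2, permittedValues: if the claim is present its value MUST exactly
    # match one of the listed values; an absent claim is not a violation.
    for name, allowed in (ext.get("permittedValues") or {}).items():
        if name in claims and claims[name] not in allowed:
            problems.append(
                f"permittedValues: claim '{name}' value {claims[name]!r} not in {allowed}")
    # Rule 3, mustExclude: listed claims MUST NOT appear.
    for name in ext.get("mustExclude") or ():
        if name in claims:
            problems.append(f"mustExclude: claim '{name}' present")
    return problems


# Constructed sample data for the "confidence" scenario (values are illustrative).
_BASE = {"iat": 1625000000,
         "orig": {"tn": "12155551212"},
         "dest": {"tn": ["12155551213"]}}

EXT_INCLUDE = {"mustInclude": ["confidence"]}
EXT_VALUES = {"permittedValues": {"confidence": ["high", "medium"]}}
EXT_EXCLUDE = {"mustExclude": ["confidence"]}
# Baseline claim in mustExclude: relying parties ignore the whole extension.
EXT_BASELINE_EXCLUDED = {"mustExclude": ["iat"], "mustInclude": ["confidence"]}

CLAIMS_NO_CONFIDENCE = dict(_BASE)
CLAIMS_HIGH = dict(_BASE, confidence="high")
CLAIMS_LOW = dict(_BASE, confidence="low")


def run_scenarios():
    """Evaluate each constructed scenario; returns {scenario: accepted?}."""
    cases = {
        "mustInclude, claim absent": (CLAIMS_NO_CONFIDENCE, EXT_INCLUDE),
        "mustInclude, claim present": (CLAIMS_HIGH, EXT_INCLUDE),
        "permittedValues, value low": (CLAIMS_LOW, EXT_VALUES),
        "permittedValues, claim absent": (CLAIMS_NO_CONFIDENCE, EXT_VALUES),
        "mustExclude, claim present": (CLAIMS_HIGH, EXT_EXCLUDE),
        "baseline claim in mustExclude, extension ignored":
            (CLAIMS_NO_CONFIDENCE, EXT_BASELINE_EXCLUDED),
    }
    return {name: validate_passport_claims(c, e) == [] for name, (c, e) in cases.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'accept' if ok else 'reject'}: {name}")
```

Note that permittedValues alone never forces a claim to be present; pairing it with a mustInclude entry for the same claim is what makes "confidence must be present and must be high or medium" enforceable, which is the combination the certificate in Section 5 uses.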

5. Certificate Extension Example

A certificate containing an example of the EnhancedJWTClaimConstraints certificate extension is provided in Figure 1. The certificate is provided in the format described in [RFC7468]. The example of the EnhancedJWTClaimConstraints extension from the certificate is shown in Figure 2. The example imposes three constraints:

  1. The "confidence" claim must be present in the PASSporT.
  2. The "confidence" claim must have a value of "high" or "medium".
  3. The "priority" claim must not be present in the PASSporT.

    -----BEGIN CERTIFICATE-----
    MIICpzCCAk2gAwIBAgIUH7Zd3rQ5AsvOlzLnzUHhrVhDSlswCgYIKoZIzj0EAwIw
    KTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEUJPR1VTIFNIQUtFTiBST09UMB4XDTIx
    MDcxNTIxNTIxNVoXDTIyMDcxNTIxNTIxNVowbDELMAkGA1UEBhMCVVMxCzAJBgNV
    BAgMAlZBMRAwDgYDVQQHDAdIZXJuZG9uMR4wHAYDVQQKDBVCb2d1cyBFeGFtcGxl
    IFRlbGVjb20xDTALBgNVBAsMBFZvSVAxDzANBgNVBAMMBlNIQUtFTjBZMBMGByqG
    SM49AgEGCCqGSM49AwEHA0IABNR6C6nBWRA/fXTglV03aXkXy8hx9oBttVLhsTZ1
    IYVRBao4OZhVf/Xv1a3xLsZ6KfdhuylSeAKuCoSbVGojYDGjggEOMIIBCjAMBgNV
    HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUDlG3dxHyzKL/FZfS
    PI7rpuueRbswHwYDVR0jBBgwFoAUlToKtrQeFrwwyXpMj1qu3TQEeoEwQgYJYIZI
    AYb4QgENBDUWM1RoaXMgY2VydGlmaWNhdGUgY2Fubm90IGJlIHRydXN0ZWQgZm9y
    IGFueSBwdXJwb3NlLjAWBggrBgEFBQcBGgQKMAigBhYEMTIzNDBOBggrBgEFBQcB
    IQRCMECgDjAMFgpjb25maWRlbmNloSAwHjAcFgpjb25maWRlbmNlMA4MBGhpZ2gM
    Bm1lZGl1baIMMAoWCHByaW9yaXR5MAoGCCqGSM49BAMCA0gAMEUCIQCbNR4QK1um
    +0vq2CE1B1/W3avYeREsPi/7RKHffL+5eQIgarHot+X9Rl7SOyNBq5X5JyEMx0SQ
    hRLkCY3Zoz2OCNQ=
    -----END CERTIFICATE-----

Figure 1: Example Certificate

      0  64: SEQUENCE {
      2  14:   [0] {
      4  12:     SEQUENCE {
      6  10:       IA5String 'confidence'
           :       }
           :     }
     18  32:   [1] {
     20  30:     SEQUENCE {
     22  28:       SEQUENCE {
     24  10:         IA5String 'confidence'
     36  14:         SEQUENCE {
     38   4:           UTF8String 'high'
     44   6:           UTF8String 'medium'
           :           }
           :         }
           :       }
           :     }
     52  12:   [2] {
     54  10:     SEQUENCE {
     56   8:       IA5String 'priority'
           :       }
           :     }
           :   }

Figure 2: Example EnhancedJWTClaimConstraints Extension
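As an added example (not code from the RFC or any STIR implementation), the following decodes an EnhancedJWTClaimConstraints extension value from DER without any ASN.1 library, using the structure of Section 3. The byte string is constructed from the dump in Figure 2 (the contents of the extension's OCTET STRING, 66 bytes, not the whole certificate); the decoder enforces the tag, string-type and SIZE (1..MAX) rules and the requirement that at least one component is present, so malformed values are rejected rather than silently producing empty constraints.

```python
"""Decode an EnhancedJWTClaimConstraints extension value (RFC 9118) from DER.

Added example, not code from the RFC.  EXT_VALUE_DER is constructed from the
Figure 2 dump: the extension value octets, not the whole certificate.
"""

EXT_VALUE_DER = bytes.fromhex(
    "3040"                                              # SEQUENCE, 64 bytes
    "a00e" "300c" "160a" "636f6e666964656e6365"         # [0] mustInclude { 'confidence' }
    "a120" "301e" "301c" "160a" "636f6e666964656e6365"  # [1] permittedValues: claim 'confidence'
    "300e" "0c04" "68696768" "0c06" "6d656469756d"      #     values { 'high', 'medium' }
    "a20c" "300a" "1608" "7072696f72697479"             # [2] mustExclude { 'priority' }
)

TAG_SEQUENCE, TAG_IA5STRING, TAG_UTF8STRING = 0x30, 0x16, 0x0C


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it).
    Short and long-form lengths are handled; tags here are single octets."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N followed by N length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV contents run past end of buffer")
    return tag, buf[pos:end], end


def children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = read_tlv(contents, pos)
        yield tag, inner


def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")


def unwrap_explicit(explicit_contents, what):
    """An EXPLICIT [n] tag wraps exactly one inner TLV, here always a SEQUENCE."""
    tag, inner, end = read_tlv(explicit_contents, 0)
    if end != len(explicit_contents):
        raise ValueError(f"{what}: trailing data inside explicit tag")
    expect(tag, TAG_SEQUENCE, what)
    return inner


def decode_claim_names(explicit_contents, what):
    """JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF IA5String"""
    names = []
    for tag, data in children(unwrap_explicit(explicit_contents, what)):
        expect(tag, TAG_IA5STRING, what)
        names.append(data.decode("ascii"))      # IA5String: ASCII only (Section 3)
    if not names:
        raise ValueError(f"{what}: SIZE (1..MAX) violated")
    return names


def decode_claim_values_list(explicit_contents):
    """JWTClaimValuesList -> {claim name: [allowed values]}"""
    out = {}
    for tag, entry in children(unwrap_explicit(explicit_contents, "permittedValues")):
        expect(tag, TAG_SEQUENCE, "JWTClaimValues")
        parts = list(children(entry))
        if len(parts) != 2:
            raise ValueError("JWTClaimValues must hold exactly claim and values")
        (ctag, cdata), (vtag, vdata) = parts
        expect(ctag, TAG_IA5STRING, "claim")
        expect(vtag, TAG_SEQUENCE, "values")
        values = []
        for stag, sdata in children(vdata):
            expect(stag, TAG_UTF8STRING, "value")
            values.append(sdata.decode("utf-8"))
        if not values:
            raise ValueError("values: SIZE (1..MAX) violated")
        out[cdata.decode("ascii")] = values
    if not out:
        raise ValueError("permittedValues: SIZE (1..MAX) violated")
    return out


def decode_enhanced_jwt_claim_constraints(der):
    """Return {'mustInclude', 'permittedValues', 'mustExclude'} (None when absent);
    enforces the WITH COMPONENTS rule that at least one component is present."""
    tag, body, end = read_tlv(der, 0)
    expect(tag, TAG_SEQUENCE, "EnhancedJWTClaimConstraints")
    if end != len(der):
        raise ValueError("trailing data after extension value")
    result = {"mustInclude": None, "permittedValues": None, "mustExclude": None}
    for tag, inner in children(body):
        if tag == 0xA0:
            result["mustInclude"] = decode_claim_names(inner, "mustInclude")
        elif tag == 0xA1:
            result["permittedValues"] = decode_claim_values_list(inner)
        elif tag == 0xA2:
            result["mustExclude"] = decode_claim_names(inner, "mustExclude")
        else:
            raise ValueError(f"unexpected component tag 0x{tag:02x}")
    if all(v is None for v in result.values()):
        raise ValueError("no component present (WITH COMPONENTS constraint)")
    return result
```

The decoded result for the Figure 2 bytes is the three constraints listed above: mustInclude ["confidence"], permittedValues {"confidence": ["high", "medium"]}, mustExclude ["priority"]. In a real relying party this decoder would be fed the value of the certificate extension whose OID is id-pe-eJWTClaimConstraints (1.3.6.1.5.5.7.1.33), and the result handed to the claim validator.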

6. Guidance to Certification Authorities

The EnhancedJWTClaimConstraints extension specified in this document and the JWTClaimConstraints extension specified in [RFC8226] MUST NOT both appear in the same certificate.

If the situation calls for mustExclude constraints, then the EnhancedJWTClaimConstraints extension is the only extension that can express the constraints.

On the other hand, if the situation does not call for mustExclude constraints, then either the EnhancedJWTClaimConstraints extension or the JWTClaimConstraints extension can express the constraints. Until such time as support for the EnhancedJWTClaimConstraints extension becomes widely implemented, the use of the JWTClaimConstraints extension may be more likely to be supported. This guess is based on the presumption that the first specified extension will be implemented more widely in the next few years.

7. IANA Considerations

This document makes use of object identifiers for the Enhanced JWT Claim Constraints certificate extension defined in Section 3 and the ASN.1 module identifier defined in Appendix A. Therefore, IANA has made the following assignments within the "Structure of Management Information (SMI) Numbers (MIB Module Registrations)" registry.

For the Enhanced JWT Claim Constraints certificate extension in the "SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:

Table 1

    Decimal   Description
    33        id-pe-eJWTClaimConstraints

For the ASN.1 module identifier in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry:

Table 2

    Decimal   Description
    101       id-mod-eJWTClaimConstraints-2021

8. Security Considerations

For further information on certificate security and practices, see [RFC5280], especially the Security Considerations section.

Since non-critical certificate extensions are ignored by implementations that do not recognize the extension object identifier (OID), constraints on PASSporT validation will only be applied by relying parties that recognize the EnhancedJWTClaimConstraints extension.

The Enhanced JWT Claim Constraints certificate extension can be used by certificate issuers to provide limits on the acceptable PASSporTs that can be accepted by verification services. Enforcement of these limits depends upon proper implementation by the verification services. The digital signature on the PASSporT data structure will be valid even if the limits are violated.

Use of the Enhanced JWT Claim Constraints certificate extension permittedValues constraint is most useful when the claim definition allows a specified set of values. In this way, all of the values that are not listed in the JWTClaimValuesList are prohibited in a valid PASSporT.

Certificate issuers must take care when imposing constraints on the PASSporT claims and the claim values that can be successfully validated; some combinations can prevent any PASSporT from being successfully validated by the certificate. For example, an entry in mustInclude and an entry in mustExclude for the same claim will prevent successful validation on any PASSporT.

Certificate issuers SHOULD NOT include an entry in mustExclude for the "rcdi" claim for a certificate that will be used with the PASSporT Extension for Rich Call Data defined in [STIR-PASSPORT-RCD]. Excluding this claim would prevent the integrity protection mechanism from working properly.

Certificate issuers must take care when performing certificate renewal [RFC4949] to include exactly the same Enhanced JWT Claim Constraints certificate extension in the new certificate as the old one. Renewal usually takes place before the old certificate expires, so there is a period of time where both the new certificate and the old certificate are valid. If different constraints appear in the two certificates with the same public key, some PASSporTs might be valid when one certificate is used and invalid when the other one is used.
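The issuer-side pitfalls in this section (unsatisfiable combinations, baseline claims in the wrong list, the "rcdi" exclusion, and constraint drift across renewal) can be caught before a certificate is signed. The following is an added example, not code from the RFC: a lint over the extension contents, using the same dict model as the validator above, plus an order-independent comparison for renewal. The "permittedValues for an excluded claim never applies" warning is a consequence of the Section 3 rules rather than text from the RFC; the sample extensions are constructed.

```python
"""Issuer-side checks for an EnhancedJWTClaimConstraints extension (RFC 9118).

Added example, not code from the RFC.  An extension is a dict with optional keys
mustInclude (list), permittedValues (dict: claim -> list of values) and
mustExclude (list).
"""

BASELINE_CLAIMS = frozenset({"iat", "orig", "dest"})


def normalize(ext):
    """Order-independent view of the constraints, for comparing two certificates."""
    return (
        frozenset(ext.get("mustInclude") or ()),
        frozenset((k, frozenset(v)) for k, v in (ext.get("permittedValues") or {}).items()),
        frozenset(ext.get("mustExclude") or ()),
    )


def lint_constraints(ext):
    """Return issues to resolve before signing.  'error' entries make the
    extension unencodable, ignored by relying parties, or unsatisfiable;
    'warning' entries are SHOULD-level guidance from the RFC."""
    issues = []
    include = set(ext.get("mustInclude") or ())
    exclude = set(ext.get("mustExclude") or ())
    permitted = ext.get("permittedValues") or {}

    if not (include or exclude or permitted):
        issues.append("error: no component present; the syntax requires at least one")
    # JWTClaimName is IA5String, so non-ASCII names cannot be encoded (Section 3).
    for name in sorted(include | exclude | set(permitted)):
        if not name.isascii():
            issues.append(f"error: claim name {name!r} is not ASCII (IA5String)")
    # Section 8: the same claim in mustInclude and mustExclude rejects every PASSporT.
    for name in sorted(include & exclude):
        issues.append(f"error: '{name}' in both mustInclude and mustExclude; "
                      "no PASSporT can validate")
    # Section 3: a baseline claim in mustExclude makes relying parties ignore the extension.
    for name in sorted(exclude & BASELINE_CLAIMS):
        issues.append(f"error: baseline claim '{name}' in mustExclude; extension would be ignored")
    for name in sorted(include & BASELINE_CLAIMS):
        issues.append(f"warning: baseline claim '{name}' in mustInclude is redundant (SHOULD NOT)")
    for name, values in sorted(permitted.items()):
        if not values:
            issues.append(f"error: permittedValues for '{name}' is empty (SIZE (1..MAX))")
        if name in exclude:
            issues.append(f"warning: permittedValues for '{name}' never applies; claim is excluded")
    # Section 8: excluding "rcdi" defeats the Rich Call Data integrity mechanism.
    if "rcdi" in exclude:
        issues.append("warning: 'rcdi' in mustExclude breaks rcd integrity protection (SHOULD NOT)")
    return issues


def renewal_preserves_constraints(old_ext, new_ext):
    """True when the renewed certificate carries the same constraints as the old
    one; differing constraints under the same key give inconsistent PASSporT
    validity while both certificates are valid (Section 8)."""
    return normalize(old_ext) == normalize(new_ext)


# Constructed samples.
FIGURE2_EXT = {"mustInclude": ["confidence"],
               "permittedValues": {"confidence": ["high", "medium"]},
               "mustExclude": ["priority"]}
CONFLICTING_EXT = {"mustInclude": ["confidence"], "mustExclude": ["confidence", "iat"]}
# Same constraints as FIGURE2_EXT, components and values listed in another order.
RENEWED_EXT = {"mustExclude": ["priority"],
               "permittedValues": {"confidence": ["medium", "high"]},
               "mustInclude": ["confidence"]}

if __name__ == "__main__":
    for label, ext in (("figure 2", FIGURE2_EXT), ("conflicting", CONFLICTING_EXT)):
        print(label, lint_constraints(ext) or ["ok"])
    print("renewal consistent:", renewal_preserves_constraints(FIGURE2_EXT, RENEWED_EXT))
```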

9. References

9.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, <https://www.rfc-editor.org/info/rfc5280>.
[RFC5912]
Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, DOI 10.17487/RFC5912, <https://www.rfc-editor.org/info/rfc5912>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8225]
Wendt, C. and J. Peterson, "PASSporT: Personal Assertion Token", RFC 8225, DOI 10.17487/RFC8225, <https://www.rfc-editor.org/info/rfc8225>.
[RFC8226]
Peterson, J. and S. Turner, "Secure Telephone Identity Credentials: Certificates", RFC 8226, DOI 10.17487/RFC8226, <https://www.rfc-editor.org/info/rfc8226>.
[X.680]
ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680.

9.2. Informative References

[ISO646]
ISO, "Information technology - ISO 7-bit coded character set for information interchange", ISO/IEC 646:1991.
[RFC4949]
Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, <https://www.rfc-editor.org/info/rfc4949>.
[RFC7468]
Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, <https://www.rfc-editor.org/info/rfc7468>.
[RFC9060]
Peterson, J., "Secure Telephone Identity Revisited (STIR) Certificate Delegation", RFC 9060, DOI 10.17487/RFC9060, <https://www.rfc-editor.org/rfc/rfc9060>.
[STIR-PASSPORT-RCD]
Wendt, C. and J. Peterson, "PASSporT Extension for Rich Call Data", Work in Progress, Internet-Draft, draft-ietf-stir-passport-rcd-12, <https://datatracker.ietf.org/doc/html/draft-ietf-stir-passport-rcd-12>.

Appendix A. ASN.1 Module

This appendix provides the ASN.1 [X.680] definitions for the Enhanced JWT Claim Constraints certificate extension. The module defined in this appendix is compatible with the ASN.1 specifications published in 2015.

This ASN.1 module imports ASN.1 from [RFC5912].

    <CODE BEGINS>
    EnhancedJWTClaimConstraints-2021
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-eJWTClaimConstraints-2021(101) }

    DEFINITIONS EXPLICIT TAGS ::= BEGIN

    IMPORTS

    id-pe
    FROM PKIX1Explicit-2009  -- From RFC 5912
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkix1-explicit-02(51) }

    EXTENSION
    FROM PKIX-CommonTypes-2009  -- From RFC 5912
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-pkixCommon-02(57) } ;

    -- Enhanced JWT Claim Constraints Certificate Extension

    ext-eJWTClaimConstraints EXTENSION ::= {
      SYNTAX EnhancedJWTClaimConstraints
      IDENTIFIED BY id-pe-eJWTClaimConstraints }

    id-pe-eJWTClaimConstraints OBJECT IDENTIFIER ::= { id-pe 33 }

    EnhancedJWTClaimConstraints ::= SEQUENCE {
      mustInclude [0] JWTClaimNames OPTIONAL,
        -- The listed claim names MUST appear in the PASSporT
        -- in addition to iat, orig, and dest.  If absent, iat, orig,
        -- and dest MUST appear in the PASSporT.
      permittedValues [1] JWTClaimValuesList OPTIONAL,
        -- If the claim name is present, the claim MUST contain one
        -- of the listed values.
      mustExclude [2] JWTClaimNames OPTIONAL }
        -- The listed claim names MUST NOT appear in the PASSporT.
    ( WITH COMPONENTS { ..., mustInclude PRESENT } |
      WITH COMPONENTS { ..., permittedValues PRESENT } |
      WITH COMPONENTS { ..., mustExclude PRESENT } )

    JWTClaimValuesList ::= SEQUENCE SIZE (1..MAX) OF JWTClaimValues

    JWTClaimValues ::= SEQUENCE {
      claim JWTClaimName,
      values SEQUENCE SIZE (1..MAX) OF UTF8String }

    JWTClaimNames ::= SEQUENCE SIZE (1..MAX) OF JWTClaimName

    JWTClaimName ::= IA5String

    END
    <CODE ENDS>

Acknowledgements

Many thanks to Chris Wendt for his insight into the need for the Enhanced JWT Claim Constraints certificate extension.

Thanks to Ben Campbell, Theresa Enghardt, Ben Kaduk, Erik Kline, Éric Vyncke, and Rob Wilton for their thoughtful review and comments. The document is much better as a result of their efforts.

Author's Address

Russ Housley
Vigil Security, LLC
516 Dranesville Road
Herndon, VA 20170
United States of America
Email: housley@vigilsec.com
