]> Huawei Technologies

guowei90@huawei.com

Huawei Technologies

dingbeijing@huawei.com

Huawei Technologies

liji100@huawei.com

Huawei Technologies

wusongqi@huawei.com

General Internet Engineering Task Force keyword1 keyword2 keyword3 This document introduces a Certificate Validation extension and a Certificate Hash extension in the Online Certificate Status Protocol (OCSP) request message and response message, respectively. OCSP is used to check the status of a certificate, and these two extensions are used to check the validity of that certificate.

Introduction In some secure protocols (e.g., TLS , IPsec ), the X.509 v3 certificate is the most commonly used means to authenticate the peer's identity. The validity of a certificate can be checked by relying parties by using a locally stored trust anchor and the received certificate chain. Moreover, relying parties can also use Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) to check the status of that certificate. Today, a large number of network devices across different vendors (or different trust domains) need to connect securely. For example, the first use case is that a user equipment (UE) roams onto a visited network, secure connection needs to be established between the visited network and the UE's home network for authentication and other services; the second use case is that in the 5G service-based architecture (SBA), network functions (NFs) from various vendors can interact with each other through secure connection for confidentiality and integrity. This makes the certificate validation more complex, since it requires every device to configure a list of trusted CAs and transmit the certificate chain. Moreover, factors such as CA changes further complicate the process. In the post-quantum era, the public key and signature sizes of post-quantum algorithms are significantly large compared to that of classical algorithms, leading to excessively large post-quantum certificates. This, in turn, results in higher transmission costs for certificate chains, thereby affecting the speed of secure connection establishment. This document provides a mechanism that uses the extended OCSP to additionally check the validity of a certificate, without transmitting and verifying the entire certificate chain.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

OCSP Extensions The message formats for OCSP requests and responses are defined in . also defines the standard extensions for OCSP messages following X.509 v3 certificate extensions (see ). Thus, each such extension requires an OID, a criticality flag, and ASN.1 syntax as defined by the OID. This document defines two new OCSP extensions: Certificate Validation extension in the OCSP request message and Certificate Hash extension in the OCSP response message. The criticality flags for these two extensions are optional: per , support for all OCSP extensions is optional. If the OCSP responder does not understand the requested extension, it will provide the baseline validation of the certificate.

OCSP Request Extension An OCSP requestor MAY wish to use this extended OCSP to additionally check the validity of a certificate. To do so, it SHOULD use an extension with the OID id-pkix-ocsp-cert-valid and the extnValue CertificateValidation. This extension is included as one of the request's singleRequestExtensions; it carries the preferred hash algorithms that will be used by the OCSP responder to compute the requested certificate's hash. The syntax of AlgorithmIdentifier is defined in . The client MUST support each of the specified preferred hash algorithms, and the client MUST specify the algorithms in the order of preference, from the most preferred to the least preferred.

OCSP Response Extension An OCSP responder MAY maximize the potential for ensuring interoperability by selecting a supported hash algorithm using the following order of precedence, as long as the selected algorithm meets all security requirements of the OCSP responder, where the first selection mechanism has the highest precedence:

• Select an algorithm specified as a preferred hash algorithm in the requestor's request.
• Select a mandatory or recommended hash algorithm, which is SHA-256 specified in this document.

If the OCSP responder does understand the requested extension, it SHOULD use an extension with OID id-pkix-ocsp-cert-hash and the extnValue CertHash. This extension is included as one of the response's singleExtensions; it carries a certificate hash that is requested by the OCSP requestor.

• The "hashAlgorithm" field indicates a supported hash algorithm selected by the OCSP responder.
• The "certHash" field contains the hash value of the requested certificate, which is computed over the entire DER-encoded certificate including the signature. The hash algorithm used to compute the "certHash" value is specified in the "hashAlgorithm" field.

For an OCSP request with the id-pkix-ocsp-cert-valid extension, if the status of a requested certificate is unknown or revoked (non-issued), then the OCSP responder SHOULD include the id-pkix-ocsp-cert-hash extension in the singleExtensions field of the corresponding SingleResponse, and the value of the extension SHALL be NULL.

OCSP CertID Update Recall that defines a struct CertID to identify a certificate, and the "issuerKeyHash" field of this struct is often computed from the issuer's certificate. As said that in , the primary reason to use the hash of the CA's public key in addition to the hash of the CA's name to identify the issuer is that it is possible that two CAs may choose to use the same Name (uniqueness in the Name is a recommendation that cannot be enforced). However, if the names of different CAs are unique, then only the hash of CA's name can identify the issuer. In this case, it should be better to set the "issuerKeyHash" field to be optional as shown below, so the CertID value can be constructed only from a single end-entity certificate. Therefore, when receiving only the end-entity certificate, the CertID value (where the "issuerKeyHash" field is NULL) can be constructed without transmission of the entire certificate chain. Furthermore, the constructed CertID can be used with the extended OCSP to query both the status and the hash of the received certificate, which will be used to check whether the certificate is invoked and valid, respectively.

Normative References This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Over the past few years, the number of RFCs that define and use IPsec and Internet Key Exchange (IKE) has greatly proliferated. This is complicated by the fact that these RFCs originate from numerous IETF working groups: the original IPsec WG, its various spin-offs, and other WGs that use IPsec and/or IKE to protect their protocols' traffic. This document is a snapshot of IPsec- and IKE-related RFCs. It includes a brief description of each RFC, along with background information explaining the motivation and context of IPsec's outgrowths and extensions. It obsoletes RFC 2411, the previous "IP Security Document Roadmap." The obsoleted IPsec roadmap (RFC 2411) briefly described the interrelationship of the various classes of base IPsec documents. The major focus of RFC 2411 was to specify the recommended contents of documents specifying additional encryption and authentication algorithms. This document is not an Internet Standards Track specification; it is published for informational purposes. This document specifies a protocol useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists (CRLs). Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFCs 2560 and 6277. It also updates RFC 5912. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.