Network Working Group Shuyi Chen
Internet-Draft ZTE Corporation
Intended status: Informational Yuting Liu
Expires: April 18, 2011 Xiaofeng Qiu
Cheng Cheng
Chunhong Zhang
MINE Lab, Beijing University of Posts and Telecommunications
October 15, 2010
X.509 Extension with Security Information
draft-chen-pkix-securityinfo-00
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 18, 2011.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Chen, et al. Expires April 18, 2011 [Page 1]
Internet-Draft X.509extension with Security Information October 2010
Abstract
This document defines an X.509v3 certificate extension. It binds a
list of security information to the subject of a certificate, which
may be used to assess the security posture of the subject.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Conventions used in this document . . . . . . . . . . . . 3
2. X.509 Extension with security information . . . . . . . . . . . 3
2.1 OID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Criticality . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 X.509 Security Information extension Syntax . . . . . . . . 5
2.4 X.509 Security Information extension semantics . . . . . . 7
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 9
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 9
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1 Normative References . . . . . . . . . . . . . . . . . . . 9
5.2 Informative References . . . . . . . . . . . . . . . . . . 10
Appendix - ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 10
Authors' Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
This document describes an X.509v3 certificate extension that states
the security status of the certificate subject.
The extension binds security information to the subject. With such
an extended certificate, the authenticating entity obtains the
subject's security status during identity authentication and so
becomes aware of the subject's security attributes. If an entity
holding a certificate with the security information extension wants
to join a network, the network manager can evaluate the entity's
security status against its own assessment standards and then apply
policies, such as assigning a security level or a security domain,
to protect the network. If the entity wants to communicate with
another entity, the peer can likewise apply a security policy, such
as resource access control, to keep the transaction safe.
The issuer of the certificate is a trusted entity (or a trusted third
party) that can identify and verify a subject's security
information. Generally, security information is obtained by remote
scanning; where that is not possible, it is obtained by local
scanning performed by the entity itself. Security threats present on
the entity and security protection software installed on it reflect
the subject's security status directly and indirectly.
When an X.509 certificate contains an extension with security
information, the extension MUST be critical, and MUST contain either
a NULL to indicate that no security information is provided or
explicit security information to indicate that security information
is provided.
1.1 Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. X.509 Extension with security information
Conventional security mechanisms, such as security domains and
boundary protection systems, do not take the underlying security
status of the entity into consideration, which limits their range of
applicability. In a distributed network in particular, the
protection of the underlying nodes determines the security level of
the whole network, so weakly protected nodes greatly degrade the
security of the distributed network.
This certificate extension carries the subject's underlying security
information and provides a basis for formulating security policy.
Using a certificate with the security information extension, one
entity or node can assess another's security posture and then adjust
its policy to avoid attacks from malicious entities.
The issuer of the certificate is a trusted entity (or a trusted third
party) that can identify and verify a subject's security
information. Usually, security information is obtained by a trusted
third party through remote scanning. If it cannot be obtained in
this way, it is obtained through local scanning by the entity
itself.
Security information is reflected in two ways. On one hand, security
protection software installed on the user's system, such as
antivirus, firewall and the Operating System (OS), reflects the
subject's security condition directly or indirectly. On the other
hand, security threats present on the user's system, such as
malicious plug-ins, also indicate the subject's security status: the
more threats exist, the less safe the entity is. Other retrievable
information that bears on the security properties of the subject can
be added as needed.
Parameters of security protection software SHOULD be as specific as
possible. Private information, such as operating system parameters,
SHOULD instead be abstracted into a security score in the range
[0, 99].
A traditional X.509 certificate (without security information) has a
validity period indicating the time interval during which the CA
warrants that it will maintain information about the status of the
certificate. Normally the certificate is renewed when the validity
period ends or the key pair is no longer safe. In a certificate with
the security information extension, however, the security
information changes frequently. To keep the security information in
the certificate accurate, it MUST carry its own validity period,
measured in months or weeks. When this validity period ends, the
certificate SHOULD be renewed. Updating the security information
every month or week raises the update frequency of the whole
certificate, and a higher update frequency raises costs.
Therefore, when a certificate update is triggered by the security
information, the update process SHOULD be simplified: only the
subject's security information is updated, and none of the other
personal information that was authenticated when the certificate
was generated is changed. The update then only needs to reload the
security information, so there is no need to repeat the original,
elaborate examination of the subject's identity-related personal
information.
An example use of the X.509 certificate with security information is
a user controlling access by other users. Suppose users A and B both
hold X.509 certificates with security information. User A has
certain resources and permits access only to those whose Operating
System score is equal to or greater than 85. User B wants to access
these resources. User A obtains B's security information from B's
extended certificate and determines whether B qualifies. If so,
user B is granted access to the resources; otherwise user A SHOULD
refuse the access request.
The format of the X.509 extension with security information is as
follows.
2.1 OID
The OID for this extension is id-pe-securityInfo.
id-pe-securityInfo OBJECT IDENTIFIER ::= { id-pe 25 }
where [RFC5280] defines:
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
2.2 Criticality
This extension SHOULD be CRITICAL. Its intended use is to indicate
the security status of the identified subject. By marking it
critical, the issuer conveys that a relying party MUST understand
the semantics of the extension in order to use the certificate for
the purpose for which it was issued. Newly created applications that
use certificates containing this extension are expected to recognize
the extension.
2.3 X.509 Security Information extension Syntax
The syntax for the X.509 extension is:
   SecurityInfo ::= CHOICE {
       none      NULL,                  -- No security info provided
       secInfo   SecurityInformation    -- Explicit security info
   }

   SecurityInformation ::= SEQUENCE {
       secValidityPeriod   ValidityPeriod,
       infoTime            GeneralizedTime,
       secData             SecurityData
   }

   ValidityPeriod ::= SEQUENCE {
       notBefore   GeneralizedTime,
       notAfter    GeneralizedTime
   }

   SecurityData ::= SEQUENCE {
       antivirus              [0] AntivirusData OPTIONAL,
       firewall               [1] FirewallData OPTIONAL,
       operatingSystem        [2] OSData OPTIONAL,
       vulnerabilityDatabase  [3] VDData OPTIONAL,
       maliciousPlug-in       [4] MPIData OPTIONAL,
       otherSecData           [5] ANY OPTIONAL
           -- tags 5..MAX: further security data, defined elsewhere
   }

   AntivirusData ::= SEQUENCE {
       antivirusBase        BasicInfo,
       otherAntivirusData   ANY OPTIONAL
           -- further antivirus data, defined elsewhere
   }

   FirewallData ::= SEQUENCE {
       firewallBase        BasicInfo,
       supFTPFileFilter    BOOLEAN,
       supAntivirus        BOOLEAN,
       supConFilter        BOOLEAN,
       defDOS              BOOLEAN,
       rtInRes             BOOLEAN,
       autoLogScan         BOOLEAN,
       otherFirewallData   ANY OPTIONAL
           -- further firewall data, defined elsewhere
   }

   BasicInfo ::= SEQUENCE {
       version        IA5String,
       manufacturer   IA5String,
       renewal        BOOLEAN
   }

   OSData ::= INTEGER    -- security score in the range [0, 99]

   VDData ::= BOOLEAN

   MPIData ::= SEQUENCE {
       malPlugIn   ANY    -- malicious plug-in details, defined elsewhere
   }
2.4 X.509 Security Information extension semantics
SecurityInfo is a CHOICE: it is represented either by NULL or by
SecurityInformation. If the issuer selects NULL, no security
information is provided. If the issuer selects SecurityInformation,
the issuer is explicitly stating that security information is
provided, and the SecurityInformation value MUST provide its details.
SecurityInformation is a SEQUENCE of three elements:
secValidityPeriod, infoTime and secData. It contains all the
security information of one subject.
secValidityPeriod uses the ValidityPeriod type. ValidityPeriod is a
SEQUENCE of two GeneralizedTime values. The first (notBefore) MUST
indicate the date and time at which the security information becomes
valid, and the second (notAfter) MUST indicate the date and time at
which the security information expires. The period of validity is
measured in months or weeks.
infoTime is a GeneralizedTime recording when the issuer obtained the
security information; it states exactly when the information was
gathered.
secData uses the SecurityData type. SecurityData is a SEQUENCE
describing security protection software and security threats. The
software elements (antivirus, firewall and operating system) are
optional. Security threats MAY be reflected by vulnerabilityDatabase
and maliciousPlug-in. Other software verified to be installed on the
user's system can also be added to this sequence. Whenever a software
or threat element is present on the user's system, its corresponding
data type is selected, and that type in SecurityData MUST provide the
element's details. Security data not mentioned here can only be
included after its type has been defined.
antivirus uses the AntivirusData type. AntivirusData MUST contain the
antivirusBase information and MAY contain other antivirus data
defined later. antivirusBase uses the BasicInfo type. This sequence
records antivirus information, which indicates the subject's
antivirus capability to some extent.
firewall uses the FirewallData type. FirewallData is a SEQUENCE that
MUST contain the firewallBase information and six Boolean values,
and MAY contain other firewall data.
The firewallBase element also uses the BasicInfo type.
supFTPFileFilter is a Boolean. TRUE (one) indicates that the firewall
supports FTP (File Transfer Protocol) file filtering and can block
certain types of files transferred by FTP through the firewall;
FALSE (zero) indicates the opposite.
supAntivirus is a Boolean. TRUE indicates that the firewall supports
an antivirus function, such as scanning DOC and ZIP attachments of
e-mails for dangerous content; FALSE indicates the opposite.
supConFilter is a Boolean. TRUE means the firewall supports content
filtering and MAY control the information flow according to filter
criteria. Filtered content mainly refers to URLs, HTTP information
(the Subject, To and From domains), Java applets, JavaScript,
ActiveX and e-mail. FALSE indicates the opposite.
defDOS is a Boolean. TRUE indicates that the firewall can prevent or
reduce DoS (Denial of Service) attacks to a certain extent; FALSE
indicates the opposite.
rtInRes is a Boolean indicating whether the firewall provides
real-time intrusion prevention. If TRUE, the firewall can respond
dynamically when an intrusion occurs and block malicious messages;
if FALSE, the firewall does not support this function.
autoLogScan is a Boolean indicating whether the firewall can
automatically analyse and scan its logs. If TRUE, detailed log
statistics can be obtained through scanning; FALSE indicates the
opposite.
otherFirewallData MAY also be added to the sequence and can be used
once defined.
BasicInfo is a SEQUENCE of two IA5Strings and a Boolean value which
together describe the basic properties of a given piece of software.
The version element carries the version number of the software. The
manufacturer element uses an IA5String to name the developer of the
software. The last element (renewal) MUST indicate whether the
software is up to date. For example, an up-to-date KAPERSRY
Anti-Virus V5.3 is represented as:
   version      = 5.3
   manufacturer = KAPERSRY
   renewal      = 1
renewal = 1
operatingSystem uses the OSData type, which is an INTEGER because OS
data is private. OSData is abstracted into a security score that
indicates the security status of the subject's Operating System. The
score is an integer in the range [0, 99], obtained by local scanning
of OS data and a specified calculation; the larger the value, the
safer the system. OS data can include the version, manufacturer,
update cycle and so on.
vulnerabilityDatabase uses VDData, a BOOLEAN value indicating
whether the vulnerability database is up to date. FALSE (zero)
indicates that the subject's Vulnerability Database is outdated;
TRUE (one) indicates that it is up to date, which is safe.
maliciousPlug-in uses MPIData. MPIData is a SEQUENCE containing every
defined malicious plug-in with its details, such as name and
manufacturer. The more malicious plug-ins are present on the user's
system, the less safe it is.
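The DER shape of the structures defined in Sections 2.3 and 2.4, together with the relying-party decision from the access-control example in Section 2 (permit only when the Operating System score is at least 85 and the security validity period is current), as an added Python example that is not part of this draft. The DER encoder and parser are hand-rolled so no ASN.1 library is assumed; the KAPERSRY BasicInfo, the dates and the scores are constructed sample values, and the tag assignments follow the draft's syntax.

```python
# Added example (not the draft's own code): hand-rolled DER for the securityInfo
# extension, plus the relying-party check of Section 2. Sample values are constructed.
from datetime import datetime, timezone
ID_PE_SECURITYINFO = bytes.fromhex("2b06010505070119")  # 1.3.6.1.5.5.7.1.25 = { id-pe 25 }

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def der_bool(v): return tlv(0x01, b"\xff" if v else b"\x00")
def der_int(v): return tlv(0x02, bytes([v]))               # one byte suffices for OSData's [0, 99]
def der_ia5(s): return tlv(0x16, s.encode("ascii"))
def der_time(dt): return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
def der_seq(*parts): return tlv(0x30, b"".join(parts))
def utc(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)

def implicit(n, inner):
    # IMPLICIT TAGS: replace the universal tag with context tag [n], keeping the constructed bit
    return bytes([0x80 | (inner[0] & 0x20) | n]) + inner[1:]

def basic_info(version, manufacturer, renewal):
    return der_seq(der_ia5(version), der_ia5(manufacturer), der_bool(renewal))
def security_info_extension(not_before, not_after, info_time, av_base, os_score, vd_ok):
    # SecurityData with antivirus [0], operatingSystem [2] and vulnerabilityDatabase [3]
    sec_data = der_seq(implicit(0, der_seq(av_base)), implicit(2, der_int(os_score)),
                       implicit(3, der_bool(vd_ok)))
    info = der_seq(der_seq(der_time(not_before), der_time(not_after)),
                   der_time(info_time), sec_data)
    # Extension ::= SEQUENCE { extnID, critical, extnValue }; the draft requires critical
    return der_seq(tlv(0x06, ID_PE_SECURITYINFO), der_bool(True), tlv(0x04, info))

def parse_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                            # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out
def parse_time(raw): return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate_access(ext_der, now, min_os_score=85):     # relying party A deciding on B's extension
    fields = children(parse_tlv(ext_der)[1])
    if fields[0][1] != ID_PE_SECURITYINFO:
        return False, "not the securityInfo extension"
    choice_tag, info = parse_tlv(fields[-1][1])[:2]         # extnValue carries SecurityInfo
    if choice_tag == 0x05:                                  # the 'none NULL' alternative
        return False, "no security information provided"
    (_, validity), _info_time, (_, sec_data) = children(info)
    not_before, not_after = (parse_time(v) for _, v in children(validity))
    if not (not_before <= now <= not_after):
        return False, "security information expired or not yet valid"
    elems = dict(children(sec_data))
    if 0x82 not in elems:                                   # [2] OSData is OPTIONAL
        return False, "no operating system score"
    score = int.from_bytes(elems[0x82], "big")
    return score >= min_os_score, f"OS score {score}"
```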
3. Security Considerations
This X.509 extension contains private security information, i.e.,
operating system information, so it is abstracted into a security
score to keep the specific information confidential.
The trusted entity (or trusted third party) MUST ensure that the
correct values for the security information are inserted in each
issued certificate; otherwise a user may reject a certificate if it
encounters information it does not recognize or cannot process.
4. IANA Considerations
Certificate extensions and extended key usage values are identified
by object identifiers (OIDs). The OIDs used in this document are
derived from X.509 [X.509-97]. No further action by the IANA is
necessary for this document or any anticipated updates.
5. References
5.1 Normative References
[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
           Housley, R., and W. Polk, "Internet X.509 Public Key
           Infrastructure Certificate and Certificate Revocation
           List (CRL) Profile", RFC 5280, May 2008.
[X.690]    ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998,
           "Information Technology - ASN.1 Encoding Rules:
           Specification of Basic Encoding Rules (BER), Canonical
           Encoding Rules (CER) and Distinguished Encoding Rules
           (DER)".
5.2 Informative References
[RFC4059]  Linsenbardt, D., Pontius, S., and A. Sturgeon, "Internet
           X.509 Public Key Infrastructure Warranty Certificate
           Extension", RFC 4059, May 2005.
[RFC3779]  Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
           Addresses and AS Identifiers", RFC 3779, June 2004.
[X.509-97] ITU-T Recommendation X.509 (1997), "The Directory:
           Authentication Framework".
Appendix - ASN.1 Modules
   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- OID Arcs
   id-pe OBJECT IDENTIFIER ::=
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) 1 }

   -- Security Information Extension
   id-pe-securityInfo OBJECT IDENTIFIER ::= { id-pe 25 }

   SecurityInfo ::= CHOICE {
       none      NULL,                  -- No security info provided
       secInfo   SecurityInformation    -- Explicit security info
   }

   SecurityInformation ::= SEQUENCE {
       secValidityPeriod   ValidityPeriod,
       infoTime            GeneralizedTime,
       secData             SecurityData
   }

   ValidityPeriod ::= SEQUENCE {
       notBefore   GeneralizedTime,
       notAfter    GeneralizedTime
   }

   SecurityData ::= SEQUENCE {
       antivirus              [0] AntivirusData OPTIONAL,
       firewall               [1] FirewallData OPTIONAL,
       operatingSystem        [2] OSData OPTIONAL,
       vulnerabilityDatabase  [3] VDData OPTIONAL,
       maliciousPlug-in       [4] MPIData OPTIONAL,
       otherSecData           [5] ANY OPTIONAL
           -- tags 5..MAX: further security data, defined elsewhere
   }

   AntivirusData ::= SEQUENCE {
       antivirusBase        BasicInfo,
       otherAntivirusData   ANY OPTIONAL
           -- further antivirus data, defined elsewhere
   }

   FirewallData ::= SEQUENCE {
       firewallBase        BasicInfo,
       supFTPFileFilter    BOOLEAN,
       supAntivirus        BOOLEAN,
       supConFilter        BOOLEAN,
       defDOS              BOOLEAN,
       rtInRes             BOOLEAN,
       autoLogScan         BOOLEAN,
       otherFirewallData   ANY OPTIONAL
           -- further firewall data, defined elsewhere
   }

   BasicInfo ::= SEQUENCE {
       version        IA5String,
       manufacturer   IA5String,
       renewal        BOOLEAN
   }

   OSData ::= INTEGER    -- security score in the range [0, 99]

   VDData ::= BOOLEAN

   MPIData ::= SEQUENCE {
       malPlugIn   ANY    -- malicious plug-in details, defined elsewhere
   }

   END
Authors' Addresses
Shuyi Chen
ZTE Corporation
17/F, ZTE Plaza, No.19, East HuaYuan Road
Haidian District, Beijing
P.R.China, 100191
Tel:+86-10-82963667
Fax:+86-10-59932043
Email:chen.shuyi@zte.com.cn
Yuting Liu
Mobile lIfe and New mEdia Lab, BUPT.
P.O. Box 92, No.10,
Xitucheng Road BeiJing, Haidian District 100876
P.R.China
Email: viviytliu@gmail.com
Xiaofeng Qiu
Mobile lIfe and New mEdia Lab, BUPT.
P.O. Box 92, No.10,
Xitucheng Road BeiJing, Haidian District 100876
P.R.China
Email: qiuxiaofeng@gmail.com
Cheng Cheng
Mobile lIfe and New mEdia Lab, BUPT.
P.O. Box 92, No.10,
Xitucheng Road BeiJing, Haidian District 100876
P.R.China
Email: chengcheng20090901@gmail.com
Chunhong Zhang
Mobile lIfe and New mEdia Lab, BUPT.
P.O. Box 92, No.10,
Xitucheng Road BeiJing, Haidian District 100876
P.R.China
Email: zhangch.bupt.001@gmail.com