

<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.0.28 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>

<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>

<rfc ipr="trust200902" docName="draft-lear-ietf-pkix-mud-extension-00" category="std">

  <front>
    <title abbrev="X.509 MUD">An X.509 Extension for Manufacturer Usage Description URI</title>

    <author initials="E." surname="Lear" fullname="Eliot Lear">
      <organization>Cisco Systems</organization>
      <address>
        <postal>
          <street>Richtistrasse 7</street>
          <city>Wallisellen</city>
          <code>CH-8304</code>
          <country>Switzerland</country>
        </postal>
        <phone>+41 44 878 9200</phone>
        <email>lear@cisco.com</email>
      </address>
    </author>

    <date year="2016" month="February" day="02"/>

    <area>Internet</area>
    <workgroup>pkix</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<t>Manufacturer Usage Descriptions are used by device manufacturers to
provide indications to the network as to the intended use of a
particular device and with what end points it might communicate.  A
URI points to those descriptions.  This memo specifies an X.509
certificate extension to specify that URI in a device certificate to
be used with IEEE 802.1AR.</t>



    </abstract>


  </front>

  <middle>


<section anchor="introduction" title="Introduction">

<t><xref target="I-D.lear-mud-framework"/> introduces the concept of manufacturer
usage description.  In other documents, DHCP is used to identify a URI
that network systems can use to retrieve YANG-based XML that advises
the network on appropriate usage of a device.</t>

<t>Use of DHCP as a means of transmission may not be appropriate for all
use cases, particularly for devices intended for use in critical
environments.  The IEEE has developed <xref target="IEEE8021AR"/> that provides a
certificate-based approach to communicate device characteristics,
which itself relies on <xref target="RFC5280"/>.</t>

<t>This document specifies an X.509 extension so that a MUD URI may be
communicated in a certificate used with 802.1AR.  The MUD URI extension
is non-critical, as required by IEEE 802.1AR.</t>

</section>
<section anchor="the-manufacturer-usage-description-mud-uri-extension" title="The Manufacturer Usage Description (MUD) URI Extension">

<t><xref target="RFC7299"/> provides a procedure and means to specify extensions to
X.509 certificates.  The object identifier (OID) for extensions is as
follows:</t>

<figure><artwork><![CDATA[
-- PKIX certificate extensions
id-pe   OBJECT IDENTIFIER ::= { id-pkix 1 }
]]></artwork></figure>

<t>The choice of id-pe is based on guidance found in Section 4.2.2 of
<xref target="RFC5280"/>:</t>

<figure><artwork><![CDATA[
   These extensions may be used to direct applications to on-line
   information about the issuer or the subject.
]]></artwork></figure>

<t>The MUD URI is precisely that: online information about the particular
subject.</t>

<t>The new extension is identified as follows:</t>

<figure><artwork><![CDATA[
-- The MUD URI extension
id-pe-mud-uri   OBJECT IDENTIFIER ::= { id-pe TBD }
]]></artwork></figure>

<t>The extension carries a single value, the URI of the device's MUD file:</t>

<figure><artwork><![CDATA[
mud-uri ::= uniformResourceIdentifier -- for use with the MUD architecture
]]></artwork></figure>

<t>uniformResourceIdentifier is the GeneralName alternative defined in
Section 4.2.1.6 of <xref target="RFC5280"/>; its value is an IA5String.
The semantics of the URI are defined in <xref target="I-D.lear-ietf-netmod-mud"/>.</t>

</section>
<section anchor="security-considerations" title="Security Considerations">

<t>This document specifies a certificate extension to communicate a
Manufacturer Usage Description URI.  The semantics of the URI are
defined in <xref target="I-D.lear-ietf-netmod-mud"/>.  At this time, no
security concerns are visible to the author for inclusion of such an
extension.  Because the extension is non-critical, a relying party that
does not recognize it ignores it, as Section 4.2 of <xref target="RFC5280"/>
permits; one that does recognize it should act on the URI only after the
certificate has passed certification path validation, since the URI is
trusted exactly as far as the signature over the certificate is.
Retrieval of the description itself, and the trust placed in it, are
matters for <xref target="I-D.lear-ietf-netmod-mud"/>.</t>

</section>
<section anchor="iana-considerations" title="IANA Considerations">

<t>The IANA is requested to assign a value for id-pe-mud-uri in the “SMI
Security for PKIX Certificate Extension” Registry.</t>

</section>
<section anchor="acknowledgments" title="Acknowledgments">
<t>The author wishes to thank Max Pritikin for his review and suggestions.</t>

</section>


  </middle>

  <back>

    <references title='Normative References'>





<reference  anchor='RFC7299' target='http://www.rfc-editor.org/info/rfc7299'>
<front>
<title>Object Identifier Registry for the PKIX Working Group</title>
<author initials='R.' surname='Housley' fullname='R. Housley'><organization /></author>
<date year='2014' month='July' />
<abstract><t>When the Public-Key Infrastructure using X.509 (PKIX) Working Group was chartered, an object identifier arc was allocated by IANA for use by that working group.  This document describes the object identifiers that were assigned in that arc, returns control of that arc to IANA, and establishes IANA allocation policies for any future assignments within that arc.</t></abstract>
</front>
<seriesInfo name='RFC' value='7299'/>
<seriesInfo name='DOI' value='10.17487/RFC7299'/>
</reference>



<reference anchor='I-D.lear-ietf-netmod-mud'>
<front>
<title>Manufacturer Usage Description YANG Model</title>

<author initials='E' surname='Lear' fullname='Eliot Lear'>
    <organization />
</author>

<date month='January' day='22' year='2016' />

<abstract><t>This memo specifies a YANG model to be used to generate and parse manufacturer usage descriptions.  These descriptions are retrieved by network management systems in order to instantiate policies associated with those devices.  This memo also specifies a well known URI suffix to indicate that a file contains XML derived from this model.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-lear-ietf-netmod-mud-00' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-lear-ietf-netmod-mud-00.txt' />
</reference>




    </references>

    <references title='Informative References'>





<reference anchor='I-D.lear-mud-framework'>
<front>
<title>Manufacturer Usage Description Framework</title>

<author initials='E' surname='Lear' fullname='Eliot Lear'>
    <organization />
</author>

<date month='January' day='21' year='2016' />

<abstract><t>A key presumption of the Internet architecture has been that devices are general purpose computers.  By constraining the set of devices that connect to the Internet to non-general purpose devices, we can introduce a set of network capabilities that provides an additional layer of protection to those devices.  One such capability is the Manufacturer Usage Description (MUD).  This work builds on many existing network capabilities so as to be easily deployable by all involved.  The focus of this work is primarily, but not exclusively, in the realm of security; and again primarily, but not exclusively, relating to smart objects.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-lear-mud-framework-00' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-lear-mud-framework-00.txt' />
</reference>



<reference  anchor='RFC5280' target='http://www.rfc-editor.org/info/rfc5280'>
<front>
<title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
<author initials='D.' surname='Cooper' fullname='D. Cooper'><organization /></author>
<author initials='S.' surname='Santesson' fullname='S. Santesson'><organization /></author>
<author initials='S.' surname='Farrell' fullname='S. Farrell'><organization /></author>
<author initials='S.' surname='Boeyen' fullname='S. Boeyen'><organization /></author>
<author initials='R.' surname='Housley' fullname='R. Housley'><organization /></author>
<author initials='W.' surname='Polk' fullname='W. Polk'><organization /></author>
<date year='2008' month='May' />
<abstract><t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet.  An overview of this approach and model is provided as an introduction.  The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.  Standard certificate extensions are described and two Internet-specific extensions are defined.  A set of required certificate extensions is specified.  The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions.  An algorithm for X.509 certification path validation is described.  An ASN.1 module and examples are provided in the appendices.  [STANDARDS-TRACK]</t></abstract>
</front>
<seriesInfo name='RFC' value='5280'/>
<seriesInfo name='DOI' value='10.17487/RFC5280'/>
</reference>


<reference anchor="IEEE8021X" >
  <front>
    <title>Port-Based Network Access Control</title>
    <author >
      <organization>Institute of Electrical and Electronics Engineers</organization>
    </author>
    <date year="2001"/>
  </front>
</reference>
<reference anchor="IEEE8021AR" >
  <front>
    <title>Secure Device Identity</title>
    <author >
      <organization>Institute of Electrical and Electronics Engineers</organization>
    </author>
    <date year="2009"/>
  </front>
</reference>


    </references>



  </back>
</rfc>

