]> Vigil Security, LLC

516 Dranesville Road Herndon VA 20170 United States of America housley@vigilsec.com

ART STIR X.509 Certificate Extension RFC 8226 specifies the use of certificates for Secure Telephone Identity Credentials; these certificates are often called "Secure Telephone Identity Revisited (STIR) Certificates". RFC 8226 provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT), as defined in RFC 8225. If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT. This document updates RFC 8226; it provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. The enhanced extension can also provide a list of claims that are not allowed to be included in the PASSporT.

Introduction The use of certificates in establishing authority over telephone numbers is described in . These certificates are often called "STIR Certificates". STIR certificates are an important element of the overall system that prevents the impersonation of telephone numbers on the Internet. provides a certificate extension to constrain the JSON Web Token (JWT) claims that can be included in the Personal Assertion Token (PASSporT) . If the PASSporT signer includes a JWT claim outside the constraint boundaries, then the PASSporT recipient will reject the entire PASSporT. This document defines an enhanced JWTClaimConstraints certificate extension, which provides all of the capabilities available in the original certificate extension as well as an additional way to constrain the allowable JWT claims. That is, the enhanced extension can provide a list of claims that are not allowed to be included in the PASSporT. The Enhanced JWT Claim Constraints certificate extension is needed to limit the authority when a parent STIR certificate delegates to a subordinate STIR certificate. For example, describes the situation where service providers issue a STIR certificate to enterprises or other customers to sign PASSporTs, and the Enhanced JWT Claim Constraints certificate extension can be used to prevent specific claims from being included in PASSporTs and accepted as valid by the PASSporT recipient. The JWT Claim Constraints certificate extension defined in provides a list of claims that must be included in a valid PASSporT as well as a list of permitted values for selected claims. The Enhanced JWT Claim Constraints certificate extension defined in this document includes those capabilities and adds a list of claims that must not be included in a valid PASSporT.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Enhanced JWT Claim Constraints Syntax The Enhanced JWT Claim Constraints certificate extension is non-critical, applicable only to end-entity certificates, and defined with ASN.1 . The syntax of the JWT claims in a PASSporT is specified in . The Enhanced JWT Claim Constraints certificate extension is optional, but, when present, it constrains the JWT claims that authentication services may include in the PASSporT objects they sign. Constraints are applied by certificate issuers and enforced by recipients when validating PASSporT claims as follows:

1. mustInclude indicates JWT claims that MUST appear in the PASSporT in addition to the iat, orig, and dest claims. The baseline PASSporT claims ("iat", "orig", and "dest") are considered to be required by , and these claims SHOULD NOT be part of the mustInclude list. If mustInclude is absent, the iat, orig, and dest claims MUST appear in the PASSporT.
2. permittedValues indicates that, if the claim name is present, the claim MUST exactly match one of the listed values.
3. mustExclude indicates JWT claims that MUST NOT appear in the PASSporT. The baseline PASSporT claims ("iat", "orig", and "dest") are always permitted, and these claims MUST NOT be part of the mustExclude list. If one of these baseline PASSporT claims appears in the mustExclude list, then the certificate MUST be treated as if the extension was not present.

Following the precedent in , JWT Claim Names MUST be ASCII strings, which are also known as strings using the International Alphabet No. 5 . The Enhanced JWT Claim Constraints certificate extension is identified by the following object identifier (OID): The Enhanced JWT Claim Constraints certificate extension has the following syntax:

Usage Examples Consider these usage examples with a PASSporT claim called "confidence" with values "low", "medium", and "high". These examples illustrate the constraints that are imposed by mustInclude, permittedValues, and mustExclude:

• If a certification authority (CA) issues a certificate to an authentication service that includes an Enhanced JWT Claim Constraints certificate extension that contains the mustInclude JWTClaimName "confidence", then an authentication service is required to include the "confidence" claim in all PASSporTs it generates and signs. A verification service will treat any PASSporT it receives without a "confidence" PASSporT claim as invalid.
• If a CA issues a certificate to an authentication service that includes an Enhanced JWT Claim Constraints certificate extension that contains the permittedValues JWTClaimName "confidence" and a permitted "high" value, then a verification service will treat any PASSporT it receives with a PASSporT "confidence" claim with a value other than "high" as invalid. However, a verification service will not treat a PASSporT it receives without a PASSporT "confidence" claim at all as invalid, unless "confidence" also appears in mustInclude.
• If a CA issues a certificate to an authentication service that includes an Enhanced JWT Claim Constraints certificate extension that contains the mustExclude JWTClaimName "confidence", then a verification service will treat any PASSporT it receives with a PASSporT "confidence" claim as invalid regardless of the claim value.

Certificate Extension Example A certificate containing an example of the EnhancedJWTClaimConstraints certificate extension is provided in . The certificate is provided in the format described in . The example of the EnhancedJWTClaimConstraints extension from the certificate is shown in . The example imposes three constraints:

1. The "confidence" claim must be present in the PASSporT.
2. The "confidence" claim must have a value of "high" or "medium".
3. The "priority" claim must not be present in the PASSporT.

Example Certificate

Example EnhancedJWTClaimConstraints Extension

Guidance to Certification Authorities The EnhancedJWTClaimConstraints extension specified in this document and the JWTClaimConstraints extension specified in MUST NOT both appear in the same certificate. If the situation calls for mustExclude constraints, then the EnhancedJWTClaimConstraints extension is the only extension that can express the constraints. On the other hand, if the situation does not call for mustExclude constraints, then either the EnhancedJWTClaimConstraints extension or the JWTClaimConstraints extension can express the constraints. Until such time as support for the EnhancedJWTClaimConstraints extension becomes widely implemented, the use of the JWTClaimConstraints extension may be more likely to be supported. This guess is based on the presumption that the first specified extension will be implemented more widely in the next few years.

IANA Considerations This document makes use of object identifiers for the Enhanced JWT Claim Constraints certificate extension defined in and the ASN.1 module identifier defined in . Therefore, IANA has made the following assignments within the "Structure of Management Information (SMI) Numbers (MIB Module Registrations)" registry. For the Enhanced JWT Claim Constraints certificate extension in the "SMI Security for PKIX Certificate Extension" (1.3.6.1.5.5.7.1) registry:

Decimal	Description
33	id-pe-eJWTClaimConstraints

For the ASN.1 module identifier in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry:

Decimal	Description
101	id-mod-eJWTClaimConstraints-2021

Security Considerations For further information on certificate security and practices, see , especially the Security Considerations section. Since non-critical certificate extensions are ignored by implementations that do not recognize the extension object identifier (OID), constraints on PASSporT validation will only be applied by relying parties that recognize the EnhancedJWTClaimConstraints extension. The Enhanced JWT Claim Constraints certificate extension can be used by certificate issuers to provide limits on the acceptable PASSporTs that can be accepted by verification services. Enforcement of these limits depends upon proper implementation by the verification services. The digital signature on the PASSporT data structure will be valid even if the limits are violated. Use of the Enhanced JWT Claim Constraints certificate extension permittedValues constraint is most useful when the claim definition allows a specified set of values. In this way, all of the values that are not listed in the JWTClaimValuesList are prohibited in a valid PASSporT. Certificate issuers must take care when imposing constraints on the PASSporT claims and the claim values that can be successfully validated; some combinations can prevent any PASSporT from being successfully validated by the certificate. For example, an entry in mustInclude and an entry in mustExclude for the same claim will prevent successful validation on any PASSporT. Certificate issuers SHOULD NOT include an entry in mustExclude for the "rcdi" claim for a certificate that will be used with the PASSporT Extension for Rich Call Data defined in . Excluding this claim would prevent the integrity protection mechanism from working properly. Certificate issuers must take care when performing certificate renewal to include exactly the same Enhanced JWT Claim Constraints certificate extension in the new certificate as the old one. Renewal usually takes place before the old certificate expires, so there is a period of time where both the new certificate and the old certificate are valid. If different constraints appear in the two certificates with the same public key, some PASSporTs might be valid when one certificate is used and invalid when the other one is used.

References Normative References ITU-T Informative References ISO

ASN.1 Module This appendix provides the ASN.1 definitions for the Enhanced JWT Claim Constraints certificate extension. The module defined in this appendix is compatible with the ASN.1 specifications published in 2015. This ASN.1 module imports ASN.1 from .

Acknowledgements Many thanks to for his insight into the need for the for the Enhanced JWT Claim Constraints certificate extension. Thanks to , , , , , and for their thoughtful review and comments. The document is much better as a result of their efforts.