Re: [lamps] Including 3GPP NF Type in HTTPS certificates
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 27 April 2022 19:13 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29239C1594AC for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 12:13:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lty-FWTgDSGe for <spasm@ietfa.amsl.com>; Wed, 27 Apr 2022 12:13:53 -0700 (PDT)
Received: from mail-ua1-f43.google.com (mail-ua1-f43.google.com [209.85.222.43]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B28A3C1594AB for <spasm@ietf.org>; Wed, 27 Apr 2022 12:13:53 -0700 (PDT)
Received: by mail-ua1-f43.google.com with SMTP id 63so965659uaw.10 for <spasm@ietf.org>; Wed, 27 Apr 2022 12:13:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gdUUwFno2YBTO8tHhImULGQk6d5N2UnRGXGkb5ykzrk=; b=7zpykVHR82mW+n/V3vlCyHjTLZ/L7HF3yl9A8UAi2EzQ/NdKBet/WzWxJoRgQhK6Xd pPzLf4EOjewQiuMLc2nUSa64qfZ/PxwWgZDav0u12PCU8P/43/u14Ww0/xb+Deun1LCb 2j0R1alrBOiuesd0CJ02iAy8WjR/YgzjpFvQBAXSmZLMwAOX7wJPDQALKdfAmq5V7joy ZFCjPNg9ibVVLx5EzspbTUyAIlFiy5RqO9IYauLucjqUY5CHqckVgTnixmswSuNufmHd /kDgjJ4MEui0p+xLjoQIHZfSMlXPfKaEm3AxBNli5SWcANaXUMYgYPMW/OgFXgR91nZD w1Ww==
X-Gm-Message-State: AOAM532cvlObBzgQEqyxBuiwBYBiWQX3gOba/FLZX9J/ZmeVUpbqiP/o IRYJTxTwu+P9QCFy9W8JhgD96NbjF4M=
X-Google-Smtp-Source: ABdhPJzPMJzKvxLbqVpJ3EP+Uscdx3nXLlzsMbdNHKj1JijIUesxi7NqGrxVVK/uAbclRzEq706e2Q==
X-Received: by 2002:ab0:708d:0:b0:362:85f2:7f56 with SMTP id m13-20020ab0708d000000b0036285f27f56mr6291168ual.99.1651086832316; Wed, 27 Apr 2022 12:13:52 -0700 (PDT)
Received: from mail-vk1-f169.google.com (mail-vk1-f169.google.com. [209.85.221.169]) by smtp.gmail.com with ESMTPSA id o189-20020a1f28c6000000b003450695fe93sm1948681vko.25.2022.04.27.12.13.51 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 27 Apr 2022 12:13:51 -0700 (PDT)
Received: by mail-vk1-f169.google.com with SMTP id o132so1331675vko.11 for <spasm@ietf.org>; Wed, 27 Apr 2022 12:13:51 -0700 (PDT)
X-Received: by 2002:a1f:9b84:0:b0:344:fe87:b0b1 with SMTP id d126-20020a1f9b84000000b00344fe87b0b1mr9318682vke.6.1651086831196; Wed, 27 Apr 2022 12:13:51 -0700 (PDT)
MIME-Version: 1.0
References: <HE1PR0701MB30509AD4C4E6A9130FF18B6689FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB30509AD4C4E6A9130FF18B6689FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 27 Apr 2022 15:13:40 -0400
X-Gmail-Original-Message-ID: <CAErg=HEgj1-U41sojWaQHwXb9hS+V_s6Qq0+g_g1tyx6Ki6Ybg@mail.gmail.com>
Message-ID: <CAErg=HEgj1-U41sojWaQHwXb9hS+V_s6Qq0+g_g1tyx6Ki6Ybg@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: IETF LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000011213705dda79ce8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MTDH1Y7lbcRWQWmZ6VDhhZKh2Mw>
Subject: Re: [lamps] Including 3GPP NF Type in HTTPS certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 19:13:58 -0000
On Wed, Apr 27, 2022 at 10:20 AM John Mattsson <john.mattsson= 40ericsson.com@dmarc.ietf.org> wrote: > Hi, > > > > The signaling in 5G (Service Based Architecture) uses HTTP/2 over > mutually authenticated TLS 1.3. 3GPP has specified a X.509 certificate > profile in section 6.1.3c of TS 33.310. The profile states that the NF Type > (e.g., "NRF", "5G_EIR", "UDM", etc.) should be included as a DNS-ID in > client certificates. I don't think this is appropriate in general. It also > violates RFC 5280 as several of the NF Types contain an underscore "_" > character. > > > > > https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2293 > > > > I think 3GPP needs to update their specification. > Agreed. 5280 is clear this is a hostname in preferred name syntax, not an arbitrary DNS label. That said, it seems that 6.1.3c.3 makes normative reference to NFProfile/NFService encoding rules for NF to FQDN, is it possible that there’s a translation function for ensuring that the FQDN is in preferred name syntax of host names? What would be a recommended way to include the 3GPP NF Type strings in > X.509 certificates? > > > > - Should 3GPP/ETSI register a NF type type-id OID for use with otherName > that takes a utf8String as value? > - Should 3GPP/ETSI register a registeredID OID for each NF Type? > No, to both of these, not unless you’re saying the NF type id is a fully qualified and unambiguous name. That is, SAN 1 (the NF type) should not be presumed to scope or restrict SAN 2 (the hostname) Setting that important/critical bit aside, it’s also a recipe for interop pain to go that route. - Any other recommended way to include the NF type in the 3GPP certificates? > If the NF type is a scoping or restriction of the certificate, then simply assigning an extension to indicate the appropriate NF type(s) is the way consistent with RFC 5280 and X.509. It does not need to be an attribute for a name field (like Subject or SAN), even if it is seen as a narrowing in scope, since most of the core 5280 extensions (such as KU, EKU, and basicConstraints) already exist to more narrowly scope the use of a certificate. If the goal is to have the NF type part of the validated data processed by a client, and have that be meaningfully useful for a 5280 client, then the main mechanisms are either assigning a per-NF EKU (to restrict a given certificate to a particular NF “protocol”/“use case”) or to use the certificatePolicies. The former is more widely practiced and supported, but canonically “non-standard” (for reasons), while the latter is more consistent with the model envisaged by X.500. In both cases, the client supplies an expected keyPurpose/certificatePolicy as an input to the verification function, and on output receives whether or not the certificate (and chain) was authorized for that purpose/policy. If the NF identity is purely advisory, and not meant to be checked by clients, then it’s somewhat silly to include in the certificate to begin with, but any extension will work for that. Things not to do would be what you’ve highlighted (smuggling it into host name), using policyQualifiers (which formally don’t serve as standard restrictions), or using arbitrary SAN types (which generally prove more hassle than value).
- [lamps] Including 3GPP NF Type in HTTPS certifica… John Mattsson
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Salz, Rich
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Ryan Sleevi
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Russ Housley
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Salz, Rich
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Daniel Migault
- Re: [lamps] Including 3GPP NF Type in HTTPS certi… Tomas Gustavsson