[lamps] Including 3GPP NF Type in HTTPS certificates

John Mattsson <john.mattsson@ericsson.com> Wed, 27 April 2022 14:20 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: IETF LAMPS WG <spasm@ietf.org>
Thread-Topic: Including 3GPP NF Type in HTTPS certificates
Thread-Index: AQHYWkD6uYle3rpdB0KY7JUJy0KxLA==
Date: Wed, 27 Apr 2022 14:20:38 +0000
Message-ID: <HE1PR0701MB30509AD4C4E6A9130FF18B6689FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: lWhGbdG1gIjDu/cq9abt2WozOr6LERFuFkexR/BxovcaD03Zc5C55+b34JMwkYK6GPGvG+uUw/gzLaOz6aJ3Ktg69D/OxVEgUm1MeiFAghZwreC++rm39c5e10Dm/CVrqmCFQpYDD4Pk5PMZxmb5EWQnN11AyIgZXPJ8VWGrqw7zynRE0zkaCtw5yUoyKBdjlWheaSOB8HkByBOsigpkrSqTCJOyx0T69DLW1v1VA7WHX9KFqVIvhU4dWi5tB3VqQLHtBu4+s7LUHcHu8EZRzfEO6IpHOiLY3EN03mkuNIsbLd/PS/SAh0AXcwgRXebvVFJksf/BnxvuGyFtpRLWpEErSxZvlq9A2TXXCFp9CE4Rkq1MGmTtNqopydlX77iLGg0zLEQ5spJCdloWhWmlQpTIgW3/qaZyNlmz+2tKLkMmrjvTpxYZFBZFyY8lE20w2V28Lmx6aM6wN3577phFfdvhBsJYcKhM4xIVvBEdR+iPRRWnV+f/EgegwFCfbuFPQJi3FL5hE4JSNS8LTHrPrRr+ALHQIJu+roZq/zVp8xfvn2IF7VifPL9IqUcsAPrSI3wmteGYZEUwwrHDBAoshEKyQ5tZz3/BQpOjbz3JP+yn4hq3VUgPCr7+j22C86YZqb5mUM+ofG+7e22a2xYK+afkqbJg8Sv843DwKyjsJXaL3HBgV6MN6SdxEundA02HLjoT/Gti5rOTwDxU1D/pGPOfy1FVklzYsiIWFgJeMAP6kn1YWpg7MfCOtWLJjrLNUSw2v3++7XJjM4Jzw87nHCOBEJkqsLofxHijMVLDA2VLMI8NTDf8eAyR7laMlwJ8lCU1qmi/XSb8jfT2UpOO6vICBh5n6iCMRfdqFUFRlRvS0WXz5PezePZ8Cn4IB9elQEMZAmDnLv13hzPYcl1lJUfgCCEfIXj68KFihsNafZ38WxzuvlMzqy74QNABSXrnmVqiC5qsgkSQE/gT78YrjrDhNKzPzJWMbzvgWHNtnGhQWBSZO90HLd/DmbqA+IMemvYVxQD1t1JwWPm9cfFYXhgMFUj6/1Ieh3bziuhD1OyOy+cnoez/fwpc8smuiD8jcVryhca2oedOX+vfImR/1cFJha38/TAOuFNGau1zlLgN8J1xPq7oYnJHEgXHA3EfRyHrUvFzaDXeYzRV+XqGZfu1AhPGjZkxBcbRXoS+F7XUZ0OSYh3aHhwMhDzOiL0x2V62aYSj4HzdR9X+Lu2aLTTu7/3mqM+HpevLL1dgJXv/BdmQVoqUaTaSTW3yhsXs27pR7Fn45Cgel2Ptc9N0Y2jnzM8pHxO549u++gHuyhl8cRRWb4AdEOCCrjlvAG9QDgKHSPULbv6LDVra8LaL/Ru/3BoyKwnilxZxyGl9ZLwEE7oXBQnN/QPPHescBPh/prd/0Q426EFwNFYlUasjXy0DEhXe9lSRg0rz3dOvQ3xeDdw53U9Xybg8Ccs9+Fgt5w//ANBaLluSJl0t2r3Xt4pjx1SiTxYpUFVJ22CmrOoNR4mA/cW5zMNpywadJ63PeP0P9rvK2Y5e6G3q1LD6f3LeMKVDg/YW0DGTzjfRGFH23pIcTq+Cdh+ViFriNPlvdKq534Lwzz/LOkXXpL+x75TZ6pBVvcksT6CWx/3dbU/oN70HoJ6vH/JxrHVjjkd5WWZj8qRJdg7slw4nUW10FRo2dRkudHYgosvSPmx/cqX6AVcC0ZSYJJV1crFK9DelmQAGzGKWnzobxvIxKJDEmsg9Khu+i4y8IeGUoZgU4ukdJuX7ttGPoAblmUvWxUUU
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB30509AD4C4E6A9130FF18B6689FA9HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 032b77a8-4314-4a35-47d9-08da28591a1f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2022 14:20:38.1179 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: aGOEHtdKKc0uVKhS0KaxDnIAXZ/Y6QAYl2pj6ZAIJyV7dEshtjVF0HLlyaii9AVtXbmPeXf/C4ObL+xVqP49snmqKAdRpPSsBFgpeAcl/+o=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6323
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VGJovvuha2lgggmFVIdh_-ImJNE>
Subject: [lamps] Including 3GPP NF Type in HTTPS certificates
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 14:20:49 -0000

Hi,

The signaling in 5G (Service Based Architecture) uses HTTP/2 over mutually authenticated TLS 1.3. 3GPP has specified a X.509 certificate profile in section 6.1.3c of TS 33.310. The profile states that the NF Type (e.g., "NRF", "5G_EIR", "UDM", etc.) should be included as a DNS-ID in client certificates. I don't think this is appropriate in general. It also violates RFC 5280 as several of the NF Types contain an underscore "_" character.

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2293

I think 3GPP needs to update their specification. What would be a recommended way to include the 3GPP NF Type strings in X.509 certificates?

- Should 3GPP/ETSI register a NF type type-id OID for use with otherName that takes a utf8String as value?
- Should 3GPP/ETSI register a registeredID OID for each NF Type?
- Any other recommended way to include the NF type in the 3GPP certificates?

Feedback would be very welcome.

Cheers,
John

[lamps] Including 3GPP NF Type in HTTPS certifica… John Mattsson
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Salz, Rich
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Ryan Sleevi
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Russ Housley
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Salz, Rich
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Daniel Migault
Re: [lamps] Including 3GPP NF Type in HTTPS certi… Tomas Gustavsson