[stir] x5u

Russ Housley <housley@vigilsec.com> Mon, 18 March 2024 08:10 UTC

From: Russ Housley <housley@vigilsec.com>
To: IETF STIR Mail List <stir@ietf.org>
Date: Mon, 18 Mar 2024 04:09:20 -0400
Subject: [stir] x5u
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Y7m1v9mwX17cpaC8J5Z88PdKZdU>

RFC 7515 says:

4.1.5.  "x5u" (X.509 URL) Header Parameter

   The "x5u" (X.509 URL) Header Parameter is a URI [RFC3986] that refers
   to a resource for the X.509 public key certificate or certificate
   chain [RFC5280] corresponding to the key used to digitally sign the
   JWS.  The identified resource MUST provide a representation of the
   certificate or certificate chain that conforms to RFC 5280 [RFC5280]
   in PEM-encoded form, with each certificate delimited as specified in
   Section 6.1 of RFC 4945 [RFC4945].  The certificate containing the
   public key corresponding to the key used to digitally sign the JWS
   MUST be the first certificate.  This MAY be followed by additional
   certificates, with each subsequent certificate being the one used to
   certify the previous one.  The protocol used to acquire the resource
   MUST provide integrity protection; an HTTP GET request to retrieve
   the certificate MUST use TLS [RFC2818] [RFC5246]; and the identity of
   the server MUST be validated, as per Section 6 of RFC 6125 [RFC6125].
   Also, see Section 8 on TLS requirements.  Use of this Header
   Parameter is OPTIONAL.

And, RFC 4945 says:

6.1.  Certificates

   Certificates MUST be Base64 [19] encoded and appear between the
   following delimiters:

            -----BEGIN CERTIFICATE-----
            -----END CERTIFICATE-----

An example of a file that uses this encoding is here:

https://www.ietf.org/enc/verifybundle.pem

Russ
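The rules in the quoted text, as an added Go example that is not code from Russ Housley's message nor from any STIR implementation: the x5u value must be an https URL, the body must be PEM CERTIFICATE blocks with the RFC 4945 section 6.1 delimiters, the first certificate must hold the key that signed the JWS, and each following certificate must have issued the one before it. Only the Go standard library is used; the hostnames, certificate names and the JWS signing input are constructed for the example, and `buildDemoBundle` makes a throwaway chain so the checks run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// parseX5UBundle decodes the fetched body: PEM CERTIFICATE blocks (RFC 4945 6.1 delimiters), order preserved.
func parseX5UBundle(body []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(body); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("x5u resource contains no certificates")
	}
	return certs, nil
}

// validateX5U applies the quoted rules: https-only URL (the TLS fetch itself is not performed
// here), PEM body, certs[i+1] issued certs[i], certs[0] holds the key that signed signingInput.
// sig is ASN.1 ECDSA (ecdsa.SignASN1); JWS ES256 signatures are raw r||s and need converting.
func validateX5U(rawURL string, body, signingInput, sig []byte) ([]*x509.Certificate, error) {
	if u, err := url.Parse(rawURL); err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("x5u %q is not an https URL", rawURL)
	}
	certs, err := parseX5UBundle(body)
	if err != nil {
		return nil, err
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return nil, fmt.Errorf("certificate %d was not issued by certificate %d: %w", i, i+1, err)
		}
	}
	if err := certs[0].CheckSignature(x509.ECDSAWithSHA256, signingInput, sig); err != nil {
		return nil, fmt.Errorf("first certificate does not hold the signing key: %w", err)
	}
	return certs, nil
}

// signDemo makes the ASN.1 ECDSA/SHA-256 signature validateX5U expects (assumes an ES256-style signer).
func signDemo(key *ecdsa.PrivateKey, signingInput []byte) ([]byte, error) {
	digest := sha256.Sum256(signingInput)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// buildDemoBundle constructs a throwaway root -> intermediate -> signer chain (constructed names,
// P-256 keys) and returns the PEM bundle in x5u order, the same certs root-first, and the signer key.
func buildDemoBundle() ([]byte, []byte, *ecdsa.PrivateKey, error) {
	names := []string{"Demo STIR Root", "Demo STIR Intermediate", "Demo Service Provider"}
	var keys []*ecdsa.PrivateKey
	var chain []*x509.Certificate // built root-first
	for i, cn := range names {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, nil, err
		}
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: i < len(names)-1} // every cert but the last issues the next
		parent, issuerKey := t, k // the root is self-signed
		if i > 0 {
			parent, issuerKey = chain[i-1], keys[i-1]
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &k.PublicKey, issuerKey)
		if err != nil {
			return nil, nil, nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, nil, nil, err
		}
		keys, chain = append(keys, k), append(chain, c)
	}
	var bundle, wrongOrder []byte
	for _, c := range chain {
		block := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
		wrongOrder = append(wrongOrder, block...)
		bundle = append(block, bundle...) // prepend, so the signer's certificate ends up first
	}
	return bundle, wrongOrder, keys[len(keys)-1], nil
}
```

Calling `validateX5U("https://cert.example.net/sp.pem", bundle, input, sig)` with the bundle from `buildDemoBundle` returns the three certificates, signer first; the same call with the root-first body fails at the ordering check, and a `http://` URL is refused before anything is fetched. Two things the quoted text leaves to the verifier are deliberately outside this block: the fetch itself (Go's default `http.Client` already validates the server identity for an https URL, which is what the RFC 6125 requirement asks for) and chaining the last certificate to a configured trust anchor with `x509.Certificate.Verify`, without which an attacker can serve any self-consistent chain at the URL they control.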