Independent Submission                                         S. Turner
Request for Comments: 7169                                    IECA, Inc.
Category: Informational                                     1 April 2014
ISSN: 2070-1721
        
Independent Submission                                         S. Turner
Request for Comments: 7169                                    IECA, Inc.
Category: Informational                                     1 April 2014
ISSN: 2070-1721
        

The NSA (No Secrecy Afforded) Certificate Extension

NSA(不提供保密)证书扩展

Abstract

摘要

This document defines the NSA (No Secrecy Afforded) certificate extension appropriate for use in certain PKIX (X.509 Pubic Key Certificates) digital certificates. Historically, clients and servers strived to maintain the privacy of their keys; however, the secrecy of their private keys cannot always be maintained. In certain circumstances, a client or a server might feel that they will be compelled in the future to share their keys with a third party. Some clients and servers also have been compelled to share their keys and wish to indicate to relying parties upon certificate renewal that their keys have in fact been shared with a third party.

本文档定义了适用于某些PKIX(X.509公钥证书)数字证书的NSA(无保密)证书扩展。历史上,客户机和服务器努力维护其密钥的隐私;然而,他们的私钥不能总是保密的。在某些情况下,客户机或服务器可能会觉得他们将来将被迫与第三方共享密钥。一些客户端和服务器还被迫共享其密钥,并希望在证书续订时向依赖方表明其密钥实际上已与第三方共享。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7169.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7169.

Copyright Notice

版权公告

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2014 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

1. Introduction
1. 介绍

Insecurity abounds when clients and servers are unable to keep their private keys private. Situations exist nonetheless where client and servers have shared their private keys with a third party. An example of over-sharing might be lawful intercept.

当客户端和服务器无法将其私钥保持为私钥时,就会产生不安全感。尽管如此,仍然存在客户机和服务器与第三方共享其私钥的情况。过度共享的一个例子可能是合法拦截。

Just because the private key has been shared does not mean that the private key holder wants to conceal the fact they have shared their private key with a third party. Overtly indicating that the private key may be or has been shared with a third party is the best way to indicate to relying parties that this sharing has occurred. Knowledge is power, after all. Extensions for certificates [RFC5280] offer an excellent mechanism to indicate that the entities key(s) have been shared, and this document specifies one such certificate extension for use by entities that have shared their private key: the NSA (No Secrecy Afforded) certificate extension.

私钥被共享并不意味着私钥持有者想要隐瞒他们与第三方共享私钥的事实。公开表明私钥可能或已经与第三方共享是向依赖方表明已发生这种共享的最佳方式。毕竟,知识就是力量。证书扩展[RFC5280]提供了一种很好的机制来指示实体密钥已共享,本文档指定了一个此类证书扩展,供共享私钥的实体使用:NSA(无保密)证书扩展。

2. The NSA Certificate Extension
2. NSA证书扩展

In order to allow entities that have shared their keys with a third party, the NSA certificate extension is defined herein. ASN.1 [X.680] for the extension follows:

为了允许与第三方共享其密钥的实体,本文定义了NSA证书扩展。ASN.1[X.680]的扩展如下:

   ext-KeyUsage EXTENSION ::= { SYNTAX
         BOOLEAN  IDENTIFIED BY id-pe-nsa }
        
   ext-KeyUsage EXTENSION ::= { SYNTAX
         BOOLEAN  IDENTIFIED BY id-pe-nsa }
        
   id-pe-nsa OBJECT IDENTIFIER ::=  { id-pe 23 }
        
   id-pe-nsa OBJECT IDENTIFIER ::=  { id-pe 23 }
        

Making the boolean TRUE indicates that the key has been shared with a third party, and making the extension FALSE indicates that the key may have also been shared with a third party but the signer does not want to overtly indicate that the key has been shared. This extension is always marked critical.

将布尔值设为TRUE表示密钥已与第三方共享,将扩展名设为FALSE表示密钥也可能已与第三方共享,但签名者不希望公开表示密钥已共享。此扩展始终标记为关键。

3. Security Considerations
3. 安全考虑

Having to disclose keys is sometimes unavoidable. Explicitly indicating that the keys have been shared is one way to mitigate the risk that the relying party might be unaware of this over share. Whatever the case for having shared the keys, the certificate signer needs to careful consider whether to include this extension.

有时不得不透露钥匙是不可避免的。明确指出密钥已共享是减轻依赖方可能不知道这种过度共享的风险的一种方法。无论共享密钥的情况如何,证书签名者都需要仔细考虑是否包括这个扩展。

Any key with this extension must be trusted with care. Lengthy deliberations about whether to trust the keys is necessary. Rushing a security analysis is never a good thing. Ultimately, the keys need not be trusted. Secrecy is hard.

必须小心信任具有此扩展名的任何密钥。关于是否信任密钥的冗长讨论是必要的。匆忙进行安全分析从来都不是一件好事。最终,密钥不需要被信任。保密很难。

4. Normative References
4. 规范性引用文件

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 52802008年5月。

[X.680] ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, 2002.

[X.680]ITU-T,“信息技术-抽象语法符号1(ASN.1):基本符号规范”,ITU-T建议X.680(2002)| ISO/IEC 8824-1:2002。

Author's Address

作者地址

Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA

Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031

   EMail: turners@ieca.com
   XMPP:  sean.turner@jabber.psg.com
        
   EMail: turners@ieca.com
   XMPP:  sean.turner@jabber.psg.com