]> SIROS Foundation

leifj@siros.org

SEC authzen trust registries Trust registries come in many forms; ETSI trust status lists, OpenID Federation, ledgers. This document describes a simple protocol in the form of a profile of AuthZen that provides a local interface to one or more trust registries. The protocol is mant to be used as a local abstraction layer for any application that needs to evaluate trust. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction Technical trust in systems using asymmetric cryptography often involves binding a name to a public key. One such example is, given an X.509 certificate (as a representative of a public key and name), determining its validity relative to a set of trust anchors by means of PKIX path construction and path validation. In this example the trust registry is the set of trust anchors together with the rules for path validation and construction set down in . The proliferation of distributed identity systems have led to the development of a multitude of trust registries each with their own APIs for querying the registry and rules for evaluating trust. Application developers are often faced with the choice of choosing one of these trust registries which leads to interoperability problems. It is often common for an service to register with multiple trust registries in order to reach all intended audiences. This document describes an API for trust evaluation that is intended to fill a role similar to the stub resolver in the DNS architecture. The API is defined as a profile of . AuthZen is a proposed standard for communicating between an authorization policy enforcement point (PEP) and a policy decision point (PDP).

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This specification uses the terms "PDP" and "PEP" defined by and . A trust registry refers to any service that provides a binding (or mapping) between public keys and names. This is referred to as "name to key" or name-to-key binding.

Endpoints Implementations of this specification MUST provide the /evaluation endpoint and SHOULD also provide the /evaluations and discovery endpoints. The /search endpoint MAY be provided but providing this endpoint may provide significant challenges for this profile and clients MUST NOT assume that it is present.

Authorization Request This profile implements the following semantic: The client (PEP) requests that the server (PDP) authorizes the binding between the name specified by the Subject with the public key specified by the Resource. Optionally the Action is used to constrain the authorization to a specific role that the entity that the public key is bound to must have for the authorization to be approved. The PDP may also attempt to resolve the name into metadata that provides additional information about the name-to-key binding.

Subject Subject is used to represent the name part of the name-to-key binding. The subject datafield MUST be present in requests and MUST contain the following elements:

• id MUST be the name bound to the public key to be validated or resolved
• type MUST be the constant string "key"

Resource The resource datafield MUST be present in requests and MUST contain the following elements:

• id MUST be the name bound to the public key to be validated or resolved. Furthermore, the value of the resource.id element MUST be the same string as in the subject.id element.
• type MAY be present and if present MUST be one of "jwk" or "x5c".
• key If present, MUST be the public key in a format that depends on the type. If type is absent then key MUST NOT be present.

If typeis present then,

• If type is "jwk" then key MUST contain a JWK () format key.
• If type is "x5c" then key MUST contain an array of base64 encoded X.509 certificates formatted according to section 4.7 of .

Some trust registries support unambiguous name-to-key discovery. For such trust registries key and type MAY be elided from the Resource as described above. When type and key is present however, a PDP implementing this specification MUST validate that the key is bound to subject.id even if subject.id is a name bound to a trust registry that supports unambiguous name-to-key discovery. The PDP MAY include additional metadata associated with subject.id in the result. The method by which this is done is an implementation detail but for instance when the subject.id is a "DID" then the resolution MAY be done by the lookup process of a supported DID method. It is RECOMMENDED that PDPs that support such trust registries return the appropriate metadata in the response. Other specifications may define additional key formats in the future.

Action The action datafield MAY be present in requests and SHOULD if present be used to represent the role associated with the name-to-key binding. This is used to distinguish different uses of the same name-to-key binding. For instance the action can be used to request authorization that a X.509 certificate is allowed to act as a TLS server endpoint or as a digital credential issuer. If the action is present then it MUST contain at least the name parameter which MUST contain a string that represents the role. The interpretation of the role depends on the deployment.

Context The context datafield MAY be present in requests but MUST NOT contain information that is critical for the correct processing of the request.

Authorization Response The Authorization Response MAY return metadata associated with subject.id in the response using the trust_metadata field. When the request type is absent then the trust_metadata field SHOULD be present.

Examples (non-normative) The following example is a query to check if a provided certificate chain is bound to the name "did:foo:bla" and is allowed act as a EUDI wallet provider. The following example is a query to check if a provided certificate chain is bound to "www.example.com" and is allowed to act as a TLS server. The following is an example response with no additional context: The following is an example response with trust_metadata that contains an (abbreviated) DID document. The following is an hypothetical response with error messages:

AuthZen Trust as a DID resolver As should be obvious from the specification above, a DID resolver as specified in section 7 of share many properties with this specification. Notable differences is that error handling is slightly different and content negotiation is handled by the PDP which means that DID resolution options (section 7.1.1 of ) isn't needed in this case.

Security Considerations The protocol described in this specification is meant to be used by applications that share a common security domain and it may be perfectly reasonable for deployments of this specification to be deployed without authentication on "localhost" or in situations where security requirements for the protocol is provided elsewhere in the stack. In general implementations of this specification MAY implement authentication for the purpose of authenticating the client (PDP) to the server (PEP) and SHOULD provide a way for the PDP to be authenticated to the client. In addition to the above the security considerations for authentication for AuthZen applies in equal measure to this profile.

IANA Considerations This document has no IANA actions.

References Normative References Aserto Axiomatics SGNL A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK] JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data. This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions. This document obsoletes RFC 6125. Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory National Institute of Standards and Technology

US Gaithersburg

Overxeer Entrust n.d.

Acknowledgments TODO acknowledge.