]> Entrust Limited

2500 Solandt Road -- Suite 100 Ottawa, Ontario K2K 3G5 Canada mike.ounsworth@entrust.com

Entrust - nCipher Security Limited

One Station Square Cambridge CB1 2GA United Kingdom richard.kettlewell@entrust.com

CRYPTO4A

1550 Laperriere Ave Ottawa, On K1Z 7T2 Canada bruno@crypto4a.com

CRYPTO4A

1550 Laperriere Ave Ottawa, On K1Z 7T2 Canada jp@crypto4a.com

Security LAMPS Internet-Draft This document describes syntax for conveying key origin attestation information to a Certification Authority (CA) or other entity, so that they may decide how much trust to place in the management private of the key, for example to support a decision about whether to issue a certificate. In contrast to other key attestation formats, the one defined in this document requires only ASN.1 and the standard PKIX modules. Status information for this document may be found at . Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME (lamps) Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Key attestion refers to the originator of a cryptographic key pair providing information about the provenance of that key pair, in a manner that can be cryptographically verified. The information provided may include, for example, the model and identity of the device that created the key pair and any policies that may be enforced upon the use of the private key, contained in a cryptographic envelope that can be chained to a manufacturing public key of the device vendor. This information can be used by a Certification Authority (CA) to decide whether to issue a certificate, to apply a given policy or certificate template, or by other entities for their own purposes. The CA may choose to publish some or all of the key attestation data in the certificate for the use of parties that will rely on this certificate. Many devices, including Hardware Security Modules, provide attestation information of some form in proprietary formats. A common syntax for key attestations is required to reduce the implementation burden on CA implementors and operators. Furthermore it is desirable that the syntax is sympathetic to existing CA implementations.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP14 when, and only when, they appear in all capitals, as shown here.

Cryptographic Keys This section describes the cryptographic keys referenced in this document.

Trust Anchor Key A trust anchor key is a signing key held by a vendor. For the purposes of this document, a trust anchor may be a proper Trust Anchor as defined in , or a root certification authority as defined in . It is used either to directly sign device identity keys as defined in or to sign intermediate CA keys. A trust anchor key MUST be associated with a vendor identity. Constraints: A trust anchor key MUST only be used for purposes consistent with signing intermediate CA keys or devices (i.e. signing delegation certificates, CRLs, etc).

Intermediate CA Key An intermediate CA key is a signing key held by a vendor and certified by that vendor's trust anchor. It can be used for one of two purposes: to certify device identity keys (see section ) by signing device identity certificates (see section ) to certify further intermediate CA keys The exact configuration and management of trust anchor keys and intermediate CA keys is beyond the scope of this document. An example configuration is that a vendor have an offline trust anchor, and an intermediate CA in each of its manufacturing sites, certified by the trust anchor key when a manufacturing site is created or during maintenance or recovery activities. It may be impossible recertify a device after manufacture, and it may be impossible for a manufacturer to know when a device has been retired from use. Therefore: an intermediate CA need not track and public revocation information intermediate CA keys MAY have a expiration date of 99991231235959Z ( section 4.1.2.5). Constraints: An intermediate CA key MUST only be used for purposes consistent with certifying intermediate CA keys (i.e. signing delegation certificates, CRLs, etc) or devices.

Device Identity Key A device identity key is a signing key held by a device. It is assumed that the key is unique to the device and cannot be extracted or used for any purpose other than the ones listed below. It is envisaged that this key will persist for the lifetime of the device. It can be used for one of two purposes: to sign key attestations directly to sign device delegation certificates (see section ), which are used to certify device certification subkeys (see section ). Constraints: A device identity key MUST NOT be used for any purpose other than signing key attestation certificates or device delegation certificates.

Device Certification Subkey A device certification key is a signing key held by a device. It is assumed that the key is unique to the device and cannot be extracted or used for any purpose other than the ones listed below. Depending on the device architecture, it may also be limited to a particular context or partition of the device; in this case it is assumed to be unique to the particular context. A device certification key may have any lifetime, from single use to the lifetime of the device. It can be used for one of two purposes: to sign key attestations directly to sign further device delegation certificates. Constraints: A device certification subkey MUST NOT be used for any purpose other than signing key attestation certificates (see section ) or device delegation certificates (see section ).

Application Key An application key is a key created and managed by a device (excluding the device identity key and device certification subkey described above). Its purpose and lifetime are arbitrary - in other words, it can be used for any purpose a user of the device wishes. (MikeO: maybe I'm a noob here, but the distinction between this an a Device Certification Subkey could be stated more clearly. Maybe the distinction "This is envisioned for cases where a device needs an attested key which may be used for arbitrary purposes".) (RJK: it's not really about what the device desires - these are the keys that we are trying to attest the origin of. The user has some higher-level purpose, e.g. code signing, which requires them to define a code signing key and attest to its origins in an HSM; from the point of view of this spec, their code-signing key is an application key. Keeping this comment open in the hope we can find a clear way of articulating this.)

Key Attestations A verifier is an entity which wishes to verify the origin of a key, based on its trust in a trust anchor. For example, it could be a certificate authority with an operational constraint that it only certifies hardware-protected keys.

Key Attestation Bundle A key attestation consists of a nonempty sequence of certificates, containing key attestation extensions as described below. Specifically, a key attestation consists of: Zero or more intermediate certificates (see section ) Exactly one device identity certificate (see section ) Zero or more device delegation certificates (see section ) Exactly one key attestation certificate (see section ) The first certificate (whether it is an intermediate certificate or the device identity certificate) is signed by a trust anchor key. A verifier must decide through its own policies and processes which trust anchors keys to trust and what policies to accept in key attestations certified by them. A trust anchor key MUST be associated with a vendor identity. Constraints: A verifier MUST verify that each certificate is well-formed (except that expiry and revocation information need not be present) A verifier MUST verify that the first certificate is signed by a trust anchor key A verifier MUST verify that each certificate, apart from the first, is certified by the previous certificate in the key attestation. A verifier MUST verify that the ordering of certificates is as described above.

Intermediate CA Certificate An intermediate CA delegation certificate certifies an intermediate CA. Apart from the absence of any constraints on expiry time and revocation, it is little different from any other intermediate CA's certificate. It MUST have the basic constraints extension with the cA boolean set to true. It MAY have the pathLenConstraint, and there is no change to the interpretation this field. Therefore, if it is present, it must permit sufficiently many following certificates to account for certificates signed by the device i.e. device identity certificates (see section ) and device delegation certificates (see section ). It MUST NOT have any of the extensions defined in the following sections (, and ). A verifier may detect an intermediate CA delegation by the presence of a true cA boolean and the absence of these extensions. Constraints: A verifier MUST honor pathLenConstraint if present. There may be any number of intermediate CA certificates, including 0.

Device Identity Certificate A device identity certificate certifies a specific device by binding its public device identity key (defined in ) to a vendor-specific representation of device identity such as vendor name, model, and serial number. For a hardware device, it is envisaged that a manufacturing facility will use its trust anchor or intermediate CA to sign a device identity certificate for each device as it is manufactured. A device identity certificate MUST contain a DeviceInformation extension, identified by id-device-information. This extension contains the vendor identity, device model and device serial. Together these are called the device identity and MUST uniquely define a particular device.

• EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see .

A device identity certificate MUST have the basic constraints extension with the cA boolean set to true (since the device is acting as a CA). No significance is attached to the subject field of a device identity certificate. Constraints: A verifier MUST reject any key attestation that does not contain exactly one device identity certificate. A verifier MUST reject any device identity certificate whose vendor identity as indicated in the vendor field does not match the one associated with the trust anchor used to verify the key attestation. Two distinct devices from the same vendor MUST NOT have the same device identity, i.e. they must have different values for at least one field of DeviceIdentity. Two distinct devices MUST NOT have the same device identity key. As a matter of interpretation, it is envisaged that the uniquess requirement on device identity keys (and all other keys in this specification) is achieved by generating keys of adequate size, using a cryptographically secure pseudorandom number generators, rather than by maintaining an industry-wide database of all device identity keys.

Device Delegation Certificate A device delegation certificate certifies that a specific certification subkey (defined in ) belongs to a specific device by binding it to a vendor-specific representation of the device and the subkey's purpose. It is envisaged that a single hardware device may have multiple certification subkeys each being restricted to, for example, a single partition or application context. The device may create new certification subkeys and therefore new device delegation certificates over time, for instance when the device is re-initialized, or if the device supports dynamic creation of users or application contexts and needs to create distinct certification subkeys for each. A device delegation certificate MUST contain a DeviceSubkeyInformation extension, identified by id-device-subkey-information. This contains the vendor identity, device model, device serial and key purpose. Note that this does not uniquely define the certification subkey.

• EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see .

The meaning of the purpose field is entirely dependent on the device. It MUST have the basic constraints extension with the cA boolean set to true (since the device is acting as a CA). No significance is attached to the subject field of a device delegation certificate. Constraints: A verifier MUST reject any device delegation certificate whose device identity as indicated in the vendor, model and serial fields does not match the values from the device identity certificate. The purpose field may have any value. Two device delegation certificates signed by the same key MAY have the same purpose field.

Key Attestation Certificate A key attestation certificate certifies that an application key was created in a particular device and is managed according to a particular policy. A key attestation certificate MUST contain a ApplicationKeyInformation extension identified by id-application-key-information. This contains the vendor identity, device model, device serial, key use policy (see ) and vendor-specific information.

• EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see .

MikeO: I don't fully grok how the policy will be used. Should it be a list (SEQUENCE of OBJECT IDENTIFIER)? Can it be empty? If the key attestation certificate contains the basic constraints extension then it MUST have the cA boolean set to false. No significance is attached to the subject field of a key attestation certificate. Constraints: A verifier MUST reject any key attestation certificate whose device identity as indicated in the vendor, model and serial fields does not match the values from the device identity certificate. A verifier MUST reject any key attestation certificate whose policy is not in their list of acceptable policies.

Vendor-Specific Information The ApplicationKeyInformation.vendorInfo field of the key attestation certificate MAY contain any octet string (including the empty string). The interpretation is up to the vendor. For example, it may be used to convey information about how the key was generated or a vendor-specific description of the policies that govern its use.

Key Use Policies Key attestation certificates contain object identifiers describing the policies that the device will enforce upon the device's use of the application key. For example id-policy-signature-only indicates that the key may only be used to make signatures (and not to decrypt, as would be possible for an RSA key). (MikeO: nitpick I would say "describing policies surrounding the use of the application key." I'm just thinking that, for example, the device can't control whether some dumb client decides to encrypt for your RSA sig-only key, so in that case the policy OID is as much for the client as for the device itself. Also has "application key" been defined in this document, or should we use one of the existing terms?). *RJK: I've clarified that it's for the private half of the application key, so we're not claiming we can control encrypt/verify. Leaving this open for now to check that's what you mneant. MikeO: I've changed it again from "... enforce upon the use of the private half of the application key" to "... enforce upon the decive's use of the application key". Is that ok? *(MikeO: I wonder if we could just borrow and tweak wording from RFC 5280's Policy OIDs section: In a key attestation certificate, policy object identifiers indicate the policy under which the certificate has been issued and the purposes for which the certificate may be used. ... these are placed within the ApplicationKeyInformation extension of the key attestation certificate, and not it its `certificatePolicies extension (cite 5280 4.2.1.4) because ... )* Note that these are OIDs describing policies within the key attestation ecosystem and are unrelated to the certificate policy OIDs defined in section 4.2.1.4. (MikeO: it seems weird to say "These are unrelated to X.509 policy OIDs", and then give the example id-policy-signature-only which, at first glance, looks like it's basically an X.509 KeyUsage.) *RJK: I see where you're coming from - I'll have a look at what we can do with KeyUsage, and come back to the other stuff about key policies if nothing else changes.

Key Use Policy Variants Each of the policies described below has two variants. In the first, the policy means that a key may be used only in certain ways, and this cannot be overidden even by an administrator. In the second, the policy means that a key may normally be used only in certain ways, but that an authorized administrator may override this in some way (for example, in order to facilitate disaster recovery). For example, for a CA processing a key attestation bundle in a certificate request, normally only the first variant (no administrative override) would be acceptable. If the application key is lost then the application key owner can be expected to generate a new key and certify it. There is no need to recover the old key. *(MikeO: I'm not sure I see the connection between the last two sentences and the first one above. Maybe need to make the connection clearer between losing your key, and key use policies, like mention above that non-exportability is one of the important policies?) In other use cases, the weaker policy may be more appropriate.

Signature-Only Policy This policy is identified by id-policy-signature-only. It means that the private key may only be used for signature, and MAY NOT be exported in plaintext outside the device. (MikeO: for clarity, maybe name this id-keyattest-policy-sig-non-exportable or something like that?)

Signature-Only Policy with Administrator Override This policy is identified by TODO. It means that the private key may normally only be used for signature (MikeO: and MAY NOT be exported?), but that an authorized administrator may override this in some way.

Vendor-Defined Key Use Policies A vendor may define policies outside the list described in the list document, for example reflecting policies not envisaged by this document or to cover device-specific functionality. For example they may describe a policy in terms of their device's proprietary policy or access control syntax# and publish an OID reflecting that policy. A verifier MUST NOT accept such a vendor-defined policy unless they fully understand the intended meaning. (MikeO: This description reinforces a question I asked above about whether this should allow a list of policies?) *RJK: Probably yes, then we don't have to have a sign-and-decrypt policy.

Embedding Key Attestations in Certification Requests A convenient way to convey a key attestation is to embed it into a certification request. This may be done via the AttestationBundle extension, identified by the OID id-attestation-bundle. Constraints: A certification request SHOULD only have one embedded key attestation. A CA MUST follow meet all the constraints on verifiers described above. A CA MUST verify that the subject public key in the certification request is the same as the subject public key in the key attestation certificate. *RJK TODO tidy up all this section (MikeO: We'll need to be explicit about how to bundle this into a Attribute. Do we need an OID for the type? I assume the values is straight-forward: it'll be a single item, which is the OCTET STRING of the AttestationBundle? Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { type ATTRIBUTE.&id({IOSet}), values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } )

• EDNOTE: this is a temporary OID for the purposes of prototyping. We are requesting IANA to assign a permanent OID, see .

Implementation Considerations ... TODO document any (non-security) GOTCHAs ...

IANA Considerations The following Object Identifiers are to be assigned by IANA:

• TODO: suggest to IANA which public arc we want these in (these are just placeholders).

*RJK: the OIDs are assigned by a free OID assignment service. If I can have something under Entrust then I'll replace them with that.

Security Considerations

Key Use Constraints The key use constraints describe above are essential. For example if a device identity key could be used by a user to sign arbitrary messages, that user could forge key attestations.

Verification Model An API that verifies a key attestion may be designed in a number of different ways. It may accept just a key attestation. It will verify it, and return either an error indicator or the public trust anchor key, vendor identity, public application key, and the policy governing is use. The caller must check at least that the trust anchor key is acceptable; the vendor identity from the key attestation matches the one associated with the trust anchor; and that the policy is acceptable, before using the application key. If the caller is running in a context where there are multiple copies of the application key (for example, the certification request verification described in it must also check that all copies of the appcalition key match. It may accept a key attestation, trust anchor, vendor identity and at least one acceptable policy. It will verify the key attestation using the trust anchor, and check that the vendor identities in the key attestation match the trust anchor, and check that the policy is acceptable. It will return either an error indicator or the application key. If the caller is running in a context where there are multiple copies of the application key then it must also check that all copies of the appcalition key match. Apart from that it can use the application key without further checks. It may accept a key attestation, trust anchor, vendor identity, application key and at least one acceptable policy. It will verify the key attestation using the trust anchor, and check that the vendor identities in the key attestation match the trust anchor, check that the policy is acceptable, and that the application key is the expected value. It will return either an error or a success indicator. The caller can use the application key without further checks. In all of these models the same set of checks must be done, but in the first two some of the checks are delegated to the caller. The advantage of the later models is that they are more robust against the caller ommitting some of the necessary checks. For a publicly available API this robustness is particularly appropriate.

Policies with Administrator Override No attempt is made to define the scope of administrator override in policies which include it. Depending on the device it may mean that, for example, a signature-only RSA key could additional be given decrypt permission, or it could mean that private key material could be exploited in plaintext. The range of possibilities is to broad to tie down in a device-independent specification. It should be noted that placing trust in a key does mean generally placing trust in the operators and administrators of the device that contains it, even without any possibilty of administrator override of the policy governing its use. For example there is nothing in the signature-only policy to prevent a key owner exposing a signature oracle for their key, allowing anyone to sign with it. In other words, verifiers should not place undue weight on the distinction between the two classes of policy.

Uniqueness of Keys It's generally assumed that all keys are unique. This is the expected outcome for properly generated cryptographic keys, and while a collision is in principle possible by chance, it's much more likely that a collision indicates a failure in the key generation process (for example, ).

&RFC2986; &RFC5280; &RFC5914; &RFC8411; ITU-T &RFC2119; &RFC8174; Debian Project

Samples ... either place samples here inline, or reference a github. I've got a script I've used in other I-Ds to inline include files, if that's useful here.

ASN.1 Module ... any ASN.1 that we are defining goes here ...

Intellectual Property Considerations ... mention any IP considerations here ...

Contributors and Acknowledgements This document incorporates contributions and comments from a large group of experts. The Editors would especially like to acknowledge the expertise and tireless dedication of the following people, who attended many long meetings and generated millions of bytes of electronic mail and VOIP traffic over the past year in pursuit of this document: ... list of helpful people ... We are grateful to all, including any contributors who may have been inadvertently omitted from this list. This document borrows text from similar documents, including those referenced below. Thanks go to the authors of those documents. "Copying always makes things easier and less error prone" - .