Network Working Group C. Adams
Request for Comments: 3029 Entrust Technologies
Category: Experimental P. Sylvester
EdelWeb SA - Groupe ON-X Consulting
M. Zolotarev
Baltimore Technologies Pty Limited
R. Zuccherato
Entrust Technologies
February 2001
Internet X.509 Public Key Infrastructure
Data Validation and Certification Server Protocols
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document describes a general Data Validation and Certification
Server (DVCS) and the protocols to be used when communicating with
it. The Data Validation and Certification Server is a Trusted Third
Party (TTP) that can be used as one component in building reliable
non-repudiation services.
Useful Data Validation and Certification Server responsibilities in a
PKI are to assert the validity of signed documents, public key
certificates, and the possession or existence of data.
Assertions created by this protocol are called Data Validation
Certificates (DVC).
We give examples of how to use the Data Validation and Certification
Server to extend the lifetime of a signature beyond key expiry or
revocation and to query the Data Validation and Certification Server
regarding the status of a public key certificate. The document
includes a complete example of a time stamping transaction.
Adams, et al. Experimental [Page 1]
RFC 3029 DVCS Protocols February 2001
Table of Contents
1. Introduction ................................................. 2
2. Services provided by DVCS .................................... 4
2.1 Certification of Possession of Data ........................ 4
2.2 Certification of Claim of Possession of Data ............... 4
2.3 Validation of Digitally Signed Documents ................... 4
2.4 Validation of Public Key Certificates ...................... 5
3. Data Certification Server Usage and Scenarii ................. 5
4. Functional Requirements for DVCS ............................. 7
5. Data Certification Server Transactions ....................... 7
6. Identification of the DVCS ................................... 8
7. Common Data Types ............................................ 9
7.1 Version .................................................... 9
7.2 DigestInfo ................................................. 10
7.3. Time Values ............................................... 10
7.4. PKIStatusInfo ............................................. 11
7.5. TargetEtcChain ............................................ 11
7.6. DVCSRequestInformation .................................... 12
7.7. GeneralName and GeneralNames .............................. 13
8. Data Validation and Certification Requests ................... 13
9. DVCS Responses ............................................... 17
9.1. Data Validation Certificate ............................... 18
9.2. DVCS Error Notification ................................... 21
10. Transports .................................................. 22
10.1 DVCS Protocol via HTTP or HTTPS ........................... 22
10.2 DVCS Protocol Using Email ................................. 22
11. Security Considerations ..................................... 23
12. Patent Information .......................................... 23
13. References .................................................. 25
14. Authors' Addresses .......................................... 26
APPENDIX A - PKCS #9 Attribute .................................. 27
APPENDIX B - Signed document validation ......................... 27
APPENDIX C - Verifying the Status of a Public Key Certificate ... 28
Appendix D - MIME Registration .................................. 30
Appendix E - ASN.1 Module using 1988 Syntax ..................... 31
Appendix F - Examples ........................................... 34
Appendix G - Acknowledgements ................................... 50
Full Copyright Statement ........................................ 51
1. Introduction
This document is the result of work that has been proposed and
discussed within the IETF PKIX working group. The authors and some
members of the group felt that promoting the rather new concepts into
the standards process seemed premature. The concepts presented have
been stable for some time and partially implemented. It was agreed
that a publication as experimental RFC was an appropriate means to
Adams, et al. Experimental [Page 2]
RFC 3029 DVCS Protocols February 2001
get a stable reference document to permit other implementations to
occur.
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
as shown) are to be interpreted as described in [RFC2119].
A Data Validation and Certification Server (DVCS) is a Trusted Third
Party (TTP) providing data validation services, asserting correctness
of digitally signed documents, validity of public key certificates,
and possession or existence of data.
As a result of the validation, a DVCS generates a Data Validation
Certificate (DVC). The data validation certificate can be used for
constructing evidence of non-repudiation relating to the validity and
correctness of an entity's claim to possess data, the validity and
revocation status of an entity's public key certificate and the
validity and correctness of a digitally signed document.
Services provided by a DVCS do not replace the usage of CRLs and OCSP
for public key certificate revocation checking in large open
environments, due to concerns about the scalability of the protocol.
It should be rather used to support non-repudiation or to supplement
more traditional services concerning paperless document environments.
The presence of a data validation certificate supports
non-repudiation by providing evidence that a digitally signed
document or public key certificate was valid at the time indicated in
the DVC.
A DVC validating a public key certificate can for example be used
even after the public key certificate expires and its revocation
information is no longer or not easily available. Determining the
validity of a DVC is assumed to be a simpler task, for example, if
the population of DVCS is significantly smaller than the population
of public key certificate owners.
An important feature of the protocol is that DVCs can be validated by
using the same protocol (not necessarily using the same service), and
the validity of a signed document, in particular a DVC, can also be
determined by means other than by verifying its signature(s), e.g.,
by comparing against an archive.
The production of a data validation certificate in response to a
signed request for validation of a signed document or public key
certificate also provides evidence that due diligence was performed
by the requester in validating a digital signature or public key
certificate.
Adams, et al. Experimental [Page 3]
RFC 3029 DVCS Protocols February 2001
This document defines the use of digital signatures to insure the
authenticity of documents and DVCs, and uses a corresponding
terminology; the use of other methods to provide evidence for
authenticity is not excluded, in particular it is possible to replace
a SignedData security envelope by another one.
2. Services provided by DVCS
The current specification defines 4 types of validation and
certification services:
- Certification of Possession of Data (cpd),
- Certification of Claim of Possession of Data (ccpd),
- Validation of Digitally Signed Document (vsd), and
- Validation of Public Key Certificates (vpkc).
A DVCS MUST support at least a subset of these services. A DVCS may
support a restricted vsd service allowing to validate data validation
certificates.
On completion of each service, the DVCS produces a data validation
certificate - a signed document containing the validation results and
trustworthy time information.
2.1 Certification of Possession of Data
The Certification of Possession of Data service provides evidence
that the requester possessed data at the time indicated and that the
actual data were presented to the Data Validation Server.
2.2 Certification of Claim of Possession of Data
The Certification of Claim of Possession of Data service is similar
to the previous one, except that the requester does not present the
data itself but a message digest.
2.3 Validation of Digitally Signed Documents
The Validation of Digitally Signed Document service is used when
validity of a signed document is to be asserted.
The DVCS verifies all signatures attached to the signed document
using all appropriate status information and public key certificates.
The DVCS verifies the mathematical correctness of all signatures
attached to the document and also checks whether the signing entities
can be trusted, for example by validating the full certification path
from the signing entities to a trusted point (e.g., the DVCS's CA, or
the root CA in a hierarchy).
Adams, et al. Experimental [Page 4]
RFC 3029 DVCS Protocols February 2001
The DVCS may be able to rely on relevant CRLs or may need to
supplement this with access to more current status information from
the CAs for example by accessing an OCSP service, a trusted directory
service, or other DVCS services.
The DVCS will perform verification of all signatures attached to the
signed document. A failure of the verification of one of the
signatures does not necessarily result in the failure of the entire
validation, and vice versa, a global failure may occur if the
document has an insufficient number of signatures.
2.4 Validation of Public Key Certificates
The Validation of Public Key Certificates service is used to verify
and assert the validity (according to [RFC2459]) of one or more
public key certificates at the specified time.
When verifying a public key certificate, the DVCS verifies that the
certificate included in the request is a valid certificate and
determines its revocation status at a specified time. DVS checks the
full certification path from the certificate's issuer to a trusted
point. Again, the DVCS MAY be able to rely on external information
(CRL, OCSP, DVCS).
3. Data Certification Server Usage and Scenarii.
It is outside the scope of this document to completely describe
different operational scenarii or usages for DVCS.
See Appendix B and C for a set of some basic examples and use cases.
The Validate Signed Document service can be used to support non-
repudiation services, to allow use of the signed document beyond
public key certificate revocation or expiry, or simply to delegate
signature validation to a trusted central (company wide) service.
The Validate Public Key Certificate service can be used when timely
information regarding a certificate's revocation status is required
(e.g., high value funds transfer or the compromise of a highly
sensitive key) or when evidence supporting non-repudiation is
required.
A data validation certificate may be used to simplify the validation
of a signature beyond the expiry or subsequent revocation of the
signing certificate: a Data validation certificate used as an
authenticated attribute in a signature includes an additional
Adams, et al. Experimental [Page 5]
RFC 3029 DVCS Protocols February 2001
assertion about the usability of a certificate that was used for
signing. In order to validate such a signature it may be sufficient
to only validate the data validation certificate.
A DVCS may include additional key exchange certificates in a data
validation certificate to validate a key exchange certificate in
order to provide to an application a set of additional authorised
recipients for which a session key should also be encrypted. This
can be used for example to provide central management of a company
wide recovery scheme. Note, that the additional certificates may not
only depend on the requested certificate, but also on the requester's
identity.
The Certification of Claim of Possession of Data service is also
known as time stamping.
The Certification of Possession of Data service can be used to assert
legal deposit of documents, or to implement archival services as a
trusted third party service.
The Data Validation and Certification Server Protocols can be used in
different service contexts. Examples include company-wide
centralised services (verification of signatures, certification of
company certificates), services to cooperate in a multi-organization
community, or general third party services for time stamping or data
archival.
An important application of DVCS is an enterprise environment where
all security decisions are based on company wide rules. A company
wide DVCS service can be used to delegate all technical decisions
(e.g., path validation, trust configuration) to a centrally managed
service.
In all cases, the trust that PKI entities have in the Data Validation
and Certification Server is transferred to the contents of the Data
Validation Certificate (just as trust in a CA is transferred to the
public key certificates that it issues).
A DVCS service may be combined with or use archiving and logging
systems, in order to serve as a strong building block in non-
repudiation services. In this sense it can be regarded as an
Evidence Recording Authority [ISO-NR].
Adams, et al. Experimental [Page 6]
RFC 3029 DVCS Protocols February 2001
4. Functional Requirements for DVCS
The DVCS MUST
1. provide a signed response in the form of a data validation
certificate to the requester, as defined by policy, or an error
response. The DVCS service definition and the policy define how
much information that has been used by the DVCS to generate the
response will be included in a data validation certificate, e.g.,
public key certificates, CRLs, and responses from other OCSP
servers, DVCS, or others.
2. indicate in the data validation certificate whether or not the
signed document, the public key certificate(s), or the data were
validated, and, if not, the reason why the verification failed.
3. include a strictly monotonically increasing serial number in each
data validation certificate.
4. include a time of day value or a time stamp token into each data
validation certificate.
5. sign each data certification token using a key that has been
certified with a dvcs signing extended key purpose, and include a
reference to this certificate as a signed attribute in the
signature.
6. check the validity of its own signing key and certificate before
delivering data validation certificates and MUST not deliver data
validation certificate in case of failure.
A DVCS SHOULD include within each data validation certificate a
policy identifier to determine the trust and validation policy used
for DVC's signature.
5. Data Certification Server Transactions
A DVCS transaction begins with a client preparing a Data Validation
and Certification Request. The request always contains data for
which validity, correctness or possession is to be certified.
The request MAY be encapsulated using a security envelope to provide
for authentication of both requester and server. Requester
authentication can be achieved by several of the formats described in
CMS, in particular, signedData.
Adams, et al. Experimental [Page 7]
RFC 3029 DVCS Protocols February 2001
The DVCS client chooses an appropriate transport mechanism to convey
the requests to a DVCS. It may also be necessary to choose a
transport mechanism providing confidentiality and, in particular,
allowing authentication of the DVCS by the requestor, e.g., TLS or
CMS or S/MIME encryption.
If the request is valid, the DVCS performs all necessary
verifications steps, and generates a Data Validation Certificate
(DVC), and sends a response message containing the DVC back to the
requestor.
The Data Validation Certificate is formed as a signed document (CMS
SignedData).
As with the request, it may be necessary to choose a transport
mechanism that provides for confidentiality to carry the DVC. DVCs
are not necessarily transported the same way as requests, e.g., they
can be returned using e-mail after an online request received via
HTTPS.
If the request was invalid, the DVCS generates a response message
containing an appropriate error notification.
Upon receiving the response, the requesting entity SHOULD verify its
validity, i.e., whether it contains an acceptable time, the correct
name for the DVCS, the correct request information and message
imprint, a valid signature, and satisfactory status, service and
policy fields.
When verifying the validity of a DVC, it is up to the requestor's
application to check whether a DVCS's signing certificate is valid.
Depending on the usage environment, different methods, online or out
of band, e.g., CRLs, DVCS, or OCSP, may have to be used.
After all checks have passed, the data validation certificate can be
used to authenticate the correctness or possession of the
corresponding data.
A DVCS may return more than one DVC corresponding to one request. In
this case, all but one request have a global status of 'WAITING'.
6. Identification of the DVCS
In order to be able to import elements from dvcs the following object
identifier is used as a ASN.1 module identifier.
The DVCS that use SignedData to provide authentication for DVCs MUST
sign all data certification messages with a key whose corresponding
certificate MUST contain the extended key usage field extension as
defined in [RFC2459] Section 4.2.1.14 with KeyPurposeID having value
id-kp-dvcs. This extension MUST be marked as critical.
The Data Validation Certificate MUST contain an ESSCertID
authenticated attribute for the certificate used by the DVCS for
signing.
A DVCS's certificate MAY contain an Authority Information Access
extension [RFC2459] in order to convey the method of contacting the
DVCS. The accessMethod field in this extension MUST contain the OID
id-ad-dvcs:
The value of the 'accessLocation' field defines the transport (e.g.,
an URI) used to access the DVCS.
7. Common Data Types
There are several common data types that occur in the request and the
response data structures. These data types are either defined by
this document or imported from other sources. This chapter defines
and describes these types and lists their usages.
7.1 Version:
The request and the response include an optional integer field
specifying the version of the data structure. For both fields the
value is 1, or the field is not present at all in this version of the
protocol.
Adams, et al. Experimental [Page 9]
RFC 3029 DVCS Protocols February 2001
7.2 DigestInfo:
This element is defined in [RFC2315]. Since the status of that
document is informational, the definition is repeated here:
The fields of type DigestInfo have the following meanings:
- The field 'digestAlgorithm' identifies the message-digest algorithm
(and any associated parameters) under which data are digested.
- The field 'digest' is the result of the message-digesting process.
A DigestInfo is used in two places:
- as a data portion for the ccpd service, and
- in all a data validation certificates to hold a digest of the data
portion of the corresponding request or a copy of the data field
for a ccpd service.
7.3. Time Values
Indicators of time can be present in requests and responses. In the
most simple form, the time is represented as GeneralizedTime where
fractions of seconds are allowed.
An alternate form is a timeStampToken from a TSA, or as a DVC (or
some other token) from another third party service.
It is a matter of policy whether a DVCS tries to interpret or
validate a Time Value in a request.
Future versions of the protocol MAY include additional time formats.
Time values generated by the DVCS are increasing but not necessarily
unique, an order among DVCs is defined by serial numbers.
Adams, et al. Experimental [Page 10]
RFC 3029 DVCS Protocols February 2001
7.4. PKIStatusInfo
This structure is defined in [RFC2510]. It is used as component of
the 'chain' field of a TargetEtcChain structure, and as a global
status indicator in the DVCSResponse structure. Every occurrence of
PKIStatusInfo is generated by the responding DVCS to reflect the
result of some local verification.
7.5. TargetEtcChain
A TargetEtcChain structure contains certificates and other indicators
to describe either (in a request for a cpkc service) information to
be validated, or the result of the verifications. The structure may
also contain information about policies and policy mappings.
The details about how to fill in and to interpret the structure are
defined later for each service.
The 'pathProcInput' field contains information about policies and
policy mapping to be used or used during a validation.
In a response, the 'pkistatus' and `certstatus' choices can only
occur in the 'chain' sequence. If present, they contain the result
of a local verification of the immediately preceding element, or of
the target value, if it is the first element in the 'chain' sequence.
If no 'pkistatus' or 'certstatus' is present, the DVCS considers all
elements in the 'chain' as trustworthy. Note, that there may be a
valid OCSP response or DVC indicating an invalid certificate.
Certificate, PolicyInformation and CertificateList are defined in
[RFC2459]. ESSCertId is defined in [RFC2634]. CertId, OCSPResponse
and CertStatus are defined in [RFC2560]. PKIStatusField is defined
in [RFC2510].
The choice 'assertion' can contain a data validation certificate, or
a timeStamp, or other assertions.
The choices 'assertion', 'ocspresponse' and 'crl' are provided by
services external to the responding DVCS. The choices 'certStatus'
and 'pkistatus' reflect decisions made directly by the responding
DVCS.
As a replacement for certificates, certification identifiers
(ESSCertId, CertId) MAY be used in requests and responses, if this
is sufficient to perform the service, e.g., when the corresponding
certificates are provided elsewhere in a request or response (as part
of the SignedData type).
Certificate or certification identifiers of certification authorities
MAY occur in any order and MAY represent several certification
chains.
The choice 'capabilities' can be used to indicate SMIMECapabilities.
It applies to the certificate identified by the preceding element in
the sequence.
7.6. DVCSRequestInformation
A DVCSRequestInformation data structure contains general information
about the Data Validation and Certification Request. This structure
occurs in a request, and is also included in a corresponding Data
Validation Certificate.
These data are optionally encapsulated by contenttypes that provide
for authentication and/or confidentiality.
This document describes the usage of a SignedData construct of
[RFC2630] where the contenttype indicated in the eContentType of the
encapContentInfo is id-ct-DVCSRequestData and the eContent of the
encapContentInfo, carried as an octet string, contains a
DVCSRequestData structure.
When using a SignedData structure, a Data Validation and
Certification Request MAY contain several SignerInfo structures, and
countersignature attributes depending on operational environments.
When an end user client creates the request, there is one or zero
SignerInfo. A relaying DVCS MAY add an additional signature or a
countersignature attribute, or MAY use another encapsulation from
[RFC2630] that provides for authentication and/or confidentiality.
The content of a request consists of a description of the desired
service and additional parameters, the data to be validated, and an
optional identifier of the request.
The 'DVCSRequest.requestInformation' element contains general
information about the request. It is filled in by the requester as
follows:
- The 'version' field is set to 1 or the field is absent in this
version of the protocol.
The field 'service' contains the requested service.
- The 'nonce' field MAY be used to provide additional protection
against replay or content guessing attacks.
- The 'requestTime' field MAY be used to indicate the time for which
the requested service should be performed. For a vsd and cpkc
service, it specifies the time for which the validity of a signed
document or certicates is to be asserted. For the other service,
the field is ignored by the DVCS. If the field is absent, the
current time is assumed.
- The value of the 'requester' field indicates the requesting entity.
The interpretation and usage of this field MUST be defined by the
DVCS policy.
Some usage examples are:
If the field is present, and the request is signed, a DVCS MAY
require that the field MUST match the identity (subjectName or
subjectAltName extension) of the corresponding signature
certificate.
A request MAY be signed by a DVCS when relaying it to another DVCS.
When acting as a relay, a DVCS MAY add its own identity in the
request relayed to another service provider, and it MAY remove the
initial value.
- The 'requestPolicy' field SHOULD indicate the policy under which
the validation is requested. This field MUST be checked by the
DVCS to verify agreement with its own policy. The absence of this
field indicates that any policy is acceptable.
Adams, et al. Experimental [Page 14]
RFC 3029 DVCS Protocols February 2001
- The 'dvcs' field MAY be used to indicate a list of DVCS which can
be contacted to provide (additional) information or to perform
additional operations necessary to produce the response.
It is up to the DVCS policy whether to honor this field or not, and
to define which choice of a general name is acceptable (e.g., an
URL or a DN).
- The 'dataLocations' field MAY be used to indicate where a copy of
the 'data' field of the request or supplementary information can be
obtained. The DVCS does not use this field for its own operation,
the exact interpretation of this field is defined by applications.
- The 'requestTime' field MAY be used to indicate the time for which
the requested service should be performed. For a vsd and cpkc
service, it specifies the time for which the validity of a signed
document or certicates is to be asserted. For the other service,
the field is ignored by the DVCS. If the field is absent, the
current time is assumed. The DVCS service may have a time limit or
a delta time limit regarding current time which are specified in
the local policy of the DVCS service.
- The 'extensions' field MAY be used to include additional
information. Extensions may be marked critical or not in order to
indicate whether the DVCS is supposed to understand them. This
document does not define extensions.
The DVCSRequest.data contains service-specific content, defined by
each particular service provided by the DVCS.
Depending on the requested service type, the field may contain a
signed document, a list of certificates, a message digest or
arbitrary data.
The following type is used:
Data ::= CHOICE {
message OCTET STRING ,
messageImprint DigestInfo,
certs SEQUENCE SIZE (1..MAX) OF
TargetEtcChain
}
The requester fills the 'data' element as follows:
- For a vsd service request, the requestor encapsulates a CMS
SignedData object in the value octets of the 'message' choice.
Adams, et al. Experimental [Page 15]
RFC 3029 DVCS Protocols February 2001
It is up to the requester to decide whether and how to provide any
certificate that may be needed to verify the signature(s) in the
signedData object. A requester MAY add certificates to the
encapsulated signedData object or in the certificate list of the
request.
- For a cpkc service request the 'certs' choice is used.
Each certificate to be verified MUST be included in a separate
instance of TargetEtcChain. The 'TargetEtcChain.chain' field, if
present, indicates one or more chains of trust that can be used to
validate the certificate. The DVCS MAY choose to select a subset
of certificates as certification path, or to ignore this field.
The 'TargetEtcChain.pathProcInput' field, if present, indicates the
acceptable policy set and initial settings for explicit-policy-
indicator and inhibit-policy-mapping indicators to be used in X.509
public key certificate path validation (see [RFC2459]).
Only the Certificate, ESSCertId, CertId or Extension choices of the
TargetEtcChain can be used in the request.
The requester is responsible for providing sufficient information
to the DVCS to identify the corresponding certificates.
- For a ccpd service the 'messageImprint' choice is used.
The hash algorithm indicated in the hashAlgorithm field SHOULD be a
"strong" hash algorithm (that is, it SHOULD be one-way and
collision resistant). It is up to the Data Certification Server to
decide whether or not the given hash algorithm is sufficiently
"strong" (based on the current state of knowledge in cryptanalysis
and the current state of the art in computational resources, for
example).
- For a cpd service the 'message' choice is used.
The field contains requester-specific data with any type of
content. The DVCS does not inspect, modify, or take any particular
action based on the particular content of the 'message' field.
The field 'DVCSRequest.transactionIdentifier' MAY be used in order to
associate DVCS responses containing error messages, to requests. For
example, in a mail based environment, the parameter could be a copy
of a messageid. Note, that the transactionIdentifier is not
necessary for associating a request with a valid data validation
certificate.
Adams, et al. Experimental [Page 16]
RFC 3029 DVCS Protocols February 2001
9. DVCS Responses
This chapters describes the data structures that are created by a
DVCS to indicate the results of validation and certification
requests.
A DVCS Response structure is generated by the DVCS as a result of
processing of the data validation and certification request.
A Data Validation response contains an [RFC2630] ContentInfo with a
type of id-ct-DVCSResponseData signalling a DVCSResponse structure.
The data MAY be encapsulated by constructs of [RFC2630] in order to
provide authentication of the DVCS, and or integrity and
confidentiality of the request. This document specifies the usage of
a SignedData construct of [RFC2630].
The contenttype indicated in the eContentType of the encapContentInfo
is of type id-ct-DVCSResponseData, signalling a DVCSResponse as
eContent of the encapContentInfo (carried as an octet string). The
DVCS SHOULD use a key for which a corresponding certificate indicates
in an extendedKeyUsage the purpose of DVCS signing.
In a critical situation when a DVCS cannot produce a valid signature
(if the DVCS's signing key is known to be compromised, for example),
the DVCSResponse, containing the error notification, MUST be
generated as a signedData with no signerInfo attached. Receiving
unsigned DVCSResponse MUST be treated by the clients as a critical
and fatal error, and the content of the message should not be
implicitly trusted.
A valid response can contain one of the following:
1. A Data Validation Certificate (DVC), delivering the results of
data validation operations, performed by the DVCS.
2. An error notification. This may happen when a request fails due
to a parsing error, requester authentication failure, or anything
else that prevented the DVCS from executing the request.
The DVCSCertInfo structure is returned as a result of successful
execution of data validation service. It contains the results of the
data validation, a reference to the original request, and other
parameters. Please note that 'successful execution' does not
necessarily mean that the validation itself was successful - a
DVCSCertInfo may contain both the 'valid' and 'invalid' results.
The DVCS creates a DVCSCertInfo as follows:
- The 'version' field is never present in this version of the
protocol.
The 'dvReqInfo' is essentially a copy of the 'requestInformation'
field of the corresponding request. The DVCS MAY modify the fields
'dvcs', 'requester', 'dataLocations', and 'nonce' of the ReqInfo
structure, e.g., if the request was processed by a chain of DVCS,
if the request needs to indicate DVCS, or to indicate where to find
a copy of the data from a 'vpd' request. The only modification
allowed to a 'nonce' is the inclusion of a new field if it was not
present, or to concatenate other data to the end (right) of an
existing value.
Adams, et al. Experimental [Page 18]
RFC 3029 DVCS Protocols February 2001
- The 'DVCSCertInfo.messageImprint' field is computed from the 'data'
field of the corresponding request as follows:
For the 'certs' choice (the 'vpkc' service), the digest is computed
over the DER encoded data value. For a 'message' choice (the 'vsd'
and the 'vpd' services) the digest is computed over the value
octets (not including tag and length octets) of the OCTET STRING.
It is up to the DVCS to choose an appropriate digest algorithm.
For a 'messageImprint' choice (the 'vcpd' service), the
'messageImprint' of the DVCSRequest is copied as is.
- The 'DVCSCertInfo.serialNumber' field contains a unique identifier
of the request.
- The field 'responseTime' indicates a time value associated with the
response. The value MAY be a locally generated one, or a signed
TimeStampToken (TST) or DVC obtained from an external service.
Before using a value obtained from an external service, the DVCS
must validate it according the rules of the external service.
- The field 'DVCSCertInfo.dvStatus' reflects a collective result of
the validation.
If the field is missing, it is an equivalent of the SUCCESS
status.
For a vkpc, if the status field is present and set to SUCCESS, it
indicates that all certificates were successfully validated. If it
is present and set to FAILED, it indicates that all or some of the
certificates failed validation, and the specific status of the
'certs' should be investigated, at least one of the elements of the
'certs' TargetEtcChain structures MUST have a failure status.
If the field 'dvStatus' does not indicate success ('granted' or
'granted with mods') the element 'failInfo' MAY indicate the reason
for the failure. Note that the field 'certs' MAY contain
additional information about verification failures.
A failure of the verification of one of the signatures does not
necessarily result in failing to validate a signed document. For
example, as long as a sufficient number of signature was
successfully verified, a DVC with status 'grantedWithMods' may be
produced. A DVC with status 'granted' MUST only be produced if all
signatures verified successfully.
Adams, et al. Experimental [Page 19]
RFC 3029 DVCS Protocols February 2001
The field MUST be present, and the status must be set to WAITING,
if no final response can be immediately available. It is assumed
that the DVCS provides an additional final status some time later.
The details of the necessary procedures are part of the DVCS
policy.
In case of failure, the requester can further investigate the cause
of the failure, by looking into the TargetEtcChain fields.
'CertEtctoken.pkistatus' fields will indicate which item(s) has
failed or succeeded the validation and for what reason.
- The 'DVCSCertInfo.policy' field indicates the policy under which
the DVCS operates.
- If present, 'DVCSCertInfo.reqSignature' MUST be the same value as
the signerInfos field of the corresponding request. It is a policy
decision whether to include this field.
- The 'DVCSCertInfo.certs' field contains the results of the
verifications made by the DVCS. For the cpkc service, each element
contains a copy of a corresponding field of the request with the
selected subset in the targetAndChain subfield and the results of
the verifications, and additional certificates or certificate
references, e.g., from certification authorities or as described in
appendix C.3. For a vsd service, each element contains the result
of the validation of one signature of the signed document to be
validated.
In case of a global status of WAITING, the DVCS MAY choose to
return an individual status of waiting in some of the 'certs'
field, or not to return such a TargetEtcChain at all.
The 'acceptablePolicySet' sequence indicates the policies and
mappings that were processed during X.509 public key certificate
path validation. PolicyMappingsSyntax is defined in [RFC2459].
- The 'extensions' field MAY be used to return additional information
to the client. Extensions MAY be marked critical or not in order
to indicate whether the client MUST understand them. This document
does not define extensions.
Adams, et al. Experimental [Page 20]
RFC 3029 DVCS Protocols February 2001
9.2. DVCS Error Notification
A DVCS Error Notification is a CMS signedData object containing a
DVCSResponse with a 'dvErrorNote' choice.
The PKIStatusInfo is defined in [RFC2511]. For the purposes of
communicating the DVCSErrorNotice, the following subset of
PKIFailureInfo values is used:
PKIFailureInfo ::= BITSTRING {
badRequest (2),
-- transaction not permitted or supported
badTime (3),
-- messageTime was not sufficiently close to the system time,
-- as defined by local policy
badDataFormat (5),
-- the data submitted has the wrong format
wrongAuthority (6),
-- the DVCS indicated in the request is different from the
-- one creating the response token
incorrectData (7)
--the requester's data (i.e., signature) is incorrect )
In the DVCSErrorNotice, the PKIStatus field of the PKIStatusInfo must
be set to REJECTED.
The 'statusString' field of PKIStatusInfo can be used to accommodate
extra text, such as a reason for the failure, for example "I have
gone out of service". The DVCS initializes the
'DVCSErrorNotice.transactionIdentifier' with a copy of the
'DVCSRequest.transactionIdentifier' field of the corresponding
request.
In certain circumstances, a DVCS may not be able to produce a valid
response to a request (for example, if it is unable to compute
signatures for a period of time). In these situations the DVCS MAY
create a response with an DVCSErrorNotice but no signature.
DVCS clients SHOULD NOT trust unsigned responses. A DVCS client MAY
trust unsigned responses, if the communication channel provides for
server authentication (e.g., by services defined by TLS [RFC2246]).
Adams, et al. Experimental [Page 21]
RFC 3029 DVCS Protocols February 2001
10. Transports
There is no mandatory transport mechanism in this document. All
mechanisms are optional. Two examples of transport protocols are
given which allow online exchange of request and a response, and
asynchronous communication between a client and a DVCS.
A DVCS MAY use a combination of protocols, for example in order to
return additional DVCs.
10.1 DVCS Protocol via HTTP or HTTPS
This subsection specifies a means for conveying ASN.1-encoded
messages for the DVCS protocol exchanges via the HyperText Transfer
Protocol.
The DER encoded DVCS requests and responses are encapsulated using a
simple MIME object with Content-Type application/dvcs (and with the
default binary encoding).
This MIME object can be sent and received using common HTTP or HTTPS
processing engines over WWW links and provides a simple client-server
transport for DVCS messages.
10.2 DVCS Protocol Using Email
This section specifies a means for conveying ASN.1-encoded messages
for the protocol exchanges described in Section 8 via Internet mail.
The DER encoded DVCS requests and responses are encapsulated using a
simple MIME object with Content-Type application/dvcs with an
appropriate Content-Transfer-Encoding.
This MIME object can be sent and received using MIME processing
engines and provides a simple Internet mail transport for DVCS
messages.
In order to be able to associate a possible error response with a
request, the requester SHOULD use the field 'transactionIdentifier'.
The requester SHOULD not make any assumption about the usage of
message header fields by the responding service, in particular the
usage of fields like Subject, Message-ID or References.
Adams, et al. Experimental [Page 22]
RFC 3029 DVCS Protocols February 2001
11. Security Considerations
This entire chapter discusses security considerations.
When designing a data validation and certification service, the
following considerations have been identified that have an impact
upon the validity or "trust" in the data validation certificate.
It is imperative that keys used to sign DVCs are guarded with proper
security and controls in order to minimize the possibility of
compromise. Nevertheless, in case the private key does become
compromised, an audit trail of all the DVC generated by the DVCS
SHOULD be kept as a means to help discriminate between genuine and
false DVCs. A DVCS MAY provide for a vsd service to validate DVCs
created by this DVCS or another one solely based on the audit trail.
When confidentiality and server authentication is required, requests
and responses MAY be protected using appropriate mechanisms (e.g.,
CMS encapsulation [RFC 2630] or TLS [RFC2246]).
Server authentication is highly recommended for the vsd and cpd
service.
Client identification and authentication MAY use services defined by
TLS [RFC2246]) instead of, or in addition to, using a CMS format
providing authentication.
12. Patent Information
The following United States Patents related to data validation and
certification services, listed in chronological order, are known by
the authors to exist at this time. This may not be an exhaustive
list. Other patents may exist or be issued at any time.
Implementers of the DVCS protocol and applications using the protocol
SHOULD perform their own patent search and determine whether or not
any encumberences exist on their implementation.
# 4,309,569 Method of Providing Digital Signatures
(issued) January 5, 1982
(inventor) Ralph C. Merkle
(assignee) The Board of Trustees of the Leland Stanford Junior
University
# 5,001,752 Public/Key Date-Time Notary Facility
(issued) March 19, 1991
(inventor) Addison M. Fischer
Adams, et al. Experimental [Page 23]
RFC 3029 DVCS Protocols February 2001
# 5,022,080 Electronic Notary
(issued) June 4, 1991
(inventors) Robert T. Durst, Kevin D. Hunter
# 5,136,643 Public/Key Date-Time Notary Facility
(issued) August 4, 1992
(inventor) Addison M. Fischer
(Note: This is a continuation of patent # 5,001,752.)
# 5,136,646 Digital Document Time-Stamping with Catenate Certificate
(issued) August 4, 1992
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.,
# 5,136,647 Method for Secure Time-Stamping of Digital Documents
(issued) August 4, 1992
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.,
# 5,373,561 Method of Extending the Validity of a Cryptographic
Certificate
(issued) December 13, 1994
(inventors) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Bell Communications Research, Inc.,
# 5,422,95 Personal Date/Time Notary Device
(issued) June 6, 1995
(inventor) Addison M. Fischer
# 5,781,629 Digital Document Authentication System
(issued) July 14, 1998
(inventor) Stuart A. Haber, Wakefield S. Stornetta Jr.
(assignee) Surety Technologies, Inc.,
Adams, et al. Experimental [Page 24]
RFC 3029 DVCS Protocols February 2001
13. References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key
Infrastructure, Certificate Management Protocols", RFC
2510, March 1999.
[RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
X.509 Public Key Infrastructure, Certificate and CRL
Profile", RFC 2459, January 1999.
[RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630,
June 1999.
[ISONR] ISO/IEC 10181-5: Security Frameworks in Open Systems.
Non-Repudiation Framework.
[RFC2119] Bradner, S., "Key works for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2511] Myers, M., Adams, C., Solo, D. and D. Kemp, "Internet
X.509 Certificate Request Message Format", RFC 2511, March
1999.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol, Version 1.0",
RFC 2246, January 1999.
[RFC2634] Hoffman P., "Enhanced Security Services for S/MIME", RFC
2634, June 1999.
[RFC2560] Myers, M., Ankney, R., Malpani, A., Galperin, S. and C.
Adams, "X.509 Internet Public Key Infrastructure Online
Certificate Status Protocol", RFC 2560, June 1999.
The attribute may be used as an authenticated or unauthenticated
attribute in CMS SignedData documents.
APPENDIX B - Signed document validation.
We present some examples of a possible use of DVCS in the context of
validation of signed documents.
B.1 Signed document validation
The example covers the case where a DVCS is used by a signer to
obtain a proof that a document's structure, including one or more
attached signatures, is/was correct, after the document was signed.
The DVC can be produced either by a DVCS that is trusted by the
signer, or by a DVCS that is trusted by an intended verifier of the
document.
The signer uses the obtained DVC as an evidence that its intentions
were good and it produced a signed document using the
environment(keys, algorithms, etc) that was known to be OK.
It produces a stand-alone document that can be used to extend the
life of a signature. This example assumes that we have total trust
in the Data Validation and Certification Server.
Signature algorithms and keys have a finite lifetime. Therefore,
signatures have a finite lifetime. The Data Certification Server can
be used to extend the lifetime of a signature.
In order to extend the lifetime of a signature in this way, the
following technique can be used:
1) The signature needs to be certified:
The signed message is presented to the Data Validation and
Certification Server in a 'vsd' service request.
Adams, et al. Experimental [Page 27]
RFC 3029 DVCS Protocols February 2001
The DVCS verifies that the signature and certificates are valid at
that time by checking expiry dates, status information, or DVCs,
and returns a DVC.
2) The DVC SHOULD be verified.
The signature of the Data Validation and Certification Server in
data certification token SHALL be verified using the Data
Certification Server's valid verification key.
A signer's signing key (and therefore, its signature) is only valid
until some specified time T1. The DVCS's signing key (and therefore,
its signature) is valid until some specified time T2 that is
(usually) after time T1. Without certification, the signer's
signature would only be valid until time T1. With certification, the
signer's signature remains valid until time T2, regardless of
subsequent revocation or expiry at time T1.
If the signature of the DVCS is valid, the trust we have in the DVCS
allows us to conclude that the original signature on the data was
valid at the time included in the DVC.
The DVCS signing key MUST be of a sufficient length to allow for a
sufficiently long lifetime. Even if this is done, the key will have
a finite lifetime. Since data validation certificates are just
another type of signed documents, they can be validated using
(another) DVCS.
APPENDIX C - Verifying the Status of a Public Key Certificate
We now present three examples of how to produce a data validation
certificate that can be used to assert that a public key certificate
is valid, trusted, and can be used for a particular purpose.
A client wants to use a given public key certificate either to use it
to verify a signature on a document or to use it for document
encryption.
A DVCS MUST have access to current information regarding public
certificate status, it can therefore be used to verify the revocation
status of a certificate at the current time.
The following technique can be used:
A) The public key certificate needs to be validated.
The certificate is presented to the Data Certification Server
using a 'vpkc' service.
Adams, et al. Experimental [Page 28]
RFC 3029 DVCS Protocols February 2001
The Data Validation and Certification Server verifies that the
public key certificate is valid and that it hasn't been revoked
and then returns a data validation certificate.
B) The data validation certificate MUST be verified.
The signature of the Data Certification Server in the data
certification token SHALL be verified using the Data Validation
and Certification Server's valid certificate.
C) The public key certificate is used:
C.1) A clients's own public key certificate (i.e., the corresponding
private key) can be used to add a signature to a document. The
signing certificate and the data validation certificate can be
added as signed attributes to the signature.
A data validation certificate can now be used during the
validation signatures using the key contained in the public key
certificate. This service provided by the DVCS can be thought
of as a supplement to the usual method of checking revocation
status.
In other words, signature validation at a later time does not
necessarily require access to the revocation status of the
user's signing certificate, access to a DVCS service and
validation of the DVC is sufficient to verify a signature. Note
that the DVC does not tell when the signature had been created,
it only indicates when the signing certificate was valid.
C.2) A public key certificate for key exchange can be used after
having obtained a data validation certification certificate to
encrypt data. The DVC can be stored with the data and/or stored
by the creator of the encrypted document.
If an intended recipient of the document claims that the creator
did not use an appropriate encryption key, the DVC (obtained by
a recipient's DVCS) can be used as evidence that the recipient's
DVCS has authorized the usage of the public key.
C.3) The procedure described in the previous paragraph can be
enhanced to provide domain encryption in several ways.
Organizations require that encrypted documents need to be
recoverable. One simple way is to always encrypt documents with
additional recipients that act as 'domain encryption centers' or
'recovery centers'. This is not a technically difficult
Adams, et al. Experimental [Page 29]
RFC 3029 DVCS Protocols February 2001
problem, but may require complicated and difficult interactions
with the end user, in particular when the document's recipients
are in several different organizations.
One possible solution consists of adding additional certificates
to the dvc that validates the usage of a particular public key
certificate used for encryption. In an environment of several
organizations, one of the possible procedures may be:
The client asks its local dvcs to validate the public key
certificate. The dvcs forwards the request to a dvcs of a
remote organization. The remotes organization's dvcs verifies
the certificate and provides a dvc assertion validating the
certificate. It adds additional certificates usable for key
exchange to the certEtcChain structure indicating additional
required recipients. The local dvc creates a dvc containing the
dvc of the remote dvcs. It may add additional certificates or
references to the dvc. The clients use all validated
certificates to be usable for key exchange to enhance its list
of recipients.
In the local dvcs may as well use local information about the
remote organization's need for additional recipients.
Appendix D - MIME Registration
To: [email protected] Subject: Registration of MIME media type
application/timestamp
MIME media type name: application
MIME subtype name: dvcs
Required parameters: None
Optional parameters: None
Encoding considerations: binary or Base64
Security considerations: Carries a request for a data validation and
certification service and the response. A request may be
cryptographically signed. The response will be cryptographically
signed.
Interoperability considerations: None
Published specification:
RFC 3029 on Data Validation and Certification Server Protocols
Adams, et al. Experimental [Page 30]
RFC 3029 DVCS Protocols February 2001
Applications which use this media type: Data Validation and
Certification Servers and Clients
Additional information:
Magic number(s): None
File extension(s): .dvc
Macintosh File Type Code(s): none
Person & email address to contact for further information: Peter
Sylvester <[email protected]>
This chapter contains an example of a request and a response of a
'Certify Claim of Possession of Data' transaction of the Clepsydre
Demonstration Project sponsored by La Poste, France.
The information has been formatted with a slightly modified version
of Peter Gutmann's dumpasn1 program.
Adams, et al. Experimental [Page 34]
RFC 3029 DVCS Protocols February 2001
The response Data Validation Certificate contains the signing
certificate.
The data that are time stamped is the binary of the client program
used to make the request.
This document is based on two initial works from Robert Zuccherato
and Carlisle Adams, both at Entrust Technologies, for time stamping
and for notary and data certification services.
Thanks to Denis Pinkas, Bull and Bruno Salgueiro, SIBS for valuable
comments.
Adams, et al. Experimental [Page 50]
RFC 3029 DVCS Protocols February 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
