From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc5636.txt | 1739 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1739 insertions(+) create mode 100644 doc/rfc/rfc5636.txt (limited to 'doc/rfc/rfc5636.txt') diff --git a/doc/rfc/rfc5636.txt b/doc/rfc/rfc5636.txt new file mode 100644 index 0000000..852b49a --- /dev/null +++ b/doc/rfc/rfc5636.txt @@ -0,0 +1,1739 @@ + + + + + + +Network Working Group S. Park +Request for Comments: 5636 H. Park +Category: Experimental Y. Won + J. Lee + KISA + S. Kent + BBN Technologies + August 2009 + + + Traceable Anonymous Certificate + +Abstract + + This document defines a practical architecture and protocols for + offering privacy for a user who requests and uses an X.509 + certificate containing a pseudonym, while still retaining the ability + to map such a certificate to the real user who requested it. The + architecture is compatible with IETF certificate request formats such + as PKCS10 (RFC 2986) and CMC (RFC 5272). The architecture separates + the authorities involved in issuing a certificate: one for verifying + ownership of a private key (Blind Issuer) and the other for + validating the contents of a certificate (Anonymity Issuer). The end + entity (EE) certificates issued under this model are called Traceable + Anonymous Certificates (TACs). + +Status of This Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. + + + + + + + + +Park, et al. Experimental [Page 1] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Conventions Used in This Document ..........................4 + 2. General Overview ................................................4 + 3. Requirements ....................................................5 + 4. Traceable Anonymous Certificate Model ...........................6 + 5. Issuing a TAC ...................................................7 + 5.1. Steps in Issuing a TAC .....................................8 + 5.2. Mapping a TAC to a User's Real Identity ...................15 + 5.3. TAC Request Message Format Profile ........................17 + 5.3.1. PKCS10 Profile .....................................17 + 5.3.2. CMC Profile ........................................18 + 6. Security Considerations ........................................19 + 7. Acknowledgments ................................................21 + 8. References .....................................................21 + 8.1. Normative References ......................................21 + 8.2. Informative References ....................................22 + Appendix A. Traceable Anonymous Certificate ASN.1 Modules .........24 + Appendix B. TAC Message Exchanges over Transport Layer Security ...26 + B.1. Message Exchanges between a User and the BI or the AI .....26 + B.2. Message Exchanges between the BI and the AI ...............27 + B.3. Message Exchanges between the Aggrieved Party and the AI + or the BI .................................................27 + Appendix C. Cryptographic Message Syntax Profile for TAC Token ....28 + C.1. Signed-Data Content Type ..................................28 + C.1.1. encapContentInfo ...................................29 + C.1.2. signerInfos ........................................29 + +1. Introduction + + Public Key Infrastructure (PKI) provides a powerful means of + authenticating individuals, organizations, and computers (e.g., web + servers). However, when individuals use certificates to access + resources on the public Internet, there are legitimate concerns about + personal privacy, and thus there are increasing demands for privacy- + enhancing techniques on the Internet. + + In a PKI, an authorized entity such as a Certification Authority (CA) + or a Registration Authority (RA) may be perceived, from a privacy + perspective, as a "big brother", even when a CA issues a certificate + containing a Subject name that is a pseudonym. This is because such + entities can always map a pseudonym in a certificate they issued to + the name of the real user to whom it was issued. This document + defines a practical architecture and protocols for offering privacy + for a user who requests and uses an X.509 certificate containing a + pseudonym, while still retaining the ability to map such a + certificate to the real user who requested it. + + + +Park, et al. Experimental [Page 2] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + A PKI typically serves to identify the holder of a private key (to + the corresponding public key in a certificate), in a standard + fashion. The public key, identity, and related information are + signed by an entity acting as a CA as specified in X.509 [11] and as + profiled for use in the Internet [2]. During the past decade, PKIs + have been widely deployed to support various types of communications + and transactions over the Internet. + + However, with regard to privacy on the Internet, a PKI is generally + not supportive of privacy, at least in part because of the following + issues: + + - A certificate typically contains in the Subject field the true + identity of the user to whom it was issued. This identity is + disclosed to a relying party (e.g., a web site or the recipient of + an S/MIME message [18]) whenever the certificate holder presents + it in a security protocol that requires a user to present a + certificate. In some protocols, e.g., TLS, a user's certificate + is sent via an unencrypted channel prior to establishing a secure + communication capability. + + - A certificate often is published by the CA, for example, in a + directory system that may be widely accessible. + + - An anonymous (end entity) certificate [9] is one that indicates + that the holder's true identity is not represented in the subject + field. (Such a certificate might more accurately be called + "pseudonymous" since an X.509 certificate must contain an + identifier to comply with PKI format standards, and a CA must not + issue multiple certificates with the same Subject name to + different entities. However, we use the more common term + "anonymous" throughout this document to refer to such + certificates.) Issuance of anonymous certificates could enhance + user privacy. + + There is however, a need to balance privacy and accountability when + issuing anonymous certificates. If a CA/RA is unable to map an + anonymous certificate to the real user to whom it was issued, the + user might abuse the anonymity afforded by the certificate because + there would be no recourse for relying parties. + + A CA or RA generally would be able to map an anonymous certificate to + the user to whom it was issued, to avoid such problems. To do so, + the CA/RA would initially identify the user and maintain a database + that relates the user's true identity to the pseudonym carried in the + certificate's Subject field. + + + + + +Park, et al. Experimental [Page 3] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + In a traditional PKI, there is a nominal separation of functions + between a RA and a CA, but in practice these roles are often closely + coordinated. Thus, either the RA or CA could, in principle, + unilaterally map an autonomous certificate to the real user identity. + + The architecture, syntax, and protocol conventions described in this + document allow anonymous certificates to be issued and used in + existing PKIs in a way that provides a balance between privacy and a + conditional ability to map an anonymous certificate to the individual + to whom it was issued. + + An anonymous certificate (Traceable Anonymous Certificate) in this + document is issued by a pair of entities that operate in a split + responsibility mode: a Blind Issuer (BI) and an Anonymity Issuer + (AI). The conditional traceability offered by this model assumes + strong separation between the RA and CA roles, and employs technical + means (threshold cryptography and "blinded" signatures), to + facilitate that separation. (A blinded signature is one in which the + value being signed is not made visible to the signer, via + cryptographic means. Additional details are provided later.) + + The AI has knowledge of the certificate issued to the user, but no + knowledge of the user's real identity. The BI knows the user's real + identity, but has no knowledge of the certificate issued to that + user. Only if the AI and BI collaborate can they map the TAC issued + to a user to the real identity of that user. + +1.1. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [1]. + +2. General Overview + + This section defines the notion of a Traceable Anonymous Certificate + (referred to as TAC or anonymous certificate in this document). It + is distinguished from a conventional pseudonymous certificate [8, 9] + in that a TAC containing a pseudonym in the Subject field will be + conditionally traceable (as defined that it is not trivial to design + a system that issues anonymous certificates, consistent with Internet + PKI standards, when additional constraints are imposed, as + illustrated by the following scenarios. + + - If a CA issues an anonymous certificate without verifying a true + identity, it is untraceable, which provides inadequate recourse if + the user to whom the certificate was issued abuses the anonymity + it provides. (Even without the ability to trace an anonymous + + + +Park, et al. Experimental [Page 4] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + certificate to the corresponding user, the certificate can always + be revoked, but this may not be a sufficient response to abuse.) + + - If a CA issues an anonymous certificate but verifies the real + identity and maintains a record of that identity, the CA can link + the pseudonym in the Subject field to the real identity, hence a + potential "big brother" problem [12]. + + - If the CA issues a certificate with a certificate containing a + user-selected Subject name, and does not verify the user's + identity, the certificate is effectively untraceable. + + - If the CA issues an anonymous certificate using a blind signature + (see below), the CA cannot verify the contents of the certificate, + making the certificate untraceable and essentially forgeable. (If + a CA signs a certificate without examining its content, even after + verifying a user's identity, certificates issued by the CA are + essentially forgeable.) + + To address the issues described above, we extend the simple + separation-of-authority concept already defined in the RA/CA PKI + model. First we restate the requirements in a more precise and + concise fashion, and introduce a basic model for achieving the goals + from a more general perspective [16]. + +3. Requirements + + This document describes a new separation-of-authority model and + protocols for certificate issuance in a way that enables issuing + Traceable Anonymous Certificates, while maintaining compatibility + with the standards used in existing PKIs. To do this, the following + requirements must be satisfied. + + - The Traceable Anonymous Certificate MUST be a syntactically valid + X.509 certificate in which the Subject field contains a pseudonym. + + - There must be technical means to counter a claim by a malicious + user who later denies having participated in the activities that + resulted in issuing a TAC. Specifically, when a user is + identified and requests issuance of a TAC, the mechanisms employed + MUST ensure that the user to whom the TAC is issued is the one who + requested the TAC (unless that user transfers the private key to + another party, unknown to the RA/CA). + + + + + + + + +Park, et al. Experimental [Page 5] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + - The traceability and revocation functions MUST support the linkage + between a user's true identity and the pseudonym in a certificate + issued to the user. Thus, the solution MUST enable determining a + true identity from the anonymous certificate, upon agreement among + the authorities who collaborated to issue the certificate. + +4. Traceable Anonymous Certificate Model + + A TAC is an end entity (EE) certificate issued by a pair of entities + that operate in a split responsibility mode: a Blind Issuer (BI) and + an Anonymity Issuer (AI). The pair appear as a single CA to the + outside world, e.g., they are represented by a single CA certificate. + The public key in the CA certificate is used to verify certificates + issued by this CA in the normal fashion, i.e., a relying party + processes a TAC just like any other EE certificates. + + In this model, the BI acts as a RA. It interacts with a user to + verify the user's "real" identity, just like a normal RA. The BI + maintains a database that can be used to map a TAC to the user to + whom it was issued, but only with the cooperation of the AI. + + This mapping will be initiated only if there is evidence that the + user to whom the TAC was issued has abused the anonymity provided by + the TAC. + + The AI acts as a CA. It validates a certificate request submitted by + the user, using a standard certificate request format such as PKCS10. + The AI performs the functions common to a CA, including a private-key + proof-of-possession (PoP) check, a name uniqueness check among all + certificates issued by it, assignment of a serial number, etc. To + effect issuance of the TAC, the AI interacts with the BI, over a + secure channel, to jointly create the signature on the TAC, and sends + the signed TAC to the user. + + The AI does this without learning the user's real identity (either + from the user or from the BI). + + The result of this split functionality between the BI and the AI is + that neither can unilaterally act to reveal the real user identity. + The AI has knowledge of the certificate issued to the user, but no + knowledge of the user's real identity. The BI knows the user's real + identity, but has no knowledge of the certificate issued to that + user. Only if the AI and BI collaborate can they map the TAC issued + to a user to the real identity of that user. + + This system is not perfect. For example, it assumes that the AI and + BI collaborate to reveal a user's real identity only under + appropriate circumstances. The details of the procedural security + + + +Park, et al. Experimental [Page 6] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + means by which this assurance is achieved are outside the scope of + this document. Nonetheless, there are security benefits to adopting + this model described in this document, based on the technical + approach used to enable separation of the BI and AI functions. + + For example, the BI and AI can be operated by different organizations + in geographically separate facilities, and managed by different + staff. As a result, one can have higher confidence in the anonymity + offered to a user by the system, as opposed to a monolithic CA + operating model that relies only on procedural security controls to + ensure anonymity. + +5. Issuing a TAC + + The follow subsections describe the procedures and the protocols + employed to issue a TAC. To begin, BI and AI collaborate to generate + a public key pair (that represents the CA as seen by relying parties) + using a threshold signature scheme. Such schemes have been defined + for RSA. The details of how this is accomplished depend on the + algorithm in question, and thus are not described here. The reader + is referred to [15] where procedures for implementing RSA threshold + signatures are described. A DSA-based threshold signature scheme + will be incorporated into a future version of TAC [14]. + + Note that this split signing model for certificate issuance is an + especially simple case of a threshold signature; the private key used + to sign a TAC is divided into exactly two shares, one held by the BI + and one held by the AI. Both shares must be used, serially, to + create a signature on a TAC. After the key pair for the (nominal) CA + has been generated and the private key split between the BI and the + AI, the public key is published, e.g., in a self-signed certificate + that represents the TAC CA. + + Another public-key cryptographic function that is an essential part + of this system is called "blind signing". To create a blind + signature, one party encrypts a value to be signed, e.g., a hash + value of a certificate, and passes it to the signer. The signer + digitally signs the encrypted value, and returns it to the first + party. The first party inverts the encryption it applied with the + random value in the first place, to yield a signature on the + underlying data, e.g., a hash value. + + This technique enables the signer to digitally sign a message, + without seeing the content of the message. This is the simplest + approach to blind signing; it requires that the public key needed to + invert the encryption not be available to the blind signer. Other + blind signing techniques avoid the need for this restriction, but are + more complex. + + + +Park, et al. Experimental [Page 7] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + The tricky part of a cryptographic blinding function is that is must + be associative and commutative, with regard to a public-key signature + function. Let B be a blinding function, B-INV is its inverse, and S + is a public-key signature. The following relationship must hold: + B-INV( S (B (X) ) ) = B-INV( B( S (X) ) ) = S (X). RSA can be used + to blind a value with random value and to sign a blinded value + because the modular exponentiation operation used by RSA for both + signature and for encryption is associative and commutative. + + The TAC issuance process described below requires an ability for the + BI, the AI, and the user to employ secure communication channels + between one another. + + Use of TLS [17] is one suitable means to establish such channels, + although other options also are acceptable. To this end, this + document assumes TLS as the default secure communication channel, and + thus requires that the BI and the AI have X.509 certificates that + represent them. + + These certificates are independent of the certificate that represents + the CA (formed by the BI and the AI) and may be either self-signed or + issued by other CA(s). + + Appendix B provides a top-level description of the application of TLS + to these message exchanges. + +5.1. Steps in Issuing a TAC + + Figure 1 depicts the procedures for issuing a TAC. The lines + represent steps in the issuance process, and the numbers refer to + these steps. + + 1 +---------------+ + +<-------->| Blind | + | 2 | Issuer (BI)| + | +---------------+ + +-------+ | ^ + | user |<------------>| 4 | 5 + +-------+ | v + | 3 +----------------+ + +--------->| | + | | Anonymity | + | | Issuer (AI) | + +<-------- | | + 6 +----------------+ + + Figure 1. TAC Issuance Procedures + + + + +Park, et al. Experimental [Page 8] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + Step 1: + + A user authenticates himself to the BI. This may be effected via + an in-person meeting or electronically. The same sorts of + procedures that RAs use for normal certificate issuance are used + here. Such procedures are not standardized, and thus they are not + described here in detail. For purposes of the TAC architecture, + we require the BI to establish a record in a database for the user + and to generate a (locally) unique identifier, called the UserKey, + that will serve as a (database) key for the record. The UserKey + value MUST NOT be generated in a fashion that permits any external + entity (including the AI) to infer a user's real identity from its + value. (For example, if the user's name is used as an input to a + one-way hash algorithm to generate the UserKey value, then + additional random data must be used as an input to prevent simple + guessing attacks.) Associated with the UserKey in this database is + an expiration time. The expiration time is used by the BI and AI + to reject session-level replay attacks in some exchanges, and to + enable the BI and AI to garbage-collect database records if a user + initiates but does not complete the certificate request process. + + It is RECOMMENDED that the UserKey be a random or pseudo-random + value. Whenever the BI passes a UserKey to an external party, or + accepts the UserKey from an external party (e.g., the AI), the + value is embedded in a digitally signed CMS object called a Token, + accompanied by the timestamp noted above. The signature on a + Token is generated by the BI. (Note that the certificate used is + just a certificate suitable for use with CMS, and is NOT the + split-key certificate used to verify TAC.) + + The following ASN.1 syntax represents the UserKey and an + expiration time: + + UserKey ::= OCTET STRING + Timeout ::= GeneralizedTime + + In the context of this specification, the GeneralizedTime value + MUST be expressed in Greenwich Mean Time (Zulu) and MUST include + seconds (YYYYMMDDHHMMSSZ). + + Step 2: + + BI presents to the user a data structure called a Token. The + Token must be conveyed to the user via a secure channel, e.g., in + person or via a secure communication channel. The secure channel + is required here to prevent a wiretapper from being able to + + + + + +Park, et al. Experimental [Page 9] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + acquire the Token. For example, if the user establishes a one-way + authenticated TLS session to the BI in Step 1, this session could + be used to pass the Token back to the user. + + The Token serves two purposes. During TAC issuance, the Token is + used to verify that a request to the AI has been submitted by a + user who is registered with the BI (and thus there is a record in + the BI's database with the real identity of the user). This is + necessary to ensure that the TAC can later be traced to the user. + If there is a request to reveal the real identity of a user, the + AI will release the Token to the entity requesting that a TAC be + traced, and that entity will pass the Token to the BI, to enable + tracing the TAC. If the BI does not perform its part of the + certificate issuance procedure (in Step 6) before the Token + expires, the BI can delete the Token from the database as a means + of garbage collection. The timeout value in a Token is selected + by the BI. + + The Token is a ContentInfo with a contentType of id-kisa-tac-token + and a content that holds a SignedData of CMS SignedData object + [6], signed by the BI, where the eContent + (EncapsulatedContentInfo) is a SEQUENCE consisting of the UserKey + and Timeout, and eContentType MUST be id-data. + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, -- OBJECT IDENTIFIER : id-data + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + -- DER encoded with the input of 'SEQUENCE of the UserKey and + -- Timeout' + + id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs7(7) 1 } + + The signature (SignatureValue of SignerInfo) is generated using + the BI's private signature key, corresponding to the public key + present in the BI's certificate. (Note that this certificate is + just a certificate suitable for use with TLS, and is NOT the + split-key certificate used to verify a TAC.) The certificate (or + certificates) MUST be present. Appendix A provides the ASN.1 + syntax for the Token, as a profiled CMS ContentInfo object. + Appendix C provides the CMS SignedData object profile for wrapping + the Token. + + Token ::= ContentInfo + + Upon receipt of the Token, the user SHOULD verify the signature + using the BI public key and note the Timeout value to ensure that + the certificate request process is completed prior to that time. + + + +Park, et al. Experimental [Page 10] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + Step 3: + + The user prepares a certificate request in a standard format, + e.g., PKCS10 [3] or CMC [4]. The Subject field of the certificate + contains a pseudonym generated by the user. It is anticipated + that the CA (BI + AI) may provide software for users to employ in + constructing certificate requests. + + If so, then this software can generate a candidate Subject name to + minimize the likelihood of a collision. If the user selects a + candidate pseudonym without such support, the likelihood of a + subject name collision probably will be greater, increasing the + likelihood that the certificate request will be rejected or that + the AI will have to generate a pseudonym for the user. + + After constructing the certificate request, the user sends it, + along with the Token from Step 2, to the AI, via a secure channel. + This channel MUST be encrypted and one-way authenticated, i.e., + the user MUST be able to verify that it is communicating with the + AI, but the AI MUST NOT be able to verify the real identity of the + user. Typical use of TLS for secure web site access satisfies + this requirement. The certificate request of PKCS10 [3] or CMC + [4] carries the Token from Step 2. + + The Token is carried as an attribute in a certificate request + (CertificationRequestInfo.attributes) where the attrType MUST be + id-kisa-tac below in PKCS10 format. The Token is set to + attrValues (Certificate Request Controls) where the attrType MUST + be id-kisa-tac in CMC [4] format. The TAC request message profile + is described in the section 5.3. + + Step 4: + + The AI, upon receipt of the certificate request containing a + Token, verifies that the request is consistent with the processing + defined for the request format (PKCS10). If a Subject name is + present, it verifies that the proposed pseudonym is unique. The + AI also verifies the signature on the Token and, if it is valid, + checks the Timeout value to reject a replay attack based on a + "timed-out" Token. + + A Token with an old Timeout value is rejected out-of-hand by the + AI. (After a Token's Timeout time is reached, the AI deletes the + Token from its cache.) Next, the AI compares the received Token + against a cache of recent (i.e., not "timed out"), validated + Tokens. The AI matches the resubmitted request to the original + request, and responds accordingly. For example, if a duplicate is + detected, the certificate request can be rejected as a replay. + + + +Park, et al. Experimental [Page 11] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + If the Subject field contains a Subject name already issued by the + AI, the AI MUST either reject the certificate request, or + substitute a pseudonym it generates, depending on the policy of + the TAC CA. If the certificate request is acceptable, the AI + assigns a serial number and constructs a tbsCertificate (i.e., the + final form of the certificate payload, ready to be signed). + + The AI then computes a hash over this data structure and blinds + the hash value. (The AI blinds the hash value using a key from a + public-key encryption pair where neither key is ever made public. + The other key from this pair is used by the AI in Step 6 to "un- + blind" the signed hash value.) + + The AI sends the CMS ContentInfo object of TokenandBlindHash to + the BI, via a two-way authenticated and encrypted channel. The + two-way authentication and encryption is required to ensure that + the AI is sending these values to the BI, to allow the BI to + verify that the values were transmitted by the AI, and to prevent + a wiretapper from acquiring the Token. A TLS session in which + both parties employ certificates to authenticate one another is + the RECOMMENDED way to achieve this communication. + + The TokenandBlindHash is a CMS ContentInfo with a contentType of + id-kisa-tac-tokenandblindhash and a content that holds a + SignedData of CMS SignedData object [6], signed by the AI, where + the eContent (EncapsulatedContentInfo) is a SEQUENCE consisting of + the Token and BlindedCertificateHash, and eContentType MUST be + id-data. + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, -- OBJECT IDENTIFIER : id-data + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + -- DER encoded with the input of 'SEQUENCE of the Token and + -- BlindedCertificateHash' + + The signature (SignatureValue of SignerInfo) is generated using + the AI's private signature key, corresponding to the public key + present in the AI's certificate. (Note that this certificate is + just a certificate suitable for use with TLS, and is NOT the + split-key certificate used to issue a TAC.) The certificate (or + certificates) MUST be present. + + The following ASN.1 syntax represents the Token and + BlindedCertificateHash: + + Token ::= ContentInfo + BlinedCertificateHash ::= OCTET STRING + + + + +Park, et al. Experimental [Page 12] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + Token is the value of ContentInfo in the certificate request + message (CertificationRequestInfo.attributes) from Step 3. + + BlindedCertificateHash is the blinded hash value for the + tbsCertificate. + + Appendix A provides the ASN.1 syntax for the Token, as a profiled + CMS ContentInfo object. Appendix C provides the CMS SignedData + object profile for wrapping the Token. + + TokenandBlindHash ::= ContentInfo + + Step 5: + + The BI receives the Token and blinded certificate hash via the + secure channel described above. First the BI verifies the + signature on the TokenandBlindHash generated by AI and then + verifies the signature on the Token to ensure that it is a + legitimate Token generated by the BI. Next, the BI checks its + database to ensure that the UserKey value from the Token is + present and that the Token has not been used to authorize issuance + of a certificate previously. + + This check is performed to ensure that the BI has authenticated + the user and entered the user's real identity into the BI's + database. Each Token authorizes issuance of only one certificate, + so the check also ensures that the same Token has not been used to + authorize issuance of more than one certificate. These checks + ensure that the certificate issued by the AI to this user will be + traceable, if needed. + + The BI uses its share of the threshold private signature key to + sign the blinded certificate hash and returns the CMS SignedData + back to the AI. The eContent of the SignedData is a SEQUENCE + consisting of the Token and PartiallySignedCertificateHash. + + The following ASN.1 syntax represents the Token and + PartiallySignedCertificateHash: + + Token ::= ContentInfo + PartiallySignedCertificateHash ::= OCTET STRING + + Token is the token value of the TokenandBlindHash (where the + eContent is a SEQUENCE consisting of the Token and + PartiallySignedCertificateHash) from Step 4. + + + + + + +Park, et al. Experimental [Page 13] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + PartiallySignedCertificateHash is the signature value generated by + BI's share of the threshold private signature key on + BlindedCertificateHash from Step 4. + + The TokenandPartiallySignedCertificateHash is a CMS ContentInfo + with a contentType of id-kisa-tac-tokenandpartially and a content + that holds a SignedData of CMS SignedData object [6], signed by + the BI, where the eContent (EncapsulatedContentInfo) is a SEQUENCE + consisting of the Token and PartiallySignedCertificateHash, and + eContentType MUST be id-data. + + EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, -- OBJECT IDENTIFIER : id-data + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + -- DER encoded with the input of 'SEQUENCE of the Token and + -- PartiallySignedCertificateHash' + + The signature (SignatureValue of SignerInfo) is generated using + the BI's private signature key, corresponding to the public key + present in the BI's certificate. (Note that this certificate is + just a certificate suitable for use with TLS, and is NOT the + split-key certificate used to issue a TAC.) The certificate (or + certificates) MUST be present. Appendix A provides the ASN.1 + syntax for the Token, as a profiled CMS SignedData object. + Appendix C provides the CMS SignedData object profile for wrapping + the Token. + + TokenandPartiallySignedCertificateHash ::= ContentInfo + + Step 6: + + Upon receipt of the TokenandPartiallySignedCertificateHash, the AI + verifies the signature on the PartiallySignedCertificateHash, + generated by BI and then matches the Token against its list of + outstanding requests to the BI. The AI then "un-blinds" the + blindHashValue, using the other key from the key pair employed in + Step 4. This reveals the partially signed certificate hash. The + AI then applies its part of the split private key to complete the + signature of the certificate for the user. + + It records the certificate and the Token value in its database, to + enable later tracing of the certificate to the real user identity, + if needed. The AI transmits the completed certificate to the + user, via the response message from the request protocol employed + by the user in Step 3, PKCS10. + + + + + + +Park, et al. Experimental [Page 14] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + The user may now employ the certificate with any PKI-enabled + application or protocol that makes use of X.509 certificates + (consistent with the key usage, and Extended Key Usage (EKU) + values in the certificate). Note that the user should be prepared + to accommodate delays in the certificate issuance process. For + example, a connection between the user and the AI might fail + sometime after the user submits a certificate request at the end + of Step 3 and before the AI returns the certificate at the end of + Step 6. If this happens, the user should resubmit the request. + The AI and BI retain sufficient state to be able to match the + resubmitted request to the original request, and respond + accordingly. If the process failed in steps 5 or 6, the AI + returns an error indication to the user. + +5.2. Mapping a TAC to a User's Real Identity + + If a user to whom a TAC has been issued abuses the anonymity provided + by the TAC, the TAC can be traced to the identity of that user. + Mapping a TAC to a user's real identity is a four-step process, + described below and illustrated in Figure 2. + + C +---------------+ + +<-------->| Blind | + | D | Issuer (BI)| + | +---------------+ + +---------+ | + | Relying |<---------->| + | Party | | + +---------+ | + | A +----------------+ + +<-------->| Anonymity | + B | Issuer (AI) | + +----------------+ + + Figure 2. Revealing a TAC User's Real Identity + + Step A: + + The AI verifies the assertion by an aggrieved party that a TAC + user has abused the anonymity provided by his TAC. The procedures + used by AI to verify that such abuse has occurred are outside the + scope of this document. No protocol is defined here for the + interaction between the aggrieved party and AI. The only + technical requirement is that the TAC of the offending user be + provided to the AI. If the AI determines that there is sufficient + evidence of abuse to trace the TAC to the user, the AI revokes the + TAC, by listing its serial number on the next Certificate + Revocation List (CRL) issued by the AI. + + + +Park, et al. Experimental [Page 15] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + An AI unilaterally manages the CRL for a TAC. Because RFC 5280 + implementations are not required to process indirect CRLs, we + create a second certificate for the CA, under the TAC CA. Revoked + EE certificates issued by the TAC CA are recorded on this CRL and + validated using this second CA certificate. + + This CA certificate will have the cRLSign bit set in the KeyUsage + extension, but not the keyCertSign bit. The private key for this + certificate will be held by the AI, so that it can issue CRLs + unilaterally. + + The Subject DN (Distinguished Name) will be the same in both CA + certificates, which reinforces the notion that the CRL issuer is + the same entity as the TAC issuer, and that this CRL is not an + indirect CRL. Because the CRL issuer does not issue any + certificates itself, there is no possible serial number conflict. + This will be the only CA certificate issued under the TAC CA + certificate (and thus it will be signed jointly by the BI and AI). + We recommend that the CRL for this CA certificate be similarly + long-lived, as it too needs to be signed by the BI and AI. Each + EE TAC certificate MUST contain a CRL Distribution Point that + points to the CRL issued by this CA, to ensure that relying + parties know to check this CRL vs. the CRL that covers only the + CRL CA. (If the AI uses the Online Certificate Status Protocol + (OCSP) [13] to convey the revocation status of TACs, an equivalent + procedure is employed.) If it is later determined that the + revocation was not warranted, a new TAC can be issued, to preserve + the anonymity of the user in future transactions. + + Step B: + + The AI searches its database, e.g., based on the serial number in + the TAC, to locate the Token that was passed between the AI and BI + during the issuance process (Steps 5 and 6 above). The AI passes + this Token to the aggrieved party via an encrypted and two-way + authenticated channel. Encryption is required to prevent + disclosure of the Token, and two-way authentication is required to + ensure that the aggrieved party and the AI know that they are + communicating with each other. Two-way authenticated TLS is the + RECOMMENDED means of implementing this channel, though other + approaches are allowed. + + Steps C and D: + + The aggrieved party transits the Token to the BI, via an encrypted + and two-way authenticated channel. The channel MUST be encrypted + to prevent disclosure of the Token, and two-way authentication is + required to ensure that the aggrieved party and the BI know that + + + +Park, et al. Experimental [Page 16] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + they are communicating with each other. If specified by the + Certificate Policy (CP) for the TAC CA, the BI will independently + determine that there is sufficient evidence of abuse to trace the + TAC to the user, before proceeding. The BI verifies its signature + on the Token, to verify that this is a Token generated by it and + presumably released to the aggrieved party by the AI. Next, the + BI searches its database using the UserKey value extracted from + the Token. The BI retrieves the user's real identity and provides + it to the aggrieved party. (By requiring the aggrieved party to + interact with both the AI and the BI, the BI can verify that it is + dealing with an aggrieved party, not with the AI acting + unilaterally.) + +5.3. TAC Request Message Format Profile + + TAC request MAY use either PKCS10 or CMC. An AI MUST support PKCS10 + and MAY support CMC. + +5.3.1. PKCS10 Profile + + This profile refines the specification in PKCS10 [3], as it relates + to TAC. A Certificate Request Message object, formatted according to + PKCS10, is passed to the AI. + + This profile applies the following additional constraints to fields + that may appear in a CertificationRequestInfo: + + Version + This field is mandatory and MUST have the value 0. + + Subject + This field MUST be present. If the value of this field is + empty, the AI will generate a subject name that is unique in + the context of certificates issued by this issuer. If the + Subject field contains a Subject name already issued by the AI, + the AI MUST either reject the certificate request, or + substitute a pseudonym it generates, depending on the policy of + the TAC CA. + + SubjectPublicKeyInfo + This field specifies the subject's public key and the algorithm + with which the key is used. + + Attributes + PKCS10 [3] defines the attributes field as key-value pairs + where the key is an OID and the value's structure depends on + the key. The attribute field MUST include the id-kisa-tac + attribute, which holds the Token and is defined below. The + + + +Park, et al. Experimental [Page 17] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + Attributes field MAY also contain X509v3 Certificate Extensions + and any PKCS9 [7] extensionRequest attributes that the + subscriber would like to have included in the certificate. The + profile for extensions in certificate requests is specified in + RFC 5280 [2]. + +5.3.2. CMC Profile + + This profile refines the Certificate Request messages in Certificate + Management over CMS in CMC [4], as they relate to TACs. + + A Certificate Request message, formatted according to CMC [4], is + passed to the AI. + + With the exception of the public-key-related fields, the CA is + permitted to alter any requested field when issuing a corresponding + certificate. + + This profile recommends the full PKI Request of the two types of PKI + requests (Simple or Full PKI Request), and the PKI Request SHOULD be + encapsulated in SignedData with an eContentType of id-cct-PKIData. + + This profile applies the following additional constraints to fields + that may appear in a Certificate Request Template of Certificate + Request Message Format (CRMF) [5]: + + Version + This field MAY be absent, or MAY specify the request of a + Version 3 Certificate. It SHOULD be omitted. + + SerialNumber + As per CRMF [5], this field is assigned by the CA and MUST be + omitted in this profile. + + SigningAlgorithm + As per CRMF [5], this field is assigned by the CA and MUST be + omitted in this profile. + + Issuer + This field is assigned by the CA and MUST be omitted in this + profile. + + Validity + This field MAY be omitted. If omitted, the AI will issue a + Certificate with Validity dates as determined by the TAC CA + policy. If specified, then the CA MAY override the requested + values with dates as determined by the TAC CA policy. + + + + +Park, et al. Experimental [Page 18] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + Subject + This field MUST be present. If the value of this field is + empty, the AI MUST generate a subject name that is unique in + the context of certificates issued by this issuer. If the + Subject field contains a Subject name already issued by the AI, + the AI MUST either reject the certificate request, or + substitute a pseudonym it generates, depending on the policy of + the TAC CA. + + PublicKey + This field MUST be present. + + This profile also refines constraints that may appear in a + Certificate Request controls: The Token is set to attrValues (in + CertRequest.controls) where the attrType MUST be id-kisa-tac. + + See Section 5.3.1, "PKCS10 Profile", for the certification request + formats based on PKCS10. + +6. Security Considerations + + The anonymity provided by the architecture and protocols defined in + this document is conditional. Moreover, if the user employs the same + TAC for multiple transactions (with the same or different parties), + the transactions can be linked through the use of the same TAC. + Thus, the anonymity guarantee is "weak" even though the user's real + identity is still hidden. + + To achieve stronger anonymity, a user may acquire multiple TACs, + through distinct iterations of the protocol. Since each TAC is + generated independently, it should not be possible for a relying + party to discover a link between pseudonyms unless the tracing + feature of this scheme is invoked. If the TAC has a long validity + interval, this increases the probability that the identity of a TAC + user will be discovered, e.g., as a result of linking user + transactions across multiple servers. Thus, we recommend that each + TAC CA consider carefully how long the validity for a TAC certificate + should be. In the course of issuing a TAC, the AI and the user + interact directly. Thus, the AI may have access to lower-layer + information (e.g., an IP address) that might reveal the user's + identity. A user concerned about this sort of possible identity + compromise should use appropriate measures to conceal such + information, e.g., a network anonymity service such as Tor [10]. + + This document makes no provisions for certificate renewal or rekey; + we recommend TAC users acquire new TACs periodically, to further + reduce the likelihood of linkage. It also may be possible to + determine the identity of a user via information carried by lower- + + + +Park, et al. Experimental [Page 19] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + level protocols, or by other, application-specific means. For + example, the IP address of the user might be used to identify him. + For this reason, we recommend that a TAC be used primarily to access + web services with anonymity. Note that the TAC architecture + described in this document is not capable of using certificates for + use with S/MIME, because there is no provision to issue two + certificates (one for encryption and one for signatures) that contain + the same (anonymous) Subject name. An analogous problem might arise + if a user visits a site (and does not conceal his identity), the site + deposits a "cookie" into the user's browser cache, and the user later + visits a site and employs a TAC with the presumption of anonymity. + + The use of a TAC is a tool to help a user preserve anonymity, but it + is not, per se, a guarantee of anonymity. We recommend that each TAC + CA issue certificates with only one lifetime, in order to avoid the + complexity that might arise otherwise. If a TAC CA offered + certificates with different lifetimes, then it would need to + communicate this information from the BI to AI in a way that does not + unduly compromise the anonymity of the user. + + This architecture uses the UserKey to link a TAC to the corresponding + real user identity. The UserKey is generated in a fashion to ensure + that it cannot be examined to determine a user's real identity. + UserKey values are maintained in two distinct databases: the BI + database maps a UserKey to a real user identity, and the AI database + maps a TAC to a UserKey. The UserKey is always carried in a signed + data object, a Token. The Token is signed to allow the BI to verify + its authenticity, to prevent attacks based on guessing UserKey + values. The Token also carries a Timeout value to allow the AI and + BI to reject session-level replay attacks, and to facilitate garbage + collection of AI and BI databases. + + Threshold cryptography is employed to enable strong separation of the + BI and AI functions, and to ensure that both must cooperate to issue + certificates under the aegis of a TAC CA. (The AI and BI must ensure + that the threshold cryptographic scheme they employ does not provide + an advantage to either party based on the way the key-splitting is + effected.) Blind signatures are used with threshold cryptography to + preserve the separation of functions, i.e., to prevent the BI from + learning the hash value of the TAC issued by the AI. + + Message exchanges between a user and the BI or the AI, between the AI + and BI, and between an aggrieved party and the AI and BI all make use + of secure channels. These channels are encrypted to prevent + disclosure of the Token value and of the pseudonym in the TAC request + and response and in a tracing request. The channels are two-way + authenticated to allow the AI and BI to verify their respective + identities when communication with one another, and one-way + + + +Park, et al. Experimental [Page 20] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + authenticated to allow the user to verify their identities when he + communicates with them. Two-way authentication is employed for + communication between an aggrieved party and the AI and BI, to allow + all parties to verify the identity of one another. + + There is an opportunity for the AI to return the wrong UserKey to + an aggrieved party, which will result in tracing a certificate to + the wrong real user identity. This appears to be unavoidable in + any scheme of this sort, since the database maintained by the BI + is intentionally ignorant of any info relating a UserKey to a TAC. + + A TAC CA MUST describe in its CP how long it will retain the data + about certificates it issued, beyond the lifetime of these + certificates. This will help a prospective TAC subject gauge the + likelihood of unauthorized use of his identity as a result of a + compromise of this retained data. It also alerts relying parties of + the timeframe (after expiration of a certificate) in which an alleged + abuse must be brought to the attention of the AI and BI, before the + data linking a certificate to the real user identity is destroyed. + +7. Acknowledgments + + Tim Polk (NIST), Stefan Santesson (ACC-sec.com), Jim Schaad (Soaring + Hawk), David A. Cooper (NIST), SeokLae Lee, JongHyun Baek, SoonTae + Park (KISA), Taekyoung Kwon (Sejong University), JungHee Cheon (Seoul + National University), and YongDae Kim (Minnesota University) have + significantly contributed to work on the concept of TAC and have + identified security issues. Their comments enhanced the maturity of + the document. + +8. References + +8.1. Normative References + + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., + and W. Polk, "Internet X.509 Public Key Infrastructure + Certificate and Certificate Revocation List (CRL) Profile", RFC + 5280, May 2008. + + [3] Nystrom, M. and B. Kaliski, "PKCS #10: Certification Request + Syntax Specification Version 1.7", RFC 2986, November 2000. + + [4] Schaad, J. and M. Myers, "Certificate Management over CMS + (CMC)", RFC 5272, June 2008. + + + + +Park, et al. Experimental [Page 21] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + [5] Schaad, J., "Internet X.509 Public Key Infrastructure + Certificate Request Message Format (CRMF)", RFC 4211, September + 2005. + + [6] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, + July 2004. + + [7] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object Classes + and Attribute Types Version 2.0", RFC 2985, November 2000. + +8.2. Informative References + + [8] S. Brands, "Rethinking public key infrastructures and digital + certificates - Building in Privacy", PhD thesis, Eindhoven + Institute of Technology, Eindhoven, The Netherlands, 1999. + + [9] D. Chaum, "Blind signature system", CRYPTO '83, Plenum Press, + page 153, 1984. + + [10] "Tor: anonymity online", http://www.torproject.org. + + [11] X.509, "Information technology - Open Systems Interconnection - + The Directory: Public-key and attribute certificate frameworks", + ITU-T Recommendation X.509, March 2000. Also available as + ISO/IEC 9594-8, 2001. + + [12] S. Rafaeli, M. Rennhard, L. Mathy, B. Plattner, and D. + Hutchison, "An Architecture for Pseudonymous e-Commerce", + AISB'01 Symposium on Information Agents for Electronic Commerce, + pp. 33-41, 2001. + + [13] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams, + "X.509 Internet Public Key Infrastructure Online Certificate + Status Protocol - OCSP", RFC 2560, June 1999. + + [14] Philip MacKenzie and Michael K. Reiter, "Two-Party Generation of + DSA Signature", Crypto 2001. + + [15] Shaohua Tang, "Simple Threshold RSA Signature Scheme Based on + Simple Secret Sharing", in "Computational Intelligence and + Security", CIS 2005, Part II, Springer, pp. 186-191, 2005. + + [16] Taekyoung Kwon, Jung Hee Cheon, Yongdae Kim, Jae-Il Lee, + "Privacy Protection in PKIs: A Separation-of-Authority + Approach", in "Information Security Applications", WISA 2006, + Springer, pp. 297-311, 2007. + + + + + +Park, et al. Experimental [Page 22] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + [17] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) + Protocol Version 1.2", RFC 5246, August 2008. + + [18] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions + (S/MIME) Version 3.1 Certificate Handling", RFC 3850, July 2004. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Park, et al. Experimental [Page 23] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +Appendix A. Traceable Anonymous Certificate ASN.1 Modules + +DEFINITIONS IMPLICIT TAGS ::= + +-- +-- Copyright (c) 2009 IETF Trust and the persons identified as +-- authors of the code. All rights reserved. +-- +-- Redistribution and use in source and binary forms, with or +-- without modification, are permitted provided that the following +-- conditions are met: +-- +-- - Redistributions of source code must retain the above +-- copyright notice, this list of conditions and the following +-- disclaimer. +-- +-- - Redistributions in binary form must reproduce the above +-- copyright notice, this list of conditions and the following +-- disclaimer in the documentation and/or other materials provided +-- with the distribution. +-- +-- - Neither the name of Internet Society, IETF or IETF Trust, nor +-- the names of specific contributors, may be used to endorse or +-- promote products derived from this software without specific +-- prior written permission. +-- +-- +-- +-- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND +-- CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, +-- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +-- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +-- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS +-- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +-- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +-- TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +-- DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +-- ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +-- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +-- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +-- POSSIBILITY OF SUCH DAMAGE. +-- +-- This version of the ASN.1 module is part of RFC 5636; +-- see the RFC itself for full legal notices. +-- + + + + + + +Park, et al. Experimental [Page 24] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +BEGIN + + -- EXPORTS All + -- The types and values defined in this module are exported for + -- use in the other ASN.1 modules. Other applications may use + -- them for their own purposes. + + IMPORTS + + -- Imports from RFC 3280 [PROFILE], Appendix A.1 + AlgorithmIdentifier, Certificate, CertificateList, + CertificateSerialNumber, Name FROM PKIX1Explicit88 + { iso(1) identified-organization(3) dod(6) + internet(1) security(5) mechanisms(5) pkix(7) + mod(0) pkix1-explicit(18) } + + -- Imports from CMS + ContentInfo, SignedData FROM + CryptographicMessageSyntax2004{ iso(1) + member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) cms-2004(24)} + +UserKey ::= OCTET STRING + +Timeout ::= GeneralizedTime + +BlinedCertificateHash ::= OCTET STRING + +PartiallySignedCertificateHash ::= OCTET STRING + +EncapsulatedContentInfo ::= SEQUENCE { + eContentType ContentType, -- OBJECT IDENTIFIER : id-data + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + +id-data OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) +rsadsi(113549) pkcs(1) pkcs7(7) 1 } + +Token ::= ContentInfo + +TokenandBlindHash ::= ContentInfo + +TokenandPartiallySignedCertificateHash ::= ContentInfo + +id-KISA OBJECT IDENTIFIER ::= {iso(1) member-body(2) korea(410) +kisa(200004)} + +id-npki OBJECT IDENTIFIER ::= {id-KISA 10} + + + + +Park, et al. Experimental [Page 25] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +id-attribute OBJECT IDENTIFIER ::= {id-npki 1} + +id-kisa-tac OBJECT IDENTIFIER ::= {id-attribute 1} + +id-kisa-tac-token OBJECT IDENTIFIER ::= { id-kisa-tac 1} + +id-kisa-tac-tokenandblindbash OBJECT IDENTIFIER ::= { id-kisa-tac 2} + +id-kisa-tac-tokenandpartially OBJECT IDENTIFIER ::= { id-kisa-tac 3} + +END + +Appendix B. TAC Message Exchanges over Transport Layer Security + + TAC message exchanges between a user and the BI or the AI, between + the AI and BI, and between an aggrieved party and the AI and BI all + make use of secure channels to prevent disclosure of the Token value + and of the pseudonym in the TAC request and response and in a tracing + request. The Transport Layer Security Protocol v1.2 (TLS) [17] is a + suitable security protocol to protect these message exchanges, and + this document recommends use of TLS to protect these exchanges. The + following text describes how the handshake part of TLS should be + employed to protect each type of exchange. Note that no specific + cipher suites are specified for use here; the choice of suites is up + to the client and servers, as is commonly the case. + +B.1. Message Exchanges between a User and the BI or the AI + + The channels between a User and the BI or the AI are one-way + authenticated to allow the user to verify their identities when he + communicates with them. + + User BI or AI + + ClientHello --------> + + ServerHello + Certificate + <-------- ServerHelloDone + ClientKeyExchange + [ChangeCipherSpec] + Finished --------> + [ChangeCipherSpec] + <--------- Finished + TAC Message <---------> TAC Message + + Figure 3. TAC Message exchanges between a User and the BI or the AI + + + + +Park, et al. Experimental [Page 26] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +B.2. Message Exchanges between the BI and the AI + + The channels between the BI and the AI are two-way authenticated to + allow the AI and BI to verify their respective identities when + communication with one another. + + BI AI + + ClientHello --------> + ServerHello + Certificate + CertificateRequest + <-------- ServerHelloDone + Certificate + ClientKeyExchange + CertificateVerify + [ChangeCipherSpec] + Finished --------> + [ChangeCipherSpec] + <--------- Finished + TAC Message <---------> TAC Message + + Figure 4. TAC Message exchanges between BI and AI + +B.3. Message Exchanges between the Aggrieved Party and the AI or the BI + + The channels between a User and the BI or the AI are two-way + authenticated, to allow both parties to verify the identity of one + another. + + User BI or AI + + ClientHello --------> + ServerHello + Certificate + CertificateRequest + <-------- ServerHelloDone + Certificate + ClientKeyExchange + CertificateVerify + [ChangeCipherSpec] + Finished --------> + [ChangeCipherSpec] + <--------- Finished + TAC Message <---------> TAC Message + + Figure 5. TAC Message Exchanges between an Aggrieved Party and + the BI or the AI + + + +Park, et al. Experimental [Page 27] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +Appendix C. Cryptographic Message Syntax Profile for TAC Token + + Using the Cryptographic Message Syntax(CMS)[6], TAC Token is a type + of signed-data object. The general format of a CMS object is: + + ContentInfo ::= SEQUENCE { + contentType ContentType, + content [0] EXPLICIT ANY DEFINED BY contentType } + + ContentType ::= OBJECT IDENTIFIER + + As a TAC is a signed-data object, it uses the corresponding OID, + 1.2.840.113549.1.1.2. + +C.1. Signed-Data Content Type + + According to the CMS specification, the signed-data content type + shall have ASN.1 type SignedData: + + SignedData ::= SEQUENCE { + version CMSVersion, + digestAlgorithms DigestAlgorithmIdentifiers, + encapContentInfo EncapsulatedContentInfo, + certificates [0] IMPLICIT CertificateSet OPTIONAL, + crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, + signerInfos SignerInfos } + + DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier + + SignerInfos ::= SET OF SignerInfo + + The elements of the signed-data content type are as follows: + + Version + The version is the syntax version number. It MUST be 3, + corresponding to the signerInfo structure having version number + 3. + + digestAlgorithms + This field specifies digest Algorithms. + + encapContentInfo + This element is defined in Appendix C.1.1. + + + + + + + + +Park, et al. Experimental [Page 28] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + certificates + The certificates element MUST be included and MUST contain only + the single PKI EE certificate needed to validate this CMS + Object. The CertificateSet type is defined in section 10 of + RFC3852 [6]. + + crls + The crls element MUST be omitted. + + signerInfos + This element is defined in Appendix C.1.2. + +C.1.1. encapContentInfo + + encapContentInfo is the signed content, consisting of a content type + identifier and the content itself. + + EncapsulatedContentInfo ::= SEQUENCE{ + eContentType ContentType, + eContent [0] EXPLICIT OCTET STRING OPTIONAL } + + ContentType ::= OBJECT IDENTIFIER + + The elements of this signed content type are as follows: + + eContentType + The ContentType for an TAC Token is id-data and has the + numerical value of 1.2.840.113549.1.7.1. + + eContent + The content of a TAC Token is the DER-encoded SEQUENCE of + UserKey and Timeout. + +C.1.2. signerInfos + + SignerInfo is defined under CMS as: + + SignerInfo ::= SEQUENCE { + version CMSVersion, + sid SignerIdentifier, + digestAlgorithm DigestAlgorithmIdentifier, + signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, + signatureAlgorithm SignatureAlgorithmIdentifier, + signature SignatureValue, + unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL } + + + + + + +Park, et al. Experimental [Page 29] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + + The contents of the SignerInfo element are as follows: + + Version + The version number MUST be 3, corresponding with the choice of + SubjectKeyIdentifier for the sid. + + sid + The sid is defined as: + + SignerIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier } + + For a TAC Token, the sid MUST be a SubjectKeyIdentifier. + + digestAlgorithm + This field specifies digest Algorithms. + + signedAttrs + The signedAttr element MUST be omitted. + + SignatureAlgorithm + This field specifies the signature Algorithm. + + Signature + The signature value is defined as: + + SignatureValue ::= OCTET STRING + + The signature characteristics are defined by the digest and + signature algorithms. + + UnsignedAttrs + unsignedAttrs MUST be omitted. + + + + + + + + + + + + + + + + + +Park, et al. Experimental [Page 30] + +RFC 5636 Traceable Anonymous Certificate August 2009 + + +Authors' Addresses + + SangHwan Park + Korea Internet & Security Agency + 78, Garak-Dong, Songpa-Gu, Seoul, Korea + EMail: shpark@kisa.or.kr + + Haeryong Park + Korea Internet & Security Agency + 78, Garak-Dong, Songpa-Gu, Seoul, Korea + EMail: hrpark@kisa.or.kr + + YooJae Won + Korea Internet & Security Agency + 78, Garak-Dong, Songpa-Gu, Seoul, Korea + EMail: yjwon@kisa.or.kr + + JaeIl Lee + Korea Internet & Security Agency + 78, Garak-Dong, Songpa-Gu, Seoul, Korea + EMail: jilee@kisa.or.kr + + Stephen Kent + BBN Technologies + 10 Moulton Street Cambridge, MA 02138 + EMail: kent@bbn.com + + + + + + + + + + + + + + + + + + + + + + + + + +Park, et al. Experimental [Page 31] + -- cgit v1.2.3