ProtoXEP: E2E Authentication in XMPP: CA Requirements

This commit is contained in:
Jonas Schäfer 2019-02-12 17:23:42 +01:00
parent 000d88abd4
commit b7a3256501
1 changed files with 88 additions and 0 deletions

88
inbox/eax-car.xml Normal file
View File

@ -0,0 +1,88 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>E2E Authentication in XMPP: CA Requirements</title>
<abstract>This specification defines requirements for certificate authorities issuing X.509 certificates for e2e authentication in XMPP.</abstract>
&LEGALNOTICE;
<number>xxxx</number>
<status>ProtoXEP</status>
<type>Procedural</type>
<sig>Standards</sig>
<approver>Board</approver>
<dependencies>
<spec>XEP-0001</spec>
</dependencies>
<supersedes/>
<supersededby/>
<shortname>NOT_YET_ASSIGNED</shortname>
<author>
<firstname>Evgeny</firstname>
<surname>Khramtsov</surname>
<email>ekhramtsov@process-one.net</email>
<jid>xram@zinid.ru</jid>
</author>
<revision>
<version>0.0.1</version>
<date>2019-02-08</date>
<initials>evk</initials>
<remark><p>First draft.</p></remark>
</revision>
</header>
<section1 topic='Introduction' anchor='intro'>
<p>E2E Authentication in XMPP (XEP-EAX) describes how X.509 certificates can be used for end-to-end (e2e) authentication in XMPP. As in any PKIX based authentication, a certificate authority (CA) plays a major role in e2e authentication. This document specifies requirements for certificate authorities issuing certificates for the purpose of e2e authentication in XMPP. In addition, a special role of the XSF is outlined.</p>
</section1>
<section1 topic='Requirements' anchor='reqs'>
<section2 topic='CA Requirements' anchor='ca-reqs'>
<p>The following rules apply to any CA:</p>
<ol>
<li>The CA MUST be Sybil resistant, i.e. it MUST NOT allow massive certificate creation by the same human user. To accomplish this the CA SHOULD identify a human user or an organization behind the XMPP address or the associated domain. The methods for such identification are out of scope of this document.</li>
<li>The CA SHOULD issue enough certificates for a human user owning the XMPP address to run all user's devices. In other words, the CA MAY issue multiple certificates with the same XMPP address but different RELOAD URIs.</li>
<li>The CA MUST issue a valid certificate, which means that the certificate MUST comply to the rules defined in Section 3.2 of XEP-EAX.</li>
<li>The CA MUST generate a cryptographically random 128-bit integer each time it issues a leaf certificate for a new user device. This integer MUST be a part of the RELOAD URI and MUST be included in the certificate as specified under Section 3.2 of XEP-EAX.</li>
<li>The CA MUST maintain a Certificate Revocation List (CRL). The CRL URI is encoded in the certificates as specified under Section 3.2 of XEP-EAX.</li>
</ol>
<p>The following rules apply to domain-associated CAs:</p>
<ol>
<li>The domain-associated CA MAY issue leaf certificates for users of its domain, i.e. a domain part of an XmppAddr of a leaf certificate matches the domain associated with this CA.</li>
<li>The domain-associated CA MUST NOT issue any other certificates.</li>
</ol>
<p>The following rules apply to root CAs:</p>
<ol>
<li>The root CA MUST maintain a RELOAD enrollment server with the Overlay Configuration document (see Section 11.1 of RFC6940). Even if XOR extension (XEP-XOR) is unused, the document can be used to retrieve the list of the root certificates.</li>
<li>All root CAs MUST synchronize the Overlay Configuration between them keeping the same content of the document. This is the minimum required coordination of the root CAs.</li>
<li>The Overlay Configuration MUST be located at HTTP relative path "/.well-known/reload-config" of the enrollment server of each root CA.</li>
</ol>
<p>Failing to follow the above rules MAY lead to certificate revocation by either appending the intermediate certificate to the parent's Certificate Revocation List or by removing the root certificate from the listing of the XSF.</p>
</section2>
<section2 topic='XSF Requirements' anchor='xsf-req'>
<p>The XSF acts as an entry point for the Overlay Configuration. In accordance with Section 11.2 of RFC6940, to provide such an entry point, the following requirements are applied to the XSF:</p>
<ol>
<li>The XSF MUST maintain an HTTP server for domain "xmpp.org".</li>
<li>The XSF MUST serve URL "https://xmpp.org/.well-known/reload-config".</li>
<li>The XSF MUST redirect HTTP requests to the above URL to the URLs provided by representatives of the root CAs. The redirection MUST be performed in a round-robin manner, i.e. no priority should be given to any particular CA URL.</li>
</ol>
<p>Since the location of the Overlay Configuration document is defined in this specification, the XSF doesn't need to maintain SRV DNS entries for a Service name of "reload-config".</p>
<p>It is expected that modifications of the list of root CA URLs will be rarely needed. Also, maintaining URL redirections is a relatively simple task. Thus operational costs for the XSF are expected to be low.</p>
</section2>
</section1>
<section1 topic='Glossary' anchor='glossary'>
<p>Refer to Glossary sections of XEP-EAX and XEP-XOR.</p>
</section1>
<section1 topic='Business Rules' anchor='rules'>
<p class='box'>TODO: describe interaction between the XMPP Board and representatives of the root CAs.</p>
</section1>
<section1 topic='Security Considerations' anchor='security'>
<p>This specification requires to maintain an HTTP server. A standard practice should be used to protect the HTTP server from security threats.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
<p>None required.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>None required.</p>
</section1>
</xep>