]> Interpeer gUG (haftungsbeschraenkt)

ietf@interpeer.io https://interpeer.io/

The Interpeer Project capabilities authorization authentication power of attorney cryptography remote attestation CAProck is a distributed authorization scheme based on cryptographic capabilities . This document describes the schemes additional constraints over the base document, and introduces a method for dealing with revocation of authorization. The result is a complete distributed authorization scheme. The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the The Interpeer Project Working Group mailing list (), which is archived at . Working Group information can be found at . Source for this draft and an issue tracker can be found at .

Introduction CAProck addresses distributed authorization by providing a framework for applications to define and verify their own privilege schemes via cryptographic capabilities. Capabilities in essence provide cryptographic verification for an authorization tuple, and thus confirm a relationship between a subject, a prilege, and an optional object. The privilege itself is an opaque piece of information for this scheme; it only has application defined meaning. As such, CAProck can be viewed as a kind of envelope for distributed authorization schemes. To do this, however, this document needs to define some constraints for identifiers used in this scheme. Not in scope of this document are wire encodings (serialization formats) for capabilities. This is because different applications may have differing requirements, making one kind of encoding more suitable than the other.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Where applicable, this document uses plural pronouns according to inclusive language guidelines from .

Terminology Most terminology is taken from , in which elements of a cryptographic, distributed authorization scheme are listed. Below are alternative names for some of those elements as used in CAProck.

Claim:

In CAProck, authorization tuples are called a claim, because by presenting them, a claim is made about the relationship of its elements. The tuple consists of a subject identifier, a predicate, and an object identifier.

Predicate:

Where the overview draft above speaks about privileges, CAProck uses the more general predicate term. This is terminology from to indicate that a predicate can itself be arbitrarily complex, though for authorization purposes must describe some permission relationship.

Issuer:

The grantee role described in the more general document is called the issuer in CAProck, for consistency with terminology from .

Furthermore, CAProck defines the following terms:

Token:

A token is a serialized capability, as passed over the network. Specific serialization formats are out of scope for this document, but two tokens serialized in different formats but with identical contents MUST be considered equivalent.

Grant:

A grant is a token that makes claims about granting some permissions.

Revocation:

Conversely, a revocation makes claims about revoking some permissions.

Use Case CAProck was designed with a 0-RTT handshake in mind that establishes authorization for some resource. This scenario is adequately described in . Suffice to add that a 0-RTT handshake over IP requires that authentication information as well as a caprock token be transmitted in a single packet. That in turn requires the data to be transmitted, and the encoding used on the wire, to be as sparse as feasible. Where possible, CAProck uses compact data representations for this reason. However, as wire encodings are not in scope for this document, this is mostly discussed in the abstract. Furthermore, CAProck is designed with a fully distributed system in mind. The basic assumption is that an issuer of a capability cannot be used at the time the capability is to be verified.

CAProck The basic functionality of CAProck is to provide a cryptographic signature over a number of claims with the intent that it can be verified at a later date, when actions based on those claims are to be performed. This temporal decouping between the time of signature and time of verification represents both the greatest strength and weakness of capability based schemes, as it raises the question for what time period these claims are to be considered valid. Rare is the case where a privilege should be granted to a subject for perpetuity, but choose the time period too small, and a claim may not be usable. Furthermore, this temporal decoupling introduces the issue of what should happen when a privilege is granted and the associated capability transmitted, but subsequently trust in the subject is lost. This loss of trust should ideally be known to the party that is supposed to execute an action on behalf of the subject. The typical approach is to verify via some real-time blocklist query. However, the design goals for CAProck prohibit such an approach. Note, however, that systems using CAProck may still employ this method. The requirement is included to drive the design to broader applicability also in situations where real-time queries are infeasible. To these ends, CAProck defines additional metadata beyond that described in , namely: A validity timespan (scope) An expiry policy Grant as well as revocation markers Furthermore, this document defines a conflict resolution scheme for resolving multiple capabilities.

Identifiers Generally speaking, a capability based distributed authorization scheme is agnostic to the specific contents of identifiers used for the capability issuer, subject and object. However, such a scheme requires that issuer and subject identifiers can be uniquely mapped to public keys. The issuer public key is required to verify the capability signature. At the same time, accepting and executing an action requires that the capability subject is authenticated, which typically involves use of its public key as well. The space saving concerns suggest that full public keys should only be used in authentication, while shorter identifiers derived from these keys are sufficient for use in capabilities. To that end, CAProck defines two kinds of identifiers for issuers and subjects:

SHA-3 Identifiers:

Identifiers may be SHA-3 hashes () over DER encoded () public keys.

Raw Identifiers:

If the key scheme supports it, identifiers may also be raw public keys. This identifier MUST NOT be chosen if it is longer than the longest identifier generated under the SHA-3 scheme for the same key, but SHOULD be used if the result is shorter than the SHA-3 scheme produces.

Algorithm Identifier Preferred Scheme Reference PureEdDSA for curve25519 ed25519 raw , PureEdDSA for curve448 ed448 raw , DSA dsa SHA-3 RSA rsa SHA-3 ECDSA ecdsa SHA-3

Object Identifiers Unlike with issuer and subject identifiers, object identifiers do not require mapping to public keys, though it may be in the application's interest to also define object identifiers in this fashion. CAProck places only a single constraint on object identifiers: that they have the same length as issuer and subject identifiers. More specifically, object identifers MUST be between 28 and 64 octets in length, and SHOULD be one of the sizes yielded by either of the issuer and subject identifier schemes. In practice, this constraint suggests to use a default SHA-3 digest size for identifiers of any kind, unless the use of EdDSA allows shorter issuer or subject identifiers.

Group Identifiers As CAProck does not define much about identifiers, it is also agnostic as to whether any identifier refers to an individual or group. Such definitions are part of the application concern. Note, however, that as subject and issuer identifiers must be mappable to a public key, the use of groups with a CAProck based scheme essentially becomes a public key management problem.

Predicates Predicate formats are outside of the scope of this document. This is to permit maximum flexibility for the application concern. However, arbitrary length predicates are in conflict with the space saving requirements, while short predicates may limit the application in how to apply them. CAProck takes a compromise approach here: predicates MUST NOT be larger than 2^16 = 65,536 octets. This limit is far too generous for 0-RTT handshakes, so predicates SHOULD be limited to significantly shorter lengths, such that an entire capability fits comfortably into an IP packet with authentication information.

Claims CAProck's capabilities require that one or more claims are provided to create them, i.e. tuples of subject identifier and predicate, and an optional object identifier. Note that a claim that includes an object identifier has a signficantly different semantic from one that does not. Authorization tuples with an object identifier assert that the predicate describes the relationship between the given subject and object. Authorization tuples without an object assert that the predicate describes an aspect of the subject itself.

Wildcards Furthermore, in CAProck each claim component may be a wildcard. As predicate formats are outside of this document's scope, predicates may also contain a wildcard, but the semantics of that must be defined with the predicate scheme to use. Wildcards make more general statements than a claim typically does, and due to this genericity, implementations MUST take great care with their use. Broadly speaking: A wildcard subject states that the predicate applies to an object for any subject. Such a statement may imply that authenticating a subject is no longer of interest, i.e. grant public privileges. A wildcard predicate states that all relationships between the given subject and object are affected. This may e.g. be used to revoke all privileges from a subject. A wildcard object is not the same as omitting an object altogether; instead, it states that the subject and predicate combination applies to all objects. Note, though, that the issuer does not have authority over all possible objects, so this is naturally limited to only those objects the issuer has authority over. Combinations of wildcard fields in a single claim may have sense within the application's privilege scheme, but can also be increasingly confusing, and thus prone to creating security flaws. For that reason, public privilege schemes MUST document the semantics for every combination of wildcard elements they support, and SHOULD limit such combinations to a minimum required amount. Other combinations of wildcards SHOULD be rejected as invalid.

Metadata The most basic data encoded into a CAProck token is mostly described in and consists of the following fields: An issuer identifier (also see ). One or more claims (), each consisting of: A subject identifier (). A predicate (). An optional object identifier (). A validity range (). An expiry policy (). A signature by the issuer over a serialized version of the previous fields (). Please note that the specific encoding or serialization format for the data affected by the signature is not defined in this document; this is because alternative encodings are possible. For this reason, documents specifying such encodings MUST be clear on how this payload data is serialized, and how the signature is added to the token.

Validity Range/Temporal Scope The validty range or temporal scope for a token is defined by a tuple of timestamps, much as in certificates. In these certificates, the validity range is defined by rather awkwardly named "not before" and "not after" fields, CAProck prefers the "from" and "to" fields. The "from" timestamp MUST be provided, while the "to" timestamp is optional. Tokens without the "to" timestamp are valid in perpetuity, after the "from" time has been reached. The range from "from" to "to" is inclusive, i.e. the token is valid not before the "from" date, but both at and after the "from" timestamp. The same logic applies to the "to" timestamp. The wire encoding specifies how to represent these fields in the token. However, implementations MUST accept the subset of ISO-8601 time stamp formats as defined in as input to either field, in order to set consistent expectations with the user base.

Expiry Policy Distributed authorization in general and CAProck in particular are designed for scenarios in which connectivity is not always given. This can mean that having a access to a synchronized clock is impossible at the time of validation, which would imply that evaluating the valdity range timestamps above is impossible. To mitigate this, tokens MAY contain an optional expiry policy field. This field can take the symbolic values of issuer and local. If omitted, the value MUST be assumed to be issuer. The semantics of each value are as follows:

Issuer:

If the expiry policy is set to issuer, then the valdity scope of the issuer MUST be respected. An unsynchronize clock may lead to failures, but that is the issuer's wish.

Local:

The verifier is permitted to apply local policies for failures. That is, a CAProck system must now query the application whether to accept or reject a token.

Leaving the possibility to defer to the applications permits resolving clock conflicts by means outside the ability of CAProck to influence. One such method might be to simply ask the application user. As this behaviour is a potential security risk, implementations MAY reject tokens with local expiry policy outright.

Signature Asymmetric signatures are made over hashes of content; the hash algorithm to use depends on the key type used for signing. The EdDSA algorithm defines what signature hash function to use in . The DSA algorithm requires the selection of a hashing algorithm. Implementations MUST use one of the SHA-2 or SHA-3 family of hash functions (see ). The ECDSA algorithm likewise requires the selection of a hashing algorithm. We also use SHA-2 or SHA-3 here. For ECDSA, specifies that the hash length shall be no less than the ECDSA key bit length. The RSA algorithm also requires specification of a signature hash. Implementations MUST select one of the SHA-3 family of hash functions (see ). CAProck does not specify which digest sizes to use for SHA-2/SHA-3. However, wire encodings may restrict the choices here further.

Grants and Revocations Capabilities in CAProck either grant privileges or revoke them; these are called grants or grant tokens and revocations or revocation tokens, respectively. As each token contains one or more claims, the implication is that each token either grants all of the claimed privilege or revokes all. Other metadata (see ) applies equally to the entire set of claims. But individual tokens may contain differing metadata. If the metadata differs, this can create a set a tokens that make conflicting claims. Consider the following scenario: Grant G1 contains claims C1 and C2 for a period of [S1,E1] defined by a start S1 and end E1 timestamp. Revocation R1 revokes claim C1 for a new, shorter time period [S2,E2] where S2 > S1 and E2 < E1. In this simple scenario, whether C1 is granted or revoked already depends on whether one looks at time period [S1,S2), [S1,E2] or (E2,E1] - or some period before S1 or after E1. If the two tokens are examined in the order listed, that is all there is to it. However, what should happen if the tokens arrive in reverse order? For this, we need to define a conflict resolution algorithm (). Things only gain in complexity when more claims are processed, and revocations are themselves further "revoked" by issuing another grant for a different time period.

Conflict Resolution While privileges encoded in predicates are arbitrarily complex, whether a token represents a grant or revocation is essentially a binary value. It is therefore possible to view a set of grants and revocatons for a given claim as a bit stream, in which only the latest bit has any significance. The question then is how to bring order into this token set. To this end, CAProck introduces a simple counter. This is represented by an unsigned 64 bit integer value. The only requirement on the counter is that tokens issued earlier have smaller values than tokens issued at a later date. The counter value is scoped to the issuer that issues the token; therefore, no synchronization of counters between issuers is required. In order to query the validity of a claim, then, a time point must be provided, and the following algorithm MUST be used: Start with the state that the claim is invalid. Assume a token store containing only tokens with valid cryptographic signatures. From the token store, pick all tokens pertaining to the claim being queried. Note that this may include claims containing wildcards. Order the picked tokens by the counter value from lowest value to highest value, essentially ordering by age of the token. Process each token in order, and compare it's validity range to the given time point: Discard tokens for which the time point does not lie in the validity range. If the token expiry policy is local, consult the local policy whether to discard it. See section for details. If the time point lies in the validity range, set the current state to valid for grants, and invalid for revocations. When all tokens are processed, the current state is the final state of processing. If that state is invalid, reject the claim. For valid end states, process the claim by application specified rules for the predicate. The information contained here may still make the claim invalid, but this is beyond the scope of CAProck. Note that CAProck explicitly does not introduce timestamps for ordering tokens. This is due to several considerations. First, using a counter permits an implementation to update the value more sparsely. Between issuing two tokens, a lot of time may pass, which would increment a timestamp by a significant number. By contrast, a counter may use the value space more efficiently by being incremented only by one each time. Second, the extra information a timestamp imparts is not necessary for deconflicting tokens. However, it is possible to infer information from it that may best be hidden, namely when the token was issued. This permits for analysis on the time periods an issuer was active, and may imply further communications between the issuer and subject. Finally, using timestamps introduces a hard dependency on a valid understanding of the current time for validation. In early boot processes or handshakes for reading a clock, such a dependency cannot necessarily be fulfilled.

State Compression The above algorithm makes it possible to compress state. First, any expired tokens can be discarded, as they are no longer consulted at all. They have the same semantics as a revocation for the claim. Furthermore, subsequent tokens that completely overrule a prior token make it unnecessary to keep storing the prior token. Implementations are not required to perform any state compression, and MAY find additional means to compress state. However, such compressions MUST NOT affect the results as would be achieved by the above algorithm.

Confidentiality All of the data fields described here are required for a party validating a capability or a set thereof; therefore, CAProck cannot provide confidentiality for this data itself. However, individual permissions may well be in need of protection. If any subject is issued a privilege, this should not be visibly to any party other than the issuer, the verifier, and most likely the subject itself. Implementations SHOULD therefore transport capability tokens in such a way that confidentiality is preserved. This leaves room for potentially replacing the cryptographic signature with an authenticated encryption method. Such a scheme, however, should be considered an extension to CAProck and defined in a separate document.

Delegation Delegation of authority comes in two distinct flavors in a distributed authorization system. CAProck addreses the set of scenarios in which a subject wishes to perform an action (on an object), and presents its authorization to do so. The other set of scenarios involves delegating the authority to grant priveleges. This is not explicitly addressed in CAProck, though the following may provide some guidance. First, a predicate that states a subject may itself create subgrants is likely more complex than predicates permitting other actions. At minimum, such a predicate should provide limits on which subgrants may be issued; such limits may include a list of permitted predicates, different time slots for the subgranted privilege, and a limit on whether grants or revocations or both may be issued. Effectively, such a predicate might contain the same information as a CAProck token, or even more. Second, a subgrant may also be issued to grant further subgrants. If this is the case, there is likely need for bounding such subsubgrants to a certain depth, otherwise it is likely that subjects receive grants that the original issuer never intended to issue grants to.

Related Considerations

Human Rights Considerations contains a list of objectives derived from , each with a statement on how these concerns are addressed. This section lists any modifications or additions to that list that is specific to CAProck.

In Scope

Content agnosticism:

Where the base document is entirely content agnostic, CAProck restricts this to content agnosticism about predicates. Without such a restriction, CAProck would not be able to add signficant semantics to the base document.

Localization:

This document refers to time in timestamps in order to provide timestamps unambiguous in any locale.

Out of Scope

Confidentiality:

Confidentiality remains out of scope, but see for some additional considerations.

Protocol Considerations There are no additional protocol considerations for this document.

Security Considerations This document does not specify a network protocol. In fact, it deliberately requires no specific protocol for transmitting capabilities. As such, much of does not apply. Similar to , below we list changes to the base document at .

Confidentiality As above, confidentiality is out of scope, but see .

Message Deletion Deletion of individual tokens in a ordered stream relating to the same claim may result in the wrong verification state at the end of the algorithm presented in . Mitigation against this boils down to knowing that the full set of tokens has been communicated that an issuer generated for a given claim. It is possible to use CAProck in this fashion, but this document assumes other uses are equally valid. To provide mitigation against message deletion, follow the steps below: Start issuer counters at some fixed value, e.g. 0, and strictly increment the counter by one for each token issued. Only provide exactly one claim per token. Communicate the last counter issued as part of the token transmission. Validate this by means out of scope for this document. Given the above information, a recipient of a token set can be certain that they know the full set of tokens, at the point in time when the token set was sent. If the transmission of the token set is synchronous, this corresponds to the point in time at which a claim is checked for validity. However, these additional assumptions counter some of the gains for distributed systems, to the point where a traditional, centralized authorization scheme may be the better choice. It therefore depends strongly on the threat model and application requirements whether to use centralized authorization, distributed authorization, or a mixed model as outlined above.

IANA Considerations This document has no IANA actions.

All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology (U.S.) International Telecommunications Union Interpeer gUG (haftungsbeschraenkt) Instituto Superior de Engenharia do Porto Authorization is often the last remaining centralized function in a distributed system. Advances in compute capabilities of miniaturized CPUs make alternative cryptographic approaches feasible that did not find such use when first envisioned. This document describes the elements of such cryptographically backed distributed authorization schemes as a reference for implementations. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology (U.S.)

US Gaithersburg

This document provides guidance to NIST staff regarding the use of inclusive language in documentary standards and documents which support the realization and dissemination of physical standards; Standards Developing Organizations' (SDOs) policies and procedures; and standards development participation. The document is intended to be used as guidance by NIST standards participants seeking to be impactful in addressing these issues. Archived copy; this document has been withdrawn by NIST due to Executive Order (E.O.) 14151 of the President of the United States of America. This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided. This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. This document defines a date and time format for use in Internet protocols that is a profile of the ISO 8601 standard for representation of dates and times using the Gregorian calendar. This document aims to propose guidelines for human rights considerations, similar to the work done on the guidelines for privacy considerations (RFC 6973). The other parts of this document explain the background of the guidelines and how they were developed. This document is the first milestone in a longer-term research effort. It has been reviewed by the Human Rights Protocol Considerations (HRPC) Research Group and also by individuals from outside the research group. Center for Democracy & Technology University of Amsterdam This document argues for more inclusive language conventions sometimes used by RFC authors and the RFC Production Centre in Internet-Drafts that are work in progress, and in new RFCs that may be published in any of the RFC series, in order to foster greater knowledge transfer and improve diversity of participation in the IETF. Internet Society Foundation International Telecommunications Union RDF Working Group of the World Wide Web Consortium (W3C)

Acknowledgments Jens Finkhäuser's authorship of this document was performed as part of work undertaken under a grant agreement with the Internet Society Foundation .