Certificate Specification
This document contains the specification for Control Plane (CP) Root Certificates, CP CA Certificates and CP AS Certificates.
The SCION Certificate Specification builds on top of [RFC5280], which in turn builds on top of [X509]. The SCION specification is a more restrictive set of [RFC5280], which means that [RFC5280] compliant implementations can be adapted to implement this specification by including the additional checks.
For each SCION CP certificate, this document defines the additional constraints when compared to [RFC5280]. When something is marked as optional, it also includes how the Anapaya implementation behaves.
Note that this document uses the new X.509-style SCION terminology (as opposed to the previous JSON SCION terminology). The following entities are used in this document:
CP Root Key. This is the previous Issuing key/Issuing grant key. It is embedded in TRCs (via a certificate) to signal that an AS can act as a certificate authority in the ISD (a CA AS).
CP Root Certificate. This is the container for the public key associated with the CP Root Key.
CP CA Key. This is the previous Issuing key. It is used by CA ASes to sign AS certificates.
CP CA Certificate. This is the container for the public key associated with the CP AS Key.
CP AS Key. This is the previous Signing key. It is used by an AS to sign control-plane messages.
CP AS Certificate. This is the container for the public key associated with the CP AS Key.
This documents assumes a trusted set of CP Root Certificates already exists. How such a set is selected is outside the scope of this document, and described in the TRC Specification.
This document uses the Anapaya IANA Private Enterprise Number (55324) as root SCION OIDs:
id-ana ::= OBJECT IDENTIFIER {1 3 6 1 4 1 55324}
General certificate requirements
SCION CP certificates are X.509 v3 certificates. Every certificate has a subject (the entity that owns the certificate) and a issuer (the entity that issued the certificate, usually a CA). Like in Internet PKI, in SCION sometimes both the subject and the issuer can be the same entity.
The listing below shows the generic format of SCION CP certificates. For information regarding the full format, please see [X509], clause 7.2.
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier{{SupportedAlgorithms}},
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- disallowed in SCION
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- disallowed in SCION
extensions [3] EXPLICIT Extensions OPTIONAL
}
Version ::= INTEGER { v1(0), v2(1), v3(2)} -- v1, v2 disallowed in SCION
CertificateSerialNumber ::= INTEGER
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time
}
Time ::= CHOICE {
utcTime UTCTime,
generalizedTime GeneralizedTime
}
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier{{SupportedAlgorithms}},
subjectPublicKey BIT STRING
}
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnId OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
-- contains DER encoding of ASN.1 value
-- corresponding to type identified by extnID
}
Version
The version field is always v3 in SCION; this is required because
extensions are mandatory.
Deprecation warning: note that the X.509 version field has different
semantics compared to the old SCION JSON format for certificates (where version
was an incrementing counter).
Serial number
The serialNumber is used like in [RFC5280].
Signature
For security reasons, SCION uses a custom list of acceptable algorithms. The list currently contains only the ECDSA signature algorithm (defined in [X962]).
The OIDs for ECDSA are defined as ecdsa-with-SHA256,
ecdsa-with-SHA384, and ecdsa-with-SHA512 in [RFC5758]. We include them
here:
sigAlg-ecdsa-SHA256 ALGORITHM ::= { OID ecdsa-with-SHA256 }
sigAlg-ecdsa-SHA384 ALGORITHM ::= { OID ecdsa-with-SHA384 }
sigAlg-ecdsa-SHA512 ALGORITHM ::= { OID ecdsa-with-SHA512 }
ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 }
The only accepted curves for ECDSA are:
NIST P-256 ([NISTFIPS186-4], section D.1.2.3) (named
secp256r1in [RFC5480])NIST P-384 ([NISTFIPS186-4], section D.1.2.4) (named
secp384r1in [RFC5480])NIST P-521 ([NISTFIPS186-4], section D.1.2.5) (named
secp521r1in [RFC5480])
The OIDs for the above curves are:
secp256r1 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
prime(1) 7 }
secp384r1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) curve(0) 34 }
secp521r1 OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) curve(0) 35 }
If an ECDSA key is used to produce a signature, the appropriate hash size should be used:
If the signing key is P-256, the signature should use ECDSA with with SHA-256
If the signing key is P-384, the signature should use ECDSA with with SHA-384
If the signing key is P-521, the signature should use ECDSA with with SHA-512
Implementations MUST include support for P-256, P-384, and P-521.
Note that the list might be extended in the future. SCION implementations must reject cryptographic algorithms not found on the list. This document currently serves as the list of accepted cryptographic algorithms.
For convenience, the AlgorithmIdentifier definition is included below:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
As defined in [RFC8410], the parameters field must be absent. If the
AlgorithmIdentifier is not the above, SCION implementations must error out.
Issuer
issuer contains the distinguished name (DN) of the CA that created the
certificate. The issuer field must be non-empty.
The syntax for Name is defined in [X501] (10/2016), clause 9.2. For
reference, it is:
Name ::= CHOICE {
rdnSequence RDNSequence
}
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY -- DEFINED BY AttributeType
Generally, the type will be a DirectoryString type, outlined below:
DirectoryString ::= CHOICE {
teletexStrings TeletexString (SIZE (1..MAX)),
printableString PrintableString (SIZE (1..MAX)),
universalString UniversalString (SIZE (1..MAX)),
utf8String UTF8String (SIZE (1..MAX)),
bmpString BMPString (SIZE (1..MAX)),
}
SCION implementation must support the following standard attribute types:
country
organization
organizational unit
distinguished name qualifier
state or province name
common name
serial number
ISD-AS number
Other than ISD-AS number, all the above attributes are defined in [RFC5280]
as an added restriction when compared to the RFC, SCION implementations must use
the UTF8String value type.
The ISD-AS number attribute is used to identify the SCION ISD and AS. The
attribute type is id-at-ia, defined as:
id-at-ia AttributeType ::= {id-ana id-cppki(1) id-at(2) 1}
The type of the attribute value for the ISD-AS number is a UTF8String.
The string representation MUST follow the canonical formatting defined in ISD and AS numbering.
The canonical string representation of the ISD-AS number uses a --separator
between the ISD and AS numbers.
The ISD numbers are formatted as decimal.
The canonical string formatting of AS numbers in the BGP AS range (
\(0 - 2^{32}-1\)) is the decimal form.
For larger AS numbers, it uses a 16-bit :-separated lower-case hex encoding
with leading 0’s omitted: 1:0:0 to ffff:ffff:ffff.
For example, AS ff00:0:110 in ISD 1 is formatted as 1-ff00:0:110.
The ISD-AS number must be present exactly once in all SCION CP certificates. Implementations must not create nor successfully verify certificates that do not include the ISD-AS number, or include it more than once.
SCION implementations may support other attributes.
Validity
The validity field is defined as in [RFC5280], Section 4.1.2.5.
In addition to the definition, the following constraints apply to SCION CP certificates:
All certificates must have a well-defined expiration date. SCION CP certificates that specify that they do not have a well-defined expiration date (by using the 99991231235959Z Generalized Time value) are not valid. SCION implementations must not create such certificates, and verifiers must error out when encountering such a certificate.
The validity period of a certificate (defined as the duration between
notBeforeandnotAfter) must be under a specific value. The exact value is listed in the sections detailing each certificate type.
Subject
The subject field describes the entity that owns the certificate. It is
defined in the same way as the issuer field (see Issuer). All SCION
CP certificates MUST have the subject field defined (with the same
requirements as the issuer field).
Subject public key info
Field subjectPublicKeyInfo is used to carry the public key of the subject
and identify which algorithm should be used with the key. The SCION constraints
in section Signature still apply: the key must be a valid key
for the selected curve, and the algorithm must be sigAlg-ecdsa.
Extensions
This section includes only extensions that SCION relies on. For each extension, the way the Anapaya implementation deals with the extension is also listed.
Anapaya software does not implement extensions other than those listed in this document.
Subject key identifier extension
This extension is defined in [X509] (10/2016), clause 9.2.2.2.
The subject key identifier extension identifies the public key being certified. It allows for overlapping CP CA keys, for example during updates.
subjectKeyIdentifier EXTENSION ::= {
SYNTAX SubjectKeyIdentifier
IDENTIFIED BY id-ce-subjectKeyIdentifier
}
SubjectKeyIdentifier ::= KeyIdentifier
Anapaya implementation. The current Anapaya implementation supports this extension (this can be used by control-plane messages to identify which certificate to use for verification).
This extension must always be non-critical. However, SCION implementations must error out if it is not present.
Key usage extension
This extension is defined in [X509] (10/2016), clause 9.2.2.3.
The key usage extension dictates how the public key within a certificate may be used. The ASN.1 definition is as follows:
keyUsage EXTENSION ::= {
SYNTAX KeyUsage
IDENTIFIED BY id-ce-keyUsage
}
KeyUsage ::= BIT STRING {
digitalSignature (0),
contentCommitment (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8),
}
Each key usage attribute has the following semantics in SCION:
digitalSignature: the key can be used to sign control-plane payloadscontentCommitment: not usedkeyEncipherment: not useddataEncipherment: not usedkeyAgreement: not usedkeyCertSign: the key can be used to sign certificatescRLSign: not usedencipherOnly: not useddecipherOnly: not used
Note that whenever a certificate is used for digitalSignature, there needs to
be a way to go back from the signature to the certificate/key that signed it.
This can be easily done by referencing the ISD-AS and Subject Key Identifier.
For more information about the latter, see Subject key identifier extension.
Each control-plane certificate type has different key usage attributes. These are listed in the certificate descriptions below.
When this extension is present, it should be marked as critical.
Extended key usage extension
This extension is defined in [X509], clause 9.2.2.4.
The extended key usage extension adds one or more purposes for which the certified public key may be used.
It is defined as follows:
extKeyUsage EXTENSION ::= {
SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId
IDENTIFIED BY id-ce-extKeyUsage
}
KeyPurposeId ::= OBJECT IDENTIFIER
This extension may be present in SCION certificates. Note that certain CP interactions require it (see the certificate-specific sections below for details).
The following extended key usage defined by [RFC5280], Section 4.2.1.12, are used by SCION:
id-kp-serverAuth: means that the key can be used for SCION CP server authenticationid-kp-clientAuth: means that the key can be used for SCION CP client authentication
Each control-plane certificate type has different extended key usage attributes. These are listed in the certificate descriptions below.
Basic constraints extension
This extension is defined in [X509], clause 9.4.2.1.
The basic constraints extension specifies whether the subject may act as a CA.
The ASN.1 definition is as follows:
basicConstraints EXTENSION ::= {
SYNTAX BasicConstraintsSyntax
IDENTIFIED BY id-ce-basicConstraints
}
BasicConstraintsSyntax ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER(0..MAX) OPTIONAL,
}
Each control-plane certificate has different basic constraints. There are listed in the certificate descriptions below.
CP Root Certificate
CP Root Certificates state which ASes are CA ASes for an ISD.
In X.509 terms, CP Root Certificates are self-signed CA certificates
(issuer and subject are the same entity, and the key within the
certificate was used to sign it). They are owned by CA ASes.
To bootstrap trust for CP Root Certificates, they are embedded in TRCs (see the TRC document for more information about the embedding). This is also how the set of ASes that can issue certificates for an ISD is defined.
All constraints in General certificate requirements apply to CP Root Certificates.
The recommended maximum validity period of a CP Root certificate is 1 year.
Extension constraints
Key usage. The keyCertSign attributes must be set. The
digitalSignature attribute must not be set, as in the context of SCION this
has the semantics of allowed to sign control-plane messages.
Extended key usage. This extension must present. The id-kp-serverAuth
and id-kp-clientAuth purposes must not be set. The id-kp-root and
id-kp-timeStamping purpose must be set.
id-kp-root AttributeType ::= {id-ana id-cppki(1) id-kp(3) 3}
Basic constraints. The extension must be present, with the cA component
set to TRUE. The pathLenConstraint value should be set to 1. Note that
X.509 requires that this be marked as critical.
CP CA Certificate
CP CA Certificates are used by CA ASes for signing CP AS Certificates.
In X.509 terms, CP CA Certificates are self-issued CA certificates
(issuer and subject are the same entity). They are owned by CA ASes.
CP CA Certificates are signed by CP Root Certificates.
The recommended maximum validity period of a CP CA certificate is 1 week.
Extension constraints
Key usage. The keyCertSign attributes must be set. The
digitalSignature attribute must not be set, as in the context of SCION this
has the semantics of allowed to sign control-plane messages.
Extended key usage. This extension may be present. If it is present, the
id-kp-serverAuth and id-kp-clientAuth purposes must not be present.
Basic constraints. The extension must be present, with the cA component
set to TRUE. The pathLenConstraint value should be set to 0. This means
that the subject can only issue end-entity certificates. Note that X.509
requires that this be marked as critical.
CP AS Certificate
CP AS Certificates are used by SCION ASes to sign control-plane messages.
In X.509 terms, CP AS Certificates are end-entity certificates.
The recommended maximum validity period of a CP AS certificate is 3 days.
Extension constraints
Key usage. The digitalSignature attribute must be set.
The keyCertSign attribute must not be set.
Extended key usage. This extension must be present. id-kp-timeStamping
must be set. If used on the server-side of CP TLS session establishment,
id-kp-serverAuth must be set. If used on the client-side of a CP TLS session
establishment, id-kp-clientAuth must be set.
Basic constraints. The extension should not be included.