| Internet-Draft | ACME JWTClaimConstraints Auth Token | June 2026 |
| Wendt & Hancock | Expires 1 January 2027 | [Page] |
This document defines an authority token profile for the validation of JWTClaimConstraints and EnhancedJWTClaimConstraints certificate extensions within the Automated Certificate Management Environment (ACME) protocol. This profile is based on the Authority Token framework and establishes the specific ACME identifier type, challenge mechanism, and token format necessary to authorize a client to request a certificate containing these constraints.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 1 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The validation of certificate extensions that constrain the use of a certificate's credentials, such as the JWTClaimConstraints extension defined in [RFC8226] and the EnhancedJWTClaimConstraints extension defined in [RFC9118], is critical for defining the scope of an issued certificate. This document specifies an authority token profile for validating these constraints, modeled after the authority token framework established in [RFC9447] and the TNAuthList validation defined in [RFC9448].¶
This profile facilitates proper delegation and authorization for entities requesting certificates under ACME and similar frameworks. It defines the use of the JWTClaimConstraints Authority Token in the ACME challenge to prove an authoritative or trusted use of the contents of the JWTClaimConstraints and EnhancedJWTClaimConstraints extensions based on the issuer of the token.¶
This document is intended for use by Secure Telephone Identity (STI) Certification Authorities. In this ecosystem, certificates contain telephone-number-related (TNAuthList) extensions and JWTClaimConstraints extensions defined in [RFC8226] and [RFC9118], and certificate issuance is governed by a set of STI-specific Token Authorities. The TNAuthList Authority Token profile ([RFC9448]) is the parallel specification for telephone number authorization in this ecosystem and is already widely deployed. This document follows the same pattern to address authorization of the JWTClaimConstraints and EnhancedJWTClaimConstraints extensions. ACME implementers unfamiliar with the STIR ecosystem can treat the validation of the JWTClaimConstraints token value as a domain-specific authorization step analogous to TNAuthList validation: the ACME wire protocol mechanics are identical, and the Token Authority is responsible for the domain-specific semantic validation described in [RFC8226] and [RFC9118].¶
This document also discusses the ability for an authority to authorize the creation of CA types of certificates for delegation as defined in [RFC9060].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
In [RFC8555], Section 7 defines the procedure that an ACME client uses to order a new certificate from a Certification Authority (CA). This draft defines a new type of identifier object called JWTClaimConstraints. A JWTClaimConstraints identifier contains the Token Claim Constraints information to be populated in the JWTClaimConstraints or EnhancedJWTClaimConstraints of the new certificate.¶
For the JWTClaimConstraints identifier, the new-order request includes a type set to the string "JWTClaimConstraints". The value of the JWTClaimConstraints identifier MUST be set to the details of the JWTClaimConstraints or EnhancedJWTClaimConstraints extension requested.¶
The format of the string that represents the JWTClaimConstraints MUST be constructed using base64url encoding, as per [RFC8555] base64url encoding described in Section 5 of [RFC4648] according to the profile specified in JSON Web Signature in Section 2 of [RFC7515]. The base64url encoding MUST NOT include any padding characters and the JWTClaimConstraints ASN.1 object MUST be encoded using DER encoding rules. DER (the canonical subset of BER) and unpadded base64url together uniquely determine the octet sequence for a given JWTClaimConstraints or EnhancedJWTClaimConstraints ASN.1 value. The same canonical encoding is used as the "tkvalue" string in the "atc" claim of the corresponding Authority Token, so that the value carried in the new-order identifier and the value carried in the token are octet-by-octet identical and can be compared as described in Section 6, step 5.¶
An example of an ACME order object "identifiers" field containing a JWTClaimConstraints certificate:¶
"identifiers": [{"type":"JWTClaimConstraints",
"value":"F83n2a...avn27DN3"}]
¶
where the "value" object string represents the arbitrary length base64url encoded string.¶
A full new-order request would look as follows,¶
POST /acme/new-order HTTP/1.1
Host: example.com
Content-Type: application/jose+json
{
"protected": base64url({
"alg": "ES256",
"kid": "https://example.com/acme/acct/evOfKhNU60wg",
"nonce": "5XJ1L3lEkMG7tR6pA00clA",
"url": "https://example.com/acme/new-order"
}),
"payload": base64url({
"identifiers": [{"type":"JWTClaimConstraints",
"value":"F83n...n27DN3"}],
"notBefore": "2025-01-01T00:00:00Z",
"notAfter": "2025-01-08T00:00:00Z"
}),
"signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
}
¶
On receiving a valid new-order request, the ACME server creates an authorization object, [RFC8555] Section 7.1.4, containing the challenge that the ACME client must satisfy to demonstrate authority for the identifiers specified by the new order (in this case, the JWTClaimConstraints identifier). The CA adds the authorization object URL to the "authorizations" field of the order object, and returns the order object to the ACME client in the body of a 201 (Created) response.¶
HTTP/1.1 201 Created
Content-Type: application/json
Replay-Nonce: MYAuvOpaoIiywTezizk5vw
Location: https://example.com/acme/order/1234
{
"status": "pending",
"expires": "2025-01-08T00:00:00Z",
"notBefore": "2025-01-01T00:00:00Z",
"notAfter": "2025-01-08T00:00:00Z",
"identifiers": [
{"type": "JWTClaimConstraints",
"value": "F83n2a...avn27DN3"}
],
"authorizations": [
"https://example.com/acme/authz/1234"
],
"finalize": "https://example.com/acme/order/1234/finalize"
}
¶
Upon receiving a response to the challenge, the ACME server MUST perform the following steps to determine the validity of the response. Steps 1 through 3 and steps 6 through 8 are general ACME authority token validation steps applicable to any Authority Token profile. Steps 4 and 5 are specific to the JWTClaimConstraints profile. The semantic validation of whether the JWTClaimConstraints or EnhancedJWTClaimConstraints content accurately reflects the requesting party's authorized resources is the responsibility of the Token Authority prior to issuing the token (see Section 5.3), and is governed by [RFC8226] and [RFC9118].¶
Verify that the value of the "atc" claim is a well-formed JSON object containing the mandatory key values ("tktype", "tkvalue", "fingerprint").¶
Verify Token Issuer: If there is an "x5u" parameter, verify the "x5u" parameter is an HTTPS URL with a reference to a certificate representing the trusted issuer of authority tokens. If there is an "x5c" parameter, verify the certificate array contains a certificate representing the trusted issuer of authority tokens.¶
Verify Signature: Verify the JWTClaimConstraints Authority Token signature using the public key of the certificate referenced by the token's "x5u" or "x5c" parameter.¶
Verify Token Type: Verify that the "atc" claim contains a "tktype" identifier with the value "JWTClaimConstraints".¶
Verify Constraints Match: Verify that the value of the "atc" claim "tkvalue" is octet-by-octet identical to the "value" of the JWTClaimConstraints identifier in the original new-order request. Both values are the canonical encoding defined in Section 3: the base64url encoding (without padding) of the DER encoding of a JWTClaimConstraints or EnhancedJWTClaimConstraints ASN.1 object. The ACME server MUST perform this verification as a direct octet-by-octet comparison of the two base64url strings, and MUST NOT decode, re-encode, canonicalize, normalize, or otherwise transform either value before comparison. If either value contains characters outside the base64url alphabet defined in Section 5 of [RFC4648], contains padding characters ("="), or differs from the other in any octet, this step MUST fail. See Section 8 for discussion of identifier comparison considerations.¶
Verify Claims: Verify that the remaining claims are valid (e.g., verify that the token has not expired using the "exp" claim).¶
Verify Account Control: Verify that the "atc" claim "fingerprint" is valid and matches the account key of the client making the request.¶
Verify CA Flag: Verify that the "atc" claim "ca" identifier boolean corresponds to the CA boolean in the Basic Constraints extension in the Certificate Signing Request (CSR) for either a CA certificate or an end-entity certificate.¶
If all steps in the token validation process pass, then the ACME server MUST set the challenge object "status" to "valid". If any step of the validation process fails, the "status" in the challenge object MUST be set to "invalid".¶
JSON Web Signature (JWS) objects can include an "x5u" header parameter to refer to a certificate for signature validation. In order to support this usage, the Certificate Authority (CA) MAY host the newly issued certificate and provide a URL that the ACME client owner can directly reference in the "x5u" header parameter of their signed JWS objects.¶
To facilitate this, the CA MAY add a newly defined field called "x5u" to the 200 (OK) order object response when the certificate is ready for the finalize request:¶
x5u (optional, string): A URL that can be used to reference the certificate in the "x5u" parameter of a JWS object.¶
An example of a 200 (OK) response containing the new "x5u" field:¶
HTTP/1.1 200 OK
Content-Type: application/json
Replay-Nonce: CGf81JWBsq8QyIgPCi9Q9X
Link: <https://example.com/acme/directory>;rel="index"
Location: https://example.com/acme/order/TOlocE8rfgo
{
"status": "valid",
"expires": "2016-01-20T14:09:07.99Z",
"notBefore": "2016-01-01T00:00:00Z",
"notAfter": "2016-01-08T00:00:00Z",
"identifiers": [
"type": "JWTClaimConstraints",
"value": "F83n2a...avn27DN3"
],
"authorizations": ["https://example.com/acme/authz/1234"],
"finalize": "https://example.com/acme/order/TOlocE8rfgo/finalize",
"certificate": "https://example.com/acme/cert/mAt3xBGaobw",
"x5u": "https://example.com/cert-repo/giJI53km23.pem"
}
¶
The token represented by this document has the credentials to represent JWTClaimConstraints and EnhancedJWTClaimConstraints, which constrain the resources and claims a certificate holder can assert. The creation, transport, and any storage of this token MUST follow the strictest of security best practices, beyond the recommendations of the use of encrypted transport protocols in this document, to protect it from getting in the hands of bad actors with illegitimate intent to impersonate or misuse the constrained resources.¶
This document inherits the security properties of [RFC9447]. Implementations SHOULD follow the best practices identified in [RFC8725] for cryptographic security.¶
This document only specifies SHA256 for the fingerprint hash. However, the syntax of the fingerprint object would permit other algorithms if, due to concerns about algorithmic agility, a more robust algorithm were required at a future time. Future specifications CAN define new algorithms for the fingerprint object as needed.¶
The "value" field of the JWTClaimConstraints identifier and the "tkvalue" string in the "atc" claim are opaque identifiers from the ACME server's perspective. [RFC6943] describes a class of vulnerabilities that arises when implementations apply ad hoc normalization, decoding, or "equivalence" judgments to identifier values during comparison: differences between what an implementation considers equivalent and what an attacker can produce can be turned into authorization bypasses. To eliminate this class of vulnerability for this profile, this document requires that both values be produced in a single canonical form (DER under unpadded base64url, as specified in Section 3) and that the ACME server's comparison in Section 6, step 5, be a direct octet-by-octet comparison with no intervening transformation. Implementations MUST NOT be permissive about variations such as padded base64url, alternate base64url alphabets, BER encodings that are not also valid DER, embedded whitespace, or differences in canonical ordering inside ASN.1 SET constructs (DER fixes the ordering). Any deviation from the canonical form yields a different identifier value, and the validation step MUST fail.¶
Implementations SHOULD perform the octet-by-octet comparison in constant time. While the values compared in this profile are not themselves secret, constant-time comparison removes a class of timing side channels that have caused issues in other identifier-comparison contexts.¶
This document requests the addition of a new identifier object type to the "ACME Identifier Types" registry defined in Section 9.7.7 of [RFC8555].¶
+---------------------+-----------+ | Label | Reference | +---------------------+-----------+ | JWTClaimConstraints | RFCThis | +---------------------+-----------+¶
We would like to thank ACME and STIR working groups for valuable contributions to the authority token framework used in this document.¶
This appendix provides informative examples of JWTClaimConstraints and EnhancedJWTClaimConstraints ASN.1 structures as defined in [RFC8226] and [RFC9118], along with their DER encodings and base64url values as used in the ACME identifier "value" field and the "tkvalue" of the "atc" claim. These examples are intended for implementers of STI Token Authorities and certificate requestors in the STIR/SHAKEN ecosystem. ACME server implementations treat the identifier value as opaque and are not required to parse or validate its internal structure.¶
Note: single-quote delimiters in the ASN.1 notation below denote string values; inner double quotes are part of the JSON-formatted claim values as defined in [RFC8226].¶
The following substantive changes were made between -01 and -02:¶
Section 6, step 5 ("Verify Constraints Match") was rewritten to require octet-by-octet comparison of the canonically-encoded values, with an explicit prohibition on decoding, re-encoding, canonicalization, or other normalization before comparison. Explicit failure conditions were added for non-canonical inputs (characters outside the base64url alphabet, padding characters, or any octet difference). This change addresses the considerations of [RFC6943].¶
A clarifying sentence was added to Section 3 making the producer-side canonical-encoding contract explicit (DER under unpadded base64url uniquely determines the octet sequence) and previewing the verifier's comparison rule in Section 6.¶
A new "Identifier Comparison Considerations" subsection was added to Section 8, citing [RFC6943], enumerating the specific encoding variations that implementations must not treat as equivalent, and recommending constant-time comparison.¶
The forward-reference sentence in the multi-token subsection was aligned with the new octet-by-octet language.¶