<?xml version='1.0' encoding='utf-8'?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-lamps-keyusage-crl-validation-latest" category="std" consensus="true" submissionType="IETF" xml:lang="en" number="10007" updates="5280" tocInclude="true" sortRefs="true" symRefs="true" version="3">

  <link href="https://datatracker.ietf.org/doc/draft-ietf-lamps-keyusage-crl-validation-latest" rel="prev"/>
  <front>
    <title abbrev="CRL Validation Clarification">Clarification to Processing Key Usage Values During Certificate Revocation List (CRL) Validation</title>
    <seriesInfo name="RFC" value="10007"/>
    <author fullname="Corey Bonnell">
      <organization>DigiCert, Inc.</organization>
      <address>
        <email>corey.bonnell@digicert.com</email>
      </address>
    </author>
    <author fullname="伊藤 忠彦" asciiFullname="Tadahiko Ito">
      <organization ascii="SECOM CO., LTD.">セコム株式会社</organization>
      <address>
        <email>tadahiko.ito.public@gmail.com</email>
      </address>
    </author>
    <author fullname="大久保 智史" asciiFullname="Tomofumi Okubo">
      <organization>Penguin Securities Pte. Ltd.</organization>
      <address>
        <email>tomofumi.okubo+ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="June"/>
    <area>SEC</area>
    <workgroup>lamps</workgroup>
    <keyword>Public Key Infrastructure</keyword>
    <keyword>Certificate validation</keyword>
    <keyword>Security</keyword>
    <abstract>

<t>RFC 5280 defines the profile of X.509 certificates and Certificate Revocation Lists (CRLs) for use in the Internet. Section 4.2.1.3 of RFC 5280 requires CRL issuer certificates to contain the <tt>keyUsage</tt>
extension with the <tt>cRLSign</tt> bit asserted. However, the CRL validation
algorithm specified in Section 6.3 of RFC 5280 does not explicitly
include a corresponding check for the presence of the <tt>keyUsage</tt>
certificate extension. This document updates RFC 5280 to require
that check.</t>
    </abstract>
  </front>
  <middle>
<section anchor="introduction">
      <name>Introduction</name>
      <t><xref target="RFC5280"/> defines the profile of X.509 certificates and certificate
revocation lists (CRLs) for use in the Internet. <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/> requires CRL issuer certificates to contain the <tt>keyUsage</tt>
extension with the <tt>cRLSign</tt> bit asserted. However, the CRL validation
algorithm specified in <xref section="6.3" sectionFormat="of" target="RFC5280"/> does not explicitly
include a corresponding check for the presence of the <tt>keyUsage</tt>
certificate extension. This document updates <xref target="RFC5280"/> to require
that check.</t>
      <t><xref target="the-issue"/> describes the security concern that motivates this update.</t>
      <t><xref target="crl-validation-algo-amendment"/> updates the CRL validation algorithm (<xref section="6.3" sectionFormat="of" target="RFC5280"/>)
to resolve this concern.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
</section>
    <section anchor="the-issue">
      <name>The Risk of Trusting CRLs Signed with Non-Certified Keys</name>
      <t>In some Public Key Infrastructures, entities are delegated by
Certification Authorities (CAs) to sign CRLs. CRLs whose scope encompasses
certificates that have not been signed by the CRL issuer are known as
"indirect CRLs".</t>
      <t>Applications that consume CRLs follow the validation algorithm as
specified in <xref section="6.3" sectionFormat="of" target="RFC5280"/>. In particular, <xref section="6.3.3" sectionFormat="of" target="RFC5280"/>
contains the following step for CRL validation:</t>
      <blockquote>
        <t>(f) Obtain and validate the certification path for the issuer of
      the complete CRL.  The trust anchor for the certification
      path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
      the target certificate.  If a key usage extension is present
      in the CRL issuer's certificate, verify that the cRLSign bit
      is set.</t>
      </blockquote>
      <t>This step does not explicitly specify a check for the presence of the
<tt>keyUsage</tt> extension itself.</t>
      <t>Similarly, the certificate profile in <xref section="4" sectionFormat="of" target="RFC5280"/> does not require
the inclusion of the <tt>keyUsage</tt> extension in a certificate if the
certified public key is not used for verifying the signatures of other
certificates or CRLs.</t>
      <t>CAs can delegate the issuance of CRLs
to other entities by issuing to the entity a certificate that asserts
the <tt>cRLSign</tt> bit in the <tt>keyUsage</tt> extension. The CA
will then sign certificates that fall within the scope of the
indirect CRL by including the <tt>crlDistributionPoints</tt> extension (<xref section="4.2.1.13" sectionFormat="of" target="RFC5280"/>) and
specifying the distinguished name (DN) of the CRL issuer in the
<tt>cRLIssuer</tt> field of the corresponding distribution point.</t>
      <t>The CRL issuer signs CRLs that assert the <tt>indirectCRL</tt> boolean within
the <tt>issuingDistributionPoint</tt> extension.</t>
      <t>The allowance for the issuance of certificates without the <tt>keyUsage</tt>
extension and the lack of a check for the inclusion of the <tt>keyUsage</tt>
extension during CRL verification can manifest in a security issue. A
concrete example is described below:</t>
      <ol spacing="normal" type="1"><li>
          <t>The CA signs an end-entity CRL issuer
certificate to subject <tt>X</tt> that certifies key <tt>A</tt> for signing CRLs by
explicitly including the <tt>keyUsage</tt> extension and asserting the
<tt>cRLSign</tt> bit in accordance with <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/>.</t>
        </li>
        <li>
          <t>The CA signs one or more certificates that
include the <tt>crlDistributionPoints</tt> extension with the DN for subject
<tt>X</tt> included in the <tt>cRLIssuer</tt> field. This indicates that the
CRL-based revocation information for these certificates will be
provided by subject <tt>X</tt>.</t>
        </li>
        <li>
          <t>The CA signs an end-entity certificate to
subject <tt>X</tt> that certifies key <tt>B</tt>. This certificate contains no key
usage extension, as the certified key is not intended to be used for
signing CRLs and could be a "mundane" certificate of any type (e.g.,
S/MIME, a document signing certificate where the corresponding private
key is stored on the file system of the secretary's laptop, etc.).</t>
        </li>
        <li>
          <t>Subject <tt>X</tt> signs a CRL using key <tt>B</tt> and publishes the CRL at the
<tt>distributionPoint</tt> field specified in the <tt>crlDistributionPoints</tt>
extension of the certificates signed in step 2.</t>
        </li>
        <li>
          <t>Relying parties download the CRL published in step 4. The CRL
validates successfully according to <xref section="6.3.3" sectionFormat="of" target="RFC5280"/>,
as the CRL issuer DN matches, and the check for the presence of the
<tt>cRLSign</tt> bit in the <tt>keyUsage</tt> extension is skipped because the
<tt>keyUsage</tt> extension is absent.</t>
        </li>
      </ol>
    </section>
    <section anchor="crl-validation-algo-amendment">
      <name>Checking the Presence of the <tt>keyUsage</tt> Extension</name>
      <t>To remediate the security issue described in <xref target="the-issue"/>, this
document specifies the following amendment to step (f) of the CRL
algorithm as specified in <xref section="6.3.3" sectionFormat="of" target="RFC5280"/>.</t>
      <t><em>OLD:</em></t>
      <blockquote>
        <t>(f) Obtain and validate the certification path for the issuer of
    the complete CRL.  The trust anchor for the certification
    path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
    the target certificate.  If a key usage extension is present
    in the CRL issuer's certificate, verify that the cRLSign bit
    is set.</t>
      </blockquote>
      <t><em>NEW:</em></t>
      <blockquote>
        <t>(f) Obtain and validate the certification path for the issuer of
    the complete CRL.  The trust anchor for the certification
    path <bcp14>MUST</bcp14> be the same as the trust anchor used to validate
    the target certificate.  If the version of the CRL issuer's
    certificate is version 3 (v3), then verify that the key usage
    extension is present and verify that the cRLSign bit is set.</t>
      </blockquote>
      <t>This change ensures that the CRL issuer's key is certified for
CRL signing. However, this check is not performed if the CRL
issuer's key is certified using a version 1 (v1) or version 2 (v2) X.509
certificate, as these versions do not have an <tt>extensions</tt> field where
the key usage extension can be included.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>If a CA has signed certificates to be used for
CRL verification but do not include the <tt>keyUsage</tt> extension in
accordance with <xref section="4.2.1.3" sectionFormat="of" target="RFC5280"/>, then relying party
applications that have implemented the modified verification algorithm
as specified in this document will be unable to verify CRLs signed by
the CRL issuer in question.</t>
      <t>It is <bcp14>RECOMMENDED</bcp14> that CAs include the
<tt>keyUsage</tt> extension in certificates to be used for CRL verification to
ensure that there are no interoperability issues where updated
applications are unable to verify CRLs.</t>
      <t>If it is not possible to update the profile of CRL issuer certificates,
then the policy management authority of the affected Public Key
Infrastructure <bcp14>SHOULD</bcp14> update the subject naming requirements to ensure
that certificates to be used for different purposes contain unique DNs.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
      <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
    </references>
<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors would like to thank the participants on the LAMPS Working Group mailing list for their insightful feedback and comments. In particular, the authors extend sincere appreciation to <contact fullname="Carl Wallace"/>, <contact fullname="David Hook"/>, <contact fullname="Deb Cooley"/>, <contact fullname="John Gray"/>, <contact fullname="Michael StJohns"/>, <contact fullname="Mike Ounsworth"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Russ Housley"/>, <contact fullname="Serge Mister"/>, and <contact fullname="Tomas Gustavsson"/> for their reviews and suggestions, which greatly improved the quality of this document.</t>
    </section>
  </back>
</rfc>
