rfc9447xml2.original.xml   rfc9447.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- <!DOCTYPE rfc [
vim:et:ts=2:sw=2:spell:spelllang=en:tw=80 <!ENTITY nbsp "&#160;">
<!-- This template is for creating an Internet Draft using xml2rfc, <!ENTITY zwsp "&#8203;">
which is available here: http://xml.resource.org. --> <!ENTITY nbhy "&#8209;">
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ <!ENTITY wj "&#8288;">
<!ENTITY I-D.ietf-acme-authority-token-tnauthlist SYSTEM "http://xml.resource.or
g/public/rfc/bibxml3/reference.I-D.ietf-acme-authority-token-tnauthlist.xml">
<!ENTITY I-D.ietf-acme-star SYSTEM "http://xml.resource.org/public/rfc/bibxml3/r
eference.I-D.ietf-acme-star.xml">
<!ENTITY I-D.ietf-acme-telephone SYSTEM "http://xml.resource.org/public/rfc/bibx
ml3/reference.I-D.ietf-acme-telephone.xml">
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
<!ENTITY RFC7515 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7515.xml">
<!ENTITY RFC7519 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7519.xml">
<!ENTITY RFC7231 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7231.xml">
<!ENTITY RFC8226 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8226.xml">
<!ENTITY RFC8396 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8396.xml">
<!ENTITY RFC8555 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8555.xml">
<!ENTITY RFC8725 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8725.xml">
<!ENTITY RFC3986 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.3986.xml">
<!ENTITY RFC4648 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4648.xml">
<!ENTITY RFC9115 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.9115.xml">
]> ]>
<!--?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?-->
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<!--?rfc strict="yes" ?-->
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="no" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-acme-authority-token-09"
ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902
,
or pre5378Trust200902
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category=" std" consensus="true" docName="draft-ietf-acme-authority-token-09" number="9447" ipr="trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDe pth="4" symRefs="true" sortRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.16.0 -->
<front> <front>
<!-- The abbreviated title is used in the page header - it is only necessary <title abbrev="ACME Authority Token">Automated Certificate Management
if the Environment (ACME) Challenges Using an Authority Token</title>
full title is longer than 39 characters --> <seriesInfo name="RFC" value="9447"/>
<author initials="J." surname="Peterson" fullname="Jon Peterson">
<title abbrev="ACME Authority Token">ACME Challenges Using an Authority Toke <organization abbrev="Neustar">Neustar, Inc.</organization>
n</title> <address>
<email>jon.peterson@team.neustar</email>
<author initials="J." surname="Peterson" fullname="Jon Peterson"> </address>
<organization abbrev="Neustar">Neustar, Inc.</organization> </author>
<address> <author fullname="Mary Barnes" initials="M." surname="Barnes">
<email>jon.peterson@team.neustar</email>
</address>
</author>
<author fullname="Mary Barnes" initials="M." surname=
"Barnes">
<organization abbrev="Neustar">Neustar, Inc.</organization> <organization abbrev="Neustar">Neustar, Inc.</organization>
<address> <address>
<email>mary.ietf.barnes@gmail.com</email> <email>mary.ietf.barnes@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="David Hancock" initials="D." surname="Hancock">
<author fullname="David Hancock" initials="D." surname="Hancock"> <organization>Somos</organization>
<organization>Comcast</organization>
<address> <address>
<email>davidhancock.ietf@gmail.com</email> <email>davidhancock.ietf@gmail.com</email>
</address> </address>
</author> </author>
<author fullname="Chris Wendt" initials="C." surname="Wendt">
<author fullname="Chris Wendt" initials="C." surname="Wendt">
<organization>Somos</organization> <organization>Somos</organization>
<address> <address>
<email>chris-ietf@chriswendt.net</email> <email>chris-ietf@chriswendt.net</email>
</address> </address>
</author> </author>
<date year="2023" month="September"/>
<date year="2022" /> <area>sec</area>
<workgroup>acme</workgroup>
<!-- <area>
Security
</area>-->
<keyword>ACME</keyword> <keyword>ACME</keyword>
<abstract> <abstract>
<t> <t>
Some proposed extensions to the Automated Certificate Management Enviro nment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token Some proposed extensions to the Automated Certificate Management Enviro nment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token
according to a particular policy. This document specifies a generic Aut hority Token challenge for ACME which supports subtype claims for different iden tifiers or namespaces according to a particular policy. This document specifies a generic Aut hority Token Challenge for ACME that supports subtype claims for different ident ifiers or namespaces
that can be defined separately for specific applications. that can be defined separately for specific applications.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section title="Introduction"> <section numbered="true" toc="default">
<t> <name>Introduction</name>
<xref target="RFC8555">ACME</xref> is a mechanism for automating certific <t>
ate management on the Internet. It enables administrative entities to prove effe <xref target="RFC8555" format="default">ACME</xref> is a mechanism for au
ctive control over tomating certificate management on the Internet. It enables administrative entit
resources like domain names, and automates the process of issuing certifi ies to prove effective control over
cates that attest control or ownership of those resources. resources, like domain names, and automates the process of issuing certif
</t><t> icates that attest control or ownership of those resources.
In some cases, proving effective control over an identifier requires an a </t>
ttestation from a third party who has authority over the resource, for example, <t>
an external policy administrator for a namespace other than the DNS application In some cases, proving effective control over an identifier requires an a
ACME was originally designed to support. In order to automate the process of iss ttestation from a third party who has authority over the resource, for example,
uing certificates for those resources, this specification defines a generic Auth an external policy administrator for a namespace other than the DNS application
ority Token challenge that ACME servers can ACME was originally designed to support. In order to automate the process of iss
uing certificates for those resources, this specification defines a generic Auth
ority Token Challenge that ACME servers can
issue in order to require clients to return an Authority Token that autho rizes a given issuance. The challenge contains a type indication that tells the client what sort of token it needs to acquire. issue in order to require clients to return an Authority Token that autho rizes a given issuance. The challenge contains a type indication that tells the client what sort of token it needs to acquire.
It is expected that the Authority Token challenge will be usable for a va It is expected that the Authority Token Challenge will be usable for a va
riety of identifier types. riety of identifier types.
In particular, this document describes an architecture for Authority Toke In particular, this document describes an architecture for Authority Toke
ns, defines a JSON Web Token (JWT, <xref target="RFC7519"/>) Authority Token for ns, defines a JSON Web Token (JWT) <xref target="RFC7519" format="default"/> Aut
mat along with a protocol for token acquisition, and shows how to integrate thes hority Token format along with a protocol for token acquisition, and shows how t
e tokens into an ACME challenge. o integrate these tokens into an ACME challenge.
</t><t> </t>
As a concrete example, <xref target="I-D.ietf-acme-authority-token-tnauth <t>
list"/> provides a mechanism that allows service providers to acquire certificat As a concrete example, <xref target="RFC9448" format="default"/> provides
es corresponding to a Service Provider Code (SPC) as defined in <xref target="RF a mechanism that allows service providers to acquire certificates corresponding
C8226"/> by consulting an external authority responsible for those codes. Furthe to a Service Provider Code (SPC) as defined in <xref target="RFC8226" format="d
rmore, Communications Service Providers (CSPs) can delegate authority over numbe efault"/> by consulting an external authority responsible for those codes. Furth
rs to their customers, and those CSPs who support ACME can then help customers t ermore, Communications Service Providers (CSPs) can delegate authority over numb
o acquire certificates for those numbering resources with ACME. This can permit ers to their customers, and those CSPs who support ACME can then help customers
number acquisition flows compatible with those shown in <xref target="RFC8396"/ to acquire certificates for those numbering resources with ACME. This can permi
>. t number acquisition flows compatible with those shown in <xref target="RFC8396"
</t> format="default"/>.
</t>
</section> </section>
<section numbered="true" toc="default">
<section title="Terminology"> <name>Requirements Language</name>
<t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this d IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
ocument NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref targ RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
et="RFC8174"/> when, and only when, they appear in all capitals, as shown here.< "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
/t> be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section> </section>
<section anchor="challenges" numbered="true" toc="default">
<section anchor="challenges" title="ACME Authority Token Challenge"> <name>ACME Authority Token Challenge</name>
<t>
Proving that a device on the Internet has effective control over a non-In
ternet resource is not as straightforward as proving control over an Internet re
sources like a DNS zone or a
web page. Provided that the issuer of identifiers in a namespace, or some
one acting on the issuer's behalf, can implement a service that grants Authority
Tokens to the people to whom it has issued identifiers, a generic token could b
e used as a response to an ACME challenge. This specification, therefore, define
s an Authority Token issued by an authority over a namespace to an ACME client f
or delivery to an ACME server in response to a challenge. Authority over a hiera
rchical namespace can also be delegated, so that delegates of a root authority c
an themselves act as Token Authorities for certain types of names.
</t><t>
This architecture assumes a trust relationship between CAs and Token Auth
orities: that CAs are willing to accept the attestation of Token Authorities for
particular types of identifiers as sufficient proof to issue a credential. It f
urthermore assumes that ACME clients have a relationship with Token Authorities
which permits them to authenticate and authorize the issuance of Authority Token
s to the proper entities. This ACME challenge has no applicability to identifier
s or authorities where those pre-associations cannot be assumed.
</t><t>
The ACME Authority Token Challenge type, "tkauth-01", is here specified f
or use with the "TNAuthList" ACME Identifier Type described in <xref target="I-D
.ietf-acme-authority-token-tnauthlist"/>; in order to use "tkauth-01" Validation
Method with an ACME Identifier type other than "TNAuthList," that identifier ty
pe would need to be listed in a new registration in the ACME Validation Methods
registry maintained by IANA. "tkauth-01" furthermore supports different token su
btypes. The token subtype is determined by a new ACME challenge field, tkauth-ty
pe. An IANA registry is used to manage the values of tkauth-type, see <xref targ
et="IANA-3"/>. Additionally, this challenge type also has a new "token-authority
" field to designate a location where a token can be acquired.
</t>
<section anchor="req" title="Token Type Requirements">
<t> <t>
The IANA will maintain a registry of tkauth-types under a policy of Spe Proving that a device on the Internet has effective control over a non-In
cification Required. In order to register a new tkauth-type, specifications must ternet resource is not as straightforward as proving control over Internet resou
address the following requirements; in cases where a tkauth-type admits of its rces, like a DNS zone or a
own subtypes, subtypes inherit these requirements. web page. Provided that the issuer of identifiers in a namespace, or some
</t><t> one acting on the issuer's behalf, can implement a service that grants Authority
Tokens to the people to whom it has issued identifiers, a generic token could b
e used as a response to an ACME challenge. This specification, therefore, define
s an Authority Token issued by an authority over a namespace to an ACME client f
or delivery to an ACME server in response to a challenge. Authority over a hiera
rchical namespace can also be delegated so that delegates of a root authority ca
n themselves act as Token Authorities for certain types of names.
</t>
<t>
This architecture assumes a trust relationship between certification auth
orities (CAs) and Token Authorities, i.e., that CAs are willing to accept the at
testation of Token Authorities for particular types of identifiers as sufficient
proof to issue a credential. It furthermore assumes that ACME clients have a re
lationship with Token Authorities, which permits them to authenticate and author
ize the issuance of Authority Tokens to the proper entities. This ACME challenge
has no applicability to identifiers or authorities where those pre-associations
cannot be assumed.
</t>
<t>
The ACME Authority Token Challenge type, "tkauth-01", is here specified f
or use with the "TNAuthList" (Telephone Number Authentication List) ACME Identif
ier Type described in <xref target="RFC9448" format="default"/>; in order to use
the "tkauth-01" Validation Method with an ACME Identifier Type other than "TNAu
thList", that identifier type would need to be listed in a new registration in t
he ACME Validation Methods registry maintained by IANA. "tkauth-01" furthermore
supports different token subtypes. The token subtype is determined by a new ACME
challenge field, tkauth-type. An IANA registry is used to manage the values of
tkauth-type (see <xref target="IANA-3" format="default"/>). Additionally, this c
hallenge type also has a new "token-authority" field to designate a location whe
re a token can be acquired.
</t>
<section anchor="req" numbered="true" toc="default">
<name>Token Type Requirements</name>
<t>
IANA will maintain a registry of tkauth-types under a policy of Specifi
cation Required. In order to register a new tkauth-type, specifications must add
ress the following requirements; in cases where a tkauth-type admits of its own
subtypes, subtypes inherit these requirements.
</t>
<t>
While Authority Token types do not need to be specific to a namespace, every token must carry enough information for a CA to determine the name for whi ch certificate issuance is authorized. Some types of Authority Token types might be reusable for a number of different namespaces; others might be specific to a particular type of name. Therefore, While Authority Token types do not need to be specific to a namespace, every token must carry enough information for a CA to determine the name for whi ch certificate issuance is authorized. Some types of Authority Token types might be reusable for a number of different namespaces; others might be specific to a particular type of name. Therefore,
in defining tkauth-types, future specifications must indicate how a tok en conveys to the CA the name(s) that the Token Authority is attesting that the ACME client controls. in defining tkauth-types, future specifications must indicate how a tok en conveys to the CA the name(s) that the Token Authority is attesting that the ACME client controls.
</t><t> </t>
While nothing precludes use cases where an ACME client is itself a Toke <t>
n Authority, an ACME client will typically need a protocol to request and retrie While nothing precludes use cases where an ACME client is itself a Toke
ve an Authority Token. The Token Authority will require certain information from n Authority, an ACME client will typically need a protocol to request and retrie
an ACME client in order to ascertain that it is an authorized entity to request ve an Authority Token. The Token Authority will require certain information from
a certificate for a particular name. The protocols used to request an Authority an ACME client in order to ascertain that it is an authorized entity to request
Token MUST convey to the Token Authority the identifier type and value that wil a certificate for a particular name. The protocols used to request an Authority
l be used in the ACME challenge, as well as the binding (see <xref target="bind" Token <bcp14>MUST</bcp14> convey to the Token Authority the identifier type and
/>), and those MUST be reflected in the Authority Token. A baseline mechanism fo value that will be used in the ACME challenge, as well as the binding (see <xre
r how the Token Authority authenticates and authorizes ACME clients to receive A f target="bind" format="default"/>), and those <bcp14>MUST</bcp14> be reflected
uthority Tokens is given in <xref target="acquire"/>. in the Authority Token. A baseline mechanism for how the Token Authority authent
</t><t> icates and authorizes ACME clients to receive Authority Tokens is given in <xref
Because the assignment of resources can change over time, demonstration target="acquire" format="default"/>.
s of authority must be regularly refreshed. Definitions of a tkauth-type MUST sp </t>
ecify how they manage the freshness of authority assignments. Typically, a CA wi <t>
ll expect a regular refreshing of the token. Because the assignment of resources can change over time, demonstration
</t> s of authority must be regularly refreshed. Definitions of a tkauth-type <bcp14>
</section> MUST</bcp14> specify how they manage the freshness of authority assignments. Typ
<section anchor="scope" title="Authority Token Scope"> ically, a CA will expect a regular refreshing of the token.
<t> </t>
An Authority Token is used to answer a challenge from an ACME server, upo </section>
n a request for the issuance of a certificate. It could be that the Authority To <section anchor="scope" numbered="true" toc="default">
ken is requested from the Token Authority after a challenge has been received, o <name>Authority Token Scope</name>
r it could be that the Authority Token was acquired prior to the initial ACME cl <t>
ient request. A Token Authority could grant to a client an Authority Token that An Authority Token is used to answer a challenge from an ACME server, upo
has the exact same scope as the requested certificate; alternatively, an Authori n a request for the issuance of a certificate. It could be that the Authority To
ty Token could attest to all of the resources that the client is eligible to rec ken is requested from the Token Authority after a challenge has been received, o
eive certificates for, which could be a superset of the scope of the requested c r it could be that the Authority Token was acquired prior to the initial ACME cl
ertificate. ient request. A Token Authority could grant an Authority Token that has the exac
</t><t> t same scope as the requested certificate to a client; alternatively, an Authori
For example, imagine a case where an Authority for DNS names knows that a ty Token could attest to all of the resources that the client is eligible to rec
client is eligible to receive certificates for "example.com" and "example.net". eive certificates for, which could be a superset of the scope of the requested c
The client asks an ACME server for a certificate for "example.com", the server ertificate.
directs the client to acquire an Authority Token from the Token Authority. When </t>
the client sends an acquisition request (see <xref target="acquire"/>) to the To <t>
ken Authority, the Token Authority could issue a token scoped just to "example.c For example, imagine a case where a Token Authority for DNS names knows t
om", or a token that attests the client is eligible to receive certificates for hat a client is eligible to receive certificates for "example.com" and "example.
both "example.com" or "example.net". The advantage of the latter is that if, at net". The client asks an ACME server for a certificate for "example.com", and th
a later time (but one within the expiry of the token), the client wanted to acqu e server directs the client to acquire an Authority Token from the Token Authori
ire a certificate for "example.net", it would not have to return to the Token Au ty. When the client sends an acquisition request (see <xref target="acquire" for
thority, as the Token effectively pre-authorized the issuance of that certificat mat="default"/>) to the Token Authority, the Token Authority could issue a token
e. scoped just to "example.com" or a token that attests the client is eligible to
</t><t> receive certificates for both "example.com" or "example.net". The advantage of t
Applications of the Authority Token to different identifier types might r he latter is that if, at a later time (but one within the expiry of the token),
equire different scopes, so registrations of tkauth-types should be clear if and the client wanted to acquire a certificate for "example.net", it would not have
how a scope greater than that of the requested certificate would be conveyed in to return to the Token Authority, as the Token effectively pre-authorized the is
a token. suance of that certificate.
</t> </t>
</section> <t>
<section anchor="bind" title="Binding Challenges"> Applications of the Authority Token to different identifier types might r
<t> equire different scopes, so registrations of tkauth-types should be clear about
Applications that use the Authority Token need a way to correlate tokens if and how a scope greater than that of the requested certificate would be conve
issued by a Token Authority with the proper ACME client, to prevent replay or cu yed in a token.
t-and-paste attacks using a token issued for a different purpose. To mitigate th </t>
is, Authority Tokens contain a binding signed by a Token Authority; an ACME serv </section>
er can use the binding to determine that a Token presented by a client was in fa <section anchor="bind" numbered="true" toc="default">
ct granted by the Token Authority based on a request from the client, and not fr <name>Binding Challenges</name>
om some other entity. It is RECOMMENDED that the ACME account fingerprint be use <t>
d for this purpose. Applications that use the Authority Token need a way to correlate tokens
</t><t> issued by a Token Authority with the proper ACME client to prevent replay or cut
-and-paste attacks using a token issued for a different purpose. To mitigate thi
s, Authority Tokens contain a binding signed by a Token Authority; an ACME serve
r can use the binding to determine that a Token presented by a client was in fac
t granted by the Token Authority based on a request from the client and not from
some other entity. It is <bcp14>RECOMMENDED</bcp14> that the ACME account finge
rprint be used for this purpose.
</t>
<t>
Creating a binding from an Authority Token to a particular ACME account e ntails that the Token could be reused up until its expiry for multiple challenge s issued by an ACME server. This might be a desirable property Creating a binding from an Authority Token to a particular ACME account e ntails that the Token could be reused up until its expiry for multiple challenge s issued by an ACME server. This might be a desirable property
when using short-lived certificates, for example, or in any cases where t when using short-lived certificates, for example, in any cases where the
he ACME server issues challenges more frequently that an Authority Token can or ACME server issues challenges more frequently that an Authority Token can or sho
should issue tokens, or in cases where the Authority Token scope (see <xref targ uld issue tokens or in cases where the Authority Token scope (see <xref target="
et="scope"/>) is broad, so certificates with a more narrow scope may periodicall scope" format="default"/>) is broad, so certificates with a more narrow scope ma
y be issued. y periodically be issued.
</t><t> </t>
<t>
For some identifier types, it may be more appropriate to bind the Authori ty Token to a nonce specific to the challenge rather than to an ACME account fin gerprint. Any specification of the use of the nonce or other factors for this pu rpose is left to the identifier type profile for the Authority Token. For some identifier types, it may be more appropriate to bind the Authori ty Token to a nonce specific to the challenge rather than to an ACME account fin gerprint. Any specification of the use of the nonce or other factors for this pu rpose is left to the identifier type profile for the Authority Token.
</t><t> </t>
Note that the fingerprint value in the client's JWT is reflected in the A <t>
uthority Token returned by the Token Authority; the Token Authority has no requi Note that the fingerprint value in the client's JWT is reflected in the A
rement to validate that fingerprint. Were a fingerprint to be captured by an att uthority Token returned by the Token Authority; the Token Authority has no requi
acker which had its own account with the Token Authority, it could replay that f rement to validate that fingerprint. Were a fingerprint to be captured by an att
ingerprint in its own JWT in order to receive an Authority Token with that finge acker that had its own account with the Token Authority, it could replay that fi
rprint. However, were the attacker to present that Authority Token to an ACME se ngerprint in its own JWT in order to receive an Authority Token with that finger
rvice, the service would see the fingerprint does not match the attacker's ACME print. However, were the attacker to present that Authority Token to an ACME ser
account fingerprint. So unless an attacker can compromise a target ACME account vice, the service would see the fingerprint does not match the attacker's ACME a
or gain similar privileges, the binding would be secure. ccount fingerprint. So unless an attacker can compromise a target ACME account o
</t> r gain similar privileges, the binding would be secure.
</section> </t>
</section> </section>
</section>
<section anchor="tn" title="Authority Token Challenge tkauth-type Registr <section anchor="tn" numbered="true" toc="default">
ation"> <name>Authority Token Challenge tkauth-type Registration</name>
<t> <t>
This draft specifies a tkauth-type of "atc" which contains a standard This document specifies a tkauth-type of "atc", which contains a standard
JWT <xref target="RFC7519"/> using a JWS-defined signature string <xref target JWT <xref target="RFC7519" format="default"/> using a signature string defined
="RFC7515"/>. by a JSON Web Signature (JWS) <xref target="RFC7515" format="default"/>.
The "atc" tkauth-type MAY be used for any number of different ACME The "atc" tkauth-type <bcp14>MAY</bcp14> be used for any number of different ACM
identifier types in the ACME challenge. E
</t><t> Identifier Types in the ACME challenge.
</t>
<t>
A new JWT claim, "atc", is A new JWT claim, "atc", is
defined below and lists the identifier type used in this Authority defined below and lists the identifier type used in this Authority
Token. The "atc" tkauth-type is restricted to the JWTs; if a Token. The "atc" tkauth-type is restricted to the JWTs; if a
non-JWT format is desired for the ACME Authority Token non-JWT format is desired for the ACME Authority Token
Challenge, a different tkauth-type should be specified and registered in the Challenge, a different tkauth-type should be specified and registered in the
"ACME Authority Token Challenge Types" "ACME Authority Token Challenge Types"
registry defined in Section 8. registry defined in <xref target="IANA-3" format="default"/>.
</t><t> </t>
For this ACME Authority Token usage of JWT, the payload of the JWT OPTIO <t>
NALLY contain an "iss" indicating the Token Authority that generated the token, For this ACME Authority Token usage of a JWT, it is <bcp14>OPTIONAL</bcp
if the "x5u" or "x5c" element in the header does not already convey that informa 14> for the payload of the JWT to contain an "iss", indicating the Token Authori
tion; typically, this will be the same location that appeared in the "token-auth ty that generated the token if the "x5u" or "x5c" element in the header does not
ority" field of the ACME challenge, when present. In order to satisfy the requir already convey that information; typically, this will be the same location that
ement for replay prevention the JWT MUST contain a "jti" element, and an "exp" c appeared in the "token-authority" field of the ACME challenge, when present. In
laim; the "exp" claim manages token freshness. In addition to helping to manage order to satisfy the requirement for replay prevention, the JWT <bcp14>MUST</bc
replay, the "jti" provides a convenient way to reliably track when the same "atc p14> contain a "jti" element and an "exp" claim; the "exp" claim manages token f
" Authority Token is being used for multiple challenges over time within its set reshness. In addition to helping to manage replay, the "jti" provides a convenie
lifetime. nt way to reliably track when the same "atc" Authority Token is being used for m
</t><t> ultiple challenges over time within its set lifetime.
The JWT payload MUST also contain a new JWT claim, "atc", for Authority </t>
Token Challenge, which contains three mandatory elements in a JSON map: the ATC <t>
identifier type ("tktype"), the identifier value ("tkvalue"), and the binding (" The JWT payload <bcp14>MUST</bcp14> also contain a new JWT claim, "atc",
fingerprint"). The use of "tktype" is restricted to the values in the "ACME Iden for Authority Token Challenge, which contains three mandatory elements in a JSO
tifier Types" registry as defined by <xref target="RFC8555"/>. The identifier ty N map: the ATC identifier type ("tktype"), the identifier value ("tkvalue"), and
pe and value are those given in the ACME challenge and conveyed to the Token Aut the binding ("fingerprint"). The use of "tktype" is restricted to the values in
hority by the ACME client. For the purposes of the "atc" tkauth-type, the bindin the "ACME Identifier Types" registry, as defined by <xref target="RFC8555" form
g "fingerprint" is assumed to be a fingerprint of the ACME credential for the ac at="default"/>. The identifier type and value are those given in the ACME challe
count used to request the certificate, but the specification of how the binding nge and conveyed to the Token Authority by the ACME client. For the purposes of
is generated is left to the identifier type profile for the Authority Token (see the "atc" tkauth-type, the binding "fingerprint" is assumed to be a fingerprint
<xref target="bind"/>). The "tkvalue" indicates the scope of the authority that of the ACME credential for the account used to request the certificate, but the
the token, and its semantics are outside the scope of this document, as they wi specification of how the binding is generated is left to the identifier type pro
ll be specified by the "tkvalue" identifier in a separate specification. file for the Authority Token (see <xref target="bind" format="default"/>). The "
</t><t> tkvalue" indicates the scope of the authority that the token and its semantics a
Following the example of <xref target="I-D.ietf-acme-authority-to re outside the scope of this document, as they will be specified by the "tkvalue
ken-tnauthlist"/>, the "tktype" identifier type could be the TNAuthList, with a " identifier in a separate specification.
"tkvalue" as defined in <xref target="RFC8226"/> that the Token Authority is att </t>
esting. Practically speaking, that scope may comprise a list of Service Provider <t>
Code elements, telephone number range elements, and/or individual telephone num Following the example of <xref target="RFC9448" format="default"/
bers. So for example: >, the "tktype" identifier type could be the TNAuthList (as defined in <xref tar
</t><t> get="RFC8226"/>), which would be the value for the "tkvalue" element that the To
<figure> ken Authority is attesting. Practically speaking, that scope may comprise a list
<artwork><![CDATA[ of Service Provider Code elements, telephone number range elements, and/or indi
{ vidual telephone numbers. So for example:
"protected": base64url({ </t>
"typ":"JWT", <sourcecode type=""><![CDATA[
"alg":"ES256", {
"x5u":"https://authority.example.org/cert" "protected": base64url({
}), "typ":"JWT",
"payload": base64url({ "alg":"ES256",
"iss":"https://authority.example.org/authz", "x5u":"https://authority.example.org/cert"
"exp":1300819380, }),
"jti":"id6098364921", "payload": base64url({
"atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint": "iss":"https://authority.example.org/authz",
"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50: "exp":1300819380,
9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} "jti":"id6098364921",
}), "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==",
"signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:
} BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"}
]]></artwork> }),
</figure> "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
</t> }
<t>Optionally, the "atc" claim may contain a fourth boolean element, "ca". I ]]></sourcecode>
f set to "true", the "ca" element indicates that the Token Authority is granting <t>Optionally, the "atc" claim may contain a fourth boolean element, "ca".
permission to issue a certification authority certificate rather than an end-en If set to "true", the "ca" element indicates that the Token Authority is granti
tity certificate for the names in question. This permits subordinate delegations ng permission to issue a certification authority certificate rather than an end-
from the issued certificate (using <xref target="RFC9115"/> or similar mechanis entity certificate for the names in question. This permits subordinate delegatio
ms). If the "ca" element is absent, the Token Authority is explicitly withholdin ns from the issued certificate (using <xref target="RFC9115" format="default"/>
g permission. The "atc" object in the example above would then look like: or similar mechanisms). If the "ca" element is absent, the Token Authority is ex
<figure> plicitly withholding permission. The "atc" object in the example above would the
<artwork><![CDATA[ n look like:
"atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","ca":true, </t>
"fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F <sourcecode type=""><![CDATA[
8:50: "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==",
9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} } "ca":true,"fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:
]]></artwork> 71:D3:BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
</figure> ]]></sourcecode>
</t><t> <t>
Specifications of "tktype" identifier types may define additional optional " atc" elements. Specifications of "tktype" identifier types may define additional optional " atc" elements.
</t> </t>
</section> </section>
<section anchor="acquire" numbered="true" toc="default">
<section anchor="acquire" title="Acquiring a Token"> <name>Acquiring a Token</name>
<t> <t>
The acquisition of an Authority Token requires a network interface, apart fr om potential use cases where the entity that acts as an ACME client itself also acts as a Token Authority trusted by the ACME server. Implementations compliant with this specification MUST support an HTTPS interface for Authority Token acqu isition as described below, though other interfaces MAY be supported as well. The acquisition of an Authority Token requires a network interface, apart fr om potential use cases where the entity that acts as an ACME client itself also acts as a Token Authority trusted by the ACME server. Implementations compliant with this specification <bcp14>MUST</bcp14> support an HTTPS interface for Autho rity Token acquisition as described below, though other interfaces <bcp14>MAY</b cp14> be supported as well.
</t> </t>
<section anchor="ex" title="Basic REST Interface"> <section anchor="ex" numbered="true" toc="default">
<t> <name>Basic REST Interface</name>
In order to request an Authority Token from a Token Authority, a client sen <t>
ds a HTTPS POST request <xref target="RFC7231"/> . This specification assumes th In order to request an Authority Token from a Token Authority, a client sen
at Token Authority URIs are known to clients through preexisting business relati ds a HTTPS POST request <xref target="RFC9110" format="default"/>. This specific
onships, and that the credentials and related authentication and authorization f ation assumes that Token Authority URIs are known to clients through preexisting
or Authority Token acquisition are encompassed in that relationship. Different s business relationships and that the credentials and related authentication and
ervices may organize their web resources in domain-specific ways, but the resour authorization for Authority Token acquisition are encompassed in that relationsh
ce locator should specify the account of the client, an identifier for the servi ip. Different services may organize their web resources in domain-specific ways,
ce provider, and finally a locator for the token. but the resource locator should specify the account of the client, an identifie
</t><t> r for the service provider, and finally a locator for the token.
<figure><artwork><![CDATA[ </t>
<sourcecode type=""><![CDATA[
POST /at/account/:id/token HTTP/1.1 POST /at/account/:id/token HTTP/1.1
Host: authority.example.com Host: authority.example.com
Content-Type: application/json Content-Type: application/json
]]></artwork></figure> ]]></sourcecode>
</t><t>Note that ":id" here is a placeholder for an actual account identifi <t>Note that ":id" here is a placeholder for an actual account identifie
er. The body of the POST request MUST contain the Authority Token Challenge elem r. The body of the POST request <bcp14>MUST</bcp14> contain the Authority Token
ent (the key "atc", colon, and its value) that the client is requesting the Toke Challenge element (the key "atc", colon, and its value) that the client is reque
n Authority generate. In this way, the client proposes the scope of the Authorit sting the Token Authority generate. In this way, the client proposes the scope o
y Token it would like to receive from the Token Authority. f the Authority Token it would like to receive from the Token Authority.
</t><t> </t>
In common use cases, the "tkvalue" in this request is asking that the Token <t>
Authority issue a token that attests the entire scope of authority to which the In common use cases, the "tkvalue" in this request is asking that the Token
client is entitled. The client may also request an Authority Token with some sub Authority issue a token that attests the entire scope of authority to which the
set of its own authority via the "tkvalue" element in the Authority Token Challe client is entitled. The client may also request an Authority Token with some sub
nge object. The way that "tkvalue" is defined will necessarily be specific to th set of its own authority via the "tkvalue" element in the Authority Token Challe
e identifier type. For the TNAuthlist identifier type, for example, an object re nge object. The way that "tkvalue" is defined will necessarily be specific to th
questing an Authority Token could request authority for only a single telephone e identifier type. For the TNAuthList identifier type, for example, an object re
number in a way that is defined in the TNAuthList specification. questing an Authority Token could request authority for only a single telephone
</t><t> number in a way that is defined in the TNAuthList specification.
Finally, the JSON object MAY also contain an optional boolean element "ca" w </t>
hich signifies that the client is requesting that the Token Authority issue an A <t>
uthority Token with the "ca" flag set, as described in <xref target="tn"/>.</t> Finally, the JSON object <bcp14>MAY</bcp14> also contain an optional boolean
<t> element, "ca", which signifies that the client is requesting that the Token Aut
After an HTTPS-level challenge (e.g. a 401 HTTP response code) to verify the hority issue an Authority Token with the "ca" flag set, as described in <xref ta
identity of the client and subsequently making an authorization decision about rget="tn" format="default"/>.</t>
whether the client should receive an Authority Token with the requested scope, t <t>
hen in the success case, the Token Authority MUST return a 200 OK with a body of After an HTTPS-level challenge (e.g., a 401 HTTP response code) to verify th
type "application/json" containing the Authority Token. e identity of the client and subsequently making an authorization decision about
</t><t> whether the client should receive an Authority Token with the requested scope,
A full example of "atc" token acquisition using the HTTP interface, with then in the success case, the Token Authority <bcp14>MUST</bcp14> return a 200 O
the "tktype" of "TNAuthList", is given in <xref target="I-D.ietf-acme-authority- K with a body of type "application/json" containing the Authority Token.
token-tnauthlist"/> Section 5.5. </t>
</t> <t>
</section> A full example of "atc" token acquisition using the HTTP interface, with
the "tktype" of "TNAuthList", is given in <xref target="RFC9448" format="default
</section> " sectionFormat="of" section ="5.5"/>.
</t>
<section anchor="Acknowledgements" title="Acknowledgements"> </section>
<t>We would like to Roman Danyliw and Ben Kaduk for contributions to this
problem statement and framework.</t>
</section> </section>
<section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
<section anchor="IANA-1" numbered="true" toc="default">
<name>ACME Validation Method Registration</name>
<t>IANA has added a new ACME Validation Method (per <xref target="RFC855
5" format="default"/>) in the "ACME Validation Methods" subregistry of the "Auto
mated Certificate Management Environment (ACME) Protocol" registry group as fol
lows:</t>
<dl newline="false" spacing="normal">
<dt>Label:</dt> <dd>tkauth-01</dd>
<dt>Identifier Type:</dt> <dd>TNAuthList</dd>
<dt>ACME:</dt> <dd>Y</dd>
<dt>Reference:</dt> <dd>RFC 9447</dd>
</dl>
</section>
<section anchor="IANA-2" numbered="true" toc="default">
<name>JSON Web Token Claim Registration</name>
<t>
IANA has added a new claim in the "JSON Web Token Claims" registr
y, as defined in <xref target="RFC7519" format="default"/>, as follows:
</t>
<dl newline="false" spacing="normal">
<dt>Claim name:</dt> <dd>atc</dd>
<dt>Claim Description:</dt> <dd>Authority Token Challenge</dd>
<dt>Change Controller:</dt> <dd>IETF</dd>
<dt>Specification document(s):</dt> <dd>RFC 9447</dd>
</dl>
</section>
<section anchor="IANA-3" numbered="true" toc="default">
<name>Creation of ACME Authority Token Challenge Types Registry</name>
<t>
IANA has created a new registry for "ACME Authority Token Challenge Ty
pes" as used in these challenges, under a policy of Specification Required and f
ollowing the requirements in <xref target="req" format="default"/>, with three c
olumns: Label, Description, and Reference. The initial content of the registry i
s as follows:</t>
<dl newline="false">
<dt>Label:</dt> <dd> atc (as defined in <xref target="tn" format="default"/>)</
dd>
<dt>Description:</dt> <dd>JSON Web Token (JWT) challenge type</dd>
<dt>Reference:</dt> <dd>RFC 9447</dd>
</dl>
<section anchor="iana" title="IANA Considerations"> </section>
<section anchor="IANA-1" title="ACME Validation Method Registration">
<t>This document requests that IANA populate a new ACME Validation Method
(again per <xref target="RFC8555"/>) in the ACME Validation Methods sub-registry
of the Automated Certificate Management Environment (ACME) Protocol registry gr
oup for the label "tkauth-01", identifier type "TNAuthList", an ACME value of "Y
", and a reference pointing to [RFCThis].
</t><t>
Note to the RFC Editor: Please replace [RFCThis] throughout this docume
nt with the RFC number assigned to this specification.
</t>
</section>
<section anchor="IANA-2" title="JSON Web Token Claim Registration">
<t>
This document asks IANA to populate a new claim in the "JSON Web
Token Claims" registry as defined in <xref target="RFC7519"/> as follows:
</t><t><list><t>
Claim name: atc
</t><t>
Claim Description: Authority Token Challenge
</t><t>
Change Controller: IESG
</t><t>
Specification document(s): [RFCThis]
</t></list></t>
</section>
<section anchor="IANA-3" title="Creation of ACME Authority Token Challeng
e Type Registry">
<t>
This document requests that the IANA create a new registry for "ACME A
uthority Token Challenge Types" as used in these challenges, under a policy of S
pecification Required and following the requirements in <xref target="req"/>, wi
th three columns: Label, Reference and Description. The registry should be pre-p
opulated with a Label of "atc" per <xref target="tn"/> with a Reference value of
[RFCThis], and a Description of "JSON Web Token (JWT) challenge type."</t>
</section>
</section> </section>
<section anchor="Security" numbered="true" toc="default">
<section anchor="Security" title="Security Considerations"> <name>Security Considerations</name>
<t>
Per the guidance in <xref target="RFC8555" format="default"/>, ACME tr
ansactions <bcp14>MUST</bcp14> use TLS, and similarly, the HTTPS REST transactio
ns used to request and acquire Authority Tokens <bcp14>MUST</bcp14> use TLS. The
se measures are intended to prevent the capture of Authority Tokens by eavesdrop
pers. A preexisting trust relationship between the HTTPS REST client and the Tok
en Authority must also exist in order for the parties to meaningfully authentica
te one another. The security considerations of <xref target="RFC8555" format="de
fault"/> apply to the use of the mechanism in this specification. Implementation
s should follow the best practices identified in <xref target="RFC8725" format="
default"/>.
</t>
<t>
As described in <xref target="scope" format="default"/>, an Aut
hority Token can either have a scope that attests all of the resources that a cl
ient is eligible to receive certificates for or potentially a more limited scope
that is intended to capture only those resources for which a client will receiv
e a certificate from a particular certification authority. Any certification aut
hority that sees an Authority Token can learn information about the resources a
client can claim. In cases where this incurs a privacy risk, Authority Token sco
pes should be limited to only the resources that will be attested by the request
ed ACME certificate.
</t>
<t>
In cases where a tkauth-type, as defined in <xref target="tn" f
ormat="default"/>, admits of its own subtypes, the security of features like bin
ding challenges (see <xref target="bind" format="default"/>) will depend on the
subtype specification.
</t>
<t>
The capture of Authority Tokens by an adversary could enable an attacker
to acquire a certificate from a CA. Therefore, all Authority Tokens <bcp14>MUST<
/bcp14> contain a field that identifies to the CA which ACME client requested th
e token from the Token Authority; here, that is the fingerprint specified in <xr
ef target="tn" format="default"/>. All Authority Tokens must specify an expiry (
of the token itself as proof for a CA, as opposed to the expiry of the name), an
d for some applications, it may make sense for that expiry to be quite short.
ACME services relying on Authority Tokens <bcp14>SHOULD NOT</bcp14> issue
certificates with a longer expiry than the expiry of the Authority Token. Any p
rotocol used to retrieve Authority Tokens from a Token Authority <bcp14>MUST</bc
p14> use confidentiality to prevent eavesdroppers from acquiring an Authority To
ken. The details of this protocol are out of the scope of this specification.
</t>
<t> <t>
Per the guidance in <xref target="RFC8555"/>, ACME transactions MUST u
se TLS, and similarly the HTTPS REST transactions used to request and acquire Au
thority Tokens MUST use TLS. These measures are intended to prevent the capture
of Authority Tokens by eavesdroppers. A preexisting trust relationship between t
he HTTPS REST client and the Token Authority must also exist in order for the pa
rties to meaningfully authenticate one another. The security considerations of <
xref target="RFC8555"/> apply to the use of the mechanism in this specification.
Implementations should follow the best practices identified in <xref target="RF
C8725"/>.
</t><t>
As described in <xref target="scope"/>, an Authority Token can
either have a scope that attests all of the resources which a client is eligible
to receive certificates for, or potentially a more limited scope that is intend
ed to capture only those resources for which a client will receive a certificate
from a particular certification authority. Any certification authority that see
s an Authority Token can learn information about the resources a client can clai
m. In cases where this incurs a privacy risk, Authority Token scopes should be l
imited to only the resources that will be attested by the requested ACME certifi
cate.
</t><t>
In cases where a tkauth-type as defined in <xref target="tn"/>
admits of its own subtypes, the security of features like binding challenges (se
e <xref target="bind"/>) will depend on the subtype specification.
</t><t>
The capture of Authority Tokens by an adversary could enable an a
ttacker to acquire a certificate from a CA. Therefore, all Authority Tokens MUST
contain a field that identifies to the CA which ACME client requested the token
from the Token Authority; here that is the fingerprint specified in <xref targe
t="tn"/>). All Authority Tokens must specify an expiry (of the token itself as p
roof for a CA, as opposed to the expiry of the name), and for some application,
it may make sense of that expiry to be quite short. ACME services relying on Aut
hority Tokens SHOULD not issue certificates with a longer expiry than the expiry
of the Authority Token. Any protocol used to retrieve Authority Tokens from a T
oken Authority MUST use confidentiality to prevetn eavesdroppers from acquiring
an Authority Token. The details of this protocol are out of the scope of this sp
ecification.
</t><t>
This document only specifies SHA256 for the fingerprint hash. How ever, the syntax of the fingerprint object would permit other keys if, due to co ncerns about algorithmic agility, a more robust algorithm were required at a fut ure time. Future specifications can define new keys for the fingerprint object a s needed. This document only specifies SHA256 for the fingerprint hash. How ever, the syntax of the fingerprint object would permit other keys if, due to co ncerns about algorithmic agility, a more robust algorithm were required at a fut ure time. Future specifications can define new keys for the fingerprint object a s needed.
</t> </t>
</section> </section>
</middle> </middle>
<!-- *****BACK MATTER ***** -->
<back> <back>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2
119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
515.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7
519.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
110.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
725.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
555.xml"/>
<!-- References split into informative and normative --> <reference anchor='RFC9448' target='https://www.rfc-editor.org/info/rfc9448'>
<front>
<!-- There are 2 ways to insert reference entries from the citation librarie <title>TNAuthList Profile of Automated Certificate Management Environment (ACME)
s: Authority Token</title>
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here ( <author initials='C' surname='Wendt' fullname='Chris Wendt'>
as shown) <organization />
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml </author>
"?> here <author initials='D' surname='Hancock' fullname='David Hancock'>
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.x <organization />
ml") </author>
Both are cited textually in the same manner: by using xref elements. <author initials='M' surname='Barnes' fullname='Mary Barnes'>
If you use the PI option, xml2rfc will, by default, try to find included fil <organization />
es in the same </author>
directory as the including file. You can also define the XML_LIBRARY environ <author initials='J' surname='Peterson' fullname='Jon Peterson'>
ment variable <organization />
with a value containing a set of directories to search. These can be either </author>
in the local <date year='2023' month='September'/>
filing system or remote ones accessed by http (http://domain/dir/... ).--> </front>
<seriesInfo name="RFC" value="9448"/>
<seriesInfo name="DOI" value="10.17487/RFC9448"/>
</reference>
<references title="Normative References"> </references>
&RFC2119; <references>
&RFC8174; <name>Informative References</name>
&RFC7515; <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
&RFC7519; 226.xml"/>
&RFC7231; <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
&RFC3986; 396.xml"/>
&RFC8725; <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
&RFC4648; 115.xml"/>
&RFC8555; </references>
&I-D.ietf-acme-authority-token-tnauthlist;
</references>
<references title="Informative References">
&RFC8226;
&RFC8396;
&RFC9115;
</references> </references>
<section anchor="Acknowledgements" numbered="false" toc="default">
<name>Acknowledgements</name>
<t>We would like to <contact fullname="Roman Danyliw"/> and <contact fulln
ame="Ben Kaduk"/> for contributions to this problem statement and framework.</t>
</section>
</back> </back>
</rfc> </rfc>
 End of changes. 41 change blocks. 
521 lines changed or deleted 485 lines changed or added

This html diff was produced by rfcdiff 1.48.