HTT Consulting

Oak Park MI 48237 USA rgm@labs.htt-consult.com

AX Enterprize, LLC

4947 Commercial Drive Yorkville NY 13495 USA stu.card@axenterprize.com

Internet INTAREA RFC Request for Comments I-D Internet-Draft DRIP PKIX The DRIP Entity Tag (DET) public Key Infrastructure (DKI) is a specific variant of classic Public Key Infrastructures (PKI) where the organization is around the DET, in place of X.520 Distinguished Names. Further, the DKI uses DRIP Endorsements in place of X.509 certificates for establishing trust within the DKI. There are two X.509 profiles for shadow PKI behind the DKI, with many of their X.509 fields mirroring content in the DRIP Endorsements. This PKI can at times be used where X.509 is expected and non-constrained communication links are available that can handle their larger size.

Introduction A DRIP Entity Tag (DET, ) public Key Infrastructure (DKI) is designed as a strict hierarchy, governed by the administrator of the DET prefix and having the authority to authorize RAAs. RAAs in turn authorize HDAs within their domain. This authorization is managed via a set of DETs whose sole use is to define the DKI. The RAA Authorization DETs MUST reside in HID = RAA#|0 (Apex Authorization DET in HID = 0|0). There are three main classifications/types of DETs:

• Authorization DETs

  Used to assert the authorization of a DKI level.

  Issuing DETs

  Used to assert operations within DKI level.

  Operational DETs

  Used by operational entities within DKI level

All DETs exist in DET-Endorsements (). These DET-Endorsements provide the proof of registration and thus trust. These DETs, through chained Endorsements define the DKI as follows:

The DKI Endorsements

The Authorization DETs exist in a set of DET-Authorization-Endorsements. The lifetime of these endorsements SHOULD be no less than 1 year, recommended 5 years, and should not exceed 10 years. Endorsements SHOULD be reissued prior to expiry (may be for a new DET). DETs used to define this authorization are replaced per undetermined policy (note these DETs do very little signing, see ). This separation of DET type roles reduce the risk of private key loss for the critical Authentication DETs by making them infrequently used and only used in offline operations. It does make the chain of trust for a HDA customers' Operational DETs to be 4 Endorsements.

The DKI without an Apex Entity The hierarchial design of the DKI is the most efficient possible with the least data transmission overhead. But it requires the participation of an Entity, in the role of the Apex, trusted by all the RAAs. The logical Entity for this role is the International Civil Aviation Authority (ICAO), but the processes for ICAO to take on this role are complex. Work is ongoing with the ICAO, but timing is indeterminate and immediately implementable alternatives are needed. The DKI can work by the RAAs establishing mutual trust within a geographic region. It is envisioned that the initial RAA assignments will follow . Without an Apex, each RAA self-endorses its Authentication DET, acting as its own apex. However, RAAs issued DETs (via their HDAs) will not exist in the air by themselves (except perhaps for some small island nations), thus a geographic regional consortium of RAAs will need to deploy some mechanism for mutual trust for their End Entities to fly together. There are three reasonable approaches for RAAs to manage their mutual trust and it is likely that all will occur:

• 1. RAA Trust lists
  2. RAA Cross-endorsements
  3. Bridge RAA with cross-endorsements to RAAs

It is recommended that the RAA Trust List be used during initial DKI testing. The cross-endorsing options will need their own testing to work out how best to deploy them.

RAA Trust lists A consortium of RAAs MAY choose to maintain a list of RAAs they trust. It is recommended that this list consist of the RAA's Authentication DET and HI. Each RAA in the consortium SHOULD maintain its own list, signed with its Authentication DET. This Trust List MAY contain each RAA's Authentication DET self-endorsement validity dates. If a trusted RAA has more than one self-endorsement (most likely to support key rollover), including these dates makes it easier to have an RAA duplicated in the list. How the RAAs communicate between themselves to maintain these lists is out of scope here. Each RAA SHOULD include validity dates in its Trust List. Frequency of Trust List updates is also out of scope here. Trust Lists is the simplest method to implement, but may not be the simplest to maintain over time.

RAA Cross-endorsements A consortium of RAAs MAY choose to cross-endorse each's Authentication DET. This is done by one RAA endorsing for its community, another's Authentication DET. This establishes one-way trust; thus, in practice, each RAA needs to cross-endorse each RAA's Authentication DET within the consortium. RAA Cross-endorsements definitely has a scaling (n^2) problem. It works for a starting point or for a very small group of RAAs. How these RAA Cross-endorsements are discovered has not been defined at this point. One potential is via a to-be-defined DNS HHIT RR within the endorsing RAA's zone. This information would need to be cached by any potential offline entity.

Bridge RAA with cross-endorsements to RAAs A consortium of RAAs MAY select one RAA to function as a "Bridge" between all members of the consortium. In this approach, the "Bridge RAA" does not authorize any sub-HDAs. Its sole purpose is the cross-endorse to member RAAs. The Bridge and each RAA cross endorse as in . Bridge RAA Cross-endorsementing reduces the scaling challenge to only the number of RAAs in the consortium. Plus there is little need to communicate any changes in the cross-endorsementing to the various parties within the consortium. Thus this option scales the best out of the three alternatives to DKI Apex hierarchy. How these RAA Cross-endorsements are discovered has not been defined at this point. The Bridge RAA will have to be known to all parties within the consortium. One potential, as above, is via a to-be-defined DNS HHIT RR within the endorsing RAA's zone. This information would need to be cached by any potential offline entity.

Terms and Definitions

Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Definitions This document uses the terms defined in and in . The following new terms are used in the document:

Authorization DETs

DETs whose use is to define a hierarchy level and endorse lower hierarchy level Authorization DETs and finally Issuing DETs at this hierarchy level. They the DETs in the Authentication Endorsements and X.509 certificates.

DKI

A DRIP Entity Tag (DET) public Key Infrastructure. Similar to an X.509 PKI, but built on the DRIP Endorsements.

Issuing DETs

DETs whose use is to sign Endorsements and X.509 certificates for Operational DETs that are at the same hierarchy level as the Issuing DET.

Operational DETs

DETs used by various entities in DRIP protocols and as non-routable IPv6 addresses. A partial list of such entities includes: GCS, Infrastructure (e.g. wireless tower systems), Pilots-in-command, Servers, UA.

The DET public Key Infrastructure (DKI)

The DKI Levels

The Apex The Apex Authorization DET is used to endorse RAA Authorization DETs and its own Apex Issuing DETs; it has no other use. This is the case for all Authorization DETs. Apex Issuing DETs are used to endorse DETs, with HID= 0|0, used by Apex services.

The RAAs Each RAA use its Authorization DET (HID = RAA#|0) to endorse its RAA Issuing DET(s) (also HID = RAA#|0) and for signing its HDA Authorization DETs (HID = RAA#|HDA#). An RAA may have multiple Issuing DETs (HID = RAA#|0), each for a different use (e.g. CRL signing, RAA server signing). It is expected that, over time, an RAA will rollover its Issuing DETs, thus at times there will be more than ONE Issuing DET per role in use. These Issuing DETs, like those at the Apex level, constitute an implicit HDA. There is no Authorization DET for this implicit HDA, but other than only signing for entities like servers needed by the RAA, it should be considered as an HDA in terms of policies.

Initial RAA assignments It is expected that each nation state will manage RAAs for use of its National Air Space (NAS). The allocation of RAA numbers for this purpose will initially be based on the ISO 3166 3-digit codes (). The initial allocation of RAAs will be (ISO-3166 number)*4 + [0-3]. It is up to each state what they do with this initial allocation. Each UAS Manufacturer with a CTA-2063A number will be allocated an HDA out of a specific Manufacturer's RAA range. To manage the large CTA Manufacturer Code space (34 character set; 4 characters; 1,336,336 possible codes) a range of RAA values are set aside for this purpose. These are the RAA values of 4000 (0x0FA0) to 4095 (0x0FFF). This allows a single HDA for each Manufacturer Code. Any allocation of RAAs to non-states will start with RAA 4096.

The HDAs Each HDA use its Authorization DET to endorse its HDA Issuing DETs (e.g. RAA=267, HDA=567). An HDA Issuing DET is used to endorse Operational DETs; those used by the HDA for its services (e.g. USS) and for Devices (e.g. UA, GCS, ground infrastructure) partaking in the HDA's services. If the Operational DET is a Manufacturer DET, the "valid not after" date (vna) MUST be 99991231235959Z.

The Offline Requirement for Authentication DETs The Authentication DETs private keys MUST NEVER be on a system with any network connectivity. Also efforts MUST be taken to limit any external digital media connections to these offline systems. Compromise of an Authentication DET compromises its and all lower hierarchy levels. Such a compromise could result in a major re-signing effort with a new Authentication DET. Also, during the time of compromise, fraudulent additions to the DKI could have occurred. This means that the process whereby the Authentication DET is used to sign the Endorsement/X.509 certificate of its level's Issuing DET(s) and lower level Authentication DETs MUST be conducted in an offline manner. This offline process need not be onerous. For example, QR codes could be used to pass CSR objects to the offline Authentication DET system, and this system could produce QR codes containing the Endorsements and X.509 certificates it signed. A video conference between the parties could have one side show its QR code and the other copy and print it to move between the video conferencing system and the offline system. This is a simplification of a larger signing operation, but shows how such a signing need not require travel and expensive hand-off methodologies. It should be noted that the endorsement of Issuing DETs follow the same restriction, as it is done with the Authentication DET. It MUST be conducted in an offline manner.

DNS view of DKI The primary view of the DKI is within DNS. There are two main DNS structures, one for DETs and one for DKI entities. In the DET DNS structure, only the Apex and RAA levels MUST be DNSSEC signed. The HDA level may be too dynamic for DNSSEC signing (e.g. hundreds of new EE Operational DETs per hour); trust in the EE Operational DETs within the HDA level comes through inclusion of the HDA Endorsement of EE object. A slow-churn HDA MAY use DNSSEC. The RAA and HDA levels MUST contain their Endorsement by higher object; this provides the needed trust in the Endorsement of EE objects. The Apex level Endorsement is self-signed, thus trust in it is only possible via DNSSEC. Endorsements are currently stored in DNS via the CERT RR using a private OID of 1.3.6.1.4.1.6715.2 (an alternative OID may be 1.3.9.16.2) and further classified by the Endorsement Type. The CERT RR is only a temporary RR for Endorsements, as it cannot support DET revocation (). Other RR within these levels will vary. There may be HIP, TLSA, and/or URI RR. Each level needs FQDNs for its Authorization DET and Issuing DET(s) (e.g. PTR to DETs?). FQDNs for services offered may also be present, or a URI for the commercial FQDN for the DKI Entity. TLSA RR of DET SPKI may be directly included here. Same with HIP RR. The Authorization Endorsement SHOULD be present, as SHOULD be Issuing Endorsements.

Managing DET Revocation For Operational DETs, there is no direct concept of DET revocation. Operational DETs are either discoverable via DNS or not valid despite being in a non-expired Endorsement signed an Issuing DET. Thus if an Issuing Entity needs to "revolk" an Operational DET it removes all entries for it from DNS, so a short TTL on those records is recommended. Authorization and Issuing DETs are not so easily "revoked"; something akin to an X.509 CRL mechanism is needed. This could best be dealt with by Endorsements managed in a RR that includes revocation status. Thus needs to define a specific RR for Endorsements that will be used here. Minimally, at least the revocation status and revocation date(s) need to be in this RR. Until this RR is defined, there is no mechanism, other than removal for Authorization and Issuing DET revocations.

The Offline cache of HDA Issuing Endorsements The Offline cache of HDA Issuing Endorsements, used to verify various EE signed objects without needing DNS access, SHOULD consist of the HDA Authentication DET Endorsements of the HDA Issuing DETs. Thus the receiver has a trusted source of the HDA Issuing DET Public Key (HI) in a DRIP standard object (136 bytes). If the DKI DNS tree includes GEO location data and coverage, a receiver could query some service for a trusted cache within some radius of its location. Such as, please tell me of all HDAs within 100KM of... This cache MAY contain the full chain up to the Apex. This could be helpful in limited connectivity environments when encountering an HDA Issuing DET under a unknowned Authenticated HDA or RAA. The needed trust chain could be shorter.

HDA Offline Trust cache There situations where a list of specific HDAs for an entity to trust for some application is needed. This can best be met by maintaining a cache as above but only of the trusted HDA Issuing Endorsements. How a list of this limited trust is maintain and distributed is out of scope of this document and is left to those needing this specific feature.

RAAs set aside for Testing The RAA range of 16376 - 16383 are reserved for testing. It test DET DNS structure under drip-testing.org will use these. RAAs 16376 - 16389 are preallocated in this test DNS with 16390 - 16383 available for testing setting up RAAs. Within RAAs 16376 - 16383, HDAs 16376 - 16383 will be preset for testing of Operational DETs. Other HDAs within RAAs 16376 - 16383 additional HDAs can be made available for testing of HDA setup and running said HDAs. It is anticipated that once a production DNS is established, these test RAAs and HDAs will carry forward. The migration could be as simple as the production Apex endorsing the test RAA Authorization DETs and moving the various test DNS structures to the production structure.

The DKI's Shadow PKI The following defines the components of a DKI's shadow PKI built from X.509 certificates with content that mirrors that in the DKI Endorsements. There are two profiles provided; both may be used, or the community may select one for deployment. In both cases, the PKI tree mirrors that of the DKI levels (). At this point in defining the shadow PKIs, alternatives to a strict hierarchy is still an open work item. This work will follow the pattern set in .

Shadow Lite-PKI with minimal content Certificates The Lite-PKI is designed to fully mirror the DKI in the smallest reasonable X.509 certificates (e.g. 240 bytes for DER), but still adhere to MUST field usage.

DRIP Lite X.509 certificate profile The following is the profile for the DRIP X.509 certificates

DRIP Lite certificate profile

Serial Number The Serial Number is a MUST field, but it has no usage in this Lite-PKI. It is 1-byte in size and thus duplicates are guaranteed. To drop this field could make many X.509 parsing libraries fail.

Subject The Subject field is only used in Authentication and Issuing Certificates. In this usage it will be the left 8 bytes of the DET encoded in the commonName attribute. Thus CN=2001003000000005 is for an Apex Authentication certificate for prefix 2001003/28 and SuiteID 5. For Entity Certificates, the Subject is Empty and the DET will be in Subject Alternative Name (SAN). In the SAN, the DET can be properly encoded as an IPv6 address. To distinguish the various Issuing DET certificates under an Authentication DET certificate, they will have a letter appended to the CN to identify their role. For consistency across the PKI, these should be in an IANA registry. Current thought is for at least:

• Issuing - I
• CRL signing - CRL

Issuer The Issuer MUST be the higher level's Subject. The Issuer for the Apex Authentication certificate MUST be the Subject (indicating self-signed). As the Subject field streams down to Issuer, it is very important for walking the trust chain via the FQDNs derived from the CN. Note that there may be multiple certificates with a CN, particularly during key rollover. It is up to applications to select the proper signing certificate for validation.

Subject Alternative Name Subject Alternative Name is only used in Operational (End Entity) certificates. It is used to provide the DET as an IP address with an Empty Subject (SAN MUST be flagged as Critical). The Subject Alternative Name is also used in Manufacturer DET certificates. These may contain the hardwareModuleName as described in that references . Per and , Manufacturer DET certificates with hardwareModuleName MUST have the notAfter date as 99991231235959Z.

The Lite test PKI The Lite test PKI, following the test DKI, was built with openSSL using the "req" command to create a CSR and the "ca" command to sign the CSR, making the certificate. It should be noted that these CSRs have all the content for making a DRIP Endorsement, such that a registrar may prefer to receive CSRs and use it to make both structures. The self-signed certificates created by "req -x509" does not allow selection of the validity dates, only the number of days from NOW. The hack used around this limitation is to create a throw-away self-signed certificate as above with the Apex's DET. Then create a CSR with that DET and sign it with the throw-away certificate, setting the validity dates as desired. This now becomes the actual Apex self-signed Authentication certificate and the throw-away certificate can now be thrown away.

Shadow PKI with PKIX-like Certificates The X.509 certificates are minimalistic (less than 400 bytes for DER). Any DRIP specific OIDs should come from the ICAO arc (e.g. 1.3.27.16.2).

DRIP X.509 certificate profile The following is the profile for the DRIP X.509 certificates

DRIP certificate profile

Serial Number The certificates will contain a 8-byte randomly generated Serial Number, compliant with CABForum recommendations. Serial Numbers are included for CRL functionality.

Subject The certificates Subject will be coded in the commonName attribute. This will either be the DET or the left 8 bytes of the DET (for Authentication and Issuing DET certificates). Thus CN=2001003000000005 is for an Apex Authentication certificate for prefix 2001003/28 and SuiteID 5. Author's Note: When the Subject is a DET, it may be better to put it in Subject Alternative Name and leave out Subject. As the DET is an IPv6 address and using SAN for them is recommended in . To distinguish the various Issuing DET certificates for the Authentication DET certificate, they will have a letter appended to the CN to identify their role. For consistency across the PKI, these should be in an IANA registry. Current thought is for at least:

• Issuing - S
• CRL signing - CRL

Subject Alternative Name The Subject Alternative Name is NOT used in DET certificates with the exception of Manufacturer DETs. These will contain the hardwareModuleName as described in that references . Per and , Manufacturer DET certificates MUST have the notAfter date as 99991231235959Z.

Issuer The Issuer MUST be the higher level's Subject. The Issuer for the Apex Authentication certificate MUST be the Subject (indicating self-signed).

Subject Key Identifier The Subject Key Identifier MUST be the DET. This is a major deviation from "standard" X.509 certificates that hash (normally with SHA2) the Public Key to fill the Subject Key Identifier.

Authority Key Identifier The Authority Key Identifier MUST be the higher level's Subject Key Identifier (i.e. DET). This partially follows standard practice to chain up the Authority Key Identifier' from the Subject Key Identifier, except for how the Subject Key Identifiers are populated. The Authority Key Identifier for the Apex Authentication certificate MUST be the Subject Key Identifier (indicating self-signed).

The PKIX-like test PKI The PKIX-like test PKI, following the test DKI, was built with openSSL using the "req" command to create a CSR and the "ca" command to sign the CSR, making the certificate. It should be noted that these CSRs have all the content for making a DRIP Endorsement, such that a registrar may prefer to receive CSRs and use it to make both structures. The self-signed certificates created by "req -x509" does not allow selection of the validity dates, only the number of days from NOW. The hack used around this limitation is to create a throw-away self-signed certificate as above with the Apex's DET. Then create a CSR with that DET and sign it with the throw-away certificate, setting the validity dates as desired. This now becomes the actual Apex self-signed Authentication certificate and the throw-away certificate can now be thrown away.

IANA Considerations TBD - may need a registry of Signing certificate types.

Security Considerations Risks in the DKI are similar to those in any X.509 PKI. The methodologies to mitigate risk in PKI management should be considered and implemented as appropriate. The DKI presents a tree-breath problem that is rarely seen in PKIs and needs practical solutions to minimize cost of operations and not introduce risks needlessly. Consider that there can be 16,384 RAAs. Assume only 10,000 RAAs, each of which Authentication DET Endorsement has a 10 year validity period. This means that, on average, 1,000 RAAs per year need to rekey their Authentication DET Endorsement, or on average, 3 per day. Current witnessed key signing processes will not scale to this volume. Some virtual method (like in ) is needed.

Protecting against DKI/PKI compromise There is always a risk of key compromise that could be a major setback to the operation of a PKI and likewise the DRIP DKI. To mitigate this risk, the Authentication DETs MUST only be used in offline signing operations. They MUST NEVER be used on connected systems. The information needed to create the Endorsements and X.509 certificates are brought to them on media that cannot transfer code, for example in a QR code. The objects that are created are then transferred away from the offline system to be used where needed. It should be noted that this offline process MUST be followed down the DKI/PKI tree. That is, the Apex has offline operations that include signing the RAA Authentication DET that will be used in the RAA's set up.

References IANA ANSI/CTA ISO

Test DETs and Endorsements The following are test DETs and Endorsements for the test DKI. This testing environment is open to all. There are 4 RAAs available for others to build out. HDAs under the 4 preset RAAs, or under any of the 4, built out be others, are available. Finally the test HDAs are available for setting up a handful of entities. Any tester wanting more than a few DETs for entities should plan on doing that under their own HDA. The following are the test values and objects. They were generated using the det-gen.py and endorse.py scripts available at .

Test DKI values

Test DNS The DNS tree(s) for the above test data is still in limbo and will be added in a later version of this draft. But some of the RR for these DETs are available below:

Test DNS Records

Test X.509 certificates

Test Lite X.509 certificates The following the test DRIP X.509 certificates that mirror the test Endorsements.

DRIP Apex Lite X.509 certificate

DRIP RAA 16376 Lite X.509 certificate

DRIP HDA 16376-16376 Authentication LiteX.509 certificate

DRIP HDA 16376-16376 Issuing Lite X.509 certificate

DRIP UA in HDA 16376-16376 Lite X.509 certificate

openSSL Lite config file The following openssl-conf file was used to create the above Lite, certificates. It is dependent on a number of environment variables to make each unique certificate. The conf file is a bit of a hack of multiple conf files and some sections are really not used. It is included here as a guide.

openSSL config file used for DRIP Lite X.509 certificates . #countryName = Country Name (2 letter code) #stateOrProvinceName = State or Province Name #localityName = Locality Name #0.organizationName = Organization Name #organizationalUnitName = Organizational Unit Name commonName = Common Name [ req_ext ] #basicConstraints = $ENV::basicConstraints #keyUsage = $ENV::certkeyusage [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = none #subjectKeyIdentifier = $ENV::DET authorityKeyIdentifier = none #authorityKeyIdentifier = keyid:always #basicConstraints = $ENV::basicConstraints #keyUsage = $ENV::certkeyusage [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). #basicConstraints = $ENV::basicConstraints subjectKeyIdentifier = none authorityKeyIdentifier = none #authorityKeyIdentifier = keyid:always #keyUsage = $ENV::certkeyusage #extendedKeyUsage = $ENV::certextkeyusage [ usr_req ] # Extensions for client certificates (`man x509v3_config`). subjectAltName = critical, $ENV::subjectAltName ]]>

Test PKIX-like X.509 certificates The following the test DRIP X.509 certificates that mirror the test Endorsements.

DRIP Apex X.509 certificate

DRIP RAA 16376 X.509 certificate

DRIP HDA 16376-16376 Authentication X.509 certificate

DRIP HDA 16376-16376 Issuing X.509 certificate

DRIP UA in HDA 16376-16376 X.509 certificate

openSSL config file The following openssl-conf file was used to create the above certificates. It is dependent on a number of environment variables to make each unique certificate. The conf file is a bit of a hack of multiple conf files and some sections are really not used. It is included here as a guide.

openSSL config file used for DRIP X.509 certificates . countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name # Optionally, specify some defaults. # countryName_default = US # stateOrProvinceName_default = MI # localityName_default = Oak Park # 0.organizationName_default = HTT Consulting # organizationalUnitName_default = [ req_ext ] #basicConstraints = critical, CA:true basicConstraints = $ENV::basicConstraints # keyUsage = critical, digitalSignature, cRLSign, keyCertSign # keyUsage = critical, cRLSign, keyCertSign keyUsage = $ENV::certkeyusage [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = $ENV::DET #subjectKeyIdentifier = hash #authorityKeyIdentifier = keyid:always,issuer authorityKeyIdentifier = keyid:always basicConstraints = critical, CA:true # keyUsage = critical, digitalSignature, cRLSign, keyCertSign # keyUsage = critical, cRLSign, keyCertSign keyUsage = $ENV::certkeyusage # subjectAltName = $ENV::subjectAltName [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = $ENV::basicConstraints subjectKeyIdentifier = $ENV::DET #authorityKeyIdentifier = keyid:always keyUsage = $ENV::certkeyusage extendedKeyUsage = $ENV::certextkeyusage # uncomment the following if the ENV variables set # crlDistributionPoints = $ENV::crlDP # authorityInfoAccess = $ENV::ocspIAI [ v3_intermediate_ca ] # Extensions for a typical intermediate CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 # keyUsage = critical, digitalSignature, cRLSign, keyCertSign # keyUsage = critical, cRLSign, keyCertSign keyUsage = $ENV::certkeyusage [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer # keyUsage = critical, digitalSignature keyUsage = $ENV::certkeyusage # extendedKeyUsage = critical, OCSPSigning extendedkeyUsage = $ENV::certextkeyusage ]]>

Acknowledgments Many people assisted in creating the python scripts for making DETs and DRIP Endorsements. Any roughness in the scripts is all my doing. The openssl-user mailing list provided needed help in getting openssl command line to do what was needed to build the test PKI.