You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
submissiontype: IETF # also: "independent", "editorial", "IAB", or "IRTF"
9
-
date: 2025-11-11
9
+
date: 2026-02-26
10
10
consensus: true
11
11
v: 3
12
12
area: Security
@@ -189,18 +189,15 @@ The hashAlg field MUST contain the AlgorithmIdentifier of the hash algorithm use
189
189
190
190
The bindingType field MAY contain an identifier that specifies how the data to be signed is derived from the digital object to be signed.
191
191
192
+
Adding this extension to a certificate is a statement by the CA that the signing key is generated exclusively for the purpose of signing the document bound by this extension, and that the signing key is destroyed after signing. The details for this procedure and how the destruction of the signing key is assured SHOULD be outlined in the certificate policy {{RFC3647}} of the issued certificate.
193
+
192
194
## Defined bindingType identifiers
193
195
194
196
The bindingType field defines how the data to be signed (dataTbsHash) is derived from the signed document.
195
197
This field identifies a deterministic procedure for selecting the portion of the signed content that is included in the hash computation.
196
198
When the field is omitted, the rules for the default binding type apply.
197
199
198
-
The purpose of the dataTbsHash value is to bind the certificate to the document being signed, not to protect the document’s integrity.
199
-
The integrity of the signed content is provided by the signature itself.
200
-
If any byte of the signed document is modified, the calculated hash will no longer match the certificate.
201
-
Therefore, the dataTbsHash enables validators and relying parties to confirm that the certificate was issued for the exact content that was signed.
202
-
203
-
Validators SHOULD verify that the signed document matches the certificate’s binding information.
200
+
The purpose of the dataTbsHash value is to bind the certificate to the document being signed in order to prevent re-use of the signing key for multiple signed documents. This enforces the contract that the signing key is used only once for creation of one signature only. Validators SHOULD verify that the signed document matches the certificate’s binding information.
204
201
This verification is not required for the signature to validate successfully but provides an additional safeguard against misuse or substitution of certificates.
205
202
206
203
This document defines a set of bindingType identifiers. Additional bindingType identifiers MAY be defined by future specifications.
@@ -297,12 +294,71 @@ This exclusion avoids circular dependencies where certificate data may appear in
297
294
298
295
# Security Considerations
299
296
300
-
TODO Security Considerations. Including text on reliance on certificates without revocation.
297
+
## Certificates Without Revocation
298
+
299
+
Certificates conforming to this profile include the id-ce-noRevAvail extension and therefore do not provide any revocation mechanism. Such certificates attest only to the state of trust and correctness of procedures at the time of issuance.
300
+
301
+
The Security considerations in {{RFC9608}} also applies to this document.
302
+
303
+
## Signed Document Binding
304
+
305
+
The signedDocumentBinding extension binds the certificate to specific signed content by including a hash of the data to be signed. Verification of this binding is not required for successful cryptographic validation of the signature. A signature can therefore validate correctly even if the binding is not checked.
306
+
307
+
However, a relying party SHOULD verify that the signed content matches the dataTbsHash value in the signedDocumentBinding extension. Performing this check ensures that the certificate is used only with the content for which it was issued and enforces the intended scope of the certificate.
308
+
309
+
The security model of this profile states that the associated private key is generated for, and used in, exactly one signing operation and is then destroyed. This property holds independently of whether the binding is verified by the relying party. Nevertheless, failure to verify the binding weakens the protections provided by this profile and increases the risk of certificate substitution or unintended certificate reuse.
310
+
311
+
When verified, the signedDocumentBinding extension provides an additional safeguard against the use of the certificate for any signature other than the one for which it was issued.
301
312
302
313
# IANA Considerations
303
314
304
-
TBD IANA registry for bindingType identifiers
315
+
## Registry for signedDocumentBinding bindingType Identifiers
316
+
317
+
IANA is requested to create a new registry entitled: “Signed Document Binding Type Identifiers”
318
+
319
+
This registry shall contain identifiers used in the bindingType field of the signedDocumentBinding certificate extension defined in this document.
320
+
321
+
### Registry Contents
322
+
323
+
Each registry entry shall contain the following fields:
324
+
325
+
- Identifier: A UTF-8 string identifying the binding type.
326
+
- Description: A brief description of how the dataTbsHash value is computed.
327
+
- Reference: A reference to the document that defines the binding type.
328
+
329
+
### Registration Policy
330
+
331
+
The registration policy for this registry is Specification Required as defined in {{RFC8174}}.
332
+
333
+
The designated expert(s) SHALL ensure that:
334
+
335
+
- The binding type definition clearly specifies a deterministic and unambiguous procedure for computing the dataTbsHash value.
336
+
- The specification explains how circular dependencies with certificate inclusion are avoided, where applicable.
337
+
- The identifier is unique within the registry.
338
+
339
+
### Initial Registry Contents
340
+
341
+
IANA is requested to populate the registry with the following initial values:
342
+
343
+
- Identifier: (absent)
344
+
- Description: Default binding as defined in this document
0 commit comments