Browse Prior Art Database

The NSA (No Secrecy Afforded) Certificate Extension (RFC7169) Disclosure Number: IPCOM000236003D
Original Publication Date: 2014-Apr-01
Included in the Prior Art Database: 2014-Apr-02
Document File: 6 page(s) / 6K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Turner: AUTHOR


Just because the private key has been shared does not mean that the private key holder wants to conceal the fact they have shared their private key with a third party. Overtly indicating that the private key may be or has been shared with a third party is the best way to indicate to relying parties that this sharing has occurred. Knowledge is power, after all. Extensions for certificates [RFC5280] offer an excellent mechanism to indicate that the entities key(s) have been shared, and this document specifies one such certificate extension for use by entities that have shared their private key: the NSA (No Secrecy Afforded) certificate extension.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 50% of the total text.

Independent Submission                                         S. Turner Request for Comments: 7169                                    IECA, Inc. Category: Informational                                     1 April 2014 ISSN: 2070-1721

           The NSA (No Secrecy Afforded) Certificate Extension


   This document defines the NSA (No Secrecy Afforded) certificate    extension appropriate for use in certain PKIX (X.509 Pubic Key    Certificates) digital certificates.  Historically, clients and    servers strived to maintain the privacy of their keys; however, the    secrecy of their private keys cannot always be maintained.  In    certain circumstances, a client or a server might feel that they will    be compelled in the future to share their keys with a third party.    Some clients and servers also have been compelled to share their keys    and wish to indicate to relying parties upon certificate renewal that    their keys have in fact been shared with a third party.

Status of This Memo

   This document is not an Internet Standards Track specification; it is    published for informational purposes.

   This is a contribution to the RFC Series, independently of any other    RFC stream.  The RFC Editor has chosen to publish this document at    its discretion and makes no statement about its value for    implementation or deployment.  Documents approved for publication by    the RFC Editor are not a candidate for any level of Internet    Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,    and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the    document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal    Provisions Relating to IETF Documents    ( in effect on the date of    publication of this document.  Please review these documents    carefully, as they describe your rights and restrictions with respect    to this document.

Turner                        Informational                     [Page 1]
 RFC 7169              The NSA Certificate Extension         1 April 2014

 1.  Introduction

   Insecurity abounds when clients and servers are unable to keep their    private keys private.  Situations exist nonetheless where client and    servers have shared their private keys with a third party.  An    example of over-sharing might be lawful intercept.

   Just because the private key has been shared does not mean that the    private key holder wants to conceal the fact they have shared their ...