]>
Using EdDSA in the Internet X.509 Public Key Infrastructure
SJD ABsimon@josefsson.orgRed Hat, Inc.nmav@redhat.comElliptic Curve Cryptography, EdDSA, Ed25519, Curve25519,
X.509, PKIX, PKI, OID, ASN.1This document specify algorithm identifiers and ASN.1
encoding formats for EdDSA digital signatures and subject public
keys used in the Internet X.509 Public Key Infrastructure (PKIX)
for Certificates and CRLs. Parameters for Ed25519 are
defined.In , an elliptic curve signature
system EdDSA was introduced, and a recommended choice of curve
Ed25519 is chosen. EdDSA and Ed25519 was designed with
performance and security in mind. Specification, test vectors
and a sample implementation is available in .This RFC defines ASN.1 object identifiers for EdDSA for use
in the Internet X.509 PKI, and
parameters for Ed25519. This document serves a similar role as
does for RSA (and more), for RSA-OAEP/PSS, and for SHA2-based (EC)DSA.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in .In the X.509 certificate, the subjectPublicKeyInfo field has
the SubjectPublicKeyInfo type, which has the following ASN.1
syntax:The fields in SubjectPublicKeyInfo have the following meanings:algorithm is the algorithm identifier and parameters for
the public key (see below).subjectPublicKey is the EdDSA public key.The AlgorithmIdentifier type, which is included for
convenience, is defined as follows:The fields in AlgorithmIdentifier have the following
meanings:algorithm identifies the cryptographic algorithm with an
object identifier. This is the EdDSA OID defined below.parameters, which are optional, are the associated
parameters for the algorithm identifier in the algorithm
field.Certificates conforming to may
convey a public key for any public key algorithm. The
certificate indicates the algorithm through an algorithm
identifier. This algorithm identifier is an OID and optionally
associated parameters.This section identify the OID and parameters for the EdDSA
algorithm. Conforming CAs MUST use the identified OIDs when
issuing certificates containing EdDSA public keys. Conforming
applications supporting EdDSA MUST, at a minimum, recognize the
OID identified in this section.The id-EdDSAPublicKey OID is used for identifying EdDSA
public keys.The id-EdDSAPublicKey OID is intended to be used in the
algorithm field of a value of type AlgorithmIdentifier.EdDSA public keys use the parameter field to specify the
particular instantiation of EdDSA parameters. The parameters
field have the ASN.1 type EdDSAParameters as follows.The EdDSAParameters enumeration may be extended in the
future.The value 'ed25519' means the set of "pure" EdDSA parameters
associated with Ed25519, including internal hash function
(SHA512) and curve. The value 'sha512-ed25519' means that the
SHA512 algorithm will be used as the prehash parameter and the
hash function for the signature. For the definitions see .The raw binary EdDSA public key is encoded directly in the
subjectPublicKey BIT STRING object. Note that unlike some other
schemes, there is no additional OCTET STRING encoding step.The intended application for the key MAY be indicated in the
keyUsage certificate extension.If the keyUsage extension is present in an end-entity
certificate that conveys an EdDSA public key with the
id-EdDSAPublicKey object identifier, then the keyUsage extension
MUST contain one or both of the following values:If the keyUsage extension is present in a certification
authority certificate that conveys an EdDSA public key with the
id-EdDSAPublicKey object identifier, then the keyUsage extension
MUST contain one or more of the following values:Certificates and CRLs conforming to
may be signed with any public key signature algorithm. The
certificate or CRL indicates the algorithm through an algorithm
identifier which appears in the signatureAlgorithm field within
the Certificate or CertificateList. This algorithm identifier
is an OID and has optionally associated parameters. For
illustration the Certificate structure is reproduced here:Recall the definition of the AlgorithmIdentifier type:This document identify an AlgorithmIdentifier OID for EdDSA
signatures. No parameters are defined. The EdDSA parameters
follow from the public-key parameters.The data to be signed is prepared for EdDSA. Then, a private
key operation is performed to generate the signature value.
This value is the opaque value ENC(R) || ENC'(S) described in
section 4.3 of .
This signature value is then ASN.1 encoded as a BIT STRING and
included in the Certificate or CertificateList in the
signatureValue field.The id-EdDSASignature OID is used for identifying EdDSA
signatures.The id-EdDSASignature OID is intended to be used in the
algorithm field of a value of type AlgorithmIdentifier. The
parameters field MUST be absent. To further clarify how to
encode the parameters field, due to historical misunderstandings
in this area, it MUST NOT have an ASN.1 type NULL.For the purpose of consistent cross-implementation naming
this section establish human readable names for the algorithms
specified in this document. Implementations SHOULD use these
names when referring to the algorithms. If there is a strong
reason to deviate from these names -- for example, if the
implementation has a different naming convention and wants to
maintain internal consistency -- it is encouraged to deviate as
little as possible from the names given here. For example, if a
naming convention is to not use hyphen ("-") then instead of
"SHA512-Ed25519" the string "SHA512Ed25519" could be used.Use the string "EdDSA" when referring to a public key or
signature when the parameter set is not known or relevant.When the EdDSAParameters value is known, use a more specific
string. For the ed25519(1) value use the string "Ed25519". For
the sha512-ed25519(2) value use the string "SHA512-Ed25519".This section contains illustrations of EdDSA public keys and
certificates, illustrating parameter choices.An example of a SHA512-Ed25519 public key:An example of a PKIX certificate using SHA512-Ed25519 would
be:An example of a SHA512-Ed25519 private key:Text and/or inspiration were drawn from , , , , and .The following people discussed the document and provided
feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick
Andrews, Rob Stradling.A big thank you to Symantec for kindly donating the OIDs used
in this draft.None.The security considerations of and
apply
accordingly.A common misconception may be that a Ed25519 public key can
be used to create SHA512-Ed25519 signatures, or vice versa.
This leads to cross-key attacks, and is not permitted.
&eddsaed25519;
&rfc2119;
&rfc5280;
&rfc3279;
&rfc4055;
&rfc5480;
&rfc5639;
&rfc5758;
Ed25519: High-speed high-security signatures
EdDSA for more curves