| < draft-housley-lamps-crmf-update-algs-00.txt | draft-housley-lamps-crmf-update-algs-01.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Network Working Group R. Housley | |||
| Internet-Draft Vigil Security | Internet-Draft Vigil Security | |||
| Updates: 4211 (if approved) 23 October 2020 | Updates: 4211 (if approved) 31 October 2020 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 26 April 2021 | Expires: 4 May 2021 | |||
| Algorithm Requirements Update to the Internet X.509 Public Key | Algorithm Requirements Update to the Internet X.509 Public Key | |||
| Infrastructure Certificate Request Message Format (CRMF) | Infrastructure Certificate Request Message Format (CRMF) | |||
| draft-housley-lamps-crmf-update-algs-00 | draft-housley-lamps-crmf-update-algs-01 | |||
| Abstract | Abstract | |||
| This document updates the cryptographic algorithm requirements for | This document updates the cryptographic algorithm requirements for | |||
| the Password-Based Message Authentication Code in the Internet X.509 | the Password-Based Message Authentication Code in the Internet X.509 | |||
| Public Key Infrastructure Certificate Request Message Format (CRMF) | Public Key Infrastructure Certificate Request Message Format (CRMF) | |||
| specified in RFC 4211. | specified in RFC 4211. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 26 April 2021. | This Internet-Draft will expire on 4 May 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 3, line 24 ¶ | skipping to change at page 3, line 24 ¶ | |||
| mac identifies the algorithm and associated parameters of the MAC | mac identifies the algorithm and associated parameters of the MAC | |||
| function to be used. All implementations MUST support HMAC-SHA1 | function to be used. All implementations MUST support HMAC-SHA1 | |||
| [HMAC]. All implementations SHOULD support DES-MAC and Triple- | [HMAC]. All implementations SHOULD support DES-MAC and Triple- | |||
| DES-MAC [PKCS11]. | DES-MAC [PKCS11]. | |||
| NEW: | NEW: | |||
| mac identifies the algorithm and associated parameters of the MAC | mac identifies the algorithm and associated parameters of the MAC | |||
| function to be used. All implementations MUST support HMAC-SHA256 | function to be used. All implementations MUST support HMAC-SHA256 | |||
| [HMAC]. All implementations SHOULD support AES-CMAC [CMAC] with a | [HMAC]. All implementations SHOULD support AES-GMAC [GMAC] with a | |||
| 128 bit key. | 128 bit key. | |||
| {{{ Note: Has an OID already been assigned for AES-GMAC? If not, we | ||||
| will need to do that too. }}} | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document makes no requests of the IANA. | This document makes no requests of the IANA. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| Cryptographic algorithms age; they become weaker with time. As new | Cryptographic algorithms age; they become weaker with time. As new | |||
| cryptanalysis techniques are developed and computing capabilities | cryptanalysis techniques are developed and computing capabilities | |||
| improve, the work required to break a particular cryptographic | improve, the work required to break a particular cryptographic | |||
| algorithm will reduce, making an attack on the algorithm more | algorithm will reduce, making an attack on the algorithm more | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 9 ¶ | |||
| password and the MAC key. Compromise of either the password or the | password and the MAC key. Compromise of either the password or the | |||
| MAC key may result in the ability of an attacker to undermine | MAC key may result in the ability of an attacker to undermine | |||
| authentication. | authentication. | |||
| 6. Normative References | 6. Normative References | |||
| [AES] National Institute of Standards and Technology (NIST), | [AES] National Institute of Standards and Technology (NIST), | |||
| "Advanced Encryption Standard (AES)", FIPS | "Advanced Encryption Standard (AES)", FIPS | |||
| Publication 197, November 2001. | Publication 197, November 2001. | |||
| [CMAC] M., D., "Recommendation for Block Cipher Modes of | [GMAC] M., D., "Recommendation for Block Cipher Modes of | |||
| Operation: The CMAC Mode for Authentication", NIST Special | Operation: Galois/Counter Mode (GCM) and GMAC", NIST | |||
| Publication 800-38B, May 2005. | Special Publication 800-38D, November 2007. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||
| Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||
| DOI 10.17487/RFC4211, September 2005, | DOI 10.17487/RFC4211, September 2005, | |||
| <https://www.rfc-editor.org/info/rfc4211>. | <https://www.rfc-editor.org/info/rfc4211>. | |||
| End of changes. 7 change blocks. | ||||
| 8 lines changed or deleted | 11 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||