| draft-ietf-curdle-cms-eddsa-signatures-02.txt | draft-ietf-curdle-cms-eddsa-signatures-03.txt |
|---|---|
| Internet-Draft R. Housley | Internet-Draft R. Housley |
| Intended status: Standards Track Vigil Security | Intended status: Standards Track Vigil Security |
| Expires: 28 May 2017 28 November 2016 | Expires: 26 July 2017 26 January 2017 |
| Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS) | Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS) |
| <draft-ietf-curdle-cms-eddsa-signatures-02.txt> | <draft-ietf-curdle-cms-eddsa-signatures-03.txt> |
| Abstract | Abstract |
| This document specifies the conventions for using Edwards-curve | This document specifies the conventions for using Edwards-curve |
| Digital Signature Algorithm (EdDSA) for Curve25519 and Curve448 in | Digital Signature Algorithm (EdDSA) for Curve25519 and Curve448 in |
| the Cryptographic Message Syntax (CMS). For each curve, EdDSA | the Cryptographic Message Syntax (CMS). For each curve, EdDSA |
| defines the PureEdDSA and HashEdDSA modes. However, the HashEdDSA | defines the PureEdDSA and HashEdDSA modes. However, the HashEdDSA |
| mode is not used with the CMS. In addition, no context string is | mode is not used with the CMS. In addition, no context string is |
| used with the CMS. | used with the CMS. |
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on 28 May 2017. | This Internet-Draft will expire on 26 July 2017. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect |
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must |
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of |
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as |
| skipping to change at page 3, line 17 | skipping to change at page 3, line 17 |
| ALGORITHM ::= CLASS { | ALGORITHM ::= CLASS { |
| &id OBJECT IDENTIFIER UNIQUE, | &id OBJECT IDENTIFIER UNIQUE, |
| &Type OPTIONAL } | &Type OPTIONAL } |
| WITH SYNTAX { | WITH SYNTAX { |
| OID &id [PARMS &Type] } | OID &id [PARMS &Type] } |
| 2.2. EdDSA Algorithm Identifiers | 2.2. EdDSA Algorithm Identifiers |
| The EdDSA signature algorithm is defined in [EDDSA], and the | The EdDSA signature algorithm is defined in [EDDSA], and the |
| conventions for encoding the public key are defined in | conventions for encoding the public key are defined in |
| [ID.curdle-pkix]. | [CURDLE-PKIX]. |
| The id-Ed25519 and id-Ed448 object identifiers are used to identify | The id-Ed25519 and id-Ed448 object identifiers are used to identify |
| EdDSA public keys in certificates. The object identifiers are | EdDSA public keys in certificates. The object identifiers are |
| specified in [ID.curdle-pkix], and they are repeated here for | specified in [CURDLE-PKIX], and they are repeated here for |
| convenience: | convenience: |
| sigAlg-Ed25519 ALGORITHM ::= { OID id-Ed25519 } | sigAlg-Ed25519 ALGORITHM ::= { OID id-Ed25519 } |
| sigAlg-Ed448 ALGORITHM ::= { OID id-Ed448 } | sigAlg-Ed448 ALGORITHM ::= { OID id-Ed448 } |
| id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } | id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 } |
| id-Ed448 OBJECT IDENTIFIER ::= { 1 3 101 113 } | id-Ed448 OBJECT IDENTIFIER ::= { 1 3 101 113 } |
| skipping to change at page 4, line 13 | skipping to change at page 4, line 13 |
| PARMS ShakeOutputLen } | PARMS ShakeOutputLen } |
| hashalgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | hashalgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) |
| country(16) us(840) organization(1) | country(16) us(840) organization(1) |
| gov(101) csor(3) nistalgorithm(4) 2 } | gov(101) csor(3) nistalgorithm(4) 2 } |
| id-sha512 OBJECT IDENTIFIER ::= { hashAlgs 3 } | id-sha512 OBJECT IDENTIFIER ::= { hashAlgs 3 } |
| id-shake256 OBJECT IDENTIFIER ::= { hashAlgs 12 } | id-shake256 OBJECT IDENTIFIER ::= { hashAlgs 12 } |
| id-shake256-len OBJECT IDENTIFIER ::= { hashAlgs 13 } | id-shake256-len OBJECT IDENTIFIER ::= { hashAlgs 18 } |
| ShakeOutputLen ::= INTEGER -- Output length in bits | ShakeOutputLen ::= INTEGER -- Output length in bits |
| When using the id-sha512 or id-shake256 algorithm identifier, the | When using the id-sha512 or id-shake256 algorithm identifier, the |
| parameters MUST be absent. | parameters MUST be absent. |
| When using the id-shake256-len algorithm identifier, the parameters | When using the id-shake256-len algorithm identifier, the parameters |
| MUST be present, and the parameter MUST contain 512, encoded as a | MUST be present, and the parameter MUST contain 512, encoded as a |
| positive integer value. | positive integer value. |
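Review bot: the arc for id-shake256-len moves from { hashAlgs 13 } to { hashAlgs 18 } in -03 with no accompanying change note, so an implementer who encoded the id-shake256-len algorithm identifier from -02 will produce an OID that a -03 implementation does not recognize; a one-line note in the change log of this revision would make that visible. In the same block, the value is defined as "hashalgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ..." but referenced as "{ hashAlgs 3 }", "{ hashAlgs 12 }" and "{ hashAlgs 18 }"; ASN.1 value references are case-sensitive, so the definition and the three references need the same spelling (hashAlgs, matching the references, is the smaller edit).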
| skipping to change at page 7, line 5 | skipping to change at page 7, line 5 |
| Using the same private key for different algorithms has the potential | Using the same private key for different algorithms has the potential |
| of allowing an attacker to get extra information about the private | of allowing an attacker to get extra information about the private |
| key. For this reason, the same private key SHOULD NOT be used with | key. For this reason, the same private key SHOULD NOT be used with |
| more than one EdDSA set of parameters. For example, do not use the | more than one EdDSA set of parameters. For example, do not use the |
| same private key with PureEdDSA and HashEdDSA. | same private key with PureEdDSA and HashEdDSA. |
| When computing signatures, the same hash function should be used for | When computing signatures, the same hash function should be used for |
| all operations. This reduces the number of failure points in the | all operations. This reduces the number of failure points in the |
| signature process. | signature process. |
| 6. Normative References | 6. Acknowledgements |
| | Many thanks to Jim Schaad for the careful review and comment on the |
| | draft document. Thanks to Quynh Dang with the object identifiers |
| | that were assigned by NIST. |
| | 7. Normative References |
| [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", | [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", |
| RFC 5652, September 2009. | RFC 5652, September 2009. |
| | [CURDLE-PKIX] |
| | Josefsson, S., and J. Schaad, "Algorithm Identifiers for |
| | Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for |
| | use in the Internet X.509 Public Key Infrastructure", |
| | draft-ietf-curdle-pkix-02, 31 October 2016, |
| | Work-in-progress. |
| [EDDSA] Josefsson, S. and I. Liusvaara, "Edwards-curve Digital | [EDDSA] Josefsson, S. and I. Liusvaara, "Edwards-curve Digital |
| Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-08, | Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-08, |
| 19 August 2016, Work-in-progress. | 19 August 2016, Work-in-progress. |
| [FIPS202] National Institute of Standards and Technology, U.S. | [FIPS202] National Institute of Standards and Technology, U.S. |
| Department of Commerce, "SHA-3 Standard: Permutation-Based | Department of Commerce, "SHA-3 Standard: Permutation-Based |
| Hash and Extendable-Output Functions", FIPS 202, | Hash and Extendable-Output Functions", FIPS 202, |
| August 2015. | August 2015. |
| [ID.curdle-pkix] | |
| Josefsson, S., and J. Schaad, "Algorithm Identifiers for | |
| Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for | |
| use in the Internet X.509 Public Key Infrastructure", | |
| draft-ietf-curdle-pkix-02, 31 October 2016, | |
| Work-in-progress. | |
| [RFC4634] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | [RFC4634] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms |
| (SHA and HMAC-SHA)", RFC 4634, July 2006. | (SHA and HMAC-SHA)", RFC 4634, July 2006. |
| [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate | [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate |
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [X680] ITU-T, "Information technology -- Abstract Syntax Notation | [X680] ITU-T, "Information technology -- Abstract Syntax Notation |
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T |
| Recommendation X.680, 2015. | Recommendation X.680, 2015. |
| [X690] ITU-T, "Information technology -- ASN.1 encoding rules: | [X690] ITU-T, "Information technology -- ASN.1 encoding rules: |
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical |
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules |
| (DER)", ITU-T Recommendation X.690, 2015. | (DER)", ITU-T Recommendation X.690, 2015. |
| 7. Informative References | 8. Informative References |
| [RANDOM] Eastlake, D., Schiller, J., and S. Crocker, "Randomness | [RANDOM] Eastlake, D., Schiller, J., and S. Crocker, "Randomness |
| Requirements for Security", RFC 4086, June 2005. | Requirements for Security", RFC 4086, June 2005. |
| Author Address | Author Address |
| Russ Housley | Russ Housley |
| 918 Spring Knoll Drive | 918 Spring Knoll Drive |
| Herndon, VA 20170 | Herndon, VA 20170 |
| USA | USA |
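Review bot: the new Acknowledgements text "Thanks to Quynh Dang with the object identifiers that were assigned by NIST" is missing a word; "Thanks to Quynh Dang for help with the object identifiers that were assigned by NIST" is presumably what is meant, and "careful review and comment" reads better as "careful review and comments". The reference rename from [ID.curdle-pkix] to [CURDLE-PKIX] is consistent with the two citations changed on page 3, and the moved entry keeps the normative list in alphabetical order, so no further action is needed there.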