| < draft-ietf-kitten-pkinit-alg-agility-01.txt | draft-ietf-kitten-pkinit-alg-agility-02.txt > | |||
|---|---|---|---|---|
| Kitten Working Group L. Hornquist Astrand | Kitten Working Group L. Hornquist Astrand | |||
| Internet-Draft Apple, Inc | Internet-Draft Apple, Inc | |||
| Updates: 4556 (if approved) L. Zhu | Updates: 4556 (if approved) L. Zhu | |||
| Intended status: Standards Track Microsoft Corporation | Intended status: Standards Track Microsoft Corporation | |||
| Expires: October 1, 2017 M. Wasserman | Expires: February 27, 2019 M. Wasserman | |||
| Painless Security | Painless Security | |||
| B. Kaduk, Ed. | B. Kaduk, Ed. | |||
| Akamai Technologies | Akamai Technologies | |||
| March 30, 2017 | August 26, 2018 | |||
| PKINIT Algorithm Agility | PKINIT Algorithm Agility | |||
| draft-ietf-kitten-pkinit-alg-agility-01.txt | draft-ietf-kitten-pkinit-alg-agility-02 | |||
| Abstract | Abstract | |||
| This document updates PKINIT, as defined in RFC 4556, to remove | This document updates PKINIT, as defined in RFC 4556, to remove | |||
| protocol structures tied to specific cryptographic algorithms. The | protocol structures tied to specific cryptographic algorithms. The | |||
| PKINIT key derivation function is made negotiable, the digest | PKINIT key derivation function is made negotiable, the digest | |||
| algorithms for signing the pre-authentication data and the client's | algorithms for signing the pre-authentication data and the client's | |||
| X.509 certificates are made discoverable. | X.509 certificates are made discoverable. | |||
| These changes provide preemptive protection against vulnerabilities | These changes provide preemptive protection against vulnerabilities | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| algorithm, and allow incremental deployment of newer algorithms. | algorithm, and allow incremental deployment of newer algorithms. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 1, 2017. | This Internet-Draft will expire on February 27, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF | |||
| Contributions published or made publicly available before November | Contributions published or made publicly available before November | |||
| 10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this | |||
| skipping to change at page 13, line 45 ¶ | skipping to change at page 13, line 45 ¶ | |||
| TD-CMS-DIGEST-ALGORITHMS 111 [ALG-AGILITY] | TD-CMS-DIGEST-ALGORITHMS 111 [ALG-AGILITY] | |||
| TD-CERT-DIGEST-ALGORITHMS 112 [ALG-AGILITY] | TD-CERT-DIGEST-ALGORITHMS 112 [ALG-AGILITY] | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | |||
| Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February | Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February | |||
| 2005, <http://www.rfc-editor.org/info/rfc3961>. | 2005, <https://www.rfc-editor.org/info/rfc3961>. | |||
| [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | |||
| Kerberos Network Authentication Service (V5)", RFC 4120, | Kerberos Network Authentication Service (V5)", RFC 4120, | |||
| DOI 10.17487/RFC4120, July 2005, | DOI 10.17487/RFC4120, July 2005, | |||
| <http://www.rfc-editor.org/info/rfc4120>. | <https://www.rfc-editor.org/info/rfc4120>. | |||
| [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial | [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial | |||
| Authentication in Kerberos (PKINIT)", RFC 4556, | Authentication in Kerberos (PKINIT)", RFC 4556, | |||
| DOI 10.17487/RFC4556, June 2006, | DOI 10.17487/RFC4556, June 2006, | |||
| <http://www.rfc-editor.org/info/rfc4556>. | <https://www.rfc-editor.org/info/rfc4556>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <http://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
| <http://www.rfc-editor.org/info/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | |||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | (SHA and SHA-based HMAC and HKDF)", RFC 6234, | |||
| DOI 10.17487/RFC6234, May 2011, | DOI 10.17487/RFC6234, May 2011, | |||
| <http://www.rfc-editor.org/info/rfc6234>. | <https://www.rfc-editor.org/info/rfc6234>. | |||
| [SP80056A] | [SP80056A] | |||
| Barker, E., Don, D., and M. Smid, "Recommendation for | Barker, E., Don, D., and M. Smid, "Recommendation for | |||
| Pair-Wise Key Establishment Schemes Using Discrete | Pair-Wise Key Establishment Schemes Using Discrete | |||
| Logarithm Cryptography", March 2006. | Logarithm Cryptography", March 2006. | |||
| [X680] ITU, "ITU-T Recommendation X.680 (2002) | ISO/IEC | [X680] ITU, "ITU-T Recommendation X.680 (2002) | ISO/IEC | |||
| 8824-1:2002, Information technology - Abstract Syntax | 8824-1:2002, Information technology - Abstract Syntax | |||
| Notation One (ASN.1): Specification of basic notation", | Notation One (ASN.1): Specification of basic notation", | |||
| November 2008. | November 2008. | |||
| skipping to change at page 15, line 9 ¶ | skipping to change at page 15, line 9 ¶ | |||
| [X690] ITU, "ITU-T Recommendation X.690 (2002) | ISO/IEC | [X690] ITU, "ITU-T Recommendation X.690 (2002) | ISO/IEC | |||
| 8825-1:2002, Information technology - ASN.1 encoding | 8825-1:2002, Information technology - ASN.1 encoding | |||
| Rules: Specification of Basic Encoding Rules (BER), | Rules: Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished Encoding | Canonical Encoding Rules (CER) and Distinguished Encoding | |||
| Rules (DER)", November 2008. | Rules (DER)", November 2008. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
| DOI 10.17487/RFC1321, April 1992, | DOI 10.17487/RFC1321, April 1992, | |||
| <http://www.rfc-editor.org/info/rfc1321>. | <https://www.rfc-editor.org/info/rfc1321>. | |||
| [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For | [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For | |||
| Public Keys Used For Exchanging Symmetric Keys", BCP 86, | Public Keys Used For Exchanging Symmetric Keys", BCP 86, | |||
| RFC 3766, DOI 10.17487/RFC3766, April 2004, | RFC 3766, DOI 10.17487/RFC3766, April 2004, | |||
| <http://www.rfc-editor.org/info/rfc3766>. | <https://www.rfc-editor.org/info/rfc3766>. | |||
| [RFC6150] Turner, S. and L. Chen, "MD4 to Historic Status", | [RFC6150] Turner, S. and L. Chen, "MD4 to Historic Status", | |||
| RFC 6150, DOI 10.17487/RFC6150, March 2011, | RFC 6150, DOI 10.17487/RFC6150, March 2011, | |||
| <http://www.rfc-editor.org/info/rfc6150>. | <https://www.rfc-editor.org/info/rfc6150>. | |||
| [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | |||
| Considerations for the SHA-0 and SHA-1 Message-Digest | Considerations for the SHA-0 and SHA-1 Message-Digest | |||
| Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | |||
| <http://www.rfc-editor.org/info/rfc6194>. | <https://www.rfc-editor.org/info/rfc6194>. | |||
| [WANG04] Wang, X., Lai, X., Fheg, D., Chen, H., and X. Yu, | [WANG04] Wang, X., Lai, X., Fheg, D., Chen, H., and X. Yu, | |||
| "Cryptanalysis of Hash functions MD4 and RIPEMD", August | "Cryptanalysis of Hash functions MD4 and RIPEMD", August | |||
| 2004. | 2004. | |||
| [X9.42] ANSI, "Public Key Cryptography for the Financial Services | [X9.42] ANSI, "Public Key Cryptography for the Financial Services | |||
| Industry: Agreement of Symmetric Keys Using Discrete | Industry: Agreement of Symmetric Keys Using Discrete | |||
| Logarithm Cryptography", 2003. | Logarithm Cryptography", 2003. | |||
| Appendix A. PKINIT ASN.1 Module | Appendix A. PKINIT ASN.1 Module | |||
| End of changes. 18 change blocks. | ||||
| 18 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||