| < draft-ietf-lamps-documentsigning-eku-00.txt | draft-ietf-lamps-documentsigning-eku-01.txt > | |||
|---|---|---|---|---|
| LAMPS Working Group T. Ito | LAMPS Working Group T. Ito | |||
| Internet-Draft SECOM CO., LTD. | Internet-Draft SECOM CO., LTD. | |||
| Intended status: Standards Track T. Okubo | Intended status: Standards Track T. Okubo | |||
| Expires: 17 July 2022 DigiCert, Inc. | Expires: 3 September 2022 DigiCert, Inc. | |||
| S. Turner | S. Turner | |||
| sn3rd | sn3rd | |||
| 13 January 2022 | 2 March 2022 | |||
| General Purpose Extended Key Usage (EKU) for Document Signing X.509 | General Purpose Extended Key Usage (EKU) for Document Signing X.509 | |||
| Certificates | Certificates | |||
| draft-ietf-lamps-documentsigning-eku-00 | draft-ietf-lamps-documentsigning-eku-01 | |||
| Abstract | Abstract | |||
| [RFC5280] specifies several extended key usages for X.509 | RFC 5280 specifies several extended key usages for X.509 | |||
| certificates. This document defines a general purpose document | certificates. This document defines a general purpose document | |||
| signing extended key usage for X.509 public key certificates which | signing extended key usage for X.509 public key certificates which | |||
| restricts the usage of the certificates for document signing. | restricts the usage of the certificates for document signing. | |||
| About This Document | About This Document | |||
| This note is to be removed before publishing as an RFC. | This note is to be removed before publishing as an RFC. | |||
| Status information for this document may be found at | Status information for this document may be found at | |||
| https://datatracker.ietf.org/doc/draft-ietf-lamps-documentsigning- | https://datatracker.ietf.org/doc/draft-ietf-lamps-documentsigning- | |||
| skipping to change at page 2, line 10 ¶ | skipping to change at page 2, line 10 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 17 July 2022. | This Internet-Draft will expire on 3 September 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 36 ¶ | skipping to change at page 2, line 36 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | |||
| 3. Extended Key usage for DocumentSigning . . . . . . . . . . . 3 | 3. Extended Key usage for DocumentSigning . . . . . . . . . . . 3 | |||
| 3.1. Extended Key Usage Values for Document Signing . . . . . 4 | 3.1. Extended Key Usage Values for Document Signing . . . . . 4 | |||
| 4. Using the Document Signing EKU in a Certificate . . . . . . . 4 | 4. Using the Document Signing EKU in a Certificate . . . . . . . 4 | |||
| 5. Implications for a Certification Authority . . . . . . . . . 5 | 5. Implications for a Certification Authority . . . . . . . . . 5 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | ||||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | ||||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 7 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 7 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC5280] specifies several extended key usages for X.509 | [RFC5280] specifies several extended key usages for X.509 | |||
| certificates. In addition, several extended key usage had been | certificates. In addition, several extended key usage had been added | |||
| added[RFC7299] as public OID under the IANA repository. While usage | [RFC7299] as public Object Identifier (OID) under the IANA | |||
| of any extended key usage is bad practice for publicly trusted | repository. While usage of any extended key usage is bad practice | |||
| certificates, there are no public and general extended key usage | for publicly trusted certificates, there are no public and general | |||
| explicitly assigned for Document Signing certificates. The current | extended key usage explicitly assigned for Document Signing | |||
| practice is to use id-kp-emailProtection, id-kp-codeSigning or vendor | certificates. The current practice is to use id-kp-emailProtection, | |||
| defined Object ID for general document signing purposes. | id-kp-codeSigning or vendor defined OID for general document signing | |||
| purposes. | ||||
| In circumstances where code signing and S/MIME certificates are also | In circumstances where code signing and S/MIME certificates are also | |||
| widely used for document signing, the technical or policy changes | widely used for document signing, the technical or policy changes | |||
| that are made to code signing and S/MIME certificates may cause | that are made to code signing and S/MIME certificates may cause | |||
| unexpected behaviors or have an adverse impact such as decreased | unexpected behaviors or have an adverse impact such as decreased | |||
| cryptographic agility on the document signing ecosystem and vice | cryptographic agility on the document signing ecosystem and vice | |||
| versa. | versa. | |||
| There is no issue if the vendor defined OIDs are used in a PKI (or a | There is no issue if the vendor defined OIDs are used in a PKI (or a | |||
| trust program) governed by the vendor. However, if the OID is used | trust program) governed by the vendor. However, if the OID is used | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 27 ¶ | |||
| they might want to ask that vendor about use of the certificate, | they might want to ask that vendor about use of the certificate, | |||
| however, the vendor may not know about the particular use. - If the | however, the vendor may not know about the particular use. - If the | |||
| issuance of the cert is not under the control of the OID owner, there | issuance of the cert is not under the control of the OID owner, there | |||
| is no way for the OID owner to know what the impact will be if any | is no way for the OID owner to know what the impact will be if any | |||
| change is made to the OID in question, and it would restrict vendor's | change is made to the OID in question, and it would restrict vendor's | |||
| choice of OID management. etc.). | choice of OID management. etc.). | |||
| Therefore, it is not favorable to use a vendor defined EKU for | Therefore, it is not favorable to use a vendor defined EKU for | |||
| signing a document that is not governed by the vendor. | signing a document that is not governed by the vendor. | |||
| This document defines a general Document Signing extended key usage. | This document defines a general Document Signing extended key purpose | |||
| identifier. | ||||
| 2. Conventions and Definitions | 2. Conventions and Definitions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Extended Key usage for DocumentSigning | 3. Extended Key usage for DocumentSigning | |||
| skipping to change at page 4, line 16 ¶ | skipping to change at page 4, line 16 ¶ | |||
| [RFC5280] specifies the EKU X.509 certificate extension for use in | [RFC5280] specifies the EKU X.509 certificate extension for use in | |||
| the Internet. The extension indicates one or more purposes for which | the Internet. The extension indicates one or more purposes for which | |||
| the certified public key is valid. The EKU extension can be used in | the certified public key is valid. The EKU extension can be used in | |||
| conjunction with the key usage extension, which indicates how the | conjunction with the key usage extension, which indicates how the | |||
| public key in the certificate is used, in a more basic cryptographic | public key in the certificate is used, in a more basic cryptographic | |||
| way. | way. | |||
| The EKU extension syntax is repeated here for convenience: | The EKU extension syntax is repeated here for convenience: | |||
| ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | |||
| KeyPurposeId ::= OBJECT IDENTIFIER | ||||
| KeyPurposeId ::= OBJECT IDENTIFIER | ||||
| This specification defines the KeyPurposeId id-kp-documentSigning. | This specification defines the KeyPurposeId id-kp-documentSigning. | |||
| Inclusion of this KeyPurposeId in a certificate indicates that the | Inclusion of this KeyPurposeId in a certificate indicates that the | |||
| use of any Subject names in the certificate is restricted to use by a | use of any Subject names in the certificate is restricted to use by a | |||
| document signing service or a software (along with any usages allowed | document signing service or a software (along with any usages allowed | |||
| by other EKU values). | by other EKU values). | |||
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) 3 } | security(5) mechanisms(5) pkix(7) 3 } | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp XX } | ||||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp XX } | ||||
| 4. Using the Document Signing EKU in a Certificate | 4. Using the Document Signing EKU in a Certificate | |||
| [RFC8358] specifies the conventions for digital signatures on | [RFC8358] specifies the conventions for digital signatures on | |||
| Internet-Drafts. This is one of the intended use cases for the | Internet-Drafts. This is one of the intended use cases for the | |||
| general document signing EKU described in this document. [RFC8358] | general document signing EKU described in this document. [RFC8358] | |||
| uses CMS to digitally sign a wide array of files such as ASCII, PDF, | uses CMS to digitally sign a wide array of files such as ASCII, PDF, | |||
| EPUB, HTML etc. Currently, there are no specification regarding EKU | EPUB, HTML etc. Currently, there are no specification regarding EKU | |||
| for certificates signing those files except those which are defined | for certificates signing those files except those which are defined | |||
| by the software vendor. | by the software vendor. | |||
| The signed contents of Internet-Drafts are primarily intended to be | The signed contents of Internet-Drafts are primarily intended to be | |||
| consumed by human. To be more precise, contents are intended to be | consumed by people. To be more precise, contents are intended to be | |||
| shown to human in a printable or displayable form by means of | shown to a person in a printable or displayable form by means of | |||
| services or software, rather than processed by machines. To validate | services or software, rather than processed by machines. To validate | |||
| the digital signature which is signed to contents intended to be | the digital signature on the contents that is intended to be consumed | |||
| consumed by human, implementations MAY perform the steps below as a | by people, implementations MAY perform the steps below as a | |||
| certificate validation: | certificate validation. | |||
| The implementation MAY examine the Extended Key Usage value(s): | The implementation MAY examine the Extended Key Usage value(s): | |||
| 1. If there are no restrictions set for the relying party and the | 1. If there are no restrictions set for the relying party and the | |||
| relying party software, the certificate is acceptable. | relying party software, the certificate is acceptable. | |||
| 2. If there are restrictions set for the replying party and relying | 2. If there are restrictions set for the replying party and relying | |||
| party software, proceed as following. | party software, proceed as following. | |||
| Each Restriction on the EKUs can be "Excluded EKU" or "Permitted EKU" | Each Restriction on the EKUs can be "Excluded EKU" or "Permitted | |||
| and handled. | EKU" and handled. | |||
| The procedure is intended to permit or prohibit presence of a certain | The procedure is intended to permit or prohibit presence of a | |||
| EKU or complete absence of EKUs. It is outside the scope of this | certain EKU or complete absence of EKUs. It is outside the scope | |||
| document, but the relying party can permit or prohibit conbinations | of this document, but the relying party can permit or exclude | |||
| of EKU. A consideration on prohibiting combination of EKUs is | combinations of EKU. A consideration on prohibiting combination | |||
| described in the security consideration section of this document. | of EKUs is described in the security consideration section of | |||
| this document. | ||||
| 2.1. Excluded EKUs procedure "Excluded EKU" is an EKU which the | Excluded EKUs procedure: "Excluded EKU" is an EKU which the | |||
| relying party or the relying party software prohibits. Examples of | relying party or the relying party software prohibits. | |||
| "Excluded EKU" are, presence of anyEKU or complete absence of EKU | Examples of "Excluded EKU" are, presence of | |||
| extension on a certificate. If an EKU of the certificate meets the | anyExtendedKeyUsage or complete absence of EKU extension on a | |||
| conditions set by the "Excluded EKU" restriction, the relying party | certificate. If an EKU of the certificate meets the | |||
| or the relying party software rejects the certificate. | conditions set by the "Excluded EKU" restriction, the relying | |||
| party or the relying party software rejects the certificate. | ||||
| 2.2. Permitted EKU procedure "Permitted EKU" is an EKU which the | Permitted EKU procedure: "Permitted EKU" is an EKU which the | |||
| relying party or the relying party software accepts. Examples of | relying party or the relying party software accepts. Examples | |||
| "Permitted EKU" are, presence of this general document signing EKU | of "Permitted EKU" are, presence of this general document | |||
| and/or protocol specific document signing-type EKUs. If an EKU of | signing EKU and/or protocol specific document signing-type | |||
| the certificate meets the condition set by a "Permitted EKU" | EKUs. If an EKU of the certificate meets the condition set by | |||
| restriction, the certificate is acceptable. Otherwise, relying party | a "Permitted EKU" restriction, the certificate is acceptable. | |||
| or the relying party software rejects the certificate. | Otherwise, relying party or the relying party software rejects | |||
| the certificate. | ||||
| When a single software has capability to process various data | When a single software has capability to process various data | |||
| formats, the software may choose to make the excluded and permitted | formats, the software may choose to make the excluded and permitted | |||
| decisions separately in accordance with the format it is handling | decisions separately in accordance with the format it is handling | |||
| (e.g. text, pdf, etc). | (e.g. text, pdf, etc). | |||
| 5. Implications for a Certification Authority | 5. Implications for a Certification Authority | |||
| The procedures and practices employed by a certification authority | The procedures and practices employed by a certification authority | |||
| MUST ensure that the correct values for the EKU extension are | MUST ensure that the correct values for the EKU extension are | |||
| skipping to change at page 6, line 8 ¶ | skipping to change at page 6, line 9 ¶ | |||
| governed by a vendor specific PKI (or trust program), certificates | governed by a vendor specific PKI (or trust program), certificates | |||
| that indicate usage for document signing MAY include the id-kp- | that indicate usage for document signing MAY include the id-kp- | |||
| documentSigning EKU extension. This does not encompass the mandatory | documentSigning EKU extension. This does not encompass the mandatory | |||
| usage of the id-kp-documentSigning EKU in conjunction with the vendor | usage of the id-kp-documentSigning EKU in conjunction with the vendor | |||
| specific EKU. However, this does not restrict the CA from including | specific EKU. However, this does not restrict the CA from including | |||
| multiple EKUs related to document signing. | multiple EKUs related to document signing. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| The usage of id-kp-documentSigning EKU intends to prevent id-kp- | The usage of id-kp-documentSigning EKU intends to prevent id-kp- | |||
| emailProtection from being used for none-email purposes and id-kp- | emailProtection from being used for purposes other than email and id- | |||
| codeSigning used to sign objects other than binary codes. This EKU | kp-codeSigning used to sign objects other than binary codes. This | |||
| does not introduce new security risks but instead reduces existing | EKU does not introduce new security risks but instead reduces | |||
| security risks by providing means to separate other EKUs used for | existing security risks by providing means to separate other EKUs | |||
| communication protocols namely, TLS or S/MIME etc. in order to | used for communication protocols namely, TLS or S/MIME etc. in order | |||
| minimize the risk of cross protocol attacks. | to minimize the risk of cross protocol attacks. | |||
| To reduce the risk of specific cross protocol attacks, the relying | To reduce the risk of specific cross protocol attacks, the relying | |||
| party or relying party software may additionaly prohibit use of | party or relying party software may additionaly prohibit use of | |||
| specific combination of EKUs. | specific combination of EKUs. | |||
| While a specific protocol or signing scheme may choose to come up | While a specific protocol or signing scheme may choose to come up | |||
| with their own EKU, some may not have significant motive or resource | with their own EKU, some may not have significant motive or resource | |||
| to set up and manage thier own EKU. This general document signing | to set up and manage thier own EKU. This general document signing | |||
| EKU may be used as a stop gap for those that intend to set up their | EKU may be used as a stop gap for those that intend to set up their | |||
| own EKU or those who do not intend to set up an EKU but still would | own EKU or those who do not intend to set up an EKU but still would | |||
| skipping to change at page 6, line 39 ¶ | skipping to change at page 6, line 40 ¶ | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document requests that IANA make two assignments. One for the | This document requests that IANA make two assignments. One for the | |||
| id-kp-documentSigning object identifier (OID), as defined in | id-kp-documentSigning object identifier (OID), as defined in | |||
| Section 3.1, for the EKU from the "SMI Security for PKIX Extended Key | Section 3.1, for the EKU from the "SMI Security for PKIX Extended Key | |||
| Purpose" (1.3.6.1.5.5.7.3) registry. Another for the id-mod-docsign- | Purpose" (1.3.6.1.5.5.7.3) registry. Another for the id-mod-docsign- | |||
| eku, as defined in Appendix A, for the ASN.1 module [X.680] from the | eku, as defined in Appendix A, for the ASN.1 module [X.680] from the | |||
| in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) | in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) | |||
| registry. No further action is necessary by IANA. | registry. No further action is necessary by IANA. | |||
| 8. Normative References | 8. References | |||
| 8.1. Normative References | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/rfc/rfc2119>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/rfc/rfc5280>. | <https://www.rfc-editor.org/rfc/rfc5280>. | |||
| [RFC7299] Housley, R., "Object Identifier Registry for the PKIX | ||||
| Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, | ||||
| <https://www.rfc-editor.org/rfc/rfc7299>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | |||
| [RFC8358] Housley, R., "Update to Digital Signatures on Internet- | ||||
| Draft Documents", RFC 8358, DOI 10.17487/RFC8358, March | ||||
| 2018, <https://www.rfc-editor.org/rfc/rfc8358>. | ||||
| [X.680] ITU-T, "Information technology - Abstract Syntax Notation | [X.680] ITU-T, "Information technology - Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ISO/ | One (ASN.1): Specification of basic notation", ISO/ | |||
| IEC 8824-1:2015, November 2015. | IEC 8824-1:2015, November 2015. | |||
| 8.2. Informative References | ||||
| [RFC7299] Housley, R., "Object Identifier Registry for the PKIX | ||||
| Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, | ||||
| <https://www.rfc-editor.org/rfc/rfc7299>. | ||||
| [RFC8358] Housley, R., "Update to Digital Signatures on Internet- | ||||
| Draft Documents", RFC 8358, DOI 10.17487/RFC8358, March | ||||
| 2018, <https://www.rfc-editor.org/rfc/rfc8358>. | ||||
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
| The following ASN.1 module provides the complete definition of the | The following ASN.1 module provides the complete definition of the | |||
| Document Signing EKU. | Document Signing EKU. | |||
| DocSignEKU { iso(1) identified-organization(3) dod(6) internet(1) | DocSignEKU { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-docsign-eku(TBD1) } | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-docsign-eku(TBD1) } | ||||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| -- IMPORTS NOTHING -- | -- IMPORTS NOTHING -- | |||
| -- OID Arc -- | -- OID Arc -- | |||
| id-kp OBJECT IDENTIFIER ::= { | id-kp OBJECT IDENTIFIER ::= { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) kp(3) } | security(5) mechanisms(5) pkix(7) kp(3) } | |||
| -- Document Signing Extended Key Usage -- | -- Document Signing Extended Key Usage -- | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp TBD2 } | id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp TBD2 } | |||
| END | END | |||
| Acknowledgments | Acknowledgments | |||
| We would like to thank Russ Housley for verifying the ASN.1 module. | We would like to thank Russ Housley for verifying the ASN.1 module. | |||
| Authors' Addresses | Authors' Addresses | |||
| Tadahiko Ito | Tadahiko Ito | |||
| SECOM CO., LTD. | SECOM CO., LTD. | |||
| Email: tadahiko.ito.public@gmail.com | Email: tadahiko.ito.public@gmail.com | |||
| Tomofumi Okubo | Tomofumi Okubo | |||
| DigiCert, Inc. | DigiCert, Inc. | |||
| Email: tomofumi.okubo+ietf@gmail.com | Email: tomofumi.okubo+ietf@gmail.com | |||
| Sean Turner | Sean Turner | |||
| sn3rd | sn3rd | |||
| Email: sean@sn3rd.com | Email: sean@sn3rd.com | |||
| End of changes. 35 change blocks. | ||||
| 77 lines changed or deleted | 88 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||