| < draft-mavrogiannopoulos-pkcs5-passwords-01.txt | draft-mavrogiannopoulos-pkcs5-passwords-02.txt > | |||
|---|---|---|---|---|
| Network Working Group N. Mavrogiannopoulos | Network Working Group N. Mavrogiannopoulos | |||
| Internet-Draft Red Hat | Internet-Draft Red Hat | |||
| Updates: 7292,8018 (if approved) D. Woodhouse | Updates: 7292,8018 (if approved) D. Woodhouse | |||
| Intended status: Informational Amazon Web Services | Intended status: Informational Amazon Web Services | |||
| Expires: February 9, 2018 August 8, 2017 | Expires: November 8, 2018 May 7, 2018 | |||
| Internationalized passwords in Password-Based Cryptography Specification | Internationalized passwords in Password-Based Cryptography Specification | |||
| draft-mavrogiannopoulos-pkcs5-passwords-01 | draft-mavrogiannopoulos-pkcs5-passwords-02 | |||
| Abstract | Abstract | |||
| This memo clarifies the requirements of using internationalized | This memo clarifies the requirements of using internationalized | |||
| strings as passwords in Password-Based Cryptography Specification | strings as passwords in Password-Based Cryptography Specification | |||
| version 2.1 [RFC8018] (PKCS#5) and Personal Information Exchange | version 2.1 [RFC8018] (PKCS#5) and Personal Information Exchange | |||
| Syntax [RFC7292] (PKCS#12). | Syntax [RFC7292] (PKCS#12). | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 9, 2018. | This Internet-Draft will expire on November 8, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 3, line 10 ¶ | skipping to change at page 3, line 10 ¶ | |||
| conforming to this document MAY allow empty (zero-length) passwords, | conforming to this document MAY allow empty (zero-length) passwords, | |||
| when they are not they result of the [RFC7613] processing. That is, | when they are not they result of the [RFC7613] processing. That is, | |||
| an empty string generated from any non-empty internationalized input | an empty string generated from any non-empty internationalized input | |||
| MUST NOT be used. | MUST NOT be used. | |||
| 4. Passwords in PKCS#12 | 4. Passwords in PKCS#12 | |||
| The PKCS#12 document [RFC7292] defines the use of BMPString passwords | The PKCS#12 document [RFC7292] defines the use of BMPString passwords | |||
| (a subset of UTF-16), for its defined encryption methods. This | (a subset of UTF-16), for its defined encryption methods. This | |||
| document does not add any further restrictions to the input passwords | document does not add any further restrictions to the input passwords | |||
| of these methods, however it is RECOMMENDED to use of (big-endian) | of these methods, however it is RECOMMENDED to use (big-endian) | |||
| UTF-16 NFC form [NFC] for encoding the password. | UTF-16 NFC form [NFC] when encoding the password. | |||
| Furthermore, when the PKCS#12 container files are combined with | Furthermore, when the PKCS#12 container files are combined with | |||
| methods from PKCS#5 [RFC8018], e.g., AES-CBC-Pad, the passwords | methods from PKCS#5 [RFC8018], e.g., AES-CBC-Pad, the passwords | |||
| SHOULD be adhering to the recommendations in Section 3. In that | SHOULD be adhering to the recommendations in Section 3. In that | |||
| case, since typically the passwords of the MacData field and the | case, since typically the passwords of the MacData field and the | |||
| encrypted data match, applications which restricted the MacData | encrypted data match, applications which restricted the MacData | |||
| password to BMPString set, SHOULD fail when the input password cannot | password to BMPString set, SHOULD fail when the input password cannot | |||
| be expressed in that set. | be expressed in that set. | |||
| 5. Compatibility notes | 5. Compatibility notes | |||
| skipping to change at page 4, line 46 ¶ | skipping to change at page 4, line 46 ¶ | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| None. | None. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
| <http://www.rfc-editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
| [RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, | [RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, | |||
| Enforcement, and Comparison of Internationalized Strings | Enforcement, and Comparison of Internationalized Strings | |||
| Representing Usernames and Passwords", RFC 7613, | Representing Usernames and Passwords", RFC 7613, | |||
| DOI 10.17487/RFC7613, August 2015, | DOI 10.17487/RFC7613, August 2015, <https://www.rfc- | |||
| <http://www.rfc-editor.org/info/rfc7613>. | editor.org/info/rfc7613>. | |||
| [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: | [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: | |||
| Password-Based Cryptography Specification Version 2.1", | Password-Based Cryptography Specification Version 2.1", | |||
| RFC 8018, DOI 10.17487/RFC8018, January 2017, | RFC 8018, DOI 10.17487/RFC8018, January 2017, | |||
| <http://www.rfc-editor.org/info/rfc8018>. | <https://www.rfc-editor.org/info/rfc8018>. | |||
| [RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A., | [RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A., | |||
| and M. Scott, "PKCS #12: Personal Information Exchange | and M. Scott, "PKCS #12: Personal Information Exchange | |||
| Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014, | Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014, | |||
| <http://www.rfc-editor.org/info/rfc7292>. | <https://www.rfc-editor.org/info/rfc7292>. | |||
| [NFC] Davis, M. and M. Duerst, "Unicode Standard Annex #15: | [NFC] Davis, M. and M. Duerst, "Unicode Standard Annex #15: | |||
| Unicode Normalization Forms r.44", Unicode , February | Unicode Normalization Forms r.44", Unicode , February | |||
| 2016. | 2016. | |||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
| 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | |||
| 2003, <http://www.rfc-editor.org/info/rfc3629>. | 2003, <https://www.rfc-editor.org/info/rfc3629>. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| The compatibility notes section is based on David Woodhouse's | The authors would like to thank Russ Housley for his comments on this | |||
| compatibility notes on certificate best practices. | document. | |||
| Authors' Addresses | Authors' Addresses | |||
| Nikos Mavrogiannopoulos | Nikos Mavrogiannopoulos | |||
| Red Hat, Inc. | Red Hat, Inc. | |||
| Brno | Brno | |||
| Czech Republic | Czech Republic | |||
| Email: nmav@redhat.com | Email: nmav@redhat.com | |||
| End of changes. 11 change blocks. | ||||
| 15 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||