< draft-turner-additional-new-asn-07.txt   draft-turner-additional-new-asn-08.txt >
Network Working Group J. Schaad Network Working Group J. Schaad
Internet-Draft Soaring Hawk Consulting Internet-Draft Soaring Hawk Consulting
Updates: 5911 (if approved) S. Turner Updates: 5911 (if approved) S. Turner
Intended status: Informational IECA, Inc. Intended status: Informational IECA, Inc.
Expires: August 11, 2011 February 7, 2011 Expires: September 29, 2011 March 28, 2011
Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS)
and the Public Key Infrastructure Using X.509 (PKIX) and the Public Key Infrastructure Using X.509 (PKIX)
draft-turner-additional-new-asn-07 draft-turner-additional-new-asn-08
Abstract Abstract
The Cryptographic Message Syntax (CMS) format, and many associated The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates some conform to the 1988 version of ASN.1. This document updates some
auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the
1988 ASN.1 modules remain the normative version. There are no bits- 1988 ASN.1 modules remain the normative version. There are no bits-
on-the-wire changes to any of the formats; this is simply a change to on-the-wire changes to any of the formats; this is simply a change to
the syntax. the syntax.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2011. This Internet-Draft will expire on September 29, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 6, line 11 skipping to change at page 6, line 11
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. ASN.1 Module RFC 3274 2. ASN.1 Module RFC 3274
We have updated the ASN.1 module associated with this document to be We have updated the ASN.1 module associated with this document to be
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5911]. [RFC5911].
CompressedDataContent CompressedDataContent-2010
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-compressedDataContent(54) } smime(16) modules(0) id-mod-compressedDataContent(54) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CMSVersion, EncapsulatedContentInfo, CMSVersion, EncapsulatedContentInfo,
CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax-2009 FROM CryptographicMessageSyntax-2009
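Review bot: the import closing this hunk, FROM CryptographicMessageSyntax-2009, carries no source comment, and this revision renames the draft's own CMS module to CryptographicMessageSyntax-2010, so two module names now differ only by the year. The RFC 4073 module marks the same import with "-- From CryptographicMessageSyntax-2009 [RFC5911]"; adding that comment here would make it unambiguous which module is meant.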
skipping to change at page 6, line 50 skipping to change at page 6, line 50
ContentTypes CONTENT-TYPE ::= {ct-compressedData} ContentTypes CONTENT-TYPE ::= {ct-compressedData}
-- --
-- SMimeCaps contains the set of S/MIME capabilities that -- SMimeCaps contains the set of S/MIME capabilities that
-- are associated with the algorithms defined in this -- are associated with the algorithms defined in this
-- document. -- document.
-- --
-- SMimeCaps are added to SMimeCapsSet defined in [RFC3851]. -- SMimeCaps are added to SMimeCapsSet defined in [RFC3851].
-- --
SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps} SMimeCaps SMIME-CAPS ::= {cpa-zlibCompress.&smimeCaps, ...}
-- --
-- Define the compressed data content type -- Define the compressed data content type
-- --
ct-compressedData CONTENT-TYPE ::= { ct-compressedData CONTENT-TYPE ::= {
TYPE CompressedData IDENTIFIED BY id-ct-compressedData TYPE CompressedData IDENTIFIED BY id-ct-compressedData
} }
CompressedData ::= SEQUENCE { CompressedData ::= SEQUENCE {
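Review bot: the ", ..." added to the SMimeCaps object set makes it extensible, but the comment block above it still describes the set only as the capabilities for the algorithms defined in this document. A one-line comment stating that the set is intentionally open to later additions would keep the comment in step with the definition.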
skipping to change at page 9, line 11 skipping to change at page 9, line 11
} }
END END
3. ASN.1 Module RFC 3779 3. ASN.1 Module RFC 3779
We have updated the ASN.1 module associated with RFC 3779 to be ASN.1 We have updated the ASN.1 module associated with RFC 3779 to be ASN.1
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5912]. [RFC5912].
IPAddrAndASCertExtn { iso(1) identified-organization(3) dod(6) IPAddrAndASCertExtn-2010 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) mod(0) internet(1) security(5) mechanisms(5) pkix(7) mod(0)
id-mod-ip-addr-and-as-ident-2(72) } id-mod-ip-addr-and-as-ident-2(72) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
-- PKIX specific OIDs and arcs -- -- PKIX specific OIDs and arcs --
id-pe id-pe
skipping to change at page 13, line 5 skipping to change at page 13, line 5
ASId ::= INTEGER ASId ::= INTEGER
END END
4. ASN.1 Module RFC 6019 4. ASN.1 Module RFC 6019
We have updated the ASN.1 module associated with this document to be We have updated the ASN.1 module associated with this document to be
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5911]. [RFC5911].
BinarySigningTimeModule-2009 BinarySigningTimeModule-2010
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) pkcs-9(9) smime(16) modules(0)
id-mod-binSigningTime-2009(55) } id-mod-binSigningTime-2009(55) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
-- From PKIX-CommonTypes-2009 [RFC5912] -- From PKIX-CommonTypes-2009 [RFC5912]
ATTRIBUTE ATTRIBUTE
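Review bot: the module name on the changed line becomes BinarySigningTimeModule-2010 while the label in the module identifier below it stays id-mod-binSigningTime-2009(55), so the name and the identifier now carry different years. The same split appears in the other renamed modules in this revision (id-mod-context-Collect-2009(56), id-mod-cmsAuthEnvData-2009(57), id-mod-cms-2009(58), id-mod-multipleSign-2009(59)). If the labels are deliberately left unchanged, a short comment saying so would stop readers from treating the mismatch as an oversight.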
skipping to change at page 14, line 11 skipping to change at page 14, line 11
BinarySigningTime ::= BinaryTime BinarySigningTime ::= BinaryTime
END END
5. ASN.1 Module RFC 4073 5. ASN.1 Module RFC 4073
We have updated the ASN.1 module associated with this document to be We have updated the ASN.1 module associated with this document to be
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5911]. [RFC5911].
ContentCollectionModule-2009 ContentCollectionModule-2010
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) } pkcs-9(9) smime(16) modules(0) id-mod-context-Collect-2009(56) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
-- From CryptographicMessageSyntax-2009 [RFC5911] -- From CryptographicMessageSyntax-2009 [RFC5911]
CONTENT-TYPE, ContentInfo CONTENT-TYPE, ContentInfo
FROM CryptographicMessageSyntax-2009 FROM CryptographicMessageSyntax-2009
skipping to change at page 16, line 17 skipping to change at page 16, line 17
RFC 4231 does not contain an ASN.1 module to be updated. We have RFC 4231 does not contain an ASN.1 module to be updated. We have
therefore created an ASN.1 module to represent the ASN.1 that is therefore created an ASN.1 module to represent the ASN.1 that is
present in the document. Note that the parameters are defined as present in the document. Note that the parameters are defined as
expecting a parameter for the algorithm identifiers in this module, expecting a parameter for the algorithm identifiers in this module,
this is different from most of the algorithms used in PKIX and this is different from most of the algorithms used in PKIX and
S/MIME. There is no concept of being able to truncate the MAC S/MIME. There is no concept of being able to truncate the MAC
(Message Authentication Code) value in the ASN.1 unlike the XML (Message Authentication Code) value in the ASN.1 unlike the XML
definitions. This is reflected by not having a minimum MAC length definitions. This is reflected by not having a minimum MAC length
defined in the ASN.1. defined in the ASN.1.
HMAC { iso(1) identified-organization(3) dod(6) internet(1) HMAC-2010 { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) } security(5) mechanisms(5) pkix(7) mod(0) id-mod-hmac(74) }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
MAC-ALGORITHM, SMIME-CAPS MAC-ALGORITHM, SMIME-CAPS
FROM AlgorithmInformation-2009 FROM AlgorithmInformation-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
skipping to change at page 17, line 5 skipping to change at page 17, line 5
} }
-- --
-- This object set contains all of the S/MIME capabilities that -- This object set contains all of the S/MIME capabilities that
-- have been defined for all the MAC algorithms in this module. -- have been defined for all the MAC algorithms in this module.
-- One would add this to an object set that is used to restrict -- One would add this to an object set that is used to restrict
-- smime capabilities such as the SMimeCapsSet variable in -- smime capabilities such as the SMimeCapsSet variable in
-- the S/MIME message draft -- the S/MIME message draft
-- --
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
maca-hMAC-SHA224.&amp;smimeCaps | maca-hMAC-SHA224.&smimeCaps |
maca-hMAC-SHA256.&amp;smimeCaps | maca-hMAC-SHA256.&smimeCaps |
maca-hMAC-SHA384.&amp;smimeCaps | maca-hMAC-SHA384.&smimeCaps |
maca-hMAC-SHA512.&amp;smimeCaps maca-hMAC-SHA512.&smimeCaps
} }
-- --
-- Define the base OID for the algorithm identifiers -- Define the base OID for the algorithm identifiers
-- --
rsadsi OBJECT IDENTIFIER ::= rsadsi OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549)} {iso(1) member-body(2) us(840) rsadsi(113549)}
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
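Review bot: the SMimeCaps object set in this hunk is still closed (no ", ..."), whereas this same revision makes the RFC 3274 SMimeCaps set extensible with "{cpa-zlibCompress.&smimeCaps, ...}". Either add the extension marker here as well or state why the HMAC set is meant to stay fixed, so that the two modules treat capability sets the same way.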
skipping to change at page 19, line 11 skipping to change at page 19, line 11
} }
END END
7. ASN.1 Module RFC 4334 7. ASN.1 Module RFC 4334
We have updated the ASN.1 module associated with RFC 4334 to be ASN.1 We have updated the ASN.1 module associated with RFC 4334 to be ASN.1
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5912]. [RFC5912].
WLANCertExtn WLANCertExtn-2010
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-wlan-extns-2(73) } id-mod-wlan-extns-2(73) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
skipping to change at page 21, line 28 skipping to change at page 21, line 28
type of EncryptedContentInfo to minimize the output changes from type of EncryptedContentInfo to minimize the output changes from
previous versions. previous versions.
Protocol designers can make use of the '08 ASN.1 constraints to Protocol designers can make use of the '08 ASN.1 constraints to
define different sets of attributes for EncryptedData and define different sets of attributes for EncryptedData and
EnvelopedData and for AuthenticatedData and AuthEnvelopedData. EnvelopedData and for AuthenticatedData and AuthEnvelopedData.
Previously, attributes could only be constrained based on whether Previously, attributes could only be constrained based on whether
they were in the clear or unauthenticated not on the encapsulating they were in the clear or unauthenticated not on the encapsulating
content type. content type.
CMS-AuthEnvelopedData-2009 CMS-AuthEnvelopedData-2010
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) } smime(16) modules(0) id-mod-cmsAuthEnvData-2009(57) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CMSVersion, EncryptedContentInfoType{}, CMSVersion, EncryptedContentInfoType{},
MessageAuthenticationCode, OriginatorInfo, RecipientInfos, MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION, CONTENT-TYPE, Attributes{}, ATTRIBUTE, CONTENT-ENCRYPTION,
AlgorithmIdentifier{}, AlgorithmIdentifier{},
skipping to change at page 23, line 28 skipping to change at page 23, line 28
type of EncryptedContentInfo to minimize the output changes from type of EncryptedContentInfo to minimize the output changes from
previous versions. previous versions.
We are anticipating the definition of attributes that are going to be We are anticipating the definition of attributes that are going to be
resticted to the use of only EnvelopedData. We are therefore resticted to the use of only EnvelopedData. We are therefore
separating the different attribute sets so that protocol designers separating the different attribute sets so that protocol designers
that need to do this will be able to define attributes that are used that need to do this will be able to define attributes that are used
for EnvelopedData, but not for EncryptedData. The same separation is for EnvelopedData, but not for EncryptedData. The same separation is
also being applied to AuthenticatedData and AuthEnvelopedData. also being applied to AuthenticatedData and AuthEnvelopedData.
CryptographicMessageSyntax-2009 CryptographicMessageSyntax-2010
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier{} AlgorithmIdentifier{}
skipping to change at page 34, line 11 skipping to change at page 34, line 11
SET SIZE (1..MAX) OF Attribute {{ AttrList }} SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END END
10. ASN.1 Module RFC 5752 10. ASN.1 Module RFC 5752
We have updated the ASN.1 module associated with this document to be We have updated the ASN.1 module associated with this document to be
2008 compliant and to use the set of classes previously defined in 2008 compliant and to use the set of classes previously defined in
[RFC5911]. [RFC5911].
MultipleSignatures-2009 MultipleSignatures-2010
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) modules(0) id-mod-multipleSign-2009(59) } smime(16) modules(0) id-mod-multipleSign-2009(59) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All -- EXPORTS All
-- The types and values defined in this module are exported for use -- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for -- in the other ASN.1 modules. Other applications may use them for
-- their own purposes. -- their own purposes.
IMPORTS IMPORTS
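Review bot: the module identifier in this hunk writes the arc label as pkcs9(9), while every other S/MIME module identifier in this diff writes pkcs-9(9). The number is the same, so the encoded OID is unaffected, but the label should read pkcs-9(9) for consistency, and the rename to MultipleSignatures-2010 is a convenient point to fix it.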
skipping to change at page 36, line 35 skipping to change at page 36, line 35
This means that when a module is replaced, one can replace the This means that when a module is replaced, one can replace the
previous module, update the module number assignment module and previous module, update the module number assignment module and
recompile without having to modify any other modules. recompile without having to modify any other modules.
A sample module assignment module would be: A sample module assignment module would be:
ModuleNumbers ModuleNumbers
DEFINITIONS TAGS ::= DEFINITIONS TAGS ::=
BEGIN BEGIN
id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549) id-mod-CMS ::= { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) TBD } pkcs(1) pkcs-9(9) smime(16) modules(0) 58 }
id-mod-AlgInfo ::= id-mod-AlgInfo ::=
{iso(1) identified-organization(3) dod(6) internet(1) {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)} id-mod-algorithmInformation-02(58)}
END END
This would be used in the following import statement: This would be used in the following import statement:
IMPORTS IMPORTS
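Review bot: the sample value assignments in this hunk omit the type, so "id-mod-CMS ::= { ... }" and "id-mod-AlgInfo ::= { ... }" are not valid ASN.1 value assignments, and the header "DEFINITIONS TAGS ::=" names no tagging mode. Suggest "id-mod-CMS OBJECT IDENTIFIER ::= ..." for both values and either "DEFINITIONS IMPLICIT TAGS ::=" or a bare "DEFINITIONS ::=". The final arc that replaces TBD could also be written as id-mod-cms-2009(58) to match the CMS module identifier earlier in the draft.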
 End of changes. 15 change blocks. 
18 lines changed or deleted 18 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/