< draft-housley-binarytime-01.txt   draft-housley-binarytime-02.txt >
Network Working Group R. Housley Network Working Group R. Housley
Internet Draft Vigil Security Internet Draft Vigil Security
expires in six months September 2004 expires in six months September 2004
BinaryTime: BinaryTime:
An alternate format for representing date and time in ASN.1 An alternate format for representing date and time in ASN.1
<draft-housley-binarytime-01.txt> <draft-housley-binarytime-02.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668. disclosed, in accordance with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than a "work in progress." material or to cite them other than a "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft is expected to be published as an Experimental This Internet-Draft is intended to be published as an Experimental
RFC. RFC.
Abstract Abstract
This document specifies a new ASN.1 type for representing time: This document specifies a new ASN.1 type for representing time:
BinaryTime. This document also specifies an alternate signing-time BinaryTime. This document also specifies an alternate to the
attribute for use with the Cryptographic Message Syntax (CMS) signing-time attribute for use with the Cryptographic Message Syntax
SignedData content type that permits the use of BinaryTime. CMS and (CMS) SignedData and AuthenticatedData content types; the binary-
the signing-time attribute are defined in RFC 3852. signing-time attribute uses BinaryTime. CMS and the signing-time
attribute are defined in RFC 3852.
1 Introduction 1 Introduction
This document specifies a new ASN.1 [ASN1] type for representing This document specifies a new ASN.1 [ASN1] type for representing
time: BinaryTime. This ASN.1 type can be used to represent date and time: BinaryTime. This ASN.1 type can be used to represent date and
time values. time values.
This document also updates signing-time attribute used with the This document also specifies an alternative to the signing-time
Cryptographic Message Syntax (CMS) [CMS] SignedData content type, attribute used with the Cryptographic Message Syntax (CMS) [CMS]
allowing BinaryTime to be used. SignedData and AuthenticatedData content types, allowing the
BinaryTime type to be used instead of the traditional UTCTime and
GeneralizedTime types.
1.1 BinaryTime 1.1 BinaryTime
Many operating systems represent date and time as an integer. This Many operating systems represent date and time as an integer. This
document specifies an ASN.1 type for representing a date and time in document specifies an ASN.1 type for representing a date and time in
a manner that is compatible with these operating systems. This a manner that is also an integer. While some conversion may be
approach has several advantages over the UTCTime and GeneralizedTime necessary due to the selection of different epoch or a different
types. granularity, an integer representation has several advantages over
the UTCTime and GeneralizedTime types.
First, a BinaryTime value is smaller than either a UTCTime or a First, a BinaryTime value is smaller than either a UTCTime or a
GeneralizedTime value. GeneralizedTime value.
Second, in many operating systems, the value can be used without Second, in some operating systems, the value can be used with little
conversion. The operating systems that do require conversion can do or no conversion. Conversion, when it is needed, requires only
so with straightforward computation. straightforward computation. If the endian ordering is different
than the ASN.1 representation of an INTEGER, then straightforward
manipulation is needed to obtain an equivalent integer value. If the
epoch is different than the one chosen for BinaryTime, addition or
subtraction is needed to compensate. If the granularity is something
other than seconds, then multiplication or division is needed to
compensate. Also, padding may be needed convert the variable length
ASN.1 encoding of INTEGER to a fixed length value used in the
operating system.
Third, date comparison is very easy with BinaryTime. Integer Third, date comparison is very easy with BinaryTime. Integer
comparison is easy, even when multi-precision integers are involved. comparison is easy, even when multi-precision integers are involved.
Date comparison with UTCTime or GeneralizedTime can be complex when Date comparison with UTCTime or GeneralizedTime can be complex when
the two values to be compared are provided in different time zones. the two values to be compared are provided in different time zones.
This is a rare instance where both memory and processor cycles are This is a rare instance where both memory and processor cycles can be
saved. saved.
1.2 Binary Signing Time Attribute 1.2 Binary Signing Time Attribute
The signing-time attribute is defined in [CMS]. The updated signing- The signing-time attribute is defined in [CMS]. The alternative
time attribute is defined in this document to obtain the benefits of binary-signing-time attribute is defined in this document to obtain
the BinaryTime type, while maintaining backward compatibility with the benefits of the BinaryTime type.
the original signing-time attribute specification.
1.3 Terminology 1.3 Terminology
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL are to be interpreted as
described in [STDWORDS]. described in [STDWORDS].
2 BinaryTime Definition 2 BinaryTime Definition
The BinaryTime ASN.1 type is used to represent an absolute time and The BinaryTime ASN.1 type is used to represent an absolute time and
date. A positive integer value is used to represent time values date. A positive integer value is used to represent time values
based on coordinated universal time (UTC), which is also called based on coordinated universal time (UTC), which is also called
Greenwich Mean Time (GMT) and ZULU clock time. Greenwich Mean Time (GMT) and ZULU clock time.
The syntax for BinaryTime is: The syntax for BinaryTime is:
BinaryTime ::= INTEGER BinaryTime ::= INTEGER
The integer value is the number of seconds after midnight, January 1, The integer value is the number of seconds after midnight UTC,
1970. This time format cannot represent time values prior to January January 1, 1970. This time format cannot represent time values prior
1, 1970. The latest UTC time value that can be represented by a to January 1, 1970. The latest UTC time value that can be
four-octet integer value is 03:14:07 on January 19, 2038, which is represented by a four-octet integer value is 03:14:07 on January 19,
represented by the hexadecimal value 7FFFFFFF. Time values beyond 2038, which is represented by the hexadecimal value 7FFFFFFF. Time
03:14:07 on January 19, 2038 are represented by integer values that values beyond 03:14:07 on January 19, 2038 are represented by integer
are longer than four octets. values that are longer than four octets, and a five-octet integer
value is sufficient to represent dates covering the next seventeen
millennia.
This specification uses a variable length encoding of INTEGER. This This specification uses a variable length encoding of INTEGER. This
permits any time value after midnight, January 1, 1970 to be permits any time value after midnight UTC, January 1, 1970 to be
represented. represented.
When encoding of an integer value that consists of more than one When encoding of an integer value that consists of more than one
octet, which includes almost all of the time values of interest, the octet, which includes almost all of the time values of interest, the
bits of the first octet and bit 8 of the second octet MUST NOT all be bits of the first octet and bit 8 of the second octet MUST NOT all be
ones or all zeros. This rule ensures that an integer value is always ones or all zeros. This rule ensures that an integer value is always
encoded in the smallest possible number of octets. However, it means encoded in the smallest possible number of octets. However, it means
that implementations cannot assume a fixed length for the integer that implementations cannot assume a fixed length for the integer
value. value.
3 Revised Signing Time Attribute Definition 3 Binary Signing Time Attribute Definition
A new object identifier is assigned to the revised signing-time
attribute. In this way, an implementation that supports the signing-
time attribute but does not support this revision will not encounter
any difficulty since unrecognized CMS attributes are ignored.
Like the original signing-time attribute, the updated signing-time The binary-signing-time attribute type specifies the time at which
attribute type specifies the time at which the signer (purportedly) the signer (purportedly) performed the signing process. The binary-
performed the signing process. The updated signing-time attribute signing-time attribute type is intended for use in the CMS SignedData
type is intended for use in the CMS SignedData content type. The content type; however, the attribute can also be used with the
attribute can also be used with the AuthenticatedData content type. AuthenticatedData content type.
The updated signing-time attribute MUST be a signed attribute or an The binary-signing-time attribute MUST be a signed attribute or an
authenticated attribute; it MUST NOT be an unsigned attribute, authenticated attribute; it MUST NOT be an unsigned attribute,
unauthenticated attribute, or unprotected attribute. unauthenticated attribute, or unprotected attribute.
The following object identifier identifies the updated signing-time The following object identifier identifies the binary-signing-time
attribute: attribute:
id-aa-signingTime2 OBJECT IDENTIFIER ::= { iso(1) id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 } smime(16) aa(2) 46 }
The updated signing-time attribute values have ASN.1 type The binary-signing-time attribute values have ASN.1 type
SigningTime2: BinarySigningTime:
SigningTime2 ::= CHOICE { BinarySigningTime ::= BinaryTime
utcTime UTCTime,
generalizedTime GeneralizedTime,
binaryTime BinaryTime }
In [CMS], the SignedAttributes syntax and the AuthAttributes syntax In [CMS], the SignedAttributes syntax and the AuthAttributes syntax
are each defined as a SET OF Attributes. However, the updated are each defined as a SET OF Attributes. However, the binary-
signing-time attribute MUST have a single attribute value, even signing-time attribute MUST have a single attribute value, even
though the syntax is defined as a SET OF AttributeValue. There MUST though the syntax is defined as a SET OF AttributeValue. There MUST
NOT be zero or multiple instances of AttributeValue present. NOT be zero or multiple instances of AttributeValue present.
The SignedAttributes contained in the signerInfo structure within The SignedAttributes contained in the signerInfo structure within
SignedData MUST NOT include multiple instances of the updated SignedData MUST NOT include multiple instances of the binary-signing-
signing-time attribute. Similarly, the AuthAttributes in an time attribute. Similarly, the AuthAttributes in an
AuthenticatedData MUST NOT include multiple instances of the updated AuthenticatedData MUST NOT include multiple instances of the binary-
signing-time attribute. signing-time attribute.
No requirement is imposed concerning the correctness of the signing No requirement is imposed concerning the correctness of the signing
time, and acceptance of a purported signing time is a matter of a time itself, and acceptance of a purported signing time is a matter
recipient's discretion. It is expected, however, that some signers, of a recipient's discretion. It is expected, however, that some
such as time-stamp servers, will be trusted implicitly. signers, such as time-stamp servers, will be trusted implicitly.
3.1 utcTime
Dates between January 1, 1950 and December 31, 2049 (inclusive) can
be represented using the utcTime alternative. Any dates with year
values before 1950 or after 2049 MUST be encoded using either
generalizedTime or binaryTime, and they MUST NOT be encoded using the
utcTime alternative.
Date and time values encoded using the utcTime alternative MUST be
expressed in Coordinated Universal Time (UTC) and MUST include
seconds (i.e., times are YYMMDDHHMMSSZ), even where the number of
seconds is zero. Midnight MUST be represented as "YYMMDD000000Z".
Century information is implicit, and the century MUST be determined
as follows:
Where YY is greater than or equal to 50, the year MUST be
interpreted as 19YY; and
Where YY is less than 50, the year MUST be interpreted as 20YY.
3.2 generalizedTime
Date and time values encoded using the generalizedTime alternative
MUST be expressed in Coordinated Universal Time (UTC) and MUST
include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the
number of seconds is zero. The GeneralizedTime value MUST NOT
include fractional seconds.
3.2 binaryTime
When the binaryTime alternative is used, date and time values MUST be
expressed in Coordinated Universal Time (UTC), and the granularity of
the time is seconds. It is not possible to represent a finer
granularity.
4 References 4 References
This section provides normative and informative references. This section provides normative and informative references.
4.1 Normative References 4.1 Normative References
ASN1 CCITT. Recommendation X.208: Specification of Abstract ASN1 CCITT. Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988. Syntax Notation One (ASN.1). 1988.
skipping to change at page 6, line 7 skipping to change at page 5, line 13
Requirement Levels. RFC 2119. March 1997. Requirement Levels. RFC 2119. March 1997.
4.2 Informative References 4.2 Informative References
TSP Adams, C., P. Cain, D. Pinkas, and R. Zuccherato. TSP Adams, C., P. Cain, D. Pinkas, and R. Zuccherato.
Internet X.509 Public Key Infrastructure Time-Stamp Internet X.509 Public Key Infrastructure Time-Stamp
Protocol (TSP). RFC 3161. August 2001. Protocol (TSP). RFC 3161. August 2001.
5 Security Considerations 5 Security Considerations
This specification does not introduce any new security considerations Use of the binary-signing-time attribute does not necessarily provide
beyond those already discussed in [CMS]. confidence in the time that the signature value was produced.
Use of the updated signing-time attribute does not necessarily
provide confidence in the time that the signature value was produced.
Therefore, acceptance of a purported signing time is a matter of a Therefore, acceptance of a purported signing time is a matter of a
recipient's discretion. RFC 3161 [TSP] specifies a protocol for recipient's discretion. RFC 3161 [TSP] specifies a protocol for
obtaining time stamps from a trusted entity. obtaining time stamps from a trusted entity.
The original signing-time attribute defined in [CMS] has the same The original signing-time attribute defined in [CMS] has the same
semantics as the updated signing-time attribute specified in this semantics as the binary-signing-time attribute specified in this
document. If both of these attributes are present, they SHOULD document. Therefore, only one of these attributes SHOULD be present
provide the same date and time. in the signedAttrs of a SignerInfo object or in the authAttrs of an
AuthenticatedData object. However, if both of these attributes are
present, they MUST provide the same date and time.
6 IANA Considerations 6 IANA Considerations
No IANA actions are needed. No IANA actions are needed.
7 IPR Considerations 7 IPR Considerations
By submitting this Internet-Draft, I certify that any applicable By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed, patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be or will be disclosed, and any of which I become aware will be
skipping to change at page 7, line 34 skipping to change at page 6, line 40
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- BinaryTime Definition -- BinaryTime Definition
BinaryTime ::= INTEGER BinaryTime ::= INTEGER
-- Signing Binary Time Attribute -- Signing Binary Time Attribute
id-aa-signingTime2 OBJECT IDENTIFIER ::= { iso(1) id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 } smime(16) aa(2) 46 }
SigningTime2 ::= CHOICE { BinarySigningTime ::= BinaryTime
utcTime UTCTime,
generalizedTime GeneralizedTime,
binaryTime BinaryTime }
END END
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
 End of changes. 24 change blocks. 
103 lines changed or deleted 69 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/