idnits 2.17.1 draft-housley-ers-asn1-modules-03.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack a both a reference to RFC 2119 and the
   recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
   keywords.

   RFC 2119 keyword, line 138: '...cryptoInfos [0] CryptoInfos OPTIONAL,...'
   RFC 2119 keyword, line 139: '...tionInfo [1] EncryptionInfo OPTIONAL,...'
   RFC 2119 keyword, line 146: '... {DIGEST-ALGORITHM, {...}} OPTIONAL,...'
   RFC 2119 keyword, line 147: '...tributes [1] Attributes OPTIONAL,...'
   RFC 2119 keyword, line 148: '... SEQUENCE OF PartialHashtree OPTIONAL,...'
   (1 more instance...)

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
   match the current year

-- The document date (26 August 2021) is 964 days in the past. Is this
   intentional?

Checking references for intended status: Informational
----------------------------------------------------------------------------
== Missing Reference: 'ThisRFC' is mentioned on line 281, but not defined

Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the
items above.

--------------------------------------------------------------------------------

Network Working Group                                          R. Housley
Internet-Draft                                             Vigil Security
Intended status: Informational                                 C. Wallace
Expires: 27 February 2022                              Red Hound Software
                                                           26 August 2021

            New ASN.1 Modules for the Evidence Record Syntax (ERS)
                    draft-housley-ers-asn1-modules-03

Abstract

   The Evidence Record Syntax (ERS) and the conventions for including
   these evidence records in the Server-based Certificate Validation
   Protocol (SCVP) are expressed using ASN.1.  This document offers
   alternative ASN.1 modules that conform to the 2002 version of ASN.1
   and employ the conventions adopted in RFC 5911, RFC 5912, and RFC
   6268.  There are no bits-on-the-wire changes to any of the formats;
   this is simply a change to the ASN.1 syntax.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 27 February 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  ASN.1 Module for RFC 4998
   3.  ASN.1 Module for RFC 5276
   4.  IANA Considerations
   5.  Security Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   Some developers would like the IETF to use the latest version of
   ASN.1 in its standards.  This document provides alternative ASN.1
   modules to assist in that goal.

   The Evidence Record Syntax (ERS) [RFC4998] provides two ASN.1
   modules, one using the 1988 syntax [OLD-ASN1], which has been
   deprecated by the ITU-T, and another one using the newer syntax
   [NEW-ASN1], which continues to be maintained and enhanced.  This
   document provides an alternative ASN.1 module that follows the
   conventions established in [RFC5911], [RFC5912], and [RFC6268].

   In addition, [RFC5276] specifies the mechanism for conveying Evidence
   Records in the Server-based Certificate Validation Protocol (SCVP)
   [RFC5055].  There is only one ASN.1 module in [RFC5276], and it uses
   the 1988 syntax [OLD-ASN1].  This document provides an alternative
   ASN.1 module using the newer syntax [NEW-ASN1] and follows the
   conventions established in [RFC5911], [RFC5912], and [RFC6268].  Note
   that [RFC5912] already includes an alternative ASN.1 module for SCVP
   [RFC5055].
   The original ASN.1 modules get some of their definitions from places
   outside the RFC series.  Some of the referenced definitions are
   somewhat difficult to find.  The alternative ASN.1 modules offered in
   this document stand on their own when combined with the modules in
   [RFC5911], [RFC5912], and [RFC6268].

   The alternative ASN.1 modules produce the same bits-on-the-wire as
   the original ones.

   The alternative ASN.1 modules are informative; the original ones are
   normative.

2.  ASN.1 Module for RFC 4998

   ERS-2021
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) ltans(11) id-mod(0)
       id-mod-ers(1) id-mod-ers-v2(2) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   EXPORTS ALL;

   IMPORTS

   ContentInfo
     FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

   AlgorithmIdentifier{}, DIGEST-ALGORITHM
     FROM AlgorithmInformation-2009 -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-algorithmInformation-02(58) }

   AttributeSet{}, ATTRIBUTE
     FROM PKIX-CommonTypes-2009 -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkixCommon-02(57) }
   ;

   ltans OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
     dod(6) internet(1) security(5) mechanisms(5) ltans(11) }

   EvidenceRecord ::= SEQUENCE {
     version                   INTEGER { v1(1) },
     digestAlgorithms          SEQUENCE OF AlgorithmIdentifier
                                 {DIGEST-ALGORITHM, {...}},
     cryptoInfos           [0] CryptoInfos OPTIONAL,
     encryptionInfo        [1] EncryptionInfo OPTIONAL,
     archiveTimeStampSequence  ArchiveTimeStampSequence }

   CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute

   ArchiveTimeStamp ::= SEQUENCE {
     digestAlgorithm       [0] AlgorithmIdentifier
                                 {DIGEST-ALGORITHM, {...}} OPTIONAL,
     attributes            [1] Attributes OPTIONAL,
     reducedHashtree       [2] SEQUENCE OF PartialHashtree OPTIONAL,
     timeStamp                 ContentInfo }

   PartialHashtree ::= SEQUENCE OF OCTET STRING

   Attributes ::= SET SIZE (1..MAX) OF Attribute

   ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp

   ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain

   EncryptionInfo ::= SEQUENCE {
     encryptionInfoType   ENCINFO-TYPE.&id
                            ({SupportedEncryptionAlgorithms}),
     encryptionInfoValue  ENCINFO-TYPE.&Type
                            ({SupportedEncryptionAlgorithms}{@encryptionInfoType}) }

   ENCINFO-TYPE ::= TYPE-IDENTIFIER

   SupportedEncryptionAlgorithms ENCINFO-TYPE ::= { ... }

   aa-er-internal ATTRIBUTE ::=
     { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }

   id-aa-er-internal OBJECT IDENTIFIER ::= { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 49 }

   aa-er-external ATTRIBUTE ::=
     { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }

   id-aa-er-external OBJECT IDENTIFIER ::= { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 50 }

   ERSAttrSet ATTRIBUTE ::= { aa-er-internal | aa-er-external, ... }

   Attribute ::= AttributeSet {{ERSAttrSet}}

   END

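   The following is an added example and not part of the draft: a
   minimal DER encoder and strict decoder for the EvidenceRecord type
   defined in the ERS-2021 module above, showing where the IMPLICIT [0],
   [1] and [2] context tags and the OPTIONAL members land on the wire.
   It assumes SHA-256 as the digest algorithm, a constructed placeholder
   in place of a real timestamp token for the timeStamp ContentInfo, and
   a constructed placeholder Attribute when cryptoInfos is present.

```python
# Added example (not from the draft); assumed: SHA-256, placeholder ContentInfo.
ID_SHA256 = bytes.fromhex("0609608648016503040201")   # OID 2.16.840.1.101.3.4.2.1

def tlv(tag, content):                    # DER tag-length-value, minimal definite length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

SAMPLE_TIMESTAMP = tlv(0x30, bytes.fromhex("06092a864886f70d010702")  # ContentInfo stand-in
                       + tlv(0xA0, tlv(0x04, b"placeholder")))        # (id-signedData, dummy)

def encode_evidence_record(leaves, timestamp=SAMPLE_TIMESTAMP, crypto_infos=()):
    """v1 record, one digest algorithm, optional cryptoInfos, one chain of one ATS."""
    ats_alg = tlv(0xA0, ID_SHA256)        # [0] IMPLICIT: A0 replaces AlgorithmIdentifier's 30
    partial = tlv(0x30, b"".join(tlv(0x04, h) for h in leaves))   # PartialHashtree
    ats = tlv(0x30, ats_alg + tlv(0xA2, partial) + timestamp)     # [2] IMPLICIT reducedHashtree
    body = tlv(0x02, b"\x01") + tlv(0x30, tlv(0x30, ID_SHA256))   # version, digestAlgorithms
    if crypto_infos:
        body += tlv(0xA0, b"".join(crypto_infos))                 # [0] IMPLICIT CryptoInfos
    return tlv(0x30, body + tlv(0x30, tlv(0x30, ats)))            # + ArchiveTimeStampSequence

def iter_tlvs(data):                      # (tag, content) per DER TLV; strict lengths
    i = 0
    while i < len(data):
        tag, n, hdr = data[i], data[i + 1], 2
        if n & 0x80:                      # long form: 0x80|k, then k big-endian bytes
            hdr = 2 + (n & 0x7F)
            n = int.from_bytes(data[i + 2:i + hdr], "big")
            if n < 0x80 or data[i + 2] == 0:
                raise ValueError("non-minimal DER length")
        if i + hdr + n > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i + hdr:i + hdr + n]
        i += hdr + n

def decode_evidence_record(der):          # top-level layout; OPTIONALs told apart by tag
    (tag, body), = iter_tlvs(der)
    fields = list(iter_tlvs(body))
    if tag != 0x30 or len(fields) < 3 or fields[-1][0] != 0x30:
        raise ValueError("not an EvidenceRecord")
    out = {"version": int.from_bytes(fields[0][1], "big"), "crypto_infos": None,
           "encryption_info": False, "chains": len(list(iter_tlvs(fields[-1][1])))}
    for t, content in fields[2:-1]:       # [0] cryptoInfos and/or [1] encryptionInfo
        if t not in (0xA0, 0xA1):
            raise ValueError("unexpected member tag 0x%02x" % t)
        out["crypto_infos" if t == 0xA0 else "encryption_info"] = (
            len(list(iter_tlvs(content))) if t == 0xA0 else True)
    return out
```

   With two 32-byte leaves the record exceeds 127 bytes, so the outer
   SEQUENCE uses a long-form length and the decoder's minimal-length
   check is exercised on the way back.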
3.  ASN.1 Module for RFC 5276

   LTANS-SCVP-EXTENSION-2021
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) ltans(11) id-mod(0)
       id-mod-ers-scvp(5) id-mod-ers-scvp-v2(2) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   EXPORTS ALL;

   IMPORTS

   id-swb, CertBundle, WANT-BACK, AllWantBacks
     FROM SCVP-2009 -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-scvp-02(52) }

   EvidenceRecord
     FROM ERS-2021 -- in [ThisRFC]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) ltans(11) id-mod(0)
         id-mod-ers(1) id-mod-ers-v2(2) }
   ;

   EvidenceRecordWantBack ::= SEQUENCE {
     targetWantBack   WANT-BACK.&id ({ExpandedWantBacks}),
     evidenceRecord   EvidenceRecord OPTIONAL }

   EvidenceRecordWantBacks ::= SEQUENCE SIZE (1..MAX) OF
     EvidenceRecordWantBack

   EvidenceRecords ::= SEQUENCE SIZE (1..MAX) OF EvidenceRecord

   ExpandedWantBacks WANT-BACK ::= { AllWantBacks |
                                     NewWantBacks |
                                     ERSWantBacks, ... }

   NewWantBacks WANT-BACK ::= { swb-partial-cert-path, ... }

   swb-partial-cert-path WANT-BACK ::=
     { CertBundle IDENTIFIED BY id-swb-partial-cert-path }

   id-swb-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 15 }

   ERSWantBacks WANT-BACK ::= { swb-ers-pkc-cert |
                                swb-ers-best-cert-path |
                                swb-ers-partial-cert-path |
                                swb-ers-revocation-info |
                                swb-ers-all, ...
                                }

   swb-ers-pkc-cert WANT-BACK ::=
     { EvidenceRecord IDENTIFIED BY id-swb-ers-pkc-cert }

   id-swb-ers-pkc-cert OBJECT IDENTIFIER ::= { id-swb 16 }

   swb-ers-best-cert-path WANT-BACK ::=
     { EvidenceRecord IDENTIFIED BY id-swb-ers-best-cert-path }

   id-swb-ers-best-cert-path OBJECT IDENTIFIER ::= { id-swb 17 }

   swb-ers-partial-cert-path WANT-BACK ::=
     { EvidenceRecord IDENTIFIED BY id-swb-ers-partial-cert-path }

   id-swb-ers-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 18 }

   swb-ers-revocation-info WANT-BACK ::=
     { EvidenceRecords IDENTIFIED BY id-swb-ers-revocation-info }

   id-swb-ers-revocation-info OBJECT IDENTIFIER ::= { id-swb 19 }

   swb-ers-all WANT-BACK ::=
     { EvidenceRecordWantBacks IDENTIFIED BY id-swb-ers-all }

   id-swb-ers-all OBJECT IDENTIFIER ::= { id-swb 20 }

   END

4.  IANA Considerations

   IANA is requested to assign two object identifiers from the "SMI
   Security for LTANS Module Identifier" registry to identify the two
   ASN.1 modules in this document.

   The assignment of these object identifiers is requested:

      1.3.6.1.5.5.11.0.1.2   id-mod-ers-v2        [ThisRFC]

      1.3.6.1.5.5.11.0.5.2   id-mod-ers-scvp-v2   [ThisRFC]

   {{{ RFC Editor: Please replace [ThisRFC] with the number
   assigned to this document. }}}

5.  Security Considerations

   Please see the security considerations in [RFC4998] and [RFC5276].
   This document makes no changes to the security considerations in
   those documents.  The ASN.1 modules in this document produce the same
   bits-on-the-wire as the ASN.1 modules that they replace.

6.  References

6.1.  Normative References

   [NEW-ASN1] ITU-T, "Information technology -- Abstract Syntax Notation
              One (ASN.1): Specification of basic notation", ITU-T
              Recommendation X.680, ISO/IEC 8824-1:2015, August 2015.

   [RFC4998]  Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
              Record Syntax (ERS)", RFC 4998, DOI 10.17487/RFC4998,
              August 2007.
   [RFC5055]  Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
              Polk, "Server-Based Certificate Validation Protocol
              (SCVP)", RFC 5055, DOI 10.17487/RFC5055, December 2007.

   [RFC5276]  Wallace, C., "Using the Server-Based Certificate
              Validation Protocol (SCVP) to Convey Long-Term Evidence
              Records", RFC 5276, DOI 10.17487/RFC5276, August 2008.

   [RFC5911]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for
              Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
              DOI 10.17487/RFC5911, June 2010.

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010.

   [RFC6268]  Schaad, J. and S. Turner, "Additional New ASN.1 Modules
              for the Cryptographic Message Syntax (CMS) and the Public
              Key Infrastructure Using X.509 (PKIX)", RFC 6268,
              DOI 10.17487/RFC6268, July 2011.

6.2.  Informative References

   [OLD-ASN1] CCITT, "Specification of Abstract Syntax Notation One
              (ASN.1)", CCITT Recommendation X.208, November 1988.

Authors' Addresses

   Russ Housley
   Vigil Security, LLC
   516 Dranesville Road
   Herndon, VA, 20170
   United States of America

   Email: housley@vigilsec.com

   Carl Wallace
   Red Hound Software, Inc.
   5112 27th St. N.
   Arlington, VA, 22207
   United States of America

   Email: carl@redhoundsoftware.com