idnits 2.17.1 

draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 358 has weird spacing: '...inition  http:...'

  == Line 502 has weird spacing: '...inition  http:...'

  == Line 606 has weird spacing: '...inition  http:...'

  == Line 710 has weird spacing: '...inition  http:...'

  == Line 813 has weird spacing: '...inition  http:...'

  -- The document date (May 2, 2010) is 5101 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'PSKC' is defined on line 909, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-09) exists of
     draft-ietf-keyprov-pskc-05


     Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	keyprov                                                         P. Hoyer
3	Internet-Draft                                             ActivIdentity
4	Intended status: Informational                                    M. Pei
5	Expires: November 3, 2010                                       VeriSign
6	                                                              S. Machani
7	                                                              Diversinet
8	                                                              A. Doherty
9	                                       RSA, The Security Division of EMC
10	                                                             May 2, 2010

12	 Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
13	           draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt

15	Abstract

17	   The Portable Symmetric Key Container (PSKC) contains a number of XML
18	   elements and XML attributes carrying keys and related information.
19	   Not all algorithms, however, are able to use all elements and for
20	   other algorithm certain information is mandatory.  This lead to the
21	   introduction of PSKC algorithm profiles that provide further
22	   description about the mandatory and optional information elements and
23	   their semantic, including extensions that may be needed.  The main
24	   PSKC specification defines two PSKC algorithm profiles, namely "HOTP"
25	   and "PIN".  This document extends the initial set and specifies nine
26	   further algorithm profiles for PKSC.

28	Status of this Memo

30	   This Internet-Draft is submitted in full conformance with the
31	   provisions of BCP 78 and BCP 79.

33	   Internet-Drafts are working documents of the Internet Engineering
34	   Task Force (IETF).  Note that other groups may also distribute
35	   working documents as Internet-Drafts.  The list of current Internet-
36	   Drafts is at http://datatracker.ietf.org/drafts/current/.

38	   Internet-Drafts are draft documents valid for a maximum of six months
39	   and may be updated, replaced, or obsoleted by other documents at any
40	   time.  It is inappropriate to use Internet-Drafts as reference
41	   material or to cite them other than as "work in progress."

43	   This Internet-Draft will expire on November 3, 2010.

45	Copyright Notice

47	   Copyright (c) 2010 IETF Trust and the persons identified as the
48	   document authors.  All rights reserved.

50	   This document is subject to BCP 78 and the IETF Trust's Legal
51	   Provisions Relating to IETF Documents
52	   (http://trustee.ietf.org/license-info) in effect on the date of
53	   publication of this document.  Please review these documents
54	   carefully, as they describe your rights and restrictions with respect
55	   to this document.  Code Components extracted from this document must
56	   include Simplified BSD License text as described in Section 4.e of
57	   the Trust Legal Provisions and are provided without warranty as
58	   described in the Simplified BSD License.

60	Table of Contents

62	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
63	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
64	   3.  OCRA (OATH Challenge Response Algorithm) . . . . . . . . . . .  5
65	   4.  TOTP (OATH Time based OTP) . . . . . . . . . . . . . . . . . .  7
66	   5.  SecurID-AES  . . . . . . . . . . . . . . . . . . . . . . . . .  9
67	   6.  SecurID-AES-Counter  . . . . . . . . . . . . . . . . . . . . . 11
68	   7.  SecurID-ALGOR  . . . . . . . . . . . . . . . . . . . . . . . . 13
69	   8.  ActivIdentity-3DES . . . . . . . . . . . . . . . . . . . . . . 15
70	   9.  ActivIdentity-AES  . . . . . . . . . . . . . . . . . . . . . . 18
71	   10. ActivIdentity-DES  . . . . . . . . . . . . . . . . . . . . . . 21
72	   11. ActivIdentity-EVENT  . . . . . . . . . . . . . . . . . . . . . 24
73	   12. Security Considerations  . . . . . . . . . . . . . . . . . . . 26
74	   13. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 27
75	   14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
76	   15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
77	     15.1.  Normative References  . . . . . . . . . . . . . . . . . . 29
78	     15.2.  Informative References  . . . . . . . . . . . . . . . . . 29
79	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30

81	1.  Introduction

83	   This document specifies a set of algorithm profiles for PKSC, namely

85	      OCRA (OATH Challenge Response Algorithm)

87	      TOTP (OATH Time based OTP)

89	      SecurID-AES

91	      SecurID-AES-Counter

93	      SecurID-ALGOR

95	      ActivIdentity-3DES

97	      ActivIdentity-AES

99	      ActivIdentity-DES

101	      ActivIdentity-EVENT

103	   [Editor's Note: The content of this document was created by moving a
104	   number of PSKC algorithm profiles from
105	   draft-ietf-keyprov-portable-symmetric-key-container-06.txt into this
106	   document.  Since
107	   draft-ietf-keyprov-portable-symmetric-key-container-07.txt had
108	   experienced a number of changes the description and the examples in
109	   this document are likely to be out-of-sync.  Re-alignment will be
110	   provided in a future version.]

112	2.  Terminology

114	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
115	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
116	   document are to be interpreted as described in [RFC2119].

118	3.  OCRA (OATH Challenge Response Algorithm)

120	   Common Name:  OCRA

122	   Class:  OTP

124	   URI:
125	      urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:(ocra_suite_parameters)
126	      - e.g.
127	      urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08

129	   Algorithm Definition:  http://tools.ietf.org/id/
130	      draft-mraihi-mutual-oath-hotp-variants-11.txt

132	   Identifier Definition  (this RFC)

134	   Registrant Contact:  IESG

136	   Profile of XML attributes and subelements of the <Key> entity:

138	      For a <Key> of this algorithm, the <Usage> subelements MUST be
139	      present.  The "CR" attribute of the <Usage> MUST be set "true" and
140	      it MUST be the only attribute set.  The element <ChallengeFormat>
141	      and <ResponseFormat> of the <Usage> MUST be present.

143	      For the <Data> elements of a <Key> of this algorithm, the
144	      following subelements MUST be present in either the <Key> element
145	      itself or an commonly shared <KeyProperties> element.

147	      *  Counter

149	      *  Time

151	      If the element <Time> is present, the following elements MUST be
152	      also present.

154	      *  TimeInterval

156	      The following additional constraints apply:

158	         - The value of the <Secret> element MUST contain key material
159	         with a lengthy of at least 16 octets (128 bits) if it is
160	         present.

162	         - The <ResponseFormat> element MUST have the 'Format' attribute
163	         set to "DECIMAL", and the 'Length' attribute MUST be between 6
164	         and 9.

166	         - The <PINPolicy> element MAY be present but the <Format> child
167	         element of the <PINPolicy> element cannot be set to
168	         "Algorithmic".

170	      An example of a <Key> of this algorithm is as follows.

172	  <?xml version="1.0" encoding="UTF-8"?>
173	  <KeyContainer Version="1.0"
174	  xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
175	      <Device>
176	          <DeviceInfo>
177	              <Manufacturer>TokenVendorAcme</Manufacturer>
178	              <SerialNo>987654322</SerialNo>
179	          </DeviceInfo>
180	          <Key KeyId="12345678"
181	          KeyAlgorithm=
182	      "urn:ietf:params:xml:ns:keyprov:pskc#OCRA-1:HOTP-SHA512-8:C-QN08">
183	              <Issuer>Issuer</Issuer>
184	              <Usage CR="true">
185	                <ChallengeFormat Min="8" Max="8" Format="DECIMAL"/>
186	                <ResponseFormat Length="8" Format="DECIMAL"/>
187	              </Usage>
188	              <Data>
189	                <Secret>
190	                   <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue>
191	                </Secret>
192	                <Counter>
193	                  <PlainValue>0</PlainValue>
194	                </Counter>
195	              </Data>
196	          </Key>
197	      </Device>
198	  </KeyContainer>

200	4.  TOTP (OATH Time based OTP)

202	   Common Name:  TOTP

204	   Class:  OTP

206	   URI:  urn:ietf:params:xml:ns:keyprov:pskc#totp

208	   Algorithm Definition:
209	      http://tools.ietf.org/id/draft-mraihi-totp-timebased-05.txt

211	   Identifier Definition  (this RFC)

213	   Registrant Contact:  IESG

215	   Profile of XML attributes and subelements of the <Key> entity:

217	      For a <Key> of this algorithm, the <Usage> subelements MUST be
218	      present.  The "OTP" attribute of the <Usage> MUST be set "true"
219	      and it MUST be the only attribute set.  The element
220	      <ResponseFormat> of the <Usage> MUST be used to indicate the OTP
221	      length and the value format.

223	      For the <Data> elements of a <Key> of this algorithm, the
224	      following subelements MUST be present in either the <Key> element
225	      itself or an commonly shared <KeyProperties> element.

227	      *  Time

229	      *  TimeInterval

231	      The following additional constraints apply:

233	         - The value of the <Secret> element MUST contain key material
234	         with a lengthy of at least 16 octets (128 bits) if it is
235	         present.

237	         - The <ResponseFormat> element MUST have the 'Format' attribute
238	         set to "DECIMAL", and the 'Length' attribute MUST be between 6
239	         and 9.

241	         - The <PINPolicy> element MAY be present but the <Format> child
242	         element of the <PINPolicy> element cannot be set to
243	         "Algorithmic".

245	      An example of a <Key> of this algorithm is as follows.

247	   <?xml version="1.0" encoding="UTF-8"?>
248	   <KeyContainer Version="1.0"
249	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
250	       <Device>
251	           <DeviceInfo>
252	               <Manufacturer>TokenVendorAcme</Manufacturer>
253	               <SerialNo>987654323</SerialNo>
254	           </DeviceInfo>
255	           <Key KeyAlgorithm="urn:ietf:params:xml:ns:keyprov:pskc#totp"
256	           KeyId="987654323">
257	               <Issuer>Issuer</Issuer>
258	               <Usage OTP="true">
259	                   <ResponseFormat Length="6" Format="DECIMAL"/>
260	               </Usage>
261	               <Data>
262	                   <Secret>
263	                       <PlainValue>
264	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
265	                       </PlainValue>
266	                   </Secret>
267	                   <Time>
268	                       <PlainValue>0</PlainValue>
269	                   </Time>
270	                   <TimeInterval>
271	                       <PlainValue>30</PlainValue>
272	                   </TimeInterval>
273	                   <TimeDrift>
274	                       <PlainValue>4</PlainValue>
275	                   </TimeDrift>
276	               </Data>
277	           </Key>
278	       </Device>
279	   </KeyContainer>

281	5.  SecurID-AES

283	   Common Name:  SecurID-AES

285	   Class:  OTP

287	   URI:  http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
288	      otps-wst#SecurID-AES

290	   Algorithm Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

292	   Identifier Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

294	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
295	      EMC, <andrea.doherty@rsa.com>

297	   Profile of XML attributes and subelements of the <Key> entity:

299	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
300	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
301	      <Usage> MUST be set to "true" and it MUST be the only attribute
302	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
303	      indicate the OTP length and the value format.

305	      The following additional constraints apply:

307	         - The value of the <Secret> element MUST contain key material
308	         with a lengthy of at least 16 octets (128 bits) if it is
309	         present.

311	         - The <ResponseFormat> element MUST have the 'Format' attribute
312	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
313	         minimum value of 6.

315	         - The <StartDate> and <ExpiryDate> elements MUST be of type
316	         <xs:dateTime>.

318	         - The <PINPolicy> element MAY be present but the <Format> child
319	         element of the <PINPolicy> element cannot be set to
320	         "Algorithmic".

322	      An example of a <Key> of this algorithm is as follows.

324	 <?xml version="1.0" encoding="UTF-8"?>
325	 <KeyContainer Version="1.0"
326	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
327	   <Device>
328	     <DeviceInfo>
329	       <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
330	       <SerialNo>123456798</SerialNo>
331	     </DeviceInfo>
332	     <Key
333	       KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/2005
334	       /09/otps-wst#SecurID-AES
335	       KeyId="23456789">
336	       <Issuer>Issuer</Issuer>
337	       <Usage OTP="true>
338	         <ResponseFormat Length="6" Format="DECIMAL"/>
339	       </Usage>
340	       <StartDate>2006-04-14T00:00:00Z</StartDate>
341	       <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
342	     </Key>
343	   </Device>
344	 </KeyContainer>

346	6.  SecurID-AES-Counter

348	   Common Name:  SecurID-AES-Counter

350	   Class:  OTP

352	   URI:  http://www.rsa.com/names/2008/04/algorithms/SecurID/
353	      SecurID-AES128-Counter

355	   Algorithm Definition:  http://www.rsa.com/names/2008/04/algorithms/
356	      SecurID/SecurID-AES128-Counter

358	   Identifier Definition  http://www.rsa.com/names/2008/04/algorithms/
359	      SecurID/SecurID-AES128-Counter

361	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
362	      EMC, <andrea.doherty@rsa.com>

364	   Profile of XML attributes and subelements of the <Key> entity:

366	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
367	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
368	      <Usage> MUST be set to "true" and it MUST be the only attribute
369	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
370	      indicate the OTP length and the value format.

372	      For the Data elements of a <Key> of this algorithm, the following
373	      subelements MUST be present in either the <Key> element itself or
374	      an commonly shared <KeyProperties> element.

376	      *  Counter

378	      The following additional constraints apply:

380	         - The value of the <Secret> element MUST contain key material
381	         with a lengthy of at least 16 octets (128 bits) if it is
382	         present.

384	         - The <ResponseFormat> element MUST have the 'Format' attribute
385	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
386	         minimum value of 6.

388	         - The <StartDate> and <ExpiryDate> elements MUST be of type
389	         <xs:dateTime>.

391	         - The <PINPolicy> element MAY be present but the <Format> child
392	         element of the <PINPolicy> element cannot be set to
393	         "Algorithmic".

395	      An example of a <Key> of this algorithm is as follows.

397	<?xml version="1.0" encoding="UTF-8"?>
398	<KeyContainer Version="1.0"
399	  xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
400	    <Device>
401	       <DeviceInfo>
402	          <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
403	          <SerialNo>123456798</SerialNo>
404	       </DeviceInfo>
405	       <Key
406	          KeyAlgorithm=http://www.rsa.com/names/2008/04/algorithms/
407	          SecurID/SecurID-AES128-Counter
408	          KeyId="23456789">
409	          <Issuer>Issuer</Issuer>
410	          <Usage OTP="true>
411	            <ResponseFormat Length="6" Format="DECIMAL"/>
412	          </Usage>
413	          <StartDate>2006-04-14T00:00:00Z</StartDate>
414	          <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
415	          <Data>
416	            <Secret>
417	              <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
418	              </PlainValue>
419	            </Secret>
420	            <Counter>
421	              <PlainValue>0</PlainValue>
422	            </Counter>
423	          </Data>
424	        </Key>
425	    </Device>
426	</KeyContainer>
427	7.  SecurID-ALGOR

429	   Common Name:  SecurID-ALGOR

431	   Class:  OTP

433	   URI:  http://www.rsasecurity.com/rsalabs/otps/schemas/2005/09/
434	      otps-wst#SecurID-ALGOR

436	   Algorithm Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

438	   Identifier Definition:  http://www.rsa.com/rsalabs/node.asp?id=2821

440	   Registrant Contact:  Andrea Doherty, RSA the Security Division of
441	      EMC, <andrea.doherty@rsa.com>

443	   Profile of XML attributes and subelements of the <Key> entity:

445	      For a <Key> of this algorithm, the <StartDate>, <ExpiryDate>, and
446	      <Usage> sub-elements MUST be present.  The "OTP" attribute of
447	      <Usage> MUST be set to "true" and it MUST be the only attribute
448	      set.  The <ResponseFormat> sub-element of <Usage> MUST be used to
449	      indicate the OTP length and the value format.

451	      The following additional constraints apply:

453	         - The value of the <Secret> element MUST contain key material
454	         with a lengthy of at least 8 octets (64 bits) if it is present.

456	         - The <ResponseFormat> element MUST have the 'Format' attribute
457	         set to "DECIMAL", and the 'Length' attribute MUST be set to a
458	         value of 6 through 8.

460	         - The <StartDate> and <ExpiryDate> elements MUST be of type
461	         <xs:dateTime>.

463	         - The <PINPolicy> element MAY be present but the <Format> child
464	         element of the <PINPolicy> element cannot be set to
465	         "Algorithmic".

467	      An example of a <Key> of this algorithm is as follows.

469	   <?xml version="1.0" encoding="UTF-8"?>
470	   <KeyContainer Version="1.0"
471	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0"
472	     <Device>
473	       <DeviceInfo>
474	         <Manufacturer>RSA, The Security Division of EMC</Manufacturer>
475	         <SerialNo>123456798</SerialNo>
476	       </DeviceInfo>
477	       <Key
478	           KeyAlgorithm=http://www.rsasecurity.com/rsalabs/otps/schemas/
479	           2005/09/otps-wst#SecurID-ALGOR KeyId="23456789">
480	         <Issuer>Issuer</Issuer>
481	         <Usage OTP="true>
482	            <ResponseFormat Length="6" Format="DECIMAL"/>
483	         </Usage>
484	         <StartDate>2006-04-14T00:00:00Z</StartDate>
485	         <ExpiryDate>2010-09-30T00:00:00Z</ExpiryDate>
486	       </Key>
487	     </Device>
488	   </KeyContainer>

490	8.  ActivIdentity-3DES

492	   Common Name:  ActivIdentity-3DES

494	   Class:  OTP

496	   URI:  http://www.actividentity.com/2008/04/algorithms/
497	      algorithms#ActivIdentity-3DES

499	   Algorithm Definition:  http://www.actividentity.com/2008/04/
500	      algorithms/algorithms#ActivIdentity-3DES

502	   Identifier Definition  http://www.actividentity.com/2008/04/
503	      algorithms/algorithms#ActivIdentity-3DES

505	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
506	      <philip.hoyer@actividentity.com>

508	   Profile of XML attributes and subelements of the <Key> entity:

510	      For a <Key> of this algorithm, the <Usage> subelements MUST be
511	      present.  This algorithm can be used for otp, challenge response,
512	      parameter based MACing (integrity) and to generate a device unlock
513	      code (n case of devices where there is local PIN management and
514	      the devce has been locked after a specific amount of wrong PIN
515	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
516	      attribute of the <Usage> can be set to "true", but at least one of
517	      the above MUST be set to true.  The element <ResponseFormat> of
518	      the <Usage> MUST be used to indicate the OTP length, the value
519	      format and optionally if a check digit is being used.  If the use
520	      is challenge-response then the <ChallengeFormat> of the <Usage>
521	      MUST be used to indicate the challenge minimum and maximum length,
522	      its format and optionally if a check digit is being used.

524	      For the <Data> elements of a <Key> of this algorithm, the
525	      following subelements MUST be present in either the <Key> element
526	      itself or an commonly shared <KeyProperties> element.

528	      *  Secret

530	      *  Counter

532	      *  Time

534	      *  TimeInterval
535	      The following additional constraints apply:

537	         - The value of the <Secret> element MUST contain key material
538	         with a length of at least 16 octets (Double DES keys 128 bits
539	         including parity) if it is present.

541	         - The <ResponseFormat> element MUST have the 'Format' attribute
542	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
543	         MUST be between 6 and 16.

545	         - The <ChallengeFormat> element MUST have the 'Format'
546	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
547	         be between 4 and 16 (The Min attribute MUST be equal or less
548	         than the Max).

550	         - The <PINPolicy> element MAY be present but the <Format> child
551	         element of the <PINPolicy> element cannot be set to
552	         "Algorithmic".

554	      An example of a Key of this algorithm is as follows.

556	   <?xml version="1.0" encoding="UTF-8"?>
557	   <KeyContainer Version="1.0"
558	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
559	       <Device>
560	           <DeviceInfo>
561	               <Manufacturer>ActivIdentity</Manufacturer>
562	               <SerialNo>34567890</SerialNo>
563	           </DeviceInfo>
564	           <Key KeyAlgorithm="http://www.actividentity.com/
565	           2008/04/algorithms/algorithms#ActivIdentity-3DES"
566	           KeyId="12345677">
567	               <Issuer>Issuer</Issuer>
568	               <Usage OTP="true">
569	                   <ResponseFormat Length="8" Format="DECIMAL"/>
570	               </Usage>
571	               <Data>
572	                   <Secret>
573	                       <PlainValue>
574	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
575	                       </PlainValue>
576	                   </Secret>
577	                   <Counter>
578	                       <PlainValue>0</PlainValue>
579	                   </Counter>
580	                   <Time>
581	                       <PlainValue>0</PlainValue>
582	                   </Time>
583	                   <TimeInterval>
584	                       <PlainValue>32</PlainValue>
585	                   </TimeInterval>
586	                   <TimeDrift>
587	                       <PlainValue>0</PlainValue>
588	                   </TimeDrift>
589	               </Data>
590	           </Key>
591	       </Device>
592	   </KeyContainer>

594	9.  ActivIdentity-AES

596	   Common Name:  ActivIdentity-AES

598	   Class:  OTP

600	   URI:  http://www.actividentity.com/2008/04/algorithms/
601	      algorithms#ActivIdentity-AES

603	   Algorithm Definition:  http://www.actividentity.com/2008/04/
604	      algorithms/algorithms#ActivIdentity-AES

606	   Identifier Definition  http://www.actividentity.com/2008/04/
607	      algorithms/algorithms#ActivIdentity-AES

609	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
610	      <philip.hoyer@actividentity.com>

612	   Profile of XML attributes and subelements of the <Key> entity:

614	      For a <Key> of this algorithm, the <Usage> subelements MUST be
615	      present.  This algorithm can be used for otp, challenge response,
616	      parameter based MACing (integrity) and to generate a device unlock
617	      code (n case of devices where there is local PIN management and
618	      the devce has been locked after a specific amount of wrong PIN
619	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
620	      attribute of the <Usage> can be set to "true", but at least one of
621	      the above MUST be set to true.  The element <ResponseFormat> of
622	      the <Usage> MUST be used to indicate the OTP length, the value
623	      format and optionally if a check digit is being used.  If the use
624	      is challenge-response then the <ChallengeFormat> of the <Usage>
625	      MUST be used to indicate the challenge minimum and maximum length,
626	      its format and optionally if a check digit is being used.

628	      For the <Data> elements of a key of this algorithm, the following
629	      subelements MUST be present in either the <Key> element itself or
630	      an commonly shared <KeyProperties> element.

632	      *  Secret

634	      *  Counter

636	      *  Time

638	      *  TimeInterval
639	      The following additional constraints apply:

641	         - The value of the <Secret> element MUST contain key material
642	         with a length of at least 16 octets (128 bits) if it is
643	         present.

645	         - The <ResponseFormat> element MUST have the 'Format' attribute
646	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
647	         MUST be between 6 and 16.

649	         - The <ChallengeFormat> element MUST have the 'Format'
650	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
651	         be between 4 and 16 (The Min attribute MUST be equal or less
652	         than the Max).

654	         - The <PINPolicy> element MAY be present but the <Format> child
655	         element of the <PINPolicy> element cannot be set to
656	         "Algorithmic".

658	      An example of a <Key> of this algorithm is as follows.

660	   <?xml version="1.0" encoding="UTF-8"?>
661	   <KeyContainer Version="1.0"
662	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
663	       <Device>
664	           <DeviceInfo>
665	               <Manufacturer>ActivIdentity</Manufacturer>
666	               <SerialNo>34567890</SerialNo>
667	           </DeviceInfo>
668	           <Key KeyAlgorithm="http://www.actividentity.com/
669	           2008/04/algorithms/algorithms#ActivIdentity-AES"
670	           KeyId="12345677">
671	               <Issuer>Issuer</Issuer>
672	               <Usage OTP="true">
673	                   <ResponseFormat Length="8" Format="DECIMAL"/>
674	               </Usage>
675	               <Data>
676	                   <Secret>
677	                       <PlainValue>
678	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
679	                       </PlainValue>
680	                   </Secret>
681	                   <Counter>
682	                       <PlainValue>0</PlainValue>
683	                   </Counter>
684	                   <Time>
685	                       <PlainValue>0</PlainValue>
686	                   </Time>
687	                   <TimeInterval>
688	                       <PlainValue>32</PlainValue>
689	                   </TimeInterval>
690	                   <TimeDrift>
691	                       <PlainValue>0</PlainValue>
692	                   </TimeDrift>
693	               </Data>
694	           </Key>
695	       </Device>
696	   </KeyContainer>

698	10.  ActivIdentity-DES

700	   Common Name:  ActivIdentity-DES

702	   Class:  OTP

704	   URI:  http://www.actividentity.com/2008/04/algorithms/
705	      algorithms#ActivIdentity-DES

707	   Algorithm Definition:  http://www.actividentity.com/2008/04/
708	      algorithms/algorithms#ActivIdentity-DES

710	   Identifier Definition  http://www.actividentity.com/2008/04/
711	      algorithms/algorithms#ActivIdentity-DES

713	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
714	      <philip.hoyer@actividentity.com>

716	   Profile of XML attributes and subelements of the <Key> entity:

718	      For a <Key> of this algorithm, the <Usage> subelements MUST be
719	      present.  This algorithm can be used for otp, challenge response,
720	      parameter based MACing (integrity) and to generate a device unlock
721	      code (n case of devices where there is local PIN management and
722	      the devce has been locked after a specific amount of wrong PIN
723	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
724	      attribute of the <Usage> can be set to "true", but at least one of
725	      the above MUST be set to true.  The element <ResponseFormat> of
726	      the <Usage> MUST be used to indicate the OTP length, the value
727	      format and optionally if a check digit is being used.  If the use
728	      is challenge-response then the <ChallengeFormat> of the <Usage>
729	      MUST be used to indicate the challenge minimum and maximum length,
730	      its format and optionally if a check digit is being used.

732	      For the <Data> elements of a key of this algorithm, the following
733	      subelements MUST be present in either the <Key> element itself or
734	      an commonly shared <KeyProperties> element.

736	      *  Counter

738	      *  Time

740	      *  TimeInterval

742	      The following additional constraints apply:

744	         - The value of the <Secret> element MUST contain key material
745	         with a length of at least 8 octets (56 bits + parity) if it is
746	         present.

748	         - The <ResponseFormat> element MUST have the 'Format' attribute
749	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
750	         MUST be between 6 and 16.

752	         - The <ChallengeFormat> element MUST have the 'Format'
753	         attribute set to "DECIMAL", and the 'Min' and 'Max' attributes
754	         be between 4 and 16 (The Min attribute MUST be equal or less
755	         than the Max).

757	         - The <PINPolicy> element MAY be present but the <Format> child
758	         element of the <PINPolicy> element cannot be set to
759	         "Algorithmic".

761	      An example of a <Key> of this algorithm is as follows.

763	   <?xml version="1.0" encoding="UTF-8"?>
764	   <KeyContainer Version="1.0"
765	   xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
766	       <Device>
767	           <DeviceInfo>
768	               <Manufacturer>ActivIdentity</Manufacturer>
769	               <SerialNo>34567890</SerialNo>
770	           </DeviceInfo>
771	           <Key KeyAlgorithm="http://www.actividentity.com/
772	           2008/04/algorithms/algorithms#ActivIdentity-DES"
773	           KeyId="12345677">
774	               <Issuer>Issuer</Issuer>
775	               <Usage OTP="true">
776	                   <ResponseFormat Length="8" Format="DECIMAL"/>
777	               </Usage>
778	               <Data>
779	                   <Secret>
780	                       <PlainValue>
781	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
782	                       </PlainValue>
783	                   </Secret>
784	                   <Counter>
785	                       <PlainValue>0</PlainValue>
786	                   </Counter>
787	                   <Time>
788	                       <PlainValue>0</PlainValue>
789	                   </Time>
790	                   <TimeInterval>
791	                       <PlainValue>32</PlainValue>
792	                   </TimeInterval>
793	                   <TimeDrift>
794	                       <PlainValue>0</PlainValue>
795	                   </TimeDrift>
796	               </Data>
797	           </Key>
798	       </Device>
799	   </KeyContainer>

801	11.  ActivIdentity-EVENT

803	   Common Name:  ActivIdentity-EVENT

805	   Class:  OTP

807	   URI:  http://www.actividentity.com/2008/04/algorithms/
808	      algorithms#ActivIdentity-EVENT

810	   Algorithm Definition:  http://www.actividentity.com/2008/04/
811	      algorithms/algorithms#ActivIdentity-EVENT

813	   Identifier Definition  http://www.actividentity.com/2008/04/
814	      algorithms/algorithms#ActivIdentity-EVENT

816	   Registrant Contact:  Philip Hoyer, ActivIdentity Inc,
817	      <philip.hoyer@actividentity.com>

819	   Profile of XML attributes and subelements of the <Key> entity:

821	      For a <Key> of this algorithm, the <Usage> subelements MUST be
822	      present.  This algorithm can be used for otp, challenge response,
823	      parameter based MACing (integrity) and to generate a device unlock
824	      code (n case of devices where there is local PIN management and
825	      the device has been locked after a specific amount of wrong PIN
826	      entry attempts).  Hence the "OTP", "CR","Integrity" and "Unlock"
827	      attribute of the <Usage> can be set to "true", but at least one of
828	      the above MUST be set to true.  The element <ResponseFormat> of
829	      the <Usage> MUST be used to indicate the OTP length, the value
830	      format and optionally if a check digit is being used.  If the use
831	      is challenge-response then the <ChallengeFormat> of the <Usage>
832	      MUST be used to indicate the challenge minimum and maximum length,
833	      its format and optionally if a check digit is being used.

835	      For the <Data> elements of a key of this algorithm, the following
836	      subelements MUST be present in either the <Key> element itself or
837	      an commonly shared <KeyProperties> element.

839	      *  Counter

841	      The following additional constraints apply:

843	         - The value of the <Secret> element MUST contain key material
844	         with a length of at least 8 octets (56 bits + parity) if it is
845	         present.

847	         - The <ResponseFormat> element MUST have the 'Format' attribute
848	         set to "DECIMAL" or "HEXADECIMAL", and the 'Length' attribute
849	         MUST be between 6 and 16.

851	         - The <PINPolicy> element MAY be present but the <Format> child
852	         element of the <PINPolicy> element cannot be set to
853	         "Algorithmic".

855	      An example of a <Key> of this algorithm is as follows.

857	   <?xml version="1.0" encoding="UTF-8"?>
858	   <KeyContainer Version="1.0"
859	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc:1.0">
860	       <Device>
861	           <DeviceInfo>
862	               <Manufacturer>ActivIdentity</Manufacturer>
863	               <SerialNo>34567890</SerialNo>
864	           </DeviceInfo>
865	           <Key KeyAlgorithm="http://www.actividentity.com/
866	           2008/04/algorithms/algorithms#ActivIdentity-EVENT"
867	           KeyId="12345677">
868	               <Issuer>Issuer</Issuer>
869	               <Usage OTP="true">
870	                   <ResponseFormat Length="8" Format="DECIMAL"/>
871	               </Usage>
872	               <Data>
873	                   <Secret>
874	                       <PlainValue>
875	                       MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
876	                       </PlainValue>
877	                   </Secret>
878	                   <Counter>
879	                       <PlainValue>0</PlainValue>
880	                   </Counter>
881	               </Data>
882	           </Key>
883	       </Device>
884	   </KeyContainer>

886	12.  Security Considerations

888	   [Editor's Note: Security considerations regarding the algorithms go
889	   in here.]

891	13.  IANA Considerations

893	   [Editor's Note: The registration of the algorithm profiles goes in
894	   here.]

896	14.  Acknowledgements

898	   Add your name here.

900	15.  References

902	15.1.  Normative References

904	   [RFC2119]  "Key words for use in RFCs to Indicate Requirement
905	              Levels", BCP 14, RFC 2119, March 1997.

907	15.2.  Informative References

909	   [PSKC]     Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
910	              Key Container", Internet Draft Informational,
911	              URL: http://tools.ietf.org/html/
912	              draft-ietf-keyprov-pskc-05, January 2010.

914	Authors' Addresses

916	   Philip Hoyer
917	   ActivIdentity, Inc.
918	   117 Waterloo Road
919	   London, SE1  8UL
920	   UK

922	   Phone: +44 (0) 20 7744 6455
923	   Email: Philip.Hoyer@actividentity.com

925	   Mingliang Pei
926	   VeriSign, Inc.
927	   487 E. Middlefield Road
928	   Mountain View, CA  94043
929	   USA

931	   Phone: +1 650 426 5173
932	   Email: mpei@verisign.com

934	   Salah Machani
935	   Diversinet, Inc.
936	   2225 Sheppard Avenue East
937	   Suite 1801
938	   Toronto, Ontario  M2J 5C2
939	   Canada

941	   Phone: +1 416 756 2324 Ext. 321
942	   Email: smachani@diversinet.com

944	   Andrea Doherty
945	   RSA, The Security Division of EMC
946	   174 Middlesex Tpk.
947	   Bedford, MA  01730
948	   USA

950	   Email: adoherty@rsa.com