idnits 2.17.1 draft-ietf-curdle-pkix-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 8 characters in excess of 72. == There are 8 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 8, 2016) is 2933 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 283 -- Looks like a reference, but probably isn't: '1' on line 284 ** Downref: Normative reference to an Informational RFC: RFC 5915 ** Downref: Normative reference to an Informational RFC: RFC 7748 == Outdated reference: A later version (-08) exists of draft-irtf-cfrg-eddsa-00 ** Downref: Normative reference to an Informational draft: draft-irtf-cfrg-eddsa (ref. 'I-D.irtf-cfrg-eddsa') Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Josefsson 3 Internet-Draft SJD AB 4 Intended status: Standards Track April 8, 2016 5 Expires: October 10, 2016 7 EdDSA, Ed25519, Ed448, Curve25519 and Curve448 for X.509 8 draft-ietf-curdle-pkix-00 10 Abstract 12 This document specify algorithm identifiers and ASN.1 encoding 13 formats for EdDSA digital signatures, subject public keys, and a 14 "named curve" object identifier, used in the Internet X.509 Public 15 Key Infrastructure. Parameters for Ed25519, Ed25519ph, Ed448, 16 Ed448ph, Curve25519 and Curve448 are defined. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on October 10, 2016. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Requirements Terminology . . . . . . . . . . . . . . . . . . 3 54 3. Curve25519 and Curve448 Named Curve Identifier . . . . . . . 3 55 4. Subject Public Key Information Fields . . . . . . . . . . . . 3 56 5. EdDSA Public Keys . . . . . . . . . . . . . . . . . . . . . . 4 57 6. Key Usage Bits . . . . . . . . . . . . . . . . . . . . . . . 5 58 7. EdDSA Signatures . . . . . . . . . . . . . . . . . . . . . . 5 59 8. Private Key Format . . . . . . . . . . . . . . . . . . . . . 6 60 9. Human Readable Algorithm Names . . . . . . . . . . . . . . . 7 61 10. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 7 62 11. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 11.1. Example Ed25519ph Public Key . . . . . . . . . . . . . . 8 64 11.2. Example Ed25519ph Certificate . . . . . . . . . . . . . 8 65 11.3. Example Ed25519ph Private Key . . . . . . . . . . . . . 10 66 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 67 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 68 14. Security Considerations . . . . . . . . . . . . . . . . . . . 11 69 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 70 15.1. Normative References . . . . . . . . . . . . . . . . . . 11 71 15.2. Informative References . . . . . . . . . . . . . . . . . 12 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 74 1. Introduction 76 In [RFC7748], the elliptic curves Curve25519 and Curve448 are 77 described. They are designed with performance and security in mind. 78 The curves may be used for Diffie-Hellman and Digital Signature 79 operations. In [I-D.irtf-cfrg-eddsa] the elliptic curve signature 80 system EdDSA is described and the recommended choice of curves 81 Ed25519/Ed448 are chosen. For each curve, two modes are defined, the 82 PureEdDSA mode without pre-hashing (Ed25519 and Ed448), and the 83 HashEdDSA mode with pre-hashing (Ed25519ph and Ed448ph). 85 This RFC defines ASN.1 object identifiers for EdDSA for use in the 86 Internet X.509 PKI [RFC5280], and parameters for Ed25519, Ed25519ph, 87 Ed448 and Ed448ph. This document serves a similar role as [RFC3279] 88 does for RSA (and more), [RFC4055] for RSA-OAEP/PSS, and [RFC5758] 89 for SHA2-based (EC)DSA. This document also specify ASN.1 "named 90 curve" object identifiers for Curve25519 and Curve448, similar to 91 what is done in [RFC5639]. This allows the curves to be used and 92 referenced in PKIX standards and software, in particular enabling re- 93 use of existing constructs already defined for ECDSA/ECDH but for the 94 new curves. Similar to [RFC5639], this document does not describe 95 the cryptographic algorithms to be used with the specified parameters 96 nor their application in other standards. 98 2. Requirements Terminology 100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 102 document are to be interpreted as described in [RFC2119]. 104 3. Curve25519 and Curve448 Named Curve Identifier 106 Certificates conforming to [RFC5280] may convey a public key for any 107 public key algorithm. The certificate indicates the algorithm 108 through an algorithm identifier. This algorithm identifier is an OID 109 and optionally associated parameters. Section 2.3.5 of [RFC3279] 110 describe ECDSA/ECDH public keys, specifying the id-ecPublicKey OID. 111 This OID has the associated EcpkParameters parameters structure, 112 which contains the namedCurve CHOICE. Here we introduce two new OIDs 113 for use in the namedCurve field. 115 id-Curve25519 OBJECT IDENTIFIER ::= { 1.3.101.110 } 116 id-Curve448 OBJECT IDENTIFIER ::= { 1.3.101.111 } 117 id-Curve25519ph OBJECT IDENTIFIER ::= { 1.3.101.112 } 118 id-Curve448ph OBJECT IDENTIFIER ::= { 1.3.101.113 } 120 The OID id-Curve25519 refers to Curve25519. The OID id-Curve448 121 refers to Curve448. Both curves are described in [RFC7748]. The 122 OIDs id-Curve25519ph and id-Curve448ph refers to Curve25519 and 123 Curve448 when used with pre-hashing as Ed25519ph and Ed448ph 124 described in [I-D.irtf-cfrg-eddsa]. 126 The public key value encoded into the ECPoint value is the raw binary 127 values described in [RFC7748]. 129 4. Subject Public Key Information Fields 131 In the X.509 certificate, the subjectPublicKeyInfo field has the 132 SubjectPublicKeyInfo type, which has the following ASN.1 syntax: 134 SubjectPublicKeyInfo ::= SEQUENCE { 135 algorithm AlgorithmIdentifier, 136 subjectPublicKey BIT STRING 137 } 139 The fields in SubjectPublicKeyInfo have the following meanings: 141 o algorithm is the algorithm identifier and parameters for the 142 public key (see below). 144 o subjectPublicKey is the EdDSA public key. 146 The AlgorithmIdentifier type, which is included for convenience, is 147 defined as follows: 149 AlgorithmIdentifier ::= SEQUENCE { 150 algorithm OBJECT IDENTIFIER, 151 parameters ANY DEFINED BY algorithm OPTIONAL 152 } 154 The fields in AlgorithmIdentifier have the following meanings: 156 o algorithm identifies the cryptographic algorithm with an object 157 identifier. This is the EdDSA OID defined below. 159 o parameters, which are optional, are the associated parameters for 160 the algorithm identifier in the algorithm field. 162 5. EdDSA Public Keys 164 Certificates conforming to [RFC5280] may convey a public key for any 165 public key algorithm. The certificate indicates the algorithm 166 through an algorithm identifier. This algorithm identifier is an OID 167 and optionally associated parameters. 169 This section identify the OID and parameters for the EdDSA algorithm. 170 Conforming CAs MUST use the identified OIDs when issuing certificates 171 containing EdDSA public keys. Conforming applications supporting 172 EdDSA MUST, at a minimum, recognize the OID identified in this 173 section. 175 The id-EdDSAPublicKey OID is used for identifying EdDSA public keys. 177 id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 } 179 The id-EdDSAPublicKey OID is intended to be used in the algorithm 180 field of a value of type AlgorithmIdentifier. 182 EdDSA public keys use the parameter field to specify the particular 183 instantiation of EdDSA parameters. The parameters field have the 184 ASN.1 type EdDSAParameters as follows. 186 EdDSAParameters ::= ENUMERATED { ed25519 (1), 187 ed25519ph (2) } 188 ed448 (3) } 189 ed448ph (4) } 191 The EdDSAParameters enumeration may be extended in the future. 193 The "ed25519" and "ed448" values correspond to the PureEdDSA 194 variants, and the "ed25519ph" and "ed448ph" values correspond to the 195 HashEdDSA variants, as discussed in [I-D.irtf-cfrg-eddsa]. 197 The raw binary EdDSA public key is encoded directly in the 198 subjectPublicKey BIT STRING object. Note that unlike some other 199 schemes, there is no additional OCTET STRING encoding step. 201 6. Key Usage Bits 203 The intended application for the key MAY be indicated in the keyUsage 204 certificate extension. 206 If the keyUsage extension is present in an end-entity certificate 207 that conveys an EdDSA public key with the id-EdDSAPublicKey object 208 identifier, then the keyUsage extension MUST contain one or both of 209 the following values: 211 nonRepudiation; and 212 digitalSignature. 214 If the keyUsage extension is present in a certification authority 215 certificate that conveys an EdDSA public key with the id- 216 EdDSAPublicKey object identifier, then the keyUsage extension MUST 217 contain one or more of the following values: 219 nonRepudiation; 220 digitalSignature; 221 keyCertSign; and 222 cRLSign. 224 7. EdDSA Signatures 226 Certificates and CRLs conforming to [RFC5280] may be signed with any 227 public key signature algorithm. The certificate or CRL indicates the 228 algorithm through an algorithm identifier which appears in the 229 signatureAlgorithm field within the Certificate or CertificateList. 230 This algorithm identifier is an OID and has optionally associated 231 parameters. For illustration the Certificate structure is reproduced 232 here: 234 Certificate ::= SEQUENCE { 235 tbsCertificate TBSCertificate, 236 signatureAlgorithm AlgorithmIdentifier, 237 signatureValue BIT STRING } 239 Recall the definition of the AlgorithmIdentifier type: 241 AlgorithmIdentifier ::= SEQUENCE { 242 algorithm OBJECT IDENTIFIER, 243 parameters ANY DEFINED BY algorithm OPTIONAL 244 } 246 This document identify an AlgorithmIdentifier OID for EdDSA 247 signatures. No parameters are defined. The EdDSA parameters follow 248 from the public-key parameters. 250 The data to be signed is prepared for EdDSA. Then, a private key 251 operation is performed to generate the signature value. This value 252 is the opaque value ENC(R) || ENC(S) described in section 3.3 of 253 [I-D.irtf-cfrg-eddsa]. This signature value is then ASN.1 encoded as 254 a BIT STRING and included in the Certificate or CertificateList in 255 the signatureValue field. 257 The id-EdDSASignature OID is used for identifying EdDSA signatures. 259 id-EdDSASignature OBJECT IDENTIFIER ::= { 1 3 101 101 } 261 The id-EdDSASignature OID is intended to be used in the algorithm 262 field of a value of type AlgorithmIdentifier. The parameters field 263 MUST be absent. To further clarify how to encode the parameters 264 field, due to historical misunderstandings in this area, it MUST NOT 265 have an ASN.1 type NULL. 267 8. Private Key Format 269 In Elliptic Curve Private Key Structure [RFC5915] it is described how 270 to encode elliptic curve private keys. Unfortunately, that format is 271 specific to how traditional elliptic curve cryptography works so in 272 order to re-use the format some details has to be modified for EdDSA, 273 Curve25519 and Curve448. In particular, [RFC5915] assumes that EC 274 private keys are unsigned integers, but for EdDSA, Curve25519 and 275 Curve448 private keys are opaque binary byte sequences. 277 For illustration, the ASN.1 structure ECPrivateKey as defined by 278 [RFC5915] is repeated here. 280 ECPrivateKey ::= SEQUENCE { 281 version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), 282 privateKey OCTET STRING, 283 parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, 284 publicKey [1] BIT STRING OPTIONAL 285 } 287 To encode a EdDSA, Curve25519 or Curve448 private key, the 288 "privateKey" field will hold the raw binary private key rather than 289 any I2OSP-converted data as described by [RFC5915]. The ECParameters 290 field "parameters" will hold one of the NamedCurve OIDs described 291 earlier in this document. If present, the "publicKey" field will 292 hold the raw public key. Note that these requirements normatively 293 updates [RFC5915] on how these fields are interpreted, for the OIDs 294 defined in this document. 296 9. Human Readable Algorithm Names 298 For the purpose of consistent cross-implementation naming this 299 section establish human readable names for the algorithms specified 300 in this document. Implementations SHOULD use these names when 301 referring to the algorithms. If there is a strong reason to deviate 302 from these names -- for example, if the implementation has a 303 different naming convention and wants to maintain internal 304 consistency -- it is encouraged to deviate as little as possible from 305 the names given here. 307 Use the string "EdDSA" when referring to a public key or signature 308 when the parameter set is not known or relevant. 310 When the EdDSAParameters value is known, use a more specific string. 311 For the ed25519(1) value use the string "Ed25519". For the 312 ed25519ph(2) value use the string "Ed25519ph". For ed448(3) use 313 "Ed448". For ed448ph(4) use "Ed448ph". 315 10. ASN.1 Module 317 For reference purposes, the ASN.1 syntax is presented as an ASN.1 318 module here. 320 -- ASN.1 Module 322 safecurves-pkix-0 {1 3 101 120} 324 DEFINITIONS ::= BEGIN 326 id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 } 327 id-EdDSASignature OBJECT IDENTIFIER ::= { 1 3 101 101 } 329 id-Curve25519 OBJECT IDENTIFIER ::= { 1.3.101.110 } 330 id-Curve448 OBJECT IDENTIFIER ::= { 1.3.101.111 } 331 id-Curve25519ph OBJECT IDENTIFIER ::= { 1.3.101.112 } 332 id-Curve448ph OBJECT IDENTIFIER ::= { 1.3.101.113 } 334 EdDSAParameters ::= ENUMERATED { ed25519 (1), 335 ed25519ph (2) } 336 ed448 (3) } 337 ed448ph (4) } 339 END 341 11. Examples 343 This section contains illustrations of EdDSA public keys and 344 certificates, illustrating parameter choices. 346 11.1. Example Ed25519ph Public Key 348 An example of a Ed25519ph public key: 350 Public Key Information: 351 Public Key Algorithm: EdDSA 352 Algorithm Security Level: High 353 Parameters: Ed25519ph 355 Public Key Usage: 357 Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b 359 -----BEGIN PUBLIC KEY----- 360 MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE= 361 -----END PUBLIC KEY----- 363 11.2. Example Ed25519ph Certificate 365 An example of a PKIX certificate using Ed25519ph would be: 367 X.509 Certificate Information: 369 Version: 3 370 Serial Number (hex): 5601474a2a8dc326 371 Issuer: CN=Test Ed25519ph certificate 372 Validity: 373 Not Before: Tue Sep 22 12:19:24 UTC 2015 374 Not After: Fri Dec 31 23:59:59 UTC 9999 375 Subject: CN=Test Ed25519ph certificate 376 Subject Public Key Algorithm: Ed25519ph 377 Algorithm Security Level: High 378 Extensions: 379 Basic Constraints (critical): 380 Certificate Authority (CA): FALSE 381 Key Usage (critical): 382 Digital signature. 383 Subject Key Identifier (not critical): 384 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b 385 Signature Algorithm: Ed25519ph 386 Signature: 387 be:9d:f8:b4:19:07:99:c9:04:12:21:e7:85:33:55:76 388 b0:5f:29:70:77:bd:69:7a:a6:db:33:fe:c4:f5:3d:79 389 d2:ba:77:6d:68:9b:a3:e9:53:bc:a6:56:54:3f:fa:f4 390 1c:37:89:4e:c7:43:c0:3b:77:68:5d:98:f6:19:9d:05 391 Other Information: 392 SHA1 fingerprint: 393 a3b75d83a56e127d0728ed8563233cadf943757e 394 SHA256 fingerprint: 395 cab1d7df29bdf82270d2192997c81f1b333dc37e670d7e88068fbe9dd747da3a 396 Public Key ID: 397 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b 398 Public key's random art: 399 +---[Ed25519ph]---+ 400 | . | 401 | o ..| 402 | o.=| 403 | . . +=| 404 | S o .+oo| 405 | o o.++o| 406 | o ...*.o.| 407 | o Eo.oo | 408 | ooo ..o| 409 +-----------------+ 411 -----BEGIN CERTIFICATE----- 412 MIIBUTCCAQKgAwIBAgIIVgFHSiqNwyYwBgYEK2VkATAqMSgwJgYDVQQDEx9UZXN0 413 IEVkMjU1MTktU0hBNTEyIGNlcnRpZmljYXRlMCAXDTE1MDkyMjEyMTkyNFoYDzk5 414 OTkxMjMxMjM1OTU5WjAqMSgwJgYDVQQDEx9UZXN0IEVkMjU1MTktU0hBNTEyIGNl 415 cnRpZmljYXRlMC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbL 416 DFw4rXAxZuGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADAdBgNV 417 HQ4EFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBgYEK2VkAQNBAL6d+LQZB5nJBBIh 418 54UzVXawXylwd71peqbbM/7E9T150rp3bWibo+lTvKZWVD/69Bw3iU7HQ8A7d2hd 419 mPYZnQU= 420 -----END CERTIFICATE----- 422 11.3. Example Ed25519ph Private Key 424 An example of a Ed25519ph private key: 426 Public Key Info: 427 Public Key Algorithm: EdDSA 428 Key Security Level: High 430 parameters: Ed25519ph 431 private key: 432 d4:ee:72:db:f9:13:58:4a:d5:b6:d8:f1:f7:69:f8:ad 433 3a:fe:7c:28:cb:f1:d4:fb:e0:97:a8:8f:44:75:58:42 435 x: 436 19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b:96 437 c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31:66:e1 439 Public Key ID: 9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B 440 Public key's random art: 441 +---[Ed25519ph]---+ 442 | . | 443 | o ..| 444 | o.=| 445 | . . +=| 446 | S o .+oo| 447 | o o.++o| 448 | o ...*.o.| 449 | o Eo.oo | 450 | ooo ..o| 451 +-----------------+ 453 -----BEGIN EDDSA PRIVATE KEY----- 454 MCUKAQEEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC 455 -----END EdDSA PRIVATE KEY----- 457 12. Acknowledgements 459 Text and/or inspiration were drawn from [RFC5280], [RFC3279], 460 [RFC4055], [RFC5480], and [RFC5639]. 462 Several people suggested the utility of specifying NamedCurve OIDs 463 for encoding Curve25519/Curve448 public keys into PKIX certificates. 464 The editor of this document cannot take credit for this idea. 466 The following people discussed the document and provided feedback: 467 Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick Andrews, Rob 468 Stradling, James Manger, Nikos Mavrogiannopoulos, Russ Housley, Jim 469 Schaad. 471 A big thank you to Symantec for kindly donating the OIDs used in this 472 draft. 474 13. IANA Considerations 476 None. 478 14. Security Considerations 480 The security considerations of [RFC5280], [RFC7748], and 481 [I-D.irtf-cfrg-eddsa] apply accordingly. 483 A common misconception may be that a Ed25519 public key can be used 484 to create Ed25519ph signatures, or vice versa. This leads to cross- 485 key attacks, and is not permitted. 487 15. References 489 15.1. Normative References 491 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 492 Requirement Levels", BCP 14, RFC 2119, March 1997. 494 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 495 Housley, R., and W. Polk, "Internet X.509 Public Key 496 Infrastructure Certificate and Certificate Revocation List 497 (CRL) Profile", RFC 5280, May 2008. 499 [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, 500 "Elliptic Curve Cryptography Subject Public Key 501 Information", RFC 5480, March 2009. 503 [RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key 504 Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, 505 . 507 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 508 for Security", RFC 7748, DOI 10.17487/RFC7748, January 509 2016, . 511 [I-D.irtf-cfrg-eddsa] 512 Josefsson, S. and I. Liusvaara, "Edwards-curve Digital 513 Signature Algorithm (EdDSA)", draft-irtf-cfrg-eddsa-00 514 (work in progress), October 2015. 516 15.2. Informative References 518 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 519 Identifiers for the Internet X.509 Public Key 520 Infrastructure Certificate and Certificate Revocation List 521 (CRL) Profile", RFC 3279, April 2002. 523 [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional 524 Algorithms and Identifiers for RSA Cryptography for use in 525 the Internet X.509 Public Key Infrastructure Certificate 526 and Certificate Revocation List (CRL) Profile", RFC 4055, 527 June 2005. 529 [RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography 530 (ECC) Brainpool Standard Curves and Curve Generation", RFC 531 5639, March 2010. 533 [RFC5758] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T. 534 Polk, "Internet X.509 Public Key Infrastructure: 535 Additional Algorithms and Identifiers for DSA and ECDSA", 536 RFC 5758, January 2010. 538 Author's Address 540 Simon Josefsson 541 SJD AB 543 Email: simon@josefsson.org