idnits 2.17.1 

draft-ietf-keyprov-pskc-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** You're using the IETF Trust Provisions' Section 6.b License Notice from
     12 Sep 2009 rather than the newer Notice from 28 Dec 2009.  (See
     https://trustee.ietf.org/license-info/)


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'SHOULD not' in this paragraph:
     
     Deprecated:  TRUE if based on expert approval this entry has been
     deprecated and SHOULD not be used in any new implementations. Otherwise
     FALSE.

  -- The document date (May 14, 2010) is 5095 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-04) exists of
     draft-housley-aes-key-wrap-with-pad-02

  ** Downref: Normative reference to an Informational draft:
     draft-housley-aes-key-wrap-with-pad (ref. 'AESKWPAD')

  ** Downref: Normative reference to an Informational RFC: RFC 4226 (ref.
     'HOTP')

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISOIEC7812'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'OATHMAN'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'PKCS5'

  ** Obsolete normative reference: RFC 3023 (Obsoleted by RFC 7303)

  ** Obsolete normative reference: RFC 4288 (Obsoleted by RFC 6838)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLDSIG'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'XMLENC11'

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)


     Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	keyprov                                                         P. Hoyer
3	Internet-Draft                                             ActivIdentity
4	Intended status: Standards Track                                  M. Pei
5	Expires: November 15, 2010                                      VeriSign
6	                                                              S. Machani
7	                                                              Diversinet
8	                                                            May 14, 2010

10	                Portable Symmetric Key Container (PSKC)
11	                       draft-ietf-keyprov-pskc-06

13	Abstract

15	   This document specifies a symmetric key format for transport and
16	   provisioning of symmetric keys to different types of crypto modules.
17	   For example, One Time Password (OTP) shared secrets or symmetric
18	   cryptographic keys to strong authentication devices.  A standard key
19	   transport format enables enterprises to deploy best-of-breed
20	   solutions combining components from different vendors into the same
21	   infrastructure.

23	Status of this Memo

25	   This Internet-Draft is submitted to IETF in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF), its areas, and its working groups.  Note that
30	   other groups may also distribute working documents as Internet-
31	   Drafts.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   The list of current Internet-Drafts can be accessed at
39	   http://www.ietf.org/ietf/1id-abstracts.txt.

41	   The list of Internet-Draft Shadow Directories can be accessed at
42	   http://www.ietf.org/shadow.html.

44	   This Internet-Draft will expire on November 15, 2010.

46	Copyright Notice

48	   Copyright (c) 2010 IETF Trust and the persons identified as the
49	   document authors.  All rights reserved.

51	   This document is subject to BCP 78 and the IETF Trust's Legal
52	   Provisions Relating to IETF Documents
53	   (http://trustee.ietf.org/license-info) in effect on the date of
54	   publication of this document.  Please review these documents
55	   carefully, as they describe your rights and restrictions with respect
56	   to this document.  Code Components extracted from this document must
57	   include Simplified BSD License text as described in Section 4.e of
58	   the Trust Legal Provisions and are provided without warranty as
59	   described in the BSD License.

61	Table of Contents

63	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
64	     1.1.  Key Words  . . . . . . . . . . . . . . . . . . . . . . . .  4
65	     1.2.  Versions . . . . . . . . . . . . . . . . . . . . . . . . .  4
66	     1.3.  Namespace Identifiers  . . . . . . . . . . . . . . . . . .  4
67	       1.3.1.  Defined Identifiers  . . . . . . . . . . . . . . . . .  4
68	       1.3.2.  Referenced Identifiers . . . . . . . . . . . . . . . .  5
69	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
70	   3.  Portable Key Container Entities Overview and Relationships . .  7
71	   4.  <KeyContainer> Element: The Basics . . . . . . . . . . . . . .  9
72	     4.1.  <Key>: Embedding Keying Material and Key Related
73	           Information  . . . . . . . . . . . . . . . . . . . . . . .  9
74	     4.2.  Transmission of supplementary Information  . . . . . . . . 11
75	       4.2.1.  <DeviceInfo> Element: Unique Device Identification . . 12
76	       4.2.2.  <CryptoModuleInfo> Element: CryptoModule
77	               Identification . . . . . . . . . . . . . . . . . . . . 13
78	       4.2.3.  <UserId> Element: User Identification  . . . . . . . . 14
79	       4.2.4.  <AlgorithmParameters> Element: Supplementary
80	               Information for OTP and CR Algorithms  . . . . . . . . 14
81	     4.3.  Transmission of Key Derivation Values  . . . . . . . . . . 16
82	   5.  Key Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 18
83	   6.  Key Protection Methods . . . . . . . . . . . . . . . . . . . . 23
84	     6.1.  Encryption based on Pre-Shared Keys  . . . . . . . . . . . 23
85	       6.1.1.  MAC Method . . . . . . . . . . . . . . . . . . . . . . 25
86	     6.2.  Encryption based on Passphrase-based Keys  . . . . . . . . 26
87	     6.3.  Encryption based on Asymmetric Keys  . . . . . . . . . . . 29
88	     6.4.  Padding of Encrypted Values for Non-Padded Encryption
89	           Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 30
90	   7.  Digital Signature  . . . . . . . . . . . . . . . . . . . . . . 31
91	   8.  Bulk Provisioning  . . . . . . . . . . . . . . . . . . . . . . 33
92	   9.  Extensibility  . . . . . . . . . . . . . . . . . . . . . . . . 36
93	   10. PSKC Algorithm Profile . . . . . . . . . . . . . . . . . . . . 37
94	     10.1. HOTP . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
95	     10.2. KEYPROV-PIN  . . . . . . . . . . . . . . . . . . . . . . . 37

97	   11. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . . . 39
98	   12. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 46
99	     12.1. Content-type registration for 'application/pskc+xml' . . . 46
100	     12.2. XML Schema Registration  . . . . . . . . . . . . . . . . . 47
101	     12.3. URN Sub-Namespace Registration . . . . . . . . . . . . . . 47
102	     12.4. PSKC Algorithm Profile Registry  . . . . . . . . . . . . . 48
103	     12.5. PSKC Version Registry  . . . . . . . . . . . . . . . . . . 49
104	     12.6. Key Usage Registry . . . . . . . . . . . . . . . . . . . . 49
105	   13. Security Considerations  . . . . . . . . . . . . . . . . . . . 51
106	     13.1. PSKC Confidentiality . . . . . . . . . . . . . . . . . . . 51
107	     13.2. PSKC Integrity . . . . . . . . . . . . . . . . . . . . . . 52
108	     13.3. PSKC Authenticity  . . . . . . . . . . . . . . . . . . . . 52
109	   14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 53
110	   15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 54
111	   16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 55
112	     16.1. Normative References . . . . . . . . . . . . . . . . . . . 55
113	     16.2. Informative References . . . . . . . . . . . . . . . . . . 56
114	   Appendix A.  Use Cases . . . . . . . . . . . . . . . . . . . . . . 58
115	     A.1.  Online Use Cases . . . . . . . . . . . . . . . . . . . . . 58
116	       A.1.1.  Transport of keys from Server to Cryptographic
117	               Module . . . . . . . . . . . . . . . . . . . . . . . . 58
118	       A.1.2.  Transport of keys from Cryptographic Module to
119	               Cryptographic Module . . . . . . . . . . . . . . . . . 58
120	       A.1.3.  Transport of keys from Cryptographic Module to
121	               Server . . . . . . . . . . . . . . . . . . . . . . . . 59
122	       A.1.4.  Server to server Bulk import/export of keys  . . . . . 59
123	     A.2.  Offline Use Cases  . . . . . . . . . . . . . . . . . . . . 59
124	       A.2.1.  Server to server Bulk import/export of keys  . . . . . 59
125	   Appendix B.  Requirements  . . . . . . . . . . . . . . . . . . . . 61
126	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 63

128	1.  Introduction

130	   With increasing use of symmetric key based systems, such as
131	   encryption of data at rest, or systems used for strong
132	   authentication, such as those based on one-time-password (OTP) and
133	   challenge response (CR) mechanisms, there is a need for vendor
134	   interoperability and a standard format for importing and exporting
135	   (provisioning) symmetric keys.  For instance, traditionally, vendors
136	   of authentication servers and service providers have used proprietary
137	   formats for importing and exporting these keys into their systems,
138	   thus making it hard to use tokens from two different vendors.

140	   This document defines a standardized XML-based key container, called
141	   Portable Symmetric Key Container (PSKC), for transporting symmetric
142	   keys and key related meta data.  The document also specifies the
143	   information elements that are required when the symmetric key is
144	   utilized for specific purposes, such as the initial counter in the
145	   HMAC-Based One Time Password (HOTP) [HOTP] algorithm.  It also
146	   requests the creation of an IANA registry for algorithm profiles
147	   where algorithms, their meta-data and PSKC transmission profile can
148	   be recorded for centralised standardised reference.

150	1.1.  Key Words

152	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
153	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
154	   document are to be interpreted as described in [RFC2119].

156	1.2.  Versions

158	   There is a provision made in the syntax for an explicit version
159	   number.  Only version "1.0" is currently specified.

161	1.3.  Namespace Identifiers

163	   This document uses Uniform Resource Identifiers [RFC3986] to identify
164	   resources, algorithms, and semantics.

166	1.3.1.  Defined Identifiers

168	   The XML namespace [XMLNS] URI for Version 1.0 of PSKC is:

170	   "urn:ietf:params:xml:ns:keyprov:pskc"

172	   References to qualified elements in the PSKC schema defined in this
173	   specification and used in the example use the prefix "pskc" (defined
174	   as xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc") .  It is
175	   RECOMMENDED to use this namespace in implementations.

177	1.3.2.  Referenced Identifiers

179	   The PSKC syntax presented in this document relies on algorithm
180	   identifiers and elements defined in the XML Signature [XMLDSIG]
181	   namespace:

183	   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"

185	   References to the XML Signature namespace are represented by the
186	   prefix "ds".

188	   PSKC also relies on algorithm identifiers and elements defined in the
189	   XML Encryption [XMLENC] namespace:

191	   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"

193	   References to the XML Encryption namespace are represented by the
194	   prefix "xenc".

196	   When protecting keys in transport with passphrase-based keys, PSKC
197	   also relies on the derived key element defined in the XML Encryption
198	   Version 1.1 [XMLENC11] namespace:

200	   xmlns:xenc11="http://www.w3.org/2009/xmlenc11#""

202	   References to the XML Encryption Version 1.1 namespace are
203	   represented by the prefix "xenc11".

205	   When protecting keys in transport with passphrase-based keys, PSKC
206	   also relies on algorithm identifiers and elements defined in the
207	   PKCS#5 [PKCS5] namespace:

209	   xmlns:pkcs5=
210	   "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"

212	   References to the PKCS#5 namespace are represented by the prefix
213	   "pkcs5".

215	2.  Terminology

217	   NOTE: In subsequent sections of the document we highlight
218	   **mandatory** XML elements and attributes.  Optional elements and
219	   attributes are not explicitly indicated, i.e., if it does not say
220	   mandatory it is optional.

222	3.  Portable Key Container Entities Overview and Relationships

224	   The portable key container is based on an XML schema definition and
225	   contains the following main conceptual entities:

227	   1.  KeyContainer entity - representing the container that carries a
228	       number of KeyPackages.  A valid container MUST carry at least 1
229	       KeyPackage.

231	   2.  KeyPackage entity - representing the package of at most one key
232	       and its related provisioning endpoint or current usage endpoint,
233	       such as a physical or virtual device and a specific CryptoModule

235	   3.  DeviceInfo entity - representing the information about the device
236	       and criteria to uniquely identify the device

238	   4.  CryptoModuleInfo entity - representing the information about the
239	       CryptoModule where the keys reside or are provisioned to

241	   5.  Key entity - representing the key transported or provisioned

243	   6.  Data entity - representing a list of meta-data related to the
244	       key, where the element name is the name of the meta-data and its
245	       associated value is either in encrypted form (for example for
246	       Data element <Secret>) or plaintext (for example the Data element
247	       <Counter>)

249	   Figure 1 shows the high-level structure of the PSKC data elements.

251	      -----------------
252	      | KeyContainer  |
253	      |---------------|
254	      | EncryptionKey |
255	      | Signature     |
256	      | ...           |
257	      -----------------
258	              |
259	              |
260	             /|\ 1..n
261	      ----------------        ----------------
262	      | KeyPackage   |    0..1| DeviceInfo   |
263	      |--------------|--------|--------------|
264	      |              |--      | SerialNumber |
265	      ----------------  |     | Manufacturer |
266	              |         |     | ....         |
267	              |         |     ----------------
268	             /|\ 0..1   |
269	      ----------------  |     --------------------
270	      | Key          |  | 0..1| CryptoModuleInfo |
271	      |--------------|   -----|------------------|
272	      | Id           |        | Id               |
273	      | Algorithm    |        |....              |
274	      | UserId       |        --------------------
275	      | Policy       |
276	      | ....         |
277	      ----------------
278	              |
279	              |
280	             /|\ 0..n
281	          --------------------------------------- -  -
282	          |                     |              |
283	      ------------------  ----------------  -------- - -
284	      | Data:Secret    |  | Data:Counter |  | Data:other
285	      |----------------|  |--------------|  |-- - -
286	      | EncryptedValue |  | PlainValue   |
287	      | ValueMAC       |  ----------------
288	      ------------------

290	             Figure 1: PSKC data elements relationship diagram

292	   The following sections describe in detail all the entities and
293	   related XML schema elements and attributes.

295	4.  <KeyContainer> Element: The Basics

297	   In its most basic form, a PSKC document uses the top-level element
298	   <KeyContainer> and a single <KeyPackage> element to carry key
299	   information.

301	   The following example shows such a simple PSKC document.  We will use
302	   it to describe the structure of the <KeyContainer> element and its
303	   child elements.

305	   <?xml version="1.0" encoding="UTF-8"?>
306	   <KeyContainer Version="1.0"
307	       Id="exampleID1"
308	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
309	       <KeyPackage>
310	           <Key Id="12345678"
311	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
312	               <Issuer>Issuer-A</Issuer>
313	               <Data>
314	                   <Secret>
315	                       <PlainValue>MTIzNA==
316	                       </PlainValue>
317	                   </Secret>
318	               </Data>
319	           </Key>
320	       </KeyPackage>
321	   </KeyContainer>

323	                Figure 2: Basic PSKC Key Container Example

325	   The attributes of the <KeyContainer> element have the following
326	   semantics:

328	   'Version:'  The 'Version' attribute is used to identify the version
329	      of the PSKC schema version.  This specification defines the
330	      initial version ("1.0") of the PSKC schema.  This attribute MUST
331	      be included.

333	   'Id:'  The 'Id' attribute carries a unique identifier for the
334	      container.  As such, it helps to identify a specific key container
335	      in cases when multiple containers are embedded in larger xml
336	      documents.

338	4.1.  <Key>: Embedding Keying Material and Key Related Information

340	   The following attributes of the <Key> element MUST be included at a
341	   minimum:

343	   'Id':  This attribute carries a globally unique identifier for the
344	      symmetric key.  The identifier is defined as a string of
345	      alphanumeric characters.

347	   'Algorithm':  This attribute contains a unique identifier for the
348	      PSKC algorithm profile.  This profile associates specific
349	      semantics to the elements and attributes contained in the <Key>
350	      element.  This document describes profiles for open standards
351	      algorithms in Section 10.  Additional profiles are defined in the
352	      following information draft [PSKC-ALGORITHM-PROFILES].

354	   The <Key> element has a number of optional child elements.  An
355	   initial set is described below:

357	   <Issuer>:  This element represents the name of the party that issued
358	      the key.  For example, a bank "Foobar Bank Inc." issuing hardware
359	      tokens to their retail banking users may set this element to
360	      "Foobar Bank Inc.".

362	   <FriendlyName>:  A human readable name for the secret key for easier
363	      reference.  This element serves informational purposes only.

365	   <AlgorithmParameters>:  This element carries parameters that
366	      influence the result of the algorithmic computation, for example
367	      response truncation and format in OTP and CR algorithms.  A more
368	      detailed discussion of the element can be found in Section 4.2.4.

370	   <Data>:  This element carries data about and related to the key.  The
371	      following child elements are defined for the <Data> element:

373	      <Secret>:  This element carries the value of the key itself in a
374	         binary representation.

376	      <Counter>:  This element contains the event counter for event
377	         based OTP algorithms.

379	      <Time>:  This element contains the time for time based OTP
380	         algorithms.  (If time interval is used, this element carries
381	         the number of time intervals passed from a specific start
382	         point, normally algorithm dependent).

384	      <TimeInterval>:  This element carries the time interval value for
385	         time based OTP algorithms in seconds (typical value for this
386	         would be 30 indicating a time interval of 30 seconds).

388	      <TimeDrift>:  This element contains the device clock drift value
389	         for time-based OTP algorithms.  The integer value (positive or
390	         negative drift) that indicates the number of time intervals
391	         that a validation server has established the device clock
392	         drifted after the last succssful authentication.  So for
393	         example if the last successful authentication established a
394	         device time value of 8 intervals from a specific start date but
395	         the validation server determines the time value at 9 intervals,
396	         the server SHOULD record the drift as -1.

398	      All the elements listed above (and those defined in the future)
399	      obey a simple structure in that they MUST support child elements
400	      to convey the data value in either plaintext or encrypted format:

402	      Plaintext:  The <PlainValue> element carries plaintext value that
403	         is typed, for example to xs:integer.

405	      Encrypted:  The <EncryptedValue> element carries encrypted value.

407	      ValueMAC:  The <ValueMAC> element is populated with a MAC
408	         generated from the encrypted value in case the encryption
409	         algorithm does not support integrity checks.  The example shown
410	         at Figure 2 illustrates the usage of the <Data> element with
411	         two child elements, namely <Secret> and <Counter>.  Both
412	         elements carry plaintext value within the <PlainValue> child
413	         element.

415	4.2.  Transmission of supplementary Information

417	   A PSKC document can contain a number of additional information
418	   regarding device identification, cryptomodule identification, user
419	   identification and parameters for usage with OTP and CR algorithms.
420	   The following example, see Figure 3, is used as a reference for the
421	   subsequent sub-sections.

423	   <?xml version="1.0" encoding="UTF-8"?>
424	   <KeyContainer Version="1.0"
425	       Id="exampleID1"
426	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
427	       <KeyPackage>
428	           <DeviceInfo>
429	               <Manufacturer>Manufacturer</Manufacturer>
430	               <SerialNo>987654321</SerialNo>
431	               <UserId>DC=example-bank,DC=net</UserId>
432	           </DeviceInfo>
433	           <CryptoModuleInfo>
434	               <Id>CM_ID_001</Id>
435	           </CryptoModuleInfo>
436	           <Key Id="12345678"
437	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
438	               <Issuer>Issuer</Issuer>
439	               <AlgorithmParameters>
440	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
441	               </AlgorithmParameters>
442	               <Data>
443	                   <Secret>
444	                       <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
445	                       </PlainValue>
446	                   </Secret>
447	                   <Counter>
448	                       <PlainValue>0</PlainValue>
449	                   </Counter>
450	               </Data>
451	               <UserId>UID=jsmith,DC=example-bank,DC=net</UserId>
452	           </Key>
453	       </KeyPackage>
454	   </KeyContainer>

456	       Figure 3: PSKC Key Container Example with Supplementary Data

458	4.2.1.  <DeviceInfo> Element: Unique Device Identification

460	   The <DeviceInfo> element uniquely identifies the device the
461	   <KeyPackage> is provisioned to.  Since devices can come in different
462	   form factors, such as hardware tokens, smart-cards, soft tokens in a
463	   mobile phone or as a PC, this element allows different child element
464	   combinations to be used.  When combined, the values of the child
465	   elements MUST uniquely identify the device.  For example, for
466	   hardware tokens the combination of <SerialNo> and <Manufacturer>
467	   elements uniquely identifies a device but the <SerialNo> element
468	   alone is insufficient since two different token manufacturers might
469	   issue devices with the same serial number (similar to the Issuer
470	   Distinguished Name and serial number of a certificate).

472	   The <DeviceInfo> element has the following child elements:

474	   <Manufacturer>:  This element indicates the manufacturer of the
475	      device.  Values for Manufacturer SHOULD be taken from [OATHMAN]

477	   <SerialNo>:  This element contains the serial number of the device.

479	   <Model>:  This element describes the model of the device (e.g., one-
480	      button-HOTP-token-V1).

482	   <IssueNo>:  This element contains the issue number in case devices
483	      with the same serial number that are distinguished by different
484	      issue numbers.

486	   <DeviceBinding>:  This element allows a provisioning server to ensure
487	      that the key is going to be loaded into the device for which the
488	      key provisioning request was approved.  The device is bound to the
489	      request using a device identifier, e.g., an International Mobile
490	      Equipment Identity (IMEI) for the phone, or an identifier for a
491	      class of identifiers, e.g., those for which the keys are protected
492	      by a Trusted Platform Module (TPM).

494	   <StartDate>: and <ExpiryDate>:  These two elements indicate the start
495	      and end date of a device (such as the one on a payment card, used
496	      when issue numbers are not printed on cards).  The date MUST be
497	      expressed in UTC form with no timezone component.  Implementations
498	      SHOULD NOT rely on time resolution finer than milliseconds and
499	      MUST NOT generate time instants that specify leap seconds.  Keys
500	      that reside on the device SHOULD only be used when the current
501	      date is after the <StartDate> and before the <ExpiryDate>.  Note
502	      that usage enforcement of the keys with respective to the dates
503	      MAY only happen on the validation server as some devices such as
504	      smart cards do not have an internal clock.  Systems thus SHOULD
505	      NOT rely upon the device to enforce key usage date restrictions.

507	   Depending on the device type certain child elements of the
508	   <DeviceInfo> element MUST be included in order to uniquely identify a
509	   device.  This document does not enumerate the different device types
510	   and therefore does not list the elements that are mandatory for each
511	   type of device.

513	4.2.2.  <CryptoModuleInfo> Element: CryptoModule Identification

515	   The <CryptoModuleInfo> element identifies the cryptographic module to
516	   which the symmetric keys are or have been provisioned to.  This
517	   allows the identification of the specific cases where a device MAY
518	   contain more than one crypto module (e.g. a PC hosting a TPM and a
519	   connected token).

521	   The <CryptoModuleInfo> element has a single child element that MUST
522	   be included:

524	   <Id>:  This element carries a unique identifier for the CryptoModule
525	      and is implementation specific.  As such, it helps to identify a
526	      specific CryptoModule to which the key is being or was
527	      proivisioned.

529	4.2.3.  <UserId> Element: User Identification

531	   The <UserId> element identifies the user using a distinguished name,
532	   as defined in [RFC4514].  For example: UID=jsmith,DC=example,DC=net.

534	   Although the syntax of the user identifier is defined, there are no
535	   semantics associated with this element, i.e., there are no checks
536	   enforcing that only a specific user can use this key.  As such, this
537	   element is for informational purposes only.

539	   This element may appear in two places, namely as a child element of
540	   the <Key> element where it indicates the user with whom the key is
541	   associated with and as a child element of the <DeviceInfo> element
542	   where it indicates the user the device is associated with.

544	4.2.4.  <AlgorithmParameters> Element: Supplementary Information for OTP
545	        and CR Algorithms

547	   The <AlgorithmParameters> element is a child element of the <Key>
548	   element and this document defines two child elements:
549	   <ChallengeFormat> and <ResponseFormat>

551	   <ChallengeFormat>:

553	      The <ChallengeFormat> element defines the characteristics of the
554	      challenge in a CR usage scenario whereby the following attributes
555	      are defined:

557	      'Encoding':  This attribute, which MUST be included, defines the
558	         encoding of the challenge accepted by the device and MUST be
559	         one of the following values:

561	         DECIMAL  Only numerical digits

563	         HEXADECIMAL  Hexadecimal response

565	         ALPHANUMERIC  All letters and numbers (case sensitive)
566	         BASE64  Base 64 encoded as defined in Section 4 of [RFC4648].

568	         BINARY  Binary data

570	      'CheckDigit':  This attribute indicates whether a device needs to
571	         check the appended Luhn check digit, as defined in
572	         [ISOIEC7812], contained in a challenge.  This is only valid if
573	         the 'Encoding' attribute is 'DECIMAL'.  A value of TRUE
574	         indicates that the device will check the appended Luhn check
575	         digit in a provided challenge.  A value of FALSE indicates that
576	         the device will not check the appended Luhn check digit in the
577	         challenge.

579	      'Min':  This attribute defines the minimum size of the challenge
580	         accepted by the device for CR mode and MUST be included.  If
581	         the 'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
582	         'ALPHANUMERIC' this value indicates the minimum number of
583	         digits/characters.  If the 'Encoding' attribute is 'BASE64' or
584	         'BINARY', this value indicates the minimum number of bytes of
585	         the unencoded value.

587	      'Max':  This attribute defines the maximum size of the challenge
588	         accepted by the device for CR mode and MUST be included.  If
589	         the 'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
590	         'ALPHANUMERIC' this value indicates the maximum number of
591	         digits/characters.  If the 'Encoding' attribute is 'BASE64' or
592	         'BINARY', this value indicates the maximum number of bytes of
593	         the unencoded value.

595	   <ResponseFormat>:

597	      The <ResponseFormat> element defines the characteristics of the
598	      result of a computation and defines the format of the OTP or the
599	      response to a challenge.  For cases where the key is a PIN value,
600	      this element contains the format of the PIN itself (e.g., DECIMAL,
601	      length 4 for a 4 digit PIN).  The following attributes are
602	      defined:

604	      'Encoding':  This attribute defines the encoding of the response
605	         generated by the device, it MUST be included and MUST be one of
606	         the following values: DECIMAL, HEXADECIMAL, ALPHANUMERIC,
607	         BASE64, or BINARY.

609	      'CheckDigit':  This attribute indicates whether the device needs
610	         to append a Luhn check digit, as defined in [ISOIEC7812], to
611	         the response.  This is only valid if the 'Encoding' attribute
612	         is 'DECIMAL'.  If the value is TRUE then the device will append
613	         a Luhn check digit to the response.  If the value is FALSE,
614	         then the device will not append a Luhn check digit to the
615	         response.

617	      'Length':  This attribute defines the length of the response
618	         generated by the device and MUST be included.  If the
619	         'Encoding' attribute is 'DECIMAL', 'HEXADECIMAL' or
620	         'ALPHANUMERIC' this value indicates the number of digits/
621	         characters.  If the 'Encoding' attribute is 'BASE64' or
622	         'BINARY', this value indicates the number of bytes of the
623	         unencoded value.

625	4.3.  Transmission of Key Derivation Values

627	   <KeyProfileId> element, which is a child element of the <Key>
628	   element, carries a unique identifier used between the sending and
629	   receiving parties to establish a set of key attribute values that are
630	   not transmitted within the container but agreed between the two
631	   parties out of band.  This element will then represent the unique
632	   reference to a set of key attribute values.  (For example, a smart
633	   card application personalisation profile id related to specific
634	   attribute values present on a smart card application, that have
635	   influence when computing a response.).

637	   For example, in the case of MasterCard's Chip Authentication Program
638	   [CAP], the sending and the receiving party would agree that
639	   KeyProfileId='1' represents a certain set of values (e.g., Internet
640	   Authentication Flag IAF set to a specific value).  During
641	   transmission of the KeyContainer, these values would not be
642	   transmitted as key attributes but only referred to via the
643	   <KeyProfileId> element set to the specific agreed profile (in this
644	   case '1').  The receiving party can then associate all relevant key
645	   attributes contained in the out of band agreed profile with the
646	   imported keys.  Often this methodology is used between a
647	   manufacturing service, run by company A and the validation service
648	   run by company B, to avoid repeated transmission of the same set of
649	   key attribute values.

651	   The <KeyReference> element contains a reference to an external key to
652	   be used with a key derivation scheme and no specific key value
653	   (secret) is transported but only the reference to the external master
654	   key is used (e.g., the PKCS#11 key label).

656	   <?xml version="1.0" encoding="UTF-8"?>
657	   <KeyContainer Version="1.0" Id="exampleID1"
658	        xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
659	       <KeyPackage>
660	           <DeviceInfo>
661	               <Manufacturer>Manufacturer</Manufacturer>
662	               <SerialNo>987654321</SerialNo>
663	           </DeviceInfo>
664	           <CryptoModuleInfo>
665	               <Id>CM_ID_001</Id>
666	           </CryptoModuleInfo>
667	           <Key Id="12345678"
668	            Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
669	               <Issuer>Issuer</Issuer>
670	               <AlgorithmParameters>
671	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
672	               </AlgorithmParameters>
673	               <KeyProfileId>keyProfile1</KeyProfileId>
674	               <KeyReference>MasterKeyLabel
675	               </KeyReference>
676	               <Data>
677	                   <Counter>
678	                       <PlainValue>0</PlainValue>
679	                   </Counter>
680	               </Data>
681	               <Policy>
682	                   <KeyUsage>OTP</KeyUsage>
683	               </Policy>
684	           </Key>
685	       </KeyPackage>
686	   </KeyContainer>

688	   Figure 4: Example of a PSKC Document transmitting a HOTP key via key
689	                             derivation values

691	   The key value will be derived using the value of the <SerialNo>
692	   element, values agreed between the sending and the receiving parties
693	   and identified by the KeyProfile 'keyProfile1' and an externally
694	   agreed key referenced by the label 'MasterKeyLabel'.

696	5.  Key Policy

698	   This section illustrates the functionality of the <Policy> element
699	   within PSKC that allows a key usage and key PIN protection policy to
700	   be attached to a specific key and its related meta data.  This
701	   element is a child element of the <Key> element.

703	   If the <Policy> element contains child elements or values within
704	   elements/attributes that are not understood by the recipient of the
705	   PSKC document then the recipient MUST assume that key usage is not
706	   permitted.  This statement ensures that the lack of understanding of
707	   certain extensions does not lead to unintended key usage.

709	   We will start our description with an example that expands the
710	   example shown in Figure 3.

712	   <?xml version="1.0" encoding="UTF-8"?>
713	   <KeyContainer
714	       Version="1.0" Id="exampleID1"
715	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
716	       <KeyPackage>
717	           <DeviceInfo>
718	               <Manufacturer>Manufacturer</Manufacturer>
719	               <SerialNo>987654321</SerialNo>
720	           </DeviceInfo>
721	           <CryptoModuleInfo>
722	               <Id>CM_ID_001</Id>
723	           </CryptoModuleInfo>
724	           <Key Id="12345678"
725	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
726	               <Issuer>Issuer</Issuer>
727	               <AlgorithmParameters>
728	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
729	               </AlgorithmParameters>
730	               <Data>
731	                   <Secret>
732	                       <PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
733	                       </PlainValue>
734	                   </Secret>
735	                   <Counter>
736	                       <PlainValue>0</PlainValue>
737	                   </Counter>
738	               </Data>
739	               <Policy>
740	                   <PINPolicy MinLength="4" MaxLength="4"
741	                       PINKeyId="123456781" PINEncoding="DECIMAL"
742	                       PINUsageMode="Local"/>
743	                   <KeyUsage>OTP</KeyUsage>

745	               </Policy>
746	           </Key>
747	       </KeyPackage>
748	       <KeyPackage>
749	           <DeviceInfo>
750	               <Manufacturer>Manufacturer</Manufacturer>
751	               <SerialNo>987654321</SerialNo>
752	           </DeviceInfo>
753	           <CryptoModuleInfo>
754	               <Id>CM_ID_001</Id>
755	           </CryptoModuleInfo>
756	           <Key Id="123456781"
757	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#pin">
758	               <Issuer>Issuer</Issuer>
759	               <AlgorithmParameters>
760	                   <ResponseFormat Length="4" Encoding="DECIMAL"/>
761	               </AlgorithmParameters>
762	               <Data>
763	                   <Secret>
764	                       <PlainValue>MTIzNA==</PlainValue>
765	                   </Secret>
766	               </Data>
767	           </Key>
768	       </KeyPackage>
769	   </KeyContainer>

771	         Figure 5: Non-Encrypted HOTP Secret Key protected by PIN

773	   This document defines the following Policy child elements:

775	   <StartDate> and <ExpiryDate>:  These two elements denote the validity
776	      period of a key.  It MUST be ensured that the key is only used
777	      between the start and the end date (inclusive).  The value MUST be
778	      expressed in UTC form, with no time zone component.
779	      Implementations SHOULD NOT rely on time resolution finer than
780	      milliseconds and MUST NOT generate time instants that specify leap
781	      seconds.  When this element is absent the current time is assumed
782	      as the start time.

784	   <NumberOfTransactions>:  The value in this element indicates the
785	      maximum number of times a key carried within the PSKC document can
786	      be used by an application after having received it..  When this
787	      element is omitted then there is no restriction regarding the
788	      number of times a key can be used.

790	   <KeyUsage>:  The <KeyUsage> element puts constraints on the intended
791	      usage of the key.  The recipient of the PSKC document MUST enforce
792	      the key usage.  Currently, the following tokens are registered by
793	      this document:

795	      OTP:  The key MUST only be used for OTP generation.

797	      CR:  The key MUST only be used for Challenge/Response purposes.

799	      Encrypt:  The key MUST only be used for data encryption purposes.

801	      Integrity:  The key MUST only be used to generate a keyed message
802	         digest for data integrity or authentication purposes.

804	      Verify:  The key MUST only be used to verify a keyed message
805	         digest for data integrity or authentication purposes. (this is
806	         the vice versa of Integrity)

808	      Unlock:  The key MUST only be used for an inverse challenge
809	         response in the case where a user has locked the device by
810	         entering a wrong PIN too many times (for devices with PIN-input
811	         capability).

813	      Decrypt:  The key MUST only be used for data decryption purposes.

815	      KeyWrap:  The key MUST only be used for key wrap purposes.

817	      Unwrap:  The key MUST only be used for key unwrap purposes.

819	      Derive:  The key MUST only be used with a key derivation function
820	         to derive a new key (see also Section 8.2.4 of [NIST800-57]).

822	      Generate:  The key MUST only be used to generate a new key based
823	         on a random number and the previous value of the key (see also
824	         Section 8.1.5.2.1 of[NIST800-57]).

826	      The element MAY also be repeated to allow several key usages to be
827	      expressed.  When this element is absent then no key usage
828	      constraint is assumed, i.e., the key MAY be utilized for every
829	      usage.

831	   <PINPolicy>:  The <PINPolicy> element allows policy about the PIN
832	      usage to be associated with the key.  The following attributes are
833	      specified:

835	      'PINKeyId':  This attribute contains the unique key id of the key
836	         held within this container that contains the value of the PIN
837	         that protects the key.

839	      'PINUsageMode':  This mandatory attribute indicates the way the
840	         PIN is used during the usage of the key.  The following values
841	         are defined:

843	         Local:  This value indicates that the PIN is checked locally on
844	            the device before allowing the key to be used in executing
845	            the algorithm.

847	         Prepend:  This value indicates that the PIN is prepended to the
848	            algorithm response hence it MUST be checked by the party
849	            validating the response.

851	         Append:  This value indicates that the PIN is appended to the
852	            algorithm response hence it MUST be checked by the party
853	            validating the response.

855	         Algorithmic:  This value indicates that the PIN is used as part
856	            of the algorithm computation.

858	      'MaxFailedAttempts':  This attribute indicates the maximum number
859	         of times the PIN may be entered wrongly before it MUST NOT be
860	         possible to use the key anymore (typical reasonable values are
861	         in the positive integer range of at least 2 and no more than
862	         10).

864	      'MinLength':  This attribute indicates the minimum length of a PIN
865	         that can be set to protect the associated key.  It MUST NOT be
866	         possible to set a PIN shorter than this value.  If the
867	         'PINFormat' attribute is 'DECIMAL', 'HEXADECIMAL' or
868	         'ALPHANUMERIC' this value indicates the number of digits/
869	         characters.  If the 'PINFormat' attribute is 'BASE64' or
870	         'BINARY', this value indicates the number of bytes of the
871	         unencoded value.

873	      'MaxLength':  This attribute indicates the maximum length of a PIN
874	         that can be set to protect this key.  It MUST NOT be possible
875	         to set a PIN longer than this value.  If the 'PINFormat'
876	         attribute is 'DECIMAL', 'HEXADECIMAL' or 'ALPHANUMERIC' this
877	         value indicates the number of digits/characters.  If the
878	         'PINFormat' attribute is 'BASE64' or 'BINARY', this value
879	         indicates the number of bytes of the unencoded value.

881	      'PINEncoding':  This attribute indicates the encoding of the PIN
882	         and MUST be one of the values: DECIMAL, HEXADECIMAL,
883	         ALPHANUMERIC, BASE64, or BINARY.

885	      If the 'PinUsageMode' attribute is set to "Local" then the device
886	      MUST enforce the restriction indicated in the 'MaxFailedAttempts',
887	      'MinLength', 'MaxLength' and 'PINEncoding' attribute, otherwise it
888	      MUST be enforced on the server side.

890	6.  Key Protection Methods

892	   With the functionality described in the previous sections,
893	   information related to keys had to be transmitted in clear text.
894	   With the help of the <EncryptionKey> element, which is a child
895	   element of the <KeyContainer> element, it is possible to encrypt keys
896	   and associated information.  The level of encryption is applied to
897	   the value of individual elements and the applied encryption algorithm
898	   MUST be the same for all encrypted elements.  Keys are protected
899	   using the following methods: pre-shared keys, passphrase-based keys,
900	   and asymmetric keys.  When encryption algorithms are used that make
901	   use of Initialisation Vectors (IV), for example AES128-CBC, then a
902	   random IV value MUST be generated for each value to be encrypted and
903	   it MUST be prepended to the resulting encrypted value as specified in
904	   [XMLENC].

906	6.1.  Encryption based on Pre-Shared Keys

908	   Figure 6 shows an example that illustrates the encryption of the
909	   content of the <Secret> element using AES128-CBC and PKCS5 Padding.
910	   The plaintext value of <Secret> is
911	   '3132333435363738393031323334353637383930'.  The name of the pre-
912	   shared secret is "Pre-shared-key", as set in the <KeyName> element
913	   (which is a child element of the <EncryptionKey> element).  The value
914	   of the encryption key used is '12345678901234567890123456789012'.

916	   The IV for the MAC key is '11223344556677889900112233445566' and the
917	   IV for the HOTP key is '000102030405060708090a0b0c0d0e0f'.

919	   As AES128-CBC does not provide integrity checks a keyed MAC is
920	   applied to the encrypted value using a MAC key and a MAC algorithm as
921	   declared in the <MACMethod> element (in our example
922	   "http://www.w3.org/2000/09/xmldsig#hmac-sha1" is used as the
923	   algorithm and the value of the MAC key is randomly generated, in our
924	   case '1122334455667788990011223344556677889900', and encrypted with
925	   the above encryption key).  The result of the keyed MAC computation
926	   is placed in the <ValueMAC> child element of <Secret>.

928	 <?xml version="1.0" encoding="UTF-8"?>
929	 <KeyContainer Version="1.0"
930	     xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
931	     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
932	     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
933	     <EncryptionKey>
934	         <ds:KeyName>Pre-shared-key</ds:KeyName>
935	     </EncryptionKey>
936	     <MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
937	         <MACKey>
938	             <xenc:EncryptionMethod
939	             Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
940	             <xenc:CipherData>
941	                 <xenc:CipherValue>
942	     ESIzRFVmd4iZABEiM0RVZgKn6WjLaTC1sbeBMSvIhRejN9vJa2BOlSaMrR7I5wSX
943	                 </xenc:CipherValue>
944	             </xenc:CipherData>
945	         </MACKey>
946	     </MACMethod>
947	     <KeyPackage>
948	         <DeviceInfo>
949	             <Manufacturer>Manufacturer</Manufacturer>
950	             <SerialNo>987654321</SerialNo>
951	         </DeviceInfo>
952	         <CryptoModuleInfo>
953	             <Id>CM_ID_001</Id>
954	         </CryptoModuleInfo>
955	         <Key Id="12345678"
956	             Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
957	             <Issuer>Issuer</Issuer>
958	             <AlgorithmParameters>
959	                 <ResponseFormat Length="8" Encoding="DECIMAL"/>
960	             </AlgorithmParameters>
961	             <Data>
962	                 <Secret>
963	                     <EncryptedValue>
964	                         <xenc:EncryptionMethod
965	             Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
966	                         <xenc:CipherData>
967	                             <xenc:CipherValue>
968	     AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGv
969	                             </xenc:CipherValue>
970	                         </xenc:CipherData>
971	                     </EncryptedValue>
972	                     <ValueMAC>Su+NvtQfmvfJzF6bmQiJqoLRExc=
973	                     </ValueMAC>
974	                 </Secret>
975	                 <Counter>
976	                     <PlainValue>0</PlainValue>
977	                 </Counter>
978	             </Data>
979	         </Key>
980	     </KeyPackage>
981	 </KeyContainer>

983	   Figure 6: AES-128-CBC Encrypted Pre-Shared Secret Key with HMAC-SHA1
984	   When protecting the payload with pre-shared keys implementations MUST
985	   set the name of the specific pre-shared key in the <KeyName> element
986	   inside the <EncryptionKey> element.  When the encryption method uses
987	   a CBC mode that requires an explicit initialization vector (IV), the
988	   IV MUST be passed by prepending it to the encrypted value.

990	   For systems implementing PSKC it is RECOMMENDED to support AES-128-
991	   CBC (with the URI of http://www.w3.org/2001/04/xmlenc#aes128-cbc) and
992	   KW-AES128 (with the URI of
993	   http://www.w3.org/2001/04/xmlenc#kw-aes128).  Please note that KW-
994	   AES128 requires that the key to be protected must be a multiple of 8
995	   bytes in length.  Hence, if keys of a different length have to be
996	   protected then the usage of the key wrap algorithm with padding, as
997	   described in [AESKWPAD] is RECOMMENDED.  Some of the encryption
998	   algorithms that can optionally be implemented are:

1000	 Algorithm      | Uniform Resource Locator (URL)
1001	 ---------------+-------------------------------------------------------
1002	 AES192-CBC     | http://www.w3.org/2001/04/xmlenc#aes192-cbc
1003	 AES256-CBC     | http://www.w3.org/2001/04/xmlenc#aes256-cbc
1004	 TripleDES-CBC  | http://www.w3.org/2001/04/xmlenc#tripledes-cbc
1005	 Camellia128    | http://www.w3.org/2001/04/xmldsig-more#camellia128
1006	 Camellia192    | http://www.w3.org/2001/04/xmldsig-more#camellia192
1007	 Camellia256    | http://www.w3.org/2001/04/xmldsig-more#camellia256
1008	 KW-AES128      | http://www.w3.org/2001/04/xmlenc#kw-aes128
1009	 KW-AES192      | http://www.w3.org/2001/04/xmlenc#kw-aes192
1010	 KW-AES256      | http://www.w3.org/2001/04/xmlenc#kw-aes256
1011	 KW-TripleDES   | http://www.w3.org/2001/04/xmlenc#kw-tripledes
1012	 KW-Camellia128 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia128
1013	 KW-Camellia192 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia192
1014	 KW-Camellia256 | http://www.w3.org/2001/04/xmldsig-more#kw-camellia256

1016	6.1.1.  MAC Method

1018	   When algorithms without integrity checks are used, such as AES-128-
1019	   CBC, a keyed MAC value MUST be placed in the <ValueMAC> element of
1020	   the <Data> element.  In this case the MAC algorithm type MUST be set
1021	   in the <MACMethod> element of the <KeyContainer> element.  The MAC
1022	   key MUST be a randomly generated key by the sender, be pre-agreed
1023	   between the receiver and the sender, or be set by the application
1024	   protocol that carries the PSKC document.  It is RECOMMENDED that the
1025	   sender generates a random MAC key.  When the sender generates such a
1026	   random MAC key, the MAC key material MUST be encrypted with the same
1027	   encryption key specified in <EncryptionKey> element of the key
1028	   container.  The encryption method and encrypted value MUST be set
1029	   respectively in the <EncryptionMethod> element and the <CipherData>
1030	   element of the <MACKey> element in the <MACMethod> element.  The
1031	   <MACKeyReference> element of the <MACMethod> element MAY be used to
1032	   indicate a pre-shared MAC key or a provisioning protocol derived MAC
1033	   key.  For systems implementing PSKC it is RECOMMENDED to implement
1034	   the HMAC-SHA1 (with the URI of
1035	   'http://www.w3.org/2000/09/xmldsig#hmac-sha1').  Some of the MAC
1036	   algorithms that can optionally be implemented are:

1038	   Algorithm      | Uniform Resource Locator (URL)
1039	   ---------------+-----------------------------------------------------
1040	   HMAC-SHA224    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha224
1041	   HMAC-SHA256    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256
1042	   HMAC-SHA384    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384
1043	   HMAC-SHA512    | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512

1045	6.2.  Encryption based on Passphrase-based Keys

1047	   Figure 7 shows an example that illustrates the encryption of the
1048	   content of the <Secret> element using passphrase based key derivation
1049	   (PBKDF2) to derive the encryption key as defined in [PKCS5].  When
1050	   using passphrase based key derivation, the <DerivedKey> element
1051	   defined in XML Encryption v1.1 [XMLENC11] MUST be used to specify the
1052	   passphrased-based key.  A <DerivedKey> element is set as the child
1053	   element of <EncryptionKey> element of the key container.

1055	   The <DerivedKey> element is used to specify the key derivation
1056	   function and related parameters.  The encryption algorithm, in this
1057	   example AES-128-CBC ( URI
1058	   'http://www.w3.org/2001/04/xmlenc#aes128-cbc'), MUST be set in the
1059	   'Algorithm' attribute of <EncryptionMethod> element used inside the
1060	   encrypted data elements.

1062	   When PBKDF2 is used, the 'Algorithm' attribute of the <xenc11:
1063	   KeyDerivationMethod> element MUST be set to the URI
1064	   'http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2'.  The
1065	   <xenc11:KeyDerivationMethod> element MUST include the <PBKDF2-params>
1066	   child element to indicate the PBKDF2 parameters, such as salt and
1067	   iteration count.

1069	   When the encryption method uses a CBC mode that uses an explicit
1070	   initialization vector (IV) other than a derived one, the IV MUST be
1071	   passed by prepending it to the encrypted value.

1073	   In the example below, the following data is used.

1075	   Password:   qwerty

1077	   Salt:   0x123eff3c4a72129c

1079	   Iteration Count:  1000

1081	   MAC Key:   0xbdaab8d648e850d25a3289364f7d7eaaf53ce581

1083	   OTP Secret:   12345678901234567890

1085	   The derived encryption key is "0x651e63cd57008476af1ff6422cd02e41".
1086	   The initialization vector (IV) is
1087	   "0xa13be8f92db69ec992d99fd1b5ca05f0".  This key is also used to
1088	   encrypt the randomly chosen MAC key.  A different IV can be used,
1089	   say, "0xd864d39cbc0cdc8e1ee483b9164b9fa0" in the example.  The
1090	   encryption with algorithm "AES-128-CBC" follows the specification
1091	   defined in [XMLENC].

1093	  <?xml version="1.0" encoding="UTF-8"?>
1094	  <pskc:KeyContainer
1095	    xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
1096	    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
1097	    xmlns:pkcs5=
1098	    "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#"
1099	    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Version="1.0">
1100	      <pskc:EncryptionKey>
1101	          <xenc11:DerivedKey>
1102	              <xenc11:KeyDerivationMethod
1103	                Algorithm=
1104	   "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
1105	                  <pkcs5:PBKDF2-params>
1106	                      <Salt>
1107	                          <Specified>Ej7/PEpyEpw=</Specified>
1108	                      </Salt>
1109	                      <IterationCount>1000</IterationCount>
1110	                      <KeyLength>16</KeyLength>
1111	                      <PRF/>
1112	                  </pkcs5:PBKDF2-params>
1113	              </xenc11:KeyDerivationMethod>
1114	              <xenc:ReferenceList>
1115	                  <xenc:DataReference URI="#ED"/>
1116	              </xenc:ReferenceList>
1117	              <xenc11:MasterKeyName>My Password 1</xenc11:MasterKeyName>
1118	          </xenc11:DerivedKey>
1119	      </pskc:EncryptionKey>
1120	      <pskc:MACMethod
1121	          Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
1122	          <pskc:MACKey>
1123	              <xenc:EncryptionMethod
1124	              Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1125	              <xenc:CipherData>
1126	                  <xenc:CipherValue>
1127	  2GTTnLwM3I4e5IO5FkufoOEiOhNj91fhKRQBtBJYluUDsPOLTfUvoU2dStyOwYZx
1128	                  </xenc:CipherValue>
1129	              </xenc:CipherData>
1130	          </pskc:MACKey>
1131	      </pskc:MACMethod>
1132	      <pskc:KeyPackage>
1133	          <pskc:DeviceInfo>
1134	              <pskc:Manufacturer>TokenVendorAcme</pskc:Manufacturer>
1135	              <pskc:SerialNo>987654321</pskc:SerialNo>
1136	          </pskc:DeviceInfo>
1137	          <pskc:CryptoModuleInfo>
1138	              <pskc:Id>CM_ID_001</pskc:Id>
1139	          </pskc:CryptoModuleInfo>
1140	          <pskc:Key Algorithm=
1141	          "urn:ietf:params:xml:ns:keyprov:pskc#hotp" Id="123456">
1142	              <pskc:Issuer>Example-Issuer</pskc:Issuer>
1143	              <pskc:AlgorithmParameters>
1144	                  <pskc:ResponseFormat Length="8" Encoding="DECIMAL"/>
1145	              </pskc:AlgorithmParameters>
1146	              <pskc:Data>
1147	                  <pskc:Secret>
1148	                  <pskc:EncryptedValue Id="ED">
1149	                      <xenc:EncryptionMethod
1150	                          Algorithm=
1151	  "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
1152	                          <xenc:CipherData>
1153	                              <xenc:CipherValue>
1154	        oTvo+S22nsmS2Z/RtcoF8Hfh+jzMe0RkiafpoDpnoZTjPYZu6V+A4aEn032yCr4f
1155	                          </xenc:CipherValue>
1156	                      </xenc:CipherData>
1157	                      </pskc:EncryptedValue>
1158	                      <pskc:ValueMAC>LP6xMvjtypbfT9PdkJhBZ+D6O4w=
1159	                      </pskc:ValueMAC>
1160	                  </pskc:Secret>
1161	              </pskc:Data>
1162	          </pskc:Key>
1163	      </pskc:KeyPackage>
1164	  </pskc:KeyContainer>

1166	      Figure 7: Example of a PSKC Document using Encryption based on
1167	                           Passphrase-based Keys

1169	6.3.  Encryption based on Asymmetric Keys

1171	   When using asymmetric keys to encrypt child elements of the <Data>
1172	   element, information about the certificate being used MUST be stated
1173	   in the <X509Data> element, which is a child element of the
1174	   <EncryptionKey> element.  The encryption algorithm MUST be indicated
1175	   in the 'Algorithm' attribute of the <EncryptionMethod> element.  In
1176	   the example shown in Figure 8 the algorithm is set to
1177	   "http://www.w3.org/2001/04/xmlenc#rsa_1_5".

1179	   <?xml version="1.0" encoding="UTF-8" ?>
1180	   <KeyContainer
1181	       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1182	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
1183	       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1184	       id="KC0001"
1185	       Version="1.0">
1186	       <EncryptionKey>
1187	           <ds:X509Data>
1188	   <ds:X509Certificate>MIIB5zCCAVCgAwIBAgIESZp/vDANBgkqhkiG9w0BAQUFADA4M
1189	   Q0wCwYDVQQKEwRJRVRGMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIF
1190	   Rlc3QwHhcNMDkwMjE3MDkxMzMyWhcNMTEwMjE3MDkxMzMyWjA4MQ0wCwYDVQQKEwRJRVR
1191	   GMRMwEQYDVQQLEwpLZXlQcm92IFdHMRIwEAYDVQQDEwlQU0tDIFRlc3QwgZ8wDQYJKoZI
1192	   hvcNAQEBBQADgY0AMIGJAoGBALCWLDa2ItYJ6su80hd1gL4cggQYdyyKK17btt/aS6Q/e
1193	   DsKjsPyFIODsxeKVV/uA3wLT4jQJM5euKJXkDajzGGOy92+ypfzTX4zDJMkh61SZwlHNJ
1194	   xBKilAM5aW7C+BQ0RvCxvdYtzx2LTdB+X/KMEBA7uIYxLfXH2Mnub3WIh1AgMBAAEwDQY
1195	   JKoZIhvcNAQEFBQADgYEAe875m84sYUJ8qPeZ+NG7REgTvlHTmoCdoByU0LBBLotUKuqf
1196	   rnRuXJRMeZXaaEGmzY1kLonVjQGzjAkU4dJ+RPmiDlYuHLZS41Pg6VMwY+03lhk6I5A/w
1197	   4rnqdkmwZX/NgXg06alnc2pBsXWhL4O7nk0S2ZrLMsQZ6HcsXgdmHo=
1198	   </ds:X509Certificate>
1199	           </ds:X509Data>
1200	       </EncryptionKey>
1201	       <KeyPackage>
1202	           <DeviceInfo>
1203	               <Manufacturer>TokenVendorAcme</Manufacturer>
1204	               <SerialNo>987654321</SerialNo>
1205	           </DeviceInfo>
1206	           <Key
1207	               Id="MBK000000001"
1208	               Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1209	               <Issuer>Example-Issuer</Issuer>
1210	               <AlgorithmParameters>
1211	                   <ResponseFormat Length="6" Encoding="DECIMAL"/>
1212	               </AlgorithmParameters>
1213	               <Data>
1214	                   <Secret>
1215	                       <EncryptedValue>
1216	                           <xenc:EncryptionMethod
1217	                Algorithm="http://www.w3.org/2001/04/xmlenc#rsa_1_5"/>
1218	                           <xenc:CipherData>
1219	   <xenc:CipherValue>hJ+fvpoMPMO9BYpK2rdyQYGIxiATYHTHC7e/sPLKYo5/r1v+4
1220	   xTYG3gJolCWuVMydJ7Ta0GaiBPHcWa8ctCVYmHKfSz5fdeV5nqbZApe6dofTqhRwZK6
1221	   Yx4ufevi91cjN2vBpSxYafvN3c3+xIgk0EnTV4iVPRCR0rBwyfFrPc4=
1222	   </xenc:CipherValue>
1223	                           </xenc:CipherData>
1224	                       </EncryptedValue>
1225	                   </Secret>
1226	                   <Counter>
1227	                       <PlainValue>0</PlainValue>
1228	                   </Counter>
1229	               </Data>
1230	           </Key>
1231	       </KeyPackage>
1232	   </KeyContainer>

1234	      Figure 8: Example of a PSKC Document using Encryption based on
1235	                              Asymmetric Keys

1237	   For systems implementing PSKC it is RECOMMENDED to implement the
1238	   RSA-1.5 algorithm, identified by the URI
1239	   'http://www.w3.org/2001/04/xmlenc#rsa-1_5'.

1241	   Some of the asymmetric encryption algorithms that can optionally be
1242	   implemented are:

1244	   Algorithm         | Uniform Resource Locator (URL)
1245	   ------------------+-------------------------------------------------
1246	   RSA-OAEP-MGF1P    | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p

1248	6.4.  Padding of Encrypted Values for Non-Padded Encryption Algorithms

1250	   Padding of encrypted values (for example the key secret value) is
1251	   required when key protection algorithms are used that do not support
1252	   embedded padding and the value to be encrypted is not a multiple of
1253	   the encryption algorithm cypher block length.

1255	   For example, when transmitting a HOTP key (20 bytes long) protected
1256	   with the AES algorithm in CBC mode (8 byte block cypher), padding is
1257	   required since 20 bytes are not a multiple of the 8 byte block
1258	   length.

1260	   In these cases, for systems implementing PSKC it is RECOMMENDED to
1261	   pad the value before encryption using PKCS5 padding as described in
1262	   [PKCS5].

1264	7.  Digital Signature

1266	   PSKC allows a digital signature to be added to the XML document, as a
1267	   child element of the <KeyContainer> element.  The description of the
1268	   XML digital signature can be found in [XMLDSIG].

1270	   <?xml version="1.0" encoding="UTF-8"?>
1271	   <KeyContainer
1272	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
1273	       xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1274	       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1275	       Version="1.0">
1276	       <KeyPackage>
1277	           <DeviceInfo>
1278	               <Manufacturer>TokenVendorAcme</Manufacturer>
1279	               <SerialNo>0755225266</SerialNo>
1280	           </DeviceInfo>
1281	           <Key Id="123"
1282	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1283	               <Issuer>Example-Issuer</Issuer>
1284	               <AlgorithmParameters>
1285	                   <ResponseFormat Length="6" Encoding="DECIMAL"/>
1286	               </AlgorithmParameters>
1287	               <Data>
1288	                   <Secret>
1289	                       <PlainValue>
1290	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1291	                       </PlainValue>
1292	                   </Secret>
1293	                   <Counter>
1294	                       <PlainValue>0</PlainValue>
1295	                   </Counter>
1296	               </Data>
1297	           </Key>
1298	       </KeyPackage>
1299	       <Signature>
1300	           <ds:SignedInfo>
1301	               <ds:CanonicalizationMethod
1302	                Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
1303	               <ds:SignatureMethod
1304	                Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
1305	               <ds:Reference URI="#Device">
1306	                   <ds:DigestMethod
1307	                Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
1308	                   <ds:DigestValue>
1309	                       j6lwx3rvEPO0vKtMup4NbeVu8nk=
1310	                   </ds:DigestValue>

1312	               </ds:Reference>
1313	           </ds:SignedInfo>
1314	           <ds:SignatureValue>
1315	               j6lwx3rvEPO0vKtMup4NbeVu8nk=
1316	           </ds:SignatureValue>
1317	           <ds:KeyInfo>
1318	               <ds:X509Data>
1319	                   <ds:X509IssuerSerial>
1320	                       <ds:X509IssuerName>
1321	                           CN=Example.com,C=US
1322	                       </ds:X509IssuerName>
1323	                       <ds:X509SerialNumber>
1324	                           12345678
1325	                       </ds:X509SerialNumber>
1326	                   </ds:X509IssuerSerial>
1327	               </ds:X509Data>
1328	           </ds:KeyInfo>
1329	       </Signature>
1330	   </KeyContainer>

1332	                    Figure 9: Digital Signature Example

1334	8.  Bulk Provisioning

1336	   The functionality of bulk provisioning can be accomplished by
1337	   repeating the <KeyPackage> element multiple times within the
1338	   <KeyContainer> element indicating that multiple keys are provided to
1339	   different devices or cryptomodules.  The <EncryptionKey> element then
1340	   applies to all <KeyPackage> elements.  When provisioning multiple
1341	   keys to the same device the <KeyPackage> element is repeated but the
1342	   enclosed <DeviceInfo> element will contain the same sub-elements that
1343	   uniquely identify the single device (for example the keys for the
1344	   device identified by SerialNo='9999999' in the example below).

1346	   Figure 10 shows an example utilizing these capabilities.

1348	   <?xml version="1.0" encoding="UTF-8"?>
1349	   <KeyContainer Version="1.0"
1350	       xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
1351	       <KeyPackage>
1352	           <DeviceInfo>
1353	               <Manufacturer>TokenVendorAcme</Manufacturer>
1354	               <SerialNo>654321</SerialNo>
1355	           </DeviceInfo>
1356	           <Key Id="1"
1357	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1358	               <Issuer>Issuer</Issuer>
1359	               <AlgorithmParameters>
1360	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1361	               </AlgorithmParameters>
1362	               <Data>
1363	                   <Secret>
1364	                       <PlainValue>
1365	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1366	                       </PlainValue>
1367	                   </Secret>
1368	                   <Counter>
1369	                       <PlainValue>0</PlainValue>
1370	                   </Counter>
1371	               </Data>
1372	               <Policy>
1373	                   <StartDate>2006-05-01T00:00:00Z</StartDate>
1374	                   <ExpiryDate>2006-05-31T00:00:00Z</ExpiryDate>
1375	               </Policy>
1376	           </Key>
1377	       </KeyPackage>
1378	       <KeyPackage>
1379	           <DeviceInfo>
1380	               <Manufacturer>TokenVendorAcme</Manufacturer>
1381	               <SerialNo>123456</SerialNo>
1382	           </DeviceInfo>
1383	           <Key Id="2"
1384	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1385	               <Issuer>Issuer</Issuer>
1386	               <AlgorithmParameters>
1387	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1388	               </AlgorithmParameters>
1389	               <Data>
1390	                   <Secret>
1391	                       <PlainValue>
1392	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1393	                       </PlainValue>
1394	                   </Secret>
1395	                   <Counter>
1396	                       <PlainValue>0</PlainValue>
1397	                   </Counter>
1398	               </Data>
1399	               <Policy>
1400	                   <StartDate>2006-05-01T00:00:00Z</StartDate>
1401	                   <ExpiryDate>2006-05-31T00:00:00Z</ExpiryDate>
1402	               </Policy>
1403	           </Key>
1404	       </KeyPackage>
1405	       <KeyPackage>
1406	           <DeviceInfo>
1407	               <Manufacturer>TokenVendorAcme</Manufacturer>
1408	               <SerialNo>9999999</SerialNo>
1409	           </DeviceInfo>
1410	           <Key Id="3"
1411	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1412	               <Issuer>Issuer</Issuer>
1413	               <AlgorithmParameters>
1414	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1415	               </AlgorithmParameters>
1416	               <Data>
1417	                   <Secret>
1418	                       <PlainValue>
1419	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1420	                       </PlainValue>
1421	                   </Secret>
1422	                   <Counter>
1423	                       <PlainValue>0</PlainValue>
1424	                   </Counter>
1425	               </Data>
1426	               <Policy>
1427	                   <StartDate>2006-03-01T00:00:00Z</StartDate>
1428	                   <ExpiryDate>2006-03-31T00:00:00Z</ExpiryDate>

1430	               </Policy>
1431	           </Key>
1432	       </KeyPackage>
1433	       <KeyPackage>
1434	           <DeviceInfo>
1435	               <Manufacturer>TokenVendorAcme</Manufacturer>
1436	               <SerialNo>9999999</SerialNo>
1437	           </DeviceInfo>
1438	           <Key Id="4"
1439	           Algorithm="urn:ietf:params:xml:ns:keyprov:pskc#hotp">
1440	               <Issuer>Issuer</Issuer>
1441	               <AlgorithmParameters>
1442	                   <ResponseFormat Length="8" Encoding="DECIMAL"/>
1443	               </AlgorithmParameters>
1444	               <Data>
1445	                   <Secret>
1446	                       <PlainValue>
1447	                           MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
1448	                       </PlainValue>
1449	                   </Secret>
1450	                   <Counter>
1451	                       <PlainValue>0</PlainValue>
1452	                   </Counter>
1453	               </Data>
1454	               <Policy>
1455	                   <StartDate>2006-04-01T00:00:00Z</StartDate>
1456	                   <ExpiryDate>2006-04-30T00:00:00Z</ExpiryDate>
1457	               </Policy>
1458	           </Key>
1459	       </KeyPackage>
1460	   </KeyContainer>

1462	                   Figure 10: Bulk Provisioning Example

1464	9.  Extensibility

1466	   This section lists a few common extension points provided by PSKC:

1468	   New PSKC Version:  Whenever it is necessary to define a new version
1469	      of this document then a new version number has to be allocated to
1470	      refer to the new specification version.  The version number is
1471	      carried inside the 'Version' attribute, as described in Section 4,
1472	      and rules for extensibililty are defined in Section 12.

1474	   New XML Elements:  The usage of the XML schema and the available
1475	      extension points allows new XML elements to be added.  Depending
1476	      of type of XML elements different ways for extensibility are
1477	      offered.  In some places the <Extensions> element can be used and
1478	      elsewhere the "<xs:any namespace="##other" processContents="lax"
1479	      minOccurs="0" maxOccurs="unbounded"/>" XML extension point is
1480	      utilized.

1482	   New XML Attributes:  The XML schema allows new XML attributes to be
1483	      added where XML extension points have been defined (see "<xs:
1484	      anyAttribute namespace="##other"/>" in Section 11).

1486	   New PSKC Algorithm Profiles:  This document defines two PSKC
1487	      algorithm profiles, see Section 10.  The following informational
1488	      document describes additional profiles [PSKC-ALGORITHM-PROFILES].
1489	      Further PSKC algorithm profiles can be registered as described in
1490	      Section 12.4.

1492	   Algorithm URIs:  Section 6 defines how keys and related data can be
1493	      protected.  A number of algorithms can be used.  The use of new
1494	      algorithms can be used by pointing to a new algorithm URI.

1496	   Policy:  Section 5 defines policies that can be attached to a key and
1497	      keying related data.  The <Policy> element is one such item that
1498	      allows to restrict the use of the key to certain functions, such
1499	      as "OTP usage only".  Further values may be registered as
1500	      described in Section 12.

1502	10.  PSKC Algorithm Profile

1504	10.1.  HOTP

1506	   Common Name:  HOTP

1508	   Class:  OTP

1510	   URI:  urn:ietf:params:xml:ns:keyprov:pskc#hotp

1512	   Algorithm Definition:  [HOTP]

1514	   Identifier Definition:  (this RFC)

1516	   Registrant Contact:  IESG

1518	   Deprectaed:  FALSE

1520	   Profiling:

1522	         The <KeyPackage> element MUST be present and the
1523	         <ResponseFormat> element, which is a child element of the
1524	         <AlgorithmParameters> element, MUST be used to indicate the OTP
1525	         length and the value format.

1527	         The <Counter> element (see Section 4.1) MUST be provided as
1528	         meta-data for the key.

1530	         The following additional constraints apply:

1532	         +  The value of the <Secret> element MUST contain key material
1533	            with a length of at least 16 octets (128 bits), if it is
1534	            present.

1536	         +  The <ResponseFormat> element MUST have the 'Format'
1537	            attribute set to "DECIMAL", and the 'Length' attribute MUST
1538	            indicate a length value between 6 and 9 (inclusive).

1540	         +  The <PINPolicy> element MAY be present but the
1541	            'PINUsageMode' attribute cannot be set to "Algorithmic".

1543	         An example can be found in Figure 3.

1545	10.2.  KEYPROV-PIN
1546	   Common Name:  KEYPROV-PIN

1548	   Class:  Symmetric static credential comparison

1550	   URI:  urn:ietf:params:xml:ns:keyprov:pskc#pin

1552	   Algorithm Definition:  (this document)

1554	   Identifier Definition  (this document)

1556	   Registrant Contact:  IESG

1558	   Deprectaed:  FALSE

1560	   Profiling:

1562	         The <Usage> element MAY be present but no attribute of the
1563	         <Usage> element is required.  The <ResponseFormat> element MAY
1564	         be used to indicate the PIN value format.

1566	         The <Secret> element (see Section 4.1) MUST be provided.

1568	         See the example in Figure 5

1570	11.  XML Schema

1572	   This section defines the XML schema for PSKC.

1574	 <?xml version="1.0" encoding="UTF-8"?>
1575	 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
1576	      xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
1577	      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
1578	      xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
1579	      targetNamespace="urn:ietf:params:xml:ns:keyprov:pskc"
1580	      elementFormDefault="qualified"
1581	      attributeFormDefault="unqualified">
1582	      <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
1583	           schemaLocation=
1584	 "http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
1585	           xmldsig-core-schema.xsd"/>
1586	      <xs:import namespace="http://www.w3.org/2001/04/xmlenc#"
1587	           schemaLocation=
1588	 "http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd"/>
1589	      <xs:import namespace="http://www.w3.org/XML/1998/namespace"/>
1590	      <xs:complexType name="KeyContainerType">
1591	           <xs:sequence>
1592	                <xs:element name="EncryptionKey"
1593	                     type="ds:KeyInfoType" minOccurs="0"/>
1594	                <xs:element name="MACMethod"
1595	                     type="pskc:MACMethodType" minOccurs="0"/>
1596	                <xs:element name="KeyPackage"
1597	                     type="pskc:KeyPackageType" maxOccurs="unbounded"/>
1598	                <xs:element name="Signature"
1599	                     type="ds:SignatureType" minOccurs="0"/>
1600	                <xs:element name="Extensions"
1601	                     type="pskc:ExtensionsType"
1602	                     minOccurs="0" maxOccurs="unbounded"/>
1603	           </xs:sequence>
1604	           <xs:attribute name="Version"
1605	                type="pskc:VersionType" use="required"/>
1606	           <xs:attribute name="Id"
1607	                type="xs:ID" use="optional"/>
1608	      </xs:complexType>
1609	      <xs:simpleType name="VersionType" final="restriction">
1610	           <xs:restriction base="xs:string">
1611	                <xs:pattern value="\d{1,2}\.\d{1,3}"/>
1612	           </xs:restriction>
1613	      </xs:simpleType>
1614	      <xs:complexType name="KeyType">
1615	           <xs:sequence>
1616	                <xs:element name="Issuer"
1617	                     type="xs:string" minOccurs="0"/>
1618	                <xs:element name="AlgorithmParameters"
1619	                     type="pskc:AlgorithmParametersType"
1620	                     minOccurs="0"/>
1621	                <xs:element name="KeyProfileId"
1622	                     type="xs:string" minOccurs="0"/>
1623	                <xs:element name="KeyReference"
1624	                     type="xs:string" minOccurs="0"/>
1625	                <xs:element name="FriendlyName"
1626	                     type="xs:string" minOccurs="0"/>
1627	                <xs:element name="Data"
1628	                     type="pskc:KeyDataType" minOccurs="0"/>
1629	                <xs:element name="UserId"
1630	                     type="xs:string" minOccurs="0"/>
1631	                <xs:element name="Policy"
1632	                     type="pskc:PolicyType" minOccurs="0"/>
1633	                <xs:element name="Extensions"
1634	                     type="pskc:ExtensionsType" minOccurs="0"
1635	                     maxOccurs="unbounded"/>
1636	           </xs:sequence>
1637	           <xs:attribute name="Id"
1638	                type="xs:string" use="required"/>
1639	           <xs:attribute name="Algorithm"
1640	                type="pskc:KeyAlgorithmType" use="optional"/>
1641	      </xs:complexType>
1642	      <xs:complexType name="PolicyType">
1643	           <xs:sequence>
1644	                <xs:element name="StartDate"
1645	                     type="xs:dateTime" minOccurs="0"/>
1646	                <xs:element name="ExpiryDate"
1647	                     type="xs:dateTime" minOccurs="0"/>
1648	                <xs:element name="PINPolicy"
1649	                     type="pskc:PINPolicyType" minOccurs="0"/>
1650	                <xs:element name="KeyUsage"
1651	                     type="pskc:KeyUsageType"
1652	                     minOccurs="0" maxOccurs="unbounded"/>
1653	                <xs:element name="NumberOfTransactions"
1654	                     type="xs:nonNegativeInteger" minOccurs="0"/>
1655	                <xs:any namespace="##other"
1656	                     minOccurs="0" maxOccurs="unbounded"/>
1657	           </xs:sequence>
1658	      </xs:complexType>
1659	      <xs:complexType name="KeyDataType">
1660	           <xs:sequence>
1661	                <xs:element name="Secret"
1662	                     type="pskc:binaryDataType" minOccurs="0"/>
1663	                <xs:element name="Counter"
1664	                     type="pskc:longDataType" minOccurs="0"/>

1666	                <xs:element name="Time"
1667	                     type="pskc:intDataType" minOccurs="0"/>
1668	                <xs:element name="TimeInterval"
1669	                     type="pskc:intDataType" minOccurs="0"/>
1670	                <xs:element name="TimeDrift"
1671	                     type="pskc:intDataType" minOccurs="0"/>
1672	                <xs:any namespace="##other"
1673	                     processContents="lax"
1674	                     minOccurs="0" maxOccurs="unbounded"/>
1675	           </xs:sequence>
1676	      </xs:complexType>
1677	      <xs:complexType name="binaryDataType">
1678	           <xs:sequence>
1679	                <xs:choice>
1680	                     <xs:element name="PlainValue"
1681	                          type="xs:base64Binary"/>
1682	                     <xs:element name="EncryptedValue"
1683	                          type="xenc:EncryptedDataType"/>
1684	                </xs:choice>
1685	                <xs:element name="ValueMAC"
1686	                     type="xs:base64Binary" minOccurs="0"/>
1687	           </xs:sequence>
1688	      </xs:complexType>
1689	      <xs:complexType name="intDataType">
1690	           <xs:sequence>
1691	                <xs:choice>
1692	                     <xs:element name="PlainValue" type="xs:int"/>
1693	                     <xs:element name="EncryptedValue"
1694	                          type="xenc:EncryptedDataType"/>
1695	                </xs:choice>
1696	                <xs:element name="ValueMAC"
1697	                     type="xs:base64Binary" minOccurs="0"/>
1698	           </xs:sequence>
1699	      </xs:complexType>
1700	      <xs:complexType name="stringDataType">
1701	           <xs:sequence>
1702	                <xs:choice>
1703	                     <xs:element name="PlainValue" type="xs:string"/>
1704	                     <xs:element name="EncryptedValue"
1705	                          type="xenc:EncryptedDataType"/>
1706	                </xs:choice>
1707	                <xs:element name="ValueMAC"
1708	                     type="xs:base64Binary" minOccurs="0"/>
1709	           </xs:sequence>
1710	      </xs:complexType>
1711	      <xs:complexType name="longDataType">
1712	           <xs:sequence>
1713	                <xs:choice>
1714	                     <xs:element name="PlainValue" type="xs:long"/>
1715	                     <xs:element name="EncryptedValue"
1716	                          type="xenc:EncryptedDataType"/>
1717	                </xs:choice>
1718	                <xs:element name="ValueMAC"
1719	                     type="xs:base64Binary" minOccurs="0"/>
1720	           </xs:sequence>
1721	      </xs:complexType>
1722	      <xs:complexType name="PINPolicyType">
1723	           <xs:attribute name="PINKeyId"
1724	                type="xs:string" use="optional"/>
1725	           <xs:attribute name="PINUsageMode"
1726	                type="pskc:PINUsageModeType"/>
1727	           <xs:attribute name="MaxFailedAttempts"
1728	                type="xs:unsignedInt" use="optional"/>
1729	           <xs:attribute name="MinLength"
1730	                type="xs:unsignedInt" use="optional"/>
1731	           <xs:attribute name="MaxLength"
1732	                type="xs:unsignedInt" use="optional"/>
1733	           <xs:attribute name="PINEncoding"
1734	                type="pskc:ValueFormatType" use="optional"/>
1735	           <xs:anyAttribute namespace="##other"/>
1736	      </xs:complexType>
1737	      <xs:simpleType name="PINUsageModeType">
1738	           <xs:restriction base="xs:string">
1739	                <xs:enumeration value="Local"/>
1740	                <xs:enumeration value="Prepend"/>
1741	                <xs:enumeration value="Append"/>
1742	                <xs:enumeration value="Algorithmic"/>
1743	           </xs:restriction>
1744	      </xs:simpleType>
1745	      <xs:simpleType name="KeyUsageType">
1746	           <xs:restriction base="xs:string">
1747	                <xs:enumeration value="OTP"/>
1748	                <xs:enumeration value="CR"/>
1749	                <xs:enumeration value="Encrypt"/>
1750	                <xs:enumeration value="Integrity"/>
1751	                <xs:enumeration value="Verify"/>
1752	                <xs:enumeration value="Unlock"/>
1753	                <xs:enumeration value="Decrypt"/>
1754	                <xs:enumeration value="KeyWrap"/>
1755	                <xs:enumeration value="Unwrap"/>
1756	                <xs:enumeration value="Derive"/>
1757	                <xs:enumeration value="Generate"/>
1758	           </xs:restriction>
1759	      </xs:simpleType>
1760	      <xs:complexType name="DeviceInfoType">
1761	           <xs:sequence>
1762	                <xs:element name="Manufacturer"
1763	                     type="xs:string" minOccurs="0"/>
1764	                <xs:element name="SerialNo"
1765	                     type="xs:string" minOccurs="0"/>
1766	                <xs:element name="Model"
1767	                     type="xs:string" minOccurs="0"/>
1768	                <xs:element name="IssueNo"
1769	                     type="xs:string" minOccurs="0"/>
1770	                <xs:element name="DeviceBinding"
1771	                     type="xs:string" minOccurs="0"/>
1772	                <xs:element name="StartDate"
1773	                     type="xs:dateTime" minOccurs="0"/>
1774	                <xs:element name="ExpiryDate"
1775	                     type="xs:dateTime" minOccurs="0"/>
1776	                <xs:element name="UserId"
1777	                     type="xs:string" minOccurs="0"/>
1778	                <xs:element name="Extensions"
1779	                     type="pskc:ExtensionsType" minOccurs="0"
1780	                     maxOccurs="unbounded"/>
1781	           </xs:sequence>
1782	      </xs:complexType>
1783	      <xs:complexType name="CryptoModuleInfoType">
1784	           <xs:sequence>
1785	                <xs:element name="Id" type="xs:string"/>
1786	                <xs:element name="Extensions"
1787	                     type="pskc:ExtensionsType" minOccurs="0"
1788	                     maxOccurs="unbounded"/>
1789	           </xs:sequence>
1790	      </xs:complexType>
1791	      <xs:complexType name="KeyPackageType">
1792	           <xs:sequence>
1793	                <xs:element name="DeviceInfo"
1794	                     type="pskc:DeviceInfoType" minOccurs="0"/>
1795	                <xs:element name="CryptoModuleInfo"
1796	                     type="pskc:CryptoModuleInfoType" minOccurs="0"/>
1797	                <xs:element name="Key"
1798	                     type="pskc:KeyType" minOccurs="0"/>
1799	                <xs:element name="Extensions"
1800	                     type="pskc:ExtensionsType" minOccurs="0"
1801	                     maxOccurs="unbounded"/>
1802	           </xs:sequence>
1803	      </xs:complexType>
1804	      <xs:complexType name="AlgorithmParametersType">
1805	           <xs:choice>
1806	                <xs:element name="ChallengeFormat" minOccurs="0">
1807	                     <xs:complexType>
1808	                          <xs:attribute name="Encoding"
1809	                               type="pskc:ValueFormatType"
1810	                                                       use="required"/>
1811	                          <xs:attribute name="Min"
1812	                               type="xs:unsignedInt" use="required"/>
1813	                          <xs:attribute name="Max"
1814	                               type="xs:unsignedInt" use="required"/>
1815	                          <xs:attribute name="CheckDigits"
1816	                               type="xs:boolean" default="false"/>
1817	                     </xs:complexType>
1818	                </xs:element>
1819	                <xs:element name="ResponseFormat" minOccurs="0">
1820	                     <xs:complexType>
1821	                          <xs:attribute name="Encoding"
1822	                               type="pskc:ValueFormatType"
1823	                                                       use="required"/>
1824	                          <xs:attribute name="Length"
1825	                               type="xs:unsignedInt" use="required"/>
1826	                          <xs:attribute name="CheckDigits"
1827	                               type="xs:boolean" default="false"/>
1828	                     </xs:complexType>
1829	                </xs:element>
1830	                <xs:element name="Extensions"
1831	                     type="pskc:ExtensionsType" minOccurs="0"
1832	                     maxOccurs="unbounded"/>
1833	           </xs:choice>
1834	      </xs:complexType>
1835	      <xs:complexType name="ExtensionsType">
1836	           <xs:sequence>
1837	                <xs:any namespace="##other"
1838	                     processContents="lax" maxOccurs="unbounded"/>
1839	           </xs:sequence>
1840	           <xs:attribute name="definition"
1841	                type="xs:anyURI" use="optional"/>
1842	      </xs:complexType>
1843	      <xs:simpleType name="KeyAlgorithmType">
1844	           <xs:restriction base="xs:anyURI"/>
1845	      </xs:simpleType>
1846	      <xs:simpleType name="ValueFormatType">
1847	           <xs:restriction base="xs:string">
1848	                <xs:enumeration value="DECIMAL"/>
1849	                <xs:enumeration value="HEXADECIMAL"/>
1850	                <xs:enumeration value="ALPHANUMERIC"/>
1851	                <xs:enumeration value="BASE64"/>
1852	                <xs:enumeration value="BINARY"/>
1853	           </xs:restriction>
1854	      </xs:simpleType>
1855	      <xs:complexType name="MACMethodType">
1856	            <xs:sequence>
1857	                   <xs:choice>
1858	                         <xs:element name="MACKey"
1859	               type="xenc:EncryptedDataType" minOccurs="0"/>
1860	                         <xs:element name="MACKeyReference"
1861	                                 type="xs:string" minOccurs="0"/>
1862	                         </xs:choice>
1863	                         <xs:any namespace="##other"
1864	            processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
1865	        </xs:sequence>
1866	        <xs:attribute name="Algorithm" type="xs:anyURI" use="required"/>
1867	         </xs:complexType>
1868	      <xs:element name="KeyContainer"
1869	           type="pskc:KeyContainerType"/>
1870	 </xs:schema>

1872	12.  IANA Considerations

1874	12.1.  Content-type registration for 'application/pskc+xml'

1876	   This specification requests the registration of a new MIME type
1877	   according to the procedures of RFC 4288 [RFC4288] and guidelines in
1878	   RFC 3023 [RFC3023].

1880	   MIME media type name:  application

1882	   MIME subtype name:  pskc+xml

1884	   Required parameters:  There is no required parameter.

1886	   Optional parameters:  charset

1888	      Indicates the character encoding of enclosed XML.

1890	   Encoding considerations:  Uses XML, which can employ 8-bit
1891	      characters, depending on the character encoding used.  See RFC
1892	      3023 [RFC3023], Section 3.2.

1894	   Security considerations:  Please refer to Section 13 of RFCXXXX [NOTE
1895	      TO IANA/RFC-EDITOR: Please replace XXXX with the RFC number of
1896	      this specification.]

1898	   Interoperability considerations:  None

1900	   Published specification:  RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please
1901	      replace XXXX with the RFC number of this specification.]

1903	   Applications which use this media type:  This MIME type is being used
1904	      as a symmetric key container format for transport and provisioning
1905	      of symmetric keys (One Time Password (OTP) shared secrets or
1906	      symmetric cryptographic keys) to different types of strong
1907	      authentication devices.  As such, it is used for key provisioning
1908	      systems.

1910	   Additional information:

1912	      Magic Number:  None

1914	      File Extension:  .pskcxml

1916	      Macintosh file type code:  'TEXT'

1918	   Personal and email address to contact for further information:
1919	      Philip Hoyer, Philip.Hoyer@actividentity.com

1921	   Intended usage:  LIMITED USE

1923	   Restrictions on usage:  None

1925	   Author:  This specification is a work item of the IETF KEYPROV
1926	      working group, with mailing list address <keyprov@ietf.org>.

1928	   Change controller:  The IESG <iesg@ietf.org>

1930	12.2.  XML Schema Registration

1932	   This section registers an XML schema as per the guidelines in
1933	   [RFC3688].

1935	   URI:  urn:ietf:params:xml:schema:keyprov:pskc

1937	   Registrant Contact:  IETF KEYPROV Working Group, Philip Hoyer
1938	      (Philip.Hoyer@actividentity.com).

1940	   XML Schema:  The XML schema to be registered is contained in
1941	      Section 11.  Its first line is

1943	   <?xml version="1.0" encoding="UTF-8"?>

1945	      and its last line is

1947	   </xs:schema>

1949	12.3.  URN Sub-Namespace Registration

1951	   This section registers a new XML namespace,
1952	   "urn:ietf:params:xml:ns:keyprov:pskc", per the guidelines in
1953	   [RFC3688].

1955	   URI:  urn:ietf:params:xml:ns:keyprov:pskc

1957	   Registrant Contact:  IETF KEYPROV Working Group, Philip Hoyer
1958	      (Philip.Hoyer@actividentity.com).

1960	   XML:

1962	   BEGIN
1963	   <?xml version="1.0"?>
1964	   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
1965	     "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
1966	   <html xmlns="http://www.w3.org/1999/xhtml">
1967	   <head>
1968	     <meta http-equiv="content-type"
1969	           content="text/html;charset=iso-8859-1"/>
1970	     <title>PSKC Namespace</title>
1971	   </head>
1972	   <body>
1973	     <h1>Namespace for PSKC</h1>
1974	     <h2>urn:ietf:params:xml:ns:keyprov:pskc</h2>
1975	   <p>See <a href="[URL of published RFC]">RFCXXXX
1976	       [NOTE TO IANA/RFC-EDITOR:
1977	        Please replace XXXX with the RFC number of this
1978	       specification.]</a>.</p>
1979	   </body>
1980	   </html>
1981	   END

1983	12.4.  PSKC Algorithm Profile Registry

1985	   This specification requests the creation of a new IANA registry for
1986	   PSKC algorithm profiles in accordance with the principles set out in
1987	   RFC 5226 [RFC5226].

1989	   As part of this registry IANA will maintain the following
1990	   information:

1992	   Common Name:  The name by which the PSKC algorithm profile is
1993	      generally referred.

1995	   Class:  The type of PSKC algorithm profile registry entry being
1996	      created, such as encryption, Message Authentication Code (MAC),
1997	      One Time Password (OTP), Digest.

1999	   URI:  The URI to be used to identify the profile.

2001	   Identifier Definition:  IANA will be asked to add a pointer to the
2002	      specification containing information about the PSKC algorithm
2003	      profile registration.

2005	   Algorithm Definition:  A reference to the stable document in which
2006	      the algorithm being used with the PSKC is defined.

2008	   Registrant Contact:  Contact information about the party submitting
2009	      the registration request.

2011	   Deprecated:  TRUE if based on expert approval this entry has been
2012	      deprecated and SHOULD not be used in any new implementations.
2013	      Otherwise FALSE.

2015	   PSKC Profiling:  Information about PSKC XML elements and attributes
2016	      being used (or not used) with this specific profile of PSKC.

2018	   PSKC algorithm profile identifier registrations are to be subject to
2019	   Expert Review as per RFC 5226 [RFC5226].  Updates can be provided
2020	   based on expert approval only.  Based on expert approval, it is
2021	   possible to mark entries as "deprecated".  A designated expert will
2022	   be appointed by the IESG.

2024	   IANA is asked to add an initial value to the registry based on the
2025	   PSKC HOTP algorithm profile described in Section 10.

2027	12.5.  PSKC Version Registry

2029	   IANA is requested to create a registry for PSKC version numbers.  The
2030	   registry has the following structure:

2032	     PSKC Version              | Specification
2033	   +---------------------------+----------------
2034	   | 1.0                       | [This document]

2036	   Standards action is required to define new versions of PSKC.  It is
2037	   not envisioned to deprecate, delete, or modify existing PSKC
2038	   versions.

2040	12.6.  Key Usage Registry

2042	   IANA is requested to create a registry for key usage.  A description
2043	   of the 'KeyUsage' element can be found in Section 5.  The registry
2044	   has the following structure:

2046	     Key Usage Token           | Specification
2047	   +---------------------------+-------------------------------
2048	   | OTP                       | [Section 5 of this document]
2049	   | CR                        | [Section 5 of this document]
2050	   | Encrypt                   | [Section 5 of this document]
2051	   | Integrity                 | [Section 5 of this document]
2052	   | Verify                    | [Section 5 of this document]
2053	   | Unlock                    | [Section 5 of this document]
2054	   | Decrypt                   | [Section 5 of this document]
2055	   | KeyWrap                   | [Section 5 of this document]
2056	   | Unwrap                    | [Section 5 of this document]
2057	   | Derive                    | [Section 5 of this document]
2058	   | Generate                  | [Section 5 of this document]
2059	   +---------------------------+-------------------------------

2061	   Expert Review is required to define new key usage tokens.  Each
2062	   registration request has to provide a description of the semantic.
2063	   Using the same procedure it is possible to deprecate, delete, or
2064	   modify existing key usage tokens.  A designated expert will be
2065	   appointed by the IESG.

2067	13.  Security Considerations

2069	   The portable symmetric key container (PSKC) carries sensitive
2070	   information (e.g., cryptographic keys) and may be transported across
2071	   the boundaries of one secure perimeter to another.  For example, a
2072	   container residing within the secure perimeter of a back-end
2073	   provisioning server in a secure room may be transported across the
2074	   internet to an end-user device attached to a personal computer.  This
2075	   means that special care MUST be taken to ensure the confidentiality,
2076	   integrity, and authenticity of the information contained within.

2078	13.1.  PSKC Confidentiality

2080	   By design, the container allows two main approaches to guaranteeing
2081	   the confidentiality of the information it contains while transported.

2083	   First, the container key data payload may be encrypted.

2085	   In this case no transport layer security is required.  However,
2086	   standard security best practices apply when selecting the strength of
2087	   the cryptographic algorithm for key data payload encryption.
2088	   Symmetric cryptographic cipher SHOULD be used - the longer the
2089	   cryptographic key, the stronger the protection.  Please see
2090	   Section 6.1 for recommendations of key data payload protection using
2091	   symmetric cryptographic ciphers.  In cases where the exchange of key
2092	   encryption keys between the sender and the receiver is not possible,
2093	   asymmetric encryption of the key data payload may be employed, see
2094	   Section 6.3 .  Similarly to symmetric key cryptography, the stronger
2095	   the asymmetric key, the more secure the protection is.

2097	   If the key data payload is encrypted with a method that uses one of
2098	   the password-based encryption methods (PBE methods) detailed in
2099	   Section 6.2, the key data payload may be subjected to password
2100	   dictionary attacks to break the encryption password and recover the
2101	   information.  Standard security best practices for selection of
2102	   strong encryption passwords apply.

2104	   Additionally, it is strongly RECOMMENDED that practical
2105	   implementations use PBESalt and PBEIterationCount when PBE encryption
2106	   is used.  A different PBESalt value per PSKC SHOULD be used for best
2107	   protection.

2109	   The second approach to protecting the confidentiality of the key data
2110	   payload is based on using transport layer security.  The secure
2111	   channel established between the source secure perimeter (the
2112	   provisioning server from the example above) and the target perimeter
2113	   (the device attached to the end-user computer) utilizes encryption to
2114	   transport the messages that travel across.  No key data payload
2115	   encryption is required in this mode.  Secure channels that encrypt
2116	   and digest each message provide an extra measure of security.

2118	   Because of the fact that the plain text PSKC is protected only by the
2119	   transport layer security, practical implementation MUST ensure
2120	   protection against man-in-the-middle attacks.  Authenticating the
2121	   secure channel end-points is critically important for eliminating
2122	   intruders that may compromise the confidentiality of the PSKC.

2124	13.2.  PSKC Integrity

2126	   The PSKC provides a mean to guarantee the integrity of the
2127	   information it contains through digital signatures.  It is
2128	   RECOMMENDED that for best security practices, the digital signature
2129	   of the container encompasses the entire PSKC.This provides assurances
2130	   for the integrity of all attributes.  It also allows verification of
2131	   the integrity of a given PSKC even after the container is delivered
2132	   through the communication channel to the target perimeter and channel
2133	   message integrity check is no longer possible.

2135	13.3.  PSKC Authenticity

2137	   The digital signature of the PSKC is the primary way of showing its
2138	   authenticity.  The recipient of the container SHOULD use the public
2139	   key associated with the signature to assert the authenticity of the
2140	   sender by tracing it back to a preloaded public key or certificate.
2141	   Note that the digital signature of the PSKC can be checked even after
2142	   the container has been delivered through the secure channel of
2143	   communication.

2145	   A weaker payload authenticity guarantee may be provided by the
2146	   transport layer if it is configured to digest each message it
2147	   transports.  However, no authenticity verification is possible once
2148	   the container is delivered at the recipient end.  This approach may
2149	   be useful in cases where the digital signature of the container does
2150	   not encompass the entire PSKC.

2152	14.  Contributors

2154	   We would like Hannes Tschofenig for his text contributions to this
2155	   document.

2157	15.  Acknowledgements

2159	   The authors of this draft would like to thank the following people
2160	   for their feedback: Apostol Vassilev, Shuh Chang, Jon Martinson,
2161	   Siddhart Bajaj, Stu Vaeth, Kevin Lewis, Philip Hallam-Baker, Andrea
2162	   Doherty, Magnus Nystrom, Tim Moses, Anders Rundgren, Sean Turner and
2163	   especially Robert Philpott.

2165	   We would like to thank Sean Turner for his draft review in January
2166	   2009.  We would also like to thank Anders Rundgren for triggering the
2167	   discussion regarding to the selection of encryption algorithms (KW-
2168	   AES-128 vs. AES-128-CBC) and his input on the keyed message digest
2169	   computation.

2171	   This work is based on earlier work by the members of OATH (Initiative
2172	   for Open AuTHentication), see [OATH], to specify a format that can be
2173	   freely distributed to the technical community.

2175	16.  References

2177	16.1.  Normative References

2179	   [AESKWPAD]
2180	              Housley, R. and M. Dworkin, "Advanced Encryption Standard
2181	              (AES) Key Wrap with Padding Algorithm", March 2009, <http:
2182	              //www.ietf.org/internet-drafts/
2183	              draft-housley-aes-key-wrap-with-pad-02.txt>.

2185	   [HOTP]     MRaihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
2186	              O. Ranen, "HOTP: An HMAC-Based One Time Password
2187	              Algorithm", RFC 4226, December 2005.

2189	   [ISOIEC7812]
2190	              ISO, "ISO/IEC 7812-1:2006 Identification cards --
2191	              Identification of issuers -- Part 1: Numbering system",
2192	              October 2006, <http://www.iso.org/iso/iso_catalogue/
2193	              catalogue_tc/catalogue_detail.htm?csnumber=39698>.

2195	   [OATHMAN]  OATH, "List of OATH Manufacturer Prefixes (omp)",
2196	              April 2009,
2197	              <http://www.openauthentication.org/oath-id/prefixes/>.

2199	   [PKCS5]    RSA Laboratories, "PKCS #5: Password-Based Cryptography
2200	              Standard", Version 2.0,
2201	              URL: http://www.rsasecurity.com/rsalabs/pkcs/, March 1999.

2203	   [RFC2119]  "Key words for use in RFCs to Indicate Requirement
2204	              Levels", BCP 14, RFC 2119, March 1997.

2206	   [RFC3023]  Murata, M., St. Laurent, S., and D. Kohn, "XML Media
2207	              Types", RFC 3023, January 2001.

2209	   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
2210	              January 2004.

2212	   [RFC4288]  Freed, N. and J. Klensin, "Media Type Specifications and
2213	              Registration Procedures", BCP 13, RFC 4288, December 2005.

2215	   [RFC4514]  Zeilenga, K., "Lightweight Directory Access Protocol
2216	              (LDAP): String Representation of Distinguished Names",
2217	              RFC 4514, June 2006.

2219	   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
2220	              Encodings", RFC 4648, October 2006.

2222	   [XMLDSIG]  Eastlake, D., "XML-Signature Syntax and Processing",
2223	              URL: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/,
2224	              W3C Recommendation, February 2002.

2226	   [XMLENC]   Eastlake, D., "XML Encryption Syntax and Processing.",
2227	              URL: http://www.w3.org/TR/xmlenc-core/,
2228	              W3C Recommendation, December 2002.

2230	   [XMLENC11]
2231	              Eastlake, D., "XML Encryption Syntax and Processing
2232	              Version 1.1.",
2233	              URL: http://www.w3.org/TR/2009/WD-xmlenc-core1-20090730,
2234	              W3C Recommendation, July 2009.

2236	16.2.  Informative References

2238	   [CAP]      MasterCard International, "Chip Authentication Program
2239	              Functional Architecture", September 2004.

2241	   [DSKPP]    Doherty, A., Pei, M., Machani, S., and M. Nystrom,
2242	              "Dynamic Symmetric Key Provisioning Protocol", Internet
2243	              Draft Informational, URL: http://www.ietf.org/
2244	              internet-drafts/draft-ietf-keyprov-dskpp-07.txt,
2245	              February 2009.

2247	   [NIST800-57]
2248	              Barker, E., Barker, W., Burr, W., Polk, W., and M. Smid,
2249	              "NIST Special Publication 800-57, Recommendation for Key
2250	              Management - Part 1: General (Revised)", NIST Special
2251	              Publication 800-57, March 2007.

2253	   [OATH]     "Initiative for Open AuTHentication",
2254	              URL: http://www.openauthentication.org.

2256	   [PSKC-ALGORITHM-PROFILES]
2257	              Hoyer, P., Pei, M., Machani, S., and A. Doherty,
2258	              "Additional Portable Symmetric Key Container (PSKC)
2259	              Algorithm Profiles", Internet Draft Informational, URL:
2260	               http://www.ietf.org/id/
2261	              draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt,
2262	              May 2010.

2264	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2265	              Resource Identifiers (URI): Generic Syntax", RFC 3986,
2266	              January 2005.

2268	   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
2269	              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
2270	              May 2008.

2272	   [XMLNS]    "Namespaces in XML", W3C Recommendation ,
2273	              URL: http://www.w3.org/TR/1999/REC-xml-names-19990114,
2274	              January 1999.

2276	Appendix A.  Use Cases

2278	   This section describes a comprehensive list of use cases that
2279	   inspired the development of this specification.  These requirements
2280	   were used to derive the primary requirement that drove the design.
2281	   These requirements are covered in the next section.

2283	   These use cases also help in understanding the applicability of this
2284	   specification to real world situations.

2286	A.1.  Online Use Cases

2288	   This section describes the use cases related to provisioning the keys
2289	   using an online provisioning protocol such as [DSKPP].

2291	A.1.1.  Transport of keys from Server to Cryptographic Module

2293	   For example, a mobile device user wants to obtain a symmetric key for
2294	   use with a Cryptographic Module on the device.  The Cryptographic
2295	   Module from vendor A initiates the provisioning process against a
2296	   provisioning system from vendor B using a standards-based
2297	   provisioning protocol such as [DSKPP].  The provisioning entity
2298	   delivers one or more keys in a standard format that can be processed
2299	   by the mobile device.

2301	   For example, in a variation of the above, instead of the user's
2302	   mobile phone, a key is provisioned in the user's soft token
2303	   application on a laptop using a network-based online protocol.  As
2304	   before, the provisioning system delivers a key in a standard format
2305	   that can be processed by the soft token on the PC.

2307	   For example, the end-user or the key issuer wants to update or
2308	   configure an existing key in the Cryptographic Module and requests a
2309	   replacement key container.  The container may or may not include a
2310	   new key and may include new or updated key attributes such as a new
2311	   counter value in HOTP key case, a modified response format or length,
2312	   a new friendly name, etc.

2314	A.1.2.  Transport of keys from Cryptographic Module to Cryptographic
2315	        Module

2317	   For example, a user wants to transport a key from one Cryptographic
2318	   Module to another.  There may be two cryptographic modules, one on a
2319	   computer one on a mobile phone, and the user wants to transport a key
2320	   from the computer to the mobile phone.  The user can export the key
2321	   and related data in a standard format for input into the other
2322	   Cryptographic Module.

2324	A.1.3.  Transport of keys from Cryptographic Module to Server

2326	   For example, a user wants to activate and use a new key and related
2327	   data against a validation system that is not aware of this key.  This
2328	   key may be embedded in the Cryptographic Module (e.g.  SD card, USB
2329	   drive) that the user has purchased at the local electronics retailer.
2330	   Along with the Cryptographic Module, the user may get the key on a CD
2331	   or a floppy in a standard format.  The user can now upload via a
2332	   secure online channel or import this key and related data into the
2333	   new validation system and start using the key.

2335	A.1.4.  Server to server Bulk import/export of keys

2337	   From time to time, a key management system may be required to import
2338	   or export keys in bulk from one entity to another.

2340	   For example, instead of importing keys from a manufacturer using a
2341	   file, a validation server may download the keys using an online
2342	   protocol.  The keys can be downloaded in a standard format that can
2343	   be processed by a validation system.

2345	   For example, in a variation of the above, an Over-The-Air (OTA) key
2346	   provisioning gateway that provisions keys to mobile phones may obtain
2347	   key material from a key issuer using an online protocol.  The keys
2348	   are delivered in a standard format that can be processed by the key
2349	   provisioning gateway and subsequently sent to the end-user's mobile
2350	   phone.

2352	A.2.  Offline Use Cases

2354	   This section describes the use cases relating to offline transport of
2355	   keys from one system to another, using some form of export and import
2356	   model.

2358	A.2.1.  Server to server Bulk import/export of keys

2360	   For example, Cryptographic Modules such as OTP authentication tokens,
2361	   may have their symmetric keys initialized during the manufacturing
2362	   process in bulk, requiring copies of the keys and algorithm data to
2363	   be loaded into the authentication system through a file on portable
2364	   media.  The manufacturer provides the keys and related data in the
2365	   form of a file containing records in standard format, typically on a
2366	   CD.  Note that the token manufacturer and the vendor for the
2367	   validation system may be the same or different.  Some crypto modules
2368	   will allow local PIN management (the device will have a PIN pad)
2369	   hence random initial PINs set at manufacturing should be transmitted
2370	   together with the respective keys they protect.

2372	   For example, an enterprise wants to port keys and related data from
2373	   an existing validation system A into a different validation system B.
2374	   The existing validation system provides the enterprise with a
2375	   functionality that enables export of keys and related data (e.g. for
2376	   OTP authentication tokens) in a standard format.  Since the OTP
2377	   tokens are in the standard format, the enterprise can import the
2378	   token records into the new validation system B and start using the
2379	   existing tokens.  Note that the vendors for the two validation
2380	   systems may be the same or different.

2382	Appendix B.  Requirements

2384	   This section outlines the most relevant requirements that are the
2385	   basis of this work.  Several of the requirements were derived from
2386	   use cases described above.

2388	   R1:   The format MUST support transport of multiple types of
2389	         symmetric keys and related attributes for algorithms including
2390	         HOTP, other OTP, challenge-response, etc.

2392	   R2:   The format MUST handle the symmetric key itself as well of
2393	         attributes that are typically associated with symmetric keys.
2394	         Some of these attributes may be

2396	         *  Unique Key Identifier

2398	         *  Issuer information

2400	         *  Algorithm ID

2402	         *  Algorithm mode

2404	         *  Issuer Name

2406	         *  Key friendly name

2408	         *  Event counter value (moving factor for OTP algorithms)

2410	         *  Time value

2412	   R3:   The format SHOULD support both offline and online scenarios.
2413	         That is it should be serializable to a file as well as it
2414	         should be possible to use this format in online provisioning
2415	         protocols such as [DSKPP]

2417	   R4:   The format SHOULD allow bulk representation of symmetric keys

2419	   R5:   The format SHOULD allow bulk representation of PINs related to
2420	         specific keys

2422	   R6:   The format SHOULD be portable to various platforms.
2423	         Furthermore, it SHOULD be computationally efficient to process.

2425	   R7:   The format MUST provide appropriate level of security in terms
2426	         of data encryption and data integrity.

2428	   R8:   For online scenarios the format SHOULD NOT rely on transport
2429	         level security (e.g., SSL/TLS) for core security requirements.

2431	   R9:   The format SHOULD be extensible.  It SHOULD enable extension
2432	         points allowing vendors to specify additional attributes in the
2433	         future.

2435	   R10:  The format SHOULD allow for distribution of key derivation data
2436	         without the actual symmetric key itself.  This is to support
2437	         symmetric key management schemes that rely on key derivation
2438	         algorithms based on a pre-placed master key.  The key
2439	         derivation data typically consists of a reference to the key,
2440	         rather than the key value itself.

2442	   R11:  The format SHOULD allow for additional lifecycle management
2443	         operations such as counter resynchronization.  Such processes
2444	         require confidentiality between client and server, thus could
2445	         use a common secure container format, without the transfer of
2446	         key material.

2448	   R12:  The format MUST support the use of pre-shared symmetric keys to
2449	         ensure confidentiality of sensitive data elements.

2451	   R13:  The format MUST support a password-based encryption (PBE)
2452	         [PKCS5] scheme to ensure security of sensitive data elements.
2453	         This is a widely used method for various provisioning
2454	         scenarios.

2456	   R14:  The format SHOULD support asymmetric encryption algorithms such
2457	         as RSA to ensure end-to-end security of sensitive data
2458	         elements.  This is to support scenarios where a pre-set shared
2459	         key encryption key is difficult to use.

2461	Authors' Addresses

2463	   Philip Hoyer
2464	   ActivIdentity, Inc.
2465	   117 Waterloo Road
2466	   London, SE1  8UL
2467	   UK

2469	   Phone: +44 (0) 20 7960 0220
2470	   Email: phoyer@actividentity.com

2472	   Mingliang Pei
2473	   VeriSign, Inc.
2474	   487 E. Middlefield Road
2475	   Mountain View, CA  94043
2476	   USA

2478	   Phone: +1 650 426 5173
2479	   Email: mpei@verisign.com

2481	   Salah Machani
2482	   Diversinet, Inc.
2483	   2225 Sheppard Avenue East
2484	   Suite 1801
2485	   Toronto, Ontario  M2J 5C2
2486	   Canada

2488	   Phone: +1 416 756 2324 Ext. 321
2489	   Email: smachani@diversinet.com