idnits 2.17.1 draft-ietf-keyprov-symmetrickeyformat-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 326. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 337. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 344. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 350. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 25, 2008) is 5905 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 232 -- Obsolete informational reference (is this intentional?): RFC 3852 (Obsoleted by RFC 5652) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 KEYPROV Working Group Sean Turner, IECA 2 Internet Draft Russ Housley, Vigil Security 3 Intended Status: Standard Track February 25, 2008 4 Expires: August 25, 2008 6 Symmetric Key Package Content Type 7 draft-ietf-keyprov-symmetrickeyformat-02.txt 9 Status of this Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html 32 This Internet-Draft will expire on August 18, 2008. 34 Copyright Notice 36 Copyright (C) The IETF Trust (2008). 38 Abstract 40 This document defines the symmetric key format content type. It is 41 transport independent. The Cryptographic Message Syntax can be used 42 to digitally sign, digest, authenticate, or encrypt this content 43 type. 45 Table of Contents 47 1. Introduction...................................................2 48 1.1. Requirements Terminology..................................2 49 1.2. ASN.1 Syntax Notation.....................................2 50 2. Use Cases......................................................3 51 2.1. Offline Use Cases.........................................3 52 2.1.1. Credential migration by end-user.....................3 53 2.1.2. Bulk import of new credentials.......................3 54 2.1.3. Bulk migration of existing credentials...............3 55 2.1.4. Credential upload case...............................3 56 2.2. Online Use Cases..........................................3 57 2.2.1. Online provisioning a credential to end-user's 58 authentication token........................................3 59 2.2.2. Server to server provisioning of credentials.........3 60 2.2.3. Online update of an existing authentication token 61 credential..................................................3 62 3. Symmetric Key Package Content Type.............................4 63 4. Security Considerations........................................5 64 5. IANA Considerations............................................5 65 6. References.....................................................5 66 6.1. Normative References......................................5 67 6.2. Non-Normative References..................................5 68 APPENDIX A: ASN.1 Module..........................................6 70 1. Introduction 72 This document defines the symmetric key format content type. It is 73 transport independent. The Cryptographic Message Syntax [RFC3852] can 74 be used to digitally sign, digest, authenticate, or encrypt this 75 content type. 77 1.1. Requirements Terminology 79 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 80 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 81 document are to be interpreted as described in [RFC2119]. 83 1.2. ASN.1 Syntax Notation 85 The key package is defined using the ASN.1 [X.680,X.681]. 87 2. Use Cases 89 2.1. Offline Use Cases 91 2.1.1. Credential migration by end-user 93 2.1.2. Bulk import of new credentials 95 2.1.3. Bulk migration of existing credentials 97 2.1.4. Credential upload case 99 2.2. Online Use Cases 101 2.2.1. Online provisioning a credential to end-user's authentication 102 token 104 2.2.2. Server to server provisioning of credentials 106 2.2.3. Online update of an existing authentication token credential 107 3. Symmetric Key Package Content Type 109 The symmetric key package content type is used to transfer one or 110 more plaintext symmetric keys from one party to another. A symmetric 111 key package MAY be encapsulated in one or more CMS protecting content 112 types. This content type must be DER encoded [X.690]. 114 The symmetric key package content type has the following syntax: 116 PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER 118 symmetric-key-package PKCS7-CONTENT-TYPE ::= 119 { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage } 121 id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= | 122 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 123 smime(16) ct(1) 25 } 125 SymmetricKeyPackage ::= SEQUENCE { 126 version KeyPkgVersion DEFAULT v1, 127 sKeyPkgAtts [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, 128 sKeys SymmetricKeys } 130 SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey 132 OneSymmetricKey ::= SEQUENCE { 133 sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, 134 sKey OCTET STRING OPTIONAL 135 -- MUST contain sKeyAttrs, sKey, or sKeyAttrs and sKey 136 } 138 KeyPkgVersion ::= INTEGER { v1(1), ... } 140 The SymmetricKeyPackage fields are used as follows: 142 - version identifies version of the symmetric key package content 143 structure. For this version of the specification, the default 144 value, v1, MUST be used. 146 - sKeyPkgAttrs optionally provides attributes that apply to all of 147 the symmetric keys in the package. If an attribute appears here it 148 MUST NOT also be included in sKeyAttrs. 150 - sKeys contains a sequence of OneSymmetricKey values. This 151 structure is discussed below. 153 The OneSymmetricKey fields are used as follows: 155 - sKeyAttrs optionally provides attributes that apply to one 156 symmetric key. If an attribute appears here it MUST NOT also be 157 included in sKeyPkgAttrs. 159 - sKey optionally contains the key value encoded as an OCTET STRING. 161 The OneSymmetricKey field MUST include either sKeyAttrs, sKey, or 162 sKeyAttrs and sKey. 164 4. Security Considerations 166 The symmetric key package contents are not protected. This content 167 type can be combined with a security protocol to protect the contents 168 of the package. 170 5. IANA Considerations 172 None: All identifiers are already registered. Please remove this 173 section prior to publication as an RFC. 175 6. References 177 6.1. Normative References 179 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 180 Requirement Levels", BCP 14, RFC 2119, March 1997. 182 [X.680] ITU-T Recommendation X.680: Information Technology - Abstract 183 Syntax Notation One, 1997. 185 [X.681] ITU-T Recommendation X.680: Information Technology - Abstract 186 Syntax Notation One: Information Object Spcification, 1997. 188 [X.690] ITU-T Recommendation X.690 Information Technology - ASN.1 189 encoding rules: Specification of Basic Encoding Rules (BER), 190 Canonical Encoding Rules (CER) and Distinguished Encoding Rules 191 (DER), 1997. 193 6.2. Non-Normative References 195 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC3852, 196 July 2004. 198 APPENDIX A: ASN.1 Module 200 This appendix provides the normative ASN.1 definitions for the 201 structures described in this specification using ASN.1 as defined in 202 X.680 and X.681. 204 SymmetricKeyPackageModulev1 205 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 206 smime(16) modules(0) 33 } 208 DEFINITIONS IMPLICIT TAGS ::= 210 BEGIN 212 -- EXPORTS ALL 214 -- IMPORTS NOTHING 216 PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER 218 KeyPackageContentTypes PKCS7-CONTENT-TYPE ::= { 219 symmetric-key-package | 220 ... -- Expect additional content types -- 221 } 223 symmetric-key-package PKCS7-CONTENT-TYPE ::= 224 { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage } 226 id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= 227 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 228 smime(16) ct(1) 25 } 230 SymmetricKeyPackage ::= SEQUENCE { 231 version KeyPkgVersion DEFAULT v1, 232 sKeyPkgAttrs [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, 233 sKeys SymmetricKeys } 235 SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey 237 OneSymmetricKey ::= SEQUENCE { 238 sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, 239 sKey OCTET STRING } 241 KeyPkgVersion ::= INTEGER { v1(1), ... } 242 Attribute ::= SEQUENCE { 243 type ATTRIBUTE.&id ({SupportedAttributes}), 244 values SET SIZE (1..MAX) OF ATTRIBUTE.&Type 245 ({SupportedAttributes}{@type}) } 247 SupportedAttributes ATTRIBUTE ::= { ... } 249 ATTRIBUTE ::= CLASS { 250 &derivation ATTRIBUTE OPTIONAL, 251 &Type OPTIONAL, 252 -- either &Type or &derivation required 253 &equality-match MATCHING-RULE OPTIONAL, 254 &ordering-match MATCHING-RULE OPTIONAL, 255 &substrings-match MATCHING-RULE OPTIONAL, 256 &single-valued BOOLEAN DEFAULT FALSE, 257 &collective BOOLEAN DEFAULT FALSE, 258 -- operational extensions 259 &no-user-modification BOOLEAN DEFAULT FALSE, 260 &usage AttributeUsage DEFAULT userApplications, 261 &id OBJECT IDENTIFIER UNIQUE } 262 WITH SYNTAX { 263 [ SUBTYPE OF &derivation ] 264 [ WITH SYNTAX &Type ] 265 [ EQUALITY MATCHING RULE &equality-match ] 266 [ ORDERING MATCHING RULE &ordering-match ] 267 [ SUBSTRINGS MATCHING RULE &substrings-match ] 268 [ SINGLE VALUE &single-valued ] 269 [ COLLECTIVE &collective ] 270 [ NO USER MODIFICATION &no-user-modification ] 271 [ USAGE &usage ] 272 ID &id } 274 MATCHING-RULE ::= CLASS { 275 &AssertionType OPTIONAL, 276 &id OBJECT IDENTIFIER UNIQUE } 277 WITH SYNTAX { 278 [ SYNTAX &AssertionType ] 279 ID &id } 281 AttributeType ::= ATTRIBUTE.&id 283 AttributeValue ::= ATTRIBUTE.&Type 284 AttributeUsage ::= ENUMERATED { 285 userApplications (0), 286 directoryOperation (1), 287 distributedOperation (2), 288 dSAOperation (3) } 290 END 292 Author's Address 294 Sean Turner 296 IECA, Inc. 297 3057 Nutley Street, Suite 106 298 Fairfax, VA 22031 299 USA 301 Email: turners@ieca.com 303 Russ Housley 305 Vigil Security, LLC 306 918 Spring Knoll Drive 307 Herndon, VA 20170 308 USA 310 EMail: housley@vigilsec.com 312 Full Copyright Statement 314 Copyright (C) The IETF Trust (2008). 316 This document is subject to the rights, licenses and restrictions 317 contained in BCP 78, and except as set forth therein, the authors 318 retain all their rights. 320 This document and the information contained herein are provided on an 321 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 322 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 323 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 324 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 325 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 326 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 328 Intellectual Property 330 The IETF takes no position regarding the validity or scope of any 331 Intellectual Property Rights or other rights that might be claimed to 332 pertain to the implementation or use of the technology described in 333 this document or the extent to which any license under such rights 334 might or might not be available; nor does it represent that it has 335 made any independent effort to identify any such rights. Information 336 on the procedures with respect to rights in RFC documents can be 337 found in BCP 78 and BCP 79. 339 Copies of IPR disclosures made to the IETF Secretariat and any 340 assurances of licenses to be made available, or the result of an 341 attempt made to obtain a general license or permission for the use of 342 such proprietary rights by implementers or users of this 343 specification can be obtained from the IETF on-line IPR repository at 344 http://www.ietf.org/ipr. 346 The IETF invites any interested party to bring to its attention any 347 copyrights, patents or patent applications, or other proprietary 348 rights that may cover technology that may be required to implement 349 this standard. Please address the information to the IETF at 350 ietf-ipr@ietf.org. 352 Acknowledgment 354 Funding for the RFC Editor function is provided by the IETF 355 Administrative Support Activity (IASA).