PKIX WG                                               Sean Turner, IECA
Internet Draft                                   Daniel Brown, Certicom
Intended Status: Standards Track                   Kelvin Yiu, Microsoft
Updates: 3279 (once approved)               Russ Housley, Vigil Security
Expires: March 11, 2009                                  Tim Polk, NIST
                                                     September 11, 2008

        Elliptic Curve Cryptography Subject Public Key Information
                  draft-ietf-pkix-ecc-subpubkeyinfo-07.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on March 11, 2009.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This document specifies the syntax and semantics for the Subject
   Public Key Information field in certificates that support Elliptic
   Curve Cryptography.  This document updates Sections 2.3.5, 3, and 5
   of RFC 3279.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Subject Public Key Information Fields
      2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers
           2.1.1. Unrestricted Identifiers and Parameters
           2.1.2. Restricted Algorithm Identifiers and Parameters
      2.2. Subject Public Key
   3. Key Usage Bits
   4. Security Considerations
   5. ASN.1 Considerations
   6. IANA Considerations
   7. Acknowledgements
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. ASN.1 Modules
      A.1. 1988 ASN.1 Module
      A.2. 2004 ASN.1 Module

1. Introduction

   This document specifies the format of the subjectPublicKeyInfo field
   in X.509 certificates [PKI] that use Elliptic Curve Cryptography
   (ECC).  It updates [PKI-ALG].  This document specifies the encoding
   formats for public keys used with the following ECC algorithms:

   o  Elliptic Curve Digital Signature Algorithm (ECDSA);

   o  Elliptic Curve Diffie-Hellman (ECDH) family schemes; and,

   o  Elliptic Curve Menezes-Qu-Vanstone (ECMQV) family schemes.

   Two methods for specifying the algorithms that can be used with the
   subjectPublicKey are defined.  One method does not restrict the
   algorithms the key can be used with, while the other method does
   restrict the algorithms the key can be used with.  To promote
   interoperability, this document indicates which is required to
   implement.
   Two methods for specifying the algorithm's parameters are also
   defined.  One allows for the EC to be identified by an object
   identifier and one allows for the EC to be inherited from the
   issuer's certificate.  To promote interoperability, this document
   indicates which options are required to implement.

1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Subject Public Key Information Fields

   In the X.509 certificate, the subjectPublicKeyInfo field has the
   SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

      SubjectPublicKeyInfo ::= SEQUENCE {
         algorithm         AlgorithmIdentifier {{ PKIXAlgs-PublicKeys }},
         subjectPublicKey  BIT STRING
      }

   The fields in SubjectPublicKeyInfo have the following meanings:

   o  algorithm is the algorithm identifier and algorithm parameters
      for the ECC public key.  See Section 2.1.

   o  subjectPublicKey is the ECC public key.  See Section 2.2.
   The class PUBLIC-KEY, which is defined in [PKI-ASN], parameterizes
   the AlgorithmIdentifier type with sets of legal values:

      PUBLIC-KEY ::= CLASS {
         &id             OBJECT IDENTIFIER,
         &Params         OPTIONAL,
         &paramPresence  ParamOptions DEFAULT required,
         &KeyValue,
         &PrivateKey     OPTIONAL
      }
      WITH SYNTAX {
         IDENTIFIER &id
         KEY &KeyValue
         [PARAMS TYPE [&Params] ARE &paramPresence]
         [PRIVATE KEY &PrivateKey]
      }

      ParamOptions ::= ENUMERATED {
         required,         -- Parameters MUST be encoded in structure
         preferedPresent,  -- Parameters SHOULD be encoded in structure
         preferedAbsent,   -- Parameters SHOULD NOT be encoded in structure
         absent,           -- Parameters MUST NOT be encoded in structure
         notPresent,
         inheritable       -- Parameters are inherited if not present
      }

   The type AlgorithmIdentifier is parameterized to allow legal sets of
   values to be specified by constraining the type with an information
   object set.

   When defining a PUBLIC-KEY type:

   o  &id is the object identifier assigned to the public-key type.

   o  &Params, which is optional, is the parameters for the public-key
      type.

   o  &paramPresence is the parameter presence requirement.

   o  &KeyValue contains the type for the public key value.

   o  &PrivateKey is the associated private key format.

2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers

   The algorithm field in the SubjectPublicKeyInfo structure indicates
   the algorithms and any associated parameters for the ECC public key
   (see Section 2.2).  The algorithms are restricted to the
   PKIXAlgs-PublicKeys parameterized type, which uses the following
   ASN.1 structure:

      PKIXAlgs-PublicKeys PUBLIC-KEY ::= {
         pk-ec |
         pk-ecDH |
         pk-ecMQV,
         ...  -- Extensible
      }

   The algorithms defined are as follows:

   o  pk-ec indicates that the algorithms that can be used with the
      subject public key are not restricted (i.e., they are
      unrestricted).  The key is only restricted by the values
      indicated in the key usage certificate extension.  The pk-ec
      CHOICE MUST be supported.  See Section 2.1.1.  This value is
      also used when a key is used with ECDSA.

   o  pk-ecDH and pk-ecMQV MAY be supported.  See Section 2.1.2.

2.1.1. Unrestricted Identifiers and Parameters

   The "unrestricted" algorithm is defined as follows:

      pk-ec PUBLIC-KEY ::= {
         IDENTIFIER id-ecPublicKey
         KEY ECPoint
         PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecPublicKey OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   The public key syntax is described in Section 2.2.

   The parameters for id-ecPublicKey are as follows and they MUST always
   be present:

      ECParameters ::= CHOICE {
         namedCurve     CURVE.&id({NamedCurve}),
         implicitCurve  NULL
         -- specifiedCurve  SpecifiedCurve
         -- specifiedCurve MUST NOT be used in PKIX
         -- Details for specifiedCurve can be found in [X9.62]
         -- Any future additions to this CHOICE should be coordinated
         -- with ANSI X.9.
      }

   The fields in ECParameters have the following meanings:

   o  namedCurve allows all the required values for a particular set
      of elliptic curve domain parameters to be represented by an
      object identifier.  This choice MUST be supported.  See Section
      2.1.1.1.

   o  implicitCurve allows the elliptic curve parameters to be
      inherited.  This choice MAY be supported, but if subordinate
      certificates use the same namedCurve as their superior, then
      the subordinate certificate MUST use the namedCurve option.
      That is, implicitCurve is only supported if the superior
      doesn't use the namedCurve option.

   o  specifiedCurve, which is defined in [X9.62], allows all of the
      curve parameters to be explicitly specified.  This choice MUST
      NOT be used.  See the ASN.1 Considerations section.
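   The ECParameters rules above (parameters MUST be present, namedCurve
   MUST be supported, specifiedCurve MUST NOT be used) are easy to get
   wrong in a decoder.  What follows is an added example, not code from
   this draft or its authors: a standard-library Python parser that
   enforces those rules on a DER SubjectPublicKeyInfo and, going beyond
   this section, also decodes the ECPoint of Section 2.2 and performs
   the public key validation that Section 4 calls for, with curve
   arithmetic embedded for secp256r1 only.  The OIDs are the ones given
   in this document; the per-curve field element lengths, the
   build_ec_spki helper and the sample key (a constructed
   SubjectPublicKeyInfo around the secp256r1 base point) are the
   example's own assumptions.

```python
# Added example, not part of the draft: enforce this section's ECParameters
# rules on a DER SubjectPublicKeyInfo, then decode and validate the ECPoint.
# Curve arithmetic is embedded for secp256r1 only (standard library only).
EC_KEY_OIDS = {"1.2.840.10045.2.1": "pk-ec",       # id-ecPublicKey
               "1.3.132.1.12": "pk-ecDH",          # id-ecDH
               "1.3.132.1.13": "pk-ecMQV"}         # id-ecMQV
# NamedCurve OIDs of Section 2.1.1.1 -> (name, field element length in octets)
NAMED_CURVES = {
    "1.2.840.10045.3.1.1": ("secp192r1", 24), "1.3.132.0.1": ("sect163k1", 21),
    "1.3.132.0.15": ("sect163r2", 21), "1.3.132.0.33": ("secp224r1", 28),
    "1.3.132.0.26": ("sect233k1", 30), "1.3.132.0.27": ("sect233r1", 30),
    "1.2.840.10045.3.1.7": ("secp256r1", 32), "1.3.132.0.16": ("sect283k1", 36),
    "1.3.132.0.17": ("sect283r1", 36), "1.3.132.0.34": ("secp384r1", 48),
    "1.3.132.0.36": ("sect409k1", 52), "1.3.132.0.37": ("sect409r1", 52),
    "1.3.132.0.35": ("secp521r1", 66), "1.3.132.0.38": ("sect571k1", 72),
    "1.3.132.0.39": ("sect571r1", 72)}
# secp256r1 (P-256): y^2 = x^3 + a*x + b over GF(p), a = p - 3, cofactor 1
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            if not arcs:                       # first subidentifier packs two arcs
                arcs += [2, value - 80] if value >= 80 else list(divmod(value, 40))
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_ec_spki(der):
    """Return {'algorithm', 'curve', 'form', 'x', 'y'} or raise ValueError."""
    tag, spki, _ = der_read(der)
    atag, alg, pos = der_read(spki)
    if tag != 0x30 or atag != 0x30:
        raise ValueError("SubjectPublicKeyInfo and AlgorithmIdentifier are SEQUENCEs")
    otag, oid, apos = der_read(alg)
    if otag != 0x06 or decode_oid(oid) not in EC_KEY_OIDS:
        raise ValueError("not an ECC public key algorithm")
    if apos >= len(alg):                       # PARAMS ... ARE required
        raise ValueError("ECParameters MUST be present")
    ptag, params, _ = der_read(alg, apos)
    if ptag == 0x05:                           # implicitCurve NULL
        raise ValueError("implicitCurve: parameters are inherited from the issuer")
    if ptag != 0x06:                           # a SEQUENCE here is specifiedCurve
        raise ValueError("specifiedCurve MUST NOT be used in PKIX")
    if decode_oid(params) not in NAMED_CURVES:
        raise ValueError("namedCurve is not one of the fifteen listed curves")
    name, flen = NAMED_CURVES[decode_oid(params)]
    btag, bits, _ = der_read(spki, pos)
    if btag != 0x03 or not bits or bits[0] != 0:  # octets map bit-for-bit, no pad
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    point = bits[1:]                           # ECPoint octets (SEC1 2.3.3)
    if point[:1] == b"\x04" and len(point) == 1 + 2 * flen:
        form, x = "uncompressed", int.from_bytes(point[1:1 + flen], "big")
        y = int.from_bytes(point[1 + flen:], "big")
    elif point[:1] in (b"\x02", b"\x03") and len(point) == 1 + flen:
        form, x, y = "compressed", int.from_bytes(point[1:], "big"), None
    else:                                      # includes 0x00, the point at infinity
        raise ValueError("malformed ECPoint for " + name)
    if name == "secp256r1":                    # public key validation (Section 4)
        if x >= P256_P or (y is not None and y >= P256_P):
            raise ValueError("coordinate is not a field element")
        rhs = (pow(x, 3, P256_P) + (P256_P - 3) * x + P256_B) % P256_P
        if y is None:                          # decompress; p = 3 (mod 4) so sqrt is a power
            y = pow(rhs, (P256_P + 1) // 4, P256_P)
            if (y & 1) != (point[0] & 1):
                y = P256_P - y
        if (y * y) % P256_P != rhs:
            raise ValueError("point is not on secp256r1")
        # cofactor 1: every on-curve point is in the prime-order subgroup
    return {"algorithm": EC_KEY_OIDS[decode_oid(oid)], "curve": name,
            "form": form, "x": x, "y": y}

def build_ec_spki(point, params=bytes.fromhex("06082A8648CE3D030107")):
    """Constructed sample SPKI: id-ecPublicKey, namedCurve secp256r1 by default."""
    tlv = lambda tag, c: bytes([tag, len(c)]) + c   # short-form lengths suffice here
    alg = tlv(0x30, bytes.fromhex("06072A8648CE3D0201") + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + point))

# Constructed sample key: the secp256r1 base point G, known to lie on the curve
G_X = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
G_Y = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
SAMPLE_UNCOMPRESSED = build_ec_spki(b"\x04" + G_X.to_bytes(32, "big") + G_Y.to_bytes(32, "big"))
SAMPLE_COMPRESSED = build_ec_spki(b"\x03" + G_X.to_bytes(32, "big"))  # G_Y is odd
```

   A key whose ECParameters are implicitCurve is rejected here on
   purpose: its parameters come from the issuer's certificate, which a
   stand-alone SubjectPublicKeyInfo parser does not have.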
   The addition of any new choices in ECParameters ought to be
   coordinated with ANSI X9.

2.1.1.1. Named Curve

   The namedCurve field in ECParameters uses the class CURVE to
   constrain the set of legal values from NamedCurve, which are object
   identifiers:

      CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
         WITH SYNTAX { ID &id }

   The NamedCurve parameterized type is defined as follows:

      NamedCurve CURVE ::= {
         { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
         { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
         { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
         { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
         { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
         ...  -- Extensible
      }

   The curve identifiers are the fifteen NIST recommended curves
   [FIPS186-3]:

      -- Note in [X9.62] the curves are referred to as 'ansiX9' as
      -- opposed to 'sec'.  For example secp192r1 is the same curve as
      -- ansix9p192r1.

      -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
      -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

      -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
      -- P-224, secp384r1 as P-384, and secp521r1 as P-521.
      secp192r1 OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
         prime(1) 1 }

      sect163k1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 1 }

      sect163r2 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 15 }

      secp224r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 33 }

      sect233k1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 26 }

      sect233r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 27 }

      secp256r1 OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
         prime(1) 7 }

      sect283k1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 16 }

      sect283r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 17 }

      secp384r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 34 }

      sect409k1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 36 }

      sect409r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 37 }

      secp521r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 35 }

      sect571k1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 38 }

      sect571r1 OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) curve(0) 39 }

2.1.2. Restricted Algorithm Identifiers and Parameters

   Algorithms used with elliptic curve cryptography fall into different
   categories: signature and key agreement algorithms.  ECDSA uses the
   pk-ec described in Section 2.1.1.  Two sets of key agreement
   algorithms are identified herein: the Elliptic Curve Diffie-Hellman
   (ECDH) key agreement scheme and the Elliptic Curve Menezes-Qu-Vanstone
   (ECMQV) key agreement scheme.  All algorithms are identified by an
   object identifier and have parameters.  The object identifier varies
   based on the algorithm but the parameters are always ECParameters and
   they MUST always be present (see Section 2.1.1).

   The ECDH is defined as follows:

      pk-ecDH PUBLIC-KEY ::= {
         IDENTIFIER id-ecDH
         KEY ECPoint
         PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecDH OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) schemes(1)
         ecdh(12) }

   The ECMQV is defined as follows:

      pk-ecMQV PUBLIC-KEY ::= {
         IDENTIFIER id-ecMQV
         KEY ECPoint
         PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecMQV OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) certicom(132) schemes(1)
         ecmqv(13) }

2.2. Subject Public Key

   The subjectPublicKey from SubjectPublicKeyInfo is the ECC public key.
   ECC public keys have the following syntax:

      ECPoint ::= OCTET STRING

   Implementations of elliptic curve cryptography according to this
   document MUST support the uncompressed form and MAY support the
   compressed form of the ECC public key.  As specified in [SEC1]:

   o  The elliptic curve public key (a value of type ECPoint which is
      an OCTET STRING) is mapped to a subjectPublicKey (a value of
      type BIT STRING) as follows: the most significant bit of the
      OCTET STRING value becomes the most significant bit of the BIT
      STRING value, and so on; the least significant bit of the OCTET
      STRING becomes the least significant bit of the BIT STRING.
      Conversion routines are found in Sections 2.3.1 and 2.3.2 of
      [SEC1].
   o  The first octet of the OCTET STRING indicates whether the key
      is compressed or uncompressed.  The uncompressed form is
      indicated by 0x04 and the compressed form is indicated by
      either 0x02 or 0x03 (see 2.3.3 in [SEC1]).

3. Key Usage Bits

   If the keyUsage extension is present in a CA certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation;
      keyAgreement;
      keyCertSign; and
      cRLSign.

   If the CA certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly.  However, this
   specification RECOMMENDS that if keyCertSign or cRLSign is present,
   keyAgreement, encipherOnly, and decipherOnly SHOULD NOT be present.

   If the keyUsage extension is present in an EE certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation; and
      keyAgreement.

   If the EE certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly.

   If the keyUsage extension is present in a certificate that indicates
   ecDH or ecMQV in subjectPublicKeyInfo, keyAgreement MUST be present
   and digitalSignature, nonRepudiation, keyTransport, keyCertSign, and
   cRLSign MUST NOT be present.  If this certificate keyUsage extension
   asserts keyAgreement then it MAY assert either encipherOnly or
   decipherOnly.

4. Security Considerations

   The security considerations in [PKI-ALG] apply.

   When implementing ECC in X.509 Certificates, there are three
   algorithm related choices that need to be made:

   1) What is the public key size?

   2) What is the hash algorithm [SHS]?

   3) What is the curve?

   Consideration must be given to the strength of the security provided
   by each of these choices.  Security is measured in bits, where a
   strong symmetric cipher with a key of X bits is said to provide X
   bits of security.  It is recommended that the bits of security
   provided by each choice are roughly equivalent.  The following table
   provides comparable minimum bits of security [SP800-57] for the ECDSA
   key sizes and message digest algorithms.  It also lists curves (see
   Section 2.1.1.1) for the key sizes.

      Minimum  | ECDSA    | Message    | Curves
      Bits of  | Key Size | Digest     |
      Security |          | Algorithms |
      ---------+----------+------------+-----------
      80       | 160-223  | SHA1       | sect163k1
               |          | SHA224     | sect163r2
               |          | SHA256     | secp192r1
               |          | SHA384     |
               |          | SHA512     |
      ---------+----------+------------+-----------
      112      | 224-255  | SHA224     | secp224r1
               |          | SHA256     | sect233k1
               |          | SHA384     | sect233r1
               |          | SHA512     |
      ---------+----------+------------+-----------
      128      | 256-383  | SHA256     | secp256r1
               |          | SHA384     | sect283k1
               |          | SHA512     | sect283r1
      ---------+----------+------------+-----------
      192      | 384-511  | SHA384     | secp384r1
               |          | SHA512     | sect409k1
               |          |            | sect409r1
      ---------+----------+------------+-----------
      256      | 512+     | SHA512     | secp521r1
               |          |            | sect571k1
               |          |            | sect571r1
      ---------+----------+------------+-----------

   To promote interoperability, the following choices are RECOMMENDED:

      Minimum  | ECDSA    | Message    | Curves
      Bits of  | Key Size | Digest     |
      Security |          | Algorithms |
      ---------+----------+------------+-----------
      80       | 192      | SHA256     | secp192r1
      ---------+----------+------------+-----------
      112      | 224      | SHA256     | secp224r1
      ---------+----------+------------+-----------
      128      | 256      | SHA256     | secp256r1
      ---------+----------+------------+-----------
      192      | 384      | SHA384     | secp384r1
      ---------+----------+------------+-----------
      256      | 512      | SHA512     | secp521r1
      ---------+----------+------------+-----------

   Using a larger hash value and then truncating it consumes more
   processing power than is necessary.  This is more important on
   constrained devices.  Since the signer does not know the environment
   that the recipient will use to validate the signature, it is better
   to use a hash function that provides the desired hash value output
   size, and no more.

   There are security risks with using keys not associated with well
   known and widely reviewed curves.  For example, the curve may not
   satisfy the MOV condition or the curve may be vulnerable to the
   Anomalous attack [X9.62].  Additionally, either a) all of the
   arithmetic properties of a candidate ECC public key must be validated
   to ensure that it has the unique correct representation in the
   correct (additive) subgroup (and therefore is also in the correct EC
   group) specified by the associated ECC domain parameters or b) some
   of the arithmetic properties of a candidate ECC public key must be
   validated to ensure that it is in the correct group (but not
   necessarily the correct subgroup) specified by the associated ECC
   domain parameters [SP800-56A].

5. ASN.1 Considerations

   [X9.62] defines additional options for ECParameters and
   ECDSA-Sig-Value.  If an implementation needs to use these options,
   then use the [X9.62] ASN.1 module.  This RFC contains a conformant
   subset of the ASN.1 module defined in [X9.62].

   If an implementation generates a PER [X.691] encoding using the
   ASN.1 module found in this specification it might not achieve the
   same encoded output as one that uses the [X9.62] module.  PER is not
   required by either the PKIX or S/MIME environments.  If an
   implementation environment requires PER, then implementation concerns
   are less likely with the use of the [X9.62] module.

6. IANA Considerations

   This document makes extensive use of object identifiers to register
   public key types, elliptic curves, field types, and algorithms.  Most
   are registered in the ANSI X9.62 arc with the exception of the hash
   algorithms, which are in NIST's arc, and many of the curves, which
   are in the Certicom Inc. arc (these curves have been adopted by ANSI
   and NIST).  Additionally, object identifiers are used to identify the
   ASN.1 modules found in Appendix A.  These are defined in an arc
   delegated by IANA to the PKIX Working Group.  No further action by
   IANA is necessary for this document or any anticipated updates.

7. Acknowledgements

   The authors wish to thank Alfred Hoenes, Johannes Merkle, and Jim
   Schaad for their valued input.

8. References

8.1. Normative References

   [FIPS186-3] National Institute of Standards and Technology (NIST),
               FIPS Publication 186-3: Digital Signature Standard,
               (draft) March 2006.

   [PKI]       Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
               Housley, R., and W. Polk, "Internet X.509 Public Key
               Infrastructure Certificate and Certificate Revocation
               List (CRL) Profile", RFC 5280, May 2008.

   [PKI-ASN]   Hoffman, P., and J. Schaad, "New ASN.1 Modules for PKIX",
               draft-ietf-pkix-new-asn1, work-in-progress.

   [PKI-ADALG] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T.
               Polk, "Internet X.509 Public Key Infrastructure:
               Additional Algorithms and Identifiers for DSA and ECDSA",
               draft-ietf-pkix-sha2-dsa-ecdsa, work-in-progress.

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RSAOAEP]   Schaad, J., Kaliski, B., and R. Housley, "Additional
               Algorithms and Identifiers for RSA Cryptography for use
               in the Internet X.509 Public Key Infrastructure
               Certificate and Certificate Revocation List (CRL)
               Profile", RFC 4055, June 2005.
   [SEC1]      Standards for Efficient Cryptography, "SEC 1: Elliptic
               Curve Cryptography", Version 1.0, September 2000.

   [SHS]       National Institute of Standards and Technology (NIST),
               FIPS Publication 180-3: Secure Hash Standard, (draft)
               June 2007.

   [X9.62]     American National Standards Institute (ANSI), ANS
               X9.62-2005: The Elliptic Curve Digital Signature
               Algorithm (ECDSA), 2005.

   [X.208]     ITU-T Recommendation X.208 (1988) | ISO/IEC 8824-1:1988.
               Specification of Abstract Syntax Notation One (ASN.1).

   [X.680]     ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
               Information Technology - Abstract Syntax Notation One.

   [X.681]     ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
               Information Technology - Abstract Syntax Notation One:
               Information Object Specification.

   [X.682]     ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
               Information Technology - Abstract Syntax Notation One:
               Constraint Specification.

   [X.683]     ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002.
               Information Technology - Abstract Syntax Notation One:
               Parameterization of ASN.1 Specifications.

8.2. Informative References

   [PKI-ALG]   Polk, W., Housley, R., and L. Bassham, "Algorithm
               Identifiers for the Internet X.509 Public Key
               Infrastructure", RFC 3279, April 2002.

   [SP800-56A] National Institute of Standards and Technology (NIST),
               Special Publication 800-56A: Recommendation for Pair-Wise
               Key Establishment Schemes Using Discrete Logarithm
               Cryptography (Revised), March 2007.

   [SP800-57]  National Institute of Standards and Technology (NIST),
               Special Publication 800-57: Recommendation for Key
               Management, August 2005.

   [X.691]     ITU-T Recommendation X.691 (2002) | ISO/IEC 8825-2:2002.
               Information Technology - ASN.1 Encoding Rules:
               Specification of Packed Encoding Rules.

Appendix A. ASN.1 Modules

   Appendix A.1 provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.208].

   Appendix A.2 provides informative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680], [X.681], [X.682], and [X.683].  This appendix contains the
   same information as Appendix A.1 in a more recent (and precise) ASN.1
   notation; however, Appendix A.1 takes precedence in case of conflict.

   These modules include more than the ASN.1 updates described in the
   text of this document.  They also include additional ASN.1 from
   [PKI-ALG] because this document updates the entire ASN.1 module.
   Additionally, they include ASN.1 for DSA with SHA-224 and SHA-256
   [PKI-ADALG].

A.1. 1988 ASN.1 Module

   PKIXAlgs-1988 { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   -- From [RSAOAEP]

   id-sha224, id-sha256, id-sha384, id-sha512
      FROM PKIX1-PSS-OAEP-Algorithms
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) id-mod(0)
           id-mod-pkix1-rsa-pkalgs(33) }

   ;
   --
   -- Public Key (pk) Algorithms
   --

   -- RSA PK Algorithm, Parameters, and Keys

   rsaEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
      modulus         INTEGER,  -- n
      publicExponent  INTEGER   -- e
   }

   -- DSA PK Algorithm and Parameters

   id-dsa OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSAPublicKey ::= INTEGER  -- public key, y

   DSS-Parms ::= SEQUENCE {
      p  INTEGER,
      q  INTEGER,
      g  INTEGER
   }

   -- Diffie-Hellman PK Algorithm, Keys, and Parameters

   dhpublicnumber OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DHPublicKey ::= INTEGER  -- public key, y = g^x mod p

   DomainParameters ::= SEQUENCE {
      p                INTEGER,           -- odd prime, p=jq +1
      g                INTEGER,           -- generator, g
      q                INTEGER,           -- factor of p-1
      j                INTEGER OPTIONAL,  -- subgroup factor, j>= 2
      validationParms  ValidationParms OPTIONAL
   }

   ValidationParms ::= SEQUENCE {
      seed         BIT STRING,
      pgenCounter  INTEGER
   }

   -- KEA PK Algorithm and Parameters

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
      2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithm IDs, Parameters, and Keys
   -- (ECDSA keys use id-ecPublicKey)

   id-ecPublicKey OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   id-ecDH OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecdh(12) }

   -- ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   id-ecMQV OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecmqv(13) }

   -- ECPoint ::= OCTET STRING

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
      namedCurve     OBJECT IDENTIFIER,
      implicitCurve  NULL
      -- specifiedCurve  SpecifiedCurve
      -- specifiedCurve MUST NOT be used in PKIX
      -- Details for specifiedCurve can be found in [X9.62]
      -- Any future additions to this CHOICE should be coordinated
      -- with ANSI X.9.
   }

   -- Sec 2.1.1.1 Named Curves

   -- Note in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.
   -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
   -- P-224, secp384r1 as P-384, and secp521r1 as P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   --
   -- Signature Algorithms (sa)
   --

   -- RSA with MD-2
   -- Parameters are NULL

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5
   -- Parameters are NULL

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1
   -- Parameters are NULL

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1
   -- Parameters are ABSENT

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224
   -- Parameters are ABSENT

   dsa-with-sha224 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256
   -- Parameters are ABSENT

   dsa-with-sha256 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1
   -- Parameters are ABSENT

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   -- ECDSA with SHA-224
   -- Parameters are ABSENT

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256
   -- Parameters are ABSENT

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384
   -- Parameters are ABSENT

   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 3 }

   -- ECDSA with SHA-512
   -- Parameters are ABSENT

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
      r  INTEGER,
      s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
      r  INTEGER,
      s  INTEGER
   }

   --
   -- One-way (ow) Hash Algorithms
   --

   -- MD-2
   -- Parameters are NULL

   id-md2 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5
   -- Parameters are NULL

   id-md5 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1
   -- Parameters are preferred ABSENT

   id-sha1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) oiw(14) secsig(3)
      algorithm(2) 26 }

   -- SHA-224
   -- Parameters are preferred ABSENT

   -- id-sha224

   -- SHA-256
   -- Parameters are preferred ABSENT

   -- id-sha256

   -- SHA-384
   -- Parameters are preferred ABSENT

   -- id-sha384

   -- SHA-512
   -- Parameters are preferred ABSENT

   -- id-sha512

   END

A.2.  2004 ASN.1 Module

   PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   -- FROM [PKI-ASN]

   PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
   FROM AlgorithmInformation
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-algorithmInformation(TBD) }

   -- FROM [PKI-ASN]

   mda-sha224, mda-sha256, mda-sha384, mda-sha512
   FROM PKIX1-PSS-OAEP-Algorithms
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   ;

   --
   -- Public Key (pk-) Algorithms
   --

   PKIXAlgs-PublicKeys PUBLIC-KEY ::= {
      pk-rsa |
      pk-dsa |
      pk-dh |
      pk-kea |
      pk-ec |
      pk-ecDH |
      pk-ecMQV,
      ... -- Extensible
   }

   -- RSA PK Algorithm, Parameters, and Keys

   pk-rsa PUBLIC-KEY ::= {
      IDENTIFIER rsaEncryption
      KEY RSAPublicKey
      PARAMS TYPE NULL ARE absent
      -- Private key format not in this document --
   }

   rsaEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
      modulus         INTEGER, -- n
      publicExponent  INTEGER  -- e
   }

   -- DSA PK Algorithm, Parameters, and Keys

   pk-dsa PUBLIC-KEY ::= {
      IDENTIFIER id-dsa
      KEY DSAPublicKey
      PARAMS TYPE DSS-Parms ARE inheritable
      -- Private key format not in this document --
   }

   id-dsa OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSS-Parms ::= SEQUENCE {
      p  INTEGER,
      q  INTEGER,
      g  INTEGER
   }

   DSAPublicKey ::= INTEGER -- public key, y

   -- Diffie-Hellman PK Algorithm, Parameters, and Keys

   pk-dh PUBLIC-KEY ::= {
      IDENTIFIER dhpublicnumber
      KEY DHPublicKey
      PARAMS TYPE DomainParameters ARE inheritable
      -- Private key format not in this document --
   }

   dhpublicnumber OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DomainParameters ::= SEQUENCE {
      p               INTEGER,          -- odd prime, p=jq +1
      g               INTEGER,          -- generator, g
      q               INTEGER,          -- factor of p-1
      j               INTEGER OPTIONAL, -- subgroup factor, j>= 2
      validationParms ValidationParms OPTIONAL
   }

   ValidationParms ::= SEQUENCE {
      seed         BIT STRING,
      pgenCounter  INTEGER
   }

   DHPublicKey ::= INTEGER -- public key, y = g^x mod p

   -- KEA PK Algorithm and Parameters

   pk-kea PUBLIC-KEY ::= {
      IDENTIFIER id-keyExchangeAlgorithm
      -- key is not encoded --
      PARAMS TYPE KEA-Parms-Id ARE required
      -- Private key format not in this document --
   }

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
      2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithm IDs, Parameters, and Keys
   -- (ECDSA uses pk-ec)

   pk-ec PUBLIC-KEY ::= {
      IDENTIFIER id-ecPublicKey
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecPublicKey OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   pk-ecDH PUBLIC-KEY ::= {
      IDENTIFIER id-ecDH
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecDH OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecdh(12) }

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   pk-ecMQV PUBLIC-KEY ::= {
      IDENTIFIER id-ecMQV
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecMQV OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecmqv(13) }

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
      namedCurve      CURVE.&id({NamedCurve}),
      implicitCurve   NULL
      -- specifiedCurve  SpecifiedCurve
      -- specifiedCurve MUST NOT be used in PKIX
      -- Details for specifiedCurve can be found in [X9.62]
      -- Any future additions to this CHOICE should be coordinated
      -- with ANSI X.9.
   }

   -- Sec 2.1.1.1 Named Curve

   CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
      WITH SYNTAX { ID &id }

   NamedCurve CURVE ::= {
      { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
      { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
      { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
      { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
      { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
      ... -- Extensible
   }

   -- Note in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

   -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
   -- P-224, secp384r1 as P-384, and secp521r1 as P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   --
   -- Signature Algorithms (sa-)
   --

   PKIXAlgs-Signature SIGNATURE-ALGORITHM ::= {
      sa-rsaWithMD2 |
      sa-rsaWithMD5 |
      sa-rsaWithSHA1 |
      sa-dsaWithSHA1 |
      sa-dsaWithSHA224 |
      sa-dsaWithSHA256 |
      sa-ecdsaWithSHA1 |
      sa-ecdsaWithSHA224 |
      sa-ecdsaWithSHA256 |
      sa-ecdsaWithSHA384 |
      sa-ecdsaWithSHA512,
      ... -- Extensible
   }

   -- RSA with MD-2

   sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER md2WithRSAEncryption
      PARAMS TYPE NULL ARE present
      USES { mda-md2 }
      PUBKEYS { pk-rsa }
   }

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5

   sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER md5WithRSAEncryption
      PARAMS TYPE NULL ARE present
      USES { mda-md5 }
      PUBKEYS { pk-rsa }
   }

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1

   sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER sha1WithRSAEncryption
      PARAMS TYPE NULL ARE present
      USES { mda-sha1 }
      PUBKEYS { pk-rsa }
   }

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1

   sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha1
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha1 }
      PUBKEYS { pk-dsa }
   }

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224

   sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha224
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha224 }
      PUBKEYS { pk-dsa }
   }

   dsa-with-sha224 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256

   sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha256
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha256 }
      PUBKEYS { pk-dsa }
   }

   dsa-with-sha256 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1

   sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA1
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha1 }
      PUBKEYS { pk-ec }
   }

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   -- ECDSA with SHA-224

   sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA224
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha224 }
      PUBKEYS { pk-ec }
   }

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256

   sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA256
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha256 }
      PUBKEYS { pk-ec }
   }

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384

   sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA384
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha384 }
      PUBKEYS { pk-ec }
   }

   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 3 }

   -- ECDSA with SHA-512

   sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA512
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      USES { mda-sha512 }
      PUBKEYS { pk-ec }
   }

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
      r  INTEGER,
      s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
      r  INTEGER,
      s  INTEGER
   }

   --
   -- Message Digest Algorithms (mda-)
   --

   HashAlgorithms DIGEST-ALGORITHM ::= {
      mda-md2 |
      mda-md5 |
      mda-sha1 |
      mda-sha224 |
      mda-sha256 |
      mda-sha384 |
      mda-sha512,
      ... -- Extensible
   }

   -- MD-2

   mda-md2 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-md2
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-md2 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5

   mda-md5 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-md5
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-md5 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1

   mda-sha1 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-sha1
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-sha1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) oiw(14) secsig(3)
      algorithm(2) 26 }

   -- SHA-224
   -- Parameters are preferred ABSENT

   -- mda-sha224

   -- SHA-256
   -- Parameters are preferred ABSENT

   -- mda-sha256

   -- SHA-384
   -- Parameters are preferred ABSENT

   -- mda-sha384

   -- SHA-512
   -- Parameters are preferred ABSENT

   -- mda-sha512

   END

Authors' Addresses

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com

   Kelvin Yiu
   Microsoft
   One Microsoft Way
   Redmond, WA 98052-6399
   USA

   EMail: kelviny@microsoft.com

   Daniel R. L. Brown
   Certicom Corp
   5520 Explorer Drive #400
   Mississauga, ON L4W 5L1
   CANADA

   EMail: dbrown@certicom.com

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com

   Tim Polk
   NIST
   Building 820, Room 426
   Gaithersburg, MD 20899
   USA

   EMail: wpolk@nist.gov

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).