PKIX WG                                                Sean Turner, IECA
Internet Draft                                     Daniel Brown, Certicom
Intended Status: Standards Track                   Kelvin Yiu, Microsoft
Updates: 3279 (once approved)                Russ Housley, Vigil Security
Expires: March 18, 2009                                   Tim Polk, NIST
                                                      September 18, 2008

        Elliptic Curve Cryptography Subject Public Key Information
                  draft-ietf-pkix-ecc-subpubkeyinfo-08.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on March 18, 2009.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This document specifies the syntax and semantics for the Subject
   Public Key Information field in certificates that support Elliptic
   Curve Cryptography. This document updates Sections 2.3.5, 3, and 5
   of RFC 3279.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Subject Public Key Information Fields
      2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers
           2.1.1. Unrestricted Identifiers and Parameters
           2.1.2. Restricted Algorithm Identifiers and Parameters
      2.2. Subject Public Key
   3. Key Usage Bits
   4. Security Considerations
   5. ASN.1 Considerations
   6. IANA Considerations
   7. Acknowledgements
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. ASN.1 Modules
      A.1. 1988 ASN.1 Module
      A.2. 2004 ASN.1 Module

1. Introduction

   This document specifies the format of the subjectPublicKeyInfo field
   in X.509 certificates [PKI] that use Elliptic Curve Cryptography
   (ECC). It updates [PKI-ALG]. This document specifies the encoding
   formats for public keys used with the following ECC algorithms:

   o  Elliptic Curve Digital Signature Algorithm (ECDSA);

   o  Elliptic Curve Diffie-Hellman (ECDH) family schemes; and,

   o  Elliptic Curve Menezes-Qu-Vanstone (ECMQV) family schemes.

   Two methods for specifying the algorithms that can be used with the
   subjectPublicKey are defined. One method does not restrict the
   algorithms the key can be used with; the other does. To promote
   interoperability, this document indicates which is required to
   implement.
   Two methods for specifying the algorithm's parameters are also
   defined. One allows the elliptic curve to be identified by an object
   identifier and one allows the elliptic curve to be inherited from the
   issuer's certificate. To promote interoperability, this document
   indicates which options are required to implement.

1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Subject Public Key Information Fields

   In the X.509 certificate, the subjectPublicKeyInfo field has the
   SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

      SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         AlgorithmIdentifier {{ PKIXAlgs-PublicKeys }},
        subjectPublicKey  BIT STRING
      }

   The fields in SubjectPublicKeyInfo have the following meanings:

   o  algorithm is the algorithm identifier and algorithm parameters
      for the ECC public key. See Section 2.1.

   o  subjectPublicKey is the ECC public key. See Section 2.2.
   The PUBLIC-KEY class, defined in [PKI-ASN], parameterizes the
   AlgorithmIdentifier type with sets of legal values:

      PUBLIC-KEY ::= CLASS {
        &id             OBJECT IDENTIFIER,
        &Params         OPTIONAL,
        &paramPresence  ParamOptions DEFAULT required,
        &KeyValue,
        &PrivateKey     OPTIONAL
      }
      WITH SYNTAX {
        IDENTIFIER &id
        KEY &KeyValue
        [PARAMS TYPE [&Params] ARE &paramPresence]
        [PRIVATE KEY &PrivateKey]
      }

      ParamOptions ::= ENUMERATED {
        required,         -- Parameters MUST be encoded in structure
        preferredPresent, -- Parameters SHOULD be encoded in structure
        preferredAbsent,  -- Parameters SHOULD NOT be encoded in structure
        absent,           -- Parameters MUST NOT be encoded in structure
        notPresent,
        inheritable       -- Parameters are inherited if not present
      }

   The type AlgorithmIdentifier is parameterized to allow legal sets of
   values to be specified by constraining the type with an information
   object set.

   When defining a PUBLIC-KEY type:

   o  &id is the object identifier assigned to the public-key type.

   o  &Params, which is optional, is the parameters for the public-key
      type.

   o  &paramPresence is the parameter presence requirement.

   o  &KeyValue contains the type for the public key value.

   o  &PrivateKey is the associated private key format.

2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers

   The algorithm field in the SubjectPublicKeyInfo structure indicates
   the algorithms and any associated parameters for the ECC public key
   (see Section 2.2). The algorithms are restricted to the
   PKIXAlgs-PublicKeys parameterized type, which uses the following
   ASN.1 structure:

      PKIXAlgs-PublicKeys PUBLIC-KEY ::= {
        pk-ec   |
        pk-ecDH |
        pk-ecMQV,
        ... -- Extensible
      }

   The algorithms defined are as follows:

   o  pk-ec indicates that the algorithms that can be used with the
      subject public key are not restricted (i.e., they are
      unrestricted). The key is only restricted by the values indicated
      in the key usage certificate extension. The pk-ec CHOICE MUST be
      supported. See Section 2.1.1. This value is also used when a key
      is used with ECDSA.

   o  pk-ecDH and pk-ecMQV MAY be supported. See Section 2.1.2.

2.1.1. Unrestricted Identifiers and Parameters

   The "unrestricted" algorithm is defined as follows:

      pk-ec PUBLIC-KEY ::= {
        IDENTIFIER id-ecPublicKey
        KEY ECPoint
        PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecPublicKey OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   The public key syntax is described in Section 2.2.

   The parameters for id-ecPublicKey are as follows and they MUST always
   be present:

      ECParameters ::= CHOICE {
        namedCurve     CURVE.&id({NamedCurve}),
        implicitCurve  NULL
        -- specifiedCurve SpecifiedCurve
        -- specifiedCurve MUST NOT be used in PKIX
        -- Details for specifiedCurve can be found in [X9.62]
        -- Any future additions to this CHOICE should be coordinated
        -- with ANSI X9.
      }

   The fields in ECParameters have the following meanings:

   o  namedCurve allows all the required values for a particular set of
      elliptic curve domain parameters to be represented by an object
      identifier. This choice MUST be supported. See Section 2.1.1.1.

   o  implicitCurve allows the elliptic curve parameters to be
      inherited. This choice MAY be supported, but if subordinate
      certificates use the same namedCurve as their superior, then the
      subordinate certificate MUST use the namedCurve option. That is,
      implicitCurve is only supported if the superior doesn't use the
      namedCurve option.

   o  specifiedCurve, which is defined in [X9.62], allows all of the
      curve parameters to be explicitly specified. This choice MUST NOT
      be used. See the ASN.1 Considerations section.
   The addition of any new choices in ECParameters ought to be
   coordinated with ANSI X9.

2.1.1.1. Named Curve

   The namedCurve field in ECParameters uses the class CURVE to
   constrain the set of legal values from NamedCurve, which are object
   identifiers:

      CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
        WITH SYNTAX { ID &id }

   The NamedCurve parameterized type is defined as follows:

      NamedCurve CURVE ::= {
        { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
        { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
        { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
        { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
        { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
        ... -- Extensible
      }

   The curve identifiers are the fifteen NIST recommended curves
   [FIPS186-3]:

      -- Note in [X9.62] the curves are referred to as 'ansiX9' as
      -- opposed to 'sec'. For example secp192r1 is the same curve as
      -- ansix9p192r1.

      -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
      -- prime192v1 and the secp256r1 curve was referred to as
      -- prime256v1.

      -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1
      -- as P-224, secp256r1 as P-256, secp384r1 as P-384, and
      -- secp521r1 as P-521.

      secp192r1 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
        prime(1) 1 }

      sect163k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 1 }

      sect163r2 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 15 }

      secp224r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 33 }

      sect233k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 26 }

      sect233r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 27 }

      secp256r1 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
        prime(1) 7 }

      sect283k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 16 }

      sect283r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 17 }

      secp384r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 34 }

      sect409k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 36 }

      sect409r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 37 }

      secp521r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 35 }

      sect571k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 38 }

      sect571r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 39 }

2.1.2. Restricted Algorithm Identifiers and Parameters

   Algorithms used with elliptic curve cryptography fall into different
   categories: signature and key agreement algorithms. ECDSA uses the
   pk-ec described in Section 2.1.1.
   Two sets of key agreement algorithms are identified herein: the
   Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme and the
   Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme. All
   algorithms are identified by an object identifier and have
   parameters. The object identifier varies based on the algorithm but
   the parameters are always ECParameters and they MUST always be
   present (see Section 2.1.1).

   pk-ecDH is defined as follows:

      pk-ecDH PUBLIC-KEY ::= {
        IDENTIFIER id-ecDH
        KEY ECPoint
        PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecDH OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) schemes(1)
        ecdh(12) }

   pk-ecMQV is defined as follows:

      pk-ecMQV PUBLIC-KEY ::= {
        IDENTIFIER id-ecMQV
        KEY ECPoint
        PARAMS TYPE ECParameters ARE required
      }

   The algorithm identifier is:

      id-ecMQV OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) schemes(1)
        ecmqv(13) }

2.2. Subject Public Key

   The subjectPublicKey from SubjectPublicKeyInfo is the ECC public key.
   ECC public keys have the following syntax:

      ECPoint ::= OCTET STRING

   Implementations of elliptic curve cryptography according to this
   document MUST support the uncompressed form and MAY support the
   compressed form of the ECC public key. As specified in [SEC1]:

   o  The elliptic curve public key (a value of type ECPoint which is an
      OCTET STRING) is mapped to a subjectPublicKey (a value of type BIT
      STRING) as follows: the most significant bit of the OCTET STRING
      value becomes the most significant bit of the BIT STRING value,
      and so on; the least significant bit of the OCTET STRING becomes
      the least significant bit of the BIT STRING. Conversion routines
      are found in Sections 2.3.1 and 2.3.2 of [SEC1].
   o  The first octet of the OCTET STRING indicates whether the key is
      compressed or uncompressed. The uncompressed form is indicated by
      0x04 and the compressed form is indicated by either 0x02 or 0x03
      (see Section 2.3.3 in [SEC1]).

3. Key Usage Bits

   If the keyUsage extension is present in a CA certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation;
      keyAgreement;
      keyCertSign; and
      cRLSign.

   If the CA certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly. However, this
   specification RECOMMENDS that if keyCertSign or cRLSign is present,
   keyAgreement, encipherOnly, and decipherOnly SHOULD NOT be present.

   If the keyUsage extension is present in an EE certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation; and
      keyAgreement.

   If the EE certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly.

   If the keyUsage extension is present in a certificate that indicates
   id-ecDH or id-ecMQV in subjectPublicKeyInfo, keyAgreement MUST be
   present and digitalSignature, nonRepudiation, keyEncipherment,
   keyCertSign, and cRLSign MUST NOT be present. If this certificate's
   keyUsage extension asserts keyAgreement then it MAY assert either
   encipherOnly or decipherOnly.

4. Security Considerations

   The security considerations in [PKI-ALG] apply.

   When implementing ECC in X.509 Certificates, there are three
   algorithm related choices that need to be made:

   1) What is the public key size?

   2) What is the hash algorithm [FIPS180-3]?

   3) What is the curve?

   Consideration must be given to the strength of the security provided
   by each of these choices.
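   The encoding rules of Sections 2.1 and 2.2 (algorithm OID, the
   namedCurve/implicitCurve choice, the ECPoint form octet and its
   length) together with the keyUsage rules of Section 3, worked as an
   added example. This code is not part of the draft and is not from
   any of its authors or from [PKI-ASN]; the function and type names
   (parse_ec_spki, key_usage_problems, build_ec_spki,
   ECSubjectPublicKeyInfo) are the example's own. The OIDs and the
   field sizes are those of Section 2.1.1.1; the sample
   SubjectPublicKeyInfo values are constructed inside the block from
   the secp256r1 base point and a minimal DER encoder.

```python
"""Added example (not part of the draft): parse a DER SubjectPublicKeyInfo carrying an EC key
under the ECParameters/ECPoint rules of Sections 2.1-2.2, then check keyUsage per Section 3."""
from collections import namedtuple
ID_EC_PUBLIC_KEY, ID_EC_DH, ID_EC_MQV = "1.2.840.10045.2.1", "1.3.132.1.12", "1.3.132.1.13"
ALG_NAMES = {ID_EC_PUBLIC_KEY: "ecPublicKey", ID_EC_DH: "ecDH", ID_EC_MQV: "ecMQV"}
# namedCurve OIDs from Section 2.1.1.1 -> (curve name, field element length in octets)
NAMED_CURVES = {
    "1.2.840.10045.3.1.1": ("secp192r1", 24), "1.3.132.0.1": ("sect163k1", 21), "1.3.132.0.15": ("sect163r2", 21),
    "1.3.132.0.33": ("secp224r1", 28), "1.3.132.0.26": ("sect233k1", 30), "1.3.132.0.27": ("sect233r1", 30),
    "1.2.840.10045.3.1.7": ("secp256r1", 32), "1.3.132.0.16": ("sect283k1", 36), "1.3.132.0.17": ("sect283r1", 36),
    "1.3.132.0.34": ("secp384r1", 48), "1.3.132.0.36": ("sect409k1", 52), "1.3.132.0.37": ("sect409r1", 52),
    "1.3.132.0.35": ("secp521r1", 66), "1.3.132.0.38": ("sect571k1", 72), "1.3.132.0.39": ("sect571r1", 72),
}
CURVE_LEN = {name: n for name, n in NAMED_CURVES.values()}
# algorithm: ecPublicKey|ecDH|ecMQV, params: namedCurve|implicitCurve, form: uncompressed|compressed
ECSubjectPublicKeyInfo = namedtuple("ECSubjectPublicKeyInfo", "algorithm params curve form point")

def _tlv(buf, pos=0):                               # one DER TLV -> (tag, contents, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (secp521r1 points need it)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf): raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + ln], pos + ln

def _oid_decode(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:                                 # base-128 arcs, high bit = continuation
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def parse_ec_spki(der: bytes, issuer_curve=None) -> ECSubjectPublicKeyInfo:
    tag, spki, end = _tlv(der)
    if tag != 0x30 or end != len(der): raise ValueError("SubjectPublicKeyInfo must be one SEQUENCE")
    tag, algid, pos = _tlv(spki)
    tag2, oid, ppos = _tlv(algid)
    if tag != 0x30 or tag2 != 0x06 or _oid_decode(oid) not in ALG_NAMES:
        raise ValueError("not an EC public key AlgorithmIdentifier")
    if ppos >= len(algid): raise ValueError("ECParameters MUST be present")   # Sections 2.1.1/2.1.2
    ptag, pval, _ = _tlv(algid, ppos)
    if ptag == 0x06 and _oid_decode(pval) in NAMED_CURVES:           # namedCurve
        params, curve = "namedCurve", NAMED_CURVES[_oid_decode(pval)][0]
    elif ptag == 0x05 and pval == b"":                               # implicitCurve NULL
        if issuer_curve not in CURVE_LEN: raise ValueError("implicitCurve but no issuer curve")
        params, curve = "implicitCurve", issuer_curve
    else:                                                            # specifiedCurve or unknown OID
        raise ValueError("ECParameters must be a known namedCurve or implicitCurve")
    tag, bits, end = _tlv(spki, pos)
    if tag != 0x03 or end != len(spki) or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    point, n = bits[1:], CURVE_LEN[curve]
    if point[:1] == b"\x04" and len(point) == 1 + 2 * n:             # SEC 1: 0x04 || X || Y
        form = "uncompressed"
    elif point[:1] in (b"\x02", b"\x03") and len(point) == 1 + n:    # SEC 1: 0x02/0x03 || X
        form = "compressed"
    else:
        raise ValueError("ECPoint is neither a well-formed uncompressed nor compressed point")
    return ECSubjectPublicKeyInfo(ALG_NAMES[_oid_decode(oid)], params, curve, form, point)

def key_usage_problems(key: ECSubjectPublicKeyInfo, usage: set, is_ca: bool) -> list:
    """Section 3 violations for a keyUsage bit set; an empty list means acceptable."""
    p = []
    if {"encipherOnly", "decipherOnly"} & usage and "keyAgreement" not in usage:
        p.append("encipherOnly/decipherOnly require keyAgreement")
    if key.algorithm == "ecPublicKey":
        allowed = {"digitalSignature", "nonRepudiation", "keyAgreement", "encipherOnly", "decipherOnly"}
        allowed |= {"keyCertSign", "cRLSign"} if is_ca else set()
        p += [b + " not permitted with id-ecPublicKey" for b in sorted(usage - allowed)]
    else:                                                            # id-ecDH / id-ecMQV
        p += ["keyAgreement MUST be present for ecDH/ecMQV keys"] * ("keyAgreement" not in usage)
        bad = {"digitalSignature", "nonRepudiation", "keyEncipherment", "keyCertSign", "cRLSign"}
        p += [b + " MUST NOT be present for ecDH/ecMQV keys" for b in sorted(usage & bad)]
    return p

def _der(tag, body):                                # minimal DER encoder, only for the samples
    n = len(body)
    lb = bytes([n]) if n < 128 else bytes([0x80 | (n.bit_length() + 7) // 8]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + lb + body

def _oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def build_ec_spki(alg_oid: str, params_der: bytes, point: bytes) -> bytes:
    """DER SubjectPublicKeyInfo { SEQUENCE { alg OID, params }, BIT STRING with 0 unused bits }."""
    return _der(0x30, _der(0x30, _der(0x06, _oid_encode(alg_oid)) + params_der) + _der(0x03, b"\x00" + point))
# Constructed samples: secp256r1 base point G (SEC 2). The parser checks form and length only.
GX = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
GY = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
P256 = _der(0x06, _oid_encode("1.2.840.10045.3.1.7"))
SPKI_EC_UNCOMPRESSED = build_ec_spki(ID_EC_PUBLIC_KEY, P256, b"\x04" + GX + GY)
SPKI_ECDH_COMPRESSED = build_ec_spki(ID_EC_DH, P256, b"\x03" + GX)             # GY is odd -> 0x03
SPKI_EC_IMPLICIT = build_ec_spki(ID_EC_PUBLIC_KEY, b"\x05\x00", b"\x04" + GX + GY)
```

   The parser rejects absent parameters and any ECParameters that is
   not a listed namedCurve or a NULL implicitCurve, so a specifiedCurve
   SEQUENCE is refused before any curve arithmetic happens; for
   implicitCurve the caller has to pass the issuer's curve name, which
   is the inheritance the text describes. key_usage_problems only flags
   MUST/MUST NOT violations; the Section 3 recommendation against
   combining keyCertSign or cRLSign with keyAgreement is a SHOULD NOT
   and is left to policy.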
   Security is measured in bits, where a strong symmetric cipher with a
   key of X bits is said to provide X bits of security. It is
   recommended that the bits of security provided by each choice are
   roughly equivalent. The following table provides comparable minimum
   bits of security [SP800-57] for the ECDSA key sizes and message
   digest algorithms. It also lists curves (see Section 2.1.1.1) for the
   key sizes.

      Minimum  | ECDSA    | Message    | Curves
      Bits of  | Key Size | Digest     |
      Security |          | Algorithms |
      ---------+----------+------------+-----------
      80       | 160-223  | SHA1       | sect163k1
               |          | SHA224     | sect163r2
               |          | SHA256     | secp192r1
               |          | SHA384     |
               |          | SHA512     |
      ---------+----------+------------+-----------
      112      | 224-255  | SHA224     | secp224r1
               |          | SHA256     | sect233k1
               |          | SHA384     | sect233r1
               |          | SHA512     |
      ---------+----------+------------+-----------
      128      | 256-383  | SHA256     | secp256r1
               |          | SHA384     | sect283k1
               |          | SHA512     | sect283r1
      ---------+----------+------------+-----------
      192      | 384-511  | SHA384     | secp384r1
               |          | SHA512     | sect409k1
               |          |            | sect409r1
      ---------+----------+------------+-----------
      256      | 512+     | SHA512     | secp521r1
               |          |            | sect571k1
               |          |            | sect571r1
      ---------+----------+------------+-----------

   To promote interoperability, the following choices are RECOMMENDED:

      Minimum  | ECDSA    | Message    | Curves
      Bits of  | Key Size | Digest     |
      Security |          | Algorithms |
      ---------+----------+------------+-----------
      80       | 192      | SHA256     | secp192r1
      ---------+----------+------------+-----------
      112      | 224      | SHA256     | secp224r1
      ---------+----------+------------+-----------
      128      | 256      | SHA256     | secp256r1
      ---------+----------+------------+-----------
      192      | 384      | SHA384     | secp384r1
      ---------+----------+------------+-----------
      256      | 512      | SHA512     | secp521r1
      ---------+----------+------------+-----------

   Using a larger hash value and then truncating it consumes more
   processing power than is necessary. This is more important on
   constrained devices. Since the signer does not know the environment
   that the recipient will use to validate the signature, it is better
   to use a hash function that provides the desired hash value output
   size, and no more.

   There are security risks with using keys not associated with well
   known and widely reviewed curves. For example, the curve may not
   satisfy the MOV condition or the curve may be vulnerable to the
   Anomalous attack [X9.62]. Additionally, either a) all of the
   arithmetic properties of a candidate ECC public key must be validated
   to ensure that it has the unique correct representation in the
   correct (additive) subgroup (and therefore is also in the correct EC
   group) specified by the associated ECC domain parameters or b) some
   of the arithmetic properties of a candidate ECC public key must be
   validated to ensure that it is in the correct group (but not
   necessarily the correct subgroup) specified by the associated ECC
   domain parameters [SP800-56A].

5. ASN.1 Considerations

   [X9.62] defines additional options for ECParameters and
   ECDSA-Sig-Value. If an implementation needs to use these options,
   then use the [X9.62] ASN.1 module. This RFC contains a conformant
   subset of the ASN.1 module defined in [X9.62].

   If an implementation generates a PER [X.691] encoding using the
   ASN.1 module found in this specification it might not achieve the
   same encoded output as one that uses the [X9.62] module. PER is not
   required by either the PKIX or S/MIME environments. If an
   implementation environment requires PER, then implementation concerns
   are less likely with the use of the [X9.62] module.
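   The public key validation that Section 4 calls for (option a, the
   full validation of [SP800-56A]: the candidate point is not the point
   at infinity, its coordinates are field elements, it satisfies the
   curve equation, and n times the point is the point at infinity),
   worked as an added example on secp256r1. This code is not part of
   the draft and is not from any of its authors; the names decode_point,
   validate_public_key, add and mul are the example's own. It assumes
   the P-256 domain parameters p, a, b, G and n as published in SEC 2
   and [FIPS186-3], and it also recovers y from the compressed ECPoint
   form of Section 2.2, which is where an invalid x (one that lies on
   the twist rather than on the curve) is first detectable.

```python
"""Added example (not part of the draft): SP 800-56A style full public key validation
for a secp256r1 ECPoint, including y recovery from the compressed form of Section 2.2."""

# secp256r1 (P-256): y^2 = x^3 + a*x + b over GF(p); G has prime order n, cofactor 1.
# Values as published in SEC 2 / FIPS 186-3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
INF = None                                     # the point at infinity


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition and doubling; pow(v, -1, P) is the modular inverse."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:        # Q + (-Q), which covers doubling a point with y = 0
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication. Not constant time: acceptable here because
    every input is public (a candidate public key and the public group order n)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def decode_point(octets: bytes):
    """ECPoint per SEC 1 2.3.4: 0x04||X||Y, or 0x02/0x03||X where the prefix gives y's parity."""
    if len(octets) == 65 and octets[0] == 0x04:
        return int.from_bytes(octets[1:33], "big"), int.from_bytes(octets[33:], "big")
    if len(octets) == 33 and octets[0] in (0x02, 0x03):
        x = int.from_bytes(octets[1:], "big")
        if x >= P:
            raise ValueError("x is not a field element")
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)          # P = 3 (mod 4): this is a square root when one exists
        if y * y % P != rhs:
            raise ValueError("no point with this x on the curve (x lies on the twist)")
        return x, (y if (y & 1) == (octets[0] & 1) else P - y)
    raise ValueError("not a secp256r1 ECPoint encoding")


def validate_public_key(octets: bytes) -> bool:
    """Full public key validation: Q != O, 0 <= x, y < p, Q on the curve, and n*Q == O.
    On a cofactor-1 curve such as P-256 the last check follows from the curve check; it is
    the one that matters on cofactor > 1 curves such as the sect*k1 Koblitz curves."""
    try:
        x, y = decode_point(octets)
    except ValueError:
        return False
    if not (0 <= x < P and 0 <= y < P) or not on_curve((x, y)):
        return False
    return mul(N, (x, y)) is INF


# Constructed samples: the base point G in both Section 2.2 forms (GY is odd, hence 0x03).
G_UNCOMPRESSED = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
G_COMPRESSED = b"\x03" + GX.to_bytes(32, "big")
```

   Decoding the compressed form is the natural place to catch a twist
   point: for an x with no square root of the right-hand side there is
   no point on the curve at all, so the candidate never reaches the
   arithmetic. For the uncompressed form the same protection comes from
   the curve-equation check in validate_public_key, which is why a
   parser that only inspects the 0x04/0x02/0x03 octet and the length,
   as the Section 2 rules require, is not on its own sufficient before
   a key is used for ECDH or ECMQV.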
6. IANA Considerations

   This document makes extensive use of object identifiers to register
   public key types, elliptic curves, field types, and algorithms. Most
   are registered in the ANSI X9.62 arc, with the exception of the hash
   algorithms, which are in NIST's arc, and many of the curves, which
   are in the Certicom Inc. arc (these curves have been adopted by ANSI
   and NIST). Additionally, object identifiers are used to identify the
   ASN.1 modules found in Appendix A. These are defined in an arc
   delegated by IANA to the PKIX Working Group. No further action by
   IANA is necessary for this document or any anticipated updates.

7. Acknowledgements

   The authors wish to thank Alfred Hoenes, Johannes Merkle, and Jim
   Schaad for their valued input.

8. References

8.1. Normative References

   [FIPS180-3] National Institute of Standards and Technology (NIST),
               FIPS Publication 180-3: Secure Hash Standard, June 2007.

   [FIPS186-3] National Institute of Standards and Technology (NIST),
               FIPS Publication 186-3: Digital Signature Standard,
               March 2006.

   [PKI]       Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
               Housley, R., and W. Polk, "Internet X.509 Public Key
               Infrastructure Certificate and Certificate Revocation
               List (CRL) Profile", RFC 5280, May 2008.

   [PKI-ASN]   Hoffman, P., and J. Schaad, "New ASN.1 Modules for PKIX",
               draft-ietf-pkix-new-asn1, work-in-progress.

   [PKI-ADALG] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T.
               Polk, "Internet X.509 Public Key Infrastructure:
               Additional Algorithms and Identifiers for DSA and ECDSA",
               draft-ietf-pkix-sha2-dsa-ecdsa, work-in-progress.

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RSAOAEP]   Schaad, J., Kaliski, B., and R. Housley, "Additional
               Algorithms and Identifiers for RSA Cryptography for use
               in the Internet X.509 Public Key Infrastructure
               Certificate and Certificate Revocation List (CRL)
               Profile", RFC 4055, June 2005.

   [SEC1]      Standards for Efficient Cryptography, "SEC 1: Elliptic
               Curve Cryptography", Version 1.0, September 2000.

   [X9.62]     American National Standards Institute (ANSI), ANS
               X9.62-2005: The Elliptic Curve Digital Signature
               Algorithm (ECDSA), 2005.

   [X.208]     ITU-T Recommendation X.208 (1988) | ISO/IEC 8824-1:1988.
               Specification of Abstract Syntax Notation One (ASN.1).

   [X.680]     ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
               Information Technology - Abstract Syntax Notation One.

   [X.681]     ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
               Information Technology - Abstract Syntax Notation One:
               Information Object Specification.

   [X.682]     ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
               Information Technology - Abstract Syntax Notation One:
               Constraint Specification.

   [X.683]     ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002.
               Information Technology - Abstract Syntax Notation One:
               Parameterization of ASN.1 Specifications.

8.2. Informative References

   [PKI-ALG]   Polk, W., Housley, R., and L. Bassham, "Algorithm
               Identifiers for the Internet X.509 Public Key
               Infrastructure", RFC 3279, April 2002.

   [SP800-56A] National Institute of Standards and Technology (NIST),
               Special Publication 800-56A: Recommendation for Pair-Wise
               Key Establishment Schemes Using Discrete Logarithm
               Cryptography (Revised), March 2007.

   [SP800-57]  National Institute of Standards and Technology (NIST),
               Special Publication 800-57: Recommendation for Key
               Management, August 2005.

   [X.691]     ITU-T Recommendation X.691 (2002) | ISO/IEC 8825-2:2002.
               Information Technology - ASN.1 Encoding Rules:
               Specification of Packed Encoding Rules.

Appendix A. ASN.1 Modules

   Appendix A.1 provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.208].

   Appendix A.2 provides informative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680], [X.681], [X.682], and [X.683]. This appendix contains the
   same information as Appendix A.1 in a more recent (and precise) ASN.1
   notation; however, Appendix A.1 takes precedence in case of conflict.

   These modules include more than the ASN.1 updates described in the
   text of this document. They also include additional ASN.1 from
   [PKI-ALG] because this document updates the entire ASN.1 module.
   Additionally, they include ASN.1 for DSA with SHA-224 and SHA-256
   [PKI-ADALG].

A.1. 1988 ASN.1 Module

   PKIXAlgs-1988 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   -- From [RSAOAEP]

   id-sha224, id-sha256, id-sha384, id-sha512
     FROM PKIX1-PSS-OAEP-Algorithms
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-rsa-pkalgs(33) }

   ;
   --
   -- Public Key (pk) Algorithms
   --

   -- RSA PK Algorithm, Parameters, and Keys

   rsaEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
     modulus         INTEGER,   -- n
     publicExponent  INTEGER    -- e
   }

   -- DSA PK Algorithm and Parameters

   id-dsa OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSAPublicKey ::= INTEGER  -- public key, y

   DSS-Parms ::= SEQUENCE {
     p  INTEGER,
     q  INTEGER,
     g  INTEGER
   }

   -- Diffie-Hellman PK Algorithm, Keys, and Parameters

   dhpublicnumber OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DHPublicKey ::= INTEGER  -- public key, y = g^x mod p

   DomainParameters ::= SEQUENCE {
     p                INTEGER,           -- odd prime, p = jq + 1
     g                INTEGER,           -- generator, g
     q                INTEGER,           -- factor of p-1
     j                INTEGER OPTIONAL,  -- subgroup factor, j >= 2
     validationParms  ValidationParms OPTIONAL
   }

   ValidationParms ::= SEQUENCE {
     seed         BIT STRING,
     pgenCounter  INTEGER
   }

   -- KEA PK Algorithm and Parameters

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
     2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithm IDs, Parameters, and Keys
   -- (ECDSA keys use id-ecPublicKey)

   id-ecPublicKey OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   id-ecDH OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecdh(12) }

   -- ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   id-ecMQV OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecmqv(13) }

   -- ECPoint ::= OCTET STRING

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
     namedCurve     OBJECT IDENTIFIER,
     implicitCurve  NULL
     -- specifiedCurve SpecifiedCurve
     -- specifiedCurve MUST NOT be used in PKIX
     -- Details for specifiedCurve can be found in [X9.62]
     -- Any future additions to this CHOICE should be coordinated
     -- with ANSI X9.
   }

   -- Sec 2.1.1.1 Named Curves

   -- Note in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'. For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as
   -- prime256v1.
751 -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as 752 -- P-224, secp384r1 as P-384, and secp521r1 as P-521. 754 secp192r1 OBJECT IDENTIFIER ::= { 755 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 756 prime(1) 1 } 758 sect163k1 OBJECT IDENTIFIER ::= { 759 iso(1) identified-organization(3) certicom(132) curve(0) 1 } 761 sect163r2 OBJECT IDENTIFIER ::= { 762 iso(1) identified-organization(3) certicom(132) curve(0) 15 } 764 secp224r1 OBJECT IDENTIFIER ::= { 765 iso(1) identified-organization(3) certicom(132) curve(0) 33 } 767 sect233k1 OBJECT IDENTIFIER ::= { 768 iso(1) identified-organization(3) certicom(132) curve(0) 26 } 770 sect233r1 OBJECT IDENTIFIER ::= { 771 iso(1) identified-organization(3) certicom(132) curve(0) 27 } 773 secp256r1 OBJECT IDENTIFIER ::= { 774 iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) 775 prime(1) 7 } 777 sect283k1 OBJECT IDENTIFIER ::= { 778 iso(1) identified-organization(3) certicom(132) curve(0) 16 } 780 sect283r1 OBJECT IDENTIFIER ::= { 781 iso(1) identified-organization(3) certicom(132) curve(0) 17 } 783 secp384r1 OBJECT IDENTIFIER ::= { 784 iso(1) identified-organization(3) certicom(132) curve(0) 34 } 786 sect409k1 OBJECT IDENTIFIER ::= { 787 iso(1) identified-organization(3) certicom(132) curve(0) 36 } 789 sect409r1 OBJECT IDENTIFIER ::= { 790 iso(1) identified-organization(3) certicom(132) curve(0) 37 } 792 secp521r1 OBJECT IDENTIFIER ::= { 793 iso(1) identified-organization(3) certicom(132) curve(0) 35 } 795 sect571k1 OBJECT IDENTIFIER ::= { 796 iso(1) identified-organization(3) certicom(132) curve(0) 38 } 798 sect571r1 OBJECT IDENTIFIER ::= { 799 iso(1) identified-organization(3) certicom(132) curve(0) 39 } 801 -- 802 -- Signature Algorithms (sa) 803 -- 805 -- RSA with MD-2 806 -- Parameters are NULL 808 md2WithRSAEncryption OBJECT IDENTIFIER ::= { 809 iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 } 811 -- RSA with MD-5 812 -- Parameters are NULL 814 
   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1
   -- Parameters are NULL

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1
   -- Parameters are ABSENT

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224
   -- Parameters are ABSENT

   dsa-with-sha224 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256
   -- Parameters are ABSENT

   dsa-with-sha256 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1
   -- Parameters are ABSENT

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   -- ECDSA with SHA-224
   -- Parameters are ABSENT

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256
   -- Parameters are ABSENT

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384
   -- Parameters are ABSENT

   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 3 }

   -- ECDSA with SHA-512
   -- Parameters are ABSENT

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
      r INTEGER,
      s INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
      r INTEGER,
      s INTEGER
   }

   --
   -- One-way (ow) Hash Algorithms
   --

   -- MD-2
   -- Parameters are NULL

   id-md2 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5
   -- Parameters are NULL

   id-md5 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1
   -- Parameters are preferred ABSENT

   id-sha1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) oiw(14) secsig(3)
      algorithm(2) 26 }

   -- SHA-224
   -- Parameters are preferred ABSENT

   -- id-sha224

   -- SHA-256
   -- Parameters are preferred ABSENT

   -- id-sha256

   -- SHA-384
   -- Parameters are preferred ABSENT

   -- id-sha384

   -- SHA-512
   -- Parameters are preferred ABSENT

   -- id-sha512

   END

A.2.  2004 ASN.1 Module

   PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   -- FROM [PKI-ASN]

   PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
   FROM AlgorithmInformation
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0)
        id-mod-algorithmInformation(TBD) }

   -- From [PKI-ASN]

   mda-sha224, mda-sha256, mda-sha384, mda-sha512
   FROM PKIX1-PSS-OAEP-Algorithms
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-mod(0) TBD }
   ;

   --
   -- Public Key (pk-) Algorithms
   --

   PKIXAlgs-PublicKeys PUBLIC-KEY ::= {
      pk-rsa |
      pk-dsa |
      pk-dh |
      pk-kea |
      pk-ec |
      pk-ecDH |
      pk-ecMQV,
      ...
      -- Extensible
   }

   -- RSA PK Algorithm, Parameters, and Keys

   pk-rsa PUBLIC-KEY ::= {
      IDENTIFIER rsaEncryption
      KEY RSAPublicKey
      PARAMS TYPE NULL ARE absent
      -- Private key format not in this document --
   }

   rsaEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
      modulus        INTEGER, -- n
      publicExponent INTEGER  -- e
   }

   -- DSA PK Algorithm, Parameters, and Keys

   pk-dsa PUBLIC-KEY ::= {
      IDENTIFIER id-dsa
      KEY DSAPublicKey
      PARAMS TYPE DSS-Parms ARE inheritable
      -- Private key format not in this document --
   }

   id-dsa OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSS-Parms ::= SEQUENCE {
      p INTEGER,
      q INTEGER,
      g INTEGER
   }

   DSAPublicKey ::= INTEGER -- public key, y

   -- Diffie-Hellman PK Algorithm, Parameters, and Keys

   pk-dh PUBLIC-KEY ::= {
      IDENTIFIER dhpublicnumber
      KEY DHPublicKey
      PARAMS TYPE DomainParameters ARE inheritable
      -- Private key format not in this document --
   }

   dhpublicnumber OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DomainParameters ::= SEQUENCE {
      p               INTEGER,          -- odd prime, p = jq + 1
      g               INTEGER,          -- generator, g
      q               INTEGER,          -- factor of p-1
      j               INTEGER OPTIONAL, -- subgroup factor, j >= 2
      validationParms ValidationParms OPTIONAL
   }

   ValidationParms ::= SEQUENCE {
      seed        BIT STRING,
      pgenCounter INTEGER
   }

   DHPublicKey ::= INTEGER -- public key, y = g^x mod p

   -- KEA PK Algorithm and Parameters

   pk-kea PUBLIC-KEY ::= {
      IDENTIFIER id-keyExchangeAlgorithm
      -- key is not encoded --
      PARAMS TYPE KEA-Parms-Id ARE required
      -- Private key format not in this document --
   }

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
      2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithm IDs, Parameters, and Keys
   -- (ECDSA uses pk-ec)

   pk-ec PUBLIC-KEY ::= {
      IDENTIFIER id-ecPublicKey
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecPublicKey OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   pk-ecDH PUBLIC-KEY ::= {
      IDENTIFIER id-ecDH
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecDH OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecdh(12) }

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys

   pk-ecMQV PUBLIC-KEY ::= {
      IDENTIFIER id-ecMQV
      KEY ECPoint
      PARAMS TYPE ECParameters ARE required
      -- Private key format not in this document --
   }

   id-ecMQV OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) schemes(1)
      ecmqv(13) }

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
      namedCurve    CURVE.&id({NamedCurve}),
      implicitCurve NULL
      -- specifiedCurve SpecifiedCurve
      -- specifiedCurve MUST NOT be used in PKIX
      -- Details for specifiedCurve can be found in [X9.62]
      -- Any future additions to this CHOICE should be coordinated
      -- with ANSI X.9.
   }

   -- Sec 2.1.1.1 Named Curve

   CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
      WITH SYNTAX { ID &id }

   NamedCurve CURVE ::= {
      { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
      { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
      { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
      { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
      { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
      ...
      -- Extensible
   }

   -- Note in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

   -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
   -- P-224, secp384r1 as P-384, and secp521r1 as P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
      prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   --
   -- Signature Algorithms (sa-)
   --

   PKIXAlgs-Signature SIGNATURE-ALGORITHM ::= {
      sa-rsaWithMD2 |
      sa-rsaWithMD5 |
      sa-rsaWithSHA1 |
      sa-dsaWithSHA1 |
      sa-dsaWithSHA224 |
      sa-dsaWithSHA256 |
      sa-ecdsaWithSHA1 |
      sa-ecdsaWithSHA224 |
      sa-ecdsaWithSHA256 |
      sa-ecdsaWithSHA384 |
      sa-ecdsaWithSHA512,
      ... -- Extensible
   }

   -- RSA with MD-2

   sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER md2WithRSAEncryption
      PARAMS TYPE NULL ARE present
      HASHES { mda-md2 }
      PUBLIC KEYS { pk-rsa }
   }

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5

   sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER md5WithRSAEncryption
      PARAMS TYPE NULL ARE present
      HASHES { mda-md5 }
      PUBLIC KEYS { pk-rsa }
   }

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1

   sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER sha1WithRSAEncryption
      PARAMS TYPE NULL ARE present
      HASHES { mda-sha1 }
      PUBLIC KEYS { pk-rsa }
   }

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1

   sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha1
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha1 }
      PUBLIC KEYS { pk-dsa }
   }

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224

   sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha224
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha224 }
      PUBLIC KEYS { pk-dsa }
   }

   dsa-with-sha224 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256

   sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER dsa-with-sha256
      VALUE DSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha256 }
      PUBLIC KEYS { pk-dsa }
   }

   dsa-with-sha256 OBJECT IDENTIFIER ::= {
      joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
      csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1

   sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA1
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha1 }
      PUBLIC KEYS { pk-ec }
   }

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   -- ECDSA with SHA-224

   sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA224
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha224 }
      PUBLIC KEYS { pk-ec }
   }

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256

   sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA256
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha256 }
      PUBLIC KEYS { pk-ec }
   }

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384

   sa-ecdsaWithSHA384 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA384
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha384 }
      PUBLIC KEYS { pk-ec }
   }

   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 3 }
   -- ECDSA with SHA-512

   sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER ecdsa-with-SHA512
      VALUE ECDSA-Sig-Value
      PARAMS TYPE NULL ARE absent
      HASHES { mda-sha512 }
      PUBLIC KEYS { pk-ec }
   }

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
      ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
      r INTEGER,
      s INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
      r INTEGER,
      s INTEGER
   }

   --
   -- Message Digest Algorithms (mda-)
   --

   HashAlgorithms DIGEST-ALGORITHM ::= {
      mda-md2 |
      mda-md5 |
      mda-sha1 |
      mda-sha224 |
      mda-sha256 |
      mda-sha384 |
      mda-sha512,
      ... -- Extensible
   }

   -- MD-2

   mda-md2 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-md2
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-md2 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5

   mda-md5 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-md5
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-md5 OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1

   mda-sha1 DIGEST-ALGORITHM ::= {
      IDENTIFIER id-sha1
      PARAMS TYPE NULL ARE preferredAbsent
   }

   id-sha1 OBJECT IDENTIFIER ::= {
      iso(1) identified-organization(3) oiw(14) secsig(3)
      algorithm(2) 26 }

   -- SHA-224
   -- Parameters are preferred ABSENT

   -- mda-sha224

   -- SHA-256
   -- Parameters are preferred ABSENT

   -- mda-sha256

   -- SHA-384
   -- Parameters are preferred ABSENT

   -- mda-sha384

   -- SHA-512
   -- Parameters are preferred ABSENT

   -- mda-sha512

   END

Authors' Addresses

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com

   Kelvin Yiu
   Microsoft
   One Microsoft Way
   Redmond, WA 98052-6399
   USA

   EMail: kelviny@microsoft.com

   Daniel R. L. Brown
   Certicom Corp
   5520 Explorer Drive #400
   Mississauga, ON L4W 5L1
   CANADA

   EMail: dbrown@certicom.com

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com

   Tim Polk
   NIST
   Building 820, Room 426
   Gaithersburg, MD 20899
   USA

   EMail: wpolk@nist.gov

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
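As an added worked example (not part of the draft or its ASN.1 module), the following Python builds and checks the EC AlgorithmIdentifier that pk-ec in Appendix A describes: it DER-encodes the OIDs of the NamedCurve set, requires ECParameters to be present, accepts namedCurve only from that set or implicitCurve NULL, and rejects a specifiedCurve SEQUENCE. The function names and the SEC1 leading-octet check on ECPoint are this example's own assumptions, not anything the module defines.

```python
# Constructed example (not the draft's code): DER helpers and pk-ec checks.
NAMED_CURVES = {  # arcs as listed in the module's NamedCurve set
    "secp192r1": "1.2.840.10045.3.1.1", "sect163k1": "1.3.132.0.1",
    "sect163r2": "1.3.132.0.15",        "secp224r1": "1.3.132.0.33",
    "sect233k1": "1.3.132.0.26",        "sect233r1": "1.3.132.0.27",
    "secp256r1": "1.2.840.10045.3.1.7", "sect283k1": "1.3.132.0.16",
    "sect283r1": "1.3.132.0.17",        "secp384r1": "1.3.132.0.34",
    "sect409k1": "1.3.132.0.36",        "sect409r1": "1.3.132.0.37",
    "secp521r1": "1.3.132.0.35",        "sect571k1": "1.3.132.0.38",
    "sect571r1": "1.3.132.0.39",
}
CURVE_BY_OID = {oid: name for name, oid in NAMED_CURVES.items()}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey
SEQUENCE, NULL, OID = 0x30, 0x05, 0x06          # DER tags used below

def _tlv(tag, body):  # DER TLV; every value built here is < 128 octets
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos=0):  # -> (tag, content, position after element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):  # full DER OBJECT IDENTIFIER from dotted form
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but last
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def decode_oid(content):  # dotted form from OID content octets
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def ec_algorithm_identifier(curve):  # { id-ecPublicKey, namedCurve }
    params = encode_oid(NAMED_CURVES[curve])
    return _tlv(SEQUENCE, encode_oid(ID_EC_PUBLIC_KEY) + params)

def check_ec_algorithm(alg_id, ec_point):
    """Apply the pk-ec rules; return the curve name or 'implicitCurve'."""
    tag, body, end = _read_tlv(alg_id)
    if tag != SEQUENCE or end != len(alg_id):
        raise ValueError("AlgorithmIdentifier is not a single SEQUENCE")
    tag, oid, pos = _read_tlv(body)
    if tag != OID or decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    if pos >= len(body):  # PARAMS TYPE ECParameters ARE required
        raise ValueError("ECParameters are required for pk-ec")
    tag, params, pos = _read_tlv(body, pos)
    if tag == SEQUENCE:  # SpecifiedCurve is a SEQUENCE
        raise ValueError("specifiedCurve MUST NOT be used in PKIX")
    if tag == NULL:
        curve = "implicitCurve"
    elif tag == OID and decode_oid(params) in CURVE_BY_OID:
        curve = CURVE_BY_OID[decode_oid(params)]
    else:
        raise ValueError("ECParameters is neither implicitCurve nor NamedCurve")
    # ECPoint content: SEC1 leading octet 04 (uncompressed) or 02/03.
    if not ec_point or ec_point[0] not in (0x02, 0x03, 0x04):
        raise ValueError("ECPoint lacks a valid SEC1 format octet")
    return curve
```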