IETF PKIX WG                                          Sean Turner, IECA
Internet Draft                                   Daniel Brown, Certicom
Intended Status: Standard Track                   Kelvin Yiu, Microsoft
Updates: 3279 (once approved)             Russ Housley, Vigil Security
Expires: April 26, 2009                                  Tim Polk, NIST
                                                       October 26, 2008

       Elliptic Curve Cryptography Subject Public Key Information
                 draft-ietf-pkix-ecc-subpubkeyinfo-09.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

This Internet-Draft will expire on April 26, 2009.

Copyright Notice

Copyright (C) The IETF Trust (2008).

Abstract

This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5, 3, and 5 of RFC 3279.

Table of Contents

   1. Introduction
      1.1. Terminology
   2. Subject Public Key Information Fields
      2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers
         2.1.1. Unrestricted Algorithm Identifier and Parameters
         2.1.2. Restricted Algorithm Identifiers and Parameters
      2.2. Subject Public Key
   3. Key Usage Bits
   4. Security Considerations
   5. ASN.1 Considerations
   6. IANA Considerations
   7. Acknowledgements
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. ASN.1 Modules
      A.1. Curve Object Identifiers
      A.2. Algorithm Identifiers
      A.3. 1988 ASN.1 Module for ECParameters
      A.4. 2004 ASN.1 Module

1. Introduction

This document specifies the format of the subjectPublicKeyInfo field in X.509 certificates [PKI] that use Elliptic Curve Cryptography (ECC). It updates [PKI-ALG]. This document specifies the encoding formats for public keys used with the following ECC algorithms:

   o Elliptic Curve Digital Signature Algorithm (ECDSA);

   o Elliptic Curve Diffie-Hellman (ECDH) family schemes; and,

   o Elliptic Curve Menezes-Qu-Vanstone (ECMQV) family schemes.

Two methods for specifying the algorithms that can be used with the subjectPublicKey are defined. One method does not restrict the algorithms the key can be used with, while the other method does restrict them. To promote interoperability, this document indicates which is required to implement.

Two methods for specifying the algorithm's parameters are also defined. One allows the Elliptic Curve (EC) to be identified by an object identifier, and one allows the EC to be inherited from the issuer's certificate. To promote interoperability, this document indicates which options are required to implement.

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [MUSTSHOULD].

2. Subject Public Key Information Fields

In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

   SubjectPublicKeyInfo ::= SEQUENCE {
     algorithm         AlgorithmIdentifier
                         { PUBLIC-KEY{ PKIXAlgs-PublicKeys } },
     subjectPublicKey  BIT STRING
   }

The fields in SubjectPublicKeyInfo have the following meanings:

   o algorithm is the algorithm identifier and algorithm parameters for the ECC public key. See Section 2.1.

   o subjectPublicKey is the ECC public key. See Section 2.2.

The AlgorithmIdentifier type is parameterized by PKIXAlgs-PublicKeys, a set of instances of the class PUBLIC-KEY. This class is defined in [PKI-ASN]:

   PUBLIC-KEY ::= CLASS {
     &id             OBJECT IDENTIFIER,
     &Params         OPTIONAL,
     &paramPresence  ParamOptions DEFAULT required,
     &KeyValue,
     &PrivateKey     OPTIONAL
   }
   WITH SYNTAX {
     IDENTIFIER &id
     KEY &KeyValue
     [PARAMS TYPE [&Params] ARE &paramPresence]
     [PRIVATE KEY &PrivateKey]
   }

   ParamOptions ::= ENUMERATED {
     required,         -- Parameters MUST be encoded in structure
     preferedPresent,  -- Parameters SHOULD be encoded in structure
     preferedAbsent,   -- Parameters SHOULD NOT be encoded in structure
     absent,           -- Parameters MUST NOT be encoded in structure
     notPresent,
     inheritable       -- Parameters are inherited if not present
   }

The type AlgorithmIdentifier is parameterized to allow legal sets of values to be specified by constraining the type with an information object set.

When defining a PUBLIC-KEY type:

   o &id is the object identifier assigned to the public-key type.

   o &Params, which is optional, is the parameters for the public-key type.

   o &paramPresence specifies the parameter presence requirements.

   o &KeyValue contains the type for the public key value.

   o &PrivateKey is the associated private key format.

2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers

The algorithm field in the SubjectPublicKeyInfo structure [PKI] indicates the algorithm and any associated parameters for the ECC public key (see Section 2.2). The algorithms are restricted to the PKIXAlgs-PublicKeys parameterized type with the following ASN.1 definition:

   PKIXAlgs-PublicKeys PUBLIC-KEY ::= {
     pk-ec |
     pk-ecDH |
     pk-ecMQV,
     ...  -- Extensible
   }

The algorithms defined are as follows:

   o pk-ec indicates that the algorithms that can be used with the subject public key are not restricted (i.e., they are unrestricted). The key is only restricted by the values indicated in the key usage certificate extension. The pk-ec CHOICE MUST be supported. See Section 2.1.1. This value is also used when a key is used with ECDSA.

   o pk-ecDH indicates that the algorithm that can be used with the subject public key is restricted to the Elliptic Curve Diffie-Hellman algorithm. See Section 2.1.2. This choice MAY be supported.

   o pk-ecMQV indicates that the algorithm that can be used with the subject public key is restricted to the Elliptic Curve Menezes-Qu-Vanstone key agreement algorithm. See Section 2.1.2. This choice MAY be supported.

2.1.1. Unrestricted Algorithm Identifier and Parameters

The "unrestricted" algorithm is defined as follows:

   pk-ec PUBLIC-KEY ::= {
     IDENTIFIER id-ecPublicKey
     KEY ECPoint
     PARAMS TYPE ECParameters ARE required
   }

The algorithm identifier is:

   id-ecPublicKey OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

The public key (ECPoint) syntax is described in Section 2.2.

The parameters for id-ecPublicKey are as follows and they MUST always be present:

   ECParameters ::= CHOICE {
     namedCurve     CURVE.&id({NamedCurve}),
     implicitCurve  NULL,
     -- specifiedCurve SpecifiedECDomain
     ...  -- Extensible
   }
   -- specifiedCurve MUST NOT be used in PKIX.
   -- Details for SpecifiedECDomain can be found in [X9.62].
   -- Any future additions to this CHOICE should be coordinated
   -- with ANSI X9.

The fields in ECParameters have the following meanings:

   o namedCurve allows all the required values for a particular set of elliptic curve domain parameters to be represented by an object identifier. This choice MUST be supported. See Section 2.1.1.1.

   o implicitCurve allows the elliptic curve parameters to be inherited. This choice MAY be used.

   o specifiedCurve, which is of type SpecifiedECDomain as defined in [X9.62], allows all of the curve parameters to be explicitly specified. This choice MUST NOT be used. See the ASN.1 Considerations section.

The addition of any new choices in ECParameters ought to be coordinated with ANSI X9.

The AlgorithmIdentifier within subjectPublicKeyInfo is the only place within a certificate where the domain parameters may be used. If the ECDSA, ECMQV, or ECDH algorithm parameters are omitted from the subjectPublicKeyInfo AlgorithmIdentifier and the CA signed the subject certificate using ECDSA, then the certificate issuer's ECDSA parameters apply to the subject's ECDSA, ECMQV, and ECDH key. If the ECDSA domain parameters are omitted from the subjectPublicKeyInfo AlgorithmIdentifier and the CA signed the subject certificate using a signature algorithm other than ECDSA, then the subject's ECDSA, ECMQV, and ECDH domain parameters are distributed by other means. If the subjectPublicKeyInfo AlgorithmIdentifier field omits the parameters component, the CA signed the subject with a signature algorithm other than ECDSA, and the subject's ECDSA, ECMQV, and ECDH parameters are not available through other means, then clients MUST reject the certificate.

2.1.1.1. Named Curve

The namedCurve field in ECParameters uses the class CURVE to constrain the set of legal values from NamedCurve, which are object identifiers:

   CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
     WITH SYNTAX { ID &id }

The NamedCurve parameterized type is defined as follows:

   NamedCurve CURVE ::= {
     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
     ...  -- Extensible
   }

The curve identifiers are the fifteen NIST recommended curves [FIPS186-3]:

   -- Note that in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'. For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

   -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
   -- P-224, secp256r1 as P-256, secp384r1 as P-384, and secp521r1 as
   -- P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 39 }

2.1.2. Restricted Algorithm Identifiers and Parameters

Algorithms used with elliptic curve cryptography fall in two different categories: signature and key agreement algorithms. ECDSA uses the pk-ec identifier described in Section 2.1.1. Two sets of key agreement algorithms are identified herein: the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme and the Elliptic Curve Menezes-Qu-Vanstone (ECMQV) key agreement scheme. All algorithms are identified by an object identifier and have parameters. The object identifier varies based on the algorithm, but the parameters are always ECParameters and they MUST always be present (see Section 2.1.1).

The ECDH is defined as follows:

   pk-ecDH PUBLIC-KEY ::= {
     IDENTIFIER id-ecDH
     KEY ECPoint
     PARAMS TYPE ECParameters ARE required
   }

The algorithm identifier is:

   id-ecDH OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecdh(12) }

The ECMQV is defined as follows:

   pk-ecMQV PUBLIC-KEY ::= {
     IDENTIFIER id-ecMQV
     KEY ECPoint
     PARAMS TYPE ECParameters ARE required
   }

The algorithm identifier is:

   id-ecMQV OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecmqv(13) }

2.2. Subject Public Key

The subjectPublicKey from SubjectPublicKeyInfo is the ECC public key. ECC public keys have the following syntax:

   ECPoint ::= OCTET STRING

Implementations of elliptic curve cryptography according to this document MUST support the uncompressed form and MAY support the compressed form of the ECC public key. As specified in [SEC1]:

   o The elliptic curve public key (a value of type ECPoint which is an OCTET STRING) is mapped to a subjectPublicKey (a value of type BIT STRING) as follows: the most significant bit of the OCTET STRING value becomes the most significant bit of the BIT STRING value, and so on; the least significant bit of the OCTET STRING becomes the least significant bit of the BIT STRING. Conversion routines are found in Sections 2.3.1 and 2.3.2 of [SEC1].

   o The first octet of the OCTET STRING indicates whether the key is compressed or uncompressed. The uncompressed form is indicated by 0x04 and the compressed form is indicated by either 0x02 or 0x03 (see Section 2.3.3 of [SEC1]).

3. Key Usage Bits

If the keyUsage extension is present in a CA certificate that indicates id-ecPublicKey in subjectPublicKeyInfo, then any combination of the following values MAY be present:

   digitalSignature;
   nonRepudiation;
   keyAgreement;
   keyCertSign; and
   cRLSign.

If the CA certificate keyUsage extension asserts keyAgreement, then it MAY assert either encipherOnly or decipherOnly. However, this specification RECOMMENDS that if keyCertSign or cRLSign is present, then keyAgreement, encipherOnly, and decipherOnly SHOULD NOT be present.

If the keyUsage extension is present in an EE certificate that indicates id-ecPublicKey in subjectPublicKeyInfo, then any combination of the following values MAY be present:

   digitalSignature;
   nonRepudiation; and
   keyAgreement.

If the EE certificate keyUsage extension asserts keyAgreement, then it MAY assert either encipherOnly or decipherOnly.

If the keyUsage extension is present in a certificate that indicates id-ecDH or id-ecMQV in subjectPublicKeyInfo, then the following MUST be present:

   keyAgreement;

the following MUST NOT be present:

   digitalSignature;
   nonRepudiation;
   keyTransport;
   keyCertSign; and,
   cRLSign;

the following MAY be present:

   encipherOnly; or,
   decipherOnly.

4. Security Considerations

The security considerations in [PKI-ALG] apply.

When implementing ECC in X.509 Certificates, there are three algorithm related choices that need to be made:

   1) What is the public key size?

   2) What is the hash algorithm [FIPS180-3]?

   3) What is the curve?
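The following Python program is added here as an illustration; it is not part of this draft and not code from any implementation the draft references. It ties Sections 2.1.1, 2.2 and 4 together on one input: it decodes a DER-encoded SubjectPublicKeyInfo, applies the ECParameters rules (namedCurve accepted, implicitCurve noted, specifiedCurve rejected, absent parameters rejected), decodes the ECPoint in either the uncompressed (0x04) or the compressed (0x02/0x03) form, and then checks that the decoded point lies on the curve before the key is used, which is the validation Section 4 calls for. The DER decoder, the P-256 arithmetic and the sample key (the P-256 base point wrapped in a constructed SubjectPublicKeyInfo) are all written for this example; the object identifiers are those of this draft and the curve constants are those of [FIPS186-3].

```python
# Added illustration, not part of the draft: decode a DER SubjectPublicKeyInfo
# carrying an ECC key, apply the ECParameters rules of Section 2.1.1, decode
# the ECPoint forms of Section 2.2, and validate the point as Section 4
# requires.  Standard library only; the DER decoder and the P-256 arithmetic
# are written here for the example, not taken from any library.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"    # id-ecPublicKey (Section 2.1.1)
ID_EC_DH = "1.3.132.1.12"                 # id-ecDH (Section 2.1.2)
ID_EC_MQV = "1.3.132.1.13"                # id-ecMQV (Section 2.1.2)
SECP256R1 = "1.2.840.10045.3.1.7"         # secp256r1, P-256 (Section 2.1.1.1)

# P-256 domain parameters from [FIPS186-3]: field prime, curve coefficients
# (a = -3) and base point; used only by the validation step.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _tlv(data, pos=0):
    """Read one DER TLV at data[pos]; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal text."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def parse_ec_spki(der):
    """Return {'algorithm', 'curve', 'form', 'point'} or raise ValueError."""
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, pos = _tlv(spki)
    tag, oid, apos = _tlv(algid)
    algorithm = _oid(oid)
    if algorithm not in (ID_EC_PUBLIC_KEY, ID_EC_DH, ID_EC_MQV):
        raise ValueError("not an ECC public key algorithm: " + algorithm)
    if apos >= len(algid):                  # ECParameters MUST always be present
        raise ValueError("ECParameters absent")
    ptag, params, _ = _tlv(algid, apos)
    if ptag == 0x06:                        # namedCurve: MUST be supported
        curve = _oid(params)
    elif ptag == 0x05:                      # implicitCurve (NULL): MAY be used;
        curve = None                        # parameters come from the issuer
    elif ptag == 0x30:                      # specifiedCurve: MUST NOT be used
        raise ValueError("specifiedCurve is not permitted in PKIX")
    else:
        raise ValueError("unknown ECParameters choice")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:         # ECPoint maps onto whole octets
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    point = bits[1:]
    form = {0x04: "uncompressed", 0x02: "compressed", 0x03: "compressed"}.get(point[0])
    if form is None:
        raise ValueError("unrecognised ECPoint leading octet")
    return {"algorithm": algorithm, "curve": curve, "form": form, "point": point}


def decode_point(point):
    """SEC1 ECPoint octets -> affine (x, y) on P-256, decompressing 0x02/0x03."""
    if point[0] == 0x04 and len(point) == 65:
        return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    if point[0] in (0x02, 0x03) and len(point) == 33:
        x = int.from_bytes(point[1:], "big")
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)       # square root; valid because P = 3 mod 4
        if y * y % P != rhs:
            raise ValueError("x is not the abscissa of a point on P-256")
        return x, (y if (y & 1) == (point[0] & 1) else P - y)
    raise ValueError("malformed ECPoint")


def validate_public_key(x, y):
    """Section 4 check: coordinates in [0, p-1] and the point on the curve.
    P-256 has cofactor 1, so every curve point other than infinity already
    lies in the order-n subgroup; curves with cofactor h > 1 also need n*Q = O."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


# Constructed sample: SubjectPublicKeyInfo for id-ecPublicKey with namedCurve
# secp256r1, carrying the P-256 base point in uncompressed form.
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004"
) + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")


def check_sample():
    """Parse the sample and validate its key: (curve OID, point form, valid?)."""
    info = parse_ec_spki(SAMPLE_SPKI)
    x, y = decode_point(info["point"])
    return info["curve"], info["form"], validate_public_key(x, y)
```

check_sample() returns ('1.2.840.10045.3.1.7', 'uncompressed', True). The range and curve-equation checks are option (b) of Section 4; because the cofactor of P-256 is 1 they coincide with option (a) for this curve, whereas a curve with cofactor greater than 1 would additionally need the scalar multiplication n*Q = O to confirm subgroup membership. The decompression branch shows why supporting the compressed form is optional: it costs a modular exponentiation per key and must itself reject an x that is not on the curve.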
Consideration must be given by the CA to the strength of the security provided by each of these choices. Security is measured in bits, where a strong symmetric cipher with a key of X bits is said to provide X bits of security. It is recommended that the bits of security provided by each choice are roughly equivalent. The following table provides comparable minimum bits of security [SP800-57] for the ECDSA key sizes and message digest algorithms. It also lists curves (see Section 2.1.1.1) for the key sizes.

   Minimum  | ECDSA    | Message    | Curves
   Bits of  | Key Size | Digest     |
   Security |          | Algorithms |
   ---------+----------+------------+-----------
   80       | 160-223  | SHA-1      | sect163k1
            |          | SHA-224    | sect163r2
            |          | SHA-256    | secp192r1
            |          | SHA-384    |
            |          | SHA-512    |
   ---------+----------+------------+-----------
   112      | 224-255  | SHA-224    | secp224r1
            |          | SHA-256    | sect233k1
            |          | SHA-384    | sect233r1
            |          | SHA-512    |
   ---------+----------+------------+-----------
   128      | 256-383  | SHA-256    | secp256r1
            |          | SHA-384    | sect283k1
            |          | SHA-512    | sect283r1
   ---------+----------+------------+-----------
   192      | 384-511  | SHA-384    | secp384r1
            |          | SHA-512    | sect409k1
            |          |            | sect409r1
   ---------+----------+------------+-----------
   256      | 512+     | SHA-512    | secp521r1
            |          |            | sect571k1
            |          |            | sect571r1
   ---------+----------+------------+-----------

To promote interoperability, the following choices are RECOMMENDED:

   Minimum  | ECDSA    | Message    | Curves
   Bits of  | Key Size | Digest     |
   Security |          | Algorithms |
   ---------+----------+------------+-----------
   80       | 192      | SHA-256    | secp192r1
   ---------+----------+------------+-----------
   112      | 224      | SHA-256    | secp224r1
   ---------+----------+------------+-----------
   128      | 256      | SHA-256    | secp256r1
   ---------+----------+------------+-----------
   192      | 384      | SHA-384    | secp384r1
   ---------+----------+------------+-----------
   256      | 512      | SHA-512    | secp521r1
   ---------+----------+------------+-----------

Using a larger hash value and then truncating it consumes more processing power than is necessary. This is more important on constrained devices. Since the signer does not know the environment that the recipient will use to validate the signature, it is better to use a hash function that provides the desired hash value output size, and no more.

There are security risks with using keys not associated with well known and widely reviewed curves. For example, the curve may not satisfy the MOV condition or the curve may be vulnerable to the Anomalous attack [X9.62]. Additionally, either a) all of the arithmetic properties of a candidate ECC public key must be validated to ensure that it has the unique correct representation in the correct (additive) subgroup (and therefore is also in the correct EC group) specified by the associated ECC domain parameters, or b) some of the arithmetic properties of a candidate ECC public key must be validated to ensure that it is in the correct group (but not necessarily the correct subgroup) specified by the associated ECC domain parameters [SP800-56A].

As noted in [PKI-ALG], the use of MD2 and MD5 for new applications is discouraged. It is still reasonable to use MD2 and MD5 to verify existing signatures.

5. ASN.1 Considerations

[X9.62] defines additional options for ECParameters and ECDSA-Sig-Value. If an implementation needs to use these options, then use the [X9.62] ASN.1 module. This RFC contains a conformant subset of the ASN.1 module defined in [X9.62].

If an implementation generates a PER [X.691] encoding using the ASN.1 module found in this specification, it might not achieve the same encoded output as one that uses the [X9.62] module. PER is not required by either the PKIX or S/MIME environments. If an implementation environment requires PER, then implementation concerns are less likely with the use of the [X9.62] module.

6. IANA Considerations

This document makes extensive use of object identifiers to register public key types, elliptic curves, and algorithms. Most are registered in the ANSI X9.62 arc, with the exception of the hash algorithms, which are in NIST's arc, and many of the curves, which are in the Certicom Inc. arc (these curves have been adopted by ANSI and NIST). Additionally, object identifiers are used to identify the ASN.1 modules found in Appendix A. These are defined in an arc delegated by IANA to the PKIX Working Group. No further action by IANA is necessary for this document or any anticipated updates.

7. Acknowledgements

The authors wish to thank Stephen Farrell, Alfred Hoenes, Johannes Merkle, Jim Schaad, and Carl Wallace for their valued input.

8. References

8.1. Normative References

   [FIPS180-3]  National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.

   [FIPS186-3]  National Institute of Standards and Technology (NIST), FIPS Publication 186-3: Digital Signature Standard, (draft) March 2006.

   [PKI]        Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

   [PKI-ALG]    Polk, W., Housley, R., and L. Bassham, "Algorithm Identifiers for the Internet X.509 Public Key Infrastructure", RFC 3279, April 2002.

   [MUSTSHOULD] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RSAOAEP]    Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005.

   [SEC1]       Standards for Efficient Cryptography, "SEC 1: Elliptic Curve Cryptography", Version 1.0, September 2000.

   [X9.62]      American National Standards Institute (ANSI), ANS X9.62-2005: The Elliptic Curve Digital Signature Algorithm (ECDSA), 2005.

   [X.208]      ITU-T Recommendation X.208 (1988) | ISO/IEC 8824-1:1988. Specification of Abstract Syntax Notation One (ASN.1).

8.2. Informative References

   [PKI-ADALG]  Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T. Polk, "Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA", draft-ietf-pkix-sha2-dsa-ecdsa-04, work-in-progress, June 2008.

   [PKI-ASN]    Hoffman, P., and J. Schaad, "New ASN.1 Modules for PKIX", draft-ietf-pkix-new-asn1-01, work-in-progress, July 2008.

   [SP800-56A]  National Institute of Standards and Technology (NIST), Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.

   [SP800-57]   National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.

   [X.680]      ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002. Information Technology - Abstract Syntax Notation One.

   [X.681]      ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002. Information Technology - Abstract Syntax Notation One: Information Object Specification.

   [X.682]      ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002. Information Technology - Abstract Syntax Notation One: Constraint Specification.

   [X.683]      ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002. Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications.

   [X.691]      ITU-T Recommendation X.691 (2002) | ISO/IEC 8825-2:2002. Information Technology - ASN.1 Encoding Rules: Specification of Packed Encoding Rules.

Appendix A. ASN.1 Modules

Appendix A.1 provides the normative ASN.1 definitions for the named elliptic curves.

Appendix A.2 provides the normative ASN.1 definitions for the algorithms, keys, and parameters (minus the ECParameters). This module includes ASN.1 from [PKI-ALG] because this document updates the entire ASN.1 module. Additionally, it includes ASN.1 for DSA with SHA-224 and SHA-256 [PKI-ADALG].

Appendix A.3 provides the normative ASN.1 definitions for the ECParameters structures described in this specification using ASN.1 as defined in [X.208].

Appendix A.4 provides informative ASN.1 definitions for the ECParameters structures described in this specification using ASN.1 as defined in [X.680], [X.681], [X.682], and [X.683]. This appendix contains the same information as Appendix A.2 and A.3 in a more recent (and precise) ASN.1 notation; however, Appendix A.2 and A.3 take precedence in case of conflict.

A.1. Curve Object Identifiers

   PKIXCurves-2008 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBA }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   -- IMPORTS NOTHING

   -- Note that in [X9.62] the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'. For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in [PKI-ALG] the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

   -- Note that [FIPS186-3] refers to secp192r1 as P-192, secp224r1 as
   -- P-224, secp256r1 as P-256, secp384r1 as P-384, and secp521r1 as
   -- P-521.

   secp192r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   END

A.2. Algorithm Identifiers

   PKIXAlgIDs-2008 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBA }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   -- From [RSAOAEP]

   id-sha224, id-sha256, id-sha384, id-sha512
     FROM PKIX1-PSS-OAEP-Algorithms
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-rsa-pkalgs(33) }

   ;

   --
   -- Public Key (pk-) Algorithms
   --

   -- RSA PK Algorithm, Parameters, and Keys

   rsaEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
     modulus         INTEGER,  -- n
     publicExponent  INTEGER   -- e
   }

   -- DSA PK Algorithm and Parameters

   id-dsa OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSAPublicKey ::= INTEGER  -- public key, y

   DSS-Parms ::= SEQUENCE {
     p  INTEGER,
     q  INTEGER,
     g  INTEGER
   }

   -- Diffie-Hellman PK Algorithm, Keys, and Parameters

   dhpublicnumber OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DHPublicKey ::= INTEGER  -- public key, y = g^x mod p

   DomainParameters ::= SEQUENCE {
     p                INTEGER,           -- odd prime, p=jq +1
     g                INTEGER,           -- generator, g
     q                INTEGER,           -- factor of p-1
     j                INTEGER OPTIONAL,  -- subgroup factor, j>= 2
     validationParms  ValidationParms OPTIONAL
   }

   ValidationParms ::= SEQUENCE {
     seed         BIT STRING,
     pgenCounter  INTEGER
   }

   -- KEA PK Algorithm and Parameters

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
     2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithm ID, Parameters, and Keys
   -- (ECDSA keys use id-ecPublicKey)

   id-ecPublicKey OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   -- Parameters are ECParameters. 1988 ASN.1 for ECParameters is found
   -- in Appendix A.3. 2004 ASN.1 syntax for ECParameters is found in
   -- Appendix A.4.

   ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys: ECDH

   id-ecDH OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecdh(12) }

   -- Parameters are ECParameters. 1988 ASN.1 for ECParameters is found
   -- in Appendix A.3. 2004 ASN.1 syntax for ECParameters is found in
   -- Appendix A.4.

   -- ECPoint ::= OCTET STRING

   -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys: ECMQV

   id-ecMQV OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecmqv(13) }

   -- Parameters are ECParameters. 1988 ASN.1 for ECParameters is found
   -- in Appendix A.3. 2004 ASN.1 syntax for ECParameters is found in
   -- Appendix A.4.

   -- ECPoint ::= OCTET STRING

   --
   -- Signature Algorithms (sa)
   --

   -- RSA with MD-2
   -- Parameters are NULL

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5
   -- Parameters are NULL

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1
   -- Parameters are NULL

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1
   -- Parameters are ABSENT

   id-dsa-with-sha1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- DSA with SHA-224
   -- Parameters are ABSENT

   id-dsa-with-sha224 OBJECT IDENTIFIER ::= {
     joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
     csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }

   -- DSA with SHA-256
   -- Parameters are ABSENT

   id-dsa-with-sha256 OBJECT IDENTIFIER ::= {
     joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101)
     csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }

   -- ECDSA with SHA-1
   -- Parameters are ABSENT

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   -- ECDSA with SHA-224
   -- Parameters are ABSENT

   ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
     ecdsa-with-SHA2(3) 1 }

   -- ECDSA with SHA-256
   -- Parameters are ABSENT

   ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
     ecdsa-with-SHA2(3) 2 }

   -- ECDSA with SHA-384
   -- Parameters are ABSENT

   ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
     ecdsa-with-SHA2(3) 3 }

   -- ECDSA with SHA-512
   -- Parameters are ABSENT

   ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
     ecdsa-with-SHA2(3) 4 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   --
   -- Message Digest Algorithms (mda-)
   --

   -- MD-2
   -- Parameters are NULL

   id-md2 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5
   -- Parameters are NULL

   id-md5 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1
   -- Parameters are preferred ABSENT

   id-sha1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) oiw(14) secsig(3)
     algorithm(2) 26 }

   -- SHA-224
   -- Parameters are preferred ABSENT

   -- id-sha224 OBJECT IDENTIFIER ::= {
   --   joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
   --   csor(3) nistalgorithm(4) hashalgs(2) 4 }

   -- SHA-256
   -- Parameters are
preferred ABSENT 995 -- id-sha256 OBJECT IDENTIFIER ::= { 996 -- joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 997 -- csor(3) nistalgorithm(4) hashalgs(2) 1 } 999 -- SHA-384 1000 -- Parameters are preferred ABSENT 1002 -- id-sha384 OBJECT IDENTIFIER ::= { 1003 -- joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1004 -- csor(3) nistalgorithm(4) hashalgs(2) 2 } 1006 -- SHA-512 1007 -- Parameters are preferred ABSENT 1009 -- id-sha512 OBJECT IDENTIFIER ::= { 1010 -- joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) 1011 -- csor(3) nistalgorithm(4) hashalgs(2) 3 } 1013 END 1015 A.3. 1988 ASN.1 Module for ECParameters 1017 PKIXAlgs-1988ECParams { iso(1) identified-organization(3) dod(6) 1018 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1020 DEFINITIONS EXPLICIT TAGS ::= 1022 BEGIN 1024 -- EXPORTS ALL 1026 IMPORTS 1027 -- From Appendix A.1 1029 secp192r1, sect163k1, sect163r2, secp224r1, sect233k1, sect233r1, 1030 secp256r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, 1031 secp521r1, sect571k1, sect571r1 1032 FROM PKIXCurves 1033 { iso(1) identified-organization(3) dod(6) internet(1) 1034 security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1036 ; 1038 -- Parameters for both Restricted and Unrestricted 1040 ECParameters ::= CHOICE { 1041 namedCurve OBJECT IDENTIFIER, 1042 implicitCurve NULL 1043 -- specifiedCurve SpecifiedECDomain 1044 -- Extensible 1045 } 1046 -- specifiedCurve MUST NOT be used in PKIX. 1047 -- Details for SpecifiedECDomain can be found in [X9.62]. 1048 -- Any future additions to this CHOICE should be coordinated 1049 -- with ANSI X9. 1051 END 1053 A.4. 
2004 ASN.1 Module 1055 PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6) 1056 internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1058 DEFINITIONS EXPLICIT TAGS ::= 1060 BEGIN 1062 -- EXPORTS ALL 1064 IMPORTS 1066 -- FROM [PKI-ASN] 1068 PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM 1069 FROM AlgorithmInformation 1070 { iso(1) identified-organization(3) dod(6) internet(1) 1071 security(5) mechanisms(5) pkix(7) id-mod(0) 1072 id-mod-algorithInformation(TBA) } 1074 -- From [PKI-ASN] 1076 mda-sha224, mda-sha256, mda-sha384, mda-sha512 1077 FROM PKIX1-PSS-OAEP-Algorithms 1078 { iso(1) identified-organization(3) dod(6) internet(1) 1079 security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1081 -- From Appendix A.1 1083 secp192r1, sect163k1, sect163r2, secp224r1, sect233k1, sect233r1, 1084 secp256r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, 1085 secp521r1, sect571k1, sect571r1 1086 FROM PKIXCurves 1087 { iso(1) identified-organization(3) dod(6) internet(1) 1088 security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1090 -- From Appendix A.2 1092 rsaEncryption, RSAPublicKey, id-dsa, DSAPublicKey, DSS-Parms, 1093 dhpublicnumber, DHPublicKey, DomainParameters, 1094 id-keyExchangeAlgorithm, KEA-Parms-Id, id-ecPublicKey, ECPoint, 1095 ECParameters, id-ecDH, id-ecMQV, md2WithRSAEncryption, 1096 md5WithRSAEncryption, sha1WithRSAEncryption, id-dsa-with-sha1, 1097 id-dsa-with-sha224, id-dsa-with-sha256, ecdsa-with-SHA1, 1098 ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, 1099 ecdsa-with-SHA512, DSA-Sig-Value, ECDSA-Sig-Value, id-md2, id-md5, 1100 id-sha1 1101 FROM PKIXAlgKeyParams-2004 1102 { iso(1) identified-organization(3) dod(6) internet(1) 1103 security(5) mechanisms(5) pkix(7) id-mod(0) TBA } 1105 ; 1107 -- 1108 -- Public Key (pk-) Algorithms 1109 -- 1111 PKIXAlgs-PublicKeys PUBLIC-KEY ::= { 1112 pk-rsa | 1113 pk-dsa | 1114 pk-dh | 1115 pk-kea | 1116 pk-ec | 1117 pk-ecDH | 1118 pk-ecMQV, 1119 ... 
-- Extensible 1120 } 1121 -- RSA PK Algorithm, Parameters, and Keys 1123 pk-rsa PUBLIC-KEY ::= { 1124 IDENTIFIER rsaEncryption 1125 KEY RSAPublicKey 1126 PARAMS TYPE NULL ARE absent 1127 -- Private key format not in this document -- 1128 } 1130 -- DSA PK Algorithm, Parameters, and Keys 1132 pk-dsa PUBLIC-KEY ::= { 1133 IDENTIFIER id-dsa 1134 KEY DSAPublicKey 1135 PARAMS TYPE DSS-Parms ARE inheritable 1136 -- Private key format not in this document -- 1137 } 1139 -- Diffie-Hellman PK Algorithm, Parameters, and Keys 1141 pk-dh PUBLIC-KEY ::= { 1142 IDENTIFIER dhpublicnumber 1143 KEY DHPublicKey 1144 PARAMS TYPE DomainParameters ARE inheritable 1145 -- Private key format not in this document -- 1146 } 1148 -- KEA PK Algorithm and Parameters 1150 pk-kea PUBLIC-KEY ::= { 1151 IDENTIFIER id-keyExchangeAlgorithm 1152 -- key is not encoded -- 1153 PARAMS TYPE KEA-Parms-Id ARE required 1154 -- Private key format not in this document -- 1155 } 1157 -- Sec 2.1.1 Unrestricted Algorithms ID, Parameters, and Keys 1158 -- (ECDSA uses pk-ec) 1160 pk-ec PUBLIC-KEY ::= { 1161 IDENTIFIER id-ecPublicKey 1162 KEY ECPoint 1163 PARAMS TYPE ECParameters ARE required 1164 -- Private key format not in this document -- 1165 } 1166 -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys: ecDH 1168 pk-ecDH PUBLIC-KEY ::= { 1169 IDENTIFIER id-ecDH 1170 KEY ECPoint 1171 PARAMS TYPE ECParameters ARE required 1172 -- Private key format not in this document -- 1173 } 1175 -- Sec 2.1.2 Restricted Algorithm IDs, Parameters, and Keys: ecMQV 1177 pk-ecMQV PUBLIC-KEY ::= { 1178 IDENTIFIER id-ecMQV 1179 KEY ECPoint 1180 PARAMS TYPE ECParameters ARE required 1181 -- Private key format not in this document -- 1182 } 1184 -- Parameters for both Restricted and Unrestricted 1186 ECParameters ::= CHOICE { 1187 namedCurve CURVE.&id({NamedCurve}), 1188 implicitCurve NULL, 1189 -- specifiedCurve SpecifiedECDomain 1190 ... -- Extensible 1191 } 1192 -- specifiedCurve MUST NOT be used in PKIX. 
1193 -- Details for SpecifiedECDomain can be found in [X9.62]. 1194 -- Any future additions to this CHOICE should be coordinated 1195 -- with ANSI X.9. 1197 -- Sec 2.1.1.1 Named Curve 1199 CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE } 1200 WITH SYNTAX { ID &id } 1202 NamedCurve CURVE ::= { 1203 { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } | 1204 { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } | 1205 { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } | 1206 { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } | 1207 { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 }, 1208 ... -- Extensible 1209 } 1210 -- 1211 -- Signature Algorithms (sa-) 1212 -- 1214 PKIXAlgs-Signature SIGNATURE-ALGORITHM ::= { 1215 sa-rsaWithMD2 | 1216 sa-rsaWithMD5 | 1217 sa-rsaWithSHA1 | 1218 sa-dsawithSHA1 | 1219 sa-dsawithSHA224 | 1220 sa-dsawithSHA256 | 1221 sa-ecdsaWithSHA1 | 1222 sa-ecdsaWithSHA224 | 1223 sa-ecdsaWithSHA256 | 1224 sa-ecdsaWithSHA384 | 1225 sa-ecdsaWithSHA512, 1226 ... 
-- Extensible 1227 } 1229 -- RSA with MD-2 1231 sa-rsaWithMD2 SIGNATURE-ALGORITHM ::= { 1232 IDENTIFIER md2WithRSAEncryption 1233 PARAMS TYPE NULL ARE present 1234 HASHES { mda-md2 } 1235 PUBLIC KEYS { pk-rsa } 1236 } 1238 -- RSA with MD-5 1240 sa-rsaWithMD5 SIGNATURE-ALGORITHM ::= { 1241 IDENTIFIER md5WithRSAEncryption 1242 PARAMS TYPE NULL ARE present 1243 HASHES { mda-md5 } 1244 PUBLIC KEYS { pk-rsa } 1245 } 1247 -- RSA with SHA-1 1249 sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1250 IDENTIFIER sha1WithRSAEncryption 1251 PARAMS TYPE NULL ARE present 1252 HASHES { mda-sha1 } 1253 PUBLIC KEYS { pk-rsa } 1254 } 1255 -- DSA with SHA-1 1257 sa-dsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1258 IDENTIFIER dsa-with-sha1 1259 VALUE DSA-Sig-Value 1260 PARAMS ARE absent 1261 HASHES { mda-sha1 } 1262 PUBLIC KEYS { pk-dsa } 1263 } 1265 -- DSA with SHA-224 1267 sa-dsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1268 IDENTIFIER dsa-with-sha224 1269 VALUE DSA-Sig-Value 1270 PARAMS ARE absent 1271 HASHES { mda-sha224 } 1272 PUBLIC KEYS { pk-dsa } 1273 } 1275 -- DSA with SHA-256 1277 sa-dsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1278 IDENTIFIER dsa-with-sha256 1279 VALUE DSA-Sig-Value 1280 PARAMS ARE absent 1281 HASHES { mda-sha256 } 1282 PUBLIC KEYS { pk-dsa } 1283 } 1285 -- ECDSA with SHA-1 1287 sa-ecdsaWithSHA1 SIGNATURE-ALGORITHM ::= { 1288 IDENTIFIER ecdsa-with-SHA1 1289 VALUE ECDSA-Sig-Value 1290 PARAMS TYPE NULL ARE absent 1291 HASHES { mda-sha1 } 1292 PUBLIC KEYS { pk-ec } 1293 } 1294 -- ECDSA with SHA-224 1296 sa-ecdsaWithSHA224 SIGNATURE-ALGORITHM ::= { 1297 IDENTIFIER ecdsa-with-SHA224 1298 VALUE ECDSA-Sig-Value 1299 PARAMS TYPE NULL ARE absent 1300 HASHES { mda-sha224 } 1301 PUBLIC KEYS { pk-ec } 1302 } 1304 -- ECDSA with SHA-256 1306 sa-ecdsaWithSHA256 SIGNATURE-ALGORITHM ::= { 1307 IDENTIFIER ecdsa-with-SHA256 1308 VALUE ECDSA-Sig-Value 1309 PARAMS TYPE NULL ARE absent 1310 HASHES { mda-sha256 } 1311 PUBLIC KEYS { pk-ec } 1312 } 1314 -- ECDSA with SHA-384 1316 sa-ecdsaWithSHA384 
SIGNATURE-ALGORITHM ::= { 1317 IDENTIFIER ecdsa-with-SHA384 1318 VALUE ECDSA-Sig-Value 1319 PARAMS TYPE NULL ARE absent 1320 HASHES { mda-sha384 } 1321 PUBLIC KEYS { pk-ec } 1322 } 1324 -- ECDSA with SHA-512 1326 sa-ecdsaWithSHA512 SIGNATURE-ALGORITHM ::= { 1327 IDENTIFIER ecdsa-with-SHA512 1328 VALUE ECDSA-Sig-Value 1329 PARAMS TYPE NULL ARE absent 1330 HASHES { mda-sha512 } 1331 PUBLIC KEYS { pk-ec } 1332 } 1333 -- 1334 -- Message Digest Algorithms (mda-) 1335 -- 1337 HashAlgorithms DIGEST-ALGORITHM ::= { 1338 mda-md2 | 1339 mda-md5 | 1340 mda-sha1 | 1341 mda-sha224 | 1342 mda-sha256 | 1343 mda-sha384 | 1344 mda-sha512, 1345 ... -- Extensible 1346 } 1348 -- MD-2 1350 mda-md2 DIGEST-ALGORITHM ::= { 1351 IDENTIFIER id-md2 1352 PARAMS TYPE NULL ARE preferredAbsent 1353 } 1355 -- MD-5 1357 mda-md5 DIGEST-ALGORITHM ::= { 1358 IDENTIFIER id-md5 1359 PARAMS TYPE NULL ARE preferredAbsent 1360 } 1362 -- SHA-1 1364 mda-sha1 DIGEST-ALGORITHM ::= { 1365 IDENTIFIER id-sha1 1366 PARAMS TYPE NULL ARE preferredAbsent 1367 } 1369 -- SHA-224 1370 -- Parameters are preferred ABSENT 1372 -- mda-sha224 1373 -- SHA-256 1374 -- Parameters are preferred ABSENT 1376 -- mda-sha256 1378 -- SHA-384 1379 -- Parameters are preferred ABSENT 1381 -- mda-sha384 1382 -- Parameters are preferred ABSENT 1384 -- SHA-512 1385 -- Parameters are preferred ABSENT 1387 -- mda-sha512 1389 END 1390 Authors' Addresses 1392 Sean Turner 1394 IECA, Inc. 1395 3057 Nutley Street, Suite 106 1396 Fairfax, VA 22031 1397 USA 1399 EMail: turners@ieca.com 1401 Kelvin Yiu 1403 Microsoft 1404 One Microsoft Way 1405 Redmond, WA 98052-6399 1406 USA 1408 Email: kelviny@microsoft.com 1410 Daniel R. L. 
Brown 1412 Certicom Corp 1413 5520 Explorer Drive #400 1414 Mississauga, ON L4W 5L1 1415 CANADA 1417 EMail: dbrown@certicom.com 1419 Russ Housley 1421 Vigil Security, LLC 1422 918 Spring Knoll Drive 1423 Herndon, VA 20170 1424 USA 1426 EMail: housley@vigilsec.com 1428 Tim Polk 1430 NIST 1431 Building 820, Room 426 1432 Gaithersburg, MD 20899 1433 USA 1435 EMail: wpolk@nist.gov 1437 Full Copyright Statement 1439 Copyright (C) The IETF Trust (2008). 1441 This document is subject to the rights, licenses and restrictions 1442 contained in BCP 78, and except as set forth therein, the authors 1443 retain all their rights. 1445 This document and the information contained herein are provided on an 1446 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1447 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 1448 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 1449 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 1450 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1451 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1453 Intellectual Property 1455 The IETF takes no position regarding the validity or scope of any 1456 Intellectual Property Rights or other rights that might be claimed to 1457 pertain to the implementation or use of the technology described in 1458 this document or the extent to which any license under such rights 1459 might or might not be available; nor does it represent that it has 1460 made any independent effort to identify any such rights. Information 1461 on the procedures with respect to rights in RFC documents can be 1462 found in BCP 78 and BCP 79. 
1464 Copies of IPR disclosures made to the IETF Secretariat and any 1465 assurances of licenses to be made available, or the result of an 1466 attempt made to obtain a general license or permission for the use of 1467 such proprietary rights by implementers or users of this 1468 specification can be obtained from the IETF on-line IPR repository at 1469 http://www.ietf.org/ipr. 1471 The IETF invites any interested party to bring to its attention any 1472 copyrights, patents or patent applications, or other proprietary 1473 rights that may cover technology that may be required to implement 1474 this standard. Please address the information to the IETF at 1475 ietf-ipr@ietf.org. 1477 Acknowledgment 1479 Funding for the RFC Editor function is provided by the IETF 1480 Administrative Support Activity (IASA).
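The pk-ec definition in Appendix A.4 (id-ecPublicKey, ECParameters required, key carried as an ECPoint OCTET STRING in the subjectPublicKey BIT STRING) and the ECParameters CHOICE in Appendices A.3 and A.4 together fix the DER shape of an ECC SubjectPublicKeyInfo. The following is an added example, written for this page and not code from the draft or from any PKIX module: it builds such a structure with a hand-rolled DER encoder and then walks it back, rejecting the alternatives the module forbids (a specifiedCurve SEQUENCE, a namedCurve OID outside the NamedCurve set, missing parameters) and checking that the ECPoint length fits the curve. The curve OIDs are those of Appendix A.1; the per-curve field sizes in bytes are taken from SEC 2, not from the draft, and the sample point is a constructed byte pattern that is not verified to lie on the curve. Function names (`build_ec_spki`, `parse_ec_spki`, `check_ec_spki`) are this example's own.

```python
# Added example: encode and validate an ECC SubjectPublicKeyInfo of the
# pk-ec shape from Appendix A.4 (not code from the draft).
from __future__ import annotations

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey, Appendix A.2

# OID -> (curve name from Appendix A.1, field size in bytes; sizes from SEC 2)
NAMED_CURVES = {
    "1.2.840.10045.3.1.1": ("secp192r1", 24), "1.3.132.0.1": ("sect163k1", 21),
    "1.3.132.0.15": ("sect163r2", 21), "1.3.132.0.33": ("secp224r1", 28),
    "1.3.132.0.26": ("sect233k1", 30), "1.3.132.0.27": ("sect233r1", 30),
    "1.2.840.10045.3.1.7": ("secp256r1", 32), "1.3.132.0.16": ("sect283k1", 36),
    "1.3.132.0.17": ("sect283r1", 36), "1.3.132.0.34": ("secp384r1", 48),
    "1.3.132.0.36": ("sect409k1", 52), "1.3.132.0.37": ("sect409r1", 52),
    "1.3.132.0.35": ("secp521r1", 66), "1.3.132.0.38": ("sect571k1", 72),
    "1.3.132.0.39": ("sect571r1", 72),
}


def _der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element); DER lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def build_ec_spki(curve_oid: str, point: bytes, params: bytes | None = None) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier { id-ecPublicKey, ECParameters }, BIT STRING }.
    `params` replaces the namedCurve encoding; used here only to build negative cases."""
    params = _encode_oid(curve_oid) if params is None else params
    alg_id = _tlv(0x30, _encode_oid(ID_EC_PUBLIC_KEY) + params)
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + point))   # 0 unused bits


def parse_ec_spki(spki: bytes) -> tuple[str | None, bytes]:
    """Return (curve name, or None for implicitCurve; ECPoint octets); ValueError on anything the module forbids."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SubjectPublicKeyInfo must be a single SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, apos = _read_tlv(alg, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("algorithm is not id-ecPublicKey")
    if apos == len(alg):
        raise ValueError("ECParameters ARE required for pk-ec")
    ptag, pval, pend = _read_tlv(alg, apos)
    if pend != len(alg):
        raise ValueError("trailing data after ECParameters")
    if ptag == 0x30:                                  # SpecifiedECDomain is a SEQUENCE
        raise ValueError("specifiedCurve MUST NOT be used in PKIX")
    if ptag == 0x05:                                  # implicitCurve NULL
        curve = None
    elif ptag == 0x06 and _decode_oid(pval) in NAMED_CURVES:
        curve = NAMED_CURVES[_decode_oid(pval)][0]
    else:
        raise ValueError("ECParameters is neither a NamedCurve member nor implicitCurve")
    tag, bits, kend = _read_tlv(body, pos)
    if tag != 0x03 or kend != len(body) or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    point = bits[1:]
    if curve is not None:                             # SEC1 point forms: 04 = uncompressed, 02/03 = compressed
        size = next(s for n, s in NAMED_CURVES.values() if n == curve)
        uncompressed = point[:1] == b"\x04" and len(point) == 1 + 2 * size
        compressed = point[:1] in (b"\x02", b"\x03") and len(point) == 1 + size
        if not (uncompressed or compressed):
            raise ValueError(f"ECPoint length {len(point)} does not fit {curve}")
    return curve, point


def check_ec_spki(spki: bytes) -> str | None:
    """None when the key parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_ec_spki(spki)
        return None
    except (ValueError, IndexError) as exc:
        return str(exc) or "truncated encoding"


if __name__ == "__main__":
    sample_point = b"\x04" + bytes(range(64))         # constructed, not a real curve point
    good = build_ec_spki("1.2.840.10045.3.1.7", sample_point)
    print(parse_ec_spki(good)[0])                     # secp256r1
    bad = build_ec_spki("1.2.840.10045.3.1.7", sample_point, params=_tlv(0x30, b""))
    print(check_ec_spki(bad))                         # specifiedCurve MUST NOT be used in PKIX
```

The point-length check is the one a verifier most often forgets: a key whose namedCurve says secp384r1 but whose ECPoint is only 65 octets long is malformed even though every DER element decodes, and it should be rejected before any curve arithmetic is attempted. The implicitCurve branch is kept only because the module lists it; with no curve known the example cannot size-check the point and returns None for the curve.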