draft-ietf-keyprov-symmetrickeyformat-01.txt   draft-ietf-keyprov-symmetrickeyformat-02.txt 
KEYPROV Working Group Sean Turner, IECA KEYPROV Working Group Sean Turner, IECA
Internet Draft Russ Housley, Vigil Security Internet Draft Russ Housley, Vigil Security
Intended Status: Standard Track November 18, 2007 Intended Status: Standard Track February 25, 2008
Expires: May 18, 2008 Expires: August 25, 2008
Symmetric Key Package Content Type Symmetric Key Package Content Type
draft-ietf-keyprov-symmetrickeyformat-01.txt draft-ietf-keyprov-symmetrickeyformat-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on May 18, 2008. This Internet-Draft will expire on August 18, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document defines the symmetric key format content type. It is This document defines the symmetric key format content type. It is
transport independent. The Cryptographic Message Syntax [RFC3852] can transport independent. The Cryptographic Message Syntax can be used
be used to digitally sign, digest, authenticate, or encrypt this to digitally sign, digest, authenticate, or encrypt this content
content type. type.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
1.1. Requirements Terminology..................................2 1.1. Requirements Terminology..................................2
1.2. ASN.1 Syntax Notation.....................................2 1.2. ASN.1 Syntax Notation.....................................2
2. Symmetric Key Package Content Type.............................3 2. Use Cases......................................................3
3. Security Considerations........................................4 2.1. Offline Use Cases.........................................3
4. IANA Considerations............................................4 2.1.1. Credential migration by end-user.....................3
5. References.....................................................4 2.1.2. Bulk import of new credentials.......................3
5.1. Normative References......................................4 2.1.3. Bulk migration of existing credentials...............3
5.2. Non-Normative References..................................4 2.1.4. Credential upload case...............................3
APPENDIX A: ASN.1 Module..........................................5 2.2. Online Use Cases..........................................3
2.2.1. Online provisioning a credential to end-user's
authentication token........................................3
2.2.2. Server to server provisioning of credentials.........3
2.2.3. Online update of an existing authentication token
credential..................................................3
3. Symmetric Key Package Content Type.............................4
4. Security Considerations........................................5
5. IANA Considerations............................................5
6. References.....................................................5
6.1. Normative References......................................5
6.2. Non-Normative References..................................5
APPENDIX A: ASN.1 Module..........................................6
1. Introduction 1. Introduction
This document defines the symmetric key format content type. It is This document defines the symmetric key format content type. It is
transport independent. The Cryptographic Message Syntax [RFC3852] can transport independent. The Cryptographic Message Syntax [RFC3852] can
be used to digitally sign, digest, authenticate, or encrypt this be used to digitally sign, digest, authenticate, or encrypt this
content type. content type.
1.1. Requirements Terminology 1.1. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.2. ASN.1 Syntax Notation 1.2. ASN.1 Syntax Notation
The key package is defined using the ASN.1 [X.680,X.681]. The key package is defined using the ASN.1 [X.680,X.681].
2. Symmetric Key Package Content Type 2. Use Cases
2.1. Offline Use Cases
2.1.1. Credential migration by end-user
2.1.2. Bulk import of new credentials
2.1.3. Bulk migration of existing credentials
2.1.4. Credential upload case
2.2. Online Use Cases
2.2.1. Online provisioning a credential to end-user's authentication
token
2.2.2. Server to server provisioning of credentials
2.2.3. Online update of an existing authentication token credential
3. Symmetric Key Package Content Type
The symmetric key package content type is used to transfer one or The symmetric key package content type is used to transfer one or
more plaintext symmetric keys from one party to another. A symmetric more plaintext symmetric keys from one party to another. A symmetric
key package MAY be encapsulated in one or more CMS protecting content key package MAY be encapsulated in one or more CMS protecting content
types. This content type must be DER encoded [X.690]. types. This content type must be DER encoded [X.690].
The symmetric key package content type has the following syntax: The symmetric key package content type has the following syntax:
PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER
skipping to change at page 3, line 32 skipping to change at page 4, line 32
SymmetricKeyPackage ::= SEQUENCE { SymmetricKeyPackage ::= SEQUENCE {
version KeyPkgVersion DEFAULT v1, version KeyPkgVersion DEFAULT v1,
sKeyPkgAtts [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyPkgAtts [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
sKeys SymmetricKeys } sKeys SymmetricKeys }
SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey
OneSymmetricKey ::= SEQUENCE { OneSymmetricKey ::= SEQUENCE {
sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
sKey OCTET STRING } sKey OCTET STRING OPTIONAL
-- MUST contain sKeyAttrs, sKey, or sKeyAttrs and sKey
}
KeyPkgVersion ::= INTEGER { v1(1), ... } KeyPkgVersion ::= INTEGER { v1(1), ... }
The SymmetricKeyPackage fields are used as follows: The SymmetricKeyPackage fields are used as follows:
- version identifies version of the symmetric key package content - version identifies version of the symmetric key package content
structure. For this version of the specification, the default structure. For this version of the specification, the default
value, v1, MUST be used. value, v1, MUST be used.
- sKeyPkgAttrs optionally provides attributes that apply to all of - sKeyPkgAttrs optionally provides attributes that apply to all of
skipping to change at page 4, line 11 skipping to change at page 5, line 11
- sKeys contains a sequence of OneSymmetricKey values. This - sKeys contains a sequence of OneSymmetricKey values. This
structure is discussed below. structure is discussed below.
The OneSymmetricKey fields are used as follows: The OneSymmetricKey fields are used as follows:
- sKeyAttrs optionally provides attributes that apply to one - sKeyAttrs optionally provides attributes that apply to one
symmetric key. If an attribute appears here it MUST NOT also be symmetric key. If an attribute appears here it MUST NOT also be
included in sKeyPkgAttrs. included in sKeyPkgAttrs.
- sKey contains the key value encoded as an OCTET STRING. - sKey optionally contains the key value encoded as an OCTET STRING.
3. Security Considerations The OneSymmetricKey field MUST include either sKeyAttrs, sKey, or
sKeyAttrs and sKey.
4. Security Considerations
The symmetric key package contents are not protected. This content The symmetric key package contents are not protected. This content
type can be combined with a security protocol to protect the contents type can be combined with a security protocol to protect the contents
of the package. of the package.
4. IANA Considerations 5. IANA Considerations
None: All identifiers are already registered. Please remove this None: All identifiers are already registered. Please remove this
section prior to publication as an RFC. section prior to publication as an RFC.
5. References 6. References
5.1. Normative References 6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[X.680] ITU-T Recommendation X.680: Information Technology - Abstract [X.680] ITU-T Recommendation X.680: Information Technology - Abstract
Syntax Notation One, 1997. Syntax Notation One, 1997.
[X.681] ITU-T Recommendation X.680: Information Technology - Abstract [X.681] ITU-T Recommendation X.680: Information Technology - Abstract
Syntax Notation One: Information Object Spcification, 1997. Syntax Notation One: Information Object Spcification, 1997.
[X.690] ITU-T Recommendation X.690 Information Technology - ASN.1 [X.690] ITU-T Recommendation X.690 Information Technology - ASN.1
encoding rules: Specification of Basic Encoding Rules (BER), encoding rules: Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Encoding Rules Canonical Encoding Rules (CER) and Distinguished Encoding Rules
(DER), 1997. (DER), 1997.
5.2. Non-Normative References 6.2. Non-Normative References
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC3852, [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC3852,
July 2004. July 2004.
APPENDIX A: ASN.1 Module APPENDIX A: ASN.1 Module
This appendix provides the normative ASN.1 definitions for the This appendix provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
X.680 and X.681. X.680 and X.681.
skipping to change at page 8, line 7 skipping to change at page 9, line 7
Vigil Security, LLC Vigil Security, LLC
918 Spring Knoll Drive 918 Spring Knoll Drive
Herndon, VA 20170 Herndon, VA 20170
USA USA
EMail: housley@vigilsec.com EMail: housley@vigilsec.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
skipping to change at page 8, line 42 skipping to change at page 9, line 42
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at
ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is provided by the IETF Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA). Administrative Support Activity (IASA).
 End of changes. 16 change blocks. 
26 lines changed or deleted 64 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/