draft-ietf-keyprov-symmetrickeyformat-06.txt   draft-ietf-keyprov-symmetrickeyformat-07.txt 
KEYPROV Working Group Sean Turner, IECA KEYPROV Working Group Sean Turner, IECA
Internet Draft Russ Housley, Vigil Security Internet Draft Russ Housley, Vigil Security
Intended Status: Standard Track October 20, 2009 Intended Status: Standard Track February 1, 2010
Expires: April 20, 2010 Expires: August 1, 2010
Symmetric Key Package Content Type Symmetric Key Package Content Type
draft-ietf-keyprov-symmetrickeyformat-06.txt draft-ietf-keyprov-symmetrickeyformat-07.txt
Abstract
This document defines the symmetric key format content type. It is
transport independent. The Cryptographic Message Syntax can be used
to digitally sign, digest, authenticate, or encrypt this content
type.
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on April 20, 2010. This Internet-Draft will expire on August 1, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
This document defines the symmetric key format content type. It is described in the Simplified BSD License.
transport independent. The Cryptographic Message Syntax can be used
to digitally sign, digest, authenticate, or encrypt this content
type.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Requirements Terminology..................................3 1.1. Requirements Terminology..................................3
1.2. ASN.1 Syntax Notation.....................................3 1.2. ASN.1 Syntax Notation.....................................3
2. Symmetric Key Package Content Type.............................3 2. Symmetric Key Package Content Type.............................3
3. PSKC Attributes................................................4 3. PSKC Attributes................................................5
3.1. PSKC Key Package Attributes...............................5 3.1. PSKC Key Package Attributes...............................5
3.1.1. Device Information Attributes........................5 3.1.1. Device Information Attributes........................5
3.1.2. Cryptographic Module Information Attributes..........7 3.1.2. Cryptographic Module Information Attributes..........7
3.2. PSKC Key Attributes.......................................7 3.2. PSKC Key Attributes.......................................8
3.2.1. Key Identifier.......................................7 3.2.1. Key Identifier.......................................8
3.2.2. Algorithm............................................8 3.2.2. Algorithm............................................8
3.2.3. Issuer...............................................8 3.2.3. Issuer...............................................8
3.2.4. Key Profile Identifier...............................8 3.2.4. Key Profile Identifier...............................8
3.2.5. Friendly Name........................................8 3.2.5. Key Reference Identifier.............................9
3.2.6. Algorithm Parameters.................................9 3.2.6. Friendly Name........................................9
3.2.7. Counter.............................................11 3.2.7. Algorithm Parameters.................................9
3.2.8. Time................................................11 3.2.8. Counter.............................................11
3.2.9. Time Interval.......................................11 3.2.9. Time................................................11
3.2.10. Time Drift.........................................11 3.2.10. Time Interval......................................12
3.2.11. Value MAC..........................................12 3.2.11. Time Drift.........................................12
3.3. Key Policy Attributes....................................12 3.2.12. Value MAC..........................................12
3.3.1. Start Date..........................................12 3.3. Key Policy Attributes....................................13
3.3.2. Expiry Date.........................................12 3.3.1. Start Date..........................................13
3.3.2. Expiry Date.........................................13
3.3.3. Number of Transactions..............................13 3.3.3. Number of Transactions..............................13
3.3.4. Key Usage...........................................13 3.3.4. Key Usage...........................................13
3.3.5. PIN Policy..........................................14 3.3.5. PIN Policy..........................................14
4. Key Encoding..................................................15 4. Key Encoding..................................................16
4.1. AES Key Encoding.........................................16 4.1. AES Key Encoding.........................................16
4.2. Triple DES Key Encoding..................................16 4.2. Triple DES Key Encoding..................................16
5. Security Considerations.......................................17 5. Security Considerations.......................................17
6. IANA Considerations...........................................17 6. IANA Considerations...........................................17
7. References....................................................17 7. References....................................................17
7.1. Normative References.....................................17 7.1. Normative References.....................................17
7.2. Non-Normative References.................................18 7.2. Non-Normative References.................................18
APPENDIX A: ASN.1 Modules........................................18 APPENDIX A: ASN.1 Module.........................................19
A.1. Symmetric Key Package ASN.1 Module.......................19
A.2. PSKC ASN.1 Module........................................21
1. Introduction 1. Introduction
This document defines the symmetric key format content type. It is This document defines the symmetric key format content type. It is
transport independent. The Cryptographic Message Syntax (CMS) transport independent. The Cryptographic Message Syntax (CMS)
[RFC5652] can be used to digitally sign, digest, authenticate, or [RFC5652] can be used to digitally sign, digest, authenticate, or
encrypt this content type. encrypt this content type.
The uses cases that motivated this work are elaborated in [PSKC]. The uses cases that motivated the attributes in this work are
They are omitted to avoid duplication. elaborated in [PSKC]. They are omitted to avoid duplication.
This document also includes Abstract Syntax Notation One (ASN.1) This document also includes Abstract Syntax Notation One (ASN.1)
definitions of the Extensile Markup Language (XML) element and definitions of the Extensible Markup Language (XML) element and
attributes defined in [PSKC]. attributes defined in [PSKC].
1.1. Requirements Terminology 1.1. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.2. ASN.1 Syntax Notation 1.2. ASN.1 Syntax Notation
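Review bot: The rewritten sentence in Section 1 still reads "The uses cases that motivated the attributes in this work"; it should be "The use cases". In the Table of Contents the appendix title becomes "APPENDIX A: ASN.1 Module" (singular) in the same revision that lists two modules, A.1 and A.2, under it, so the plural should be kept.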
skipping to change at page 3, line 42 skipping to change at page 3, line 44
2. Symmetric Key Package Content Type 2. Symmetric Key Package Content Type
The symmetric key package content type is used to transfer one or The symmetric key package content type is used to transfer one or
more plaintext symmetric keys from one party to another. A symmetric more plaintext symmetric keys from one party to another. A symmetric
key package MAY be encapsulated in one or more CMS protecting content key package MAY be encapsulated in one or more CMS protecting content
types. This content type must be Distinguished Encoding Rules (DER) types. This content type must be Distinguished Encoding Rules (DER)
encoded [X.690]. encoded [X.690].
The symmetric key package content type has the following syntax: The symmetric key package content type has the following syntax:
PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER ct-symmetric-key-package CONTENT-TYPE ::=
symmetric-key-package PKCS7-CONTENT-TYPE ::=
{ SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage } { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }
id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 25 } smime(16) ct(1) 25 }
SymmetricKeyPackage ::= SEQUENCE { SymmetricKeyPackage ::= SEQUENCE {
version KeyPkgVersion DEFAULT v1, version KeyPkgVersion DEFAULT v1,
sKeyPkgAttrs [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyPkgAttrs [0] SEQUENCE SIZE (1..MAX) OF Attribute
sKeys SymmetricKeys } {{ SKeyPkgAttributes }} OPTIONAL,
sKeys SymmetricKeys,
... }
SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey
OneSymmetricKey ::= SEQUENCE { OneSymmetricKey ::= SEQUENCE {
sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute
{{ SKeyAttributes }} OPTIONAL,
sKey OCTET STRING OPTIONAL } sKey OCTET STRING OPTIONAL }
-- At least sKeyAttrs or sKey MUST be present. ( WITH COMPONENTS { ..., sKeyAttrs PRESENT } |
WITH COMPONENTS { ..., sKey PRESENT } )
KeyPkgVersion ::= INTEGER { v1(1), ... } KeyPkgVersion ::= INTEGER { v1(1) } ( v1, ... )
The SymmetricKeyPackage fields are used as follows: The SymmetricKeyPackage fields are used as follows:
- version identifies version of the symmetric key package content - version identifies version of the symmetric key package content
structure. For this version of the specification, the default structure. For this version of the specification, the default
value, v1, MUST be used. value, v1, MUST be used.
- sKeyPkgAttrs optionally provides attributes that apply to all of - sKeyPkgAttrs optionally provides attributes that apply to all of
the symmetric keys in the package. If an attribute appears here it the symmetric keys in the package. The SKeyPkgAttributes
MUST NOT also be included in sKeyAttrs. information object set restricts the attributes allowed in
sKeyPkgAttrs. If an attribute appears here, then it MUST NOT also
be included in sKeyAttrs.
- sKeys contains a sequence of OneSymmetricKey values. This - sKeys contains a sequence of OneSymmetricKey values. This
structure is discussed below. structure is discussed below.
The OneSymmetricKey fields are used as follows: The OneSymmetricKey fields are used as follows:
- sKeyAttrs optionally provides attributes that apply to one - sKeyAttrs optionally provides attributes that apply to one
symmetric key. If an attribute appears here it MUST NOT also be symmetric key. The SKeyAttributes information object set
included in sKeyPkgAttrs. restricts the attributes permitted in sKeyAttrs. If an attribute
appears here, then it MUST NOT also be included in sKeyPkgAttrs.
- sKey optionally contains the key value encoded as an OCTET STRING. - sKey optionally contains the key value encoded as an OCTET STRING.
The OneSymmetricKey field MUST include either sKeyAttrs, or sKey, or The OneSymmetricKey field MUST include either sKeyAttrs, or sKey, or
sKeyAttrs and sKey. sKeyAttrs and sKey.
3. PSKC Attributes 3. PSKC Attributes
The following attributes are defined to assist those using the The following attributes are defined to assist those using the
symmetric key package defined in this document as part of a Portable symmetric key package defined in this document as part of a Portable
Symmetric Key Container protocol [PSKC]. [PSKC] should be consulted Symmetric Key Container protocol [PSKC]. [PSKC] should be consulted
for the definitive attribute descriptions. The attributes fall in to for the definitive attribute descriptions. The attributes fall in to
three categories. The first category includes attributes that apply three categories. The first category includes attributes that apply
to a key package, and these attributes will generally appear in to a key package, and these attributes will generally appear in
sKeyPkgAttrs. The second category includes attributes that apply to sKeyPkgAttrs. The second category includes attributes that apply to
a particular key, and these attributes will generally appear in a particular key, and these attributes will generally appear in
sKeyAttrs. The third category includes attributes that apply to a key sKeyAttrs. The third category includes attributes that apply to a key
policy. Of the attributes defined next, only the Key Identifier policy. Of the attributes defined, only the Key Identifier (Section
(Section 3.2.1) and Algorithm (Section 3.2.2) key attributes MUST be 3.2.1) and Algorithm (Section 3.2.2) key attributes MUST be included.
included. All other attributes are OPTIONAL. All other attributes are OPTIONAL.
Like PSKC, the Symmetric Key Content Type supports extensibility. Like PSKC, the Symmetric Key Content Type supports extensibility.
Primarily this is accomplished through the definition and inclusion Primarily this is accomplished through the definition and inclusion
of new attributes, but in some instances where the attribute contains of new attributes, but in some instances where the attribute contains
more than one type the ASN.1 "..." extensibility mechanism is more than one type the ASN.1 "..." extensibility mechanism is
employed. employed.
A straightforward approach to conversion from XML types to ASN.1 is A straightforward approach to conversion from XML types to ASN.1 is
employed. The <xs:string> type converts to UTF8String; the XML employed. The <xs:string> type converts to UTF8String; the XML
<xs:dateTime> type converts to GeneralizedTime; and the XML integer <xs:dateTime> type converts to GeneralizedTime; and the XML integer
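Review bot: The Section 3 text says the Key Identifier and Algorithm key attributes MUST be included, but in OneSymmetricKey sKeyAttrs is still OPTIONAL and the new constraint is satisfied by "WITH COMPONENTS { ..., sKey PRESENT }" alone, so a key carrying no attributes at all is valid against the syntax. The text should say whether a receiver rejects such a key, or the constraint should be tightened to match the prose. Separately, "This content type must be Distinguished Encoding Rules (DER) encoded" in Section 2 uses a lowercase "must"; if this is a requirement it should be the RFC 2119 keyword.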
skipping to change at page 8, line 39 skipping to change at page 9, line 5
between the sending and receiving parties to establish a set of key between the sending and receiving parties to establish a set of key
attribute values that are not transmitted within the container but attribute values that are not transmitted within the container but
agreed between the two parties out of band. This attribute will then agreed between the two parties out of band. This attribute will then
represent the unique reference to a set of key attribute values. represent the unique reference to a set of key attribute values.
at-pskc-keyProfileId ATTRIBUTE ::= { at-pskc-keyProfileId ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-keyProfileId } TYPE UTF8String IDENTIFIED BY id-pskc-keyProfileId }
id-pskc-keyProfileId OBJECT IDENTIFIER ::= { TBD } id-pskc-keyProfileId OBJECT IDENTIFIER ::= { TBD }
3.2.5. Friendly Name 3.2.5. Key Reference Identifier
The Key Reference attribute refers to an external key to be used with
a key derivation scheme and no specific key value (secret) is
transported but only the reference to the external master key is used
(e.g., the PKCS#11 key label).
at-pskc-keyReference ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-keyReference }
id-pskc-keyReference OBJECT IDENTIFIER ::= { TBD }
3.2.6. Friendly Name
The Friendly Name attribute contains a human readable name for the The Friendly Name attribute contains a human readable name for the
secret key. The attribute definition is as follows: secret key. The attribute definition is as follows:
at-pskc-friendlyName ATTRIBUTE ::= { at-pskc-friendlyName ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName } TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName }
id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD } id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD }
3.2.6. Algorithm Parameters 3.2.7. Algorithm Parameters
The Algorithm Parameters attribute contains parameters that influence The Algorithm Parameters attribute contains parameters that influence
the result of the algorithmic computation, for example response the result of the algorithmic computation, for example response
truncation and format in One-Time Password (OTP) and Challenge- truncation and format in One-Time Password (OTP) and Challenge-
Response (CR) algorithms. Response (CR) algorithms.
at-pskc-algorithmParameters ATTRIBUTE ::= { at-pskc-algorithmParameters ATTRIBUTE ::= {
TYPE PSKCAlgorithmParameters TYPE PSKCAlgorithmParameters
IDENTIFIED BY id-pskc-algorithmParameters } IDENTIFIED BY id-pskc-algorithmParameters }
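Review bot: The new Section 3.2.5 says that with the Key Reference attribute "no specific key value (secret) is transported", but nothing in it requires sKey to be absent when at-pskc-keyReference is present. Suggest stating that explicitly (the OneSymmetricKey constraint already permits sKeyAttrs without sKey), so a receiver is not left to choose between an embedded value and an external reference. The sentence is also a run-on and would read better split after "key derivation scheme".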
skipping to change at page 9, line 27 skipping to change at page 10, line 7
The Algorithm Parameters attribute has the following syntax: The Algorithm Parameters attribute has the following syntax:
PSKCAlgorithmParameters ::= CHOICE { PSKCAlgorithmParameters ::= CHOICE {
challengeFormat [0] ChallengeFormat, challengeFormat [0] ChallengeFormat,
responseFormat [1] ResponseFormat, responseFormat [1] ResponseFormat,
... } ... }
ChallengeFormat ::= SEQUENCE { ChallengeFormat ::= SEQUENCE {
encoding Encoding, encoding Encoding,
checkDigit BOOLEAN OPTIONAL, checkDigit BOOLEAN DEFAULT FALSE,
min INTEGER, min INTEGER (0..MAX),
max INTEGER, max INTEGER (0..MAX),
... } ... }
Encoding ::= CHOICE { Encoding ::= UTF8STRING ("DECIMAL" | "HEXADECIMAL" |
decimal [0] UTF8String ("DECIMAL"), "ALPHANUMERIC" |"BASE64" |"BINARY")
hexidecimal [1] UTF8String ("HEXIDECIMAL"),
alphanumeric [2] UTF8String ("ALPHANUMERIC"),
base64 [3] UTF8String ("BASE64"),
binary [4] UTF8String ("BINARY") }
ResponseFormat ::= SEQUENCE { ResponseFormat ::= SEQUENCE {
encoding Encoding, encoding Encoding,
length INTEGER, length INTEGER (0..MAX),
checkDigit BOOLEAN OPTIONAL, checkDigit BOOLEAN DEFAULT FALSE,
... } ... }
The fields in PSKCAlgorithmParameters have the following meanings: The fields in PSKCAlgorithmParameters have the following meanings:
o ChallengeFormat defines the characteristics of the challenge in a o ChallengeFormat defines the characteristics of the challenge in a
CR usage scenario whereby the following fields are defined: CR usage scenario whereby the following fields are defined:
o encoding specifies the encoding of the challenge accepted by o encoding specifies the encoding of the challenge accepted by
the device and MUST be one of the following values: DECIMAL, the device and MUST be one of the following values: DECIMAL,
HEXIDECIMAL, ALPHANUMERIC, BASE64, or BINARY. HEXADECIMAL, ALPHANUMERIC, BASE64, or BINARY.
o checkDigit indicates whether a device needs to check the o checkDigit indicates whether a device needs to check the
appended Luhn check digit, as defined in [LUHN], contained in a appended Luhn check digit, as defined in [LUHN], contained in a
challenge. The checkDigit MUST NOT be present if the encoding challenge. The checkDigit MUST NOT be present if the encoding
value is anything other than 'DECIMAL'. A value of TRUE value is anything other than 'DECIMAL'. A value of TRUE
indicates that the device will check the appended Luhn check indicates that the device will check the appended Luhn check
digit in a provided challenge. A value of FALSE indicates that digit in a provided challenge. A value of FALSE indicates that
the device will not check the appended Luhn check digit in the the device will not check the appended Luhn check digit in the
challenge. challenge.
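Review bot: The new Encoding definition is written "UTF8STRING", which is not the ASN.1 type name; it should be "UTF8String" as in the rest of the module, otherwise the module will not compile. With checkDigit now "BOOLEAN DEFAULT FALSE", the sentence "The checkDigit MUST NOT be present if the encoding value is anything other than 'DECIMAL'" needs rewording, because an absent field now decodes as FALSE and a DER encoder omits FALSE in any case; "MUST NOT be TRUE" states the restriction that is actually enforceable. Also, min and max are each constrained to (0..MAX), but nothing requires min to be no greater than max.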
skipping to change at page 11, line 8 skipping to change at page 11, line 29
digits/characters. If encoding is 'BASE64' or 'BINARY', this digits/characters. If encoding is 'BASE64' or 'BINARY', this
value indicates the number of bytes of the unencoded value. value indicates the number of bytes of the unencoded value.
o checkDigit indicates whether the device needs to append a Luhn o checkDigit indicates whether the device needs to append a Luhn
check digit, as defined in [LUHN], to the response. This is check digit, as defined in [LUHN], to the response. This is
only valid if encoding attribute is 'DECIMAL'. If the value is only valid if encoding attribute is 'DECIMAL'. If the value is
TRUE then the device will append a Luhn check digit to the TRUE then the device will append a Luhn check digit to the
response. If the value is FALSE, then the device will not response. If the value is FALSE, then the device will not
append a Luhn check digit to the response. append a Luhn check digit to the response.
3.2.7. Counter 3.2.8. Counter
The Counter attribute contains the event counter for event-based OTP The Counter attribute contains the event counter for event-based OTP
algorithms. The attribute definition is as follows: algorithms. The attribute definition is as follows:
at-pskc-counter ATTRIBUTE ::= { at-pskc-counter ATTRIBUTE ::= {
TYPE INTEGER IDENTIFIED BY id-pskc-counter } TYPE INTEGER(0..MAX) IDENTIFIED BY id-pskc-counter }
id-pskc-counter OBJECT IDENTIFIER ::= { TBD } id-pskc-counter OBJECT IDENTIFIER ::= { TBD }
3.2.8. Time 3.2.9. Time
The Time attribute conveys the time for time-based OTP algorithms. The Time attribute conveys the time for time-based OTP algorithms.
If the Time Interval attribute is included, then this element carries If the Time Interval attribute is included, then this element carries
the number of time intervals passed for a specific start point. It the number of time intervals passed for a specific start point. It
uses the BinaryTime syntax from [RFC4049]. The attribute definition uses the BinaryTime syntax from [RFC4049]. The attribute definition
is as follows: is as follows:
at-pskc-time ATTRIBUTE ::= { at-pskc-time ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE BinaryTime IDENTIFIED BY id-pskc-time }
id-pskc-time OBJECT IDENTIFIER ::= { TBD } id-pskc-time OBJECT IDENTIFIER ::= { TBD }
3.2.9. Time Interval 3.2.10. Time Interval
The Time Interval attribute conveys the time interval value for time- The Time Interval attribute conveys the time interval value for time-
based OTP algorithms. It uses the BinaryTime syntax from [RFC4049]. based OTP algorithms. It is an integer. The attribute definition is
The attribute definition is as follows: as follows:
at-pskc-timeInterval ATTRIBUTE ::= { at-pskc-timeInterval ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-time }
id-pskc-timeInterval OBJECT IDENTIFIER ::= { TBD } id-pskc-timeInterval OBJECT IDENTIFIER ::= { TBD }
3.2.10. Time Drift 3.2.11. Time Drift
The Time Drift attribute contains the device clock drift value, the The Time Drift attribute contains the device clock drift value, the
number of seconds per day the device clocks drifts, for time-based number of seconds per day the device clocks drifts, for time-based
OTP algorithms. It uses the BinaryTime syntax from [RFC4049]. The OTP algorithms. It is an integer. The attribute definition is as
attribute definition is as follows: follows:
at-pskc-timeDrift ATTRIBUTE ::= { at-pskc-timeDrift ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-time }
id-pskc-timeDrift OBJECT IDENTIFIER ::= { TBD } id-pskc-timeDrift OBJECT IDENTIFIER ::= { TBD }
3.2.11. Value MAC 3.2.12. Value MAC
The Value MAC attribute is a Message Authentication Code (MAC) The Value MAC attribute is a Message Authentication Code (MAC)
generated from the encrypted value in case the encryption algorithm generated from the encrypted value in case the encryption algorithm
does not support integrity checks (e.g., AES-CBC does not provide does not support integrity checks (e.g., AES-CBC does not provide
integrity while AES Key Wrap with MLI does). The attribute definition integrity while AES Key Wrap with MLI does). The attribute definition
is as follows: is as follows:
at-pskc-valueMAC ATTRIBUTE ::= { at-pskc-valueMAC ATTRIBUTE ::= {
TYPE ValueMac IDENTIFIED BY id-pskc-valueMAC } TYPE ValueMac IDENTIFIED BY id-pskc-valueMAC }
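Review bot: In Sections 3.2.10 and 3.2.11, at-pskc-timeInterval and at-pskc-timeDrift are both still "IDENTIFIED BY id-pskc-time", the identifier of the Time attribute, even though id-pskc-timeInterval and id-pskc-timeDrift are declared on the following line of each section. After this revision Time is BinaryTime while the other two are INTEGER (0..MAX), so a decoder that selects the type by OID cannot distinguish the three attributes and will apply the wrong syntax. The definitions should read "IDENTIFIED BY id-pskc-timeInterval" and "IDENTIFIED BY id-pskc-timeDrift". The Time Interval text also says only "It is an integer" without giving the unit, whereas Time Drift states seconds per day.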
skipping to change at page 12, line 30 skipping to change at page 12, line 51
ValueMac ::= SEQUENCE { ValueMac ::= SEQUENCE {
macAlgorithm UTF8String, macAlgorithm UTF8String,
mac UTF8String } mac UTF8String }
The fields in ValueMac have the following meanings: The fields in ValueMac have the following meanings:
o macAlgorithm identifies the MAC algorithm used to generate the o macAlgorithm identifies the MAC algorithm used to generate the
value placed in digest. Values may be taken from [PSKC-ALGORITHM- value placed in digest. Values may be taken from [PSKC-ALGORITHM-
PROFILES]. PROFILES].
o mac is the mac value. o mac is the base64 encoded [RFC4648] mac value.
3.3. Key Policy Attributes 3.3. Key Policy Attributes
Key policy attributes indicate a policy that can be attached to a Key policy attributes indicate a policy that can be attached to a
key. These attributes are defined in the subsections that follow. key. These attributes are defined in the subsections that follow.
3.3.1. Start Date 3.3.1. Start Date
When included in sKeyPkgAttrs, the Start Date attribute indicates the When included in sKeyAttrs, the Start Date attribute indicates the
start of the keys validity. The date MUST be expressed in UTC form start of the keys validity. The date MUST be expressed in UTC form
with no time zone component. Implementations SHOULD NOT rely on time with no time zone component. Implementations SHOULD NOT rely on time
resolution finer than milliseconds and MUST NOT generate time resolution finer than milliseconds and MUST NOT generate time
instants that specify leap seconds. The attribute definition is as instants that specify leap seconds. The attribute definition is as
in Section 3.1.1.6. in Section 3.1.1.6.
3.3.2. Expiry Date 3.3.2. Expiry Date
When included in sKeyAttrs, the Expiry Date attribute indicates the When included in sKeyAttrs, the Expiry Date attribute indicates the
end of the key's validity period. The date MUST be expressed in UTC end of the key's validity period. The date MUST be expressed in UTC
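Review bot: The macAlgorithm description in ValueMac refers to "the value placed in digest", but the structure has no digest field; it should say "placed in mac". The revised mac description makes the field a base64 string carried in a UTF8String, so the text should state that receivers decode it before comparison, and that the comparison is over the decoded octets. In Section 3.3.1 the changed sentence still reads "start of the keys validity"; it should be "key's validity period" to match Section 3.3.2.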
skipping to change at page 13, line 15 skipping to change at page 13, line 36
Section 3.1.1.7. Section 3.1.1.7.
3.3.3. Number of Transactions 3.3.3. Number of Transactions
The Number of Transactions attribute indicates the maximum number of The Number of Transactions attribute indicates the maximum number of
times a key carried within the package can be used. When this times a key carried within the package can be used. When this
element is omitted there is no restriction regarding the number of element is omitted there is no restriction regarding the number of
times a key can be used. The attribute definition is as follows: times a key can be used. The attribute definition is as follows:
at-pskc-numberOfTransactions ATTRIBUTE ::= { at-pskc-numberOfTransactions ATTRIBUTE ::= {
TYPE INTEGER IDENTIFIED BY id-pskc-numberOfTransactions } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-numberOfTransactions }
id-pskc-numberOfTransactions OBJECT IDENTIFIER ::= { TBD } id-pskc-numberOfTransactions OBJECT IDENTIFIER ::= { TBD }
3.3.4. Key Usage 3.3.4. Key Usage
The Key Usage attribute constrains the intended usage of the key. The Key Usage attribute constrains the intended usage of the key.
The recipient MUST enforce the key usage. The attribute definition The recipient MUST enforce the key usage. The attribute definition
is as follows: is as follows:
at-pskc-keyUsage ATTRIBUTE ::= { at-pskc-keyUsage ATTRIBUTE ::= {
TYPE PSKCKeyUsages IDENTIFIED BY id-pskc-keyUsages } TYPE PSKCKeyUsages IDENTIFIED BY id-pskc-keyUsages }
id-pskc-keyUsages OBJECT IDENTIFIER ::= { TBD } id-pskc-keyUsages OBJECT IDENTIFIER ::= { TBD }
PSKCKeyUsages ::= SEQUENCE OF PSKCKeyUsage PSKCKeyUsages ::= SEQUENCE OF PSKCKeyUsage
PSKCKeyUsage ::= UTF8String ("OTP" | "CR" | "Encrypt" |
PSKCKeyUsage ::= CHOICE { "Integrity" | "Verify" | "Unlock" | "Decrypt" |
otp [0] UTF8String ("OTP"), "KeyWrap" | "Unwrap" | "Derive" | "Generate")
cr [1] UTF8String ("CR"),
encrypt [2] UTF8String ("Encrypt"),
integrity [3] UTF8String ("Integrity"),
verify [4] UTF8String ("Verify"),
unlock [5] UTF8String ("Unlock"),
decrypt [6] UTF8String ("Decrypt"),
keyWrap [7] UTF8String ("KeyWrap"),
unwrap [8] UTF8String ("Unwrap"),
derive [9] UTF8String ("Derive"),
generate [10] UTF8String ("Generate") }
The fields in PSKCKeyUsage have the following meanings: The fields in PSKCKeyUsage have the following meanings:
o OTP: The key MUST only be used for OTP generation. o OTP: The key MUST only be used for OTP generation.
o CR: The key MUST only be used for Challenge/Response purposes. o CR: The key MUST only be used for Challenge/Response purposes.
o Encrypt: The key MUST only be used for data encryption purposes. o Encrypt: The key MUST only be used for data encryption purposes.
o Integrity: The key MUST only be used to generate a keyed message o Integrity: The key MUST only be used to generate a keyed message
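Review bot: "PSKCKeyUsages ::= SEQUENCE OF PSKCKeyUsage" has no SIZE (1..MAX) bound, unlike the other SEQUENCE OF types in this document, so an empty usage list is encodable; since "The recipient MUST enforce the key usage", the text needs to say how an empty list is treated, or the bound should be added. Note also that replacing the tagged CHOICE with a constrained UTF8String changes the DER encoding of every usage value, so packages produced against -06 will not decode against -07; that deserves a line in the change notes.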
skipping to change at page 14, line 41 skipping to change at page 15, line 4
3.3.5. PIN Policy 3.3.5. PIN Policy
The PIN Policy attribute allows policy about the PIN usage to be The PIN Policy attribute allows policy about the PIN usage to be
associated with the key. The attribute definition is as follows: associated with the key. The attribute definition is as follows:
at-pskc-pinPolicy ATTRIBUTE ::= { at-pskc-pinPolicy ATTRIBUTE ::= {
TYPE PINPolicy IDENTIFIED BY id-pskc-pinPolicy } TYPE PINPolicy IDENTIFIED BY id-pskc-pinPolicy }
id-pskc-pinPolicy OBJECT IDENTIFIER ::= { TBD } id-pskc-pinPolicy OBJECT IDENTIFIER ::= { TBD }
PINPolicy ::= SEQUENCE { PINPolicy ::= SEQUENCE {
pinKeyId [0] UTF8String OPTIONAL, pinKeyId [0] UTF8String OPTIONAL,
pinUsageMode [1] PINUsageMode, pinUsageMode [1] PINUsageMode,
maxFailedAttempts [2] INTEGER OPTIONAL, maxFailedAttempts [2] INTEGER (0..MAX) OPTIONAL,
minLength [3] INTEGER OPTIONAL, minLength [3] INTEGER (0..MAX) OPTIONAL,
maxLength [4] INTEGER OPTIONAL, maxLength [4] INTEGER (0..MAX) OPTIONAL,
pinEncoding [4] Encoding OPTIONAL } pinEncoding [5] Encoding OPTIONAL }
PINUsageMode ::= CHOICE { PINUsageMode ::= UTF8String ("Local" | "Prepend" | "Append" |
local [0] UTF8String ("Local"), "Algorithmic")
prepend [1] UTF8String ("Prepend"),
append [2] UTF8String ("Append"),
algorithmic [3] UTF8String ("Algorithmic") }
The fields in PIN Policy have the following meanings: The fields in PIN Policy have the following meanings:
o pinKeyId uniquely identifies the key held within this container o pinKeyId uniquely identifies the key held within this container
that contains the value of the PIN that protects the key. that contains the value of the PIN that protects the key.
o pinUsageMode indicates the way the PIN is used during the usage of o pinUsageMode indicates the way the PIN is used during the usage of
the key. The following values are defined: Local, Prepend, the key. The following values are defined: Local, Prepend,
Append, Algorithmic. Append, Algorithmic.
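Review bot: the new (0..MAX) bounds on minLength and maxLength rule out negative values, but nothing ties the two fields together, so a policy with minLength greater than maxLength is still valid. State that minLength MUST NOT exceed maxLength, or require receivers to reject such a policy. It would also help to say what a maxFailedAttempts of 0 means, since the constraint now explicitly allows it. The pinEncoding tag moving from [4] to [5] is needed: in -06 it shared [4] with maxLength, and with both fields OPTIONAL under IMPLICIT TAGS a decoder could not tell them apart.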
skipping to change at page 17, line 4 skipping to change at page 17, line 12
Proper parsing and key load of the contents of sKey for Triple-DES Proper parsing and key load of the contents of sKey for Triple-DES
SHALL be determined by using the following sKey octet string to SHALL be determined by using the following sKey octet string to
generate and match the key expansion test vectors in [SP800-67] generate and match the key expansion test vectors in [SP800-67]
appendix B for the key bundle: appendix B for the key bundle:
Key1 = 0123456789ABCDEF Key1 = 0123456789ABCDEF
Key2 = 23456789ABCDEF01 Key2 = 23456789ABCDEF01
Key3 = 456789ABCDEF0123 Key3 = 456789ABCDEF0123
Tag Length Value Tag Length Value
04 24 0123456789ABCDEF 23456789ABCDEF01 456789ABCDEF0123 04 24 0123456789ABCDEF 23456789ABCDEF01 456789ABCDEF0123
5. Security Considerations 5. Security Considerations
The symmetric key package contents are not protected. This content The symmetric key package contents are not protected. This content
type can be combined with a security protocol to protect the contents type can be combined with a security protocol to protect the contents
of the package. of the package. One possibility is to include this content type in
place of a PSKC package in Dynamic Symmetric Key Provisioning
Protocol (DSKPP) [DSKPP] exchanges. In this case, the algorithm
requirements are found in those documents. Another possibility is to
encapsulate this content type in a CMS [CMS] protecting content type.
6. IANA Considerations 6. IANA Considerations
None: All identifiers are already registered. Please remove this None: All identifiers are already registered. Please remove this
section prior to publication as an RFC. section prior to publication as an RFC.
7. References 7. References
7.1. Normative References 7.1. Normative References
[FIPS197] National Institute of Standards. "FIPS Pub 197: Advanced [FIPS197] National Institute of Standards. "FIPS Pub 197: Advanced
Encryption Standard (AES)", 26 November 2001. Encryption Standard (AES)", 26 November 2001.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4049] Housley, R., "BinaryTime: An Alternate Format for [RFC4049] Housley, R., "BinaryTime: An Alternate Format for
Representing Date and Time in ASN.1", RFC 4049, April 2005. Representing Date and Time in ASN.1", RFC 4049, April 2005.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFCTBD1] Schaad, J., and P. Hoffman, "New ASN.1 Modules for PKIX",
draft-ietf-pkix-new-asn1-07.txt, work-in-progress.
//** RFC EDITOR: Please replace [DSKPP] with [RFCXXXX] where XXXX is
the draft-ietf-pkix-new-asn1's RFC #. Make the replacements here and
elsewhere in the document. **//
[RFCTBD2] Schaad, J., and P. Hoffman, "New ASN.1 Modules for
SMIME", draft-ietf-smime-new-asn1-07.txt, work-in-progress.
//** RFC EDITOR: Please replace [DSKPP] with [RFCXXXX] where XXXX is
the draft-ietf-smime-new-asn1's RFC #. Make the replacements here
and elsewhere in the document. **//
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002. [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
Information Technology - Abstract Syntax Notation One. Information Technology - Abstract Syntax Notation One.
[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002. [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
Information Technology - Abstract Syntax Notation One: Information Information Technology - Abstract Syntax Notation One: Information
Object Specification. Object Specification.
[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002. [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
Information Technology - Abstract Syntax Notation One: Constraint Information Technology - Abstract Syntax Notation One: Constraint
Specification. Specification.
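Review bot: the RFC EDITOR notes added under [RFCTBD1] and [RFCTBD2] both read "Please replace [DSKPP] with [RFCXXXX]", which looks copied from the DSKPP entry. They should name [RFCTBD1] and [RFCTBD2] respectively; as written, the editor is told to point [DSKPP] at the ASN.1 module RFCs. The new Security Considerations text cites [CMS], but the reference list labels that document [RFC5652]; use one label throughout. In the Triple-DES vector, the tag (04) and the value are hexadecimal while the length is written as 24, which is the decimal octet count (the encoded length octet would be 18 in hex); state the radix or print the length in hex so the vector can be compared byte for byte.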
skipping to change at page 18, line 12 skipping to change at page 18, line 43
Encoding Rules (BER), Canonical Encoding Rules (CER) and Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER). Distinguished Encoding Rules (DER).
[SP800-67] National Institute of Standards and Technology, "NIST [SP800-67] National Institute of Standards and Technology, "NIST
Special Publication 800-67 Version 1.1: Recommendation for the Triple Special Publication 800-67 Version 1.1: Recommendation for the Triple
Data Encryption Algorithm (TDEA) Block Cipher", NIST Special Data Encryption Algorithm (TDEA) Block Cipher", NIST Special
Publication 800-67, May 2008. Publication 800-67, May 2008.
7.2. Non-Normative References 7.2. Non-Normative References
[DSKPP] Doherty, A., Pei, M., Machani, S., and M. Nystrom, "Dynamic
Symmetric Key Provisioning Protocol", Internet Draft Informational,
URL: http://www.ietf.org/internet-drafts/draft-ietf-keyprov-dskpp-
09.txt, work in progress.
//** RFC EDITOR: Please replace [DSKPP] with [RFCXXXX] where XXXX is
the draft-ietf-keyprov-dskpp's RFC #. Make the replacements here and
elsewhere in the document. **//
[LUHN] Luhn, H., "Luhn algorithm", US Patent 2950048, August 1960, [LUHN] Luhn, H., "Luhn algorithm", US Patent 2950048, August 1960,
http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=2950048. http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=2950048.
[PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key [PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key
Container (PSKC), draft-ietf-keyprov-pskc-03.txt, work-in-progress. Container (PSKC), draft-ietf-keyprov-pskc-05.txt, work-in-progress.
//** RFC EDITOR: Please replace [PSKC] with [RFCXXXX] where XXXX is //** RFC EDITOR: Please replace [PSKC] with [RFCXXXX] where XXXX is
the draft-ietf-keyprov-pskc's RFC #. Make the replacements here and the draft-ietf-keyprov-pskc's RFC #. Make the replacements here and
elsewhere in the document. **// elsewhere in the document. **//
[PSKC-ALGORITHM-PROFILES] Hoyer, P., Pei, M., Machani, S., and A. [PSKC-ALGORITHM-PROFILES] Hoyer, P., Pei, M., Machani, S., and A.
Doherty, "Additional Portable Symmetric Key Container (PSKC) Doherty, "Additional Portable Symmetric Key Container (PSKC)
Algorithm Profiles", Internet Draft Informational, URL: Algorithm Profiles", Internet Draft Informational, URL:
http://tools.ietf.org/html/draft-hoyer-keyprov-pskc-algorithm- http://tools.ietf.org/html/draft-hoyer-keyprov-pskc-algorithm-
profiles-00, December 2008. profiles-00, December 2008.
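Review bot: in the [PSKC] entry the opening quotation mark before "Portable Symmetric Key Container" is never closed, and the bump to -05 leaves that in place; close the quote after "(PSKC)". The URL in the new [DSKPP] entry is split across two lines at the hyphen before 09.txt, so it will not survive copy and paste, and it pins a specific draft revision by file path. Citing the draft name alone, as the [PSKC] entry does, is more robust.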
skipping to change at page 18, line 45 skipping to change at page 19, line 38
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
5652, September 2009. 5652, September 2009.
APPENDIX A: ASN.1 Module APPENDIX A: ASN.1 Module
This appendix provides the normative ASN.1 definitions for the This appendix provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
[X.680] through [X.683]. [X.680] through [X.683].
A.1. Symmetric Key Package ASN.1 Module
SymmetricKeyPackageModulev1 SymmetricKeyPackageModulev1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) 33 } smime(16) modules(0) id-mod-symmetricKeyPkgV1(33) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS ALL -- EXPORTS ALL
-- IMPORTS NOTHING IMPORTS
-- From New PKIX ASN.1 [RFCTBD1]
PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER ATTRIBUTE
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
KeyPackageContentTypes PKCS7-CONTENT-TYPE ::= { -- From New SMIME ASN.1 [RFCTBD2]
symmetric-key-package |
CONTENT-TYPE, Attribute{}
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41) }
;
KeyPackageContentTypes CONTENT-TYPE ::= {
ct-symmetric-key-package,
... -- Expect additional content types -- ... -- Expect additional content types --
} }
symmetric-key-package PKCS7-CONTENT-TYPE ::= ct-symmetric-key-package CONTENT-TYPE ::=
{ SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage } { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }
id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) ct(1) 25 } smime(16) ct(1) 25 }
SymmetricKeyPackage ::= SEQUENCE { SymmetricKeyPackage ::= SEQUENCE {
version KeyPkgVersion DEFAULT v1, version KeyPkgVersion DEFAULT v1,
sKeyPkgAttrs [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyPkgAttrs [0] SEQUENCE SIZE (1..MAX) OF Attribute
sKeys SymmetricKeys } {{ SKeyPkgAttributes }} OPTIONAL,
sKeys SymmetricKeys,
... }
SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey
OneSymmetricKey ::= SEQUENCE { OneSymmetricKey ::= SEQUENCE {
sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL, sKeyAttrs SEQUENCE SIZE (1..MAX) OF Attribute
sKey OCTET STRING OPTIONAL {{ SKeyAttributes }} OPTIONAL,
-- At least sKeyAttrs or sKey MUST be present. sKey OCTET STRING OPTIONAL }
} ( WITH COMPONENTS { ..., sKeyAttrs PRESENT } |
WITH COMPONENTS { ..., sKey PRESENT } )
KeyPkgVersion ::= INTEGER { v1(1), ... }
Attribute ::= SEQUENCE {
type ATTRIBUTE.&id ({SupportedAttributes}),
values SET SIZE (1..MAX) OF ATTRIBUTE.&Type
({SupportedAttributes}{@type}) }
SupportedAttributes ATTRIBUTE ::= { ... }
ATTRIBUTE ::= CLASS {
&derivation ATTRIBUTE OPTIONAL,
&Type OPTIONAL,
-- either &Type or &derivation required
&equality-match MATCHING-RULE OPTIONAL,
&ordering-match MATCHING-RULE OPTIONAL,
&substrings-match MATCHING-RULE OPTIONAL,
&single-valued BOOLEAN DEFAULT FALSE,
&collective BOOLEAN DEFAULT FALSE,
-- operational extensions
&no-user-modification BOOLEAN DEFAULT FALSE,
&usage AttributeUsage DEFAULT userApplications,
&id OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[ SUBTYPE OF &derivation ]
[ WITH SYNTAX &Type ]
[ EQUALITY MATCHING RULE &equality-match ]
[ ORDERING MATCHING RULE &ordering-match ]
[ SUBSTRINGS MATCHING RULE &substrings-match ]
[ SINGLE VALUE &single-valued ]
[ COLLECTIVE &collective ]
[ NO USER MODIFICATION &no-user-modification ]
[ USAGE &usage ]
ID &id }
MATCHING-RULE ::= CLASS {
&AssertionType OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE }
WITH SYNTAX {
[ SYNTAX &AssertionType ]
ID &id }
AttributeType ::= ATTRIBUTE.&id
AttributeValue ::= ATTRIBUTE.&Type
AttributeUsage ::= ENUMERATED { KeyPkgVersion ::= INTEGER { v1(1) } ( v1, ... )
userApplications (0), SKeyPkgAttributes ATTRIBUTE ::= { ... }
directoryOperation (1),
distributedOperation (2),
dSAOperation (3) }
SupportAttributes ATTRIBUTE ::= { ... } SKeyAttributes ATTRIBUTE ::= { ... }
END END
A.2. PSKC ASN.1 Module
PSKCAttributesModule PSKCAttributesModule
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) TBD } smime(16) modules(0) TBD }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS ALL -- EXPORTS ALL
IMPORTS IMPORTS
-- From SymmetricKeyModulev1 -- From New PKIX ASN.1 [RFCTBD1]
ATTRIBUTE ATTRIBUTE
FROM SymmetricKeyPackageModulev1 FROM PKIX-CommonTypes-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) identified-organization(3) dod(6) internet(1)
smime(16) modules(0) 33 } security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
-- From BinaryTime [RFC4049] -- From BinaryTime [RFC4049]
BinaryTime BinaryTime
FROM BinarySigningTimeModule FROM BinarySigningTimeModule
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) 27 } smime(16) modules(0) 27 }
; ;
SupportedAttributes ATTRIBUTE ::= { --
at-pskc-manufacturer | at-pskc-serialNo | at-pskc-issueNo | -- Merge SKeyPKGAttributes to the set of attributes for sKeyPkgAttrs
at-pskc-deviceBinding | at-pskc-startDate | at-pskc-expiryDate | --
SKeyPkgAttributes ATTRIBUTE ::= {
at-pskc-manufacturer | at-pskc-serialNo | at-pskc-model |
at-pskc-issueNo | at-pskc-deviceBinding | at-pskc-startDate |
at-pskc-expiryDate, ... }
--
-- Merge SKeyAttributes to the set of attributes for sKeyAttrs
--
SKeyAttributes ATTRIBUTE ::= {
at-pskc-startDate | at-pskc-expiryDate |
at-pskc-id | at-pskc-algorithm | at-pskc-issuer | at-pskc-id | at-pskc-algorithm | at-pskc-issuer |
at-pskc-keyProfileId | at-pskc-friendlyName | at-pskc-keyProfileId | at-pskc-keyReference |
at-pskc-algorithmParameters | at-pskc-counter | at-pskc-time | at-pskc-friendlyName | at-pskc-algorithmParameters |
at-pskc-timeInterval | at-pskc-timeDrift | at-pskc-valueMAC | at-pskc-counter | at-pskc-time | at-pskc-timeInterval |
at-pskc-timeDrift | at-pskc-valueMAC |
at-pskc-numberOfTransactions | at-pskc-keyUsage | at-pskc-numberOfTransactions | at-pskc-keyUsage |
at-pskc-pinPolicy, ... } at-pskc-pinPolicy, ... }
at-pskc-manufacturer ATTRIBUTE ::= { at-pskc-manufacturer ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-manufacturer } TYPE UTF8String IDENTIFIED BY id-pskc-manufacturer }
id-pskc-manufacturer OBJECT IDENTIFIER ::= { TBD } id-pskc-manufacturer OBJECT IDENTIFIER ::= { TBD }
at-pskc-serialNo ATTRIBUTE ::= { at-pskc-serialNo ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-serialNo } TYPE UTF8String IDENTIFIED BY id-pskc-serialNo }
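Review bot: SKeyPkgAttributes and SKeyAttributes are now defined twice, as empty extensible sets ({ ... }) in SymmetricKeyPackageModulev1 and as populated sets in PSKCAttributesModule, and the only link between them is the comment "Merge ... to the set of attributes". Neither module imports the other's set, so an ASN.1 compiler will treat them as unrelated objects and the constraint on sKeyPkgAttrs and sKeyAttrs will not pick up the PSKC attributes. Say in the text how an implementation is expected to combine the sets, or give the PSKC sets distinct names and describe how the package module's sets are extended with them. The first comment also spells the set name SKeyPKGAttributes, which does not match the defined SKeyPkgAttributes. Finally, at-pskc-startDate and at-pskc-expiryDate appear in both sets, so the text should state which value governs when a package-level date and a key-level date disagree.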
skipping to change at page 22, line 42 skipping to change at page 23, line 27
at-pskc-issuer ATTRIBUTE ::= { at-pskc-issuer ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-issuer } TYPE UTF8String IDENTIFIED BY id-pskc-issuer }
id-pskc-issuer OBJECT IDENTIFIER ::= { TBD } id-pskc-issuer OBJECT IDENTIFIER ::= { TBD }
at-pskc-keyProfileId ATTRIBUTE ::= { at-pskc-keyProfileId ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-keyProfileId } TYPE UTF8String IDENTIFIED BY id-pskc-keyProfileId }
id-pskc-keyProfileId OBJECT IDENTIFIER ::= { TBD } id-pskc-keyProfileId OBJECT IDENTIFIER ::= { TBD }
at-pskc-keyReference ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-keyReference }
id-pskc-keyReference OBJECT IDENTIFIER ::= { TBD }
at-pskc-friendlyName ATTRIBUTE ::= { at-pskc-friendlyName ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName } TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName }
id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD } id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD }
at-pskc-algorithmParameters ATTRIBUTE ::= { at-pskc-algorithmParameters ATTRIBUTE ::= {
TYPE PSKCAlgorithmParameters TYPE PSKCAlgorithmParameters
IDENTIFIED BY id-pskc-algorithmParameters } IDENTIFIED BY id-pskc-algorithmParameters }
id-pskc-algorithmParameters OBJECT IDENTIFIER ::= { TBD } id-pskc-algorithmParameters OBJECT IDENTIFIER ::= { TBD }
skipping to change at page 23, line 4 skipping to change at page 23, line 42
at-pskc-friendlyName ATTRIBUTE ::= { at-pskc-friendlyName ATTRIBUTE ::= {
TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName } TYPE UTF8String IDENTIFIED BY id-pskc-friendlyName }
id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD } id-pskc-friendlyName OBJECT IDENTIFIER ::= { TBD }
at-pskc-algorithmParameters ATTRIBUTE ::= { at-pskc-algorithmParameters ATTRIBUTE ::= {
TYPE PSKCAlgorithmParameters TYPE PSKCAlgorithmParameters
IDENTIFIED BY id-pskc-algorithmParameters } IDENTIFIED BY id-pskc-algorithmParameters }
id-pskc-algorithmParameters OBJECT IDENTIFIER ::= { TBD } id-pskc-algorithmParameters OBJECT IDENTIFIER ::= { TBD }
PSKCAlgorithmParameters ::= CHOICE { PSKCAlgorithmParameters ::= CHOICE {
challengeFormat [0] ChallengeFormat, challengeFormat [0] ChallengeFormat,
responseFormat [1] ResponseFormat, responseFormat [1] ResponseFormat,
... } ... }
ChallengeFormat ::= SEQUENCE { ChallengeFormat ::= SEQUENCE {
encoding Encoding, encoding Encoding,
checkDigit BOOLEAN OPTIONAL, checkDigit BOOLEAN DEFAULT FALSE,
min INTEGER, min INTEGER (0..MAX),
max INTEGER, max INTEGER (0..MAX),
... } ... }
Encoding ::= CHOICE { Encoding ::= UTF8String ("DECIMAL" | "HEXADECIMAL" |
decimal [0] UTF8String ("DECIMAL"), "ALPHANUMERIC" | "BASE64" | "BINARY" )
hexidecimal [1] UTF8String ("HEXIDECIMAL"),
alphanumeric [2] UTF8String ("ALPHANUMERIC"),
base64 [3] UTF8String ("BASE64"),
binary [4] UTF8String ("BINARY") }
ResponseFormat ::= SEQUENCE { ResponseFormat ::= SEQUENCE {
encoding Encoding, encoding Encoding,
length INTEGER, length INTEGER (0..MAX),
checkDigit BOOLEAN OPTIONAL, checkDigit BOOLEAN DEFAULT FALSE,
... } ... }
at-pskc-counter ATTRIBUTE ::= { at-pskc-counter ATTRIBUTE ::= {
TYPE INTEGER IDENTIFIED BY id-pskc-counter } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-counter }
id-pskc-counter OBJECT IDENTIFIER ::= { TBD } id-pskc-counter OBJECT IDENTIFIER ::= { TBD }
at-pskc-time ATTRIBUTE ::= { at-pskc-time ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE BinaryTime IDENTIFIED BY id-pskc-time }
id-pskc-time OBJECT IDENTIFIER ::= { TBD } id-pskc-time OBJECT IDENTIFIER ::= { TBD }
at-pskc-timeInterval ATTRIBUTE ::= { at-pskc-timeInterval ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-time }
id-pskc-timeInterval OBJECT IDENTIFIER ::= { TBD } id-pskc-timeInterval OBJECT IDENTIFIER ::= { TBD }
at-pskc-timeDrift ATTRIBUTE ::= { at-pskc-timeDrift ATTRIBUTE ::= {
TYPE BinaryTime IDENTIFIED BY id-pskc-time } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-time }
id-pskc-timeDrift OBJECT IDENTIFIER ::= { TBD } id-pskc-timeDrift OBJECT IDENTIFIER ::= { TBD }
at-pskc-valueMAC ATTRIBUTE ::= { at-pskc-valueMAC ATTRIBUTE ::= {
TYPE ValueMac IDENTIFIED BY id-pskc-valueMAC } TYPE ValueMac IDENTIFIED BY id-pskc-valueMAC }
id-pskc-valueMAC OBJECT IDENTIFIER ::= { TBD } id-pskc-valueMAC OBJECT IDENTIFIER ::= { TBD }
ValueMac ::= SEQUENCE { ValueMac ::= SEQUENCE {
macAlgorithm UTF8String, macAlgorithm UTF8String,
mac UTF8String } mac UTF8String }
at-pskc-numberOfTransactions ATTRIBUTE ::= { at-pskc-numberOfTransactions ATTRIBUTE ::= {
TYPE INTEGER IDENTIFIED BY id-pskc-numberOfTransactions } TYPE INTEGER (0..MAX) IDENTIFIED BY id-pskc-numberOfTransactions }
id-pskc-numberOfTransactions OBJECT IDENTIFIER ::= { TBD } id-pskc-numberOfTransactions OBJECT IDENTIFIER ::= { TBD }
at-pskc-keyUsage ATTRIBUTE ::= { at-pskc-keyUsage ATTRIBUTE ::= {
TYPE PSKCKeyUsages IDENTIFIED BY id-pskc-keyUsages } TYPE PSKCKeyUsages IDENTIFIED BY id-pskc-keyUsages }
id-pskc-keyUsages OBJECT IDENTIFIER ::= { TBD } id-pskc-keyUsages OBJECT IDENTIFIER ::= { TBD }
PSKCKeyUsages ::= SEQUENCE OF PSKCKeyUsage PSKCKeyUsages ::= SEQUENCE OF PSKCKeyUsage
PSKCKeyUsage ::= CHOICE { PSKCKeyUsage ::= UTF8String ("OTP" | "CR" | "Encrypt" |
otp [0] UTF8String ("OTP"), "Integrity" | "Verify" | "Unlock" | "Decrypt" |
cr [1] UTF8String ("CR"), "KeyWrap" | "Unwrap" | "Derive" | "Generate")
encrypt [2] UTF8String ("Encrypt"),
integrity [3] UTF8String ("Integrity"),
verify [4] UTF8String ("Verify"),
unlock [5] UTF8String ("Unlock"),
decrypt [6] UTF8String ("Decrypt"),
keyWrap [7] UTF8String ("KeyWrap"),
unwrap [8] UTF8String ("Unwrap"),
derive [9] UTF8String ("Derive"),
generate [10] UTF8String ("Generate") }
at-pskc-pinPolicy ATTRIBUTE ::= { at-pskc-pinPolicy ATTRIBUTE ::= {
TYPE PINPolicy IDENTIFIED BY id-pskc-pinPolicy } TYPE PINPolicy IDENTIFIED BY id-pskc-pinPolicy }
id-pskc-pinPolicy OBJECT IDENTIFIER ::= { TBD } id-pskc-pinPolicy OBJECT IDENTIFIER ::= { TBD }
PINPolicy ::= SEQUENCE { PINPolicy ::= SEQUENCE {
pinKeyId [0] UTF8String OPTIONAL, pinKeyId [0] UTF8String OPTIONAL,
pinUsageMode [1] PINUsageMode, pinUsageMode [1] PINUsageMode,
maxFailedAttempts [2] INTEGER OPTIONAL, maxFailedAttempts [2] INTEGER (0..MAX) OPTIONAL,
minLength [3] INTEGER OPTIONAL, minLength [3] INTEGER (0..MAX) OPTIONAL,
maxLength [4] INTEGER OPTIONAL, maxLength [4] INTEGER (0..MAX) OPTIONAL,
pinEncoding [4] Encoding OPTIONAL } pinEncoding [5] Encoding OPTIONAL }
PINUsageMode ::= CHOICE { PINUsageMode ::= UTF8String ("Local" | "Prepend" | "Append"|
local [0] UTF8String ("Local"), "Algorithmic")
prepend [1] UTF8String ("Prepend"),
append [2] UTF8String ("Append"),
algorithmic [3] UTF8String ("Algorithmic") }
END END
Authors' Address Authors' Addresses
Sean Turner Sean Turner
IECA, Inc. IECA, Inc.
3057 Nutley Street, Suite 106 3057 Nutley Street, Suite 106
Fairfax, VA 22031 Fairfax, VA 22031
USA USA
Email: turners@ieca.com Email: turners@ieca.com
Russ Housley Russ Housley
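Review bot: at-pskc-timeInterval and at-pskc-timeDrift are still "IDENTIFIED BY id-pskc-time", the same identifier as at-pskc-time, even though id-pskc-timeInterval and id-pskc-timeDrift are declared on the lines that follow each definition. This revision changes their TYPE from BinaryTime to INTEGER (0..MAX), so three attributes with two different syntaxes now share one identifier and a decoder cannot tell which type to apply; the definitions should reference id-pskc-timeInterval and id-pskc-timeDrift. Two smaller points in the same module: checkDigit moving from OPTIONAL to DEFAULT FALSE means a DER encoder must omit the field when it is FALSE, which is worth a sentence in the text, and the Encoding value changes spelling from "HEXIDECIMAL" to "HEXADECIMAL", so a receiver applying the new constraint will reject the string that -06 implementations emit.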
 End of changes. 78 change blocks. 
213 lines changed or deleted 229 lines changed or added
