draft-ietf-smime-new-asn1-00.txt   draft-ietf-smime-new-asn1-01.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Updates: 3370, 3565, 3851, 3852, J. Schaad Updates: 3370, 3565, 3851, 3852, J. Schaad
4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting 4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting
(if approved) December 21, 2007 (if approved) July 10, 2008
Expires: June 23, 2008 Intended status: Standards Track
Expires: January 11, 2009
New ASN.1 Modules for CMS and S/MIME New ASN.1 Modules for CMS and S/MIME
draft-ietf-smime-new-asn1-00.txt draft-ietf-smime-new-asn1-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 23, 2008. This Internet-Draft will expire on January 11, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
Abstract Abstract
The Cryptographic Message Syntax (CMS) format, and many associated The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates those conform to the 1988 version of ASN.1. This document updates those
ASN.1 modules to conform to the 2002 version of ASN.1. There are no ASN.1 modules to conform to the 2002 version of ASN.1. There are no
bits-on-the-wire changes to any of the formats; this is simply a bits-on-the-wire changes to any of the formats; this is simply a
change to the syntax. change to the syntax.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1. More Modules To Be Added . . . . . . . . . . . . . . . 3 1.1.1. More Modules To Be Added . . . . . . . . . . . . . . . 4
1.1.2. Algorithm Structure . . . . . . . . . . . . . . . . . 4 1.1.2. Algorithm Structure . . . . . . . . . . . . . . . . . 4
1.1.3. Module OIDs Changing . . . . . . . . . . . . . . . . . 4 1.1.3. Module OIDs Changing . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 4 2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4
3. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 9 3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 12
4. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 9 4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19
5. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 12 5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 19
6. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 21 6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 22
7. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 27 7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 32
8. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 29 8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 37
9. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 35 9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 39
10. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 36 10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 45
11. Security Considerations . . . . . . . . . . . . . . . . . . . 36 11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 46
12. Normative References . . . . . . . . . . . . . . . . . . . . . 37 12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 46
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 37 13. Security Considerations . . . . . . . . . . . . . . . . . . . 53
14. Normative References . . . . . . . . . . . . . . . . . . . . . 53
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 54
A.1. Changes between draft-hoffman-cms-new-asn1-00 and A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 38 draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38 A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 55
Intellectual Property and Copyright Statements . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 55
Intellectual Property and Copyright Statements . . . . . . . . . . 56
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that This document updates the following RFCs to use ASN.1 modules that
conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all conform to the 2002 version of ASN.1 [ASN1-2002]. Note that not all
the modules are updated; some are included to simply make the set the modules are updated; some are included to simply make the set
compete. complete.
o RFC 3370, CMS Algorithms [RFC3370] o RFC 3370, CMS Algorithms [RFC3370]
o RFC 3565, Use of AES in CMS [RFC3565] o RFC 3565, Use of AES in CMS [RFC3565]
o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851] o RFC 3851, S/MIME Version 3.1 Message Specification [RFC3851]
o RFC 3852, CMS main [RFC3852] o RFC 3852, CMS main [RFC3852]
o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108] o RFC 4108, Using CMS to Protect Firmware Packages [RFC4108]
o RFC 4998, Evidence Record Syntax (ERS) [RFC4998] o RFC 4998, Evidence Record Syntax (ERS) [RFC4998]
o RFC 5035, Enhanced Security Services (ESS) [RFC5035] o RFC 5035, Enhanced Security Services (ESS) [RFC5035]
o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083] o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]
o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
CMS [RFC5084] CMS [RFC5084]
o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]
Note that some of the modules in this document get some of their Note that some of the modules in this document get some of their
definitions from places different than the modules in the original definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules RFCs. The idea is that these modules, when combined with the modules
in [NEW-PKIX] can stand on their own and do not need to import in [NEW-PKIX] can stand on their own and do not need to import
definitions from anywhere else. Note that some of the modules here definitions from anywhere else.
import definitions from the common definitions module, "PKIX-
CommonTypes", in [NEW-PKIX]. The document also includes a module of common definitions called
"AlgorithmInformation". These definitions are used here and in
[NEW-PKIX].
Note that some of the modules here import definitions from the common
definitions module, "PKIX-CommonTypes", in [NEW-PKIX].
1.1. Issues 1.1. Issues
This section will be removed before final publication. This section will be removed before final publication.
1.1.1. More Modules To Be Added 1.1.1. More Modules To Be Added
There are many modules from standards-track RFCs that are not listed There are many modules from standards-track RFCs that are not listed
in this document or the companion document on PKIX. We will discuss in this document or the companion document on PKIX. We will discuss
with the two communities which modules are appropriate for the two with the two communities which modules are appropriate for the two
skipping to change at page 4, line 25 skipping to change at page 4, line 34
commented out. We will fix this before finishing this project. commented out. We will fix this before finishing this project.
1.1.3. Module OIDs Changing 1.1.3. Module OIDs Changing
The OIDs given in the modules in this version of the document are the The OIDs given in the modules in this version of the document are the
same as the OIDs from the original modules, even though some of the same as the OIDs from the original modules, even though some of the
modules have changed syntax. That is clearly incorrect. In a later modules have changed syntax. That is clearly incorrect. In a later
version of this document, we will change the OIDs for every changed version of this document, we will change the OIDs for every changed
module. module.
2. ASN.1 Module for RFC 3370 2. ASN.1 Module AlgorithmInformation
This section contains a module that is imported by many other modules
in this document and in [NEW-PKIX]. This module does not come from
any existing RFC.
AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
DEFINITIONS ::=
BEGIN
EXPORTS ALL;
IMPORTS ;
-- Suggested prefixes for algorithm objects are:
--
-- mda- Message Digest Algorithms
-- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymmetric)
-- kaa- Key Agreement Algorithms (Asymmetric)
-- kwa- Key Wrap Algorithms (Symmetric)
-- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- sea- Symmetric Encryption Algorithm
ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure
preferedPresent, -- Parameters SHOULD be encoded in structure
preferedAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure
notPresent,
inheritable -- Parameters are inherited if not present
}
-- DIGEST-ALGORITHM
--
-- Describes the basic properties of a digest algorithm
--
-- &id - contains the OID identifying the digest algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- Additional information such as the length of the hash could also
-- be encoded.
--
-- Example:
-- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1
-- PARAMS NULL ARE preferedAbsent
-- }
DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] [ARE &paramPresence] ]
}
-- SIGNATURE-ALGORITHM
--
-- Describes the basic properties of a signature algorithm
--
-- &id - contains the OID identifying the signature algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
-- &HashSet - the set of hash algorithms used with this
-- signature algorithm
-- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm
-- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS
-- PARAMS RSASSA-PSS-params
-- ARE required
-- USES {sha1 | md5, ... }
-- PUBKEYS { pk-rsa | pk-rsa-pss }
-- }
SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
&Value OPTIONAL,
&paramPresence ParamOptions DEFAULT required,
&HashSet DIGEST-ALGORITHM OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[VALUE &Value]
[PARAMS [&Params] ARE &paramPresence ]
[USES &HashSet]
[PUBKEYS &PublicKeySet]
}
-- PUBLIC-KEY
--
-- Describes the basic properties of a public key
--
-- &id - contains the OID identifying the public key
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
-- &KeyValue - contains the type for the key value
--
-- Could add information about the keyUsage bits
--
-- Example:
-- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey
-- PARAMS RSASSA-PSS-params ARE optional
-- }
PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required,
&KeyValue,
&PrivateKey OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
KEY &KeyValue
[PARAMS [&Params] ARE &paramPresence]
[PRIVATE KEY &PrivateKey]
}
-- KEY-TRANSPORT
--
-- Describes the basic properties of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
-- &PublicKeySet - specify which public keys are used with
-- this algorithm
--
-- Example:
-- rsaTransport KEY-TRANSPORT ::= {
-- &id rsaEncryption
-- &Params NULL
-- &paramPresence required
-- &PublicKeySet { pk-rsa | pk-rsa-pss }
-- }
KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params,
&paramPresence ParamOptions,
&PublicKeySet PUBLIC-KEY OPTIONAL
}
-- KEY-AGREE
--
-- Describes the basic properties of a key agreement algorithm
--
-- &id - contains the OID identifying the key agreement algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
-- &Ukm - type of user keying material used
-- &PublicKeySet - specify which public keys are used with
-- this algorithm
--
-- Additional items could be a restricted set of key wrap algorithms
--
-- Example:
-- dh-static-ephemeral KEY-AGREE ::= {
-- &id id-alg-ESDH
-- &Params KeyWrapAlgorithm
-- &paramPresence required
-- - - user key material is not ASN.1 encoded.
-- &PublicKeySet {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- PARAMS DHDomainParameters ARE inheritable }
-- }
-- }
KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required,
&Ukm OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence]
[PUBLIC KEY &PublicKeySet]
[UKM &Ukm]
}
-- KEY-WRAP
--
-- Describes the basic properties of a key wrap algorithm
--
-- &id - contains the OID identifying the key wrap algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- Example:
-- cms3DESwrap KEY-WRAP ::= {
-- &id id-alg-CMS3DESwrap
-- &Params NULL
-- &paramPresence required
-- }
KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence]
}
-- KEY-DERIVATION
--
-- Describes the basic properties of a key derivation algorithm
--
-- &id - contains the OID identifying the key derivation algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- Could add information about defaults for the derivation algorithm
-- such as PRFs
--
-- Example:
-- pbkdf2 KEY-DERIVATION ::= {
-- &id id-PBKDF2
-- &Params PBKDF2-params
-- &paramPresence required
-- }
KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
PARAMS [&Params] ARE &paramPresence
}
-- BULK-ENCRYPTION
--
-- Describes the basic properties of a bulk encryption algorithm
--
-- &id - contains the OID identifying the bulk encryption algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- Example:
-- aes128 BULK-ENCRYPTION ::= {
-- &id id-aes128-CBC
-- &Params AES-IV
-- &paramPresence required
-- }
BULK-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
OID &id
PARAMS &Params [ARE &paramPresence]
}
-- MAC-ALGORITHM
--
-- Describes the basic properties of a message authentication code
-- algorithm
--
-- &id - contains the OID identifying the MAC algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- It would make sense to also add minimum and maximum MAC lengths
--
-- Example:
-- hmac-sha1 MAC-ALGORITHM ::= {
-- &id hMAC-SHA1
-- &Params NULL
-- &paramPresence preferedAbsent
-- }
MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
OID &id
[PARAMS [&Params] [ARE &paramPresence]]
}
-- CONTENT-ENCRYPTION
--
-- Describes the basic properties of a symmetric content encryption
-- algorithm
--
-- &id - contains the OID identifying the content encryption algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
-- &paramPresence - parameter presence requirement
--
-- Example (Triple-DES in CBC mode from RFC 3370; CBCParameter is
-- defined in the RFC 3370 module below):
-- cea-des-ede3-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER des-ede3-cbc
-- PARAMS CBCParameter ARE required
-- }
CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT required
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [&Params] ARE &paramPresence]
}
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
-- ALGORITHM
--
-- Describes a generic algorithm identifier
--
-- &id - contains the OID identifying the algorithm
-- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no parameters
--
-- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id [PARAMS &Params]
}
END
3. ASN.1 Module for RFC 3370
CryptographicMessageSyntaxAlgorithms CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) cmsalg-2001(16) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ALGORITHM ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
FROM PKIX-CommonTypes PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }; mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
--FROM PKIX-CommonTypes
-- {iso(1) identified-organization(3) dod(6) internet(1)
-- security(5) mechanisms(5) pkix(7) id-mod(0)
-- id-mod-pkixCommon(43) }
;
--
-- Create the object sets for each of the different type of signature
-- algorithms defined by this module.
--
-- Philosophy: Sean Turner raised the question about whether these
-- object sets should be defined as being extensible. My response is
-- as follows:
--
-- If the working group believes that this document would be updated
-- in the future for the definition of new algorithms, or that
-- this document would be updated to reference (and thus include)
-- new algorithms defined in other documents, then these object
-- sets need to be marked as extensible.
-- If the working group believes that new algorithms will be defined
-- by the creation of new documents, then these object sets do not
-- need to be extensible.
-- In either case, documents that are referencing these objects sets
-- should probably be marked as being extensible in the location
-- they are being used. Thus in the main PKIX document you would
-- have
--
-- SIGNED{ToBeSigned} ::= SEQUENCE {
-- toBeSigned ToBeSigned,
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM, {Sa-PKIXAlgorithms, ...}},
-- signature BIT STRING
-- }
--
-- Future versions might include additional algorithm drafts and
-- use the line
-- algorithm AlgorithmIdentifier
-- {SIGNATURE-ALGORITHM,
-- {Sa-PKIXAlgorithms, ..., Sa-NewPKIXAlgorithms}},
--
-- Signature algorithms in this document
Sa-CMSAlgorithms SIGNATURE-ALGORITHM ::= {
sa-dsa-with-sha1 |
sa-md5WithRSAEncryption |
sa-sha1WithRSAEncryption }
-- Hash algorithms in this document
Mda-CMSAlgorithms DIGEST-ALGORITHM ::= { mda-md5 |
mda-sha1 }
-- Public Key Algorithms in this document
Pk-CMSAlgorithms PUBLIC-KEY ::= { pk-dsa | pk-rsa | pk-dh }
--
Kta-CMSAlgorithms KEY-TRANSPORT ::= {...}
-- Key Agreement Algorithms
Kaa-CMSAlgorithms KEY-AGREE ::= {kaa-esdh | kaa-ssdh}
-- Key Wrap Algorithms
Kwa-CMSAlgorithms KEY-WRAP ::= { ... }
-- Message Authentication Code Algorithms
Mac-CMSAlgorithms MAC-ALGORITHM ::= {...}
--
Cea-CMSAlgorithms CONTENT-ENCRYPTION ::= {...}
-- Algorithm Identifiers -- Algorithm Identifiers
sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
oiw(14) secsig(3) algorithm(2) 26 } oiw(14) secsig(3) algorithm(2) 26 }
md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) digestAlgorithm(2) 5 } rsadsi(113549) digestAlgorithm(2) 5 }
id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
skipping to change at page 6, line 29 skipping to change at page 15, line 48
g INTEGER, -- generator, g g INTEGER, -- generator, g
q INTEGER, -- factor of p-1 q INTEGER, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL } validationParms ValidationParms OPTIONAL }
ValidationParms ::= SEQUENCE { ValidationParms ::= SEQUENCE {
seed BIT STRING, seed BIT STRING,
pgenCounter INTEGER } pgenCounter INTEGER }
KeyWrapAlgorithm ::= KeyWrapAlgorithm ::=
AlgorithmIdentifier {{SupportedKeyWrapAlgorithms}} AlgorithmIdentifier {KEY-WRAP, {Kwa-CMSAlgorithms }}
SupportedKeyWrapAlgorithms ALGORITHM ::= { ... }
RC2wrapParameter ::= RC2ParameterVersion RC2wrapParameter ::= RC2ParameterVersion
RC2ParameterVersion ::= INTEGER RC2ParameterVersion ::= INTEGER
CBCParameter ::= IV CBCParameter ::= IV
IV ::= OCTET STRING -- exactly 8 octets IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE { RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256), rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets iv OCTET STRING } -- exactly 8 octets
skipping to change at page 6, line 45 skipping to change at page 16, line 14
RC2ParameterVersion ::= INTEGER RC2ParameterVersion ::= INTEGER
CBCParameter ::= IV CBCParameter ::= IV
IV ::= OCTET STRING -- exactly 8 octets IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE { RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256), rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets iv OCTET STRING } -- exactly 8 octets
algid-hMAC-SHA1 ALGORITHM ::= { OID hMAC-SHA1 PARAMS NULL } maca-hMAC-SHA1 MAC-ALGORITHM ::= {
OID hMAC-SHA1
PARAMS NULL ARE required
}
-- Another way to do the following would be: -- Another way to do the following would be:
-- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::= -- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
-- { algorithm hMAC-SHA1, parameters NULL:NULL } -- { algorithm hMAC-SHA1, parameters NULL:NULL }
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{{PBKDF2-PRFs}} PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
alg-hMAC-SHA1 PBKDF2-PRFsAlgorithmIdentifier ::= {PBKDF2-PRFs} }
{ algorithm hMAC-SHA1, parameters NULL:NULL }
alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::=
ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS NULL }
PBKDF2-SaltSources ALGORITHM ::= { ... } PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-PRFs ALGORITHM ::= { algid-hMAC-SHA1, ... } PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-SaltSourcesAlgorithmIdentifier ::= PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {{PBKDF2-SaltSources}} AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
PBKDF2-params ::= SEQUENCE { PBKDF2-params ::= SEQUENCE {
salt CHOICE { salt CHOICE {
specified OCTET STRING, specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier }, otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX), iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL, keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
alg-hMAC-SHA1 } defaultPBKDF2
}
AlgorithmIdentifier { ALGORITHM:InfoObjectSet } ::= SEQUENCE { mda-sha1 DIGEST-ALGORITHM ::= {
algorithm ALGORITHM.&id({InfoObjectSet}), IDENTIFIER sha-1 PARAMS NULL ARE preferedAbsent }
parameters ALGORITHM.&Type({InfoObjectSet}{@algorithm}) OPTIONAL } mda-md5 DIGEST-ALGORITHM ::= {
IDENTIFIER md5 PARAMS NULL ARE preferedAbsent }
MessageDigestAlgorithms ALGORITHM ::= { pk-dsa PUBLIC-KEY ::= {
alg-sha1-null,... } IDENTIFIER id-dsa
KEY Dss-Pub-Key
PARAMS Dss-Parms ARE inheritable
}
alg-sha1-null ALGORITHM ::= { OID sha-1 PARAMS NULL } sa-dsa-with-sha1 SIGNATURE-ALGORITHM ::= {
alg-sha1-noNull ALGORITHM ::= { OID sha-1 } IDENTIFIER id-dsa-with-sha1
alg-md5 ALGORITHM ::= { OID md5 PARAMS NULL } VALUE Dss-Sig-Value
alg-md5-noNull ALGORITHM ::= { OID md5 } PARAMS Dss-Parms ARE inheritable
USES {mda-sha1}
PUBKEYS {pk-dsa}
}
SignatureAlgorithms ALGORITHM ::= { ... } pk-rsa PUBLIC-KEY ::= {
IDENTIFIER rsaEncryption
KEY RSAPublicKey
PARAMS NULL ARE required
}
param-dsa ALGORITHM ::= { OID id-dsa PARAMS Dss-Parms } sa-rsa SIGNATURE-ALGORITHM ::= {
pubkey-dsa ALGORITHM ::= { OID id-dsa PARAMS Dss-Pub-Key } IDENTIFIER rsaEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1 | mda-md5, ...}
PUBKEYS { pk-rsa}
}
-- sig-dsa-with-sha1 ALGORITHM ::= { OID id-dsa-with-sha1 } sa-sha1WithRSAEncryption SIGNATURE-ALGORITHM ::= {
sigVal-dsa-with-sha1 ALGORITHM ::= { OID id-dsa-with-sha1 IDENTIFIER sha1WithRSAEncryption
PARAMS Dss-Sig-Value } -- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-sha1}
PUBKEYS {pk-rsa}
}
param-rsa ALGORITHM ::= { OID rsaEncryption PARAMS NULL} sa-md5WithRSAEncryption SIGNATURE-ALGORITHM ::= {
pubkey-rsa ALGORITHM ::= { OID rsaEncryption PARAMS RSAPublicKey } IDENTIFIER md5WithRSAEncryption
-- value is not ASN.1 encoded
PARAMS NULL ARE required
USES {mda-md5}
PUBKEYS {pk-rsa}
}
sig-rsa ALGORITHM ::= { OID rsaEncryption PARAMS NULL}
sig-rsa-sha1 ALGORITHM ::= { OID sha1WithRSAEncryption PARAMS NULL}
sig-rsa-md5 ALGORITHM ::= { OID md5WithRSAEncryption PARAMS NULL}
-- No ASN.1 encoding is applied to the signature value -- No ASN.1 encoding is applied to the signature value
-- for these items -- for these items
KeyAgreementAlgorithms ALGORITHM ::= {...}
-- pubkey-dh ALGORITHM ::= { ABSENT OID dh-public-number } pk-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number
KEY DHPublicKey
PARAMS DHDomainParameters ARE inheritable
}
kea-esdh ALGORITHM ::= { OID id-alg-ESDH PARAMS KeyWrapAlgorithm } kaa-esdh KEY-AGREE ::= {
kea-ssdh ALGORITHM ::= { OID id-alg-SSDH PARAMS KeyWrapAlgorithm } IDENTIFIER id-alg-ESDH
PARAMS KeyWrapAlgorithm ARE required
PUBLIC KEY { pk-dh }
}
kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH
PARAMS KeyWrapAlgorithm ARE required
PUBLIC KEY {pk-dh}
}
KeyTransportAlgorithms ALGORITHM ::= {...} KeyTransportAlgorithms ALGORITHM ::= {...}
SymmetricKeyEncryptionAlgorthms ALGORITHM ::= SymmetricKeyEncryptionAlgorthms KEY-WRAP ::=
{ alg-3DESWrap | alg-RC2Wrap } { kwa-3DESWrap | kwa-RC2Wrap }
alg-3DESWrap ALGORITHM ::= { OID id-alg-CMS3DESwrap PARAMS NULL } kwa-3DESWrap KEY-WRAP ::= {
alg-RC2Wrap ALGORITHM ::= { OID id-alg-CMSRC2wrap IDENTIFIER id-alg-CMS3DESwrap PARAMS NULL ARE required
PARAMS RC2wrapParameter } }
kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap PARAMS RC2wrapParameter ARE required
}
KeyDerivationAlgorithms ALGORITHM ::= {alg-PBKDF2} KeyDerivationAlgorithms KEY-DERIVATION ::= {
kda-PBKDF2}
alg-PBKDF2 ALGORITHM ::= { OID id-PBKDF2 PARAMS PBKDF2-params } kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2
PARAMS PBKDF2-params ARE required
}
ContentEncryptionAlgorthms ALGORITHM ::= {...} ContentEncryptionAlgorthms ALGORITHM ::= {...}
END END
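The ParamOptions values declared in the AlgorithmInformation module (required, preferedAbsent, and so on) and the question raised in the comment block at the top of the RFC 3370 module, whether the algorithm object sets should be extensible, only have teeth if a decoder enforces them. The classic case is visible in the module itself: mda-sha1 is declared with NULL parameters that SHOULD be absent, while pk-rsa has NULL parameters that MUST be present. The following is an added example, not code from the draft or from any RFC module: a small Python DER reader that checks an AlgorithmIdentifier against a table mirroring mda-sha1, mda-md5 and pk-rsa, rejects MUST violations (missing required parameters, a parameter of the wrong type, trailing bytes, BER length forms that DER forbids), reports SHOULD violations, and treats the table as a closed object set unless told it is extensible. Function names, the table and the sample encodings are assumptions of this example.

```python
# Added example (not from the draft or any RFC module): a DER checker that
# enforces the ParamOptions presence rules of the AlgorithmInformation module on
# AlgorithmIdentifier values. Names, the ALGORITHMS table and the sample encodings
# are this example's assumptions; OIDs and rules follow the RFC 3370 module above.
REQUIRED, PREFERRED_PRESENT, PREFERRED_ABSENT, ABSENT = range(4)  # ParamOptions
NULL = b"\x05\x00"                      # DER encoding of the ASN.1 NULL value

def _tlv(tag, content):                 # DER TLV with minimal definite length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 subidentifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]            # last octet carries no continuation bit
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def algorithm_identifier(dotted, params=None):   # params: encoded TLV or None
    return _tlv(0x30, encode_oid(dotted) + (params or b""))

# OID content octets ([2:] strips the short-form tag and length) ->
# (name, parameter type, presence rule). Modelled as a closed object set.
ALGORITHMS = {
    encode_oid("1.3.14.3.2.26")[2:]:        ("sha-1",         "NULL", PREFERRED_ABSENT),
    encode_oid("1.2.840.113549.2.5")[2:]:   ("md5",           "NULL", PREFERRED_ABSENT),
    encode_oid("1.2.840.113549.1.1.1")[2:]: ("rsaEncryption", "NULL", REQUIRED),
}

def _read_tlv(buf, pos=0):
    """Read one TLV at buf[pos:], rejecting the length forms DER forbids."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                   # long form: 1..4 octets, minimal, definite
        n = first & 0x7F
        if (n == 0 or n > 4 or pos + n > len(buf) or buf[pos] == 0
                or (n == 1 and buf[pos] < 0x80)):
            raise ValueError("length form not permitted in DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def check_algorithm_identifier(der, extensible=False):
    """Apply the registered ParamOptions rule to a DER AlgorithmIdentifier; returns
    (name, note) or raises ValueError. extensible=True models an object set written
    with "..." and passes unregistered OIDs through; the default rejects them."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one SEQUENCE")
    otag, oid, pos = _read_tlv(body)
    if otag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    present = pos < len(body)
    if present:
        ptag, pval, pos = _read_tlv(body, pos)
        if pos != len(body):
            raise ValueError("extra elements inside AlgorithmIdentifier")
    if oid not in ALGORITHMS:
        if extensible:
            return oid.hex(), "unregistered algorithm, parameters left opaque"
        raise ValueError("unregistered algorithm " + oid.hex())
    name, ptype, rule = ALGORITHMS[oid]
    if present and ptype == "NULL" and (ptag, pval) != (0x05, b""):
        raise ValueError(name + ": parameters must be NULL when present")
    if (rule == REQUIRED and not present) or (rule == ABSENT and present):
        raise ValueError(name + ": parameter presence violates a MUST rule")
    note = ""                           # SHOULD rules: accept, but say so
    if rule == PREFERRED_ABSENT and present:
        note = "parameters SHOULD be absent"
    elif rule == PREFERRED_PRESENT and not present:
        note = "parameters SHOULD be present"
    return name, note

def run_samples():
    """Constructed vectors (not from the draft) -> {label: verdict}."""
    vectors = {
        "sha1-null":      algorithm_identifier("1.3.14.3.2.26", NULL),
        "sha1-absent":    algorithm_identifier("1.3.14.3.2.26"),
        "sha1-octets":    algorithm_identifier("1.3.14.3.2.26", _tlv(0x04, b"\x00")),
        "rsa-null":       algorithm_identifier("1.2.840.113549.1.1.1", NULL),
        "rsa-absent":     algorithm_identifier("1.2.840.113549.1.1.1"),
        "unknown-oid":    algorithm_identifier("1.2.3.4"),
        "trailing-bytes": algorithm_identifier("1.3.14.3.2.26") + b"\x00",
        "ber-length":     b"\x30\x81\x07" + encode_oid("1.3.14.3.2.26"),
    }
    results = {}
    for label, der in vectors.items():
        try:
            name, note = check_algorithm_identifier(der)
            results[label] = "accept" + (", " + note if note else "")
        except ValueError as exc:
            results[label] = "reject: " + str(exc)
    return results
```

The closed-versus-extensible switch is the choice the module comment leaves to the working group: with the default closed table a new algorithm OID is a hard error, which is what a decoder generated from a non-extensible object set does; with extensible=True the OID is accepted and its parameters are handed on undecoded, which is all that an object set written with "..." can promise. Note also that "accept, parameters SHOULD be absent" for sha-1 with NULL is deliberate: rejecting it would break interoperability with the many encoders that emit the NULL, but the checker still records the deviation.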
3. ASN.1 Module for RFC 3565 4. ASN.1 Module for RFC 3565
CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549) CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- AES information object identifiers -- -- AES information object identifiers --
aes OBJECT IDENTIFIER ::= aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
skipping to change at page 9, line 36 skipping to change at page 19, line 36
AES-IV ::= OCTET STRING (SIZE(16)) AES-IV ::= OCTET STRING (SIZE(16))
-- AES Key Wrap Algorithm Identifiers - Parameter is absent -- AES Key Wrap Algorithm Identifiers - Parameter is absent
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
END END
4. ASN.1 Module for RFC 3851 5. ASN.1 Module for RFC 3851
SecureMimeMessageV3dot1 SecureMimeMessageV3dot1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) } smime(16) modules(0) msg-v3dot1(21) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier, SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier,
skipping to change at page 12, line 8 skipping to change at page 22, line 8
-- value. -- value.
cap-RC2CBC SMIME-CAPS ::= cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC { TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc} IDENTIFIED BY rc2-cbc}
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...) SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
-- (RC2 Key Length (number of bits)) -- (RC2 Key Length (number of bits))
END END
5. ASN.1 Module for RFC 3852 6. ASN.1 Module for RFC 3852
This module has an ASN.1 idiom for noting in which version of CMS This module has an ASN.1 idiom for noting in which version of CMS
changes were made from the original PKCS #10; that idiom is "[[v:", changes were made from the original PKCS #10; that idiom is "[[v:",
where "v" is an integer. For example: where "v" is an integer. For example:
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
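Review bot: the sentence introducing the "[[v:" idiom says changes are noted relative to "the original PKCS #10"; PKCS #10 is the certification request syntax, and CMS descends from PKCS #7, so this should read PKCS #7. The wording is identical in both columns, so the slip was carried over from -00 rather than introduced here.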
skipping to change at page 12, line 31 skipping to change at page 22, line 31
example above. example above.
CryptographicMessageSyntax2004 CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ALGORITHM, Certificate, CertificateList, CertificateSerialNumber, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier
FROM AlgorithmInformation
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}
Sa-CMSAlgorithms, Mda-CMSAlgorithms, Kaa-CMSAlgorithms,
Mac-CMSAlgorithms, Kwa-CMSAlgorithms, Cea-CMSAlgorithms,
Kta-CMSAlgorithms
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE Name, ATTRIBUTE
FROM PKIX1Explicit88 FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) } id-pkix1-explicit(18) }
AttributeCertificate AttributeCertificate
FROM PKIXAttributeCertificate FROM PKIXAttributeCertificate
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
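Review bot: the new module reference `... pkix(7) id-mod(0) id-mod-algorithInformation(99)}` in the IMPORTS block spells the arc name without the "m" (algorithInformation), and 99 reads like a placeholder arc; both must match the name and number actually assigned to the AlgorithmInformation module in [NEW-PKIX], otherwise the class imports (DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, KEY-WRAP, ...) will not resolve when the module is compiled against it. The same import line also pulls in `ParamOptions` and `ALGORITHM`; check that both are still referenced in this module after the rewrite.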
skipping to change at page 13, line 34 skipping to change at page 23, line 50
ct-AuthenticatedData | ct-DigestedData, ... } ct-AuthenticatedData | ct-DigestedData, ... }
SignedData ::= SEQUENCE { SignedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
digestAlgorithms SET OF DigestAlgorithmIdentifier, digestAlgorithms SET OF DigestAlgorithmIdentifier,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL, certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL, crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos } signerInfos SignerInfos }
DigestAlgorithmList ALGORITHM ::= { -- alg-sha-1 | alg-md5, -- ... }
SignatureAlgorithmList ALGORITHM ::=
{ -- alg-dsa-with-sha1 | alg-md5WithRSAEncryption --
-- | alg-sha1WithRSAEncryption, -- ... }
SignerInfos ::= SET OF SignerInfo SignerInfos ::= SET OF SignerInfo
EncapsulatedContentInfo ::= SEQUENCE { EncapsulatedContentInfo ::= SEQUENCE {
eContentType CONTENT-TYPE.&id({ContentSet}), eContentType CONTENT-TYPE.&id({ContentSet}),
eContent [0] EXPLICIT OCTET STRING eContent [0] EXPLICIT OCTET STRING
( CONTAINING CONTENT-TYPE. ( CONTAINING CONTENT-TYPE.
&Type({ContentSet}{@eContentType})) OPTIONAL } &Type({ContentSet}{@eContentType})) OPTIONAL }
SignerInfo ::= SEQUENCE { SignerInfo ::= SEQUENCE {
version CMSVersion, version CMSVersion,
sid SignerIdentifier, sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier, digestAlgorithm DigestAlgorithmIdentifier,
skipping to change at page 15, line 4 skipping to change at page 25, line 14
encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL } encryptedContent [0] IMPLICIT OCTET STRING OPTIONAL }
-- If you want to do constraints, you might use: -- If you want to do constraints, you might use:
-- EncryptedContentInfo ::= SEQUENCE { -- EncryptedContentInfo ::= SEQUENCE {
-- contentType CONTENT-TYPE.&id({ContentSet}), -- contentType CONTENT-TYPE.&id({ContentSet}),
-- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier, -- contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
-- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE. -- encryptedContent [0] IMPLICIT ENCRYPTED {CONTENT-TYPE.
-- &Type({ContentSet}{@contentType}) OPTIONAL } -- &Type({ContentSet}{@contentType}) OPTIONAL }
-- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY -- ENCRYPTED {ToBeEncrypted} ::= OCTET STRING ( CONSTRAINED BY
-- { ToBeEncrypted } ) -- { ToBeEncrypted } )
ContentEncryptionAlgorithmList ALGORITHM ::=
{ -- alg-des-ede3-cbc | alg-rd2-cbc, -- ... }
UnprotectedAttributes CMS-ATTRIBUTE ::= { ... } UnprotectedAttributes CMS-ATTRIBUTE ::= { ... }
RecipientInfo ::= CHOICE { RecipientInfo ::= CHOICE {
ktri KeyTransRecipientInfo, ktri KeyTransRecipientInfo,
..., ...,
[[3: kari [1] KeyAgreeRecipientInfo ]], [[3: kari [1] KeyAgreeRecipientInfo ]],
[[4: kekri [2] KEKRecipientInfo]], [[4: kekri [2] KEKRecipientInfo]],
[[5: pwri [3] PasswordRecipientInfo, [[5: pwri [3] PasswordRecipientInfo,
ori [4] OtherRecipientInfo ]] } ori [4] OtherRecipientInfo ]] }
EncryptedKey ::= OCTET STRING EncryptedKey ::= OCTET STRING
KeyTransRecipientInfo ::= SEQUENCE { KeyTransRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0 or 2 version CMSVersion, -- always set to 0 or 2
rid RecipientIdentifier, rid RecipientIdentifier,
keyEncryptionAlgorithm AlgorithmIdentifier keyEncryptionAlgorithm AlgorithmIdentifier
{{KeyTransportAlgorithmList}}, {KEY-TRANSPORT, {KeyTransportAlgorithmSet}},
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
KeyTransportAlgorithmList ALGORITHM ::= KeyTransportAlgorithmSet KEY-TRANSPORT ::= { Kta-CMSAlgorithms, ... }
{ -- alg-rsaEncryption, -- ... }
RecipientIdentifier ::= CHOICE { RecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
..., ...,
[[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } [[2: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
KeyAgreeRecipientInfo ::= SEQUENCE { KeyAgreeRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 3 version CMSVersion, -- always set to 3
originator [0] EXPLICIT OriginatorIdentifierOrKey, originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
keyEncryptionAlgorithm AlgorithmIdentifier keyEncryptionAlgorithm AlgorithmIdentifier
{{KeyAgreementAlgorithmList}}, {KEY-AGREE, {KeyAgreementAlgorithmSet}},
recipientEncryptedKeys RecipientEncryptedKeys } recipientEncryptedKeys RecipientEncryptedKeys }
KeyAgreementAlgorithmList ALGORITHM ::= KeyAgreementAlgorithmSet KEY-AGREE ::= { Kaa-CMSAlgorithms, ... }
{ -- alg-ESDH | alg-SSDH, -- ... }
OriginatorIdentifierOrKey ::= CHOICE { OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier, subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey } originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey ::= SEQUENCE { OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {{AlgorithmList}}, algorithm AlgorithmIdentifier {PUBLIC-KEY, {...}},
publicKey BIT STRING } publicKey BIT STRING }
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE { RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier, rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
KeyEncryptKeyAlgorithmList ALGORITHM ::=
{ -- alg-CMS3DESwrap | alg-CMSRC2wrap, -- ... }
KeyEncryptionAlgorithmList ALGORITHM ::= { ... }
KeyAgreeRecipientIdentifier ::= CHOICE { KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier } rKeyId [0] IMPLICIT RecipientKeyIdentifier }
RecipientKeyIdentifier ::= SEQUENCE { RecipientKeyIdentifier ::= SEQUENCE {
subjectKeyIdentifier SubjectKeyIdentifier, subjectKeyIdentifier SubjectKeyIdentifier,
date GeneralizedTime OPTIONAL, date GeneralizedTime OPTIONAL,
other OtherKeyAttribute OPTIONAL } other OtherKeyAttribute OPTIONAL }
SubjectKeyIdentifier ::= OCTET STRING SubjectKeyIdentifier ::= OCTET STRING
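Review bot: `OriginatorPublicKey.algorithm` becomes `AlgorithmIdentifier {PUBLIC-KEY, {...}}` with an empty extensible set, whereas the two `keyEncryptionAlgorithm` fields in the same hunk bind to named sets (`KeyTransportAlgorithmSet KEY-TRANSPORT ::= { Kta-CMSAlgorithms, ... }` and `KeyAgreementAlgorithmSet KEY-AGREE ::= { Kaa-CMSAlgorithms, ... }`). With an empty set the originator key's parameters are never checked against a known public-key algorithm, so define a PUBLIC-KEY set here or import one from the algorithms module. Minor: in the commented-out constrained `EncryptedContentInfo`, the final `OPTIONAL }` closes the `ENCRYPTED {` parameter rather than the SEQUENCE, so the SEQUENCE brace is never closed and OPTIONAL ends up inside the parameter; worth fixing even in a comment, since readers copy it.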
skipping to change at page 17, line 44 skipping to change at page 27, line 44
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} {{SupportedAttributes}}
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{SupportedAttributes}} {{SupportedAttributes}}
MessageAuthenticationCode ::= OCTET STRING MessageAuthenticationCode ::= OCTET STRING
DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{{DigestAlgorithmList}} {DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmSet DIGEST-ALGORITHM ::= { Mda-CMSAlgorithms, ... }
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{{SignatureAlgorithmList}} {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
{ Sa-CMSAlgorithms, ... }
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{{KeyEncryptionAlgorithmList}} {KEY-WRAP, {KeyEncryptionAlgorithmSet}}
KeyEncryptionAlgorithmSet KEY-WRAP ::= { Kwa-CMSAlgorithms, ... }
ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{{ContentEncryptionAlgorithmList}} {CONTENT-ENCRYPTION, {ContentEncryptionAlgorithmSet}}
ContentEncryptionAlgorithmSet CONTENT-ENCRYPTION ::=
{ Cea-CMSAlgorithms, ... }
MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier MessageAuthenticationCodeAlgorithm ::= AlgorithmIdentifier
{{AlgorithmList}} {MAC-ALGORITHM, {MessageAuthenticationCodeAlgorithmSet}}
KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier MessageAuthenticationCodeAlgorithmSet MAC-ALGORITHM ::=
{{AlgorithmList}} { Mac-CMSAlgorithms, ... }
AlgorithmList ALGORITHM ::= { ... } KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-DERIVATION, {...}}
RevocationInfoChoices ::= SET OF RevocationInfoChoice RevocationInfoChoices ::= SET OF RevocationInfoChoice
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
OTHER-REVOK-INFO ::= TYPE-IDENTIFIER OTHER-REVOK-INFO ::= TYPE-IDENTIFIER
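Review bot: `KeyDerivationAlgorithmIdentifier ::= AlgorithmIdentifier {KEY-DERIVATION, {...}}` is the only retyped identifier in this hunk bound to an empty set; DigestAlgorithmSet, SignatureAlgorithmSet, KeyEncryptionAlgorithmSet, ContentEncryptionAlgorithmSet and MessageAuthenticationCodeAlgorithmSet all point at the imported `*-CMSAlgorithms` sets. The RFC 3370 module earlier in this draft already defines `KeyDerivationAlgorithms KEY-DERIVATION ::= { kda-PBKDF2 }` with `PARAMS PBKDF2-params ARE required`, so define a `KeyDerivationAlgorithmSet` the same way (importing that set alongside the others) so that key-derivation parameters are validated like the rest.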
skipping to change at page 21, line 26 skipping to change at page 31, line 38
ExtendedCertificateInfo ::= SEQUENCE { ExtendedCertificateInfo ::= SEQUENCE {
version CMSVersion, version CMSVersion,
certificate Certificate, certificate Certificate,
attributes UnauthAttributes } attributes UnauthAttributes }
Signature ::= BIT STRING Signature ::= BIT STRING
-- Class definitions used in the module -- Class definitions used in the module
AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
algorithm ALGORITHM.&id({IOSet}),
parameters ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL }
CMS-ATTRIBUTE ::= ATTRIBUTE CMS-ATTRIBUTE ::= ATTRIBUTE
Attribute{ CMS-ATTRIBUTE:AttrList } ::= SEQUENCE { Attribute{ CMS-ATTRIBUTE:AttrList } ::= SEQUENCE {
attrType CMS-ATTRIBUTE. attrType CMS-ATTRIBUTE.
&id({AttrList}), &id({AttrList}),
attrValues SET OF CMS-ATTRIBUTE. attrValues SET OF CMS-ATTRIBUTE.
&Type({AttrList}{@attrType}) } &Type({AttrList}{@attrType}) }
SupportedAttributes CMS-ATTRIBUTE ::= { ... } SupportedAttributes CMS-ATTRIBUTE ::= { ... }
Attributes { CMS-ATTRIBUTE:AttrList } ::= Attributes { CMS-ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }} SET SIZE (1..MAX) OF Attribute {{ AttrList }}
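Review bot: with the local parameterized `AlgorithmIdentifier { ALGORITHM:IOSet }` removed from the class-definitions block, `ALGORITHM` (still imported from AlgorithmInformation at the top of the module) has no remaining visible use in this module; confirm it is referenced somewhere or drop it from IMPORTS, since some compilers warn on unused imports. Also worth confirming that the imported `AlgorithmIdentifier` takes the two-argument `{CLASS, {Set}}` form now used throughout this module, because the removed local definition took a single parameter and the ERS and ESS modules below still import `AlgorithmIdentifier{}` from PKIX-CommonTypes.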
END END
6. ASN.1 Module for RFC 4108 7. ASN.1 Module for RFC 4108
CMSFirmwareWrapper CMSFirmwareWrapper
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-firmware-wrap(22) } smime(16) modules(0) cms-firmware-wrap(22) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
OTHER-NAME OTHER-NAME
skipping to change at page 27, line 21 skipping to change at page 37, line 27
id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5) iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) on(8) 4 } mechanisms(5) pkix(7) on(8) 4 }
HardwareModuleName ::= SEQUENCE { HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER, hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING } hwSerialNum OCTET STRING }
END END
7. ASN.1 Module for RFC 4998 8. ASN.1 Module for RFC 4998
ERS {iso(1) identified-organization(3) dod(6) internet(1) ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1) security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) } id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION, Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM
ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
ContentInfo, CMS-ATTRIBUTE ContentInfo, CMS-ATTRIBUTE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ; pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ;
ltans OBJECT IDENTIFIER ::= ltans OBJECT IDENTIFIER ::=
skipping to change at page 28, line 47 skipping to change at page 39, line 4
er-Internal CMS-ATTRIBUTE ::= er-Internal CMS-ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal } { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::= id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 } smime(16) id-aa(2) 49 }
er-External CMS-ATTRIBUTE ::= er-External CMS-ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external } { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::= id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 } smime(16) id-aa(2) 50 }
END END
8. ASN.1 Module for RFC 5035 9. ASN.1 Module for RFC 5035
ExtendedSecurityServices-2006 ExtendedSecurityServices-2006
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006(30) } smime(16) modules(0) id-mod-ess-2006(30) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION, Attribute{}, AlgorithmIdentifier{}, ATTRIBUTE, ALGORITHM
ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes FROM PKIX-CommonTypes
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CMS-ATTRIBUTE, CONTENT-TYPE CMS-ATTRIBUTE, CONTENT-TYPE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
skipping to change at page 35, line 16 skipping to change at page 45, line 20
Hash ::= OCTET STRING Hash ::= OCTET STRING
IssuerSerial ::= SEQUENCE { IssuerSerial ::= SEQUENCE {
issuer GeneralNames, issuer GeneralNames,
serialNumber CertificateSerialNumber serialNumber CertificateSerialNumber
} }
END END
9. ASN.1 Module for RFC 5083 10. ASN.1 Module for RFC 5083
CMS-AuthEnvelopedData-2007 CMS-AuthEnvelopedData-2007
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) } pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AuthAttributes, CMSVersion, EncryptedContentInfo, AuthAttributes, CMSVersion, EncryptedContentInfo,
skipping to change at page 36, line 5 skipping to change at page 46, line 5
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo, authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode, mac MessageAuthenticationCode,
unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL } unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL }
END END
10. ASN.1 Module for RFC 5084 11. ASN.1 Module for RFC 5084
CMS-AES-CCM-and-AES-GCM CMS-AES-CCM-and-AES-GCM
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) } pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- Object Identifiers -- Object Identifiers
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
skipping to change at page 36, line 46 skipping to change at page 46, line 46
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16) AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE { GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets aes-nonce OCTET STRING, -- recommended size is 12 octets
aes-ICVlen AES-GCM-ICVlen DEFAULT 12 } aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16) AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
END END
11. Security Considerations 12. ASN.1 Module for RFC 5275
SMIMESymmetricKeyDistribution
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) symkeydist(12) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
Attribute{}, AlgorithmIdentifier{}, Extensions{}, EXTENSION,
ATTRIBUTE, ALGORITHM
FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) }
GeneralName
FROM PKIX1Implicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) }
Certificate
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) }
RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax2004
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }
id-alg-CMS3DESwrap
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
AttributeCertificate
FROM PKIXAttributeCertificate
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) }
CMC-CONTROL
FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(4) internet(1) security(5)
mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) };
-- This defines the GL symmetric key distribution object identifier
-- arc.
id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) }
ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... }
-- This defines the GL Use KEK control attribute
skd-glUseKEK CMC-CONTROL ::=
{ GLUseKEK IDENTIFIED BY id-skd-glUseKEK }
id-skd-glUseKEK OBJECT IDENTIFIER ::= { id-skd 1}
GLUseKEK ::= SEQUENCE {
glInfo GLInfo,
glOwnerInfo SEQUENCE SIZE (1..MAX) OF GLOwnerInfo,
glAdministration GLAdministration DEFAULT 1,
glKeyAttributes GLKeyAttributes OPTIONAL
}
GLInfo ::= SEQUENCE {
glName GeneralName,
glAddress GeneralName
}
GLOwnerInfo ::= SEQUENCE {
glOwnerName GeneralName,
glOwnerAddress GeneralName,
certificates Certificates OPTIONAL
}
GLAdministration ::= INTEGER {
unmanaged (0),
managed (1),
closed (2)
}
KeyWrapAlgorithm ::= AlgorithmIdentifier {{...}}
GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT {algorithm id-alg-CMS3DESwrap}
}
-- This defines the Delete GL control attribute.
-- It has the simple type GeneralName.
skd-glDelete CMC-CONTROL ::=
{ DeleteGL IDENTIFIED BY id-skd-glDelete }
id-skd-glDelete OBJECT IDENTIFIER ::= { id-skd 2}
DeleteGL ::= GeneralName
-- This defines the Add GL Member control attribute
skd-glAddMember CMC-CONTROL ::=
{ GLAddMember IDENTIFIED BY id-skd-glAddMember }
id-skd-glAddMember OBJECT IDENTIFIER ::= { id-skd 3}
GLAddMember ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
GLMember ::= SEQUENCE {
glMemberName GeneralName,
glMemberAddress GeneralName OPTIONAL,
certificates Certificates OPTIONAL
}
Certificates ::= SEQUENCE {
pKC [0] Certificate OPTIONAL,
-- See [PROFILE]
aC [1] SEQUENCE SIZE (1.. MAX) OF
AttributeCertificate OPTIONAL,
-- See [ACPROF]
certPath [2] CertificateSet OPTIONAL
-- From [CMS]
}
-- This defines the Delete GL Member control attribute
skd-glDeleteMember CMC-CONTROL ::=
{ GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }
id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}
GLDeleteMember ::= SEQUENCE {
glName GeneralName,
glMemberToDelete GeneralName
}
-- This defines the Delete GL Member control attribute
skd-glRekey CMC-CONTROL ::=
{ GLRekey IDENTIFIED BY id-skd-glRekey }
id-skd-glRekey OBJECT IDENTIFIER ::= { id-skd 5}
GLRekey ::= SEQUENCE {
glName GeneralName,
glAdministration GLAdministration OPTIONAL,
glNewKeyAttributes GLNewKeyAttributes OPTIONAL,
glRekeyAllGLKeys BOOLEAN OPTIONAL
}
GLNewKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN OPTIONAL,
recipientsNotMutuallyAware [1] BOOLEAN OPTIONAL,
duration [2] INTEGER OPTIONAL,
generationCounter [3] INTEGER OPTIONAL,
requestedAlgorithm [4] AlgorithmIdentifier{{...}}
OPTIONAL
}
-- This defines the Add and Delete GL Owner control attributes
skd-glAddOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glAddOwner }
id-skd-glAddOwner OBJECT IDENTIFIER ::= { id-skd 6}
skd-glRemoveOwner CMC-CONTROL ::=
{ GLOwnerAdministration IDENTIFIED BY id-skd-glRemoveOwner }
id-skd-glRemoveOwner OBJECT IDENTIFIER ::= { id-skd 7}
GLOwnerAdministration ::= SEQUENCE {
glName GeneralName,
glOwnerInfo GLOwnerInfo
}
-- This defines the GL Key Compromise control attribute.
-- It has the simple type GeneralName.
skd-glKeyCompromise CMC-CONTROL ::=
{ GLKCompromise IDENTIFIED BY id-skd-glKeyCompromise }
id-skd-glKeyCompromise OBJECT IDENTIFIER ::= { id-skd 8}
GLKCompromise ::= GeneralName
-- This defines the GL Key Refresh control attribute.
skd-glkRefresh CMC-CONTROL ::=
{ GLKRefresh IDENTIFIED BY id-skd-glkRefresh }
id-skd-glkRefresh OBJECT IDENTIFIER ::= { id-skd 9}
GLKRefresh ::= SEQUENCE {
glName GeneralName,
dates SEQUENCE SIZE (1..MAX) OF Date
}
Date ::= SEQUENCE {
start GeneralizedTime,
end GeneralizedTime OPTIONAL
}
-- This defines the GLA Query Request control attribute.
skd-glaQueryRequest CMC-CONTROL ::=
{ GLAQueryRequest IDENTIFIED BY id-skd-glaQueryRequest }
id-skd-glaQueryRequest OBJECT IDENTIFIER ::= { id-skd 11}
SKD-QUERY ::= TYPE-IDENTIFIER
SkdQuerySet SKD-QUERY ::= {...}
GLAQueryRequest ::= SEQUENCE {
glaRequestType SKD-QUERY.&id ({SkdQuerySet}),
glaRequestValue SKD-QUERY.
&Type ({SkdQuerySet}{@glaRequestType})
}
-- This defines the GLA Query Response control attribute.
skd-glaQueryResponse CMC-CONTROL ::=
{ GLAQueryResponse IDENTIFIED BY id-skd-glaQueryResponse }
id-skd-glaQueryResponse OBJECT IDENTIFIER ::= { id-skd 12}
SKD-RESPONSE ::= TYPE-IDENTIFIER
SkdResponseSet SKD-RESPONSE ::= {...}
GLAQueryResponse ::= SEQUENCE {
glaResponseType SKD-RESPONSE.
&id({SkdResponseSet}),
glaResponseValue SKD-RESPONSE.
&Type({SkdResponseSet}{@glaResponseType})}
-- This defines the GLA Request/Response (glaRR) arc for
-- glaRequestType/glaResponseType.
id-cmc-glaRR OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cmc(7) glaRR(99) }
-- This defines the Algorithm Request
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL
-- This defines the Algorithm Response
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in MsgSpec [MSG].
-- This defines the control attribute to request an updated
-- certificate to the GLA.
skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert }
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
GLManageCert ::= SEQUENCE {
glName GeneralName,
glMember GLMember
}
-- This defines the control attribute to return an updated
-- certificate to the GLA. It has the type GLManageCert.
skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert }
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
-- This defines the control attribute to distribute the GL shared
-- KEK.
skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey }
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
GLKey ::= SEQUENCE {
glName GeneralName,
glIdentifier KEKIdentifier, -- See [CMS]
glkWrapped RecipientInfos, -- See [CMS]
glkAlgorithm AlgorithmIdentifier{{...}},
glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime
}
-- This defines the CMC error types
id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
SKDFailInfo ::= INTEGER {
unspecified (0),
closedGL (1),
unsupportedDuration (2),
noGLACertificate (3),
invalidCert (4),
unsupportedAlgorithm (5),
noGLONameMatch (6),
invalidGLName (7),
nameAlreadyInUse (8),
noSpam (9),
deniedAccess (10),
alreadyAMember (11),
notAMember (12),
alreadyAnOwner (13),
notAnOwner (14) }
END
13. Security Considerations
Even though all the RFCs in this document are security-related, the Even though all the RFCs in this document are security-related, the
document itself does not have any security considerations. The ASN.1 document itself does not have any security considerations. The ASN.1
modules keep the same bits-on-the-wire as the modules that they modules keep the same bits-on-the-wire as the modules that they
replace. replace.
12. Normative References 14. Normative References
[ASN1-2002] [ASN1-2002]
ITU-T, "ITU-T Recommendation X.680 Information technology ITU-T, "ITU-T Recommendation X.680 Information technology
[ETH] Abstract Syntax Notation One (ASN.1): Specification [ETH] Abstract Syntax Notation One (ASN.1): Specification
of basic notation", ITU-T X.680, 2002. of basic notation", ITU-T X.680, 2002.
[NEW-PKIX] [NEW-PKIX]
Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX", Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
draft-ietf-pkix-new-asn1 (work in progress), draft-ietf-pkix-new-asn1 (work in progress),
December 2007. December 2007.
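Review bot: in the new SMIMESymmetricKeyDistribution module (section 12), the IMPORTS reference for EnrollmentMessageSyntax reads `{ iso(1) identified-organization(3) dod(4) internet(1) security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) }`; every other PKIX arc on this page uses `dod(6)` and `mechanisms(5)`, so this OID does not name the CMC module and the CMC-CONTROL import will not resolve. Three smaller points in the same module: the comment above `skd-glRekey` repeats "This defines the Delete GL Member control attribute" and should describe the rekey control; `ControlSet CMC-CONTROL` lists skd-glaQueryRequest but omits skd-glaQueryResponse, which is defined a few lines later under `id-skd 12`; and `KeyWrapAlgorithm ::= AlgorithmIdentifier {{...}}` (likewise `requestedAlgorithm [4] AlgorithmIdentifier{{...}}` and `glkAlgorithm`) keeps the single-parameter empty-set form while the rest of this revision moved to `{KEY-WRAP, {...}}` with a named set, so the `DEFAULT {algorithm id-alg-CMS3DESwrap}` is not checked against any KEY-WRAP object; binding these to the same Kwa-CMSAlgorithms set the CMS module uses would close that gap. The module also imports `Extensions{}, EXTENSION`, which this revision removed as unused from the ERS and ESS modules; check whether they are used here.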
skipping to change at page 37, line 48 skipping to change at page 54, line 44
Adding CertID Algorithm Agility", RFC 5035, August 2007. Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083, Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007. November 2007.
[RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)", Encryption in the Cryptographic Message Syntax (CMS)",
RFC 5084, November 2007. RFC 5084, November 2007.
[RFC5275] Turner, S., "CMS Symmetric Key Management and
Distribution", RFC 5275, June 2008.
Appendix A. Change History Appendix A. Change History
[[ This entire section is to be removed upon publication. ]] [[ This entire section is to be removed upon publication. ]]
A.1. Changes between draft-hoffman-cms-new-asn1-00 and A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 draft-ietf-smime-new-asn1-00
Changed the draft name. Changed the draft name.
Added RFC 3565, Added RFC 3565,
skipping to change at page 38, line 25 skipping to change at page 55, line 25
In RFC 3370, a line in the comment staring with "Another way to In RFC 3370, a line in the comment staring with "Another way to
do..." was not commented out when it should have been. do..." was not commented out when it should have been.
In RFC 3851, the name of the module from which we are importing was In RFC 3851, the name of the module from which we are importing was
wrong, although the OID was right. wrong, although the OID was right.
In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
which version of CMS added the various extensions. which version of CMS added the various extensions.
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01
Added RFC 5275.
Added module for algorithm classes, and modified RFC 3370 and RFC
3852 to uses the classes defined.
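Review bot: in the second A.2 entry, "modified RFC 3370 and RFC 3852 to uses the classes defined" should read "to use the classes defined"; the entry would also be easier to act on if it named the new algorithm-class module it refers to. While here, the RFC 3370 note in A.1 just above carries "a line in the comment staring with" into -01 unchanged, where "starting with" is meant.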
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
127 Segre Place 127 Segre Place
Santa Cruz, CA 95060 Santa Cruz, CA 95060
US US
Phone: 1-831-426-9827 Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
Jim Schaad Jim Schaad
Soaring Hawk Consulting Soaring Hawk Consulting
Email: jimsch@exmsft.com Email: jimsch@exmsft.com
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors contained in BCP 78, and except as set forth therein, the authors
retain all their rights. retain all their rights.
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
 End of changes. 70 change blocks. 
122 lines changed or deleted 958 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
