draft-ietf-smime-new-asn1-07.txt   rfc5911.txt 
Network Working Group P. Hoffman Internet Engineering Task Force (IETF) P. Hoffman
Internet-Draft VPN Consortium Request for Comments: 5911 VPN Consortium
Intended status: Informational J. Schaad Category: Informational J. Schaad
Expires: February 14, 2010 Soaring Hawk Consulting ISSN: 2070-1721 Soaring Hawk Consulting
August 13, 2009 June 2010
New ASN.1 Modules for CMS and S/MIME
draft-ietf-smime-new-asn1-07.txt
Status of this Memo New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME
This Internet-Draft is submitted to IETF in full conformance with the Abstract
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering The Cryptographic Message Syntax (CMS) format, and many associated
Task Force (IETF), its areas, and its working groups. Note that formats, are expressed using ASN.1. The current ASN.1 modules
other groups may also distribute working documents as Internet- conform to the 1988 version of ASN.1. This document updates those
Drafts. ASN.1 modules to conform to the 2002 version of ASN.1. There are no
bits-on-the-wire changes to any of the formats; this is simply a
change to the syntax.
Internet-Drafts are draft documents valid for a maximum of six months Status of This Memo
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This document is not an Internet Standards Track specification; it is
http://www.ietf.org/ietf/1id-abstracts.txt. published for informational purposes.
The list of Internet-Draft Shadow Directories can be accessed at This document is a product of the Internet Engineering Task Force
http://www.ietf.org/shadow.html. (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on February 14, 2010. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5911.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
The Cryptographic Message Syntax (CMS) format, and many associated This document may contain material from IETF Documents or IETF
formats, are expressed using ASN.1. The current ASN.1 modules Contributions published or made publicly available before November
conform to the 1988 version of ASN.1. This document updates those 10, 2008. The person(s) controlling the copyright in some of this
ASN.1 modules to conform to the 2002 version of ASN.1. There are no material may not have granted the IETF Trust the right to allow
bits-on-the-wire changes to any of the formats; this is simply a modifications of such material outside the IETF Standards Process.
change to the syntax. Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4 2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 4
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14 3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19 4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 20
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 21 5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 22
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24 6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34 7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 39 8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41 9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 48 10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 47
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48 11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 50 12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 50
13. Security Considerations . . . . . . . . . . . . . . . . . . . 58 13. Security Considerations . . . . . . . . . . . . . . . . . . . 57
14. Normative References . . . . . . . . . . . . . . . . . . . . . 58 14. Normative References . . . . . . . . . . . . . . . . . . . . . 57
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 59
A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 59
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 60
A.3. Changes between draft-ietf-smime-new-asn1-01 and -02 . . . 60
A.4. Changes between draft-ietf-smime-new-asn1-02 and -03 . . . 60
A.5. Changes between draft-ietf-smime-new-asn1-03 and -04 . . . 60
A.6. Changes between draft-ietf-smime-new-asn1-04 and -05 . . . 60
A.7. Changes between draft-ietf-smime-new-asn1-05 and -06 . . . 60
A.8. Changes between draft-ietf-smime-new-asn1-06 and -07 . . . 60
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 61
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that This document updates the following RFCs to use ASN.1 modules that
skipping to change at page 3, line 42 skipping to change at page 3, line 42
o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083] o RFC 5083, CMS Authenticated-Enveloped-Data Content Type [RFC5083]
o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in o RFC 5084, Using AES-CCM and AES-GCM Authenticated Encryption in
CMS [RFC5084] CMS [RFC5084]
o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275] o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]
Note that some of the modules in this document get some of their Note that some of the modules in this document get some of their
definitions from places different than the modules in the original definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules RFCs. The idea is that these modules, when combined with the modules
in [NEW-PKIX] can stand on their own and do not need to import in [RFC5912] can stand on their own and do not need to import
definitions from anywhere else. definitions from anywhere else. Also note that the ASN.1 modules in
this document have references in their text comments that need to be
looked up in original RFCs, and that some of those references may
have already been superseded by later RFCs.
The document also includes a module of common definitions called The document also includes a module of common definitions called
"AlgorithmInformation". These definitions are used here and in "AlgorithmInformation". These definitions are used here and in
[NEW-PKIX]. [RFC5912].
Note that some of the modules here import definitions from the common Note that some of the modules here import definitions from the common
definitions module, "PKIX-CommonTypes", in [NEW-PKIX]. definitions module, "PKIX-CommonTypes", in [RFC5912].
1.1. Design Notes 1.1. Design Notes
The modules in this document use the object model available in the The modules in this document use the object model available in the
2002 ASN.1 documents to a great extent. Objects for each of the 2002 ASN.1 documents to a great extent. Objects for each of the
different algorithm types are defined. Also, all of the places where different algorithm types are defined. Also, all of the places where
in the 1988 ASN.1 syntax had ANY holes to allow for variable syntax the 1988 ASN.1 syntax had ANY holes to allow for variable syntax now
now have objects. use objects.
Much like the way that the PKIX and S/MIME working groups use the Much like the way that the PKIX and S/MIME working groups use the
prefix of id- for object identifiers, this document has also adopted prefix of id- for object identifiers, this document has also adopted
a set of two, three, and four letter prefixes to allow for quick a set of two-, three-, and four-letter prefixes to allow for quick
identification of the type of an object based on its name. This identification of the type of an object based on its name. This
allows, for example, the same back half of the name to be used for allows, for example, the same back half of the name to be used for
the different objects. Thus, "id-sha1" is the object identifier, the different objects. Thus, "id-sha1" is the object identifier,
while "mda-sha1" is the message digest object for "sha1". while "mda-sha1" is the message digest object for "sha1".
One or more object sets for the different type of algorithms are One or more object sets for the different types of algorithms are
defined. A single consistent name for each of the different defined. A single consistent name for each different algorithm type
algorithm types is used. For example, an object set named PublicKeys is used. For example, an object set named PublicKeys contains the
might contain the public keys defined in that module. If no public public keys defined in that module. If no public keys are defined,
keys are defined, then the object set is not created. When then the object set is not created. When importing these object sets
referencing these objects sets when imported, one needs to be able to into an ASN.1 module, one needs to be able to distinguish between the
disambiguate between the different modules. This is done by using different object sets with the same name. This is done by using both
both the module name (as specified in the IMPORT statement) and the the module name (as specified in the IMPORT statement) and the object
object set name. For example, in the module for RFC 5280: set name. For example, in the module for RFC 5280:
PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 } PublicKeys FROM PKIXAlgs-2008 { 1 3 6 1 5 5 7 0 995 }
PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 } PublicKeys FROM PKIX1-PSS-OAEP-Algorithms { 1 3 6 1 5 5 7 33 }
PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ..., PublicKeyAlgorithms PUBLIC-KEY ::= { PKIXAlgs-2008.PublicKeys, ...,
PKIX1-PSS-OAEP-Algorithms.PublicKeys } PKIX1-PSS-OAEP-Algorithms.PublicKeys }
2. ASN.1 Module AlgorithmInformation 2. ASN.1 Module AlgorithmInformation
This section contains a module that is imported by many other modules This section contains a module that is imported by many other modules
in this document. Note that this module is also given in [NEW-PKIX]. in this document. Note that this module is also given in [RFC5912].
This module does not come from any existing RFC. This module does not come from any existing RFC.
AlgorithmInformation-2009 AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)} id-mod-algorithmInformation-02(58)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
KeyUsage
FROM PKIX1Implicit-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-implicit-02(59)} ;
-- Suggested prefixes for algorithm objects are: KeyUsage
-- FROM PKIX1Implicit-2009
-- mda- Message Digest Algorithms {iso(1) identified-organization(3) dod(6) internet(1)
-- sa- Signature Algorithms security(5) mechanisms(5) pkix(7) id-mod(0)
-- kta- Key Transport Algorithms (Asymmetric) id-mod-pkix1-implicit-02(59)} ;
-- kaa- Key Agreement Algorithms (Asymmetric)
-- kwa- Key Wrap Algorithms (Symmetric)
-- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- cea- Content (symmetric) Encryption Algorithm
-- cap- S/MIME Capabilities
ParamOptions ::= ENUMERATED { -- Suggested prefixes for algorithm objects are:
required, -- Parameters MUST be encoded in structure --
preferredPresent, -- Parameters SHOULD be encoded in structure -- mda- Message Digest Algorithms
preferredAbsent, -- Parameters SHOULD NOT be encoded in structure -- sa- Signature Algorithms
absent, -- Parameters MUST NOT be encoded in structure -- kta- Key Transport Algorithms (Asymmetric)
inheritable, -- Parameters are inherited if not present -- kaa- Key Agreement Algorithms (Asymmetric)
optional, -- Parameters MAY be encoded in the structure -- kwa- Key Wrap Algorithms (Symmetric)
... -- kda- Key Derivation Algorithms
} -- maca- Message Authentication Code Algorithms
-- pk- Public Key
-- cea- Content (symmetric) Encryption Algorithms
-- cap- S/MIME Capabilities
-- DIGEST-ALGORITHM ParamOptions ::= ENUMERATED {
-- required, -- Parameters MUST be encoded in structure
-- Describes the basic information for ASN.1 and a digest preferredPresent, -- Parameters SHOULD be encoded in structure
-- algorithm. preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
-- absent, -- Parameters MUST NOT be encoded in structure
-- &id - contains the OID identifying the digest algorithm inheritable, -- Parameters are inherited if not present
-- &Params - contains the type for the algorithm parameters, optional, -- Parameters MAY be encoded in the structure
-- if present; absent implies no paramters ...
-- &paramPresence - parameter presence requirement }
--
-- Additional information such as the length of the hash could also
-- be encoded.
--
-- Example:
-- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1
-- PARAMS TYPE NULL ARE preferredAbsent
-- }
DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] [ARE &paramPresence] ]
}
-- SIGNATURE-ALGORITHM -- DIGEST-ALGORITHM
-- --
-- Describes the basic properties of a signature algorithm -- Describes the basic information for ASN.1 and a digest
-- -- algorithm.
-- &id - contains the OID identifying the signature algorithm --
-- &Value - contains a type defintion for the value structure of -- &id - contains the OID identifying the digest algorithm
-- the signature -- &Params - if present, contains the type for the algorithm
-- &Params - contains the type for the algorithm parameters, -- parameters; if absent, implies no parameters
-- if present; absent implies no paramters -- &paramPresence - parameter presence requirement
-- &paramPresence - parameter presence resquirement --
-- &HashSet - The set of hash algorithms used with this -- Additional information such as the length of the hash could have
-- signature algorithm -- been encoded. Without a clear understanding of what information
-- &PublicKeySet - the set of public key algorithms for this -- is needed by applications, such extraneous information was not
-- signature algorithm -- considered to be of sufficient importance.
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS
-- PARAMS TYPE RSASSA-PSS-params ARE required
-- HASHES { mda-sha1 | mda-md5, ... }
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
SIGNATURE-ALGORITHM ::= CLASS { --
&id OBJECT IDENTIFIER UNIQUE, -- Example:
&Value OPTIONAL, -- mda-sha1 DIGEST-ALGORITHM ::= {
&Params OPTIONAL, -- IDENTIFIER id-sha1
&paramPresence ParamOptions DEFAULT absent, -- PARAMS TYPE NULL ARE preferredAbsent
&HashSet DIGEST-ALGORITHM OPTIONAL, -- }
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[VALUE &Value]
[PARAMS [TYPE &Params] ARE &paramPresence ]
[HASHES &HashSet]
[PUBLIC-KEYS &PublicKeySet]
[SMIME-CAPS &smimeCaps] DIGEST-ALGORITHM ::= CLASS {
} &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence ]
}
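Review bot: In the DIGEST-ALGORITHM WITH SYNTAX clause, the right-hand (RFC) column turns `[ARE &paramPresence]` into a mandatory `ARE &paramPresence` inside the PARAMS group, but the class comment does not say so. With the new form, `&paramPresence ParamOptions DEFAULT absent` only takes effect when the whole PARAMS clause is omitted, and an object written with `PARAMS TYPE ...` but no ARE no longer matches the syntax. SIGNATURE-ALGORITHM already has the mandatory form in both columns, so the change looks intentional. A line under `&paramPresence` in the comment stating that ARE is required whenever PARAMS is given would make this explicit for anyone defining new digest objects.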
-- PUBLIC-KEY -- SIGNATURE-ALGORITHM
-- --
-- Describes the basic properties of a public key -- Describes the basic properties of a signature algorithm
-- --
-- &id - contains the OID identifying the public key -- &id - contains the OID identifying the signature algorithm
-- &KeyValue - contains the type for the key value -- &Value - contains a type definition for the value structure of
-- &Params - contains the type for the algorithm parameters, -- the signature; if absent, implies that no ASN.1
-- if present; absent implies no paramters -- encoding is performed on the value
-- &paramPresence - parameter presence requirement -- &Params - if present, contains the type for the algorithm
-- &keyUsage - contains the set of bits that are legal for this -- parameters; if absent, implies no parameters
-- key type. Note that is does not make any statement -- &paramPresence - parameter presence requirement
-- about how bits may be paired. -- &HashSet - The set of hash algorithms used with this
-- &PrivateKey - contains a type structure for encoding the private -- signature algorithm
-- key information. -- &PublicKeySet - the set of public key algorithms for this
-- -- signature algorithm
-- Example: -- &smimeCaps - contains the object describing how the S/MIME
-- pk-rsa-pss PUBLIC-KEY ::= { -- capabilities are presented.
-- IDENTIFIER id-RSASSA-PSS --
-- KEY RSAPublicKey -- Example:
-- PARAMS TYPE RSASSA-PSS-params ARE optional -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- CERT-KEY-USAGE { .... } -- IDENTIFIER id-RSASSA-PSS
-- } -- PARAMS TYPE RSASSA-PSS-params ARE required
-- HASHES { mda-sha1 | mda-md5, ... }
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
- } SIGNATURE-ALGORITHM ::= CLASS {
PUBLIC-KEY ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &Value OPTIONAL,
&KeyValue OPTIONAL, &Params OPTIONAL,
&Params OPTIONAL, &paramPresence ParamOptions DEFAULT absent,
&paramPresence ParamOptions DEFAULT absent, &HashSet DIGEST-ALGORITHM OPTIONAL,
&keyUsage KeyUsage OPTIONAL, &PublicKeySet PUBLIC-KEY OPTIONAL,
&PrivateKey OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[KEY &KeyValue] [VALUE &Value]
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence ]
[CERT-KEY-USAGE &keyUsage] [HASHES &HashSet]
[PRIVATE-KEY &PrivateKey] [PUBLIC-KEYS &PublicKeySet]
} [SMIME-CAPS &smimeCaps]
}
-- KEY-TRANSPORT -- PUBLIC-KEY
-- --
-- Describes the basic properties of a key transport algorithm -- Describes the basic properties of a public key
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the public key
-- &Params - contains the type for the algorithm parameters, -- &KeyValue - contains the type for the key value
-- if present; absent implies no paramters -- &Params - if present, contains the type for the algorithm
-- &paramPresence - parameter presence requirement -- parameters; if absent, implies no parameters
-- &PublicKeySet - specify which public keys are used with -- &paramPresence - parameter presence requirement
-- this algorithm -- &keyUsage - contains the set of bits that are legal for this
-- &smimeCaps - contains the object describing how the S/MIME -- key type. Note that it does not make any statement
-- capabilities are presented. -- about how bits may be paired.
-- -- &PrivateKey - contains a type structure for encoding the private
-- Example: -- key information.
-- rsaTransport KEY-TRANSPORT ::= { --
-- IDENTIFIER &id -- Example:
-- PARAMS TYPE NULL ARE required -- pk-rsa-pss PUBLIC-KEY ::= {
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss } -- IDENTIFIER id-RSASSA-PSS
-- } -- KEY RSAPublicKey
-- PARAMS TYPE RSASSA-PSS-params ARE optional
-- CERT-KEY-USAGE { .... }
-- }
- } PUBLIC-KEY ::= CLASS {
KEY-TRANSPORT ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &KeyValue OPTIONAL,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL, &keyUsage KeyUsage OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL &PrivateKey OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [KEY &KeyValue]
[PUBLIC-KEYS &PublicKeySet] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps] [CERT-KEY-USAGE &keyUsage]
} [PRIVATE-KEY &PrivateKey]
}
-- KEY-TRANSPORT
--
-- Describes the basic properties of a key transport algorithm
--
-- &id - contains the OID identifying the key transport algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- &paramPresence - parameter presence requirement
-- &PublicKeySet - specifies which public keys are used with
-- this algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kta-rsaTransport KEY-TRANSPORT ::= {
-- IDENTIFIER &id
-- PARAMS TYPE NULL ARE required
-- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- }
-- KEY-AGREE KEY-TRANSPORT ::= CLASS {
-- &id OBJECT IDENTIFIER UNIQUE,
-- Describes the basic properties of a key agreement algorithm &Params OPTIONAL,
-- &paramPresence ParamOptions DEFAULT absent,
-- &id - contains the OID identifying the key agreement algorithm &PublicKeySet PUBLIC-KEY OPTIONAL,
-- &Params - contains the type for the algorithm parameters, &smimeCaps SMIME-CAPS OPTIONAL
-- if present; absent implies no paramters } WITH SYNTAX {
-- &paramPresence - parameter presence requirement IDENTIFIER &id
-- &PublicKeySet - specify which public keys are used with [PARAMS [TYPE &Params] ARE &paramPresence]
-- this algorithm [PUBLIC-KEYS &PublicKeySet]
-- &Ukm - type of user keying material used [SMIME-CAPS &smimeCaps]
-- &ukmPresence - specifies the requirements to define the UKM field }
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- dh-static-ephemerial KEY-AGREE ::= {
-- IDENTIFIER id-alg-ESDH
-- PARAMS TYPE KeyWrapAlgorithm ARE required
-- - - user key material is not ASN.1-encoded.
-- PUBLIC-KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- PARAMS TYPE DHDomainParameters ARE inheritable }
-- }
-- - - UKM should be present but is not separately ASN.1-encoded
-- UKM ARE preferredPresent
-- }
KEY-AGREE ::= CLASS { -- KEY-AGREE
&id OBJECT IDENTIFIER UNIQUE, --
&Params OPTIONAL, -- Describes the basic properties of a key agreement algorithm
&paramPresence ParamOptions DEFAULT absent, --
&PublicKeySet PUBLIC-KEY OPTIONAL, -- &id - contains the OID identifying the key agreement algorithm
&Ukm OPTIONAL, -- &Params - if present, contains the type for the algorithm
&ukmPresence ParamOptions DEFAULT absent, -- parameters; if absent, implies no parameters
&smimeCaps SMIME-CAPS OPTIONAL -- &paramPresence - parameter presence requirement
} WITH SYNTAX { -- &PublicKeySet - specifies which public keys are used with
IDENTIFIER &id -- this algorithm
[PARAMS [TYPE &Params] ARE &paramPresence] -- &Ukm - type of user keying material used
[PUBLIC-KEYS &PublicKeySet] -- &ukmPresence - specifies the requirements to define the UKM field
[UKM [TYPE &Ukm] ARE &ukmPresence] -- &smimeCaps - contains the object describing how the S/MIME
[SMIME-CAPS &smimeCaps] -- capabilities are presented.
} --
-- Example:
-- kaa-dh-static-ephemeral KEY-AGREE ::= {
-- IDENTIFIER id-alg-ESDH
-- PARAMS TYPE KeyWrapAlgorithm ARE required
-- PUBLIC-KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey
-- PARAMS TYPE DHDomainParameters ARE inheritable }
-- }
-- - - UKM should be present but is not separately ASN.1-encoded
-- UKM ARE preferredPresent
-- }
-- KEY-WRAP KEY-AGREE ::= CLASS {
-- &id OBJECT IDENTIFIER UNIQUE,
-- Describes the basic properties of a key wrap algorithm &Params OPTIONAL,
-- &paramPresence ParamOptions DEFAULT absent,
-- &id - contains the OID identifying the key wrap algorithm &PublicKeySet PUBLIC-KEY OPTIONAL,
-- &Params - contains the type for the algorithm parameters, &Ukm OPTIONAL,
-- if present; absent implies no paramters &ukmPresence ParamOptions DEFAULT absent,
-- &paramPresence - parameter presence requirement &smimeCaps SMIME-CAPS OPTIONAL
-- &smimeCaps - contains the object describing how the S/MIME } WITH SYNTAX {
-- capabilities are presented. IDENTIFIER &id
-- [PARAMS [TYPE &Params] ARE &paramPresence]
-- Example: [PUBLIC-KEYS &PublicKeySet]
-- cms3DESwrap KEY-WRAP ::= { [UKM [TYPE &Ukm] ARE &ukmPresence]
-- IDENTIFIER id-alg-CMS3DESwrap [SMIME-CAPS &smimeCaps]
-- PARAMS TYPE NULL ARE required }
-- }
KEY-WRAP ::= CLASS { -- KEY-WRAP
&id OBJECT IDENTIFIER UNIQUE, --
&Params OPTIONAL, -- Describes the basic properties of a key wrap algorithm
&paramPresence ParamOptions DEFAULT absent, --
&smimeCaps SMIME-CAPS OPTIONAL -- &id - contains the OID identifying the key wrap algorithm
} WITH SYNTAX { -- &Params - if present, contains the type for the algorithm
IDENTIFIER &id -- parameters; if absent, implies no parameters
[PARAMS [TYPE &Params] ARE &paramPresence] -- &paramPresence - parameter presence requirement
[SMIME-CAPS &smimeCaps] -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example:
-- kwa-cms3DESwrap KEY-WRAP ::= {
-- IDENTIFIER id-alg-CMS3DESwrap
-- PARAMS TYPE NULL ARE required
-- }
} KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX {
IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME-CAPS &smimeCaps]
}
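Review bot: The KEY-TRANSPORT example comment still reads `IDENTIFIER &id` in both columns; only the object name changed (rsaTransport to kta-rsaTransport). `&id` is the class field name, not an object identifier value, so this example is not a usable object definition the way the neighbouring ones are (`IDENTIFIER id-alg-ESDH`, `IDENTIFIER id-alg-CMS3DESwrap`). Suggest replacing `&id` with the name of the OID the example is meant to describe.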
-- KEY-DERIVATION -- KEY-DERIVATION
-- --
-- Describes the basic properties of a key derivation algorithm -- Describes the basic properties of a key derivation algorithm
-- --
-- &id - contains the OID identifying the key derivation algorithm -- &id - contains the OID identifying the key derivation algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - if present, contains the type for the algorithm
-- if present; absent implies no paramters -- parameters; if absent, implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Could add information about defaults for the derivation algorithm -- Example:
-- such as PRFs -- kda-pbkdf2 KEY-DERIVATION ::= {
-- -- IDENTIFIER id-PBKDF2
-- Example: -- PARAMS TYPE PBKDF2-params ARE required
-- pbkdf2 KEY-DERIVATION ::= { -- }
-- IDENTIFIER id-PBKDF2
-- PARAMS TYPE PBKDF2-params ARE required
-- }
- } KEY-DERIVATION ::= CLASS {
KEY-DERIVATION ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &Params OPTIONAL,
&Params OPTIONAL, &paramPresence ParamOptions DEFAULT absent,
&paramPresence ParamOptions DEFAULT absent, &smimeCaps SMIME-CAPS OPTIONAL
&smimeCaps SMIME-CAPS OPTIONAL } WITH SYNTAX {
} WITH SYNTAX { IDENTIFIER &id
IDENTIFIER &id [PARAMS [TYPE &Params] ARE &paramPresence]
[PARAMS [TYPE &Params] ARE &paramPresence] [SMIME-CAPS &smimeCaps]
[SMIME-CAPS &smimeCaps] }
}
-- MAC-ALGORITHM -- MAC-ALGORITHM
-- --
-- Describes the basic properties of a MAC algorithm -- Describes the basic properties of a message
-- -- authentication code (MAC) algorithm
-- &id - contains the OID identifying the MAC algorithm --
-- &Params - contains the type for the algorithm parameters, -- &id - contains the OID identifying the MAC algorithm
-- if present; absent implies no paramters -- &Params - if present, contains the type for the algorithm
-- &paramPresence - parameter presence requirement -- parameters; if absent, implies no parameters
-- &keyed - MAC algorithm is a keyed MAC algorithm -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &keyed - MAC algorithm is a keyed MAC algorithm
-- capabilities are presented. -- &smimeCaps - contains the object describing how the S/MIME
-- -- capabilities are presented.
-- It would make sense to also add minimum and maximum MAC lengths
--
-- Example:
- capabilities are presented. --
-- maca-hmac-sha1 MAC-ALGORITHM ::= { -- Some parameters that perhaps should have been added would be
-- IDENTIFIER hMAC-SHA1 -- fields with the minimum and maximum MAC lengths for
-- PARAMS TYPE NULL ARE preferredAbsent -- those MAC algorithms that allow truncations.
-- IS KEYED MAC TRUE --
-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1} -- Example:
-- } -- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- IDENTIFIER hMAC-SHA1
-- PARAMS TYPE NULL ARE preferredAbsent
-- IS KEYED MAC TRUE
-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
-- }
- } MAC-ALGORITHM ::= CLASS {
MAC-ALGORITHM ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &Params OPTIONAL,
&Params OPTIONAL, &paramPresence ParamOptions DEFAULT absent,
&paramPresence ParamOptions DEFAULT absent, &keyed BOOLEAN,
&keyed BOOLEAN, &smimeCaps SMIME-CAPS OPTIONAL
&smimeCaps SMIME-CAPS OPTIONAL } WITH SYNTAX {
} WITH SYNTAX { IDENTIFIER &id
IDENTIFIER &id [PARAMS [TYPE &Params] ARE &paramPresence]
[PARAMS [TYPE &Params] [ARE &paramPresence]] IS-KEYED-MAC &keyed
IS-KEYED-MAC &keyed [SMIME-CAPS &smimeCaps]
[SMIME-CAPS &smimeCaps] }
}
-- CONTENT-ENCRYPTION -- CONTENT-ENCRYPTION
-- --
-- Describes the basic properties of a content encryption -- Describes the basic properties of a content encryption
-- algorithm -- algorithm
-- --
-- &id - contains the OID identifying the content -- &id - contains the OID identifying the content
-- encryption algorithm -- encryption algorithm
-- &Params - contains the type for the algorithm parameters, -- &Params - if present, contains the type for the algorithm
-- if present; absent implies no paramters -- parameters; if absent, implies no parameters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME -- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented. -- capabilities are presented.
-- --
-- Example: -- Example:
-- cea-3DES-cbc CONTENT-ENCRYPTION ::= { -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER des-ede3-cbc -- IDENTIFIER des-ede3-cbc
-- PARAMS TYPE IV ARE required -- PARAMS TYPE IV ARE required
-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } -- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
-- } -- }
- } CONTENT-ENCRYPTION ::= CLASS {
CONTENT-ENCRYPTION ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &Params OPTIONAL,
&Params OPTIONAL, &paramPresence ParamOptions DEFAULT absent,
&paramPresence ParamOptions DEFAULT absent, &smimeCaps SMIME-CAPS OPTIONAL
&smimeCaps SMIME-CAPS OPTIONAL } WITH SYNTAX {
} WITH SYNTAX { IDENTIFIER &id
IDENTIFIER &id [PARAMS [TYPE &Params] ARE &paramPresence]
[PARAMS [TYPE &Params] ARE &paramPresence] [SMIME-CAPS &smimeCaps]
}
[SMIME-CAPS &smimeCaps] -- ALGORITHM
} --
-- Describes a generic algorithm identifier
--
-- &id - contains the OID identifying the algorithm
-- &Params - if present, contains the type for the algorithm
-- parameters; if absent, implies no parameters
-- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- This would be used for cases where an algorithm of an unknown
-- type is used. In general however, one should either define
-- a more complete algorithm structure (such as the one above)
-- or use the TYPE-IDENTIFIER class.
-- ALGORITHM ALGORITHM ::= CLASS {
-- &id OBJECT IDENTIFIER UNIQUE,
-- Describes a generic algorithm identifier &Params OPTIONAL,
-- &paramPresence ParamOptions DEFAULT absent,
-- &id - contains the OID identifying the algorithm &smimeCaps SMIME-CAPS OPTIONAL
-- &Params - contains the type for the algorithm parameters, } WITH SYNTAX {
-- if present; absent implies no paramters IDENTIFIER &id
-- &paramPresence - parameter presence requirement [PARAMS [TYPE &Params] ARE &paramPresence]
-- &smimeCaps - contains the object describing how the S/MIME [SMIME-CAPS &smimeCaps]
-- capabilities are presented. }
--
-- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS { -- AlgorithmIdentifier
&id OBJECT IDENTIFIER UNIQUE, --
&Params OPTIONAL, -- Provides the generic structure that is used to encode algorithm
&paramPresence ParamOptions DEFAULT absent, -- identification and the parameters associated with the
&smimeCaps SMIME-CAPS OPTIONAL -- algorithm.
} WITH SYNTAX { --
IDENTIFIER &id -- The first parameter represents the type of the algorithm being
[PARAMS [TYPE &Params] ARE &paramPresence] -- used.
[SMIME-CAPS &smimeCaps] -- The second parameter represents an object set containing the
} -- algorithms that may occur in this situation.
-- The initial list of required algorithms should occur to the
-- left of an extension marker; all other algorithms should
-- occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
-- items.
-- If new ALGORITHM classes are defined, the fields &id and &Params
-- need to be present as fields in the object in order to use
-- this parameterized type.
--
-- Example:
-- SignatureAlgorithmIdentifier ::=
-- AlgorithmIdentifier{SIGNATURE-ALGORITHM, {SignatureAlgSet}}
-- AlgorithmIdentifier AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
-- SEQUENCE {
-- Provides the generic structure that is used to encode algorithm algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
-- identification and the parameters associated with the parameters ALGORITHM-TYPE.
-- algorithm. &Params({AlgorithmSet}{@algorithm}) OPTIONAL
-- }
-- The first parameter represents the type of the algorithm being
-- used.
-- The second parameter represents an object set containing the
-- algorithms that may occur in this situation.
-- The initial list of required algorithms should occur to the
-- left of an extension marker, all other algorithms should
-- occur to the right of an extension marker.
--
-- The object class ALGORITHM can be used for generic unspecified
-- items.
-- If new ALGORITHM objects are defined, the fields &id and &Params
-- need to be present as field in the object.
--
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL
}
-- S/MIME Capabilities -- S/MIME Capabilities
-- --
-- We have moved the SMIME-CAPS from the module for RFC 3851 to here -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
-- because it is used in the PKIX document RFC 4262 - Use of S/MIME -- because it is used in RFC 4262 (X.509 Certificate Extension for
-- Caps in certificate extension -- S/MIME Capabilities)
-- --
-- --
-- This class is used to represent an S/MIME capability. S/MIME -- This class is used to represent an S/MIME capability. S/MIME
-- capabilities are used to represent what algorithm capabilities -- capabilities are used to represent what algorithm capabilities
-- an individual has. The classic example was the content encryption -- an individual has. The classic example was the content encryption
-- algorithm RC2 where the algorithm id and the RC2 key lengths -- algorithm RC2 where the algorithm id and the RC2 key lengths
-- supported needed to be advertised, but the IV used is not fixed. -- supported needed to be advertised, but the IV used is not fixed.
-- Thus for RC2 we used -- Thus, for RC2 we used
-- --
-- cap-RC2CBC SMIME-CAPS ::= { -- cap-RC2CBC SMIME-CAPS ::= {
-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc } -- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
-- --
-- where 40 and 128 represent the RC2 key length in number of bits. -- where 40 and 128 represent the RC2 key length in number of bits.
-- --
-- Another example where information needs to be shown is for -- Another example where information needs to be shown is for
-- RSA-OAEP where only specific hash functions or mask generation -- RSA-OAEP where only specific hash functions or mask generation
-- functions are supported, but the saltLength is specified by the -- functions are supported, but the saltLength is specified by the
-- sender and not the recipient. In this case one can either -- sender and not the recipient. In this case, one can either
-- generate a number of capability items, -- generate a number of capability items,
-- or a new S/MIME capability type could be generated where -- or a new S/MIME capability type could be generated where
-- multiple hash functions could be specified. -- multiple hash functions could be specified.
-- --
-- --
-- SMIME-CAP -- SMIME-CAP
-- --
-- This class is used to associate the type describing capabilities -- This class is used to associate the type that describes the
-- with the object identifier. -- capabilities with the object identifier.
-- --
- SMIME-CAPS ::= CLASS {
SMIME-CAPS ::= CLASS { &id OBJECT IDENTIFIER UNIQUE,
&id OBJECT IDENTIFIER UNIQUE, &Type OPTIONAL
&Type OPTIONAL }
} WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
--
-- Generic type - this is used for defining values.
--
-- Define a single S/MIME capability encoding --
-- Generic type - this is used for defining values.
--
SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE { -- Define a single S/MIME capability encoding
capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL
}
-- Define a sequence of S/MIME capability value SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL
}
SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::= -- Define a sequence of S/MIME capability values
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
END SMIMECapabilities { SMIME-CAPS:CapabilitySet } ::=
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
END
3. ASN.1 Module for RFC 3370 3. ASN.1 Module for RFC 3370
CryptographicMessageSyntaxAlgorithms-2009 CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
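Review bot: in the MAC-ALGORITHM comment block, the example object still writes "IS KEYED MAC TRUE" as three separate words, while the class's WITH SYNTAX defines the single hyphenated word "IS-KEYED-MAC &keyed", so the example does not match the syntax it is meant to illustrate. This revision already edits that WITH SYNTAX clause (the inner brackets around "ARE &paramPresence" are dropped), so the example should be changed to "IS-KEYED-MAC TRUE" in the same pass. Two smaller naming points in the same hunk: the comment heading reads "SMIME-CAP" where the class is named "SMIME-CAPS", and the example object is called "maca-hmac-sha1" while the RFC 3370 module refers to "maca-hMAC-SHA1".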
skipping to change at page 15, line 6 skipping to change at page 15, line 16
FROM PKIXAlgs-2009 FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6) {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)} id-mod-pkix1-algorithms2008-02(56)}
cap-RC2CBC cap-RC2CBC
FROM SecureMimeMessageV3dot1-2009 FROM SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)}; smime(16) modules(0) id-mod-msg-v3dot1-02(39)};
-- 2. Hash algorthms in this document -- 2. Hash algorithms in this document
MessageDigestAlgs DIGEST-ALGORITHM ::= { MessageDigestAlgs DIGEST-ALGORITHM ::= {
-- mda-md5 | mda-sha1, -- mda-md5 | mda-sha1,
... } ... }
-- 3. Signature algorithms in this document -- 3. Signature algorithms in this document
SignatureAlgs SIGNATURE-ALGORITHM ::= { SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- See RFC 3279 -- See RFC 3279
-- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1, -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
... } ... }
-- 4. Key Managment Algorithms -- 4. Key Management Algorithms
-- 4.1 Key Agreement Algorithms -- 4.1 Key Agreement Algorithms
KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...} KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...} KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
-- 4.2 Key Transport Algorithms -- 4.2 Key Transport Algorithms
KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... } KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
-- 4.3 Symmetric Key-Encryption Key Algorithms -- 4.3 Symmetric Key-Encryption Key Algorithms
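Review bot: "MessageDigestAlgs" and "SignatureAlgs" both have every member commented out, leaving each object set as just the extension marker, but only "SignatureAlgs" carries a pointer ("-- See RFC 3279") explaining where its members live. "MessageDigestAlgs" should get a matching comment saying where "mda-md5" and "mda-sha1" are defined and why they are not listed here; otherwise a reader cannot tell a deliberate omission from a leftover edit. The spelling fixes in the section comments ("algorthms", "Managment") look fine.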
skipping to change at page 15, line 43 skipping to change at page 16, line 4
-- 4.4 Key Derivation Algorithms -- 4.4 Key Derivation Algorithms
KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... } KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
-- 5. Content Encryption Algorithms -- 5. Content Encryption Algorithms
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
{ cea-3DES-cbc | cea-RC2-cbc, ... } { cea-3DES-cbc | cea-RC2-cbc, ... }
-- 6. Message Authentication Code Algorithms -- 6. Message Authentication Code Algorithms
MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... } MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
-- SMIME Capabilities for these items -- S/MIME Capabilities for these items
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
kaa-esdh.&smimeCaps | kaa-esdh.&smimeCaps |
kaa-ssdh.&smimeCaps | kaa-ssdh.&smimeCaps |
kt-rsa.&smimeCaps | kt-rsa.&smimeCaps |
kwa-3DESWrap.&smimeCaps | kwa-3DESWrap.&smimeCaps |
kwa-RC2Wrap.&smimeCaps | kwa-RC2Wrap.&smimeCaps |
cea-3DES-cbc.&smimeCaps | cea-3DES-cbc.&smimeCaps |
cea-RC2-cbc.&smimeCaps | cea-RC2-cbc.&smimeCaps |
maca-hMAC-SHA1.&smimeCaps, maca-hMAC-SHA1.&smimeCaps,
skipping to change at page 19, line 11 skipping to change at page 19, line 16
kwa-RC2Wrap KEY-WRAP ::= { kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap IDENTIFIER id-alg-CMSRC2wrap
PARAMS TYPE RC2wrapParameter ARE required PARAMS TYPE RC2wrapParameter ARE required
SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap } SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
} }
kda-PBKDF2 KEY-DERIVATION ::= { kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2 IDENTIFIER id-PBKDF2
PARAMS TYPE PBKDF2-params ARE required PARAMS TYPE PBKDF2-params ARE required
-- No s/mime caps defined -- No S/MIME caps defined
} }
cea-3DES-cbc CONTENT-ENCRYPTION ::= { cea-3DES-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER des-ede3-cbc IDENTIFIER des-ede3-cbc
PARAMS TYPE IV ARE required PARAMS TYPE IV ARE required
SMIME-CAPS { IDENTIFIED BY des-ede3-cbc } SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
} }
cea-RC2-cbc CONTENT-ENCRYPTION ::= { cea-RC2-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER rc2-cbc IDENTIFIER rc2-cbc
skipping to change at page 21, line 39 skipping to change at page 22, line 7
IDENTIFIER id-aes256-wrap IDENTIFIER id-aes256-wrap
PARAMS ARE absent PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes256-wrap } SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
} }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
END END
5. ASN.1 Module for RFC 3851 5. ASN.1 Module for RFC 3851
SecureMimeMessageV3dot1-2009 SecureMimeMessageV3dot1-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-msg-v3dot1-02(39)} smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
SMIME-CAPS, SMIMECapabilities{}
FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ATTRIBUTE SMIME-CAPS, SMIMECapabilities{}
FROM PKIX-CommonTypes-2009 FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier ATTRIBUTE
FROM CryptographicMessageSyntax-2009 FROM PKIX-CommonTypes-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
smime(16) modules(0) id-mod-cms-2004-02(41)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
rc2-cbc, SMimeCaps SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
FROM CryptographicMessageSyntaxAlgorithms-2009 FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37)} smime(16) modules(0) id-mod-cms-2004-02(41)}
SMimeCaps rc2-cbc, SMimeCaps
FROM PKIXAlgs-2009 FROM CryptographicMessageSyntaxAlgorithms-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
mechanisms(5) pkix(7) id-mod(0) smime(16) modules(0) id-mod-cmsalg-2001-02(37)}
id-mod-pkix1-algorithms2008-02(56)}
SMimeCaps SMimeCaps
FROM PKIX1-PSS-OAEP-Algorithms-2009 FROM PKIXAlgs-2009
{iso(1) identified-organization(3) dod(6) internet(1) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
security(5) mechanisms(5) pkix(7) id-mod(0) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54)}; id-mod-pkix1-algorithms2008-02(56)}
SMimeAttributeSet ATTRIBUTE ::= SMimeCaps
{ aa-smimeCapabilities | aa-encrypKeyPref, ... } FROM PKIX1-PSS-OAEP-Algorithms-2009
{iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54)};
-- id-aa is the arc with all new authenticated and unauthenticated SMimeAttributeSet ATTRIBUTE ::=
-- attributes produced by the S/MIME Working Group { aa-smimeCapabilities | aa-encrypKeyPref, ... }
id-aa OBJECT IDENTIFIER ::= -- id-aa is the arc with all new authenticated and unauthenticated
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9) -- attributes produced by the S/MIME Working Group
smime(16) attributes(2)} id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)}
-- S/MIME Capabilities provides a method of broadcasting the symmetric -- The S/MIME Capabilities attribute provides a method of broadcasting
-- capabilities understood. Algorithms SHOULD be ordered by -- the symmetric capabilities understood. Algorithms SHOULD be ordered
-- preference and grouped by type -- by preference and grouped by type
aa-smimeCapabilities ATTRIBUTE ::= aa-smimeCapabilities ATTRIBUTE ::=
{ TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
smimeCapabilities } smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 }
smimeCapabilities OBJECT IDENTIFIER ::= SMimeCapsSet SMIME-CAPS ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { cap-preferBinaryInside | cap-RC2CBC |
15 } PKIXAlgs-2009.SMimeCaps |
CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
SMimeCapsSet SMIME-CAPS ::= -- Encryption Key Preference provides a method of broadcasting the
{ cap-preferBinaryInside | cap-RC2CBC | -- preferred encryption certificate.
PKIXAlgs-2009.SMimeCaps |
CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
-- Encryption Key Preference provides a method of broadcasting the aa-encrypKeyPref ATTRIBUTE ::=
-- preferred encryption certificate. { TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref }
aa-encrypKeyPref ATTRIBUTE ::= id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
{ TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref }
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber,
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
SMIMEEncryptionKeyPreference ::= CHOICE { -- receipentKeyId is spelt incorrectly, but kept for historical
issuerAndSerialNumber [0] IssuerAndSerialNumber, -- reasons.
receipentKeyId [1] RecipientKeyIdentifier,
subjectAltKeyIdentifier [2] SubjectKeyIdentifier
}
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 } id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside indicates an ability to receive messages -- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper -- with binary encoding inside the CMS wrapper
cap-preferBinaryInside SMIME-CAPS ::= cap-preferBinaryInside SMIME-CAPS ::=
{ -- No value -- IDENTIFIED BY id-cap-preferBinaryInside } { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list OIDs to be used with S/MIME V3 -- The following list OIDs to be used with S/MIME V3
-- Signature Algorithms Not Found in [CMSALG] -- Signature Algorithms Not Found in [RFC3370]
-- --
-- md2WithRSAEncryption OBJECT IDENTIFIER ::= -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2} -- 2}
-- --
-- Other Signed Attributes -- Other Signed Attributes
-- --
-- signingTime OBJECT IDENTIFIER ::= -- signingTime OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-- 5} -- 5}
-- See [CMS] for a description of how to encode the attribute -- See [RFC5652] for a description of how to encode the attribute
-- value. -- value.
cap-RC2CBC SMIME-CAPS ::= cap-RC2CBC SMIME-CAPS ::=
{ TYPE SMIMECapabilitiesParametersForRC2CBC { TYPE SMIMECapabilitiesParametersForRC2CBC
IDENTIFIED BY rc2-cbc} IDENTIFIED BY rc2-cbc}
SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...) SMIMECapabilitiesParametersForRC2CBC ::= INTEGER (40 | 128, ...)
-- (RC2 Key Length (number of bits)) -- (RC2 Key Length (number of bits))
END END
6. ASN.1 Module for RFC 3852 6. ASN.1 Module for RFC 3852
This module has an ASN.1 idiom for noting in which version of CMS This module has an ASN.1 idiom for noting in which version of CMS
changes were made from the original PKCS #7; that idiom is "[[v:", changes were made from the original PKCS #7; that idiom is "[[v:",
where "v" is an integer. For example: where "v" is an integer. For example:
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
Similarly, this module adds the ASN.1 idiom for extensiblity (the Similarly, this module adds the ASN.1 idiom for extensibility (the
"...,") in all places that have been extended in the past. See the "...,") in all places that have been extended in the past. See the
example above. example above.
CryptographicMessageSyntax-2009 CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
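Review bot: the arc labels in the OID values of the RFC 3851 module are inconsistent and this revision leaves them that way: "id-aa" uses "usa(840)" where "smimeCapabilities" and "id-smime" use "us(840)", and "id-smime" uses "pkcs9(9)" where the others use "pkcs-9(9)". The numbers agree, so the encoded OIDs are unaffected, but since the change is already normalising spelling elsewhere ("extensiblity" to "extensibility"), the labels should be made uniform too. Also, the new note that "receipentKeyId" is misspelt but kept for historical reasons sits after the closing brace of the CHOICE; placing it directly above the "receipentKeyId [1] RecipientKeyIdentifier" line would keep it attached to the field it explains.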
skipping to change at page 41, line 34 skipping to change at page 41, line 40
} }
ENCINFO-TYPE ::= TYPE-IDENTIFIER ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...} SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
END END
9. ASN.1 Module for RFC 5035 9. ASN.1 Module for RFC 5035
Section numbers in the module refer to the sections of RFC 2634 as
updated by RFC 5035.
ExtendedSecurityServices-2009 ExtendedSecurityServices-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006-02(42) } smime(16) modules(0) id-mod-ess-2006-02(42) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{} AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
FROM PKIX-CommonTypes-2009 FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
skipping to change at page 49, line 32 skipping to change at page 48, line 47
cea-aes256-CCM.&smimeCaps | cea-aes256-CCM.&smimeCaps |
cea-aes128-GCM.&smimeCaps | cea-aes128-GCM.&smimeCaps |
cea-aes192-GCM.&smimeCaps | cea-aes192-GCM.&smimeCaps |
cea-aes256-GCM.&smimeCaps, cea-aes256-GCM.&smimeCaps,
... ...
} }
-- Defining objects -- Defining objects
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } organization(1) gov(101) csor(3) nistAlgorithms(4) 1 }
cea-aes128-CCM CONTENT-ENCRYPTION ::= { cea-aes128-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CCM IDENTIFIER id-aes128-CCM
PARAMS TYPE CCMParameters ARE required PARAMS TYPE CCMParameters ARE required
SMIME-CAPS { IDENTIFIED BY id-aes128-CCM } SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
} }
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 } id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
cea-aes192-CCM CONTENT-ENCRYPTION ::= { cea-aes192-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CCM IDENTIFIER id-aes192-CCM
skipping to change at page 51, line 41 skipping to change at page 51, line 7
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cmsalg-2001-02(37) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
AttributeCertificate AttributeCertificate
FROM PKIXAttributeCertificate-2009 FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) } mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }
CMC-CONTROL, EXTENDED-FAILURE-INFO CMC-CONTROL, EXTENDED-FAILURE-INFO
FROM EnrollmentMessageSyntax FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(4) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) } mechanisms(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }
kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
FROM CMSAesRsaesOaep-2009 FROM CMSAesRsaesOaep-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ; pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;
-- This defines the group list (GL symmetric key distribution OID arc -- This defines the group list (GL symmetric key distribution OID arc
id-skd OBJECT IDENTIFIER ::= id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) } smime(16) skd(8) }
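Review bot: on the "FROM EnrollmentMessageSyntax" import, the "dod(4)" to "dod(6)" correction changes a numeric arc, unlike the "mechansims" spelling fix on the next line, so the resulting identifier should be checked against the one in the defining module rather than treated as a cosmetic edit. The module name on that import also has no "-2009" suffix, unlike "PKIXAttributeCertificate-2009" and "CMSAesRsaesOaep-2009" in the same IMPORTS list; confirm it matches the name the defining module actually uses. Separately, the comment "-- This defines the group list (GL symmetric key distribution OID arc" opens a parenthesis that is never closed, in both versions.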
skipping to change at page 52, line 47 skipping to change at page 52, line 10
certificates Certificates OPTIONAL certificates Certificates OPTIONAL
} }
GLAdministration ::= INTEGER { GLAdministration ::= INTEGER {
unmanaged (0), unmanaged (0),
managed (1), managed (1),
closed (2) closed (2)
} }
-- --
-- The advertised set of algorithm capabilites for the docment -- The advertised set of algorithm capabilities for the document
-- --
SKD-Caps SMIME-CAPS ::= { SKD-Caps SMIME-CAPS ::= {
cap-3DESwrap | kwa-aes128-wrap.&smimeCaps | cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ... kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
} }
cap-aes128-cbc KeyWrapAlgorithm ::= cap-aes128-cbc KeyWrapAlgorithm ::=
{ capabilityID kwa-aes128-wrap.&smimeCaps.&id } { capabilityID kwa-aes128-wrap.&smimeCaps.&id }
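Review bot: "cap-aes128-cbc" is declared as a "KeyWrapAlgorithm" whose "capabilityID" comes from "kwa-aes128-wrap", so the "-cbc" in the value name does not describe what it identifies. The comment typo fixes above it are fine, but the name deserves either a rename in line with "cap-3DESwrap" in "SKD-Caps" or, if it has to stay for compatibility, a comment saying so, as was done for "receipentKeyId" in the RFC 3851 module.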
skipping to change at page 57, line 21 skipping to change at page 56, line 29
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert } { GLManageCert IDENTIFIED BY id-skd-glProvideCert }
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13} id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
GLManageCert ::= SEQUENCE { GLManageCert ::= SEQUENCE {
glName GeneralName, glName GeneralName,
glMember GLMember glMember GLMember
} }
-- This defines the control attribute to return an updated -- This defines the control attribute to return an updated
-- certificate to the GLA. It has the type GLManageCert. -- certificate to the GLA. It has the type GLManageCert.
skd-glManageCert CMC-CONTROL ::= skd-glManageCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glManageCert } { GLManageCert IDENTIFIED BY id-skd-glManageCert }
id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14} id-skd-glManageCert OBJECT IDENTIFIER ::= { id-skd 14}
-- This defines the control attribute to distribute the GL shared -- This defines the control attribute to distribute the GL shared
-- KEK. -- KEK.
skd-glKey CMC-CONTROL ::= skd-glKey CMC-CONTROL ::=
skipping to change at page 58, line 35 skipping to change at page 57, line 42
13. Security Considerations 13. Security Considerations
Even though all the RFCs in this document are security-related, the Even though all the RFCs in this document are security-related, the
document itself does not have any security considerations. The ASN.1 document itself does not have any security considerations. The ASN.1
modules keep the same bits-on-the-wire as the modules that they modules keep the same bits-on-the-wire as the modules that they
replace. replace.
14. Normative References 14. Normative References
[ASN1-2002] [ASN1-2002] ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.
X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.
[NEW-PKIX]
Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
draft-ietf-pkix-new-asn1 (work in progress),
December 2007.
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, July 2003.
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", RFC 4108, August 2005.
[RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
Record Syntax (ERS)", RFC 4998, August 2007.
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update:
Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007.
[RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)",
RFC 5084, November 2007.
[RFC5275] Turner, S., "CMS Symmetric Key Management and
Distribution", RFC 5275, June 2008.
Appendix A. Change History
[[ This entire section is to be removed upon publication. ]]
A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00
Changed the draft name.
Added RFC 3565,
Added RFC 4998.
Made RFCs-to-be 5083 and 5084 into RFCs.
In RFC 3370, a line in the comment staring with "Another way to
do..." was not commented out when it should have been.
In RFC 3851, the name of the module from which we are importing was
wrong, although the OID was right.
In RFC 3852, added the "...," and "[[v:" ASN.1 idioms to indicate
which version of CMS added the various extensions.
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01
Added RFC 5275.
Added module for algorithm classes, and modified RFC 3370 and RFC
3852 to use the classes defined.
A.3. Changes between draft-ietf-smime-new-asn1-01 and -02
Added design notes.
Removed issue on "Algorithm Structure" and issue on "More Modules To
Be Added".
Updated all modules to use objects more deeply.
In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
module where the changes were made.
A.4. Changes between draft-ietf-smime-new-asn1-02 and -03
Many cosmetic-only changes to the modules.
Changed some multi-word keywords to hyphenated (such as "SMIME CAPS"
to "SMIME-CAPS").
Updated the reference of X.680 to X.680, X.681, X.682, and X.683.
A.5. Changes between draft-ietf-smime-new-asn1-03 and -04
Changed the status of the document.
A.6. Changes between draft-ietf-smime-new-asn1-04 and -05
Removed the "Issues" section from section 1, which should have been
done in the last draft.
A.7. Changes between draft-ietf-smime-new-asn1-05 and -06
Minor nits to keep the nits checker happy.
A.8. Changes between draft-ietf-smime-new-asn1-06 and -07
In the AlgorithmInformation module, there was an error in a
commented-out example. Changed "-- HASHES {sha1 | md5, ... }" to "--
HASHES { mda-sha1 | mda-md5, ... }".
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard
(AES) Encryption Algorithm in Cryptographic Message
Syntax (CMS)", RFC 3565, July 2003.
[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
Extensions (S/MIME) Version 3.1 Message Specification",
RFC 3851, July 2004.
[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 3852, July 2004.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS)
to Protect Firmware Packages", RFC 4108, August 2005.
[RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence
Record Syntax (ERS)", RFC 4998, August 2007.
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update:
Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007.
[RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)",
RFC 5084, November 2007.
[RFC5275] Turner, S., "CMS Symmetric Key Management and
Distribution", RFC 5275, June 2008.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)",
RFC 5652, September 2009.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure using X.509 (PKIX)", RFC 5912,
June 2010.
Authors' Addresses
Paul Hoffman
VPN Consortium
127 Segre Place
Santa Cruz, CA 95060
US
Phone: 1-831-426-9827
EMail: paul.hoffman@vpnc.org
Jim Schaad
Soaring Hawk Consulting
EMail: jimsch@exmsft.com
 End of changes. 110 change blocks. 
720 lines changed or deleted 645 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/