KEYPROV Working Group                                    Sean Turner, IECA
Internet Draft                                Russ Housley, Vigil Security
Intended Status: Standards Track                          January 16, 2009
Expires: July 16, 2009


                    Symmetric Key Package Content Type
                draft-ietf-keyprov-symmetrickeyformat-04.txt


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on July 16, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.


Turner & Housley         Expires August 16, 2009                [Page 1]

Internet-Draft      Symmetric Key Package Content Type      January 2009


Abstract

   This document defines the symmetric key format content type.  It is
   transport independent.  The Cryptographic Message Syntax can be used
   to digitally sign, digest, authenticate, or encrypt this content
   type.

Table of Contents

   1. Introduction
      1.1. Requirements Terminology
      1.2. ASN.1 Syntax Notation
   2. Symmetric Key Package Content Type
   3. Security Considerations
   4. IANA Considerations
   5. References
      5.1. Normative References
      5.2. Non-Normative References
   APPENDIX A: ASN.1 Module

1. Introduction

   This document defines the symmetric key format content type.  It is
   transport independent.  The Cryptographic Message Syntax [RFC3852]
   can be used to digitally sign, digest, authenticate, or encrypt this
   content type.

   The use cases that motivated this work are elaborated in [PSKC].
   They are omitted here to avoid duplication.

1.1. Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. ASN.1 Syntax Notation

   The key package is defined using ASN.1 [X.680, X.681, X.682, X.683].

2. Symmetric Key Package Content Type

   The symmetric key package content type is used to transfer one or
   more plaintext symmetric keys from one party to another.  A symmetric
   key package MAY be encapsulated in one or more CMS protecting content
   types.  This content type must be DER encoded [X.690].

   The symmetric key package content type has the following syntax:

      PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

      symmetric-key-package PKCS7-CONTENT-TYPE ::= {
        SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }

      id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
        smime(16) ct(1) 25 }

      SymmetricKeyPackage ::= SEQUENCE {
        version           KeyPkgVersion DEFAULT v1,
        sKeyPkgAttrs  [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
        sKeys             SymmetricKeys }

      SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey

      OneSymmetricKey ::= SEQUENCE {
        sKeyAttrs  SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
        sKey       OCTET STRING OPTIONAL
        -- At least sKeyAttrs or sKey MUST be present.
      }

      KeyPkgVersion ::= INTEGER { v1(1), ... }

   The SymmetricKeyPackage fields are used as follows:

   - version identifies the version of the symmetric key package content
     structure.  For this version of the specification, the default
     value, v1, MUST be used.

   - sKeyPkgAttrs optionally provides attributes that apply to all of
     the symmetric keys in the package.  If an attribute appears here it
     MUST NOT also be included in sKeyAttrs.

   - sKeys contains a sequence of OneSymmetricKey values.  This
     structure is discussed below.

   The OneSymmetricKey fields are used as follows:

   - sKeyAttrs optionally provides attributes that apply to one
     symmetric key.  If an attribute appears here it MUST NOT also be
     included in sKeyPkgAttrs.

   - sKey optionally contains the key value encoded as an OCTET STRING.

   A OneSymmetricKey value MUST include sKeyAttrs, sKey, or both
   sKeyAttrs and sKey.

3. Security Considerations

   The symmetric key package contents are not protected.  This content
   type can be combined with a security protocol to protect the
   contents of the package.

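   As an added example that is not part of this draft, the following
   Python encodes a SymmetricKeyPackage from constructed sample keys and
   decodes it back, checking the DER requirement of Section 2 (version
   is a DEFAULT, so DER omits it), the rule that each OneSymmetricKey
   carries sKeyAttrs, sKey, or both, and the rule that an attribute
   appears in sKeyPkgAttrs or sKeyAttrs but not both.  The attribute OID
   and key bytes are constructed for the example; attributes are passed
   as pre-encoded DER because the draft leaves the Attribute set open.

```python
# Added example, not from the draft: minimal DER encode/decode for SymmetricKeyPackage.
SEQ, SET, OCTET, CTX0 = 0x30, 0x31, 0x04, 0xA0
SAMPLE_OID = b"\x06\x03\x2a\x03\x04"    # constructed: DER OID 1.2.3.4 of a hypothetical attribute

def tlv(tag, body):                      # DER tag-length-value with minimal length encoding
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + body

def read_tlv(buf, pos=0):                # -> (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):               # a short slice would silently truncate a key
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def children(body):                      # yield (tag, body) for each element of a constructed body
    pos = 0
    while pos < len(body):
        tag, sub, pos = read_tlv(body, pos)
        yield tag, sub

def attr_types(seq_body):                # raw type OID of each Attribute in a SEQUENCE OF Attribute
    return [read_tlv(attr)[1] for _, attr in children(seq_body)]

def encode_package(keys, pkg_attrs=()):  # keys: [(list of Attribute DER, key bytes or None)]
    ones = b""
    for attrs, key in keys:
        if not attrs and key is None:    # sKeyAttrs, sKey, or both MUST be present
            raise ValueError("OneSymmetricKey needs sKeyAttrs or sKey")
        ones += tlv(SEQ, (tlv(SEQ, b"".join(attrs)) if attrs else b"")
                         + (tlv(OCTET, key) if key is not None else b""))
    pkg = tlv(CTX0, b"".join(pkg_attrs)) if pkg_attrs else b""   # IMPLICIT [0] sKeyPkgAttrs
    return tlv(SEQ, pkg + tlv(SEQ, ones))  # version is DEFAULT v1, so DER omits it entirely

def decode_package(der):                 # -> (package attr OIDs, [(key attr OIDs, key or None)])
    tag, body, end = read_tlv(der)
    if tag != SEQ or end != len(der):
        raise ValueError("not a single SymmetricKeyPackage SEQUENCE")
    fields = dict(children(body))        # INTEGER version, [0] attrs, SEQUENCE sKeys
    if set(fields) - {CTX0, SEQ} or not fields.get(SEQ):
        raise ValueError("unexpected field (an explicit version is not DER) or empty sKeys")
    pkg, keys = attr_types(fields.get(CTX0, b"")), []
    for _, one in children(fields[SEQ]):
        parts = dict(children(one))      # sKeyAttrs is a SEQUENCE, sKey an OCTET STRING
        attrs, key = attr_types(parts.get(SEQ, b"")), parts.get(OCTET)
        if (not attrs and key is None) or set(attrs) & set(pkg):
            raise ValueError("empty OneSymmetricKey or attribute duplicated in package")
        keys.append((attrs, key))
    return pkg, keys
```

   Because Section 3 leaves the package itself unprotected, a decoder
   like this should only be applied to content after the enclosing CMS
   protection has been verified.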
4. IANA Considerations

   None: All identifiers are already registered.  Please remove this
   section prior to publication as an RFC.

5. References

5.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [X.680]   ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
             Information Technology - Abstract Syntax Notation One.

   [X.681]   ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
             Information Technology - Abstract Syntax Notation One:
             Information Object Specification.

   [X.682]   ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
             Information Technology - Abstract Syntax Notation One:
             Constraint Specification.

   [X.683]   ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002.
             Information Technology - Abstract Syntax Notation One:
             Parameterization of ASN.1 Specifications.

   [X.690]   ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002.
             Information Technology - ASN.1 encoding rules:
             Specification of Basic Encoding Rules (BER), Canonical
             Encoding Rules (CER) and Distinguished Encoding Rules
             (DER).

5.2. Non-Normative References

   [PSKC]    Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
             Key Container (PSKC)", draft-ietf-keyprov-pskc-00.txt,
             work-in-progress.

   [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
             RFC 3852, July 2004.

APPENDIX A: ASN.1 Module

   This appendix provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680] through [X.683].

   SymmetricKeyPackageModulev1
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) 33 }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- EXPORTS ALL --
   -- IMPORTS NOTHING

   PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

   KeyPackageContentTypes PKCS7-CONTENT-TYPE ::= {
     symmetric-key-package |
     ... -- Expect additional content types --
   }

   symmetric-key-package PKCS7-CONTENT-TYPE ::= {
     SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }

   id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
     smime(16) ct(1) 25 }

   SymmetricKeyPackage ::= SEQUENCE {
     version           KeyPkgVersion DEFAULT v1,
     sKeyPkgAttrs  [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
     sKeys             SymmetricKeys }

   SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey

   OneSymmetricKey ::= SEQUENCE {
     sKeyAttrs  SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
     sKey       OCTET STRING OPTIONAL
     -- At least sKeyAttrs or sKey MUST be present.
   }

   KeyPkgVersion ::= INTEGER { v1(1), ... }

   Attribute ::= SEQUENCE {
     type    ATTRIBUTE.&id ({SupportedAttributes}),
     values  SET SIZE (1..MAX) OF ATTRIBUTE.&Type
               ({SupportedAttributes}{@type}) }

   SupportedAttributes ATTRIBUTE ::= { ... }

   ATTRIBUTE ::= CLASS {
     &derivation            ATTRIBUTE OPTIONAL,
     &Type                  OPTIONAL,
       -- either &Type or &derivation required
     &equality-match        MATCHING-RULE OPTIONAL,
     &ordering-match        MATCHING-RULE OPTIONAL,
     &substrings-match      MATCHING-RULE OPTIONAL,
     &single-valued         BOOLEAN DEFAULT FALSE,
     &collective            BOOLEAN DEFAULT FALSE,
       -- operational extensions
     &no-user-modification  BOOLEAN DEFAULT FALSE,
     &usage                 AttributeUsage DEFAULT userApplications,
     &id                    OBJECT IDENTIFIER UNIQUE }
   WITH SYNTAX {
     [ SUBTYPE OF &derivation ]
     [ WITH SYNTAX &Type ]
     [ EQUALITY MATCHING RULE &equality-match ]
     [ ORDERING MATCHING RULE &ordering-match ]
     [ SUBSTRINGS MATCHING RULE &substrings-match ]
     [ SINGLE VALUE &single-valued ]
     [ COLLECTIVE &collective ]
     [ NO USER MODIFICATION &no-user-modification ]
     [ USAGE &usage ]
     ID &id }

   MATCHING-RULE ::= CLASS {
     &AssertionType  OPTIONAL,
     &id             OBJECT IDENTIFIER UNIQUE }
   WITH SYNTAX {
     [ SYNTAX &AssertionType ]
     ID &id }

   AttributeType ::= ATTRIBUTE.&id

   AttributeValue ::= ATTRIBUTE.&Type

   AttributeUsage ::= ENUMERATED {
     userApplications      (0),
     directoryOperation    (1),
     distributedOperation  (2),
     dSAOperation          (3) }

   END

Authors' Addresses

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   Email: turners@ieca.com

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com