INTERNET DRAFT                                            EXPIRES FEB 1998
Internet Draft                                               Peter Gutmann
                                                    University of Auckland

                  ElGamal Profile for X.509 Certificates

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

   Distribution of this document is unlimited.

Abstract

   This document describes the ASN.1 encoding for an X.509 certificate
   profiled for use with the ElGamal public key cryptosystem [1].
   It is intended to provide guidelines for those developing software
   that will be used to issue and use ElGamal certificates, and to
   ensure that ElGamal certificate and key information will be handled
   consistently throughout the public key infrastructure.

1. ASN.1 Definition of Certificate Elements

   The abstract definition of X.509 certificates is given in [2]. The
   elements specific to ElGamal are the algorithm identifier, the public
   key information, and the signature data. These are as follows:

   -- ElGamal may be used in conjunction with the SHA-1 and RIPEMD-160
   -- hash algorithms. The ASN.1 object identifiers used to identify
   -- the ElGamal signature algorithm when used with these two hash
   -- algorithms are:

   elGamalWithSHA-1 OBJECT IDENTIFIER ::= {
       iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
       dds(3029) signature(3) 1
   }

   elGamalWithRIPEMD-160 OBJECT IDENTIFIER ::= {
       iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
       dds(3029) signature(3) 2
   }

   -- Some of the ElGamal parameters may be shared among a number of
   -- users. These are conveyed in the parameters component of the
   -- ElGamal AlgorithmIdentifier, and are as follows:

   elGamal-Params ::= SEQUENCE {
       p INTEGER,
       g INTEGER
   }

   -- The remaining ElGamal parameter is the user's public key:

   elGamalPublicKey ::= SEQUENCE {
       y INTEGER
   }

   -- The AlgorithmIdentifier and public key are then encoded into a
   -- standard X.509 SubjectPublicKeyInfo:

   SubjectPublicKeyInfo ::= SEQUENCE {
       algorithm AlgorithmIdentifier,
       subjectPublicKey BIT STRING
   }

   -- Prior to the bitstring encoding of an ElGamal signature, the
   -- signature components are encoded as follows:

   elGamal-Sig ::= SEQUENCE {
       r INTEGER,
       s INTEGER
   }

2. Use of ElGamal for Encryption

   The ElGamal algorithm may also be used for encryption.
   In this case the message formatting rules follow the rules for RSA
   encryption as set out in PKCS #1 [3], and use a message block type
   of 01. The object identifier for ElGamal encryption is:

   elGamalEncryption OBJECT IDENTIFIER ::= {
       iso(1) org(3) dod(6) internet(1) private(4) enterprise(1)
       dds(3029) asymmetric-encryption(2) 1
   }

   The encrypted message consists of two components, the integers
   a = g^k mod p and b = My^k mod p (this is not intended as an
   explanation of the ElGamal algorithm, but merely to indicate which
   integer is which). The encoding of these integers is:

   elGamalEncryptedMessage ::= SEQUENCE {
       a INTEGER,
       b INTEGER
   }

   Decryption follows the ElGamal algorithm, and the decrypted message
   is again handled as per PKCS #1.

3. Security Considerations

   Although the use of the ElGamal algorithm for digital signature
   generation is not directly addressed in this document, it should be
   pointed out that some care needs to be taken with both the choice of
   keys and the use of the algorithm. Details on the safe use of ElGamal
   are given in [4]. A weakness of ElGamal when used for digital
   signatures, and workarounds to avoid the weakness, are given in [5].

   Ongoing research into the security of ElGamal may reveal other
   factors which need to be taken into account to provide adequate
   security for signature and encryption applications; for example, it
   is desirable that g generate a large subgroup of Zp*. It is
   recommended that implementors keep abreast of current research on
   the choice of parameters and use of the algorithm in order to avoid
   potential security weaknesses.

4. References

   [1] "A public-key cryptosystem based on discrete logarithms", Taher
       ElGamal, IEEE Transactions on Information Theory, Vol.31, No.4
       (1985), p.469.

   [2] ITU Recommendation X.509 (1993).
   [3] Public-Key Cryptography Standard #1 (PKCS #1) v1.5, RSA Data
       Security Inc, November 1993.

   [4] "Handbook of Applied Cryptography", Alfred Menezes, Paul van
       Oorschot, and Scott Vanstone, CRC Press, 1996.

   [5] "Generating ElGamal signatures without knowing the secret key",
       Daniel Bleichenbacher, presented at EuroCrypt'96.

Author's Address

   Peter Gutmann
   University of Auckland
   Private Bag 92019
   Auckland
   New Zealand

   Phone: +64 9 373-7599
   Email: pgut001@cs.auckland.ac.nz
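Worked example, added to this copy of the page and not part of Gutmann's draft: a Python script that DER-encodes the Section 1 structures (elGamal-Params and elGamalPublicKey inside SubjectPublicKeyInfo, and elGamal-Sig) and carries out the Section 2 procedure (PKCS #1 block type 01 formatting, the pair a = g^k mod p, b = My^k mod p as an elGamalEncryptedMessage, then decryption and unpadding). Assumptions the draft does not state: the key's AlgorithmIdentifier is given the elGamalEncryption object identifier from Section 2, the PKCS #1 block length k is the octet length of p, and TOY_P/TOY_G are a constructed Mersenne-prime group chosen only so the script runs, not parameters meeting the Section 3 advice on g and the subgroup it generates. All function names are the example's own.

```python
# Added worked example (not the draft's own code): DER encoding of the Section 1 and
# Section 2 structures, and ElGamal encryption of a PKCS #1 block type 01 message as
# Section 2 describes.  Assumed here, not stated by the draft: the key's AlgorithmIdentifier
# carries the elGamalEncryption OID, the PKCS #1 block is p's octet length, TOY_P/TOY_G are a toy.
import secrets

ELGAMAL_ENCRYPTION_OID, ELGAMAL_WITH_SHA1_OID = "1.3.6.1.4.1.3029.2.1", "1.3.6.1.4.1.3029.3.1"
TOY_P, TOY_G = (1 << 521) - 1, 3   # Mersenne prime chosen for convenience, not for the subgroup properties Section 3 asks for

def der(tag, body):                   # tag octet, DER length (short or long form), content
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_integer(value):               # (bits + 8) // 8 octets leaves room for a clear sign bit
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))
def der_sequence(*elements):
    return der(0x30, b"".join(elements))
def der_bit_string(data):             # leading octet = number of unused bits
    return der(0x03, b"\x00" + data)

def der_oid(dotted):                  # first two arcs merge; the rest are base-128 with continuation bits
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def der_read(data, pos=0):            # -> (tag, content, position after the element)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_integers(seq):             # SEQUENCE of non-negative INTEGERs -> list of ints
    _, content, _ = der_read(seq)
    values, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        assert tag == 0x02, "expected INTEGER"
        values.append(int.from_bytes(body, "big"))
    return values

# Section 1: SubjectPublicKeyInfo carrying elGamal-Params and elGamalPublicKey
def encode_subject_public_key_info(p, g, y, oid=ELGAMAL_ENCRYPTION_OID):
    params = der_sequence(der_integer(p), der_integer(g))
    alg_id = der_sequence(der_oid(oid), params)
    return der_sequence(alg_id, der_bit_string(der_sequence(der_integer(y))))

def decode_subject_public_key_info(spki):   # -> (p, g, y)
    _, content, _ = der_read(spki)
    _, alg_id, pos = der_read(content)
    _, bits, _ = der_read(content, pos)
    _, _, pos = der_read(alg_id)                  # step over the algorithm OID
    return (*decode_integers(alg_id[pos:]), *decode_integers(bits[1:]))

def encode_signature(r, s):           # elGamal-Sig, the content of the certificate's signature BIT STRING
    return der_sequence(der_integer(r), der_integer(s))

# Section 2: PKCS #1 block type 01 formatting, then a = g^k mod p, b = M * y^k mod p
def pkcs1_pad_bt01(message, k):       # EB = 00 || 01 || FF..FF || 00 || D, k octets long
    if len(message) > k - 11:         # the FF padding string must be at least 8 octets
        raise ValueError("message too long for the modulus")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(message)) + b"\x00" + message

def pkcs1_unpad_bt01(block):
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or any(c != 0xFF for c in block[2:sep]):
        raise ValueError("malformed block")
    return block[sep + 1:]

def elgamal_encrypt(p, g, y, message):
    p_len = (p.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_pad_bt01(message, p_len), "big")   # leading 00 octet keeps m < p
    k = secrets.randbelow(p - 2) + 1                             # fresh ephemeral, 1 <= k < p - 1
    a = pow(g, k, p)
    b = m * pow(y, k, p) % p
    return der_sequence(der_integer(a), der_integer(b))         # elGamalEncryptedMessage

def elgamal_decrypt(p, x, encrypted):
    a, b = decode_integers(encrypted)
    m = b * pow(a, p - 1 - x, p) % p                             # a^(-x) mod p via Fermat
    return pkcs1_unpad_bt01(m.to_bytes((p.bit_length() + 7) // 8, "big"))

def demo(message=b"hello"):
    x = secrets.randbelow(TOY_P - 2) + 1        # private key
    y = pow(TOY_G, x, TOY_P)                    # public key y = g^x mod p
    spki = encode_subject_public_key_info(TOY_P, TOY_G, y)
    assert decode_subject_public_key_info(spki) == (TOY_P, TOY_G, y)
    return elgamal_decrypt(TOY_P, x, elgamal_encrypt(TOY_P, TOY_G, y, message))

if __name__ == "__main__":
    print(demo())
```

Running the script prints the recovered plaintext after a full encode, encrypt, decode, decrypt round trip. Two points worth noticing when reading it: the leading 00 octet of the PKCS #1 block is what guarantees the padded integer is smaller than p, and the unpadding routine refuses anything that is not exactly 00 01, at least eight FF octets, 00, data, so a ciphertext that decrypts to garbage is reported as an error rather than returned as data.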