idnits 2.17.00 (12 Aug 2021)

/tmp/idnits49550/draft-turner-lamps-adding-sha3-to-pkix-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 6, 2017) is 1901 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'DSS'

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SHA3'

  == Outdated reference: draft-ietf-curdle-pkix has been published as RFC 8410

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          S. Turner
Internet-Draft                                                     sn3rd
Intended status: Standards Track                           March 6, 2017
Expires: September 7, 2017

            SHA-3 Related Algorithms and Identifiers for PKIX
                draft-turner-lamps-adding-sha3-to-pkix-00

Abstract

   This document describes the conventions for using the SHA-3 family of
   hash functions in the Internet X.509 PKI as one-way hash functions
   and with the ECDSA signature algorithm; the conventions for the
   associated ECDSA subject public keys are also described.  Digital
   signatures are used to sign certificates and CRLs (Certificate
   Revocation Lists).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 7, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Algorithm Support
     2.1.  SHA-3 One-way Hash Functions
     2.2.  ECDSA Signature Algorithm with SHA-3
     2.3.  ECDSA Public Keys
   3.  Security Considerations
   4.  IANA Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  2015 ASN.1 Module
   Appendix B.  1988 ASN.1 Module
   Author's Address

1.  Introduction

   [RFC3279], [RFC4055], [RFC5480], and [I-D.ietf-curdle-pkix] define
   the contents of the signatureAlgorithm, signatureValue, signature,
   and subjectPublicKeyInfo fields within Internet X.509 certificates
   and CRLs (Certificate Revocation Lists) [RFC5280] for a number of
   algorithms.  This document does the same for the SHA-3 family of
   one-way hash functions and their use with the ECDSA and RSA PKCS#1
   v1.5 digital signature algorithms.

   Familiarity with [RFC5280] is assumed.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

2.  Algorithm Support

   This section describes cryptographic algorithms which may be used
   with the Internet X.509 Certificate and CRL profile [RFC5280].
   This section describes one-way hash functions and digital signature
   algorithms which may be used to sign certificates and CRLs, and
   identifies OIDs (Object Identifiers) for public keys contained in a
   certificate.

2.1.  SHA-3 One-way Hash Functions

   The SHA-3 family of one-way hash functions is specified in [SHA3].
   In the SHA-3 family, four hash functions are defined: SHA3-224,
   SHA3-256, SHA3-384, and SHA3-512; two extendable-output functions,
   called SHAKE128 and SHAKE256, are also defined but are not addressed
   by this document.  The respective output lengths, in bits, of the
   SHA-3 hash functions are 224, 256, 384, and 512, and as of this
   document's publication date they correspond to 112, 128, 192, and
   256 bits of security [RFC3766].  The OIDs (Object Identifiers) for
   these four hash functions are as follows:

     id-sha3-224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                         us(840) organization(1) gov(101)
                                         csor(3) nistAlgorithm(4)
                                         hashAlgs(2) 7 }

     id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                         us(840) organization(1) gov(101)
                                         csor(3) nistAlgorithm(4)
                                         hashAlgs(2) 8 }

     id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                         us(840) organization(1) gov(101)
                                         csor(3) nistAlgorithm(4)
                                         hashAlgs(2) 9 }

     id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                         us(840) organization(1) gov(101)
                                         csor(3) nistAlgorithm(4)
                                         hashAlgs(2) 10 }

   When using the id-sha3-224, id-sha3-256, id-sha3-384, or id-sha3-512
   algorithm identifiers, the parameters field MUST be absent; not NULL
   but absent.

2.2.  ECDSA Signature Algorithm with SHA-3

   The ECDSA (Elliptic Curve Digital Signature Algorithm) is defined in
   [DSS].
   When ECDSA is used in conjunction with one of the SHA-3 one-way
   hash functions, the OID is, respectively:

     id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= {
                                  joint-iso-itu-t(2) country(16)
                                  us(840) organization(1) gov(101)
                                  csor(3) nistAlgorithm(4)
                                  sigAlgs(3) 9 }

     id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
                                  joint-iso-itu-t(2) country(16)
                                  us(840) organization(1) gov(101)
                                  csor(3) nistAlgorithm(4)
                                  sigAlgs(3) 10 }

     id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
                                  joint-iso-itu-t(2) country(16)
                                  us(840) organization(1) gov(101)
                                  csor(3) nistAlgorithm(4)
                                  sigAlgs(3) 11 }

     id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
                                  joint-iso-itu-t(2) country(16)
                                  us(840) organization(1) gov(101)
                                  csor(3) nistAlgorithm(4)
                                  sigAlgs(3) 12 }

   When these algorithm identifiers appear as the algorithm field in an
   AlgorithmIdentifier, the encoding MUST omit the parameters field.
   That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
   component: the OBJECT IDENTIFIER id-ecdsa-with-sha3-224,
   id-ecdsa-with-sha3-256, id-ecdsa-with-sha3-384, or
   id-ecdsa-with-sha3-512.

   The ECParameters in the subjectPublicKeyInfo field of the issuer's
   certificate SHALL apply to the verification of the signature.

   When signing, the ECDSA algorithm generates two values.  These values
   are commonly referred to as r and s.  To easily transfer these two
   values as one signature, they MUST be ASN.1 encoded using the
   ECDSA-Sig-Value defined in [RFC3279] but repeated here for
   convenience:

     ECDSA-Sig-Value ::= SEQUENCE {
       r  INTEGER,
       s  INTEGER }

2.3.  ECDSA Public Keys

   The conventions for ECDSA public keys are as specified in [RFC5480].

3.  Security Considerations

   TBD

4.  IANA Considerations

   IANA is kindly requested to register two OIDs in the SMI Security for
   PKIX Module Identifier registry for the ASN.1 modules found in
   Appendix A.1 and A.2.
   The description is as follows:

   o  id-mod-pkix1-sha3-2015

   o  id-mod-pkix1-sha3-1988

   where the four digits at the end represent the ASN.1's publication
   date.

5.  References

5.1.  Normative References

   [DSS]      National Institute of Standards and Technology, U.S.
              Department of Commerce, "Digital Signature Standard,
              version 4", NIST FIPS PUB 186-4, 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April
              2002.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, DOI 10.17487/RFC5480, March 2009.

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010.

   [SHA3]     National Institute of Standards and Technology, U.S.
              Department of Commerce, "SHA-3 Standard - Permutation-
              Based Hash and Extendable-Output Functions", NIST FIPS PUB
              202, August 2015.

5.2.  Informative References

   [I-D.ietf-curdle-pkix]
              Josefsson, S. and J. Schaad, "Algorithm Identifiers for
              Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for
              use in the Internet X.509 Public Key Infrastructure",
              draft-ietf-curdle-pkix-03 (work in progress), November
              2016.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, DOI 10.17487/RFC3766, April 2004.

   [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
              Algorithms and Identifiers for RSA Cryptography for use in
              the Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile", RFC 4055,
              DOI 10.17487/RFC4055, June 2005.

Appendix A.  2015 ASN.1 Module

   PKIXAlgsForSHA3-2015 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-pkix1-sha3-2015(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL;

   IMPORTS

   -- FROM [RFC5912]

   PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS
   FROM AlgorithmInformation-2009
     { iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0)
       id-mod-algorithmInformation-02(58) }

   -- FROM [RFC5912]

   id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value
   FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-pkix1-algorithms2008-02(56) }

   ;

   -- One-Way Hash Functions

   -- SHA3-256

   mda-sha3-256 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-256
     PARAMS ARE absent
   }

   id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 8 }

   -- SHA3-384

   mda-sha3-384 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-384
     PARAMS ARE absent
   }

   id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 9 }

   -- SHA3-512

   mda-sha3-512 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-512
     PARAMS ARE absent
   }

   id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 10 }

   --
   -- Public Key (pk-) Algorithms
   --

   PublicKeys PUBLIC-KEY ::= {
     ...,
     pk-ec
   }

   -- From [RFC5912] - Here so it compiles.

   pk-ec PUBLIC-KEY ::= {
     IDENTIFIER id-ecPublicKey
     KEY ECPoint
     PARAMS TYPE ECParameters ARE required
     -- Private key format not in this module --
     CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyAgreement,
                      keyCertSign, cRLSign }
   }

   --
   -- Signature Algorithms (sa-)
   --

   SignatureAlgs SIGNATURE-ALGORITHM ::= {
     ...,
     -- This expands SignatureAlgorithms from [RFC5912]
     sa-ecdsaWithSHA3-256 |
     sa-ecdsaWithSHA3-384 |
     sa-ecdsaWithSHA3-512
   }

   --
   -- SMIME Capabilities (sa-)
   --

   SMimeCaps SMIME-CAPS ::= {
     -- This expands SMimeCaps from [RFC5912]
     sa-ecdsaWithSHA3-256.&smimeCaps |
     sa-ecdsaWithSHA3-384.&smimeCaps |
     sa-ecdsaWithSHA3-512.&smimeCaps
   }

   -- ECDSA with SHA3-256

   sa-ecdsaWithSHA3-256 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-256
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-256 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-256 }
   }

   id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 10 }

   -- ECDSA with SHA3-384

   sa-ecdsaWithSHA3-384 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-384
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-384 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-384 }
   }

   id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 11 }

   -- ECDSA with SHA3-512

   sa-ecdsaWithSHA3-512 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-512
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-512 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-512 }
   }

   id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 12 }

   END

Appendix B.  1988 ASN.1 Module

   PKIXAlgsForSHA3-1988 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-pkix1-sha3-1988(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL;

   -- IMPORTS NONE;

   --
   -- Message Digest Algorithms
   --

   -- SHA3-256
   -- Parameters are absent

   id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 8 }

   -- SHA3-384
   -- Parameters are absent

   id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 9 }

   -- SHA3-512
   -- Parameters are absent

   id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                                       us(840) organization(1) gov(101)
                                       csor(3) nistAlgorithm(4)
                                       hashAlgs(2) 10 }

   --
   -- ECDSA Keys, Signatures, and Curves
   --

   -- OID for ECDSA signatures with SHA3-256

   id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 10 }

   -- OID for ECDSA signatures with SHA3-384

   id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 11 }

   -- OID for ECDSA signatures with SHA3-512

   id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
                                joint-iso-itu-t(2) country(16)
                                us(840) organization(1) gov(101)
                                csor(3) nistAlgorithm(4)
                                sigAlgs(3) 12 }

   -- See [RFC5480] for ECDSA-Sig-Value, which is the format for
   -- the value of an ECDSA signature value.

   -- See [RFC5480] for ECDSA Keys and Curves.

   END

Author's Address

   Sean Turner
   sn3rd

   Email: sean@sn3rd.com
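
The following Python example is added here and is not part of the draft. It shows the DER encodings that Sections 2.1 and 2.2 call for: an AlgorithmIdentifier whose parameters field is absent, a check that rejects an encoding carrying parameters such as NULL, and the ECDSA-Sig-Value SEQUENCE. The helper names are assumptions made for the illustration; only the OID arcs come from the draft.

```python
# Added example (helper names are illustrative; only the OID arcs come from the draft).
NIST_ALG = (2, 16, 840, 1, 101, 3, 4)          # ... csor(3) nistAlgorithm(4)
OIDS = {                                        # hashAlgs(2) / sigAlgs(3) arcs
    "id-sha3-224": (2, 7), "id-sha3-256": (2, 8),
    "id-sha3-384": (2, 9), "id-sha3-512": (2, 10),
    "id-ecdsa-with-sha3-224": (3, 9), "id-ecdsa-with-sha3-256": (3, 10),
    "id-ecdsa-with-sha3-384": (3, 11), "id-ecdsa-with-sha3-512": (3, 12),
}

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:                                # short-form length
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body   # long-form length

def _base128(v):
    out = [v & 0x7F]
    while v := v >> 7:
        out.append(0x80 | (v & 0x7F))
    return bytes(reversed(out))

def encode_oid(arcs):                           # first two arcs share one octet
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]]) + b"".join(map(_base128, arcs[2:])))

def algorithm_identifier(name):
    # SEQUENCE of one component: the parameters field is absent, not NULL.
    return _tlv(0x30, encode_oid(NIST_ALG + OIDS[name]))

def check_algorithm_identifier(der):
    """Return the algorithm name; reject any encoding that carries parameters."""
    if len(der) < 4 or der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0x06:
        raise ValueError("not a short-form DER AlgorithmIdentifier")
    end = 4 + der[3]
    oid, params = der[2:end], der[end:]
    names = {encode_oid(NIST_ALG + arcs): n for n, arcs in OIDS.items()}
    if oid not in names:
        raise ValueError("OID is not defined by this draft")
    if params:
        raise ValueError(f"{names[oid]}: parameters MUST be absent, got {params.hex()}")
    return names[oid]

def encode_integer(v):
    # One spare bit of room keeps a value with its top bit set positive.
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ecdsa_sig_value(r, s):
    # ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
    return _tlv(0x30, encode_integer(r) + encode_integer(s))
```

An encoder that appends 05 00 (NULL) after one of these OIDs produces a different byte string than the one the draft mandates, so byte-exact comparison of signatureAlgorithm fields fails for it; the check above reports that case explicitly.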