diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9169.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9169.txt')
-rw-r--r-- | doc/rfc/rfc9169.txt | 360 |
1 files changed, 360 insertions, 0 deletions
diff --git a/doc/rfc/rfc9169.txt b/doc/rfc/rfc9169.txt new file mode 100644 index 0000000..58df8c3 --- /dev/null +++ b/doc/rfc/rfc9169.txt @@ -0,0 +1,360 @@ + + + + +Internet Engineering Task Force (IETF) R. Housley +Request for Comments: 9169 Vigil Security +Category: Informational C. Wallace +ISSN: 2070-1721 Red Hound Software + December 2021 + + + New ASN.1 Modules for the Evidence Record Syntax (ERS) + +Abstract + + The Evidence Record Syntax (ERS) and the conventions for including + these evidence records in the Server-based Certificate Validation + Protocol (SCVP) are expressed using ASN.1. This document offers + alternative ASN.1 modules that conform to the 2002 version of ASN.1 + and employ the conventions adopted in RFCs 5911, 5912, and 6268. + There are no bits-on-the-wire changes to any of the formats; this is + simply a change to the ASN.1 syntax. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are candidates for any level of Internet + Standard; see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9169. + +Copyright Notice + + Copyright (c) 2021 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 2. ASN.1 Module for RFC 4998 + 3. ASN.1 Module for RFC 5276 + 4. IANA Considerations + 5. Security Considerations + 6. References + 6.1. Normative References + 6.2. Informative References + Authors' Addresses + +1. Introduction + + Some developers would like the IETF to use the latest version of + ASN.1 in its standards. This document provides alternative ASN.1 + modules to assist in that goal. + + The Evidence Record Syntax (ERS) [RFC4998] provides two ASN.1 + modules: one using the 1988 syntax [OLD-ASN1], which has been + deprecated by the ITU-T, and another one using the newer syntax + [NEW-ASN1], which continues to be maintained and enhanced. This + document provides an alternative ASN.1 module that follows the + conventions established in [RFC5911], [RFC5912], and [RFC6268]. + + In addition, [RFC5276] specifies the mechanism for conveying evidence + records in the Server-based Certificate Validation Protocol (SCVP) + [RFC5055]. There is only one ASN.1 module in [RFC5276], and it uses + the 1988 syntax [OLD-ASN1]. This document provides an alternative + ASN.1 module using the newer syntax [NEW-ASN1] and follows the + conventions established in [RFC5911], [RFC5912], and [RFC6268]. Note + that [RFC5912] already includes an alternative ASN.1 module for SCVP + [RFC5055]. + + The original ASN.1 modules get some of their definitions from places + outside the RFC series. Some of the referenced definitions are + somewhat difficult to find. The alternative ASN.1 modules offered in + this document stand on their own when combined with the modules in + [RFC5911], [RFC5912], and [RFC6268]. + + The alternative ASN.1 modules produce the same bits on the wire as + the original ones. + + The alternative ASN.1 modules are informative; the original ones are + normative. + +2. ASN.1 Module for RFC 4998 + + <CODE BEGINS> + ERS-2021 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) ltans(11) id-mod(0) + id-mod-ers(1) id-mod-ers-v2(2) } + + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + + EXPORTS ALL; + + IMPORTS + + ContentInfo + FROM CryptographicMessageSyntax-2010 -- in [RFC6268] + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } + + AlgorithmIdentifier{}, DIGEST-ALGORITHM + FROM AlgorithmInformation-2009 -- in [RFC5912] + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58) } + + AttributeSet{}, ATTRIBUTE + FROM PKIX-CommonTypes-2009 -- in [RFC5912] + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-pkixCommon-02(57) } + ; + + ltans OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) + dod(6) internet(1) security(5) mechanisms(5) ltans(11) } + + EvidenceRecord ::= SEQUENCE { + version INTEGER { v1(1) }, + digestAlgorithms SEQUENCE OF AlgorithmIdentifier + {DIGEST-ALGORITHM, {...}}, + cryptoInfos [0] CryptoInfos OPTIONAL, + encryptionInfo [1] EncryptionInfo OPTIONAL, + archiveTimeStampSequence ArchiveTimeStampSequence } + + CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute + + ArchiveTimeStamp ::= SEQUENCE { + digestAlgorithm [0] AlgorithmIdentifier + {DIGEST-ALGORITHM, {...}} OPTIONAL, + attributes [1] Attributes OPTIONAL, + reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL, + timeStamp ContentInfo } + + PartialHashtree ::= SEQUENCE OF OCTET STRING + + Attributes ::= SET SIZE (1..MAX) OF Attribute + + ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp + + ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain + + EncryptionInfo ::= SEQUENCE { + encryptionInfoType ENCINFO-TYPE.&id + ({SupportedEncryptionAlgorithms}), + encryptionInfoValue ENCINFO-TYPE.&Type + ({SupportedEncryptionAlgorithms}{@encryptionInfoType}) } + + ENCINFO-TYPE ::= TYPE-IDENTIFIER + + SupportedEncryptionAlgorithms ENCINFO-TYPE ::= { ... } + + aa-er-internal ATTRIBUTE ::= + { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal } + + id-aa-er-internal OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 49 } + + aa-er-external ATTRIBUTE ::= + { TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external } + + id-aa-er-external OBJECT IDENTIFIER ::= { iso(1) member-body(2) + us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 50 } + + ERSAttrSet ATTRIBUTE ::= { aa-er-internal | aa-er-external, ... } + + Attribute ::= AttributeSet {{ERSAttrSet}} + + END + <CODE ENDS> + +3. ASN.1 Module for RFC 5276 + + <CODE BEGINS> + LTANS-SCVP-EXTENSION-2021 + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) ltans(11) id-mod(0) + id-mod-ers-scvp(5) id-mod-ers-scvp-v2(2) } + + DEFINITIONS IMPLICIT TAGS ::= + BEGIN + + EXPORTS ALL; + + IMPORTS + + id-swb, CertBundle, WANT-BACK, AllWantBacks + FROM SCVP-2009 -- in [RFC5912] + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-scvp-02(52) } + + EvidenceRecord + FROM ERS-2021 -- in [RFC9169] + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) ltans(11) id-mod(0) + id-mod-ers(1) id-mod-ers-v2(2) } + ; + + EvidenceRecordWantBack ::= SEQUENCE { + targetWantBack WANT-BACK.&id ({ExpandedWantBacks}), + evidenceRecord EvidenceRecord OPTIONAL } + + EvidenceRecordWantBacks ::= SEQUENCE SIZE (1..MAX) OF + EvidenceRecordWantBack + + EvidenceRecords ::= SEQUENCE SIZE (1..MAX) OF EvidenceRecord + + ExpandedWantBacks WANT-BACK ::= { AllWantBacks | + NewWantBacks | + ERSWantBacks, ... } + + NewWantBacks WANT-BACK ::= { swb-partial-cert-path, ... } + + swb-partial-cert-path WANT-BACK ::= + { CertBundle IDENTIFIED BY id-swb-partial-cert-path } + + id-swb-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 15 } + + ERSWantBacks WANT-BACK ::= { swb-ers-pkc-cert | + swb-ers-best-cert-path | + swb-ers-partial-cert-path | + swb-ers-revocation-info | + swb-ers-all, ... } + + swb-ers-pkc-cert WANT-BACK ::= + { EvidenceRecord IDENTIFIED BY id-swb-ers-pkc-cert } + + id-swb-ers-pkc-cert OBJECT IDENTIFIER ::= { id-swb 16 } + + swb-ers-best-cert-path WANT-BACK ::= + { EvidenceRecord IDENTIFIED BY id-swb-ers-best-cert-path } + + id-swb-ers-best-cert-path OBJECT IDENTIFIER ::= { id-swb 17 } + + swb-ers-partial-cert-path WANT-BACK ::= + { EvidenceRecord IDENTIFIED BY id-swb-ers-partial-cert-path } + + id-swb-ers-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 18 } + + swb-ers-revocation-info WANT-BACK ::= + { EvidenceRecords IDENTIFIED BY id-swb-ers-revocation-info } + + id-swb-ers-revocation-info OBJECT IDENTIFIER ::= { id-swb 19 } + + swb-ers-all WANT-BACK ::= + { EvidenceRecordWantBacks IDENTIFIED BY id-swb-ers-all } + + id-swb-ers-all OBJECT IDENTIFIER ::= { id-swb 20 } + + END + <CODE ENDS> + +4. IANA Considerations + + IANA has assigned two object identifiers from the "SMI Security for + LTANS Module Identifier" registry to identify the two ASN.1 modules + in this document. + + The following object identifiers have been assigned: + + +======================+====================+===========+ + | OID Value | Description | Reference | + +======================+====================+===========+ + | 1.3.6.1.5.5.11.0.1.2 | id-mod-ers-v2 | RFC 9169 | + +----------------------+--------------------+-----------+ + | 1.3.6.1.5.5.11.0.5.2 | id-mod-ers-scvp-v2 | RFC 9169 | + +----------------------+--------------------+-----------+ + + Table 1: IANA Object Identifiers + +5. Security Considerations + + Please see the security considerations in [RFC4998] and [RFC5276]. + This document makes no changes to the security considerations in + those documents. The ASN.1 modules in this document preserve bits on + the wire as the ASN.1 modules that they replace. + +6. References + +6.1. Normative References + + [NEW-ASN1] ITU-T, "Information technology -- Abstract Syntax Notation + One (ASN.1): Specification of basic notation", ITU-T + Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, + <https://www.itu.int/rec/T-REC-X.680>. + + [RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, "Evidence + Record Syntax (ERS)", RFC 4998, DOI 10.17487/RFC4998, + August 2007, <https://www.rfc-editor.org/info/rfc4998>. + + [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. + Polk, "Server-Based Certificate Validation Protocol + (SCVP)", RFC 5055, DOI 10.17487/RFC5055, December 2007, + <https://www.rfc-editor.org/info/rfc5055>. + + [RFC5276] Wallace, C., "Using the Server-Based Certificate + Validation Protocol (SCVP) to Convey Long-Term Evidence + Records", RFC 5276, DOI 10.17487/RFC5276, August 2008, + <https://www.rfc-editor.org/info/rfc5276>. + + [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for + Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, + DOI 10.17487/RFC5911, June 2010, + <https://www.rfc-editor.org/info/rfc5911>. + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, + DOI 10.17487/RFC5912, June 2010, + <https://www.rfc-editor.org/info/rfc5912>. + + [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules + for the Cryptographic Message Syntax (CMS) and the Public + Key Infrastructure Using X.509 (PKIX)", RFC 6268, + DOI 10.17487/RFC6268, July 2011, + <https://www.rfc-editor.org/info/rfc6268>. + +6.2. Informative References + + [OLD-ASN1] CCITT, "Specification of Abstract Syntax Notation One + (ASN.1)", CCITT Recommendation X.208, November 1988, + <https://www.itu.int/rec/T-REC-X.208/en>. + +Authors' Addresses + + Russ Housley + Vigil Security, LLC + 516 Dranesville Road + Herndon, VA 20170 + United States of America + + Email: housley@vigilsec.com + + + Carl Wallace + Red Hound Software, Inc. + 5112 27th St. N + Arlington, VA 22207 + United States of America + + Email: carl@redhoundsoftware.com |