| draft-ietf-lamps-cms-hash-sig-01.txt | draft-ietf-lamps-cms-hash-sig-02.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) R. Housley | INTERNET-DRAFT R. Housley | |||
| Intended Status: Proposed Standard Vigil Security | Internet Engineering Task Force (IETF) Vigil Security | |||
| Expires: 27 March 2019 23 September 2018 | Intended Status: Proposed Standard | |||
| Expires: 17 April 2019 17 October 2018 | ||||
| Use of the HSS/LMS Hash-based Signature Algorithm | Use of the HSS/LMS Hash-based Signature Algorithm | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-lamps-cms-hash-sig-01> | <draft-ietf-lamps-cms-hash-sig-02> | |||
| Abstract | Abstract | |||
| This document specifies the conventions for using the the HSS/LMS | This document specifies the conventions for using the the HSS/LMS | |||
| hash-based signature algorithm with the Cryptographic Message Syntax | hash-based signature algorithm with the Cryptographic Message Syntax | |||
| (CMS). The HSS/LMS algorithm is one form of hash-based digital | (CMS). The HSS/LMS algorithm is one form of hash-based digital | |||
| signature; it is described in [HASHSIG]. | signature; it is described in [HASHSIG]. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. HSS/LMS Hash-based Signature Algorithm Overview . . . . . . . 3 | 2. HSS/LMS Hash-based Signature Algorithm Overview . . . . . . . 3 | |||
| 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | |||
| 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 4 | 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 4 | |||
| 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 5 | 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 5 | |||
| 3. Algorithm Identifiers and Parameters . . . . . . . . . . . . . 6 | 3. Algorithm Identifiers and Parameters . . . . . . . . . . . . . 6 | |||
| 4. HSS/LMS Public Key Identifier . . . . . . . . . . . . . . . . 7 | 4. HSS/LMS Public Key Identifier . . . . . . . . . . . . . . . . 7 | |||
| 5. Signed-data Conventions . . . . . . . . . . . . . . . . . . . 7 | 5. Signed-data Conventions . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. Implementation Security Considerations . . . . . . . . . . 8 | 6.1. Implementation Security Considerations . . . . . . . . . . 9 | |||
| 6.2. Algorithm Security Considerations . . . . . . . . . . . . 9 | 6.2. Algorithm Security Considerations . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Appendix: ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 12 | Appendix: ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies the conventions for using the HSS/LMS hash- | This document specifies the conventions for using the HSS/LMS hash- | |||
| based signature algorithm with the Cryptographic Message Syntax (CMS) | based signature algorithm with the Cryptographic Message Syntax (CMS) | |||
| [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | |||
| system provides a one-time digital signature that is a variant of | system provides a one-time digital signature that is a variant of | |||
| Merkle Tree Signatures (MTS). A Hierarchical Signature System (HSS) | Merkle Tree Signatures (MTS). The Hierarchical Signature System | |||
| built on top of the LMS system to efficiently scale for a larger | (HSS) is built on top of the LMS system to efficiently scale for a | |||
| numbers of signatures. The HSS/LMS algorithm is one form of hash- | larger numbers of signatures. The HSS/LMS algorithm is one form of | |||
| based digital signature, and it is described in [HASHSIG]. The | hash-based digital signature, and it is described in [HASHSIG]. The | |||
| HSS/LMS signature algorithm can only be used for a fixed number of | HSS/LMS signature algorithm can only be used for a fixed number of | |||
| signing operations. The HSS/LMS signature algorithm uses small | signing operations. The HSS/LMS signature algorithm uses small | |||
| private and public keys, and it has low computational cost; however, | private and public keys, and it has low computational cost; however, | |||
| the signatures are quite large. | the signatures are quite large. | |||
| 1.1. ASN.1 | 1.1. ASN.1 | |||
| CMS values are generated using ASN.1 [ASN1-B], using the Basic | CMS values are generated using ASN.1 [ASN1-B], using the Basic | |||
| Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | |||
| [ASN1-E]. | [ASN1-E]. | |||
| skipping to change at page 4, line 12 ¶ | skipping to change at page 4, line 12 ¶ | |||
| permit the registration of additional one-way hash functions in the | permit the registration of additional one-way hash functions in the | |||
| future. | future. | |||
| 2.1. Hierarchical Signature System (HSS) | 2.1. Hierarchical Signature System (HSS) | |||
| The MTS system specified in [HASHSIG] uses a hierarchy of trees. The | The MTS system specified in [HASHSIG] uses a hierarchy of trees. The | |||
| Hierarchical N-time Signature System (HSS) allows subordinate trees | Hierarchical N-time Signature System (HSS) allows subordinate trees | |||
| to be generated when needed by the signer. Otherwise, generation of | to be generated when needed by the signer. Otherwise, generation of | |||
| the entire tree might take weeks or longer. | the entire tree might take weeks or longer. | |||
| An HSS signature as specified in specified in [HASHSIG] carries the | An HSS signature as specified in [HASHSIG] carries the number of | |||
| number of signed public keys (Nspk), followed by that number of | signed public keys (Nspk), followed by that number of signed public | |||
| signed public keys, followed by the LMS signature as described in | keys, followed by the LMS signature as described in Section 2.2. | |||
| Section 2.2. Each signed public key is represented by the hash value | Each signed public key is represented by the hash value at the root | |||
| at the root of the tree, and it also contains information about the | of the tree, and it also contains information about the tree | |||
| tree structure. The signature over the public key is an LMS | structure. The signature over the public key is an LMS signature as | |||
| signature as described in Section 2.2. | described in Section 2.2. | |||
| The elements of the HSS signature value for a stand-alone tree can be | The elements of the HSS signature value for a stand-alone tree can be | |||
| summarized as: | summarized as: | |||
| u32str(0) || | u32str(0) || | |||
| lms_signature /* signature of message */ | lms_signature /* signature of message */ | |||
| The elements of the HSS signature value for a tree with Nspk levels | The elements of the HSS signature value for a tree with Nspk signed | |||
| can be summarized as: | public keys can be summarized as: | |||
| u32str(Nspk) || | u32str(Nspk) || | |||
| signed_public_key[0] || | signed_public_key[0] || | |||
| signed_public_key[1] || | signed_public_key[1] || | |||
| ... | ... | |||
| signed_public_key[Nspk-2] || | signed_public_key[Nspk-2] || | |||
| signed_public_key[Nspk-1] || | signed_public_key[Nspk-1] || | |||
| lms_signature_on_message | lms_signature_on_message | |||
| where, as defined in Section 7 of [HASHSIG], a signed_public_key is | where, as defined in Section 3.3 of [HASHSIG], a signed_public_key is | |||
| the lms_signature over the public key followed by the public key | the lms_signature over the public key followed by the public key | |||
| itself. | itself. Note that Nspk is the number of levels in the hierarchy of | |||
| trees minus 1. | ||||
| 2.2. Leighton-Micali Signature (LMS) | 2.2. Leighton-Micali Signature (LMS) | |||
| Each tree in the system specified in [HASHSIG] uses the Leighton- | Each tree in the system specified in [HASHSIG] uses the Leighton- | |||
| Micali Signature (LMS) system. LMS systems have two parameters. The | Micali Signature (LMS) system. LMS systems have two parameters. The | |||
| first parameter is the height of the tree, h, which is the number of | first parameter is the height of the tree, h, which is the number of | |||
| levels in the tree minus one. The [HASHSIG] specification supports | levels in the tree minus one. The [HASHSIG] specification supports | |||
| five values for this parameter: h=5; h=10; h=15; h=20; and h=25. | five values for this parameter: h=5; h=10; h=15; h=20; and h=25. | |||
| Note that there are 2^h leaves in the tree. The second parameter is | Note that there are 2^h leaves in the tree. The second parameter is | |||
| the number of bytes output by the hash function, m, which the amount | the number of bytes output by the hash function, m, which is the | |||
| of data associated with each node in the tree. The [HASHSIG] | amount of data associated with each node in the tree. The [HASHSIG] | |||
| specification supports only the SHA-256 hash function [SHS], with | specification supports only the SHA-256 hash function [SHS], with | |||
| m=32. | m=32. | |||
| Currently, the [HASHSIG] specification supports five tree sizes: | Currently, the [HASHSIG] specification supports five tree sizes: | |||
| LMS_SHA256_M32_H5; | LMS_SHA256_M32_H5; | |||
| LMS_SHA256_M32_H10; | LMS_SHA256_M32_H10; | |||
| LMS_SHA256_M32_H15; | LMS_SHA256_M32_H15; | |||
| LMS_SHA256_M32_H20; and | LMS_SHA256_M32_H20; and | |||
| LMS_SHA256_M32_H25. | LMS_SHA256_M32_H25. | |||
| skipping to change at page 6, line 9 ¶ | skipping to change at page 6, line 9 ¶ | |||
| of any length, and returns an n-byte string. | of any length, and returns an n-byte string. | |||
| w - The width in bits of the Winternitz coefficients. [HASHSIG] | w - The width in bits of the Winternitz coefficients. [HASHSIG] | |||
| supports four values for this parameter: w=1; w=2; w=4; and | supports four values for this parameter: w=1; w=2; w=4; and | |||
| w=8. | w=8. | |||
| p - The number of n-byte string elements that make up the LM-OTS | p - The number of n-byte string elements that make up the LM-OTS | |||
| signature. | signature. | |||
| ls - The number of left-shift bits used in the checksum function, | ls - The number of left-shift bits used in the checksum function, | |||
| which is defined in Section 4.5 of [HASHSIG]. | which is defined in Section 4.4 of [HASHSIG]. | |||
| The values of p and ls are dependent on the choices of the parameters | The values of p and ls are dependent on the choices of the parameters | |||
| n and w, as described in Appendix A of [HASHSIG]. | n and w, as described in Appendix B of [HASHSIG]. | |||
| Currently, the [HASHSIG] specification supports four LM-OTS variants: | Currently, the [HASHSIG] specification supports four LM-OTS variants: | |||
| LMOTS_SHA256_N32_W1; | LMOTS_SHA256_N32_W1; | |||
| LMOTS_SHA256_N32_W2; | LMOTS_SHA256_N32_W2; | |||
| LMOTS_SHA256_N32_W4; and | LMOTS_SHA256_N32_W4; and | |||
| LMOTS_SHA256_N32_W8. | LMOTS_SHA256_N32_W8. | |||
| The [HASHSIG] specification establishes an IANA registry to permit | The [HASHSIG] specification establishes an IANA registry to permit | |||
| the registration of additional variants in the future. | the registration of additional variants in the future. | |||
| Signing involves the generation of C, an n-byte random value. | Signing involves the generation of C, an n-byte random value. | |||
| The LM-OTS signature value can be summarized as: | The LM-OTS signature value can be summarized as: | |||
| u32str(otstype) || C || y[0] || ... || y[p-1] | u32str(otstype) || C || y[0] || ... || y[p-1] | |||
| 3. Algorithm Identifiers and Parameters | 3. Algorithm Identifiers and Parameters | |||
| The algorithm identifier for an HSS/LMS hash-based signature is | The algorithm identifier for an HSS/LMS hash-based signature when | |||
| solely the id-alg-hss-lms-hashsig object identifier: | SHA-256 [SHS] is used to hash the content is the | |||
| id-alg-hss-lms-hashsig-with-sha256 object identifier: | ||||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig-with-sha256 OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) TBD } | |||
| When the id-alg-hss-lms-hashsig object identifier is used for a | The algorithm identifier for an HSS/LMS hash-based signature when | |||
| signature, the AlgorithmIdentifier parameters field MUST be absent | SHA-384 [SHS] is used to hash the content is the | |||
| (that is, the parameters are not present; the parameters are not set | id-alg-hss-lms-hashsig-with-sha384 object identifier: | |||
| to NULL). | ||||
| Note that the id-alg-hss-lms-hashsig algorithm identifier is also | id-alg-hss-lms-hashsig-with-sha384 OBJECT IDENTIFIER ::= { iso(1) | |||
| referred to as id-alg-mts-hashsig. This synonym is based on the | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| terminology used in an early draft of the document that became | smime(16) alg(3) TBD } | |||
| [HASHSIG]. | ||||
| The algorithm identifier for an HSS/LMS hash-based signature when | ||||
| SHA-512 [SHS] is used to hash the content is the | ||||
| id-alg-hss-lms-hashsig-with-sha512 object identifier: | ||||
| id-alg-hss-lms-hashsig-with-sha512 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| When any of these object identifiers is used for a signature, the | ||||
| AlgorithmIdentifier parameters field MUST be absent (that is, the | ||||
| parameters are not present; the parameters are not set to NULL). | ||||
| The signature values is a large OCTET STRING. The signature format | The signature values is a large OCTET STRING. The signature format | |||
| is designed for easy parsing. Each format includes a counter and | is designed for easy parsing. Each format includes a counter and | |||
| type codes that indirectly providing all of the information that is | type codes that indirectly providing all of the information that is | |||
| needed to parse the value during signature validation. | needed to parse the value during signature validation. | |||
| 4. HSS/LMS Public Key Identifier | 4. HSS/LMS Public Key Identifier | |||
| When using [HASHSIG], the algorithm identifier that is used to | The AlgorithmIdentifier for an HHS/LMS public key uses the id-alg- | |||
| identify the signature value is also used to identify the HSS/LMS | hss-lms-hashsig object identifier, and the parameters field MUST be | |||
| public key. The algorithm parameters field MUST be absent. | absent. | |||
| The SubjectPublicKeyInfo field of an X.509 certificate [RFC5280] is | The SubjectPublicKeyInfo field of an X.509 certificate [RFC5280] is | |||
| one place where this identifier appears. In this situation, the | one place where this algorithm identifier appears. In this | |||
| certificate key usage extension MAY contain digitalSignature, | situation, the certificate key usage extension MAY contain | |||
| nonRepudiation, keyCertSign, and cRLSign; however, it MUST NOT | digitalSignature, nonRepudiation, keyCertSign, and cRLSign; however, | |||
| contain other values. | it MUST NOT contain other values. | |||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| HSS-LMS-HashSig-PublicKey ::= OCTET STRING | HSS-LMS-HashSig-PublicKey ::= OCTET STRING | |||
| Note that the id-alg-hss-lms-hashsig algorithm identifier is also | ||||
| referred to as id-alg-mts-hashsig. This synonym is based on the | ||||
| terminology used in an early draft of the document that became | ||||
| [HASHSIG]. | ||||
| The public key value is an OCTET STRING. Like the signature format, | The public key value is an OCTET STRING. Like the signature format, | |||
| it is designed for easy parsing. The value is a length, L, followed | it is designed for easy parsing. The value is the number of levels | |||
| by the public key itself. | in the public key, L, followed by the LMS public key. | |||
| The HSS/LMS public key value can be summarized as: | The HSS/LMS public key value can be summarized as: | |||
| u32str(L) || | u32str(L) || | |||
| lms_public_key | lms_public_key | |||
| 5. Signed-data Conventions | 5. Signed-data Conventions | |||
| As specified in [CMS], the digital signature is produced from the | As specified in [CMS], the digital signature is produced from the | |||
| message digest and the signer's private key. If signed attributes | message digest and the signer's private key. If signed attributes | |||
| skipping to change at page 8, line 9 ¶ | skipping to change at page 8, line 31 ¶ | |||
| THEN md = Hash(content) | THEN md = Hash(content) | |||
| ELSE message-digest attribute = Hash(content); | ELSE message-digest attribute = Hash(content); | |||
| md = Hash(DER(SignedAttributes)) | md = Hash(DER(SignedAttributes)) | |||
| Sign(md) | Sign(md) | |||
| When using [HASHSIG], the fields in the SignerInfo are used as | When using [HASHSIG], the fields in the SignerInfo are used as | |||
| follows: | follows: | |||
| digestAlgorithms SHOULD contain the one-way hash function used to | digestAlgorithms SHOULD contain the one-way hash function used to | |||
| compute the message digest on the eContent value. Since the | compute the message digest on the eContent value. In | |||
| hash-based signature algorithms all depend on SHA-256, it is | [HASHSIG], SHA-256 is used throughout the hash tree, and the | |||
| strongly RECOMMENDED that SHA-256 also be used to compute the | hash computation includes a random string. This random data | |||
| message digest on the content. | makes it harder for an attacker to find collisions. The signer | |||
| SHOULD use SHA-256 or a stronger hash function to compute the | ||||
| message digest on the content. For | ||||
| this purpose, Algorithm identifiers for SHA-256, SHA-384, and | ||||
| SHA-512 are provided in this document. | ||||
| Further, the same one-way hash function SHOULD be used to | Further, the same one-way hash function SHOULD be used to | |||
| compute the message digest on both the eContent and the | compute the message digest on both the eContent and the | |||
| signedAttributes value if signedAttributes are present. Again, | signedAttributes value if signedAttributes are present. | |||
| since the hash-based signature algorithms all depend on | ||||
| SHA-256, it is strongly RECOMMENDED that SHA-256 be used. | ||||
| signatureAlgorithm MUST contain id-alg-hss-lms-hashsig. The | signatureAlgorithm MUST contain id-alg-hss-lms-hashsig-with- | |||
| algorithm parameters field MUST be absent. | sha256, id-alg-hss-lms-hashsig-with-sha384, or id-alg-hss-lms- | |||
| hashsig-with-sha512. The algorithm parameters field MUST be | ||||
| absent. | ||||
| signature contains the single HSS signature value resulting from | signature contains the single HSS signature value resulting from | |||
| the signing operation as specified in [HASHSIG]. | the signing operation as specified in [HASHSIG]. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| 6.1. Implementation Security Considerations | 6.1. Implementation Security Considerations | |||
| Implementations must protect the private keys. Compromise of the | Implementations must protect the private keys. Compromise of the | |||
| private keys may result in the ability to forge signatures. Along | private keys may result in the ability to forge signatures. Along | |||
| skipping to change at page 9, line 9 ¶ | skipping to change at page 9, line 37 ¶ | |||
| force searching the whole key space. The generation of quality | force searching the whole key space. The generation of quality | |||
| random numbers is difficult. RFC 4086 [RANDOM] offers important | random numbers is difficult. RFC 4086 [RANDOM] offers important | |||
| guidance in this area. | guidance in this area. | |||
| The generation of hash-based signatures also depends on random | The generation of hash-based signatures also depends on random | |||
| numbers. While the consequences of an inadequate pseudo-random | numbers. While the consequences of an inadequate pseudo-random | |||
| number generator (PRNGs) to generate these values is much less severe | number generator (PRNGs) to generate these values is much less severe | |||
| than the generation of private keys, the guidance in [RFC4086] | than the generation of private keys, the guidance in [RFC4086] | |||
| remains important. | remains important. | |||
| When computing signatures, the same hash function SHOULD be used for | When computing signatures, the same hash function SHOULD be used to | |||
| all operations. In this specification, only SHA-256 is used. Using | compute the message digest of the content and the signed attributes, | |||
| only SHA-256 reduces the number of possible failure points in the | if they are present. | |||
| signature process. | ||||
| 6.2. Algorithm Security Considerations | 6.2. Algorithm Security Considerations | |||
| At Black Hat USA 2013, some researchers gave a presentation on the | At Black Hat USA 2013, some researchers gave a presentation on the | |||
| current sate of public key cryptography. They said: "Current | current sate of public key cryptography. They said: "Current | |||
| cryptosystems depend on discrete logarithm and factoring which has | cryptosystems depend on discrete logarithm and factoring which has | |||
| seen some major new developments in the past 6 months" [BH2013]. | seen some major new developments in the past 6 months" [BH2013]. | |||
| They encouraged preparation for a day when RSA and DSA cannot be | They encouraged preparation for a day when RSA and DSA cannot be | |||
| depended upon. | depended upon. | |||
| skipping to change at page 10, line 14 ¶ | skipping to change at page 10, line 35 ¶ | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) | SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) | |||
| registry, change the reference for value 64 to point to this | registry, change the reference for value 64 to point to this | |||
| document. | document. | |||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | |||
| registry, change the description for value 17 to | registry, change the description for value 17 to | |||
| "id-alg-hss-lms-hashsig" and change the reference to point to this | "id-alg-hss-lms-hashsig" and change the reference to point to this | |||
| document. Also, add the following note at the top of the registry: | document. Also, add the following note to the registry: | |||
| Value 17, "id-alg-hss-lms-hashsig", is also referred to as | Value 17, "id-alg-hss-lms-hashsig", is also referred to as | |||
| "id-alg-mts-hashsig". | "id-alg-mts-hashsig". | |||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha256 | ||||
| with a reference to this document. | ||||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha384 | ||||
| with a reference to this document. | ||||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha512 | ||||
| with a reference to this document. | ||||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Many thanks to Panos Kampanakis, Jim Schaad, Sean Turner, and Daniel | Many thanks to Panos Kampanakis, Jim Schaad, Sean Turner, and Daniel | |||
| Van Geest for their careful review and comments. | Van Geest for their careful review and comments. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [ASN1-B] ITU-T, "Information technology -- Abstract Syntax Notation | [ASN1-B] ITU-T, "Information technology -- Abstract Syntax Notation | |||
| skipping to change at page 12, line 46 ¶ | skipping to change at page 13, line 36 ¶ | |||
| DEFINITIONS IMPLICIT TAGS ::= BEGIN | DEFINITIONS IMPLICIT TAGS ::= BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | |||
| FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58) } | id-mod-algorithmInformation-02(58) } | |||
| mda-sha256 | mda-sha256, mda-sha384, mda-sha512 | |||
| FROM PKIX1-PSS-OAEP-Algorithms-2009 -- RFC 5912 [PKIXASN1] | FROM PKIX1-PSS-OAEP-Algorithms-2009 -- RFC 5912 [PKIXASN1] | |||
| { iso(1) identified-organization(3) dod(6) | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-rsa-pkalgs-02(54) } ; | id-mod-pkix1-rsa-pkalgs-02(54) } ; | |||
| -- | -- | |||
| -- Object Identifiers | -- Object Identifiers | |||
| -- | -- | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) member-body(2) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) alg(3) 17 } | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | ||||
| id-alg-hss-lms-hashsig-with-sha256 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| id-alg-hss-lms-hashsig-with-sha384 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| id-alg-hss-lms-hashsig-with-sha512 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| -- | -- | |||
| -- Signature Algorithm and Public Key | -- Signature Algorithm and Public Key | |||
| -- | -- | |||
| sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | sa-HSS-LMS-HashSig-with-SHA256 SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig-with-sha256 | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| HASHES { mda-sha256 } | HASHES { mda-sha256 } | |||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | PUBLIC-KEYS { pk-HSS-LMS-HashSig } | |||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha256 } } | |||
| sa-HSS-LMS-HashSig-with-SHA384 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-lms-hashsig-with-sha384 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha384 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha384 } } | ||||
| sa-HSS-LMS-HashSig-with-SHA512 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-lms-hashsig-with-sha512 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha512 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha512 } } | ||||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| HSS-LMS-HashSig-PublicKey ::= OCTET STRING | HSS-LMS-HashSig-PublicKey ::= OCTET STRING | |||
| -- | -- | |||
| -- Expand the signature algorithm set used by CMS [CMSASN1U] | -- Expand the signature algorithm set used by CMS [CMSASN1U] | |||
| -- | -- | |||
| SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= | SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= | |||
| { sa-HSS-LMS-HashSig, ... } | { sa-HSS-LMS-HashSig-with-SHA256 | | |||
| sa-HSS-LMS-HashSig-with-SHA384 | | ||||
| sa-HSS-LMS-HashSig-with-SHA512, ... } | ||||
| -- | -- | |||
| -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | |||
| -- | -- | |||
| SMimeCaps SMIME-CAPS ::= { sa-HSS-LMS-HashSig.&smimeCaps, ... } | SMimeCaps SMIME-CAPS ::= | |||
| { sa-HSS-LMS-HashSig-with-SHA256.&smimeCaps | | ||||
| sa-HSS-LMS-HashSig-with-SHA384.&smimeCaps | | ||||
| sa-HSS-LMS-HashSig-with-SHA512.&smimeCaps, ... } | ||||
| END | END | |||
| Author's Address | Author's Address | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| 918 Spring Knoll Drive | 918 Spring Knoll Drive | |||
| Herndon, VA 20170 | Herndon, VA 20170 | |||
| USA | USA | |||
| End of changes. 35 change blocks. | ||||
| 75 lines changed or deleted | 140 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||