| draft-ietf-lamps-cms-hash-sig-04.txt | draft-ietf-lamps-cms-hash-sig-05.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT R. Housley | INTERNET-DRAFT R. Housley | |||
| Internet Engineering Task Force (IETF) Vigil Security | Internet Engineering Task Force (IETF) Vigil Security | |||
| Intended Status: Proposed Standard | Intended Status: Proposed Standard | |||
| Expires: 12 August 2019 12 February 2019 | Expires: 22 August 2019 22 February 2019 | |||
| Use of the HSS/LMS Hash-based Signature Algorithm | Use of the HSS/LMS Hash-based Signature Algorithm | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-lamps-cms-hash-sig-04> | <draft-ietf-lamps-cms-hash-sig-05> | |||
| Abstract | Abstract | |||
| This document specifies the conventions for using the the HSS/LMS | This document specifies the conventions for using the the HSS/LMS | |||
| hash-based signature algorithm with the Cryptographic Message Syntax | hash-based signature algorithm with the Cryptographic Message Syntax | |||
| (CMS). In addition, the algorithm identifier and public key syntax | (CMS). In addition, the algorithm identifier and public key syntax | |||
| are provided. The HSS/LMS algorithm is one form of hash-based | are provided. The HSS/LMS algorithm is one form of hash-based | |||
| digital signature; it is described in [HASHSIG]. | digital signature; it is described in [HASHSIG]. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/1id-abstracts.html | http://www.ietf.org/1id-abstracts.html | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| Copyright and License Notice | Copyright and License Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 3, line 18 ¶ | skipping to change at page 3, line 18 ¶ | |||
| based signature algorithm with the Cryptographic Message Syntax (CMS) | based signature algorithm with the Cryptographic Message Syntax (CMS) | |||
| [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | |||
| system provides a one-time digital signature that is a variant of | system provides a one-time digital signature that is a variant of | |||
| Merkle Tree Signatures (MTS). The Hierarchical Signature System | Merkle Tree Signatures (MTS). The Hierarchical Signature System | |||
| (HSS) is built on top of the LMS system to efficiently scale for a | (HSS) is built on top of the LMS system to efficiently scale for a | |||
| larger numbers of signatures. The HSS/LMS algorithm is one form of | larger numbers of signatures. The HSS/LMS algorithm is one form of | |||
| hash-based digital signature, and it is described in [HASHSIG]. The | hash-based digital signature, and it is described in [HASHSIG]. The | |||
| HSS/LMS signature algorithm can only be used for a fixed number of | HSS/LMS signature algorithm can only be used for a fixed number of | |||
| signing operations. The number of signing operations depends upon | signing operations. The number of signing operations depends upon | |||
| the size of the tree. The HSS/LMS signature algorithm uses small | the size of the tree. The HSS/LMS signature algorithm uses small | |||
| private and public keys, and it has low computational cost; however, | public keys, and it has low computational cost; however, the | |||
| the signatures are quite large. | signatures are quite large. The HSS/LMS private key can be very | |||
| small when the signer is willing to perform additional computation at | ||||
| signing time; alternatively, the private key can consume additional | ||||
| memory and provide a faster signing time. | ||||
| Well, yes, there is quite a range of possible time/memory trade-offs | ||||
| available when storing the private key; if you need to, the private | ||||
| key can be expressed in quite a small amount of space (albeit at the | ||||
| expense of making the signature generation operation expensive). | ||||
| 1.1. ASN.1 | 1.1. ASN.1 | |||
| CMS values are generated using ASN.1 [ASN1-B], using the Basic | CMS values are generated using ASN.1 [ASN1-B], using the Basic | |||
| Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | |||
| [ASN1-E]. | [ASN1-E]. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| skipping to change at page 4, line 6 ¶ | skipping to change at page 4, line 15 ¶ | |||
| A post-quantum cryptosystem is a system that is secure against | A post-quantum cryptosystem is a system that is secure against | |||
| quantum computers that have more than a trivial number of quantum | quantum computers that have more than a trivial number of quantum | |||
| bits. It is open to conjecture when it will be feasible to build | bits. It is open to conjecture when it will be feasible to build | |||
| such a machine. RSA, DSA, and ECDSA are not post-quantum secure. | such a machine. RSA, DSA, and ECDSA are not post-quantum secure. | |||
| The LM-OTS one-time signature, LMS, and HSS do not depend on discrete | The LM-OTS one-time signature, LMS, and HSS do not depend on discrete | |||
| logarithm or factoring, as a result these algorithms are considered | logarithm or factoring, as a result these algorithms are considered | |||
| to be post-quantum secure. | to be post-quantum secure. | |||
| Hash-based signatures [HASHSIG] are currently defined to use | Hash-based signatures [HASHSIG] are currently defined to use | |||
| exclusively SHA-256. An IANA registry is defined so that other hash | exclusively SHA-256 [SHS]. An IANA registry is defined so that other | |||
| functions could be used in the future. LM-OTS signature generation | hash functions could be used in the future. LM-OTS signature | |||
| prepends a random string as well as other metadata before computing | generation prepends a random string as well as other metadata before | |||
| the hash value. The inclusion of the random value reduces the | computing the hash value. The inclusion of the random value reduces | |||
| chances of an attacker being able to find collisions, even if the | the chances of an attacker being able to find collisions, even if the | |||
| attacker has a large-scale quantum computer. | attacker has a large-scale quantum computer. | |||
| Today, RSA is often used to digitally sign software updates. This | Today, RSA is often used to digitally sign software updates. This | |||
| means that the distribution of software updates could be compromised | means that the distribution of software updates could be compromised | |||
| if a significant advance is made in factoring or a quantum computer | if a significant advance is made in factoring or a quantum computer | |||
| is invented. The use of HSS/LMS hash-based signatures to protect | is invented. The use of HSS/LMS hash-based signatures to protect | |||
| software update distribution, perhaps using the format described in | software update distribution, perhaps using the format described in | |||
| [FWPROT], will allow the deployment of software that implements new | [FWPROT], will allow the deployment of software that implements new | |||
| cryptosystems. | cryptosystems. | |||
| skipping to change at page 5, line 42 ¶ | skipping to change at page 6, line 5 ¶ | |||
| Micali Signature (LMS) system. LMS systems have two parameters. The | Micali Signature (LMS) system. LMS systems have two parameters. The | |||
| first parameter is the height of the tree, h, which is the number of | first parameter is the height of the tree, h, which is the number of | |||
| levels in the tree minus one. The [HASHSIG] specification supports | levels in the tree minus one. The [HASHSIG] specification supports | |||
| five values for this parameter: h=5; h=10; h=15; h=20; and h=25. | five values for this parameter: h=5; h=10; h=15; h=20; and h=25. | |||
| Note that there are 2^h leaves in the tree. The second parameter is | Note that there are 2^h leaves in the tree. The second parameter is | |||
| the number of bytes output by the hash function, m, which is the | the number of bytes output by the hash function, m, which is the | |||
| amount of data associated with each node in the tree. The [HASHSIG] | amount of data associated with each node in the tree. The [HASHSIG] | |||
| specification supports only the SHA-256 hash function [SHS], with | specification supports only the SHA-256 hash function [SHS], with | |||
| m=32. | m=32. | |||
| Currently, the [HASHSIG] specification supports five tree sizes: | The [HASHSIG] specification supports five tree sizes: | |||
| LMS_SHA256_M32_H5; | LMS_SHA256_M32_H5; | |||
| LMS_SHA256_M32_H10; | LMS_SHA256_M32_H10; | |||
| LMS_SHA256_M32_H15; | LMS_SHA256_M32_H15; | |||
| LMS_SHA256_M32_H20; and | LMS_SHA256_M32_H20; and | |||
| LMS_SHA256_M32_H25. | LMS_SHA256_M32_H25. | |||
| The [HASHSIG] specification establishes an IANA registry to permit | The [HASHSIG] specification establishes an IANA registry to permit | |||
| the registration of additional tree sizes in the future. | the registration of additional tree sizes in the future. | |||
| skipping to change at page 7, line 11 ¶ | skipping to change at page 7, line 21 ¶ | |||
| p - The number of n-byte string elements that make up the LM-OTS | p - The number of n-byte string elements that make up the LM-OTS | |||
| signature. | signature. | |||
| ls - The number of left-shift bits used in the checksum function, | ls - The number of left-shift bits used in the checksum function, | |||
| which is defined in Section 4.4 of [HASHSIG]. | which is defined in Section 4.4 of [HASHSIG]. | |||
| The values of p and ls are dependent on the choices of the parameters | The values of p and ls are dependent on the choices of the parameters | |||
| n and w, as described in Appendix B of [HASHSIG]. | n and w, as described in Appendix B of [HASHSIG]. | |||
| Currently, the [HASHSIG] specification supports four LM-OTS variants: | The [HASHSIG] specification supports four LM-OTS variants: | |||
| LMOTS_SHA256_N32_W1; | LMOTS_SHA256_N32_W1; | |||
| LMOTS_SHA256_N32_W2; | LMOTS_SHA256_N32_W2; | |||
| LMOTS_SHA256_N32_W4; and | LMOTS_SHA256_N32_W4; and | |||
| LMOTS_SHA256_N32_W8. | LMOTS_SHA256_N32_W8. | |||
| The [HASHSIG] specification establishes an IANA registry to permit | The [HASHSIG] specification establishes an IANA registry to permit | |||
| the registration of additional variants in the future. | the registration of additional variants in the future. | |||
| Signing involves the generation of C, an n-byte random value. | Signing involves the generation of C, an n-byte random value. | |||
| The LM-OTS signature value can be summarized as the identifier of the | The LM-OTS signature value can be summarized as the identifier of the | |||
| LM-OTS variant, the random value, and a sequence of hash values that | LM-OTS variant, the random value, and a sequence of hash values that | |||
| correspond to the elements of the public key as described in Section | correspond to the elements of the public key as described in Section | |||
| 4.5 of [HASHSIG]: | 4.5 of [HASHSIG]: | |||
| u32str(otstype) || C || y[0] || ... || y[p-1] | u32str(otstype) || C || y[0] || ... || y[p-1] | |||
| 3. Algorithm Identifiers and Parameters | 3. Algorithm Identifiers and Parameters | |||
| The algorithm identifier for an HSS/LMS hash-based signature when | The algorithm identifier for an HSS/LMS hash-based signatures is: | |||
| SHA-256 [SHS] is used to hash the content is the | ||||
| id-alg-hss-lms-hashsig-with-sha256 object identifier: | ||||
| id-alg-hss-lms-hashsig-with-sha256 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| The algorithm identifier for an HSS/LMS hash-based signature when | ||||
| SHA-384 [SHS] is used to hash the content is the | ||||
| id-alg-hss-lms-hashsig-with-sha384 object identifier: | ||||
| id-alg-hss-lms-hashsig-with-sha384 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| The algorithm identifier for an HSS/LMS hash-based signature when | ||||
| SHA-512 [SHS] is used to hash the content is the | ||||
| id-alg-hss-lms-hashsig-with-sha512 object identifier: | ||||
| id-alg-hss-lms-hashsig-with-sha512 OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) TBD } | smime(16) alg(3) 17 } | |||
| When any of these object identifiers is used for a signature, the | When this object identifier is used for a HSS/LMS signature, the | |||
| AlgorithmIdentifier parameters field MUST be absent (that is, the | AlgorithmIdentifier parameters field MUST be absent (that is, the | |||
| parameters are not present; the parameters are not set to NULL). | parameters are not present; the parameters are not set to NULL). | |||
| The signature values is a large OCTET STRING. The signature format | The signature value is a large OCTET STRING. The signature format is | |||
| is designed for easy parsing. Each format includes a counter and | designed for easy parsing. Each format includes a counter and type | |||
| type codes that indirectly providing all of the information that is | codes that indirectly providing all of the information that is needed | |||
| needed to parse the value during signature validation. | to parse the value during signature validation. | |||
| The signature value identifies the hash function used in the HSS/LMS | ||||
| tree. In [HASHSIG] only the SHA-256 hash function [SHS] is | ||||
| supported, but it also establishes an IANA registry to permit the | ||||
| registration of additional hash functions in the future. | ||||
| 4. HSS/LMS Public Key Identifier | 4. HSS/LMS Public Key Identifier | |||
| The AlgorithmIdentifier for an HSS/LMS public key uses the id-alg- | The AlgorithmIdentifier for an HSS/LMS public key uses the id-alg- | |||
| hss-lms-hashsig object identifier, and the parameters field MUST be | hss-lms-hashsig object identifier, and the parameters field MUST be | |||
| absent. | absent. | |||
| The SubjectPublicKeyInfo field of an X.509 certificate [RFC5280] is | When this AlgorithmIdentifier appears in the SubjectPublicKeyInfo | |||
| one place where this algorithm identifier appears. In this | field of an X.509 certificate [RFC5280], the certificate key usage | |||
| situation, the certificate key usage extension MAY contain | extension MAY contain digitalSignature, nonRepudiation, keyCertSign, | |||
| digitalSignature, nonRepudiation, keyCertSign, and cRLSign; however, | and cRLSign; however, it MUST NOT contain other values. | |||
| it MUST NOT contain other values. | ||||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| HSS-LMS-HashSig-PublicKey ::= OCTET STRING | HSS-LMS-HashSig-PublicKey ::= OCTET STRING | |||
| skipping to change at page 9, line 6 ¶ | skipping to change at page 8, line 47 ¶ | |||
| The public key value is an OCTET STRING. Like the signature format, | The public key value is an OCTET STRING. Like the signature format, | |||
| it is designed for easy parsing. The value is the number of levels | it is designed for easy parsing. The value is the number of levels | |||
| in the public key, L, followed by the LMS public key. | in the public key, L, followed by the LMS public key. | |||
| The HSS/LMS public key value can be summarized as: | The HSS/LMS public key value can be summarized as: | |||
| u32str(L) || lms_public_key | u32str(L) || lms_public_key | |||
| Note that the public key for the top-most LMS tree is the public key | Note that the public key for the top-most LMS tree is the public key | |||
| of the HSS system, and when L=1 it is a stand-alone tree. | of the HSS system. When L=1, the HSS system is a single tree. | |||
| 5. Signed-data Conventions | 5. Signed-data Conventions | |||
| As specified in [CMS], the digital signature is produced from the | As specified in [CMS], the digital signature is produced from the | |||
| message digest and the signer's private key. If signed attributes | message digest and the signer's private key. The signature is | |||
| are absent, then the message digest is the hash of the content. If | computed over different value depending on whether signed attributes | |||
| signed attributes are present, then the hash of the content is placed | are absent or present. When signed attributes are absent, the | |||
| in the message-digest attribute, the set of signed attributes is DER | HSS/LMS signature is computed over the content. When signed | |||
| encoded, and the message digest is the hash of the encoded | attributes are present, a hash is computed over the content using the | |||
| attributes. In summary: | same hash function that is used in the HSS/LMS tree, and then a | |||
| message-digest attribute is constructed with the resulting hash | ||||
| value, and then DER encode the set of signed attributes, which MUST | ||||
| include a content-type attribute and a message-digest attribute, and | ||||
| then the HSS/LMS signature is computed over the output of the DER- | ||||
| encode operation. In summary: | ||||
| IF (signed attributes are absent) | IF (signed attributes are absent) | |||
| THEN md = Hash(content) | THEN HSS_LMS_Sign(content) | |||
| ELSE message-digest attribute = Hash(content); | ELSE message-digest attribute = Hash(content); | |||
| md = Hash(DER(SignedAttributes)) | HSS_LMS_Sign(DER(SignedAttributes)) | |||
| Sign(md) | ||||
| When using [HASHSIG], the fields in the SignerInfo are used as | When using [HASHSIG], the fields in the SignerInfo are used as | |||
| follows: | follows: | |||
| digestAlgorithms SHOULD contain the one-way hash function used to | digestAlgorithm MUST contain the one-way hash function used to in | |||
| compute the message digest on the eContent value. In | the HSS/LMS tree. In [HASHSIG], SHA-256 is the only supported | |||
| [HASHSIG], SHA-256 is used throughout the hash tree, and the | hash function, but other hash functions might be registered in | |||
| hash computation includes a random string. This random data | the future. For convenience, the AlgorithmIdentifier for | |||
| makes it harder for an attacker to find collisions. The signer | SHA-256 from [PKIXASN1] is repeated here: | |||
| SHOULD use SHA-256 or a stronger hash function to compute the | ||||
| message digest on the content. For this purpose, Algorithm | ||||
| identifiers for SHA-256, SHA-384, and SHA-512 are provided in | ||||
| this document. | ||||
| Further, the same one-way hash function SHOULD be used to | mda-sha256 DIGEST-ALGORITHM ::= { | |||
| compute the message digest on both the eContent and the | IDENTIFIER id-sha256 | |||
| signedAttributes value if signedAttributes are present. | PARAMS TYPE NULL ARE preferredAbsent } | |||
| signatureAlgorithm MUST contain id-alg-hss-lms-hashsig-with- | id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| sha256, id-alg-hss-lms-hashsig-with-sha384, or id-alg-hss-lms- | country(16) us(840) organization(1) gov(101) csor(3) | |||
| hashsig-with-sha512. The algorithm parameters field MUST be | nistAlgorithms(4) hashalgs(2) 1 } | |||
| absent. | ||||
| signatureAlgorithm MUST contain id-alg-hss-lms-hashsig, and the | ||||
| algorithm parameters field MUST be absent. | ||||
| signature contains the single HSS signature value resulting from | signature contains the single HSS signature value resulting from | |||
| the signing operation as specified in [HASHSIG]. | the signing operation as specified in [HASHSIG]. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| Implementations MUST protect the private keys. Compromise of the | Implementations MUST protect the private keys. Compromise of the | |||
| private keys may result in the ability to forge signatures. Along | private keys may result in the ability to forge signatures. Along | |||
| with the private key, the implementation MUST keep track of which | with the private key, the implementation MUST keep track of which | |||
| leaf nodes in the tree have been used. Loss of integrity of this | leaf nodes in the tree have been used. Loss of integrity of this | |||
| skipping to change at page 11, line 10 ¶ | skipping to change at page 11, line 5 ¶ | |||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | |||
| registry, change the description for value 17 to | registry, change the description for value 17 to | |||
| "id-alg-hss-lms-hashsig" and change the reference to point to this | "id-alg-hss-lms-hashsig" and change the reference to point to this | |||
| document. | document. | |||
| Also, add the following note to the registry: | Also, add the following note to the registry: | |||
| Value 17, "id-alg-hss-lms-hashsig", is also referred to as | Value 17, "id-alg-hss-lms-hashsig", is also referred to as | |||
| "id-alg-mts-hashsig". | "id-alg-mts-hashsig". | |||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha256 | ||||
| with a reference to this document. | ||||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha384 | ||||
| with a reference to this document. | ||||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | ||||
| registry, assign a new value for id-alg-hss-lms-hashsig-with-sha512 | ||||
| with a reference to this document. | ||||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim | Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim | |||
| Schaad, Sean Turner, and Daniel Van Geest for their careful review | Schaad, Sean Turner, and Daniel Van Geest for their careful review | |||
| and comments. | and comments. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| skipping to change at page 14, line 21 ¶ | skipping to change at page 13, line 31 ¶ | |||
| DEFINITIONS IMPLICIT TAGS ::= BEGIN | DEFINITIONS IMPLICIT TAGS ::= BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | |||
| FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58) } | id-mod-algorithmInformation-02(58) } | |||
| mda-sha256, mda-sha384, mda-sha512 | mda-sha256 | |||
| FROM PKIX1-PSS-OAEP-Algorithms-2009 -- RFC 5912 [PKIXASN1] | FROM PKIX1-PSS-OAEP-Algorithms-2009 -- RFC 5912 [PKIXASN1] | |||
| { iso(1) identified-organization(3) dod(6) | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-rsa-pkalgs-02(54) } ; | id-mod-pkix1-rsa-pkalgs-02(54) } ; | |||
| -- | -- | |||
| -- Object Identifiers | -- Object Identifiers | |||
| -- | -- | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) 17 } | |||
| id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | |||
| id-alg-hss-lms-hashsig-with-sha256 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| id-alg-hss-lms-hashsig-with-sha384 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| id-alg-hss-lms-hashsig-with-sha512 OBJECT IDENTIFIER ::= { iso(1) | ||||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | ||||
| smime(16) alg(3) TBD } | ||||
| -- | -- | |||
| -- Signature Algorithm and Public Key | -- Signature Algorithm and Public Key | |||
| -- | -- | |||
| sa-HSS-LMS-HashSig-with-SHA256 SIGNATURE-ALGORITHM ::= { | sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig-with-sha256 | IDENTIFIER id-alg-hss-lms-hashsig | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| HASHES { mda-sha256 } | HASHES { mda-sha256 } | |||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | PUBLIC-KEYS { pk-HSS-LMS-HashSig } | |||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha256 } } | SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | |||
| sa-HSS-LMS-HashSig-with-SHA384 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-lms-hashsig-with-sha384 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha384 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha384 } } | ||||
| sa-HSS-LMS-HashSig-with-SHA512 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-lms-hashsig-with-sha512 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha512 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig-with-sha512 } } | ||||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| HSS-LMS-HashSig-PublicKey ::= OCTET STRING | HSS-LMS-HashSig-PublicKey ::= OCTET STRING | |||
| -- | -- | |||
| -- Expand the signature algorithm set used by CMS [CMSASN1U] | -- Expand the signature algorithm set used by CMS [CMSASN1U] | |||
| -- | -- | |||
| SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= | SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= | |||
| { sa-HSS-LMS-HashSig-with-SHA256 | | { sa-HSS-LMS-HashSig, ... } | |||
| sa-HSS-LMS-HashSig-with-SHA384 | | ||||
| sa-HSS-LMS-HashSig-with-SHA512, ... } | ||||
| -- | -- | |||
| -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | |||
| -- | -- | |||
| SMimeCaps SMIME-CAPS ::= | SMimeCaps SMIME-CAPS ::= | |||
| { sa-HSS-LMS-HashSig-with-SHA256.&smimeCaps | | { sa-HSS-LMS-HashSig.&smimeCaps, ... } | |||
| sa-HSS-LMS-HashSig-with-SHA384.&smimeCaps | | ||||
| sa-HSS-LMS-HashSig-with-SHA512.&smimeCaps, ... } | ||||
| END | END | |||
| Author's Address | Author's Address | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| 516 Dranesville Road | 516 Dranesville Road | |||
| Herndon, VA 20170 | Herndon, VA 20170 | |||
| USA | USA | |||
| End of changes. 26 change blocks. | ||||
| 120 lines changed or deleted | 72 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||