| draft-ietf-lamps-samples-00.txt | draft-ietf-lamps-samples-01.txt | |||
|---|---|---|---|---|
| lamps D.K. Gillmor, Ed. | lamps D.K. Gillmor, Ed. | |||
| Internet-Draft ACLU | Internet-Draft ACLU | |||
| Intended status: Informational 3 May 2021 | Intended status: Informational 8 May 2021 | |||
| Expires: 4 November 2021 | Expires: 9 November 2021 | |||
| S/MIME Example Keys and Certificates | S/MIME Example Keys and Certificates | |||
| draft-ietf-lamps-samples-00 | draft-ietf-lamps-samples-01 | |||
| Abstract | Abstract | |||
| The S/MIME development community benefits from sharing samples of | The S/MIME development community benefits from sharing samples of | |||
| signed or encrypted data. This document facilitates such | signed or encrypted data. This document facilitates such | |||
| collaboration by defining a small set of X.509v3 certificates and | collaboration by defining a small set of X.509v3 certificates and | |||
| keys for use when generating such samples. | keys for use when generating such samples. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 33 ¶ | skipping to change at page 1, line 33 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 4 November 2021. | This Internet-Draft will expire on 9 November 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 4 | 2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. Certificate Revocation . . . . . . . . . . . . . . . . . 4 | 2.3. Certificate Revocation . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Using the CA in Test Suites . . . . . . . . . . . . . . . 4 | 2.4. Using the CA in Test Suites . . . . . . . . . . . . . . . 5 | |||
| 2.5. Certificate Chains . . . . . . . . . . . . . . . . . . . 5 | 2.5. Certificate Chains . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.6. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.6. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.7. Secret key origins . . . . . . . . . . . . . . . . . . . 5 | 2.7. Secret key origins . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Example Certificate Authority . . . . . . . . . . . . . . . . 6 | 3. Example Certificate Authority . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Certificate Authority Certificate . . . . . . . . . . . . 6 | 3.1. Certificate Authority Certificate . . . . . . . . . . . . 6 | |||
| 3.2. Certificate Authority Secret Key . . . . . . . . . . . . 6 | 3.2. Certificate Authority Secret Key . . . . . . . . . . . . 7 | |||
| 4. Alice's Sample Certificates . . . . . . . . . . . . . . . . . 7 | 4. Alice's Sample Certificates . . . . . . . . . . . . . . . . . 8 | |||
| 4.1. Alice's Signature Verification End-Entity Certificate . . 7 | 4.1. Alice's Signature Verification End-Entity Certificate . . 8 | |||
| 4.2. Alice's Signing Private Key Material . . . . . . . . . . 8 | 4.2. Alice's Signing Private Key Material . . . . . . . . . . 9 | |||
| 4.3. Alice's Encryption End-Entity Certificate . . . . . . . . 9 | 4.3. Alice's Encryption End-Entity Certificate . . . . . . . . 10 | |||
| 4.4. Alice's Decryption Private Key Material . . . . . . . . . 10 | 4.4. Alice's Decryption Private Key Material . . . . . . . . . 11 | |||
| 4.5. PKCS12 Object for Alice . . . . . . . . . . . . . . . . . 11 | 4.5. PKCS12 Object for Alice . . . . . . . . . . . . . . . . . 12 | |||
| 5. Bob's Sample . . . . . . . . . . . . . . . . . . . . . . . . 14 | 5. Bob's Sample . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 5.1. Bob's Signature Verification End-Entity Certificate . . . 14 | 5.1. Bob's Signature Verification End-Entity Certificate . . . 15 | |||
| 5.2. Bob's Signing Private Key Material . . . . . . . . . . . 15 | 5.2. Bob's Signing Private Key Material . . . . . . . . . . . 16 | |||
| 5.3. Bob's Encryption End-Entity Certificate . . . . . . . . . 16 | 5.3. Bob's Encryption End-Entity Certificate . . . . . . . . . 17 | |||
| 5.4. Bob's Decryption Private Key Material . . . . . . . . . . 17 | 5.4. Bob's Decryption Private Key Material . . . . . . . . . . 18 | |||
| 5.5. PKCS12 Object for Bob . . . . . . . . . . . . . . . . . . 18 | 5.5. PKCS12 Object for Bob . . . . . . . . . . . . . . . . . . 19 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 6. Example Ed25519 Certificate Authority . . . . . . . . . . . . 22 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | 6.1. Certificate Authority Certificate . . . . . . . . . . . . 22 | |||
| 8. Document Considerations . . . . . . . . . . . . . . . . . . . 22 | 6.2. Ed25519 Certificate Authority Secret Key . . . . . . . . 23 | |||
| 8.1. Document History . . . . . . . . . . . . . . . . . . . . 22 | 7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 23 | |||
| 8.1.1. Substantive Changes from draft-dkg-*-05 to | 7.1. Carlos's Signature Verification End-Entity Certificate . 23 | |||
| draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 22 | 7.2. Carlos's Signing Private Key Material . . . . . . . . . . 24 | |||
| 8.1.2. Substantive Changes from draft-dkg-*-04 to | 7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 24 | |||
| draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 22 | 7.4. Carlos's Decryption Private Key Material . . . . . . . . 24 | |||
| 8.1.3. Substantive Changes from draft-dkg-*-03 to | 7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 24 | |||
| draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 22 | 8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 26 | |||
| 8.1.4. Substantive Changes from draft-dkg-*-02 to | 8.1. Dana's Signature Verification End-Entity Certificate . . 26 | |||
| draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 22 | 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 26 | |||
| 8.1.5. Substantive Changes from draft-dkg-*-01 to | 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 26 | |||
| draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 22 | 8.4. Dana's Decryption Private Key Material . . . . . . . . . 27 | |||
| 8.1.6. Substantive Changes from draft-dkg-*-00 to | 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 27 | |||
| draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 22 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 11. Document Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 23 | 11.1. Outstanding Changes . . . . . . . . . . . . . . . . . . 29 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 23 | 11.2. Document History . . . . . . . . . . . . . . . . . . . . 29 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 24 | 11.2.1. Substantive Changes from draft-ietf-*-00 to | |||
| draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.2. Substantive Changes from draft-dkg-*-05 to | ||||
| draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.3. Substantive Changes from draft-dkg-*-04 to | ||||
| draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.4. Substantive Changes from draft-dkg-*-03 to | ||||
| draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.5. Substantive Changes from draft-dkg-*-02 to | ||||
| draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.6. Substantive Changes from draft-dkg-*-01 to | ||||
| draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 11.2.7. Substantive Changes from draft-dkg-*-00 to | ||||
| draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 29 | ||||
| 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 | ||||
| 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | ||||
| 13.1. Normative References . . . . . . . . . . . . . . . . . . 30 | ||||
| 13.2. Informative References . . . . . . . . . . . . . . . . . 31 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 32 | ||||
| 1. Introduction | 1. Introduction | |||
| The S/MIME ([RFC8551]) development community, in particular the | The S/MIME ([RFC8551]) development community, in particular the | |||
| e-mail development community, benefits from sharing samples of signed | e-mail development community, benefits from sharing samples of signed | |||
| and/or encrypted data. Often the exact key material used does not | and/or encrypted data. Often the exact key material used does not | |||
| matter because the properties being tested pertain to implementation | matter because the properties being tested pertain to implementation | |||
| correctness, completeness or interoperability of the overall system. | correctness, completeness or interoperability of the overall system. | |||
| However, without access to the relevant secret key material, a sample | However, without access to the relevant secret key material, a sample | |||
| is useless. | is useless. | |||
| This document defines a small set of X.509v3 certificates ([RFC5280]) | This document defines a small set of X.509v3 certificates ([RFC5280]) | |||
| and secret keys for use when generating or operating on such samples. | and secret keys for use when generating or operating on such samples. | |||
| An example certificate authority is supplied, and samples are | An example RSA certificate authority is supplied, and sample RSA | |||
| provided for two "personas", Alice and Bob. | certificates are provided for two "personas", Alice and Bob. | |||
| Additionally, an Ed25519 ([RFC8032]) certificate authority is | ||||
| supplied, along with sample Ed25519 certificates for two more | ||||
| "personas", Carlos and Dana. | ||||
| This document focuses narrowly on functional, well-formed identity | ||||
| and key material. It is a starting point that other documents can | ||||
| use to develop sample signed or encrypted messages, test vectors, or | ||||
| other artifacts for improved interoperability. | ||||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| skipping to change at page 4, line 10 ¶ | skipping to change at page 4, line 37 ¶ | |||
| various S/MIME formats. That older work has unacceptably old | various S/MIME formats. That older work has unacceptably old | |||
| algorithm choices that may introduce failures when testing modern | algorithm choices that may introduce failures when testing modern | |||
| systems: in 2019, some tools explicitly mark 1024-bit RSA and | systems: in 2019, some tools explicitly mark 1024-bit RSA and | |||
| 1024-bit DSS as weak. | 1024-bit DSS as weak. | |||
| This earlier document also does not use the now widely-accepted PEM | This earlier document also does not use the now widely-accepted PEM | |||
| encoding for the objects, and instead embeds runnable perl code to | encoding for the objects, and instead embeds runnable perl code to | |||
| extract them from the document. | extract them from the document. | |||
| It also includes examples of messages and other structures which are | It also includes examples of messages and other structures which are | |||
| greater in ambition than this document intends to be. This document | greater in ambition than this document intends to be. | |||
| intends to focus specifically on identity and key material, as a | ||||
| starting point for other documents that can develop examples or test | [RFC8410] includes an example X25519 certificate that is certified | |||
| cases from them. | with Ed25519, but it appears to be self-issued, and it is not | |||
| directly useful in testing an S/MIME-capable MUA. | ||||
| 2. Background | 2. Background | |||
| 2.1. Certificate Usage | 2.1. Certificate Usage | |||
| These X.509 certificates ([RFC5280]) are designed for use with S/MIME | These X.509 certificates ([RFC5280]) are designed for use with S/MIME | |||
| protections ([RFC8551]) for e-mail ([RFC5322]). | protections ([RFC8551]) for e-mail ([RFC5322]). | |||
| In particular, they should be usable with signed and encrypted | In particular, they should be usable with signed and encrypted | |||
| messages. | messages. | |||
| skipping to change at page 5, line 46 ¶ | skipping to change at page 6, line 27 ¶ | |||
| As such, the secret key objects are not suitable for verifying | As such, the secret key objects are not suitable for verifying | |||
| interoperable password protection schemes. | interoperable password protection schemes. | |||
| However, the PKCS#12 [RFC7292] objects do have simple textual | However, the PKCS#12 [RFC7292] objects do have simple textual | |||
| passwords, because tooling for dealing with passwordless PKCS#12 | passwords, because tooling for dealing with passwordless PKCS#12 | |||
| objects is underdeveloped at the time of this draft. | objects is underdeveloped at the time of this draft. | |||
| 2.7. Secret key origins | 2.7. Secret key origins | |||
| The secret keys in this document are all deterministically derived | The secret RSA keys in this document are all deterministically | |||
| using provable prime generation as found in [FIPS186-4], based on | derived using provable prime generation as found in [FIPS186-4], | |||
| known seeds derived via [SHA256] from simple strings. The seeds and | based on known seeds derived via [SHA256] from simple strings. The | |||
| their derivation are included in the document for informational | secret Ed25519 and X25519 keys in this document are all derived by | |||
| purposes, and to allow re-creation of the objects from appropriate | hashing a simple string. The seeds and their derivation are included | |||
| tooling. | in the document for informational purposes, and to allow re-creation | |||
| of the objects from appropriate tooling. | ||||
| All seeds used are 224 bits long (the first 224 bits of the SHA-256 | All RSA seeds used are 224 bits long (the first 224 bits of the | |||
| digest of the origin string), and are represented in hexadecimal. | SHA-256 digest of the origin string), and are represented in | |||
| hexadecimal. | ||||
| 3. Example Certificate Authority | 3. Example Certificate Authority | |||
| The example Certificate Authority has the following information: | The example Certificate Authority has the following information: | |||
| * Name: "Sample LAMPS Certificate Authority" | * Name: "Sample LAMPS Certificate Authority" | |||
| 3.1. Certificate Authority Certificate | 3.1. Certificate Authority Certificate | |||
| This cerificate is used to verify certificates issued by the example | This cerificate is used to verify certificates issued by the example | |||
| skipping to change at page 21, line 38 ¶ | skipping to change at page 22, line 38 ¶ | |||
| dsTURagfJIyqULoe08EIIozahivbzoWVA6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAe | dsTURagfJIyqULoe08EIIozahivbzoWVA6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAe | |||
| XO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVzPOmXhN53pDhlxkw0btkKblYA9CvP+kzg | XO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVzPOmXhN53pDhlxkw0btkKblYA9CvP+kzg | |||
| wekzCy/Mlq/HbO38CV1NKzay3yg4ntehJ+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhme | wekzCy/Mlq/HbO38CV1NKzay3yg4ntehJ+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhme | |||
| Nd14Y65D9TlypM/zrXSyGoOqZgSA6HlAgogzwwSaGwx9n/o6czE8MBUGCSqGSIb3 | Nd14Y65D9TlypM/zrXSyGoOqZgSA6HlAgogzwwSaGwx9n/o6czE8MBUGCSqGSIb3 | |||
| DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFBfFhHvQp+92kDi4s28IvJK1 | DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFBfFhHvQp+92kDi4s28IvJK1 | |||
| niuUMF8wTzALBglghkgBZQMEAgMEQESULk1nPh/xbTET83QqxpxbEpCxkvY1zrpc | niuUMF8wTzALBglghkgBZQMEAgMEQESULk1nPh/xbTET83QqxpxbEpCxkvY1zrpc | |||
| aWzzbehThKle6bJRDM3zlpr0dHs8Qxs3ocSpAQ1XOXjuXlqFfKsECJ1vqXe6ro0F | aWzzbehThKle6bJRDM3zlpr0dHs8Qxs3ocSpAQ1XOXjuXlqFfKsECJ1vqXe6ro0F | |||
| AgIoAA== | AgIoAA== | |||
| -----END PKCS12----- | -----END PKCS12----- | |||
| 6. Security Considerations | 6. Example Ed25519 Certificate Authority | |||
| The example Ed25519 Certificate Authority has the following | ||||
| information: | ||||
| * Name: "Sample LAMPS Ed25519 Certificate Authority" | ||||
| 6.1. Certificate Authority Certificate | ||||
| This cerificate is used to verify certificates issued by the example | ||||
| Ed25519 Certificate Authority. | ||||
| -----BEGIN CERTIFICATE----- | ||||
| MIIBcDCCASKgAwIBAgITGz6zL8fCL93bElmwkKaEVA49zzAFBgMrZXAwNTEzMDEG | ||||
| A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 | ||||
| MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA1MTMwMQYDVQQDEypT | ||||
| YW1wbGUgTEFNUFMgRWQyNTUxOSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwKjAFBgMr | ||||
| ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNDMEEwDwYDVR0T | ||||
| AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRropV9uhSb5C0E | ||||
| 0Qek0YLkLmuMtTAFBgMrZXADQQCpSPkvILHd5nLh+YT34REF0VVphNaxdw1dnx/J | ||||
| 7BGYvgKOObND0sqpkpc1neTiIi9gdfs5zSIak6TnVDdiuccK | ||||
| -----END CERTIFICATE----- | ||||
| 6.2. Ed25519 Certificate Authority Secret Key | ||||
| This secret key material is used by the example Ed25519 Certificate | ||||
| Authority to issue new certificates. | ||||
| -----BEGIN PRIVATE KEY----- | ||||
| MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp | ||||
| -----END PRIVATE KEY----- | ||||
| This secret key is the [SHA256] digest of the ASCII string "draft- | ||||
| lamps-sample-certs-keygen.ca.25519.seed". | ||||
| 7. Carlos's Sample Certificates | ||||
| Carlos has the following information: | ||||
| * Name: "Carlos Turing" | ||||
| * E-mail Address: "carlos@smime.example" | ||||
| 7.1. Carlos's Signature Verification End-Entity Certificate | ||||
| This certificate is used for verification of signatures made by | ||||
| Carlos. | ||||
| -----BEGIN CERTIFICATE----- | ||||
| MIIBqTCCAVugAwIBAgITfTA2/ZV2DbKUTmbWgsuSzBMGCTAFBgMrZXAwNTEzMDEG | ||||
| A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 | ||||
| MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D | ||||
| YXJsb3MgVHVyaW5nMCowBQYDK2VwAyEAws6AMizeYchNhE1g75Gc552urn8e5Add | ||||
| I/IAppL3yK2jgZgwgZUwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA | ||||
| c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAPBgNVHQ8BAf8EBQMD | ||||
| B8AAMB0GA1UdDgQWBBRkheM7nB1azeYLuhp/CL7EnMyEPzAfBgNVHSMEGDAWgBRr | ||||
| opV9uhSb5C0E0Qek0YLkLmuMtTAFBgMrZXADQQDHbvRfqrivP1YFE1vR4s8IxQba | ||||
| mPgWm+bh1bz0WQZEJx27+HXSwcQq1OaigzpNX5x/8fXy3Tdfyh/syZqkGwAD | ||||
| -----END CERTIFICATE----- | ||||
| 7.2. Carlos's Signing Private Key Material | ||||
| This private key material is used by Carlos to create signatures. | ||||
| -----BEGIN PRIVATE KEY----- | ||||
| MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY | ||||
| -----END PRIVATE KEY----- | ||||
| This secret key is the [SHA256] digest of the ASCII string "draft- | ||||
| lamps-sample-certs-keygen.carlos.sign.25519.seed". | ||||
| 7.3. Carlos's Encryption End-Entity Certificate | ||||
| This certificate is used to encrypt messages to Carlos. | ||||
| -----BEGIN CERTIFICATE----- | ||||
| MIIBqTCCAVugAwIBAgITqKfyfNYXEMyA0hgjaMFYQldVQzAFBgMrZXAwNTEzMDEG | ||||
| A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 | ||||
| MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D | ||||
| YXJsb3MgVHVyaW5nMCowBQYDK2VuAyEALmgxzNMgyJ11NRhNz9bKYSpfDyFmbVBs | ||||
| jPbFfaAUPHSjgZgwgZUwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA | ||||
| c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAPBgNVHQ8BAf8EBQMD | ||||
| BwgAMB0GA1UdDgQWBBSBKaD6I6BLIIwNeADe7doWyzQluTAfBgNVHSMEGDAWgBRr | ||||
| opV9uhSb5C0E0Qek0YLkLmuMtTAFBgMrZXADQQBAEptLosUVLmgSGgX/KBtx6end | ||||
| 0GlzlW+uz/tkIV0FlqKwrOXt3ixbQJ1dTWBnKdpxKxOwwJrfn5/01YgzUJ0E | ||||
| -----END CERTIFICATE----- | ||||
| 7.4. Carlos's Decryption Private Key Material | ||||
| This private key material is used by Carlos to decrypt messages. | ||||
| -----BEGIN PRIVATE KEY----- | ||||
| MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK | ||||
| -----END PRIVATE KEY----- | ||||
| This secret key is the [SHA256] digest of the ASCII string "draft- | ||||
| lamps-sample-certs-keygen.carlos.encrypt.25519.seed". | ||||
| 7.5. PKCS12 Object for Carlos | ||||
| This PKCS12 ([RFC7292]) object contains the same information as | ||||
| presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and | ||||
| Section 6.1. | ||||
| It is locked with the simple five-letter password "carlos". | ||||
| -----BEGIN PKCS12----- | ||||
| MIIIxgIBAzCCCF4GCSqGSIb3DQEHAaCCCE8EgghLMIIIRzCCAm8GCSqGSIb3DQEH | ||||
| BqCCAmAwggJcAgEAMIICVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R | ||||
| pT1mkyMCAhS7gIICKKwyttinvdBY3pNtMUJ4/G6tE8tBny4Xnh5vONwv0SU1nPzN | ||||
| NKDPjaanMtw61VEFsQTJOTktIeNVV8uzT1a15/A9ax7U+70Mw3zwiXsyzMxEd7ry | ||||
| Qmj7djYjx5xQ+UsnBgzrjapUSYmryDvYqEuig27O9Q8zaxdMd/wep3OGeaa4jrXo | ||||
| dEW3iXBEkjH0wvCc9FV72z5AGMQzvz1dGC+cjSeJyvNvcfqkifhpPCmdM1Wltj1J | ||||
| aejep+P21+yZRle9mDYSgiwWOzMcOD7hLYOEo81CvNmPtoYjctm3L7okSwS6lVoA | ||||
| pDLoIumlHgvA7jMWOUM5VkW5ONrPREB3uSQnP2CoKJjmTYQ1VupJl9/Gfltj3O5c | ||||
| eX5/gsU8q/G0Bti9hpEV5Cu83hnz6Zrb2LzIu0TpyYsjslUUs3vkG5fTBkCcjWkM | ||||
| R40VTz5kxL16U1px1cDGQ50Fa1qISXMzBsXV38gSGIU/qcUVPtuTZzNckFrcQDLs | ||||
| 4IxjUO+ijnh5oHEHdeSBM9CWzMsq/agNihb0dO4uC/VLtwh+TxLiTOrMLrAhIpqx | ||||
| NUDo8jyYhn0/GQNQJHBgSn2GIoUpC5CLOBGw37LxXqvJqNeuZ378mTO1xbc10MTo | ||||
| TBW5aZkNZPJsx59msjJVXZjTr3qZ7AephyEWJEJIyJbzNVbvLP+qBWzie4avydlJ | ||||
| fpYqjoWQxsJBcY5vjVDl7ofF5kgRLZkz++GWPMYACfgqf5ZcMDCCAk8GCSqGSIb3 | ||||
| DQEHBqCCAkAwggI8AgEAMIICNQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI | ||||
| 4zNcyy17/xoCAhSUgIICCO+ILkjMy7C90J/ATzaSEgL69GkwwyuZbTo/YwY2fq/E | ||||
| NNrBt/RMcgRLgNAWw/QpFI9QhwjAicFscq9V7NXPpVCd9x/cX0qbx+EA9k3UdSBJ | ||||
| NyF0rOX0ZkrXJAUuu8aO41DaSpbUshJhh5hx5MRqbANlaT+1Q7D+k9vz3zcpO3wx | ||||
| zyHqNYxmZ+x1ExxiCxmLTxTwLHsJnFMamYuP7fBT5A34iYZdtVwotA/ussPx/HXP | ||||
| n+KAXt1QQyvEb7kch9nJEWAmuCjdpIvf2AQCTSHp+WnDB/Tg7pEw8RT+HIcAwbXd | ||||
| 8AfhZmncDCOmNKe+4HPrp8R5CXwz7tpOqo/EqC5x36ak94RQXh7QM/r7thL68d1U | ||||
| VL9Vx7LnRLjsQAedSHXrKyYShluzTLbJNHLDVnYBT1m1WyO0mDRm4Y0SLUiJ+Lud | ||||
| AeKlVMJV6H+BeyxsXBSRQu5BHI8XhO/gQh00dmXTT9plqZ7V44qRHpYqeeoHYzZO | ||||
| G8gPoCQ+AXCWmrctugcDu09tgbpGkDOFI+J0mAJz/E3vkHJ7T92TXj98Bf/zlKEX | ||||
| AQGvaxCI5FpT224x0DBF/z6ZxWKZortuaxPhChBqrZ14qdBVdnXpgdoFUY9SLAn8 | ||||
| hthwn93in0IFHHdjRgaxR3c0TE0a28xwQpvI17w5t/Vl+WGQ8GHmPAzFUDLO33oE | ||||
| mn2FmWVjMWswggHvBgkqhkiG9w0BBwagggHgMIIB3AIBADCCAdUGCSqGSIb3DQEH | ||||
| ATAcBgoqhkiG9w0BDAEDMA4ECGj2DS1DJhO/AgIUgYCCAaiPztSEqZVM6ghfLfK9 | ||||
| UFKypTE38W/ozxw1QDOKxETQplu8iDrsYI54EbU1w6g6vWxrhHvIcJEMPbnUX7V2 | ||||
| DQwyi/Hd3ad0EdQ45kGb7mNciltIuDGPrFrBqsPEx4hDJGjePIvgEXDpj8szxJwQ | ||||
| wq9WbdPq2pH7uD4Va9+HbeJjRTP7CP8ceGAO77zfAU1MZl7n+ydptAwVN3Ex9GGc | ||||
| jbs0yocOXheRDYK8U1Hl22UjQ5OtXA83DID8QeLr+NNFIlwcYJEPM5kxKnBIcngP | ||||
| utB3SLz16w8eap9yfHuVwdr1dI6rn93dcFix2ympTJnQLNSVEPZS62cydmWOYKUo | ||||
| LyhuYfM7ZnuI1vOWl932pgkIHdplfkmygB+OE5w9NXhv5En6tqtISNdJcpfB65as | ||||
| E8orGVDrQeao9E2mVTAFgiHHLCKcsbL4n3OwG83I0fzEja6yLyDzu/hGyMh/Jyuf | ||||
| rcJGgMWrn2/+2TVzTVUcvcTFsypfaPAb6UkEvt5h+2xatZMnJC5CkBY+yzc3ahqN | ||||
| GtgFtEf7RdDZK12+IA1qxrRkNSH+DE57xFLGMIHEBgkqhkiG9w0BBwGggbYEgbMw | ||||
| gbAwga0GCyqGSIb3DQEMCgECoFowWDAcBgoqhkiG9w0BDAEDMA4ECA2F84MR3NKt | ||||
| AgIUXQQ4ISoWJ7Wl6JxL05Jc1CMvBs3eQ7yVgzYep5JmgQonglIWVXWRZbfHB+7l | ||||
| pkqsYRgF8Yx3yt6dGKMxQjAbBgkqhkiG9w0BCRQxDh4MAGMAYQByAGwAbwBzMCMG | ||||
| CSqGSIb3DQEJFTEWBBSBKaD6I6BLIIwNeADe7doWyzQluTCBxAYJKoZIhvcNAQcB | ||||
| oIG2BIGzMIGwMIGtBgsqhkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAg0 | ||||
| VyogQx931QICFLUEOBmu4SxJoFj4Kb1YpHweEfcleH4CgxKvCQMIrK1a34w0hcHS | ||||
| NjZBkcNs3e4WfuofDTowO2GcqeJrMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBs | ||||
| AG8AczAjBgkqhkiG9w0BCRUxFgQUZIXjO5wdWs3mC7oafwi+xJzMhD8wXzBPMAsG | ||||
| CWCGSAFlAwQCAwRAit56S2r7yFrpjMaCK3ybG63nQrjdqKEIHQZSMvr4UmbA6u1n | ||||
| tadRca4edJMDRdUIRFckfpa1qHI9YWBWGP4TFAQIkONpmR/LgWcCAigA | ||||
| -----END PKCS12----- | ||||
| 8. Dana's Sample Certificates | ||||
| Dana has the following information: | ||||
| * Name: "Dana Hopper" | ||||
| * E-mail Address: "dna@smime.example" | ||||
| 8.1. Dana's Signature Verification End-Entity Certificate | ||||
| This certificate is used for verification of signatures made by Dana. | ||||
| -----BEGIN CERTIFICATE----- | ||||
| MIIBpTCCAVegAwIBAgITpJvJ/RfYIwaHOq+JHuYw2w0HKzAFBgMrZXAwNTEzMDEG | ||||
| A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 | ||||
| MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE | ||||
| YW5hIEhvcHBlcjAqMAUGAytlcAMhALLaHeGGRooNjrs+4K40ueetCId1JZik+WAW | ||||
| w6J/zm+uo4GWMIGTMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt | ||||
| ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB/wQFAwMHwAAw | ||||
| HQYDVR0OBBYEFEgDhsFpuHhtrt7zzAawM6xXMt2WMB8GA1UdIwQYMBaAFGuilX26 | ||||
| FJvkLQTRB6TRguQua4y1MAUGAytlcANBAO1JTk7QtXn5yCwgjVRYMzwY6vCaxR0v | ||||
| yNVq04iiXCADZWNyeBt2rvpTwJ0j5ky5/OzJygrhSmkxoi1ySsvypgw= | ||||
| -----END CERTIFICATE----- | ||||
| 8.2. Dana's Signing Private Key Material | ||||
| This private key material is used by Dana to create signatures. | ||||
| -----BEGIN PRIVATE KEY----- | ||||
| MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N | ||||
| -----END PRIVATE KEY----- | ||||
| This secret key is the [SHA256] digest of the ASCII string "draft- | ||||
| lamps-sample-certs-keygen.dana.sign.25519.seed". | ||||
| 8.3. Dana's Encryption End-Entity Certificate | ||||
| This certificate is used to encrypt messages to Dana. | ||||
| -----BEGIN CERTIFICATE----- | ||||
| MIIBpTCCAVegAwIBAgITC+vfipqj1grZL8ViMpnNj1gd6zAFBgMrZXAwNTEzMDEG | ||||
| A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 | ||||
| MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE | ||||
| YW5hIEhvcHBlcjAqMAUGAytlbgMhAOAxojYBaRT0sbwK9pEeANIRj13vZjwQ1l4z | ||||
| CJs+6CRUo4GWMIGTMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt | ||||
| ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB/wQFAwMHCAAw | ||||
| HQYDVR0OBBYEFJ3fTdQF75rsYIa8J20E6c5a3I+kMB8GA1UdIwQYMBaAFGuilX26 | ||||
| FJvkLQTRB6TRguQua4y1MAUGAytlcANBAD5H9BEI9UMNr17ZTPgcUqP7Lj4LYpmm | ||||
| AMjqTuul+fQWupaq81D3eqKH/+I0xBgU7tOm5daFOcylUECUppIxIgk= | ||||
| -----END CERTIFICATE----- | ||||
| 8.4. Dana's Decryption Private Key Material | ||||
| This private key material is used by Dana to decrypt messages. | ||||
| -----BEGIN PRIVATE KEY----- | ||||
| MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3 | ||||
| -----END PRIVATE KEY----- | ||||
| This seed is the [SHA256] digest of the ASCII string "draft-lamps- | ||||
| sample-certs-keygen.dana.encrypt.25519.seed". | ||||
| 8.5. PKCS12 Object for Dana | ||||
| This PKCS12 ([RFC7292]) object contains the same information as | ||||
| presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and | ||||
| Section 6.1. | ||||
| It is locked with the simple four-letter password "dana". | ||||
| -----BEGIN PKCS12----- | ||||
| MIIItgIBAzCCCE4GCSqGSIb3DQEHAaCCCD8Eggg7MIIINzCCAmcGCSqGSIb3DQEH | ||||
| BqCCAlgwggJUAgEAMIICTQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH | ||||
| TA2APx0CAhQXgIICII41QoooyUFqZ/fDWmgn1xEzYA0oJmBoFCl8uyXfZ/0yP63q | ||||
| EYmGtmplf0qtFoI9tG1k0yKnmYY4xACo8Vy12BxSY62YfDv/2Uk+R4vNsyO9IwDR | ||||
| rR4LF1rvYOlj8VNbIovXp2c1RUZW7QZKL/qVb5V9hNL80mKk77TteeFFKvDBYPyw | ||||
| DYUBr+CP5gbMi71DwePoXHN+Rd6hHFFrUBhFVEUlXgCTs/rgsN+WJ3Wx1SK44xel | ||||
| MyP9PzrMO5rnZDnP1pPsanIB/Zl5xDKbg/lg19St+dnnaHr3Le5knMRcc48PZ/r8 | ||||
| 0bSaEQ2TxxUbdVQoshPtpoJ20EMgD0omRYZNYBB3ukj2j5c2gHCAsv+3cRKYZbpn | ||||
| 37N0MreFTdVyx7KKXKUz9pyVk7TDxtseq4uF/tZzo2QTe0aWoVAsapcu9Ypc4OW+ | ||||
| r/EehKR5MxPoNxa9eKIZEmDPU6ZnNRhnJG3QB63zAZ9ojY72PgvNOMrrKipCI4Jc | ||||
| irJ7KK5hOLh7ScsFaYnZnVwfdN5Vw6os4VxY51uW6JOQuCaCZtB6ypEe40DCPevd | ||||
| ej+YYm4qCxGnbiS7lf2yBkoYsmmz9yGCePvkHLpdYL3yql12Ti8cEV1hyQP9manq | ||||
| ye4OvnlHKczGOIeE3sHipkjTyAqo+uSDy2/TMZU6U9Wpq5FcrmOIs3HHFaEKWq7N | ||||
| oIVLEGgVcvgyL9hGrb5WsU71e6JgeZsZ9jL2QigwggJPBgkqhkiG9w0BBwagggJA | ||||
| MIICPAIBADCCAjUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECPG6iJpJkNuf | ||||
| AgIUf4CCAgj/MCKXWbtp1qlHufYRzMhWeV3BaYoisKS4N0I+MYEv0VpHKLGp8e5v | ||||
| CtkuWnuY3WJ6Mqn5F27MIGyjoimcoeQboApOgVYu+QZbwWX4HV7jPfByE3DX1Ll5 | ||||
| 7irBYXUaoGzqBspDsmancqL7LHr/HJszKpv7kSTKiRpHvqdcg3RtD+AetoZxrYci | ||||
| zmfcBONW4XDyTDKM4sSyypMrSjiO/huGjg4TXQQYLbxOxUo+RH7JWzTH3RLHhH/w | ||||
| /+RHKXvym7uRm+oSlXkffz47VyA348w7+YADMCxeujG+NlBikGJEc53R1xGuiVjI | ||||
| 8aButCifePwyQ65/m+jklMOqIrq2M12mh9z6mtT6kYqZjcKxwV+rEib4TX48+HOt | ||||
| 2vp9r6o41+ulLu9f2P/EJka86biQU0MbWA+cd0JXpDm7CgVT/c7opob3Fs3fM1BH | ||||
| Sh8g8moOIAI7EBfkxkymrgrCBptm74W6AxQGAgYFrNWBHunFer4DnE2rhDLxFvZg | ||||
| X2c1VJPfhKDM9lt7vksoAttmXNWY1UuCBqGipH11qe7txE/tgAZJF51owRvFGOLQ | ||||
| 7dCFH+cyS55UIJPhuFgUR7qskzrrh5SyWuBdMDSgyf7z+Jo86mBQEtwIsT2erqGf | ||||
| z7fqo1TFyK2HpTr1FsTFjhNq4cXBQB2Red7f6IuK9/b6A6soKwpApjE3Uoymc3MK | ||||
| MIIB7wYJKoZIhvcNAQcGoIIB4DCCAdwCAQAwggHVBgkqhkiG9w0BBwEwHAYKKoZI | ||||
| hvcNAQwBAzAOBAjnyf7N2H+W4AICFJ2AggGoGREGUW0ANjBShA7junSDi0+1a3uu | ||||
| PVz1O2L0eWnKISTivDOBDjmhkAwoMF+RSaTqc0eFz4yCEiMdBEkO/Uk3+R5HCOGr | ||||
| tKh0sMh1Ti8dPEPbXcwVvs7vUuXx5iAMAMN2BP2/4DTB32XMCHwFwTHyTFkQcsdI | ||||
| 4GtpnP9YsusabQWaD2YjHKZnNTP1LBKrllhxEyUK1zB39rfQkRtM6X/2cpO/rKjH | ||||
| NEKW0QQIzx4jrrf93cbXGMZy7ZZWygkbS8SNfe6ztvR3/AAU03PD7b9GfMSHW0gN | ||||
| 6HAHuRX3U6STB3kGUB0u80+Ff4OHIRf0gTwfXjj0RW1cJ+T+mpJfsmgycVFSNn4r | ||||
| ThuIwSSHWB/dJguhj1pd2kldHS90T3xbcxxQPru41HIRpc69BVPmdgsywt285Q1A | ||||
| IkR0laF7yTn7j0mNCkFjgiUPyUh0B6oziqa6bPFX33v9vbIkvGEH/xiyH5KL8NVn | ||||
| e+SJqOqo5Ldz+VwuVjRVaJKYRiEIwG/igukbZELynt+n2ab7MQBwaF7szah6rgoJ | ||||
| 9siHtn2qqcLH/yFSpa31l+zmrzCBwAYJKoZIhvcNAQcBoIGyBIGvMIGsMIGpBgsq | ||||
| hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAi9gc9b1vmGZAICFLoEOGDs | ||||
| hI5HudzQ7whUdHIlB2e63n/f8D8eU4Fd6sxoX0eGz9q3aYjrfYQB1SuXJlAEe/sI | ||||
| wCYmHS1EMT4wFwYJKoZIhvcNAQkUMQoeCABkAGEAbgBhMCMGCSqGSIb3DQEJFTEW | ||||
| BBSd303UBe+a7GCGvCdtBOnOWtyPpDCBwAYJKoZIhvcNAQcBoIGyBIGvMIGsMIGp | ||||
| BgsqhkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAhcO/FJPCuuLgICFPoE | ||||
| OIndI0W9ychDOX3aWnkEfmBHjJ/mOSmr6ZVQ+R7YEEGPYYaaW0KhuGn+ymPjE+sb | ||||
| rOqDREHiQBOcMT4wFwYJKoZIhvcNAQkUMQoeCABkAGEAbgBhMCMGCSqGSIb3DQEJ | ||||
| FTEWBBRIA4bBabh4ba7e88wGsDOsVzLdljBfME8wCwYJYIZIAWUDBAIDBEBIhL6p | ||||
| HFTK0hwRZDyE3YSCZQkqqfjtQ5Af5bMNXzoKrBwKyiIFjaLjzqOHsXjZfvpYFn9l | ||||
| SfA4Br7bcbT0GhQEBAguQ5JM5djJbQICKAA= | ||||
| -----END PKCS12----- | ||||
| 9. Security Considerations | ||||
| The keys presented in this document should be considered compromised | The keys presented in this document should be considered compromised | |||
| and insecure, because the secret key material is published and | and insecure, because the secret key material is published and | |||
| therefore not secret. | therefore not secret. | |||
| Applications which maintain blacklists of invalid key material SHOULD | Applications which maintain blacklists of invalid key material SHOULD | |||
| include these keys in their lists. | include these keys in their lists. | |||
| 7. IANA Considerations | 10. IANA Considerations | |||
| IANA has nothing to do for this document. | IANA has nothing to do for this document. | |||
| 8. Document Considerations | 11. Document Considerations | |||
| [ RFC Editor: please remove this section before publication ] | [ RFC Editor: please remove this section before publication ] | |||
| This document is currently edited as markdown. Minor editorial | This document is currently edited as markdown. Minor editorial | |||
| changes can be suggested via merge requests at | changes can be suggested via merge requests at | |||
| https://gitlab.com/dkg/lamps-samples or by e-mail to the author. | https://gitlab.com/dkg/lamps-samples or by e-mail to the author. | |||
| Please direct all significant commentary to the public IETF LAMPS | Please direct all significant commentary to the public IETF LAMPS | |||
| mailing list: "spasm@ietf.org" | mailing list: "spasm@ietf.org" | |||
| 8.1. Document History | 11.1. Outstanding Changes | |||
| 8.1.1. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 | * Cross-sign between two sample CAs ? | |||
| * Add SMIMECapabilities (RFC 4262) for X25519 certificates | ||||
| indicating supported ECDH schemes, as in section 8 of RFC 8418? | ||||
| 11.2. Document History | ||||
| 11.2.1. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 | ||||
| * Added Curve25519 sample certificates (new CA, Carlos, and Dana) | ||||
| 11.2.2. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 | ||||
| * WG adoption (dkg moves from Author to Editor) | * WG adoption (dkg moves from Author to Editor) | |||
| 8.1.2. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 | 11.2.3. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 | |||
| * PEM blobs are now "sourcecode", not "artwork" | * PEM blobs are now "sourcecode", not "artwork" | |||
| 8.1.3. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 | 11.2.4. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 | |||
| * Describe deterministic key generation | * Describe deterministic key generation | |||
| * label PEM blobs with filenames in XML | * label PEM blobs with filenames in XML | |||
| 8.1.4. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 | 11.2.5. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 | |||
| * Alice and Bob now each have two distinct certificates: one for | * Alice and Bob now each have two distinct certificates: one for | |||
| signing, one for encryption, and public keys to match. | signing, one for encryption, and public keys to match. | |||
| 8.1.5. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 | 11.2.6. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 | |||
| * PKCS#12 objects are deliberately locked with simple passphrases | * PKCS#12 objects are deliberately locked with simple passphrases | |||
| 8.1.6. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 | 11.2.7. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 | |||
| * changed all three keys to use RSA instead of RSA-PSS | * changed all three keys to use RSA instead of RSA-PSS | |||
| * set keyEncipherment keyUsage flag instead of dataEncipherment in | * set keyEncipherment keyUsage flag instead of dataEncipherment in | |||
| EE certs | EE certs | |||
| 9. Acknowledgements | 12. Acknowledgements | |||
| This draft was inspired by similar work in the OpenPGP space by | This draft was inspired by similar work in the OpenPGP space by | |||
| Bjarni Runar and juga at [I-D.bre-openpgp-samples]. | Bjarni Runar and juga at [I-D.bre-openpgp-samples]. | |||
| Eric Rescorla helped spot issues with certificate formats. | Eric Rescorla helped spot issues with certificate formats. | |||
| Sean Turner pointed to [RFC4134] as prior work. | Sean Turner pointed to [RFC4134] as prior work. | |||
| Deb Cooley suggested that Alice and Bob should have separate | Deb Cooley suggested that Alice and Bob should have separate | |||
| certificates for signing and encryption. | certificates for signing and encryption. | |||
| Wolfgang Hommel helped to build reproducible encrypted PKCS#12 | Wolfgang Hommel helped to build reproducible encrypted PKCS#12 | |||
| objects. | objects. | |||
| Carsten Bormann got the XML "sourcecode" markup working for this | Carsten Bormann got the XML "sourcecode" markup working for this | |||
| draft. | draft. | |||
| 10. References | 13. References | |||
| 10.1. Normative References | 13.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| skipping to change at page 23, line 40 ¶ | skipping to change at page 31, line 5 ¶ | |||
| [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, | [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, | |||
| DOI 10.17487/RFC5322, October 2008, | DOI 10.17487/RFC5322, October 2008, | |||
| <https://www.rfc-editor.org/info/rfc5322>. | <https://www.rfc-editor.org/info/rfc5322>. | |||
| [RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A., | [RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A., | |||
| and M. Scott, "PKCS #12: Personal Information Exchange | and M. Scott, "PKCS #12: Personal Information Exchange | |||
| Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014, | Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014, | |||
| <https://www.rfc-editor.org/info/rfc7292>. | <https://www.rfc-editor.org/info/rfc7292>. | |||
| [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | ||||
| Signature Algorithm (EdDSA)", RFC 8032, | ||||
| DOI 10.17487/RFC8032, January 2017, | ||||
| <https://www.rfc-editor.org/info/rfc8032>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | |||
| Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | |||
| Message Specification", RFC 8551, DOI 10.17487/RFC8551, | Message Specification", RFC 8551, DOI 10.17487/RFC8551, | |||
| April 2019, <https://www.rfc-editor.org/info/rfc8551>. | April 2019, <https://www.rfc-editor.org/info/rfc8551>. | |||
| 10.2. Informative References | 13.2. Informative References | |||
| [FIPS186-4] | [FIPS186-4] | |||
| "Digital Signature Standard (DSS)", National Institute of | "Digital Signature Standard (DSS)", National Institute of | |||
| Standards and Technology report, | Standards and Technology report, | |||
| DOI 10.6028/nist.fips.186-4, July 2013, | DOI 10.6028/nist.fips.186-4, July 2013, | |||
| <https://doi.org/10.6028/nist.fips.186-4>. | <https://doi.org/10.6028/nist.fips.186-4>. | |||
| [I-D.bre-openpgp-samples] | [I-D.bre-openpgp-samples] | |||
| Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP | Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP | |||
| Example Keys and Certificates", Work in Progress, | Example Keys and Certificates", Work in Progress, | |||
| skipping to change at page 24, line 26 ¶ | skipping to change at page 31, line 42 ¶ | |||
| samples-01.txt>. | samples-01.txt>. | |||
| [RFC4134] Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134, | [RFC4134] Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134, | |||
| DOI 10.17487/RFC4134, July 2005, | DOI 10.17487/RFC4134, July 2005, | |||
| <https://www.rfc-editor.org/info/rfc4134>. | <https://www.rfc-editor.org/info/rfc4134>. | |||
| [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning | [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning | |||
| Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April | Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April | |||
| 2015, <https://www.rfc-editor.org/info/rfc7469>. | 2015, <https://www.rfc-editor.org/info/rfc7469>. | |||
| [RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for | ||||
| Ed25519, Ed448, X25519, and X448 for Use in the Internet | ||||
| X.509 Public Key Infrastructure", RFC 8410, | ||||
| DOI 10.17487/RFC8410, August 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8410>. | ||||
| [SHA256] Dang, Q., "Secure Hash Standard", National Institute of | [SHA256] Dang, Q., "Secure Hash Standard", National Institute of | |||
| Standards and Technology report, | Standards and Technology report, | |||
| DOI 10.6028/nist.fips.180-4, July 2015, | DOI 10.6028/nist.fips.180-4, July 2015, | |||
| <https://doi.org/10.6028/nist.fips.180-4>. | <https://doi.org/10.6028/nist.fips.180-4>. | |||
| Author's Address | Author's Address | |||
| Daniel Kahn Gillmor (editor) | Daniel Kahn Gillmor (editor) | |||
| American Civil Liberties Union | American Civil Liberties Union | |||
| 125 Broad St. | 125 Broad St. | |||
| End of changes. 27 change blocks. | ||||
| 75 lines changed or deleted | 402 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||