KEYPROV Working Group                                 Sean Turner, IECA
Internet Draft                             Russ Housley, Vigil Security
Intended Status: Standards Track                          July 10, 2009
Expires: January 10, 2010



                    Symmetric Key Package Content Type
               draft-ietf-keyprov-symmetrickeyformat-05.txt


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on January 10, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.







Turner & Housley        Expires January 10, 2010               [Page 1]


Internet-Draft    Symmetric Key Package Content Type          July 2009


Abstract

   This document defines the symmetric key package content type.  It is
   transport independent.  The Cryptographic Message Syntax can be used
   to digitally sign, digest, authenticate, or encrypt this content
   type.

Table of Contents

   1. Introduction...................................................2
      1.1. Requirements Terminology..................................2
      1.2. ASN.1 Syntax Notation.....................................2
   2. Symmetric Key Package Content Type.............................2
   3. Security Considerations........................................4
   4. IANA Considerations............................................4
   5. References.....................................................4
      5.1. Normative References......................................4
      5.2. Non-Normative References..................................4
   APPENDIX A: ASN.1 Module..........................................5

1. Introduction

   This document defines the symmetric key package content type.  It is
   transport independent.  The Cryptographic Message Syntax [RFC3852] can
   be used to digitally sign, digest, authenticate, or encrypt this
   content type.

   The use cases that motivated this work are elaborated in [PSKC] and
   are not repeated here.

1.1. Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. ASN.1 Syntax Notation

   The key package is defined using ASN.1 [X.680], [X.681], [X.682],
   [X.683].

2. Symmetric Key Package Content Type

   The symmetric key package content type is used to transfer one or
   more plaintext symmetric keys from one party to another.  A symmetric
   key package MAY be encapsulated in one or more CMS protecting content
   types.  This content type MUST be DER encoded [X.690].



   The symmetric key package content type has the following syntax:

     PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

     symmetric-key-package PKCS7-CONTENT-TYPE ::=
       { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }

     id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
         smime(16) ct(1) 25 }

     SymmetricKeyPackage ::= SEQUENCE {
       version           KeyPkgVersion DEFAULT v1,
       sKeyPkgAttrs  [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
       sKeys             SymmetricKeys }

     SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey

     OneSymmetricKey ::= SEQUENCE {
       sKeyAttrs  SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
       sKey       OCTET STRING OPTIONAL
                  -- At least sKeyAttrs or sKey MUST be present.
     }

     KeyPkgVersion ::= INTEGER  { v1(1), ... }

   The SymmetricKeyPackage fields are used as follows:

   - version identifies the version of the symmetric key package
     content structure.  For this version of the specification, the
     default value, v1, MUST be used.

   - sKeyPkgAttrs optionally provides attributes that apply to all of
     the symmetric keys in the package.  If an attribute appears here it
     MUST NOT also be included in sKeyAttrs.

   - sKeys contains a sequence of OneSymmetricKey values.  This
     structure is discussed below.

   The OneSymmetricKey fields are used as follows:

   - sKeyAttrs optionally provides attributes that apply to one
     symmetric key.  If an attribute appears here it MUST NOT also be
     included in sKeyPkgAttrs.

   - sKey optionally contains the key value encoded as an OCTET STRING.




   A OneSymmetricKey value MUST include at least one of sKeyAttrs and
   sKey; both MAY be present.
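
   The following Python program is an added worked example; it is not
   part of this draft and not code from any KEYPROV implementation.  It
   encodes and decodes a SymmetricKeyPackage using only the standard
   library and enforces the constraints stated above: the DEFAULT
   version is absent from the DER encoding, every OneSymmetricKey
   carries sKeyAttrs and/or sKey, the SIZE (1..MAX) bounds hold, and an
   attribute type that appears in sKeyPkgAttrs is rejected in any
   sKeyAttrs.  The attribute types 2.999.1 and 2.999.2 (under the ITU-T
   example arc) and the sample key bytes are constructed for
   illustration; this draft defines no attributes of its own.

```python
ID_CT_KP_SKEYPACKAGE = "1.2.840.113549.1.9.16.1.25"   # id-ct-KP-sKeyPackage (from the draft)
PKG_ATTR, KEY_ATTR = "2.999.1", "2.999.2"   # hypothetical attribute types, ITU-T example arc
SEQ, SET, OCTETS, INT, OID, CTX0 = 0x30, 0x31, 0x04, 0x02, 0x06, 0xA0   # DER tag octets

def need(cond, msg):
    if not cond: raise ValueError(msg)

def tlv(tag, body):   # tag + DER length (short form below 128, else minimal long form) + body
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:   # base-128 arcs, high bit = more follows
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def decode_oid(body):
    vals, v = [], 0
    for x in body:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            vals, v = vals + [v], 0
    lead = [2, vals[0] - 80] if vals[0] >= 80 else list(divmod(vals[0], 40))
    return ".".join(map(str, lead + vals[1:]))

def encode_attribute(oid, values):   # Attribute ::= SEQUENCE { type OID, values SET OF ... }
    return tlv(SEQ, der_oid(oid) + tlv(SET, b"".join(sorted(values))))   # DER orders SET OF

def check_levels(pkg_attrs, per_key_attrs):   # a type in sKeyPkgAttrs MUST NOT recur in sKeyAttrs
    pkg_types = {o for o, _ in pkg_attrs}
    need(not any(o in pkg_types for attrs in per_key_attrs for o, _ in attrs),
         "attribute type present in both sKeyPkgAttrs and sKeyAttrs")

def encode_package(keys, pkg_attrs=()):
    """keys: [(attrs, key_bytes or None)]; attrs: [(oid, [pre-encoded DER values])]."""
    check_levels(pkg_attrs, [a for a, _ in keys])
    sk = b""
    for attrs, key in keys:
        need(attrs or key is not None, "OneSymmetricKey needs sKeyAttrs and/or sKey")
        body = tlv(SEQ, b"".join(encode_attribute(o, v) for o, v in attrs)) if attrs else b""
        sk += tlv(SEQ, body + (tlv(OCTETS, key) if key is not None else b""))
    pa = tlv(CTX0, b"".join(encode_attribute(o, v) for o, v in pkg_attrs)) if pkg_attrs else b""
    return tlv(SEQ, pa + tlv(SEQ, sk))   # version is DEFAULT v1, so DER omits it; [0] attrs; sKeys

def iter_tlv(buf):
    """Yield (tag, body) for each DER TLV in buf (single-octet tags only)."""
    pos = 0
    while pos < len(buf):
        need(pos + 1 < len(buf), "truncated")
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long form: 1..4 octets, minimal
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
            need(1 <= k <= 4 and buf[pos - k] != 0 and n >= 0x80, "length is not DER")
        need(pos + n <= len(buf), "truncated")
        yield tag, buf[pos:pos + n]
        pos += n

def decode_attributes(body):
    out = []
    for tag, abody in iter_tlv(body):
        parts = list(iter_tlv(abody))
        need(tag == SEQ and [t for t, _ in parts] == [OID, SET], "malformed Attribute")
        values = [tlv(t, b) for t, b in iter_tlv(parts[1][1])]
        need(values, "Attribute values: SET SIZE (1..MAX)")
        out.append((decode_oid(parts[0][1]), values))
    need(out, "SEQUENCE OF Attribute: SIZE (1..MAX)")
    return out

def decode_package(der):
    outer = list(iter_tlv(der))
    need(len(outer) == 1 and outer[0][0] == SEQ, "not a single SEQUENCE")
    items = list(iter_tlv(outer[0][1]))
    need(not items or items[0][0] != INT, "version encoded: DER omits DEFAULT v1, no other version exists")
    pkg_attrs = decode_attributes(items.pop(0)[1]) if items and items[0][0] == CTX0 else []
    need(len(items) == 1 and items[0][0] == SEQ, "expected exactly one sKeys SEQUENCE")
    keys = []
    for tag, kbody in iter_tlv(items[0][1]):
        parts = list(iter_tlv(kbody))
        attrs = decode_attributes(parts.pop(0)[1]) if parts and parts[0][0] == SEQ else []
        key = parts.pop(0)[1] if parts and parts[0][0] == OCTETS else None
        need(tag == SEQ and not parts and (attrs or key is not None), "malformed OneSymmetricKey")
        keys.append({"attrs": attrs, "key": key})
    need(keys, "SymmetricKeys: SIZE (1..MAX)")
    check_levels(pkg_attrs, [k["attrs"] for k in keys])
    return {"version": 1, "pkg_attrs": pkg_attrs, "keys": keys}

def build_example():   # constructed sample: two keys, one package-level attribute
    pkg_attrs = [(PKG_ATTR, [tlv(0x13, b"batch-1")])]                 # PrintableString value
    keys = [([], bytes(range(16))),                                    # sKey only
            ([(KEY_ATTR, [tlv(OCTETS, b"k2")])], bytes(range(32)))]    # sKeyAttrs + sKey
    return encode_package(keys, pkg_attrs)
```

   decode_package() also rejects non-minimal length octets and an
   explicitly encoded v1 version, both of which DER forbids and a
   lenient BER parser would accept.  The dictionary it returns still
   holds plaintext key bytes, which is the point of Section 3: before
   the DER produced by encode_package() leaves the producing system it
   would be wrapped in a CMS protecting content type identified by
   id-ct-KP-sKeyPackage.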

3. Security Considerations

   The symmetric key package contents are not protected.  The keys are
   carried in plaintext, and the structure itself provides no
   confidentiality, integrity, or origin authentication.  This content
   type can be combined with a security protocol to protect the
   contents of the package; the CMS [RFC3852] protecting content types
   are one option, with EnvelopedData providing confidentiality and
   SignedData providing integrity and origin authentication.  A package
   transferred without such protection exposes every key it carries.

4. IANA Considerations

   None: All identifiers are already registered.  Please remove this
   section prior to publication as an RFC.

5. References

5.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
   Information Technology - Abstract Syntax Notation One.

   [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
   Information Technology - Abstract Syntax Notation One: Information
   Object Specification.

   [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
   Information Technology - Abstract Syntax Notation One: Constraint
   Specification.

   [X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002.
   Information Technology - Abstract Syntax Notation One:
   Parameterization of ASN.1 Specifications.

   [X.690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002.
   Information Technology - ASN.1 encoding rules: Specification of Basic
   Encoding Rules (BER), Canonical Encoding Rules (CER) and
   Distinguished Encoding Rules (DER).

5.2. Non-Normative References

   [PSKC] Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric Key
   Container (PSKC)", draft-ietf-keyprov-pskc-03.txt, work in progress.





   [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
   3852, July 2004.

APPENDIX A: ASN.1 Module

   This appendix provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680] through [X.683].

   SymmetricKeyPackageModulev1
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
       smime(16) modules(0) 33 }

   DEFINITIONS IMPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   -- IMPORTS NOTHING

     PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

     KeyPackageContentTypes PKCS7-CONTENT-TYPE ::= {
       symmetric-key-package |
       ... -- Expect additional content types --
     }

     symmetric-key-package PKCS7-CONTENT-TYPE ::=
       { SymmetricKeyPackage IDENTIFIED BY id-ct-KP-sKeyPackage }

     id-ct-KP-sKeyPackage OBJECT IDENTIFIER ::=
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
         smime(16) ct(1) 25 }

     SymmetricKeyPackage ::= SEQUENCE {
       version           KeyPkgVersion DEFAULT v1,
       sKeyPkgAttrs  [0] SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
       sKeys             SymmetricKeys }

     SymmetricKeys ::= SEQUENCE SIZE (1..MAX) OF OneSymmetricKey

     OneSymmetricKey ::= SEQUENCE {
       sKeyAttrs  SEQUENCE SIZE (1..MAX) OF Attribute OPTIONAL,
       sKey       OCTET STRING OPTIONAL
                  -- At least sKeyAttrs or sKey MUST be present.
     }



     KeyPkgVersion ::= INTEGER  { v1(1), ... }

     Attribute ::= SEQUENCE {
       type          ATTRIBUTE.&id ({SupportedAttributes}),
       values        SET SIZE (1..MAX) OF ATTRIBUTE.&Type
                          ({SupportedAttributes}{@type}) }

     SupportedAttributes ATTRIBUTE ::= { ... }

     ATTRIBUTE ::= CLASS {
       &derivation             ATTRIBUTE OPTIONAL,
       &Type                   OPTIONAL,
       -- either &Type or &derivation required
       &equality-match         MATCHING-RULE OPTIONAL,
       &ordering-match         MATCHING-RULE OPTIONAL,
       &substrings-match       MATCHING-RULE OPTIONAL,
       &single-valued          BOOLEAN DEFAULT FALSE,
       &collective             BOOLEAN DEFAULT FALSE,
       -- operational extensions
       &no-user-modification   BOOLEAN DEFAULT FALSE,
       &usage                  AttributeUsage DEFAULT userApplications,
       &id                     OBJECT IDENTIFIER UNIQUE }
     WITH SYNTAX {
       [ SUBTYPE OF               &derivation ]
       [ WITH SYNTAX              &Type ]
       [ EQUALITY MATCHING RULE   &equality-match ]
       [ ORDERING MATCHING RULE   &ordering-match ]
       [ SUBSTRINGS MATCHING RULE &substrings-match ]
       [ SINGLE VALUE             &single-valued ]
       [ COLLECTIVE               &collective ]
       [ NO USER MODIFICATION     &no-user-modification ]
       [ USAGE                    &usage ]
       ID                         &id }

     MATCHING-RULE ::= CLASS {
       &AssertionType             OPTIONAL,
       &id                        OBJECT IDENTIFIER UNIQUE }
     WITH SYNTAX {
       [ SYNTAX                   &AssertionType ]
       ID                         &id }

     AttributeType ::= ATTRIBUTE.&id

     AttributeValue ::= ATTRIBUTE.&Type






     AttributeUsage ::= ENUMERATED {
       userApplications          (0),
       directoryOperation        (1),
       distributedOperation      (2),
       dSAOperation              (3) }

   END

Authors' Addresses

   Sean Turner

   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com

   Russ Housley

   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com





















