MSEC WG                                                      D. Ignjatic
Internet-Draft                                                   Polycom
Expires: January 8, 2006                                      L. Dondeti
                                                                F. Audet
                                                                  P. Lin
                                                            July 7, 2005

      An additional mode of key distribution in MIKEY: MIKEY-RSA-R

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on January 8, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).


   The MIKEY specification describes several modes of key distribution
   to setup secure RTP sessions -- using pre-shared keys, public-keys,
   and optionally a Diffie-Hellman key exchange.  In the public-key
   mode, the Initiator encrypts a random key with the Responder's public

Ignjatic, et al.         Expires January 8, 2006                [Page 1]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   key and sends it to the Responder.  In many communication scenarios,
   the Initiator may not know the Responder's public key or in some
   cases the Responder's ID (e.g., call forwarding) in advance.  We
   propose a new MIKEY mode that works well in such scenarios.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1   Terminology used in this document  . . . . . . . . . . . .  3
   2.  Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .  3
     2.1   Description of the MIKEY modes . . . . . . . . . . . . . .  3
     2.2   Use case motivating the proposed mode  . . . . . . . . . .  4
   3.  A new MIKEY-RSA mode: MIKEY-RSA-R  . . . . . . . . . . . . . .  5
     3.1   Outline  . . . . . . . . . . . . . . . . . . . . . . . . .  5
     3.2   Components of the I_MESSAGE  . . . . . . . . . . . . . . .  5
     3.3   Components of the R_MESSAGE  . . . . . . . . . . . . . . .  6
     3.4   Additions to RFC 3830 message types and other values . . .  8
   4.  Applicability of the RSA-R and RSA modes . . . . . . . . . . .  8
     4.1   Limitations  . . . . . . . . . . . . . . . . . . . . . . .  9
     4.2   Impact of the Responder choosing the TGK . . . . . . . . . 10
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 11
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     8.1   Normative References . . . . . . . . . . . . . . . . . . . 11
     8.2   References . . . . . . . . . . . . . . . . . . . . . . . . 11
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12
       Intellectual Property and Copyright Statements . . . . . . . . 13

Ignjatic, et al.         Expires January 8, 2006                [Page 2]

Internet-Draft                 MIKEY-RSA-R                     July 2005

1.  Introduction

   The MIKEY protocol [RFC3830] has three different methods for key
   transport or exchange: a pre-shared key mode (PSK), a public-key
   (RSA) mode, and an optional Diffie-Hellman exchange (DHE) mode.  In
   addition, there is also an optional DH-HMAC mode [I-D.ietf-msec-
   mikey-dhhmac], bringing the total number of modes to four.  The
   primary motivation in the protocol design is efficiency and thus all
   the exchanges finish in one-half to 1 round-trip; in other words,
   there is no room for security parameter negotiation.  In this
   document, we note that the MIKEY modes are insufficient to address
   some deployment scenarious and common use cases, and propose a new
   mode called MIKEY-RSA in Reverse mode, or simply as MIKEY-RSA-R.

1.1  Terminology used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in BCP 14, RFC 2119

2.  Motivation

   As noted in the introduction, the MIKEY specification and other
   proposals define four different modes of efficient key management for
   real-time applications.  The modes differ from each other in either
   the authentication method of choice (public-key, or symmetric shared
   key-based), or the key establishment method of choice (key download,
   or key agreement using a Diffie-Hellman exchange).  We summarize the
   modes, their advantages, and shortcomings in the following and also
   describe use cases where these modes might be insufficient or

2.1  Description of the MIKEY modes

   In the PSK mode, the Initiator selects a TEK Generation Key (TGK),
   encrypts and authenticates it with the PSK, and sends it to the
   Responder as part of the first message, viz., I_MESSAGE.  The PSK
   mode requires that the Initiator and the Responder have a common
   secret key established offline.  The PSK mode does not scale to use
   cases where any user may want to communicate to any other user in an
   Enterprise or the Internet at large.  The RSA mode might be more
   suitable for such applications.

   In the RSA mode, the Initiator selects a TGK, encrypts and
   authenticates it with an envelope key, and sends it to the Responder
   as part of the first message, viz., I_MESSAGE.  The Initiator
   includes the envelope key, encrypted with the Responder's public key,

Ignjatic, et al.         Expires January 8, 2006                [Page 3]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   in I_MESSAGE.  The I_MESSAGE is replay protected with timestamps, and
   signed with the Initiator's public key.  The Initiator's ID, CERT and
   the Responder's ID that the Initiator intends to talk may be included
   in I_MESSAGE.  If the Initiator knows several public-keys of the
   Responder, it can indicate the key used in a CHASH payload.  The RSA
   mode works as long as the Initiator knows the Responder's ID and CERT
   (or can obtain the CERT independent of the MIKEY protocol).  RFC 3830
   suggests that an Initiator, in the event that it does not have the
   Responder's CERT, may obtain the CERT from a directory agent using
   one or more round trips.  However, in some cases, the Initiator may
   not even know the Responder's ID in advance, and because of that or
   for other reasons cannot obtain the Responder's CERT.

   In addition to the case where the Responder may have several IDs,
   some applications may allow for the Responder's ID to change
   unilaterally, as is typical in telephony (e.g., forwarding).  In
   those cases and in others, the Initiator might be willing to let the
   other party establish identity and prove it via an Initiator-trusted
   third party (e.g., a Certification Authority or CA).

   The DH mode or the DH-HMAC mode of MIKEY might be useful in cases
   where the Initiator does not have access to the Responder's exact
   identity and/or CERT.  In these modes, the two parties engage in an
   authenticated DH exchange to derive the TGK.  However, the DH modes
   have higher computational and communication overhead compared to the
   RSA and the PSK modes.  More importantly, these modes are unsuitable
   for group key distribution.

   In summary, in some communication scenarios -- where the Initiator
   might not have the correct ID and/or the CERT of the Responder --
   none of the MIKEY modes described in [RFC3830] and [I-D.ietf-msec-
   mikey-dhhmac] are suitable/efficient for SRTP [RFC3711] key

2.2  Use case motivating the proposed mode

   In addition to the issues listed above, there are some types of
   applications that motivate the new MIKEY mode design proposed in this

   Note that in the MIKEY-RSA mode (as in case of the PSK mode), the
   Initiator proposes the RTP security policy, and chooses the TGK.
   However, it is also possible that the Initiator wants to allow the
   Responder to specify the security policy and send the TGK.  This
   would be the case in some multicast and group conferencing scenarios.
   Consider for example the case of a conferencing scenario where the
   convener sends an invitation to a group of people to attend a
   meeting.  The procedure then might be for the invitees to request the

Ignjatic, et al.         Expires January 8, 2006                [Page 4]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   convener for group key material by sending a MIKEY I_MESSAGE.  Thus,
   in the MIKEY definition of initiators and responders, the Initiator
   is asking the Responder for keying material.  Note that this mode of
   operation is inline with the MSEC group key management architecture

3.  A new MIKEY-RSA mode: MIKEY-RSA-R

3.1  Outline

   The proposed solution requires 1 full round trip.  The Initiator
   sends a signed I_MESSAGE to the intended Responder requesting the
   Responder to send the SRTP keying material.  The I_MESSAGE MAY
   contain the Initiator's CERT (or a link to the CERT?), and similarly
   the Responder's reply, R_MESSAGE MAY contain the Responder's CERT.
   The Responder can use the Initiator's public key from the CERT in the
   I_MESSAGE to send the encrypted TGK in the R_MESSAGE.  Upon receiving
   the R_MESSAGE, the Initiator can use the CERT in the R_MESSAGE to
   verify whether the Responder is in fact the party that it wants to
   communicate to, and accept the TGK.  We refer to this protocol as
   MIKEY-RSA in the reverse mode, or simply as MIKEY-RSA-R.

   The MIKEY-RSA-R mode exchange is defined as follows:

   Initiator                                            Responder
   ---------                                            ---------

   I_MESSAGE = HDR, T, [IDi|CERTi], [IDr], {SP}, SIGNi

   R_MESSAGE = HDR, [GenExt(CSB-ID)], T, RAND, [IDr|CERTr], [SP], KEMAC,

                        Figure 1: MIKEY-RSA-R mode

3.2  Components of the I_MESSAGE

   This method requires a full round trip to download the TGKs.  The
   I_MESSAGE MUST have the MIKEY HDR and the timestamp payload for
   replay protection.  The HDR field contains a CSB_ID randomly selected
   by the Initiator.  The V bit MUST be set to '1' and ignored by the
   Responder, as a response is MANDATORY in this mode.  The Initiator
   MAY indicate the number of CSs supported and fill in the CS map type
   and information.  The I_MESSAGE MUST be signed by the Initiator
   following the procedure to sign MIKEY messages specified in RFC 3830.
   The SIGNi payload contains this signature.  Thus the I_MESSAGE is
   integrity and replay protected.

Ignjatic, et al.         Expires January 8, 2006                [Page 5]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   IDi and CERTi SHOULD be included, but they MAY be left out when it
   can be expected that the peer already knows the other party's ID (or
   can obtain the certificate in some other manner).  For example, this
   could be the case if the ID is extracted from SIP.  For certificate
   handling, authorization, and policies, see Section 4.3. of RFC 3830.
   If CERTi is included, it MUST correspond to the private key used to
   sign the I_MESSAGE.

   If the Responder has multiple Identities, the Initiator MAY also
   include the specific ID, IDr, of the Responder that it wants to
   communicate with.

   The Initiator MAY also send SP payload(s) containing all the security
   policies that it supports.  If the Responder's does not support any
   of the policies included, it should reply with an Error message of
   type "Invalid SPpar" (Error no. 10).

   The SIGNi is a signature covering the Initiator's MIKEY message,
   I_MESSAGE, using the Initiator's signature key (see Section 5.2 of
   RFC 3830 for the exact definition).  I_MESSAGE is signed to protect
   against DoS attacks.

   A RAND payload MUST NOT be present in a MIKEY-RSA-R I_MESSAGE.

3.3  Components of the R_MESSAGE

   Upon receiving an I_MESSAGE of the RSA-R format, the Responder MUST
   respond with one of the following messages:
   o  The Responder MUST send an Error message "Message type not
      supported" (Error no. 13), if it cannot correctly parse the
      received MIKEY message.
   o  The Responder MUST send an Error message "Invalid SPpar" (Error
      no. 10), if it does not support any of the security policies
      included in the SP payload.
   o  The Responder MUST send an R_MESSAGE if SIGNi can be correctly
      verified, the timestamp is current, and if an SP payload is
      present, one of the security policies proposed matches the
      Responder's local policy.

   The HDR payload in the R_MESSAGE is formed following the procedure
   described in RFC 3830.  Specifically, the CSB ID in the HDR payload
   MUST be the same as the one in the HDR of the I_MESSAGE.  The
   Responder MUST fill in the number of CSs and the CS map type and
   information fields of the HDR payload.

   For group communication, all the members MUST use the same CSB ID in
   computing the SRTP keying material.  Therefore, for group key
   establishment, the Responder MUST include a General Extension Payload

Ignjatic, et al.         Expires January 8, 2006                [Page 6]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   containing a new CSB ID in the R_MESSAGE.  If a new CSB ID is present
   in the R_MESSAGE, the Initiator and the Responder MUST use that value
   in key material computation.  This payload MUST not be present in
   case of one-to-one communication.

   The T payload is exactly the same as that received in the I_MESSAGE.

   A RAND payload containing a (pseudo-)random string of 128 or more
   bits MUST be present in the R_MESSAGE.

   IDr and CERTr SHOULD be included, but they MAY be left out when it
   can be expected that the peer already knows the other party's ID (or
   can obtain the certificate in some other manner).  For example, this
   could be the case if the ID is extracted from SIP.  For certificate
   handling, authorization, and policies, see Section 4.3. of RFC 3830.
   If CERTr is included, it MUST correspond to the private key used to
   sign the R_MESSAGE.

   An SP payload MAY be included in the R_MESSAGE.  If an SP payload was
   in the I_MESSAGE, then R_MESSAGE MUST contain an SP payload
   specifying the security policies of the secure RTP session being

   The KEMAC payload contains a set of encrypted sub-payloads and a MAC:
   KEMAC = E(encr_key, IDr || {TGK}) || MAC The first payload (IDr) in
   KEMAC is the identity of the Responder (not a certificate, but
   generally the same ID as the one specified in the certificate).  Each
   of the following payloads (TGK) includes a TGK randomly and
   independently chosen by the Responder (and possible other related
   parameters, e.g., the key lifetime).  The encrypted part is then
   followed by a MAC, which is calculated over the KEMAC payload.  The
   encr_key and the auth_key are derived from the envelope key, env_key,
   as specified in Section 4.1.4. of RFC 3830.  The payload definitions
   are specified in Section 6.2 of RFC 3830.

   The Responder encrypts and integrity protects the TGK with keys
   derived from a randomly/pseudo-randomly chosen envelope key, and
   encrypts the envelope key itself with the public key of the
   Initiator.  The PKE payload contains the encrypted envelope key: PKE
   = E(PKi, env_key).  It is encrypted using the Initiator's public key
   (PKi).  Note that, as suggested in RFC 3830, the envelope key MAY be
   cached and used as the PSK for re-keying.

   To compute the signature that goes in the SIGNr payload, the
   Responder MUST sign R_MESSAGE (excluding the SIGNr payload itself) ||
   IDi || IDr || T. Note that the added identities and timestamp are
   identical to those transported in the ID and T payloads.

Ignjatic, et al.         Expires January 8, 2006                [Page 7]

Internet-Draft                 MIKEY-RSA-R                     July 2005

3.4  Additions to RFC 3830 message types and other values

   Modified Table 6.1a from RFC 3830:

   Data type   | Value |                           Comment
   Pre-shared  |   0   | Initiator's pre-shared key message
   PSK ver msg |   1   | Verification message of a Pre-shared key msg
   Public key  |   2   | Initiator's public-key transport message
   PK ver msg  |   3   | Verification message of a public-key message
   D-H init    |   4   | Initiator's DH exchange message
   D-H resp    |   5   | Responder's DH exchange message
   Error       |   6   | Error message
   RSA-R I_MSG |   7   | Initiator's public-key message in RSA-R mode
   RSA-R R_MSG |   8   | Responder's public-key message in RSA-R mode

               Figure 2: Table 6.1a from RFC 3830 (Revised)

   Modified Table 6.12 from RFC 3830:

         Error no          | Value | Comment
         Auth failure      |     0 | Authentication failure
         Invalid TS        |     1 | Invalid timestamp
         Invalid PRF       |     2 | PRF function not supported
         Invalid MAC       |     3 | MAC algorithm not supported
         Invalid EA        |     4 | Encryption algorithm not supported
         Invalid HA        |     5 | Hash function not supported
         Invalid DH        |     6 | DH group not supported
         Invalid ID        |     7 | ID not supported
         Invalid Cert      |     8 | Certificate not supported
         Invalid SP        |     9 | SP type not supported
         Invalid SPpar     |    10 | SP parameters not supported
         Invalid DT        |    11 | not supported Data type
         Unspecified error |    12 | an unspecified error occurred
         Unsupported       |       |
             message type  |    13 | unparseable MIKEY message

               Figure 3: Table 6.12 from RFC 3830 (Revised)

4.  Applicability of the RSA-R and RSA modes

   MIKEY-RSA-R mode and RSA mode are both very useful: deciding on which
   mode to use depends on the application.

Ignjatic, et al.         Expires January 8, 2006                [Page 8]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   The RSA-R mode is useful when you have reasons to believe that the
   Responder may be different from who you are sending the MIKEY message
   to.  This is quite common in telephony and multimedia applications
   where the session/call can be retargetted/forwarded.  When the
   security policy allows it, it may be appropriate for the Initiator to
   have some flexibility in who the Responder may turn out to be.  In
   such cases, the main objective of the Initiator's RSA-R message is to
   present its public key/certificate to the Responder.

   The second scenario is when the Initiator already has Responder's
   certificate but wants to allow the Responder to come up with all the
   keying material.  This is applicable in conferences where the
   Responder is the key distributor and the Initiators contact the
   Responder to initiate key dowloand.  Notice that this is quite
   similar to the group key download model as specified in GDOI
   [RFC3547], GSAKMP, and GKDP protocols (also see [RFC4046]).  The
   catch however is that the participating entities must know that they
   need to contact a well-known address as far as that conferencing
   group is concerned.  Note that they only need the Responder's
   address, not necessarily its CERT.  If the group members have the
   Responder's CERT, there is no harm; they simply do not need the CERT
   to compose I_MESSAGE.

   The RSA mode is useful when the Initiator knows the Responder's
   identity and CERT.  This mode is also useful when the key exchange is
   happening in an established session with a Responder (for example,
   when switching from a non-secure mode to a secure mode), and when the
   policy is such that it is only appropriate to establish a MIKEY
   session with the Responder that is targeted by the Initiator.

4.1  Limitations

   The RSA-R mode may not easily support 3-way calling, under the
   assumptions that motivated the design.  An extra message may be
   required compared to the MIKEY-RSA mode specified in RFC 3830.
   Consider that A wants to talk to B and C, but does not have B's or
   C's CERT.  A might contact B and request that B supply a key for a
   3-way call.  Now if B knows C's CERT, then B can simply use the
   MIKEY-RSA mode (as defined in RFC 3830) to send the TGK to C. If not,
   then the solution is not straightforward.  For instance, A might ask
   C to contact B or itself to get the TGK, in effect initiating a 3-way
   exchange.  It should be noted that 3-way calling is typically
   implemented using a bridge, in which case there are no issues (it
   looks like 3 point-to-point sessions, where one end of each session
   is a bridge mixing the traffic into a single stream).

Ignjatic, et al.         Expires January 8, 2006                [Page 9]

Internet-Draft                 MIKEY-RSA-R                     July 2005

4.2  Impact of the Responder choosing the TGK

   In the MIKEY-RSA or PSK modes, the Initiator chooses the TGK and the
   Responder has the option to accept the key or not.  The Responder
   then has a chance to verify whether the key is a known weak key (Q:
   Is this an issue with AES-CM or AES-f8 TBD).  Other than that who
   chooses the key has no impact on SRTP (verify this).

   Thus, in case of one-to-one communication, there is no impact on the
   functionality provided by the MIKEY-RSA mode and our modified mode
   being outlined earlier.  Whereas MIKEY-RSA mode allows R_MESSAGE to
   be optional, in the new mode, it is required.  However, as noted
   earlier, the new mode allows simpler provisioning at the VoIP entity.

5.  Security Considerations

   We offer a brief overview of the security properties of the exchange.
   There are two messages, viz., I_MESSAGE and R_MESSAGE.  I_MESSAGE is
   a signed request by an Initiator requesting the Responder to select a
   TGK to be used to protect SRTP and SRTCP sessions.

   The message is signed, which assures the Responder that the claimed
   Initiator has indeed generated the message.  This automatically
   provides message integrity as well.

   There is a timestamp in I_MESSAGE, which when generated and
   interpreted in the context of the MIKEY specification assures the
   Responder that the request is live and not a replay.  Indirectly,
   this also provides protection against a DoS attack.  The Responder
   however would have to verify the Initiator's signature and the
   timestamp, and thus would spend significant computing resources.  It
   is possible to mitigate this by caching recently received and
   verified requests.

   Note that the I_MESSAGE in this method basically equals DoS
   protection properties of the DH method and not the public key method
   as there are no payloads encrypted by the Responder's public key in
   I_MESSAGE.  If IDr is not included in the I_MESSAGE, the Responder
   will accept the message and a response (and state) would be created
   for the malicious request.

   R_MESSAGE is quite similar to the I_MESSAGE in the MIKEY-RSA mode and
   has all the same security properties.

   When using the RSA-R mode, the Responder may turn out to be different
   from who the Initiator sent the MIKEY message to.  It is the
   responsibility of the Initiator to verify that the identity of the
   Responder is acceptable if it changes from the intended Responder,

Ignjatic, et al.         Expires January 8, 2006               [Page 10]

Internet-Draft                 MIKEY-RSA-R                     July 2005

   based on its policy, and to take appropriate action based on the
   outcome.  In some cases, it could be appropriate to accept any
   Responder's identity; in other cases, a blacklist or a whitelist may
   be appropriate.

6.  IANA Considerations


7.  Acknowledgments

8.  References

8.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3830]  Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
              Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
              August 2004.

8.2  References

   [RFC4046]  Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
              "Multicast Security (MSEC) Group Key Management
              Architecture", RFC 4046, April 2005.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

              Euchner, M., "HMAC-authenticated Diffie-Hellman for
              MIKEY", draft-ietf-msec-mikey-dhhmac-11 (work in
              progress), April 2005.

Ignjatic, et al.         Expires January 8, 2006               [Page 11]

Internet-Draft                 MIKEY-RSA-R                     July 2005

Authors' Addresses

   Dragan Ignjatic
   1000 W. 14th Street
   North Vancouver, BC  V7P 3P3

   Phone: +1 604 982 3424

   Lakshminath Dondeti
   5775 Morehouse drive
   San Diego, CA  92121

   Phone: +1 858 845 1267

   Francois Audet
   4655 Great America Parkway
   Santa Clara, CA  95054

   Phone: +1 408 495 3756

   Ping Lin
   250 Sidney St.
   Belleville, Ontario  K8P3Z3


Ignjatic, et al.         Expires January 8, 2006               [Page 12]

Internet-Draft                 MIKEY-RSA-R                     July 2005

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

   The IETF has been notified of intellectual property rights claimed in
   regard to some or all of the specification contained in this
   document.  For more information consult the online list of claimed

Disclaimer of Validity

   This document and the information contained herein are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

Ignjatic, et al.         Expires January 8, 2006               [Page 13]

Internet-Draft                 MIKEY-RSA-R                     July 2005


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Ignjatic, et al.         Expires January 8, 2006               [Page 14]