<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc3279 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3279.xml">
<!ENTITY rfc4055 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4055.xml">
<!ENTITY rfc5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY rfc5480 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5480.xml">
<!ENTITY rfc5639 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5639.xml">
<!ENTITY rfc5758 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5758.xml">
<!ENTITY eddsaed25519 SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.josefsson-eddsa-ed25519.xml">
]>
<?rfc symrefs="yes"?>
<rfc category="info"
ipr="trust200902"
docName="draft-josefsson-pkix-eddsa-00" >
<front>
<title abbrev="PKIX OIDs for EdDSA/Ed25519">
Using EdDSA/Ed25519 in the Internet X.509 Public Key
Infrastructure
</title>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson">
<organization>SJD AB</organization>
<address>
<email>simon@josefsson.org</email>
</address>
</author>
<date month="June" year="2015" />
<keyword>Elliptic Curve Cryptography, EdDSA, Ed25519, Curve25519,
X.509, PKIX, PKI, OID, ASN.1</keyword>
<abstract>
<t>This document specifies algorithm identifiers and ASN.1
encoding formats for EdDSA/Ed25519 digital signatures and
subject public keys used in the Internet X.509 Public Key
Infrastructure (PKIX) for Certificates and CRLs.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>In <xref target="Ed25519" />, the elliptic curve signature
system EdDSA was introduced, together with a recommended choice
of curve, Ed25519. Ed25519 was designed with performance and
security in mind. EdDSA and Ed25519 are also described in <xref
target="I-D.josefsson-eddsa-ed25519"/>.</t>
<t>This document defines ASN.1 object identifiers for EdDSA and
Ed25519 for use in the <xref target="RFC5280">Internet X.509
PKI</xref>. It serves a role similar to the one <xref
target="RFC3279"/> plays for RSA (and more), <xref
target="RFC4055"/> for RSA-OAEP/PSS, and <xref
target="RFC5758"/> for SHA2-based (EC)DSA.</t>
</section>
<section title="Requirements Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
in <xref target="RFC2119" />.</t>
</section>
<section title="EdDSA ASN.1 Object Identifier Tree">
<t>The root of the tree for the object identifiers defined in
this specification is given by:</t>
<figure>
<artwork><![CDATA[
id-EdDSA OBJECT IDENTIFIER ::= { 1.3.6.1.4.1.11591.4.12 }
]]></artwork>
</figure>
</section>
<section title="Subject Public Key Information Fields">
<t>In the X.509 certificate, the subjectPublicKeyInfo field has
the SubjectPublicKeyInfo type, which has the following ASN.1
syntax:</t>
<figure>
<artwork><![CDATA[
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
]]></artwork>
</figure>
<t>The fields in SubjectPublicKeyInfo have the following meanings:</t>
<t><list style="symbols">
<t>algorithm is the algorithm identifier and parameters for
the public key (see below).</t>
<t>subjectPublicKey is the EdDSA public key.</t>
</list></t>
<t>The AlgorithmIdentifier type, which is included for
convenience, is defined as follows:</t>
<figure>
<artwork><![CDATA[
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
]]></artwork>
</figure>
<t>The fields in AlgorithmIdentifier have the following
meanings:</t>
<t><list style="symbols">
<t>algorithm identifies the cryptographic algorithm with an
object identifier. This is the EdDSA OID defined below.</t>
<t>parameters, which are optional, are the associated
parameters for the algorithm identifier in the algorithm
field.</t>
</list></t>
</section>
<section title="EdDSA Public Keys">
<t>Certificates conforming to <xref target="RFC5280"/> may
convey a public key for any public key algorithm. The
certificate indicates the algorithm through an algorithm
identifier. This algorithm identifier is an OID and optionally
associated parameters.</t>
<t>This section identifies the OID and parameters for the EdDSA
algorithm. Conforming CAs MUST use the identified OIDs when
issuing certificates containing EdDSA public keys. Conforming
applications supporting EdDSA MUST, at a minimum, recognize the
OID identified in this section.</t>
<t>The id-EdDSAPublicKey OID is used for identifying EdDSA
public keys.</t>
<figure>
<artwork><![CDATA[
id-EdDSAPublicKey OBJECT IDENTIFIER ::= { id-EdDSA 1 }
]]></artwork>
</figure>
<t>The id-EdDSAPublicKey OID is intended to be used in the
algorithm field of a value of type AlgorithmIdentifier. The
parameters field MUST have ASN.1 type NULL for this algorithm
identifier.</t>
<t>[[TODO: We need to clarify the curve choice. I see two
options: 1) Let the OID defined here mean Ed25519 directly. 2)
Let the OID defined here mean EdDSA, and specify a parameters
structure (maybe reusing RFC 3279's EcpkParameters) and another
NamedCurve OID to refer to Ed25519. The second is only useful
if EdDSA will ever be used with other curves.]]</t>
<t>The EdDSA public key MUST be encoded using the ASN.1 type
EdDSAPublicKey:</t>
<figure>
<artwork><![CDATA[
EdDSAPublicKey ::= OCTET STRING -- LE edwards point
]]></artwork>
</figure>
<t>where the value is the little-endian encoding of the Edwards
point. The DER-encoded EdDSAPublicKey is the value of the
subjectPublicKey BIT STRING.</t>
</section>
<section title="Key Usage Bits">
<t>The intended application for the key MAY be indicated in the
keyUsage certificate extension.</t>
<t>If the keyUsage extension is present in an end-entity
certificate that conveys an EdDSA public key with the
id-EdDSAPublicKey object identifier, then the keyUsage extension
MUST contain one or both of the following values:</t>
<figure>
<artwork><![CDATA[
nonRepudiation; and
digitalSignature.
]]></artwork>
</figure>
<t>If the keyUsage extension is present in a certification
authority certificate that conveys an EdDSA public key with the
id-EdDSAPublicKey object identifier, then the keyUsage extension
MUST contain one or more of the following values:</t>
<figure>
<artwork><![CDATA[
nonRepudiation;
digitalSignature;
keyCertSign; and
cRLSign.
]]></artwork>
</figure>
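<t>As an added example (not code from this draft), the following Python
decodes a DER KeyUsage BIT STRING and applies the rule stated above for a
certificate whose key is identified by id-EdDSAPublicKey: when the extension
is present, at least one of the listed bits must be set, with the longer
list applying to CA certificates. The bit positions are those of RFC 5280,
and the encoded values used in the check are constructed for illustration;
all function names are the example's own.</t>
<figure>
<artwork>
```python
"""Added example, not the draft's own code: decode a DER KeyUsage BIT STRING
and apply this draft's keyUsage rule for id-EdDSAPublicKey certificates.
Bit positions follow RFC 5280; sample encodings are constructed."""

# KeyUsage named bits in bit-position order (RFC 5280, section 4.2.1.3)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

# Bits of which this draft requires at least one, for end-entity and CA certs
EE_REQUIRED_ANY = {"digitalSignature", "nonRepudiation"}
CA_REQUIRED_ANY = EE_REQUIRED_ANY | {"keyCertSign", "cRLSign"}

def bit_is_set(octets, i):
    """Bit i of a BIT STRING, counting from the most significant bit of octet 0."""
    return (octets[i // 8] >> (7 - i % 8)) % 2 == 1

def decode_key_usage(der):
    """Return the set of named bits that are set in a short-form DER BIT STRING."""
    if len(der) >= 3 and der[0] == 0x03 and der[1] == len(der) - 2:
        unused, octets = der[2], der[3:]
    else:
        raise ValueError("not a short-form DER BIT STRING")
    if unused > 7 or (unused and not octets):
        raise ValueError("invalid unused-bits octet")
    total_bits = len(octets) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bit_is_set(octets, i):
            names.add(KEY_USAGE_BITS[i])
    return names

def encode_key_usage(names):
    """DER-encode named bits: trailing zero bits are dropped, so the unused-bits
    count is whatever pads the highest set bit out to an octet boundary."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    if not positions:
        return b"\x03\x01\x00"          # empty bit string
    highest = max(positions)
    octets = bytearray(highest // 8 + 1)
    for p in positions:
        octets[p // 8] |= 0x80 >> (p % 8)
    unused = len(octets) * 8 - (highest + 1)
    return bytes([0x03, len(octets) + 1, unused]) + bytes(octets)

def eddsa_key_usage_ok(key_usage_der, is_ca):
    """This draft's rule: when keyUsage is present on a certificate carrying an
    id-EdDSAPublicKey key, at least one of the listed bits MUST be set.  The
    draft does not say other bits must be absent, so that is not checked."""
    names = decode_key_usage(key_usage_der)
    required_any = CA_REQUIRED_ANY if is_ca else EE_REQUIRED_ANY
    return len(names.intersection(required_any)) > 0
```
</artwork>
</figure>
<t>The check is deliberately limited to what the text requires; a profile
that additionally forbids, say, keyAgreement on an EdDSA key would need a
separate test, since the draft only mandates the presence of one of the
listed bits.</t>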
</section>
<section title="EdDSA Signatures">
<t>Certificates and CRLs conforming to <xref target="RFC5280"/>
may be signed with any public key signature algorithm. The
certificate or CRL indicates the algorithm through an algorithm
identifier, which appears in the signatureAlgorithm field within
the Certificate or CertificateList. This algorithm identifier
is an OID, optionally with associated parameters. For
illustration, the Certificate structure is reproduced here:</t>
<figure>
<artwork><![CDATA[
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
]]></artwork>
</figure>
<t>Also recall the definition of the AlgorithmIdentifier
type:</t>
<figure>
<artwork><![CDATA[
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
]]></artwork>
</figure>
<t>This document identifies an AlgorithmIdentifier OID for EdDSA
signatures. No algorithm-specific parameters are defined.</t>
<t>The data to be signed is prepared for EdDSA. Then, a private
key operation is performed to generate the signature value.
This signature value is then ASN.1 encoded as a BIT STRING and
included in the Certificate or CertificateList in the signature
field.</t>
<t>The id-EdDSASignature OID is used for identifying EdDSA
signatures.</t>
<figure>
<artwork><![CDATA[
id-EdDSASignature OBJECT IDENTIFIER ::= { id-EdDSA 2 }
]]></artwork>
</figure>
<t>The id-EdDSASignature OID is intended to be used in the
algorithm field of a value of type AlgorithmIdentifier. The
parameters field MUST have ASN.1 type NULL for this algorithm
identifier.</t>
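<t>As an added example (not code from this draft), the following Python
encodes and checks the two structures this draft defines: the
SubjectPublicKeyInfo of the EdDSA Public Keys section (id-EdDSAPublicKey,
NULL parameters, and an EdDSAPublicKey OCTET STRING inside the
subjectPublicKey BIT STRING) and the signatureAlgorithm and signatureValue
fields of this section (id-EdDSASignature with NULL parameters, the raw
signature in a BIT STRING). It uses only the Python standard library; the
function names are the example's own, and the key and signature bytes used
to exercise it are constructed placeholders, not real Ed25519 values.</t>
<figure>
<artwork>
```python
"""Added example, not the draft's own code: DER encoding and checking of the
SubjectPublicKeyInfo (id-EdDSAPublicKey) and signatureAlgorithm
(id-EdDSASignature) structures this draft defines.  Standard library only."""

ID_EDDSA = "1.3.6.1.4.1.11591.4.12"    # root OID defined in this draft
ID_EDDSA_PUBLIC_KEY = ID_EDDSA + ".1"   # { id-EdDSA 1 }
ID_EDDSA_SIGNATURE = ID_EDDSA + ".2"    # { id-EdDSA 2 }
DER_NULL = b"\x05\x00"                  # the only parameters value allowed

def der_length(n):
    # DER length octets: short form below 128, long form (0x8N + N bytes) above
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body
    return bytes([n])

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc % 128]
        arc //= 128
        while arc:
            chunk.append(0x80 | (arc % 128))
            arc //= 128
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def encode_algorithm_identifier(oid):
    """AlgorithmIdentifier with parameters NULL, as both EdDSA OIDs require."""
    return der_tlv(0x30, encode_oid(oid) + DER_NULL)

def encode_bit_string(content):
    return der_tlv(0x03, b"\x00" + content)   # first octet: 0 unused bits

def encode_eddsa_spki(public_key):
    """SubjectPublicKeyInfo whose BIT STRING holds the DER of
    EdDSAPublicKey ::= OCTET STRING (the little-endian Edwards point)."""
    eddsa_public_key = der_tlv(0x04, public_key)
    return der_tlv(0x30, encode_algorithm_identifier(ID_EDDSA_PUBLIC_KEY)
                   + encode_bit_string(eddsa_public_key))

def encode_eddsa_signature_fields(signature):
    """signatureAlgorithm and signatureValue as placed in a Certificate or
    CertificateList; the raw EdDSA signature goes straight into the BIT STRING."""
    return encode_algorithm_identifier(ID_EDDSA_SIGNATURE), encode_bit_string(signature)

def read_tlv(data, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length >= 0x80:
        n = length - 0x80
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = val * 128 + (b % 128)
        if b // 128 == 0:          # high bit clear: this arc is complete
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def decode_algorithm_identifier(seq_content):
    """Return (dotted OID, raw DER of the parameters field, b'' if absent)."""
    tag, oid_body, pos = read_tlv(seq_content, 0)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OBJECT IDENTIFIER")
    return decode_oid(oid_body), seq_content[pos:]

def decode_eddsa_spki(der):
    """Parse a SubjectPublicKeyInfo per this draft and return the raw key bytes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SubjectPublicKeyInfo is not a single SEQUENCE")
    tag, alg, pos = read_tlv(body, 0)
    oid, params = decode_algorithm_identifier(alg)
    if tag != 0x30 or oid != ID_EDDSA_PUBLIC_KEY:
        raise ValueError("algorithm is not id-EdDSAPublicKey")
    if params != DER_NULL:
        raise ValueError("parameters MUST be NULL for id-EdDSAPublicKey")
    tag, bits, end = read_tlv(body, pos)
    if tag != 0x03 or end != len(body) or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a BIT STRING with 0 unused bits")
    tag, key, end = read_tlv(bits, 1)
    if tag != 0x04 or end != len(bits):
        raise ValueError("BIT STRING must hold exactly one OCTET STRING")
    return key

def is_valid_eddsa_spki(der):
    """True only if decode_eddsa_spki accepts the encoding."""
    try:
        decode_eddsa_spki(der)
        return True
    except (ValueError, IndexError):
        return False
```
</artwork>
</figure>
<t>The decoder rejects an absent parameters field and any BIT STRING that
does not wrap exactly one OCTET STRING, since both are what this draft
mandates. Note that this -00 encoding (an OID under id-EdDSA, NULL
parameters, an OCTET STRING inside the BIT STRING) is not the form that
was later standardized for Ed25519 in RFC 8410, which uses id-Ed25519
(1.3.101.112), absent parameters and the raw key bytes directly in the
BIT STRING; a decoder for deployed certificates must expect that form.</t>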
</section>
<section anchor="ack"
title="Acknowledgements">
<t>Text and/or inspiration were drawn from <xref
target="RFC5280"/>, <xref target="RFC3279"/>, <xref
target="RFC4055"/>, <xref target="RFC5480"/>, and <xref
target="RFC5639"/>.</t>
<t>Thanks to Ilari Liusvaara for ideas and discussion.</t>
</section>
<section title="IANA Considerations">
<t>None.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The security considerations of <xref target="RFC5280" /> and
<xref target="I-D.josefsson-eddsa-ed25519"/> apply
accordingly.</t>
</section>
</middle>
<back>
<references title="Normative References">
&eddsaed25519;
&rfc2119;
&rfc5280;
</references>
<references title="Informative References">
&rfc3279;
&rfc4055;
&rfc5480;
&rfc5639;
&rfc5758;
<reference anchor="Ed25519">
<front>
<title>
Ed25519: High-speed high-security signatures
</title>
<author surname="Bernstein" initials="J." fullname="Daniel J. Bernstein">
<organization>
</organization>
</author>
<author surname="Duif" initials="" fullname="Niels Duif">
<organization>
</organization>
</author>
<author surname="Lange" initials="" fullname="Tanja Lange">
<organization>
</organization>
</author>
<author surname="Schwabe" initials="" fullname="Peter Schwabe">
<organization>
</organization>
</author>
<author surname="Yang" initials="" fullname="Bo-Yin Yang">
<organization>
</organization>
</author>
<date month="September" year="2011"/>
</front>
<seriesInfo name="WWW"
value="http://ed25519.cr.yp.to/ed25519-20110926.pdf"/>
</reference>
</references>
</back>
</rfc>