<?xml version="1.0" encoding="US-ASCII"?>

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc3279 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3279.xml">
<!ENTITY rfc4055 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4055.xml">
<!ENTITY rfc5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml">
<!ENTITY rfc5480 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5480.xml">
<!ENTITY rfc5639 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5639.xml">
<!ENTITY rfc5758 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5758.xml">
<!ENTITY eddsa SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.irtf-cfrg-eddsa.xml">
]>

<?rfc strict="yes" ?>
<?rfc compact="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>

<rfc category="info"
     ipr="trust200902"
     docName="draft-josefsson-pkix-eddsa-04">
     
  <front>
    
    <title abbrev="PKIX OIDs for EdDSA/Ed25519/Ed448">
      Using EdDSA with Ed25519/Ed448 in the Internet X.509 Public Key
      Infrastructure
    </title>
    
    <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
      <organization>SJD AB</organization>
      <address>
        <email>simon@josefsson.org</email>
      </address>
    </author>

    <author fullname="Nikos Mavrogiannopoulos" initials="N."
	    surname="Mavrogiannopoulos">
      <organization>Red Hat, Inc.</organization>
      <address>
        <email>nmav@redhat.com</email>
      </address>
    </author>

    <date month="October" year="2015" />

    <keyword>Elliptic Curve Cryptography, EdDSA, Ed25519, Curve25519,
    Ed448, Curve448, X.509, PKIX, PKI, OID, ASN.1</keyword>

    <abstract>

      <t>This document specifies algorithm identifiers and ASN.1
      encoding formats for EdDSA digital signatures and subject public
      keys used in the Internet X.509 Public Key Infrastructure (PKIX)
      for Certificates and CRLs.  Parameters for Ed25519, Ed25519ph,
      Ed448, and Ed448ph are defined.</t>

    </abstract>

  </front>

  <middle>

    <section title="Introduction">

      <t><xref target="I-D.irtf-cfrg-eddsa"/> describes the elliptic
      curve signature system EdDSA and selects the curves Ed25519 and
      Ed448 as the recommended choices.  For each curve, two modes are
      defined: the PureEdDSA mode without pre-hashing (Ed25519 and
      Ed448), and the HashEdDSA mode with pre-hashing (Ed25519ph and
      Ed448ph).</t>

      <t>This RFC defines ASN.1 object identifiers for EdDSA for use
      in the <xref target="RFC5280">Internet X.509 PKI</xref>, and
      parameters for Ed25519, Ed25519ph, Ed448 and Ed448ph.  This
      document serves a similar role as <xref target="RFC3279"/> does
      for RSA (and more), <xref target="RFC4055"/> for RSA-OAEP/PSS,
      and <xref target="RFC5758"/> for SHA2-based (EC)DSA.</t>

    </section>

    <section title="Requirements Terminology">

      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
      "OPTIONAL" in this document are to be interpreted as described
      in <xref target="RFC2119" />.</t>

    </section>
   
    <section title="Subject Public Key Information Fields">

      <t>In the X.509 certificate, the subjectPublicKeyInfo field has
      the SubjectPublicKeyInfo type, which has the following ASN.1
      syntax:</t>

      <figure>
	<artwork><![CDATA[
     SubjectPublicKeyInfo  ::=  SEQUENCE  {
       algorithm         AlgorithmIdentifier,
       subjectPublicKey  BIT STRING
     }
     ]]></artwork>
      </figure>

      <t>The fields in SubjectPublicKeyInfo have the following meanings:</t>

      <t><list style="symbols">
	<t>algorithm is the algorithm identifier and parameters for
	the public key (see below).</t>

	<t>subjectPublicKey is the EdDSA public key.</t>
      </list></t>

      <t>The AlgorithmIdentifier type, which is included for
      convenience, is defined as follows:</t>

      <figure>
	<artwork><![CDATA[
      AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL
      }
      ]]></artwork>
      </figure>

      <t>The fields in AlgorithmIdentifier have the following
      meanings:</t>

      <t><list style="symbols">
	<t>algorithm identifies the cryptographic algorithm with an
	object identifier.  This is the EdDSA OID defined below.</t>

	<t>parameters, which are optional, are the associated
	parameters for the algorithm identifier in the algorithm
	field.</t>
      </list></t>

    </section>

    <section title="EdDSA Public Keys">

      <t>Certificates conforming to <xref target="RFC5280"/> may
      convey a public key for any public key algorithm.  The
      certificate indicates the algorithm through an algorithm
      identifier.  This algorithm identifier is an OID and optionally
      associated parameters.</t>

      <t>This section identifies the OID and parameters for the EdDSA
      algorithm.  Conforming CAs MUST use the identified OIDs when
      issuing certificates containing EdDSA public keys.  Conforming
      applications supporting EdDSA MUST, at a minimum, recognize the
      OID identified in this section.</t>

      <t>The id-EdDSAPublicKey OID is used for identifying EdDSA
      public keys.</t>

      <figure>
	<artwork><![CDATA[
       id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 }
       ]]></artwork>
      </figure>

      <t>The id-EdDSAPublicKey OID is intended to be used in the
      algorithm field of a value of type AlgorithmIdentifier.</t>

      <t>EdDSA public keys use the parameters field to specify the
      particular instantiation of EdDSA parameters.  The parameters
      field has the ASN.1 type EdDSAParameters, defined as follows.</t>

      <figure>
	<artwork><![CDATA[
	EdDSAParameters ::= ENUMERATED { ed25519   (1),
	                                 ed25519ph (2),
	                                 ed448     (3),
	                                 ed448ph   (4) }
	]]></artwork>
      </figure>

      <t>The EdDSAParameters enumeration may be extended in the
      future.</t>

      <t>The "ed25519" and "ed448" values correspond to the PureEdDSA
      variants, and the "ed25519ph" and "ed448ph" values correspond to
      the HashEdDSA variants, as discussed in <xref
      target="I-D.irtf-cfrg-eddsa"/>.</t>

      <t>The raw binary EdDSA public key is encoded directly in the
      subjectPublicKey BIT STRING object.  Note that unlike some other
      schemes, there is no additional OCTET STRING encoding step.</t>

    </section>
    
    <section title="Key Usage Bits">
      
      <t>The intended application for the key MAY be indicated in the
      keyUsage certificate extension.</t>

      <t>If the keyUsage extension is present in an end-entity
      certificate that conveys an EdDSA public key with the
      id-EdDSAPublicKey object identifier, then the keyUsage extension
      MUST contain one or both of the following values:</t>

      <figure>
	<artwork><![CDATA[
       nonRepudiation; and
       digitalSignature.
       ]]></artwork>
      </figure>

      <t>If the keyUsage extension is present in a certification
      authority certificate that conveys an EdDSA public key with the
      id-EdDSAPublicKey object identifier, then the keyUsage extension
      MUST contain one or more of the following values:</t>

      <figure>
	<artwork><![CDATA[
       nonRepudiation;
       digitalSignature;
       keyCertSign; and
       cRLSign.
       ]]></artwork>
      </figure>

    </section>

    <section title="EdDSA Signatures">

      <t>Certificates and CRLs conforming to <xref target="RFC5280"/>
      may be signed with any public key signature algorithm.  The
      certificate or CRL indicates the algorithm through an algorithm
      identifier which appears in the signatureAlgorithm field within
      the Certificate or CertificateList.  This algorithm identifier
      is an OID and has optionally associated parameters.  For
      illustration the Certificate structure is reproduced here:</t>

      <figure>
	<artwork><![CDATA[
   Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }
	]]></artwork>
      </figure>

      <t>Recall the definition of the AlgorithmIdentifier type:</t>

      <figure>
	<artwork><![CDATA[
      AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL
      }
      ]]></artwork>
      </figure>

      <t>This document identifies an AlgorithmIdentifier OID for EdDSA
      signatures.  No parameters are defined.  The EdDSA parameters
      follow from the public-key parameters.</t>

      <t>The data to be signed is prepared for EdDSA.  Then, a private
      key operation is performed to generate the signature value.
      This value is the opaque value ENC(R) || ENC(S) described in
      section 3.3 of <xref target="I-D.irtf-cfrg-eddsa"/>.  This
      signature value is then ASN.1 encoded as a BIT STRING and
      included in the Certificate or CertificateList in the
      signatureValue field.</t>

      <t>The id-EdDSASignature OID is used for identifying EdDSA
      signatures.</t>

      <figure>
	<artwork><![CDATA[
       id-EdDSASignature OBJECT IDENTIFIER ::= { 1 3 101 101 }
       ]]></artwork>
      </figure>

      <t>The id-EdDSASignature OID is intended to be used in the
      algorithm field of a value of type AlgorithmIdentifier.  The
      parameters field MUST be absent.  To further clarify how to
      encode the parameters field, due to historical misunderstandings
      in this area, it MUST NOT have an ASN.1 type NULL.</t>
      
    </section>

    <section title="Human Readable Algorithm Names">

      <t>For the purpose of consistent cross-implementation naming,
      this section establishes human readable names for the algorithms
      specified in this document.  Implementations SHOULD use these
      names when referring to the algorithms.  If there is a strong
      reason to deviate from these names -- for example, if the
      implementation has a different naming convention and wants to
      maintain internal consistency -- it is encouraged to deviate as
      little as possible from the names given here.</t>

      <t>Use the string "EdDSA" when referring to a public key or
      signature when the parameter set is not known or relevant.</t>

      <t>When the EdDSAParameters value is known, use a more specific
      string.  For the ed25519(1) value use the string "Ed25519".  For
      the ed25519ph(2) value use the string "Ed25519ph".  For ed448(3)
      use "Ed448".  For ed448ph(4) use "Ed448ph".</t>
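      <t>As an added example (not code from this draft or from any
      implementation it cites), the following Python reads a
      SubjectPublicKeyInfo encoded as the preceding sections specify,
      maps the EdDSAParameters value to the name given above, takes the
      raw key straight from the BIT STRING, and separately checks that a
      signature AlgorithmIdentifier carries id-EdDSASignature with the
      parameters field absent, rejecting the NULL encoding.  It is fed
      the Ed25519ph public key from the Examples section; the raw key
      lengths (32 octets for Ed25519, 57 for Ed448) are assumed from the
      EdDSA specification rather than stated in this document.</t>

      <figure>
	<artwork><![CDATA[
```python
import base64
# Added example, not part of the draft: DER content octets of the OIDs defined
# above, and each EdDSAParameters value with its name and raw key length.
ID_EDDSA_PUBLIC_KEY = b"\x2b\x65\x64"   # { 1 3 101 100 }
ID_EDDSA_SIGNATURE = b"\x2b\x65\x65"    # { 1 3 101 101 }
PARAMS = {1: ("Ed25519", 32), 2: ("Ed25519ph", 32),   # 32 octets for Ed25519,
          3: ("Ed448", 57), 4: ("Ed448ph", 57)}       # 57 octets for Ed448

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in these structures")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_eddsa_spki(der):
    """Parse a SubjectPublicKeyInfo; return (human readable name, raw key)."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SubjectPublicKeyInfo is not one SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, p = _tlv(algid, 0)
    if tag != 0x06 or oid != ID_EDDSA_PUBLIC_KEY:
        raise ValueError("algorithm is not id-EdDSAPublicKey")
    tag, param, p = _tlv(algid, p)      # parameters: EdDSAParameters ENUMERATED
    if tag != 0x0A or len(param) != 1 or p != len(algid) or param[0] not in PARAMS:
        raise ValueError("parameters is not a known EdDSAParameters value")
    name, keylen = PARAMS[param[0]]
    tag, bits, pos = _tlv(spki, pos)    # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0 or pos != len(spki):
        raise ValueError("subjectPublicKey is not a BIT STRING with 0 unused bits")
    # Raw key follows the unused-bits octet; an OCTET STRING wrapper fails this.
    if len(bits) - 1 != keylen:
        raise ValueError("raw %s key must be %d octets" % (name, keylen))
    return name, bits[1:]

def signature_algid_ok(der):
    """True only for id-EdDSASignature with the parameters field absent."""
    tag, algid, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return False
    tag, oid, p = _tlv(algid, 0)
    # A trailing NULL (05 00), or any other parameters, leaves p short of len(algid).
    return tag == 0x06 and oid == ID_EDDSA_SIGNATURE and p == len(algid)

# The Ed25519ph public key from the Examples section of this draft.
EXAMPLE_SPKI_B64 = "MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE="
EXAMPLE_NAME, EXAMPLE_KEY = parse_eddsa_spki(base64.b64decode(EXAMPLE_SPKI_B64))
```
]]></artwork>
      </figure>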
      
    </section>

    <section title="Examples">

      <t>This section contains example EdDSA public keys, certificates
      and private keys, illustrating the parameter choices.</t>

      <section title="Example Ed25519ph Public Key">

	<t>An example of an Ed25519ph public key:</t>

	<figure>
	  <artwork><![CDATA[
      Public Key Information:
          Public Key Algorithm: EdDSA
          Algorithm Security Level: High
          Parameters: Ed25519ph

      Public Key Usage:
      
      Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
      
      -----BEGIN PUBLIC KEY-----
      MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
      -----END PUBLIC KEY-----
]]></artwork>
	</figure>
      
      </section>

      <section title="Example Ed25519ph Certificate">

	<t>An example of a PKIX certificate using Ed25519ph would
	be:</t>
	
	<figure>
	  <artwork><![CDATA[
      X.509 Certificate Information:
          Version: 3
          Serial Number (hex): 5601474a2a8dc326
          Issuer: CN=Test Ed25519ph certificate
          Validity:
              Not Before: Tue Sep 22 12:19:24 UTC 2015
              Not After: Fri Dec 31 23:59:59 UTC 9999
          Subject: CN=Test Ed25519ph certificate
          Subject Public Key Algorithm: Ed25519ph
          Algorithm Security Level: High
          Extensions:
              Basic Constraints (critical):
                  Certificate Authority (CA): FALSE
              Key Usage (critical):
                  Digital signature.
              Subject Key Identifier (not critical):
                  9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
          Signature Algorithm: Ed25519ph
          Signature:
              be:9d:f8:b4:19:07:99:c9:04:12:21:e7:85:33:55:76
              b0:5f:29:70:77:bd:69:7a:a6:db:33:fe:c4:f5:3d:79
              d2:ba:77:6d:68:9b:a3:e9:53:bc:a6:56:54:3f:fa:f4
              1c:37:89:4e:c7:43:c0:3b:77:68:5d:98:f6:19:9d:05
      Other Information:
          SHA1 fingerprint:
              a3b75d83a56e127d0728ed8563233cadf943757e
          SHA256 fingerprint:
              cab1d7df29bdf82270d2192997c81f1b333dc37e670d7e88068fbe9dd747da3a
          Public Key ID:
              9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
          Public key's random art:
              +---[Ed25519ph]---+
              |              .  |
              |             o ..|
              |              o.=|
              |          . .  +=|
              |        S  o .+oo|
              |         o  o.++o|
              |        o ...*.o.|
              |         o Eo.oo |
              |          ooo ..o|
              +-----------------+
      
      -----BEGIN CERTIFICATE-----
      MIIBUTCCAQKgAwIBAgIIVgFHSiqNwyYwBgYEK2VkATAqMSgwJgYDVQQDEx9UZXN0
      IEVkMjU1MTktU0hBNTEyIGNlcnRpZmljYXRlMCAXDTE1MDkyMjEyMTkyNFoYDzk5
      OTkxMjMxMjM1OTU5WjAqMSgwJgYDVQQDEx9UZXN0IEVkMjU1MTktU0hBNTEyIGNl
      cnRpZmljYXRlMC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbL
      DFw4rXAxZuGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADAdBgNV
      HQ4EFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBgYEK2VkAQNBAL6d+LQZB5nJBBIh
      54UzVXawXylwd71peqbbM/7E9T150rp3bWibo+lTvKZWVD/69Bw3iU7HQ8A7d2hd
      mPYZnQU=
      -----END CERTIFICATE-----
]]></artwork>
	</figure>

      </section>
      
      <section title="Example Ed25519ph Private Key">

	<t>An example of an Ed25519ph private key:</t>

	<figure>
	  <artwork><![CDATA[
      Public Key Info:
          Public Key Algorithm: EdDSA
          Key Security Level: High
      
      parameters:    Ed25519ph
      private key:
          d4:ee:72:db:f9:13:58:4a:d5:b6:d8:f1:f7:69:f8:ad
          3a:fe:7c:28:cb:f1:d4:fb:e0:97:a8:8f:44:75:58:42
      
      x:
          19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b:96
          c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31:66:e1
      
      
      Public Key ID: 9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B
      Public key's random art:
      +---[Ed25519ph]---+
      |              .  |
      |             o ..|
      |              o.=|
      |          . .  +=|
      |        S  o .+oo|
      |         o  o.++o|
      |        o ...*.o.|
      |         o Eo.oo |
      |          ooo ..o|
      +-----------------+
      
      -----BEGIN EDDSA PRIVATE KEY-----
      MCUKAQEEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
      -----END EdDSA PRIVATE KEY-----
]]></artwork>
	</figure>

      </section>

    </section>

    <section anchor="ack"
             title="Acknowledgements">

      <t>Text and/or inspiration were drawn from <xref
      target="RFC5280"/>, <xref target="RFC3279"/>, <xref
      target="RFC4055"/>, <xref target="RFC5480"/>, and <xref
      target="RFC5639"/>.</t>

      <t>The following people discussed the document and provided
      feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick
      Andrews, Rob Stradling, James Manger.</t>

      <t>A big thank you to Symantec for kindly donating the OIDs used
      in this draft.</t>
      
    </section>

    <section title="IANA Considerations">

      <t>None.</t>

    </section>

    <section anchor="Security" title="Security Considerations">

      <t>The security considerations of <xref target='RFC5280' /> and
      <xref target="I-D.irtf-cfrg-eddsa"/> apply accordingly.</t>

      <t>A common misconception may be that an Ed25519 public key can
      be used to create Ed25519ph signatures, or vice versa.  Such use
      leads to cross-key attacks and is not permitted.</t>

    </section>

  </middle>

  <back>

    <references title="Normative References">

      &eddsa;
      &rfc2119;
      &rfc5280;

    </references>

    <references title="Informative References">

      &rfc3279;
      &rfc4055;
      &rfc5480;
      &rfc5639;
      &rfc5758;

    </references>
   
  </back>
</rfc>