| rfc9295v3.txt | rfc9295.txt |
|---|---|
| Internet Engineering Task Force (IETF) S. Turner | Internet Engineering Task Force (IETF) S. Turner |
| Request for Comments: 9295 sn3rd | Request for Comments: 9295 sn3rd |
| Updates: 8410 S. Josefsson | Updates: 8410 S. Josefsson |
| Category: Standards Track SJD AB | Category: Standards Track SJD AB |
| ISSN: 2070-1721 D. McCarney | ISSN: 2070-1721 D. McCarney |
| Square Inc. | Square Inc. |
| T. Ito | T. Ito |
| SECOM CO., LTD. | SECOM CO., LTD. |
| August 2022 | September 2022 |
| Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm | Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm |
| Identifiers | Identifiers |
| Abstract | Abstract |
| This document updates RFC 8410 to clarify existing semantics, and | This document updates RFC 8410 to clarify existing semantics, and |
| specify missing semantics, for key usage bits when used in | specify missing semantics, for key usage bits when used in |
| certificates that support the Ed25519, Ed448, X25519, and X448 | certificates that support the Ed25519, Ed448, X25519, and X448 |
| Elliptic Curve Cryptography algorithms. | Elliptic Curve Cryptography algorithms. |
| skipping to change at line 101 | skipping to change at line 101 |
| id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST | id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST |
| be present: | be present: |
| keyAgreement | keyAgreement |
| One of the following MAY also be present: | One of the following MAY also be present: |
| encipherOnly | encipherOnly |
| decipherOnly | decipherOnly |
| and the following MUST NOT be present: | and any of the following MUST NOT be present: |
| digitalSignature | digitalSignature |
| nonRepudiation | nonRepudiation |
| keyEncipherment | keyEncipherment |
| dataEncipherment | dataEncipherment |
| keyCertSign | keyCertSign |
| cRLSign | cRLSign |
| If the keyUsage extension is present in an end-entity certificate | If the keyUsage extension is present in an end-entity certificate |
| that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then | that indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then |
| the keyUsage extension MUST contain at least one of the following: | the keyUsage extension MUST contain at least one of the following: |
| nonRepudiation | nonRepudiation |
| digitalSignature | digitalSignature |
| cRLSign | cRLSign |
| and the following MUST NOT be present: | and any of the following MUST NOT be present: |
| keyEncipherment | keyEncipherment |
| dataEncipherment | dataEncipherment |
| keyAgreement | keyAgreement |
| keyCertSign | keyCertSign |
| encipherOnly | encipherOnly |
| decipherOnly | decipherOnly |
| If the keyUsage extension is present in a CRL issuer certificate that | If the keyUsage extension is present in a CRL issuer certificate that |
| indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the | indicates id-Ed25519 or id-Ed448 in SubjectPublicKeyInfo, then the |
| keyUsage extension MUST contain: | keyUsage extension MUST contain: |
| cRLSign | cRLSign |
| and zero or more of the following: | and zero or more of the following: |
| nonRepudiation | nonRepudiation |
| digitalSignature | digitalSignature |
| and the following MUST NOT be present: | and any of the following MUST NOT be present: |
| keyEncipherment | keyEncipherment |
| dataEncipherment | dataEncipherment |
| keyAgreement | keyAgreement |
| encipherOnly | encipherOnly |
| decipherOnly | decipherOnly |
| and if the CRL issuer is also a certification authority, then the | and if the CRL issuer is also a certification authority, then the |
| keyUsage extension MUST also contain: | keyUsage extension MUST also contain: |
| skipping to change at line 163 | skipping to change at line 163 |
| SubjectPublicKeyInfo, then the keyUsage extension MUST contain: | SubjectPublicKeyInfo, then the keyUsage extension MUST contain: |
| keyCertSign | keyCertSign |
| and zero or more of the following: | and zero or more of the following: |
| nonRepudiation | nonRepudiation |
| digitalSignature | digitalSignature |
| cRLSign | cRLSign |
| and the following MUST NOT be present: | and any of the following MUST NOT be present: |
| keyEncipherment | keyEncipherment |
| dataEncipherment | dataEncipherment |
| keyAgreement | keyAgreement |
| encipherOnly | encipherOnly |
| decipherOnly | decipherOnly |
| 4. Security Considerations | 4. Security Considerations |
| This document introduces no new security considerations beyond those | This document introduces no new security considerations beyond those |

End of changes. 5 change blocks. 5 lines changed or deleted, 5 lines changed or added.
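Review bot: the wording change from "and the following MUST NOT be present" to "and any of the following MUST NOT be present" (in the X25519/X448 rule and in the end-entity, CRL issuer and CA rules for Ed25519/Ed448) closes a reading under which only the complete list of bits was prohibited; in the published text each listed bit is individually prohibited. A keyUsage validator for these algorithm identifiers should therefore reject a certificate as soon as a single forbidden bit is set. The only other difference between the two columns is the publication month in the header.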
This html diff was produced by rfcdiff 1.48. | ||||
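The keyUsage rules shown in the diff, turned into a checker. This is an added example, not text or code from RFC 9295 or RFC 8410: the function and parameter names (`decode_key_usage`, `check_key_usage`, `is_ca`, `is_crl_issuer`) are this example's own, the bit numbering of the KeyUsage BIT STRING follows RFC 5280 Section 4.2.1.3, and the sample DER encodings are constructed. A certificate that is both a CA and a CRL issuer is checked against the CA rule with cRLSign added, since the CRL issuer rule requires that bit; the encipherOnly/decipherOnly check follows the "One of the following MAY also be present" wording by rejecting the two bits together.

```python
"""Check keyUsage bit combinations against the RFC 9295 rules for X25519/X448
and Ed25519/Ed448 subject keys.  Added example; not text or code from the RFC."""

# Bit positions of KeyUsage ::= BIT STRING (RFC 5280, Section 4.2.1.3).
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}
ALL_BITS = set(KEY_USAGE_BITS.values())

# Algorithm identifiers grouped the way RFC 9295 treats them.
KEY_AGREEMENT_ALGS = {"id-X25519", "id-X448"}
SIGNATURE_ALGS = {"id-Ed25519", "id-Ed448"}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of bit names.

    Expects the inner BIT STRING (tag 0x03), not the OCTET STRING wrapper
    of the extension.  Short-form lengths only; KeyUsage never needs more."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    names = set()
    # Bit 0 is the most significant bit of the first body byte.
    for i in range(len(body) * 8 - unused):
        if body[i // 8] & (0x80 >> (i % 8)):
            if i not in KEY_USAGE_BITS:
                raise ValueError(f"undefined keyUsage bit {i}")
            names.add(KEY_USAGE_BITS[i])
    return names


def check_key_usage(alg: str, bits: set, is_ca: bool = False,
                    is_crl_issuer: bool = False) -> list:
    """Return the RFC 9295 violations for the algorithm, role and bits given.

    An empty list means the combination is allowed.  Every bit that is
    neither required nor optional for the role is individually forbidden."""
    required_all, required_any, optional = set(), set(), set()
    if alg in KEY_AGREEMENT_ALGS:
        required_all = {"keyAgreement"}
        optional = {"encipherOnly", "decipherOnly"}
    elif alg in SIGNATURE_ALGS:
        if is_ca:
            # CA rule; a CA that also issues CRLs must carry cRLSign as well.
            required_all = {"keyCertSign"} | ({"cRLSign"} if is_crl_issuer else set())
            optional = {"nonRepudiation", "digitalSignature", "cRLSign"}
        elif is_crl_issuer:
            required_all = {"cRLSign"}
            optional = {"nonRepudiation", "digitalSignature"}
        else:
            # End-entity rule: at least one of these must be present.
            required_any = {"nonRepudiation", "digitalSignature", "cRLSign"}
            optional = set(required_any)
    else:
        raise ValueError(f"no RFC 9295 rule for {alg}")

    forbidden = ALL_BITS - required_all - optional
    problems = []
    for name in sorted(required_all - bits):
        problems.append(f"missing required bit {name}")
    if required_any and not (bits & required_any):
        problems.append("must contain at least one of "
                        + ", ".join(sorted(required_any)))
    for name in sorted(bits & forbidden):
        problems.append(f"forbidden bit {name}")
    if alg in KEY_AGREEMENT_ALGS and optional <= bits:
        problems.append("only one of encipherOnly/decipherOnly may be set")
    return problems


if __name__ == "__main__":
    # Constructed sample: DER KeyUsage with only keyAgreement (bit 4) set,
    # i.e. 03 02 03 08 (3 unused bits, body 0x08).
    sample = bytes.fromhex("03020308")
    print(check_key_usage("id-X25519", decode_key_usage(sample)))
    print(check_key_usage("id-Ed25519", {"keyCertSign"}))
```

In a real certificate the KeyUsage extension's extnValue is an OCTET STRING whose content is the BIT STRING above, so strip that wrapper before calling `decode_key_usage`. The checker raises on algorithm identifiers outside the four the RFC covers rather than guessing a rule for them.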