| rfc9336.original.xml | rfc9336.xml | |||
|---|---|---|---|---|
| <?xml version='1.0' encoding='utf-8'?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <!-- draft submitted in xml v3 --> | ||||
| <!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
| <!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
| <!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
| <!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
| <!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
| ]> | ]> | |||
| <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | ||||
| <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.17 (Ruby 3.1. 2) --> | <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.17 (Ruby 3.1. 2) --> | |||
| <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | ||||
| -ietf-lamps-documentsigning-eku-06" category="std" consensus="true" tocInclude=" | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft | |||
| true" sortRefs="true" symRefs="true" version="3"> | -ietf-lamps-documentsigning-eku-06" number="9336" submissionType="IETF" category | |||
| <!-- xml2rfc v2v3 conversion 3.14.2 --> | ="std" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" updates | |||
| ="" obsoletes="" xml:lang="en" version="3"> | ||||
| <!-- xml2rfc v2v3 conversion 3.14.2 --> | ||||
| <front> | <front> | |||
| <title abbrev="EKU for Document Signing">General Purpose Extended Key Usage | <title abbrev="EKU for Document Signing">X.509 Certificate General-Purpose E | |||
| (EKU) for Document Signing X.509 Certificates</title> | xtended Key Usage (EKU) for Document Signing</title> | |||
| <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-documentsigning-ek | <seriesInfo name="RFC" value="9336"/> | |||
| u-06"/> | ||||
| <author initials="T." surname="Ito" fullname="Tadahiko Ito"> | <author initials="T." surname="Ito" fullname="Tadahiko Ito"> | |||
| <organization>SECOM CO., LTD.</organization> | <organization>SECOM CO., LTD.</organization> | |||
| <address> | <address> | |||
| <email>tadahiko.ito.public@gmail.com</email> | <email>tadahiko.ito.public@gmail.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="T." surname="Okubo" fullname="Tomofumi Okubo"> | <author initials="T." surname="Okubo" fullname="Tomofumi Okubo"> | |||
| <organization>DigiCert, Inc.</organization> | <organization>DigiCert, Inc.</organization> | |||
| <address> | <address> | |||
| <email>tomofumi.okubo+ietf@gmail.com</email> | <email>tomofumi.okubo+ietf@gmail.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="S." surname="Turner" fullname="Sean Turner"> | <author initials="S." surname="Turner" fullname="Sean Turner"> | |||
| <organization>sn3rd</organization> | <organization>sn3rd</organization> | |||
| <address> | <address> | |||
| <email>sean@sn3rd.com</email> | <email>sean@sn3rd.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date year="2022" month="September" day="29"/> | <date year="2022" month="December"/> | |||
| <area>SEC</area> | <area>sec</area> | |||
| <workgroup>LAMPS Working Group</workgroup> | <workgroup>lamps</workgroup> | |||
| <keyword>Internet-Draft</keyword> | ||||
| <abstract> | <abstract> | |||
| <t>RFC 5280 specifies several extended key purpose identifiers | <t>RFC 5280 specifies several extended key purpose identifiers | |||
| (KeyPurposeIds) for X.509 certificates. This document defines a general | (KeyPurposeIds) for X.509 certificates. This document defines a | |||
| purpose document signing KeyPurposeId for inclusion in the Extended Key | general-purpose Document-Signing KeyPurposeId for inclusion in the | |||
| Usage (EKU) extension of X.509 public key certificates. | Extended Key Usage (EKU) extension of X.509 public key certificates. | |||
| Document Signing applications may require that the EKU extension | Document-Signing applications may require that the EKU extension be | |||
| be present and that a document signing KeyPurposeId be indicated | present and that a Document-Signing KeyPurposeId be indicated in order | |||
| in order for the certificate to be acceptable | for the certificate to be acceptable to that Document-Signing | |||
| to that Document Signing application.</t> | application.</t> | |||
| </abstract> | </abstract> | |||
| <note removeInRFC="true"> | ||||
| <name>About This Document</name> | ||||
| <t> | ||||
| Status information for this document may be found at <eref target="https | ||||
| ://datatracker.ietf.org/doc/draft-ietf-lamps-documentsigning-eku/"/>. | ||||
| </t> | ||||
| <t> | ||||
| Discussion of this document takes place on the | ||||
| Limited Additional Mechanisms for PKIX and SMIME (LAMPS) Working Group m | ||||
| ailing list (<eref target="mailto:spasm@ietf.org"/>), | ||||
| which is archived at <eref target="https://mailarchive.ietf.org/arch/bro | ||||
| wse/spasm/"/>. | ||||
| Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/spasm/" | ||||
| />. | ||||
| </t> | ||||
| <t>Source for this draft and an issue tracker can be found at | ||||
| <eref target="https://github.com/lamps-wg/documentsigning-eku"/>.</t> | ||||
| </note> | ||||
| </front> | </front> | |||
| <middle> | <middle> | |||
| <section anchor="introduction"> | <section anchor="introduction"> | |||
| <name>Introduction</name> | <name>Introduction</name> | |||
| <t><xref target="RFC5280"/> specifies several extended key purpose identif | ||||
| iers | <t><xref target="RFC5280"/> specifies several extended key purpose | |||
| (KeyPurposeIds) for X.509 certificates. In addition, several | identifiers (KeyPurposeIds) for X.509 certificates. In addition, the | |||
| KeyPurposeIds have been added under the IANA repository "SMI | IANA repository "SMI Security for PKIX Extended Key Purpose" <xref | |||
| Security for PKIX Extended Key Purpose" <xref target="RFC7299"/>. While usage of | target="RFC7299"/> includes a number of KeyPurposeIds. While usage of | |||
| the | the anyExtendedKeyUsage KeyPurposeId is bad practice for publicly | |||
| "anyExtendedKeyUsage" KeyPurposeId is bad practice for publicly trusted | trusted certificates, there is no public and general KeyPurposeId | |||
| certificates, there is no public and general KeyPurposeId explicitly | explicitly assigned for Document Signing. The current practice is to use | |||
| assigned for Document Signing. The current practice is to | id-kp-emailProtection, id-kp-codeSigning, or a vendor-defined | |||
| use id-kp-emailProtection, id-kp-codeSigning or a vendor-defined | KeyPurposeId for general Document-Signing purposes.</t> | |||
| KeyPurposeId for general document signing purposes.</t> | ||||
| <t>In circumstances where code signing and S/MIME certificates are also | <t>In circumstances where code signing and S/MIME certificates are also | |||
| used for document signing, technical or policy changes made to the | used for Document Signing, technical or policy changes made to the | |||
| code signing and S/MIME ecosystem may cause unexpected behaviors or | code signing and S/MIME ecosystem may cause unexpected behaviors or | |||
| have an adverse impact such as decreased cryptographic | have an adverse impact such as decreased cryptographic | |||
| agility on the document signing ecosystem and vice versa.</t> | agility on the Document-Signing ecosystem and vice versa.</t> | |||
| <t>Vendor-defined KeyPurposeIds that are used in a PKI governed by the | <t>Vendor-defined KeyPurposeIds that are used in a PKI governed by the | |||
| vendor or a group of vendors poses no interoperability concern. | vendor or a group of vendors pose no interoperability concern. | |||
| Appropriating, or misappropriating as the case may be, KeyPurposeIDs | Appropriating, or misappropriating as the case may be, KeyPurposeIDs for | |||
| for use outside of their originally intended vendor or group of vendors | use outside of their originally intended vendor or group of vendors | |||
| controlled environment can introduce problems, the impact of which is | controlled environment can introduce problems, the impact of which is | |||
| difficult to determine.</t> | difficult to determine.</t> | |||
| <t>Therefore, it is not favorable to use a vendor-defined KeyPurposeId for | <t>Therefore, it is not favorable to use a vendor-defined KeyPurposeId for | |||
| signing a document that is not governed by the vendor.</t> | signing a document that is not governed by the vendor.</t> | |||
| <t>This document defines an extended key purpose identifier for Document | <t>This document defines an extended key purpose identifier for Document | |||
| Signing.</t> | Signing.</t> | |||
| </section> | </section> | |||
| <section anchor="conventions-and-definitions"> | <section anchor="conventions-and-definitions"> | |||
| <name>Conventions and Definitions</name> | <name>Conventions and Definitions</name> | |||
| <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | <t> | |||
| NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU | |||
| "MAY", and "OPTIONAL" in this document are to be interpreted as | IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | |||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and | NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14> | |||
| only when, they | RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
| appear in all capitals, as shown here.</t> | "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | |||
| be interpreted as | ||||
| described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> | ||||
| when, and only when, they appear in all capitals, as shown here. | ||||
| </t> | ||||
| </section> | </section> | |||
| <section anchor="extended-key-purpose-for-document-signing"> | <section anchor="extended-key-purpose-for-document-signing"> | |||
| <name>Extended Key Purpose for Document Signing</name> | <name>Extended Key Purpose for Document Signing</name> | |||
| <t>This specification defines the KeyPurposeId id-kp-documentSigning.</t> | <t>This specification defines the KeyPurposeId id-kp-documentSigning.</t> | |||
| <t>As described in <xref target="RFC5280"/>, "[i]f the [Extended Key Usage ] extension is present, | <t>As described in <xref target="RFC5280"/>, "[i]f the [Extended Key Usage ] extension is present, | |||
| then the certificate MUST only be used for one of the purposes indicated." | then the certificate <bcp14>MUST</bcp14> only be used for one of the purposes in | |||
| <xref target="RFC5280"/> also describes that "[i]f multiple [key] purposes are i | dicated." | |||
| ndicated | <xref target="RFC5280"/> also notes that "[i]f multiple [key] purposes are indic | |||
| ated | ||||
| the application need not recognize all purposes indicated, | the application need not recognize all purposes indicated, | |||
| as long as the intended purpose is present."</t> | as long as the intended purpose is present."</t> | |||
| <t>Document Signing applications MAY require that the Extended Key Usage e xtension be present | <t>Document-Signing applications <bcp14>MAY</bcp14> require that the EKU e xtension be present | |||
| and that the id-kp-documentSigning be indicated in order for the certificate to be acceptable | and that the id-kp-documentSigning be indicated in order for the certificate to be acceptable | |||
| to that Document Signing application.</t> | to that Document-Signing application.</t> | |||
| <t>The term "Document Signing" in this document refers to digitally signin | ||||
| g | <t>The term "Document Signing" in this document refers to digitally signing | |||
| contents that are consumed by people. To be more precise, contents are | contents that are consumed by people. To be more precise, contents are | |||
| intended to be shown to a person with printable or displayable form by | intended to be shown to a person in a printable or displayable form by | |||
| means of services or software, rather than primarily processed by | means of services or software, rather than processed by machines. | |||
| machines.</t> | ||||
| </t> | ||||
| <section anchor="ext"> | <section anchor="ext"> | |||
| <name>Including the Extended Key Purpose for Document Signing in Certifi cates</name> | <name>Including the Extended Key Purpose for Document Signing in Certifi cates</name> | |||
| <t><xref target="RFC5280"/> specifies the EKU X.509 certificate extensio n for use on the | <t><xref target="RFC5280"/> specifies the EKU X.509 certificate extensio n for use on the | |||
| Internet. The extension indicates one or more purposes for which the | Internet. The extension indicates one or more purposes for which the | |||
| certified public key is valid. The EKU extension can be used in | certified public key is valid. The EKU extension can be used in | |||
| conjunction with the key usage extension, which indicates the set of | conjunction with the key usage extension, which indicates the set of | |||
| basic cryptographic operations for which the certified key may be used.</t> | basic cryptographic operations for which the certified key may be used.</t> | |||
| <t>The EKU extension syntax is repeated here for convenience:</t> | <t>The EKU extension syntax is repeated here for convenience:</t> | |||
| <artwork><![CDATA[ | <sourcecode type=""><![CDATA[ | |||
| ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId | |||
| KeyPurposeId ::= OBJECT IDENTIFIER | KeyPurposeId ::= OBJECT IDENTIFIER | |||
| ]]></artwork> | ]]></sourcecode> | |||
| <t>As described in <xref target="RFC5280"/>, EKU extension may, | <t>As described in <xref target="RFC5280"/>, the EKU extension may, | |||
| at the option of the certificate issuer, be either critical or non-critical.</t> | at the option of the certificate issuer, be either critical or non-critical.</t> | |||
| <t>This specification defines the KeyPurposeId id-kp-documentSigning. | <t>This specification defines the KeyPurposeId id-kp-documentSigning. | |||
| Inclusion of this KeyPurposeId in a certificate indicates that the | Inclusion of this KeyPurposeId in a certificate indicates that the | |||
| public key encoded in the certificate has been certified to be used for | public key encoded in the certificate has been certified to be used for | |||
| cryptographic operations on contents that are consumed by people.</t> | cryptographic operations on contents that are consumed by people.</t> | |||
| <artwork><![CDATA[ | ||||
| <sourcecode type=""><![CDATA[ | ||||
| id-kp OBJECT IDENTIFIER ::= | id-kp OBJECT IDENTIFIER ::= | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) 3 } | security(5) mechanisms(5) pkix(7) 3 } | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp 36 } | id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp 36 } | |||
| ]]></artwork> | ]]></sourcecode> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="using-the-extended-key-purpose-for-document-signing-in-a-ce rtificate"> | <section anchor="using-the-extended-key-purpose-for-document-signing-in-a-ce rtificate"> | |||
| <name>Using the Extended Key Purpose for Document Signing in a Certificate </name> | <name>Using the Extended Key Purpose for Document Signing in a Certificate </name> | |||
| <t>Our intended use case is people consuming the contents of signed | <t>Our intended use case is people consuming the contents of signed | |||
| documents. To be more precise, contents are intended to be | documents. To be more precise, contents are intended to be shown to a | |||
| shown to a person in a printable or displayable form by means of services | person in a printable or displayable form by means of services or | |||
| or software, rather than processed by machines. The digital signature on | software, rather than processed by machines. The digital | |||
| the contents is to indicate to the recipient of the contents that the | signature on the contents is to indicate to the recipient of the | |||
| content has not changed since it was signed by the identity indicated as | contents that the content has not changed since it was signed by the | |||
| the subject of the certificate. To validate the digital signature which | identity indicated as the subject of the certificate. To validate the | |||
| is signed on contents intended to be consumed by people, implementations | digital signature that is signed on contents intended to be consumed by | |||
| MAY perform the steps below during certificate validation:</t> | people, implementations <bcp14>MAY</bcp14> perform the steps below | |||
| during certificate validation.</t> | ||||
| <t>The following procedure is used to examine the KeyPurposeId(s) included in the | <t>The following procedure is used to examine the KeyPurposeId(s) included in the | |||
| Extended Key Usage extension. | EKU extension. | |||
| Restrictions on Extended Key Usage is derived and implemented from | Restrictions on EKU is derived and implemented from | |||
| (or configured with) the policy to which the implementation conforms.</t> | (or configured with) the policy to which the implementation conforms.</t> | |||
| <ul spacing="normal"> | <ul spacing="normal"> | |||
| <li>If there are no restrictions set for the relying party and the | <li>If there are no restrictions set for the relying party and the | |||
| relying party software, the certificate is acceptable.</li> | relying party software, the certificate is acceptable.</li> | |||
| <li> | <li> | |||
| <t>If there are restrictions set for the relying party and relying | <t>If there are restrictions set for the relying party and relying | |||
| party software, then process the KeyPurposeId(s) as described below. </t> | party software, then process the KeyPurposeId(s) as described below. </t> | |||
| <t> | <t> | |||
| This procedure is intended to permit or prohibit presence of a | This procedure is intended to permit or prohibit the presence of a | |||
| certain KeyPurposeId or complete absence of KeyPurposeIds. It is | certain KeyPurposeId or the complete absence of KeyPurposeIds. It is | |||
| outside the scope of this document, but the relying party can permit | outside the scope of this document, but the relying party can permit | |||
| or prohibit combinations of KeyPurposeIds, instead of a single | or prohibit combinations of KeyPurposeIds, instead of a single | |||
| KeyPurposeId. | KeyPurposeId. | |||
| A consideration on | A consideration on | |||
| prohibiting combinations of KeyPurposeIds is described in the | prohibiting combinations of KeyPurposeIds is described in the | |||
| Security Considerations section of this document. | Security Considerations section of this document. | |||
| If both "Excluded KeyPurposeId" and "Permitted KeyPurposeId" exists, | If both Excluded KeyPurposeId and Permitted KeyPurposeId exist, | |||
| the relying party or the relying party software processes each restriction | the relying party or the relying party software processes each restriction | |||
| on "Excluded KeyPurposeId" first, and then processes each restriction on | on Excluded KeyPurposeId first and then processes each restriction on | |||
| "Permitted KeyPurposeId". </t> | Permitted KeyPurposeId. </t> | |||
| <dl> | <dl newline="true"> | |||
| <dt>Excluded KeyPurposeId procedure:</dt> | <dt>Excluded KeyPurposeId procedure:</dt> | |||
| <dd> | <dd> | |||
| <t>"Excluded KeyPurposeId" is a | <t>Excluded KeyPurposeId is a | |||
| KeyPurposeId which the relying party or the relying party software | KeyPurposeId that the relying party or the relying party software | |||
| prohibits. Examples of "Excluded KeyPurposeId" are, presence of the | prohibits. Examples of Excluded KeyPurposeId include the presence of the | |||
| anyExtendedKeyUsage KeyPurposeId or complete absence of the EKU | anyExtendedKeyUsage KeyPurposeId or the complete absence of the EKU | |||
| extension in a certificate. If a KeyPurposeId of the certificate | extension in a certificate. If a KeyPurposeId of the certificate | |||
| meets the conditions set by the "Excluded KeyPurposeId" restriction, | meets the conditions set by the Excluded KeyPurposeId restriction, | |||
| the relying party or the relying party software rejects the | the relying party or the relying party software rejects the | |||
| certificate.</t> | certificate.</t> | |||
| </dd> | </dd> | |||
| <dt>Permitted KeyPurposeId procedure:</dt> | <dt>Permitted KeyPurposeId procedure:</dt> | |||
| <dd> | <dd> | |||
| <t>"Permitted KeyPurposeId" is a KeyPurposeId which the relying pa | ||||
| rty or | <t>Permitted KeyPurposeId is a KeyPurposeId that the relying party | |||
| the relying party software accepts. Examples of "Permitted | or | |||
| KeyPurposeId" are, presence of this general document signing | the relying party software accepts. Examples of Permitted | |||
| KeyPurposeId and/or protocol specific document signing-type | KeyPurposeId include the presence of this general-purpose Document-Signing | |||
| KeyPurposeIds. If a KeyPurposeId of the certificate meets the | KeyPurposeId and/or the protocol-specific | |||
| condition set by a "Permitted KeyPurposeId" restriction, the | KeyPurposeIds that are relevant to Document Signing. If a KeyPurposeId of the ce | |||
| certificate is acceptable. Otherwise, relying party or the relying | rtificate meets the | |||
| condition set by a Permitted KeyPurposeId restriction, the | ||||
| certificate is acceptable. Otherwise, the relying party or the relying | ||||
| party software rejects the certificate.</t> | party software rejects the certificate.</t> | |||
| </dd> | </dd> | |||
| </dl> | </dl> | |||
| </li> | </li> | |||
| </ul> | </ul> | |||
| <t>When a single application has the capability to process various data | <t>When a single application has the capability to process various data | |||
| formats, the software may choose to make the excluded and permitted | formats, the software may choose to make the excluded and permitted | |||
| decisions separately in accordance with the format it is handling (e.g., | decisions separately in accordance with the format it is handling (e.g., | |||
| TEXT, PDF).</t> | TEXT and PDF).</t> | |||
| </section> | </section> | |||
| <section anchor="implications-for-a-certification-authority"> | <section anchor="implications-for-a-certification-authority"> | |||
| <name>Implications for a Certification Authority</name> | <name>Implications for a Certification Authority</name> | |||
| <t>The procedures and practices employed by a certification authority MUST | <t>The procedures and practices employed by a certification authority <bcp 14>MUST</bcp14> | |||
| ensure that the correct values for the EKU extension are inserted in | ensure that the correct values for the EKU extension are inserted in | |||
| each certificate that is issued. Unless certificates are governed by a | each certificate that is issued. Unless certificates are governed by a | |||
| vendor(s) specific PKI, certificates that indicate usage | vendor-specific PKI, certificates that indicate usage | |||
| for document signing MAY include the id-kp-documentSigning KeyPurposeId. | for Document Signing <bcp14>MAY</bcp14> include the id-kp-documentSigning KeyPur | |||
| poseId. | ||||
| The inclusion of the id-kp-documentSigning KeyPurposeId does not | The inclusion of the id-kp-documentSigning KeyPurposeId does not | |||
| preclude the inclusion of other KeyPurposeIds.</t> | preclude the inclusion of other KeyPurposeIds.</t> | |||
| </section> | </section> | |||
| <section anchor="security-considerations"> | <section anchor="security-considerations"> | |||
| <name>Security Considerations</name> | <name>Security Considerations</name> | |||
| <t>The usage of id-kp-documentSigning KeyPurposeId is to provide an | <t>The usage of the id-kp-documentSigning KeyPurposeId is to provide an | |||
| alternative to id-kp-emailProtection being used for non-email purposes | alternative to id-kp-emailProtection being used for non-email purposes | |||
| and id-kp-codeSigning being used to sign objects other than binary code. | and id-kp-codeSigning being used to sign objects other than binary code. | |||
| This extended key purpose does not introduce new security risks but | This extended key purpose does not introduce new security risks but | |||
| instead reduces existing security risks by providing means to separate | instead reduces existing security risks by providing means to separate | |||
| other extended key purposes used for communication protocols namely, | other extended key purposes used for communication protocols, which include | |||
| TLS (id-kp-clientAuth) or S/MIME (id-kp-emailProtection) etc. | TLS (id-kp-clientAuth) and S/&wj;MIME (id-kp-emailProtection), | |||
| in order to minimize the risk of cross-protocol attacks.</t> | in order to minimize the risk of cross-protocol attacks.</t> | |||
| <t>To reduce the risk of specific cross-protocol attacks, the relying part y | <t>To reduce the risk of specific cross-protocol attacks, the relying part y | |||
| or relying party software may additionally prohibit use of specific | or the relying party software may additionally prohibit use of specific | |||
| combinations of KeyPurposeIds.</t> | combinations of KeyPurposeIds.</t> | |||
| <t>While a specific protocol or signing scheme may choose to come up with | <t>While a specific protocol or signing scheme may choose to come up with | |||
| their own KeyPurposeIds, some may not have significant motive or | their own KeyPurposeIds, some may not have significant motive or | |||
| resources to set up and manage their own KeyPurposeIds. This general | resources to set up and manage their own KeyPurposeIds. This general-purpose | |||
| document signing KeyPurposeId may be used as a stop-gap for those that | Document-Signing KeyPurposeId may be used as a stop-gap for those that | |||
| intend to define their own document signing KeyPurposeId or those who do not int | intend to define their own Document-Signing KeyPurposeId or those who do not int | |||
| end to | end to | |||
| set up a KeyPurposeId but still would like to distinguish document | set up a KeyPurposeId but still would like to distinguish Document Signing from | |||
| signing from other usages.</t> | other usages.</t> | |||
| <t>Introduction of this id-kp-documentSigning KeyPurposeId does not | <t>Introduction of this id-kp-documentSigning KeyPurposeId does not | |||
| introduce any new security or privacy concerns.</t> | introduce any new security or privacy concerns.</t> | |||
| </section> | </section> | |||
| <section anchor="iana-considerations"> | <section anchor="iana-considerations"> | |||
| <name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
| <t>IANA made one assignment for the id-kp- | ||||
| documentSigning object identifier (OID), as defined in Section 3.1, in the "SMI | <t>IANA has registered the following OID in the "SMI Security for PKIX | |||
| Security for PKIX Extended Key Purpose" (1.3.6.1.5.5.7.3) registry. The other | Extended Key Purpose" registry (1.3.6.1.5.5.7.3). This OID is defined in | |||
| assignment was made for the id-mod-docsign-eku ASN.1 | <xref target="ext"/>. | |||
| module <xref target="X.680"/> object identifier (OID), as defined in Appendix A, | </t> | |||
| in the "SMI | ||||
| Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry.</t> | <table anchor="iana_table1"> | |||
| <name></name> | ||||
| <thead> | ||||
| <tr> | ||||
| <th>Decimal</th> | ||||
| <th>Description</th> | ||||
| <th>References</th> | ||||
| </tr> | ||||
| </thead> | ||||
| <tbody> | ||||
| <tr> | ||||
| <td>36</td> | ||||
| <td>id-kp-documentSigning</td> | ||||
| <td>RFC 9336</td> | ||||
| </tr> | ||||
| </tbody> | ||||
| </table> | ||||
| <t>IANA has also registered the following ASN.1 <xref | ||||
| target="X.680"/> module OID in the "SMI | ||||
| Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0). This OID is | ||||
| defined in <xref target="asn1-module"/>.</t> | ||||
| <table anchor="iana_table2"> | ||||
| <name></name> | ||||
| <thead> | ||||
| <tr> | ||||
| <th>Decimal</th> | ||||
| <th>Description</th> | ||||
| <th>References</th> | ||||
| </tr> | ||||
| </thead> | ||||
| <tbody> | ||||
| <tr> | ||||
| <td>104</td> | ||||
| <td>id-mod-docsign-eku</td> | ||||
| <td>RFC 9336</td> | ||||
| </tr> | ||||
| </tbody> | ||||
| </table> | ||||
| </section> | </section> | |||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references> | <references> | |||
| <name>References</name> | <name>References</name> | |||
| <references> | <references> | |||
| <name>Normative References</name> | <name>Normative References</name> | |||
| <reference anchor="X.680"> | <reference anchor="X.680"> | |||
| <front> | <front> | |||
| <title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title> | <title>Information technology - Abstract Syntax Notation One (ASN.1) : Specification of basic notation</title> | |||
| <author> | <author> | |||
| <organization>ITU-T</organization> | <organization>ITU-T</organization> | |||
| </author> | </author> | |||
| <date year="2015" month="November"/> | <date year="2021" month="February"/> | |||
| </front> | ||||
| <seriesInfo name="ISO/IEC" value="8824-1:2015"/> | ||||
| </reference> | ||||
| <reference anchor="RFC5280"> | ||||
| <front> | ||||
| <title>Internet X.509 Public Key Infrastructure Certificate and Cert | ||||
| ificate Revocation List (CRL) Profile</title> | ||||
| <author fullname="D. Cooper" initials="D." surname="Cooper"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author fullname="S. Santesson" initials="S." surname="Santesson"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author fullname="S. Farrell" initials="S." surname="Farrell"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author fullname="S. Boeyen" initials="S." surname="Boeyen"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author fullname="R. Housley" initials="R." surname="Housley"> | ||||
| <organization/> | ||||
| </author> | ||||
| <author fullname="W. Polk" initials="W." surname="Polk"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="May" year="2008"/> | ||||
| <abstract> | ||||
| <t>This memo profiles the X.509 v3 certificate and X.509 v2 certif | ||||
| icate revocation list (CRL) for use in the Internet. An overview of this approa | ||||
| ch and model is provided as an introduction. The X.509 v3 certificate format is | ||||
| described in detail, with additional information regarding the format and seman | ||||
| tics of Internet name forms. Standard certificate extensions are described and | ||||
| two Internet-specific extensions are defined. A set of required certificate ext | ||||
| ensions is specified. The X.509 v2 CRL format is described in detail along with | ||||
| standard and Internet-specific extensions. An algorithm for X.509 certificatio | ||||
| n path validation is described. An ASN.1 module and examples are provided in th | ||||
| e appendices. [STANDARDS-TRACK]</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="5280"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC5280"/> | ||||
| </reference> | ||||
| <reference anchor="RFC2119"> | ||||
| <front> | ||||
| <title>Key words for use in RFCs to Indicate Requirement Levels</tit | ||||
| le> | ||||
| <author fullname="S. Bradner" initials="S." surname="Bradner"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="March" year="1997"/> | ||||
| <abstract> | ||||
| <t>In many standards track documents several words are used to sig | ||||
| nify the requirements in the specification. These words are often capitalized. | ||||
| This document defines these words as they should be interpreted in IETF document | ||||
| s. This document specifies an Internet Best Current Practices for the Internet | ||||
| Community, and requests discussion and suggestions for improvements.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="BCP" value="14"/> | ||||
| <seriesInfo name="RFC" value="2119"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC2119"/> | ||||
| </reference> | ||||
| <reference anchor="RFC8174"> | ||||
| <front> | ||||
| <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</ti | ||||
| tle> | ||||
| <author fullname="B. Leiba" initials="B." surname="Leiba"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="May" year="2017"/> | ||||
| <abstract> | ||||
| <t>RFC 2119 specifies common key words that may be used in protoco | ||||
| l specifications. This document aims to reduce the ambiguity by clarifying tha | ||||
| t only UPPERCASE usage of the key words have the defined special meanings.</t> | ||||
| </abstract> | ||||
| </front> | </front> | |||
| <seriesInfo name="BCP" value="14"/> | <seriesInfo name="ITU-T Recommendation" value="X.680"/> | |||
| <seriesInfo name="RFC" value="8174"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC8174"/> | ||||
| </reference> | </reference> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280. | ||||
| xml"/> | ||||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119. | ||||
| xml"/> | ||||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174. | ||||
| xml"/> | ||||
| </references> | </references> | |||
| <references> | <references> | |||
| <name>Informative References</name> | <name>Informative References</name> | |||
| <reference anchor="RFC7299"> | ||||
| <front> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7299. | |||
| <title>Object Identifier Registry for the PKIX Working Group</title> | xml"/> | |||
| <author fullname="R. Housley" initials="R." surname="Housley"> | ||||
| <organization/> | ||||
| </author> | ||||
| <date month="July" year="2014"/> | ||||
| <abstract> | ||||
| <t>When the Public-Key Infrastructure using X.509 (PKIX) Working G | ||||
| roup was chartered, an object identifier arc was allocated by IANA for use by th | ||||
| at working group. This document describes the object identifiers that were assi | ||||
| gned in that arc, returns control of that arc to IANA, and establishes IANA allo | ||||
| cation policies for any future assignments within that arc.</t> | ||||
| </abstract> | ||||
| </front> | ||||
| <seriesInfo name="RFC" value="7299"/> | ||||
| <seriesInfo name="DOI" value="10.17487/RFC7299"/> | ||||
| </reference> | ||||
| </references> | </references> | |||
| </references> | </references> | |||
| <section numbered="false" anchor="appendix-a-asn1-module"> | <section numbered="true" anchor="asn1-module"> | |||
| <name>Appendix A. ASN.1 Module</name> | <name>ASN.1 Module</name> | |||
| <t>The following ASN.1 module provides the complete definition of the | <t>The following ASN.1 <xref | |||
| Document Signing KeyPurposeId.</t> | target="X.680"/> module provides the complete definition of the | |||
| <artwork><![CDATA[ | Document-Signing KeyPurposeId.</t> | |||
| <sourcecode type="asn.1"><![CDATA[ | ||||
| DocSignEKU { iso(1) identified-organization(3) dod(6) internet(1) | DocSignEKU { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-docsign-eku(104) } | id-mod-docsign-eku(104) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
| -- IMPORTS NOTHING -- | -- IMPORTS NOTHING -- | |||
| -- OID Arc -- | -- OID Arc -- | |||
| id-kp OBJECT IDENTIFIER ::= { | id-kp OBJECT IDENTIFIER ::= { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) kp(3) } | security(5) mechanisms(5) pkix(7) kp(3) } | |||
| -- Document Signing Extended Key Usage -- | -- Document-Signing Extended Key Usage -- | |||
| id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp 36 } | id-kp-documentSigning OBJECT IDENTIFIER ::= { id-kp 36 } | |||
| END | END | |||
| ]]></artwork> | ]]></sourcecode> | |||
| </section> | </section> | |||
| <section numbered="false" anchor="acknowledgments"> | <section numbered="false" anchor="acknowledgments"> | |||
| <name>Acknowledgments</name> | <name>Acknowledgments</name> | |||
| <t>We would like to thank Russ Housley for verifying the ASN.1 module. | <t>We would like to thank <contact fullname="Russ Housley"/> for verifying | |||
| Additionally, we would like to thank Corey Bonnell, Wendy Brown, Russ | the ASN.1 module. | |||
| Housley, Prachi Jain, and Stefan Santesson for their comments.</t> | Additionally, we would like to thank <contact fullname="Corey Bonnell"/>, <conta | |||
| ct fullname="Wendy Brown"/>, <contact fullname="Russ | ||||
| Housley"/>, <contact fullname="Prachi Jain"/>, and <contact fullname="Stefan San | ||||
| tesson"/> for their comments.</t> | ||||
| </section> | </section> | |||
| </back> | </back> | |||
| <!-- ##markdown-source: | ||||
| H4sIAAAAAAAAA7Va63IbN5b+j6fAKn+kGpKS7NhxWDW1YSTZ4US3NeW1d5PU | ||||
| FNgNkhg1Gz1At2SOyql5kN2qfZZ9lHmS/c4ButlNUrKzu4l/ROwGDs71Oxd0 | ||||
| v98XpSkzPZRvdK6dyuR15QrrtTz7WOo81an8Ua/kO6/mWu6f/fjuQM6sk6c2 | ||||
| qZY6L+XEzHOTz+WHwYujb+WJdqWZmUSV2gs1nTp9N5TYtHOPoGVz61ZD6ctU | ||||
| iNQmuVqCk9SpWdk3upz1M7UsfD+NO33Y2Ne3Vf/opTCFG8rSVb58dnT07dEz | ||||
| catX99alQznOS+1yXfZPiZRQTquhnJydCLy+nTtbFUN5Prq4nsj3eED8v6GH | ||||
| 4k7nlR4KKeOavXOzNCV0MEpTUxqbQz8XOlmo3PilZ6mufxx/kCpP5eRifHEm | ||||
| 95nswR5olKsCwux1TqDnS2UyPPeF8svvSMqBdXN6oVyywItFWRZ+eHhI6+iR | ||||
| udODetkhPTicOnvv9SFTOKSdc1MuqulQBnXdzw93aEwIX4LPP6vM5uBrBQv5 | ||||
| pXLln/9aWZhrKHMrCjOUP5U26UlvXen0zOOv1ZL++EUIVZUL66CePo6U0uTY | ||||
| dDOQ49Ly72C8G5Wqhbm1zWNwDXX9TZH62AhXF/LkatCT5zenA16hg0bKuHNg | ||||
| Sjsoqmlmku/m9GqQ2OXmoVe31bRzrF3aWbU0rRfdg0/N3JB79uAcSffcuHVg | ||||
| aesfSNWPnDsZyJsKfuVaB0+0yttPu6f6/LlL24d5LP+OnzJ1kVu3xNo79roP | ||||
| g5evjoa8HO4TwnJvnM/CGpvLEr6X28zOV7IvR1NfOpUgnlZ5qT7KS1uGVVc5 | ||||
| QnU0uRwcH4C/QichJOmVncmp8iaBscPivXhailgcgsSdXk61k8+Ojl/EN43V | ||||
| 438QEAF2865/Ex957Yz2BmyuF40nV4fjs5OhfPXq2df94yHTE/1+X6rItRBv | ||||
| X5/IF89eHUkfWNQepO4Yg3SNPYhoWURAMikcmtY5L/YBShGoxqkPmBQgKGlB | ||||
| EMy1MF7WwSBTPTM5jlFyHsBO1LSbJTFgZJs+Uzd5klWedGhgh0UXH0UbH5l5 | ||||
| H7UdmArezNJ0+BNbOKqKIovG8kCKlXT6r5VxGkeqMpwLOG2OEFMtC6c9kSAQ | ||||
| 4lXqM+Jgj8lTZiEVkAaQCZOTkES/xSBCgxarJNFFqaaZFnjARzzF9yAYemnS | ||||
| FDvEV4TGzqZVQi+FeHj4J1ieDP/p0+9p+nEuVUTtXk1ddPbKhbrTEFDzShxZ | ||||
| 5aQIUsJ4dDmC6rEQYORWcg/oLiY6qZwpV2vc7+TISHhPPjz8MyT85tm33376 | ||||
| NJDvFybTsmIHgUOAuthT+areip3sPHtdG8FtpyqFbREqJtF8ZPCibBVyHmzX | ||||
| FrhHlOEn2Jjb2uHIJaKrd8nrj2QuIMxKKE9OotOdOZoiCC5ROUcPG25wCNC9 | ||||
| Ysv0b4s+g9u1Qx5Jgr7D48SmunYQEFcS+TW1rh/iMBVbQVbzuuW/0REQMQJ2 | ||||
| TYzDe0pnCTznnuWms5rlnI8POSG3dYQMC2/OPLMeTtw8qRcwFuszYrmwUBOC | ||||
| Fhl/rikgUw4KMuJjB+rE+hXMs+TwTRRpqcqhcOhGU/DB64x1HuQFO6Ai94N7 | ||||
| kjaXBQG6r5KFVAAunaByIVYTtypKO3eqWJhEqLnJyA9tQKItba1ZIL7uyGJE | ||||
| X0F7/9qxgOzGQ0APR96Kd0AGRW4u58gKjlZPVyx5sGKwKBdK5NfhoZdsJnJB | ||||
| QzWYLWDPaeA2sTCXAzyMigIvnAFakMJBZ2m8aj8k4RmLIDyrcap7bV5PvSDj | ||||
| kWpthSInrUPLEFvI9CjUECfEAofnmuNNfmFGQqcswyqd3xlnc1ZlogjoA24R | ||||
| xFqg3zIEWW0lELmHNRaIBpGaGXysykryjlRD8iX0C33fkHOCV/BvyhCcpZyp | ||||
| O+sIT2k1CbEZGVvpRzSOtrY2WytS3DBRJMfn70yA+edwtoMGokYDQvMTm9/R | ||||
| KkpQ5F6nRJNh1rO4TJDKcC/3Lt5NbvZ64f/y8or/fnv2L+/Gb89O6e/JD6Pz | ||||
| 8+YPEVdMfrh6d366/mu9E7XjxdnladiMp7LzSOxdjP4Nb4irvavrm/HV5eh8 | ||||
| L+TrthbIw0NmYx9F/qTAVLCi9okz0+D7359c//d/HX8tQ756dnwMNI8/Xh1/ | ||||
| 8zV+AHjycJrN4W3hJ7QPTC0KrRxHUJbBlwpTAnZ65NZ+Ye9zSV4BbUKdu1LI | ||||
| 7nYp2NJ36rnaoGTzbv5gAK5FXttvRKjSkvLhoUnGUOnPP5mff+FAkj//tN0A | ||||
| /vxLq7gBL7Hy6AlsyLeKBzY6a2YaEYXEQvMRY7UB9XU1MtgTLYYYqht2IzzV | ||||
| PC4RbKbIiFE4HDhrqJF51/UNHdQqTmSuwQiFjANKQit/02yjbV56yIwSvVID | ||||
| Rg2aNNHSaAB8f6aUg2fuKOW2W+y1fteVnWgqO2Zjl2U7NZ38XWo6Cm3CNbm3 | ||||
| uXBHiAHzkHAYDIHGJaOxr9t+S4osW+kGTzz2MXoV2sKqqDuYzSWQk9SQGA8E | ||||
| bXZik2jMEQQKcYW/FUg4DwXeoynGXqxjqKVkb3yRqRX/pKYK54klGjJPHok2 | ||||
| hjIl5WV0v7PyXhFoO0VlFbGaEy00zAaiIB9gpWeOxVKhR8+5NvmKil30CSmp | ||||
| b8vCT0U3qbA9PZEPX8EVPolOPKyr5boR2Cp8Ww7UZEgOTVHPREJJ14rj6DY+ | ||||
| hKaLOq/jgaiENMdFTziJg6BpaWD4O5WZNFDu9CecR6dNQUG2/0uVc5EY7FPG | ||||
| hFF1vb9Xp9aGOVroNWVdETrYTkkkudAIodbhWK45pmNCLcHsRJfusutDKw2J | ||||
| UPxrDiauLolmwonPaFQxQyF+/fVXdLuwb13Axy5cDod/lHKCJHd2eXImJ+N/ | ||||
| P5P7x4PBxejDgbx63UFpEOiAdth79f2fzk5u5Pj07PJm/Hp89pbPehK4u0JA | ||||
| SIBXQAtb1H3/Jg4Y7yvteqQObdjJQbysC9/c5v369+D/JfWMmwaamQG97i6q | ||||
| Njv8tUwfhBEtn4MVbBo0sSnYAnjNTd3a9AEi6hwkHnUdctgvQafa/CzqDoux | ||||
| JeMw5AGatvvHB+viKu23h0T7zw+Am+n+y4NQjiBEsbqZpPjYdO6/OJDLZvRI | ||||
| v4pb83H/mwP5XH6qWdlKC4+wxlwx789fYjcJg1Lknf9fwZZqA5cQV5Vbp0rC | ||||
| Hy7iKVey7qI665MadRMCcx8qmtnl55OA7CYBsZ0EmL/PJQG5lQTEE0lgDf2y | ||||
| gX5GvpjqWA5VVo6gV3SE5L658ezYSVIlYgpDWq3DtOODodnkJ+zbVLyEhjTF | ||||
| UTm146W8p9Iy9PGxBQjuVq5adQFKXIbRavoXnZQ7QIE1zljO7O2UiaFVmOa4 | ||||
| dsxs5OTtyOlR84ROCqtDyAkqjGArtgQzV+qC4jez9zKF58NP2sEdmaPhasDv | ||||
| GXo3e88zArJMWoUZCMc6uNAfFXViWyi17w/CSG8NIuKpcmwg3mpfOpM0QLFj | ||||
| NVVA2pk7UjVKtkZUgh1nl2I/ZJGZmYPLlBPgQaiEw5gB/K4TV1dRvA86oiqj | ||||
| L8ezOO2hGECv7dq8UZasCz+nsxXrRjl4Qqgjteg+Xfv5dopo1YnbB/+GU+MT | ||||
| sePEJqR22ki10x57BfggXOSM1DF52/kKasBLnuA4uzBTU8ZiOuHuQ3Eho2D3 | ||||
| Tg5i85DaIbuaNqs7QxK676COv547sM8myCFNWqvxC6m1Knfog0qiwJ9o84eT | ||||
| pyavE9HGqT26gCi1Spl7Cvs5Kvf2koEYcbyBJxdn/bmoiXMUPUU/uG6rvCA3 | ||||
| aeadJ226ZOqkbOfxWmDk+JmcWlR1//j7f5x9jMHVPucff/9Pdge8v2YNlDsW | ||||
| 6I/Gl56byg3N7XSv2pkaZPZSA5bb3inA7FMszYzzZa8Oj/wJSqTUp5iPzrnz | ||||
| pLW3DsOq4ZNMUfB1J6RrbPgNaml8AJ57BjCEd7P593YevCc5LNuxQp6wY179 | ||||
| RZET2xTR7ja6Zd6AIEVtENvKS+jSdOnr3BiG+gFyYrJ7SpEt8/12p3KaUqVv | ||||
| Nz/MdrDgbj/YbejHHZ4sLb/Q0jsEaHgNWL1h5/bJYisWt40NZh6bwne9EdFy | ||||
| GPCrtInNmu5ga1ufLsLFJoh+gdVlY3XRWL02unpapW2bb9puI63JK8po91xb | ||||
| PuUZ4nHPkF3PeE8YUoN0Z/i0aObaRT0Vp2QV89+dcsZWnu5ilQiXvnHi3BzK | ||||
| VwoLS+U4Ni7VbUhAuvZ9grCiMXdKJXMMFXAP7ngoTtJbl9LtyboJD+fFITWq | ||||
| yzQjRezrwXzQEzdnH2568vr09QGPgMfL1mRrxvcA6xaA5BzxnTHECzVaEw9h | ||||
| YlxfIwFeQciuQoHYhgWioWoaPEgUwI+qPTuDBI6KWBSEVRxTbN2OxhYBRX2Y | ||||
| igmG884wLM7QuRlOB/JdnpElti6N2vN1FS9AqDxpnP76x3Gvuy2Qrkt9nm+I | ||||
| XTdOPBqMpegTA75urr/heWSnof6SjTicL2dKQe3U+sQ2Jcu9TjdcyeiPVAPB | ||||
| ws315hfwEJog+MQd1U8qFyqjtpe/guD2aNeVImo/ItSMkWk+wUuaSRVPSbfv | ||||
| HVv7QJt0Lu00RK5dd3VUGbkVXyIOwrBj5/1Irb7W1VCu75seXTrjbz2VfaIu | ||||
| 11DnV+zpVNQQJ5trV1ET9C60ocRmDFcRWNzFi1/rApl3WeV13NSA7PkDlWyF | ||||
| 6D2fyP2omYz6TArPA4K3eGW5v1PlB1KXyWD9gQABjsnNkkbmjIsQgEyeOOt9 | ||||
| v8kDqixVcks+c2Oj+J3lTcjs3tfbTntUJj+S8ggPVfNtVpjMhnKaJ5/r08ST | ||||
| 5S+DNl3TqzV7DWM0CojO5JMFWrINFAZlBEDBUCriHeR9vlm/exs3kvvwvS8T | ||||
| JbQAFiwtez/yO0DSVo5chv2gJMrk2UuVU4g9Qj9+6VJ/1vL09x+tISj1V5C5 | ||||
| tEV/roqIoiwX0CuO2MOV5ix20fH0p09oyNwvsNfWIROIiVqqja9S0CwhRLJM | ||||
| 3tsqS2VmbnW4QODAqYxfNKc216HUVsc4ZggKHwisPzdpaprfgo3r4Ebd2w1w | ||||
| LnjMnUqa6+wAjvy9yCYw8kP+ZIAm6+E7C9ZZnawCU2KTq4BP7cvY/avx6UEv | ||||
| NMPhghhROYnI+Hxw3KvnoL/pO5X948HzwcvB8eAF/n0zeH6AKJtD224V5lms | ||||
| V9Him4ZMLE9LgKVNSa20hr4ylPzdmcDTCuH0E3/R9suXSjQqCrBpPsrR5wS6 | ||||
| CPTHDcEtaY5a0oQPkqaAF7LV+pRB4DZSEw/DvKKv33T6x72ZyqCiT5szprA+ | ||||
| ShdTWN2XxPYnbe7D6+5pa2jazeVxloxV9J4KmP/DyPjz4+Jgs/2jsH7bgvvH | ||||
| R18fyE/UuZyevR5fjukefSLPPlyfj0/GN/Jm9GbC420s+P7szfiS/oB6seDq | ||||
| 7c1Ejs7P8TM+HF+Eh5dXNz+ML9+sX8D8cuSS+ODJObp8CJz+fiq5LWj7p8ja | ||||
| lrl2TPpabG+ByrYULER74E43R5en9dx9lNzm9j7T6ZzH3rv98L3ewEWqW27l | ||||
| 2wrl6g/oGjIdwgN1qpmt6vF6218HYtTKlD15v5viiXUg9b3Nc51lPfkeouOn | ||||
| A+j3+DQRT0M/4Gj8Lf+kTPwMYlLqGYqpCTIaquh4BRlyBtUoPNMX/wMPiXWS | ||||
| cy4AAA== | ||||
| </rfc> | </rfc> | |||
| End of changes. 47 change blocks. | ||||
| 333 lines changed or deleted | 200 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||