1. Introduction | 1. Introduction | |||

This document defines a YANG 1.1 [RFC7950] module specifying | This document defines a YANG 1.1 [RFC7950] module specifying | |||

identities, typedefs, and groupings useful for cryptography. | identities, typedefs, and groupings useful for cryptography. | |||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||

"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||

14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||

capitals, as shown here. | capitals, as shown here. | |||

2. The Crypto Types Module | 2. The Crypto Types Module | |||

2.1. Tree Diagram | 2.1. Tree Diagram | |||

This section provides a tree diagram [RFC8340] for the "ietf-crypto- | This section provides a tree diagram [RFC8340] for the "ietf-crypto- | |||

types" module. Only the groupings as represented, as tree diagrams | types" module. Only the groupings as represented, as tree diagrams | |||

have no means to represent identities or typedefs. | have no means to represent identities or typedefs. | |||

module: ietf-crypto-types

module: ietf-crypto-types | module: ietf-crypto-types | |||

grouping asymmetric-key-pair-grouping | grouping public-key-grouping: | |||

+-- algorithm? asymmetric-key-encryption-algorithm-r\ | +---- algorithm? asymmetric-key-algorithm-ref | |||

ef | +---- public-key? binary | |||

+-- public-key? binary | grouping asymmetric-key-pair-grouping: | |||

+-- private-key? union | +---- algorithm? asymmetric-key-algorithm-ref | |||

+---- public-key? binary | ||||

+---- private-key? union | ||||

+---x generate-hidden-key | +---x generate-hidden-key | |||

| +---w input | | +---- input | |||

| +---w algorithm asymmetric-key-encryption-algorithm-ref | | +---w algorithm asymmetric-key-algorithm-ref | |||

+---x install-hidden-key | +---x install-hidden-key | |||

+---w input | +---- input | |||

+---w algorithm asymmetric-key-encryption-algorithm-r\ | +---w algorithm asymmetric-key-algorithm-ref | |||

ef | ||||

+---w public-key? binary | +---w public-key? binary | |||

+---w private-key? binary | +---w private-key? binary | |||

grouping public-key-grouping | grouping trust-anchor-cert-grouping: | |||

+-- algorithm? asymmetric-key-encryption-algorithm-ref | +---- cert? trust-anchor-cert-cms | |||

+-- public-key? binary | +---n certificate-expiration | |||

grouping asymmetric-key-pair-with-certs-grouping | +--ro expiration-date ietf-yang-types:date-and-time | |||

+-- algorithm? | grouping end-entity-cert-grouping: | |||

| asymmetric-key-encryption-algorithm-ref | +---- cert? end-entity-cert-cms | |||

+-- public-key? binary | +---n certificate-expiration | |||

+-- private-key? union | +--ro expiration-date ietf-yang-types:date-and-time | |||

grouping asymmetric-key-pair-with-certs-grouping: | ||||

+---- algorithm? | ||||

| asymmetric-key-algorithm-ref | ||||

+---- public-key? binary | ||||

+---- private-key? union | ||||

+---x generate-hidden-key | +---x generate-hidden-key | |||

| +---w input | | +---- input | |||

| +---w algorithm asymmetric-key-encryption-algorithm-ref | | +---w algorithm asymmetric-key-algorithm-ref | |||

+---x install-hidden-key | +---x install-hidden-key | |||

| +---w input | | +---- input | |||

| +---w algorithm asymmetric-key-encryption-algorithm-r\ | | +---w algorithm asymmetric-key-algorithm-ref | |||

ef | ||||

| +---w public-key? binary | | +---w public-key? binary | |||

| +---w private-key? binary | | +---w private-key? binary | |||

+-- certificates | +---- certificates | |||

| +-- certificate* [name] | | +---- certificate* [name] | |||

| +-- name? string | | +---- name string | |||

| +-- cert? end-entity-cert-cms | | +---- cert? end-entity-cert-cms | |||

| +---n certificate-expiration | | +---n certificate-expiration | |||

| +-- expiration-date yang:date-and-time | | +--ro expiration-date ietf-yang-types:date-and-time | |||

+---x generate-certificate-signing-request | +---x generate-certificate-signing-request | |||

+---w input | +---- input | |||

| +---w subject binary | | +---w subject binary | |||

| +---w attributes? binary | | +---w attributes? binary | |||

+--ro output | +---- output | |||

+--ro certificate-signing-request binary | +--ro certificate-signing-request binary | |||

grouping end-entity-cert-grouping | ||||

+-- cert? end-entity-cert-cms | ||||

+---n certificate-expiration | ||||

+-- expiration-date yang:date-and-time | ||||

grouping trust-anchor-cert-grouping | ||||

+-- cert? trust-anchor-cert-cms | ||||

+---n certificate-expiration | ||||

+-- expiration-date yang:date-and-time | ||||
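Review bot: In the new tree the "input" and "output" nodes under generate-hidden-key, install-hidden-key and generate-certificate-signing-request are printed with empty flags ("+---- input", "+---- output"), while their children still carry "-w" and "ro" and the previous revision printed "+---w input" and "+--ro output". Restore the flags so the direction reads the same at both levels. The expiration-date type is also now shown as "ietf-yang-types:date-and-time", whereas the module imports ietf-yang-types with prefix "yang"; "yang:date-and-time" would match the module text.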

2.2. YANG Module | 2.2. YANG Module | |||

This module has normative references to [RFC2404], [RFC2986], | This module has normative references to [RFC2404], [RFC3565], | |||

[RFC3174], [RFC3565], [RFC3686], [RFC4106], [RFC4253], [RFC4279], | [RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494], | |||

[RFC4309], [RFC4493], [RFC4494], [RFC4543], [RFC4868], [RFC5280], | [RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187], | |||

[RFC5652], [RFC5656], [RFC5915], [RFC6187], [RFC6234], [RFC6239], | [RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422], | |||

[RFC6507], [RFC6991], [RFC7539], [RFC7919], [RFC8017], [RFC8032], | [RFC8446], and [ITU.X690.2015]. | |||

[RFC8268], [RFC8332], [RFC8341], [RFC8422], [RFC8446], and | ||||

[ITU.X690.2015]. | ||||

This module has an informational reference to [RFC6125]. | This module has an informational reference to [RFC2986], [RFC3174], | |||

[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], | ||||

[RFC8017], [RFC8032], [RFC8439]. | ||||
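Review bot: RFC 6090 is cited in the reference statements of the new secp192r1 through secp521r1 identities but appears in neither the normative nor the informational list in this paragraph; add it to one of them. The informational sentence also still reads "an informational reference to" although it now introduces a list, so it should read "informational references to", with "and" before [RFC8439]. RFC 3174 and RFC 6234 have moved to the informational list even though the hash and HMAC identities still give them in their reference statements, which is worth confirming as intended.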

<CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang"

module ietf-crypto-types { | ||||

yang-version 1.1; | ||||

namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; | module ietf-crypto-types { | |||

prefix "ct"; | yang-version 1.1; | |||

namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; | ||||

prefix "ct"; | ||||

import ietf-yang-types { | import ietf-yang-types { | |||

prefix yang; | prefix yang; | |||

reference | reference | |||

"RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||

} | } | |||

import ietf-netconf-acm { | import ietf-netconf-acm { | |||

prefix nacm; | prefix nacm; | |||

reference | reference | |||

"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||

} | } | |||

organization | organization | |||

"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||

contact | contact | |||

"WG Web: <http://datatracker.ietf.org/wg/netconf/> | "WG Web: <http://datatracker.ietf.org/wg/netconf/> | |||

WG List: <mailto:netconf@ietf.org> | WG List: <mailto:netconf@ietf.org> | |||

Author: Kent Watsen <mailto:kent+ietf@watsen.net> | ||||

Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>"; | ||||

Author: Kent Watsen | description | |||

<mailto:kwatsen@juniper.net> | "This module defines common YANG types for cryptographic | |||

applications. | ||||

Author: Wang Haiguang | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||

<wang.haiguang.shieldlab@huawei.com>"; | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||

'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||

are to be interpreted as described in BCP 14 [RFC2119] | ||||

[RFC8174] when, and only when, they appear in all | ||||

capitals, as shown here. | ||||

description | Copyright (c) 2019 IETF Trust and the persons identified | |||

"This module defines common YANG types for cryptographic | as authors of the code. All rights reserved. | |||

applications. | ||||

Copyright (c) 2018 IETF Trust and the persons identified | Redistribution and use in source and binary forms, with | |||

as authors of the code. All rights reserved. | or without modification, is permitted pursuant to, and | |||

subject to the license terms contained in, the Simplified | ||||

BSD License set forth in Section 4.c of the IETF Trust's | ||||

Legal Provisions Relating to IETF Documents | ||||

(http://trustee.ietf.org/license-info). | ||||

Redistribution and use in source and binary forms, with | This version of this YANG module is part of RFC XXXX; see | |||

or without modification, is permitted pursuant to, and | the RFC itself for full legal notices."; | |||

subject to the license terms contained in, the Simplified | ||||

BSD License set forth in Section 4.c of the IETF Trust's | ||||

Legal Provisions Relating to IETF Documents | ||||

(http://trustee.ietf.org/license-info). | ||||

This version of this YANG module is part of RFC XXXX; see | revision "2019-03-09" { | |||

the RFC itself for full legal notices."; | description | |||

"Initial version"; | ||||

reference | ||||

"RFC XXXX: Common YANG Data Types for Cryptography"; | ||||

} | ||||
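Review bot: The BCP 14 paragraph added to the module description uses the bracketed citation tags "[RFC2119] [RFC8174]", which resolve only inside the draft text; the module is extracted and used on its own, so the plain form "(RFC 2119) (RFC 8174)" is safer inside the description string. In the contact statement the first author address is now written as "<mailto:kent+ietf@watsen.net>" while the second still lacks the "mailto:" scheme; make the two consistent.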

revision "2018-10-22" { | /**************************************/ | |||

description | /* Identities for Hash Algorithms */ | |||

"Initial version"; | /**************************************/ | |||

reference | identity hash-algorithm { | |||

"RFC XXXX: Common YANG Data Types for Cryptography"; | description | |||

} | "A base identity for hash algorithm verification."; | |||

/**************************************/ | } | |||

/* Identities for Hash Algorithms */ | ||||

/**************************************/ | ||||

identity hash-algorithm { | identity sha-224 { | |||

description | base "hash-algorithm"; | |||

"A base identity for hash algorithm verification."; | description "The SHA-224 algorithm."; | |||

} | reference "RFC 6234: US Secure Hash Algorithms."; | |||

} | ||||

identity sha-224 { | identity sha-256 { | |||

base "hash-algorithm"; | base "hash-algorithm"; | |||

description "The SHA-224 algorithm."; | description "The SHA-256 algorithm."; | |||

reference "RFC 6234: US Secure Hash Algorithms."; | reference "RFC 6234: US Secure Hash Algorithms."; | |||

} | } | |||

identity sha-256 { | identity sha-384 { | |||

base "hash-algorithm"; | base "hash-algorithm"; | |||

description "The SHA-256 algorithm."; | description "The SHA-384 algorithm."; | |||

reference "RFC 6234: US Secure Hash Algorithms."; | reference "RFC 6234: US Secure Hash Algorithms."; | |||

} | } | |||

identity sha-384 { | identity sha-512 { | |||

base "hash-algorithm"; | base "hash-algorithm"; | |||

description "The SHA-384 algorithm."; | description "The SHA-512 algorithm."; | |||

reference "RFC 6234: US Secure Hash Algorithms."; | reference "RFC 6234: US Secure Hash Algorithms."; | |||

} | } | |||

identity sha-512 { | /***********************************************/ | |||

base "hash-algorithm"; | /* Identities for Asymmetric Key Algorithms */ | |||

description "The SHA-512 algorithm."; | /***********************************************/ | |||

reference "RFC 6234: US Secure Hash Algorithms."; | ||||

} | ||||

/********************************************************/ | identity asymmetric-key-algorithm { | |||

/* Identities for Asymmetric Key Encyption Algorithms */ | description | |||

/********************************************************/ | "Base identity from which all asymmetric key | |||

encryption Algorithm."; | ||||

} | ||||
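Review bot: The description of the renamed base identity asymmetric-key-algorithm is carried over unchanged as "Base identity from which all asymmetric key encryption Algorithm.", which is not a complete sentence and still says "encryption" although the rename dropped that word from the identity name. Suggest "Base identity from which all asymmetric key algorithms are derived."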

identity asymmetric-key-encryption-algorithm { | identity rsa1024 { | |||

description | base asymmetric-key-algorithm; | |||

"Base identity from which all asymmetric key | description | |||

encryption Algorithm."; | "The RSA algorithm using a 1024-bit key."; | |||

} | reference | |||

"RFC 8017: | ||||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | ||||

} | ||||

identity rsa2048 { | ||||

base asymmetric-key-algorithm; | ||||

description | ||||

"The RSA algorithm using a 2048-bit key."; | ||||

reference | ||||

"RFC 8017: | ||||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | ||||

} | ||||

identity rsa1024 { | identity rsa3072 { | |||

base asymmetric-key-encryption-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 1024-bit key."; | "The RSA algorithm using a 3072-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsa2048 { | identity rsa4096 { | |||

base asymmetric-key-encryption-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 2048-bit key."; | "The RSA algorithm using a 4096-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsa3072 { | identity rsa7680 { | |||

base asymmetric-key-encryption-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 3072-bit key."; | "The RSA algorithm using a 7680-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsa4096 { | identity rsa15360 { | |||

base asymmetric-key-encryption-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 4096-bit key."; | "The RSA algorithm using a 15360-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsa7680 { | identity secp192r1 { | |||

base asymmetric-key-encryption-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 7680-bit key."; | ||||

reference | ||||

"RFC 8017: | ||||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | ||||

} | ||||

identity rsa15360 { | "The ECDSA algorithm using a NIST P256 Curve."; | |||

base asymmetric-key-encryption-algorithm; | reference | |||

description | "RFC 6090: | |||

"The RSA algorithm using a 15360-bit key."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

reference | } | |||

"RFC 8017: | ||||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | ||||

} | ||||

/*************************************/ | ||||

/* Identities for MAC Algorithms */ | ||||

/*************************************/ | ||||

identity mac-algorithm { | identity secp224r1 { | |||

description | base asymmetric-key-algorithm; | |||

"A base identity for mac generation."; | description | |||

} | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | ||||

"RFC 6090: | ||||

Fundamental Elliptic Curve Cryptography Algorithms."; | ||||

} | ||||

identity hmac-sha1 { | identity secp256r1 { | |||

base "mac-algorithm"; | base asymmetric-key-algorithm; | |||

description "Generating MAC using SHA1 hash function"; | description | |||

reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

} | reference | |||

"RFC 6090: | ||||

Fundamental Elliptic Curve Cryptography Algorithms."; | ||||

} | ||||

identity hmac-sha1-96 { | identity secp384r1 { | |||

base "mac-algorithm"; | base asymmetric-key-algorithm; | |||

description "Generating MAC using SHA1 hash function"; | description | |||

reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

} | reference | |||

"RFC 6090: | ||||

Fundamental Elliptic Curve Cryptography Algorithms."; | ||||

} | ||||

identity hmac-sha2-224 { | identity secp521r1 { | |||

base "mac-algorithm"; | base asymmetric-key-algorithm; | |||

description | description | |||

"Generating MAC using SHA2 hash function"; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6234: | "RFC 6090: | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||
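Review bot: All five new curve identities carry the same description, "The ECDSA algorithm using a NIST P256 Curve.", so secp192r1, secp224r1, secp384r1 and secp521r1 are documented as P-256; each description should name its own curve (P-192, P-224, P-384, P-521). The identities derive from asymmetric-key-algorithm yet are described as "the ECDSA algorithm"; if an identity is meant to name a key type rather than a signature scheme, the description should say so. secp192r1 (new here) and the retained rsa1024 are below the strength generally accepted for new keys, so consider a status statement on them or a sentence explaining why they are included.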

identity hmac-sha2-256 { | /*************************************/ | |||

base "mac-algorithm"; | /* Identities for MAC Algorithms */ | |||

description | /*************************************/ | |||

"Generating MAC using SHA2 hash function"; | ||||

reference | ||||

"RFC 6234: | ||||

US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; | ||||

} | ||||

identity hmac-sha2-256-128 { | identity mac-algorithm { | |||

base "mac-algorithm"; | description | |||

description | "A base identity for mac generation."; | |||

"Generating a 256 bits MAC using SHA2 hash function and truncate | } | |||

it to 128 bits"; | ||||

reference | ||||

"RFC 4868: | ||||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | ||||

IPsec"; | ||||

} | identity hmac-sha1 { | |||

base "mac-algorithm"; | ||||

description "Generating MAC using SHA1 hash function"; | ||||

reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; | ||||

} | ||||

identity hmac-sha2-384 { | identity hmac-sha1-96 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description "Generating MAC using SHA1 hash function"; | |||

"Generating MAC using SHA2 hash function"; | reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; | |||

reference | } | |||

"RFC 6234: | ||||

US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; | ||||

} | ||||

identity hmac-sha2-384-192 { | identity hmac-sha2-224 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating a 384 bits MAC using SHA2 hash function and truncate | "Generating MAC using SHA2 hash function"; | |||

it to 192 bits"; | reference | |||

reference | "RFC 6234: | |||

"RFC 4868: | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | HKDF)"; | |||

IPsec"; | } | |||

} | ||||

identity hmac-sha2-512 { | identity hmac-sha2-256 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description "Generating MAC using SHA2 hash function"; | description | |||

reference | "Generating MAC using SHA2 hash function"; | |||

"RFC 6234: | reference | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; | "RFC 6234: | |||

} | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

HKDF)"; | ||||

} | ||||

identity hmac-sha2-512-256 { | identity hmac-sha2-256-128 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating a 512 bits MAC using SHA2 hash function and | "Generating a 256 bits MAC using SHA2 hash function and | |||

truncating it to 256 bits"; | truncate it to 128 bits"; | |||

reference | reference | |||

"RFC 4868: | "RFC 4868: | |||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 | |||

IPsec"; | with IPsec"; | |||

} | } | |||

identity aes-128-gmac { | identity hmac-sha2-384 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating MAC using SHA2 hash function"; | |||

Galois Message Authentication Code (GMAC) as a mechanism to | reference | |||

provide data origin authentication"; | "RFC 6234: | |||

reference | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

"RFC 4543: | HKDF)"; | |||

The Use of Galois Message Authentication Code (GMAC) in | } | |||

IPsec ESP and AH"; | ||||

} | ||||

identity aes-192-gmac { | identity hmac-sha2-384-192 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating a 384 bits MAC using SHA2 hash function and | |||

Galois Message Authentication Code (GMAC) as a mechanism to | truncate it to 192 bits"; | |||

provide data origin authentication"; | reference | |||

reference | "RFC 4868: | |||

"RFC 4543: | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | |||

The Use of Galois Message Authentication Code (GMAC) in | IPsec"; | |||

IPsec ESP and AH"; | } | |||

} | identity hmac-sha2-512 { | |||

base "mac-algorithm"; | ||||

description "Generating MAC using SHA2 hash function"; | ||||

reference | ||||

"RFC 6234: | ||||

US Secure Hash Algorithms (SHA and SHA-based HMAC and | ||||

HKDF)"; | ||||

} | ||||

identity aes-256-gmac { | identity hmac-sha2-512-256 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating a 512 bits MAC using SHA2 hash function and | |||

Galois Message Authentication Code (GMAC) as a mechanism to | truncating it to 256 bits"; | |||

provide data origin authentication"; | reference | |||

reference | "RFC 4868: | |||

"RFC 4543: | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | |||

The Use of Galois Message Authentication Code (GMAC) in | IPsec"; | |||

IPsec ESP and AH"; | } | |||

} | ||||

identity aes-cmac-96 { | identity aes-128-gmac { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using Advanced Encryption Standard (AES) | "Generating MAC using the Advanced Encryption Standard (AES) | |||

Cipher-based Message Authentication Code (CMAC)"; | Galois Message Authentication Code (GMAC) as a mechanism to | |||

reference | provide data origin authentication"; | |||

"RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; | reference | |||

} | "RFC 4543: | |||

The Use of Galois Message Authentication Code (GMAC) in | ||||

IPsec ESP and AH"; | ||||

} | ||||

identity aes-cmac-128 { | identity aes-192-gmac { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using Advanced Encryption Standard (AES) | "Generating MAC using the Advanced Encryption Standard (AES) | |||

Cipher-based Message Authentication Code (CMAC)"; | Galois Message Authentication Code (GMAC) as a mechanism to | |||

reference | provide data origin authentication"; | |||

"RFC 4493: The AES-CMAC Algorithm"; | reference | |||

} | "RFC 4543: | |||

identity mac-aes-128-ccm { | The Use of Galois Message Authentication Code (GMAC) in | |||

base "mac-algorithm"; | IPsec ESP and AH"; | |||

description | ||||

"Generating MAC using Advanced Encryption Standard (AES) in | ||||

CCM (Counter with CBC-MAC) mode (AES CCM)"; | ||||

reference | ||||

"RFC 4309: | ||||

Using Advanced Encryption Standard (AES) CCM Mode with | ||||

IPsec Encapsulating Security Payload (ESP)"; | ||||

} | ||||

identity mac-aes-192-ccm { | } | |||

base "mac-algorithm"; | ||||

description | ||||

"Generating MAC using Advanced Encryption Standard (AES) in | ||||

CCM (Counter with CBC-MAC) mode (AES CCM)"; | ||||

reference | ||||

"RFC 4309: | ||||

Using Advanced Encryption Standard (AES) CCM Mode with | ||||

IPsec Encapsulating Security Payload (ESP)"; | ||||

} | ||||

identity mac-aes-256-ccm { | identity aes-256-gmac { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC using Advanced Encryption Standard (AES) in | "Generating MAC using the Advanced Encryption Standard (AES) | |||

CCM (Counter with CBC-MAC) mode (AES CCM)"; | Galois Message Authentication Code (GMAC) as a mechanism to | |||

reference | provide data origin authentication"; | |||

"RFC 4309: | reference | |||

Using Advanced Encryption Standard (AES) CCM Mode with | "RFC 4543: | |||

IPsec Encapsulating Security Payload (ESP)"; | The Use of Galois Message Authentication Code (GMAC) in | |||

} | IPsec ESP and AH"; | |||

} | ||||

identity mac-aes-128-gcm { | identity aes-cmac-96 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC when using Advanced Encryption Standard (AES) | "Generating MAC using Advanced Encryption Standard (AES) | |||

GCM mode for encryption"; | Cipher-based Message Authentication Code (CMAC)"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | } | |||

Security Payload (ESP)"; | ||||

} | ||||

identity mac-aes-192-gcm { | identity aes-cmac-128 { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

description | description | |||

"Generating MAC when using Advanced Encryption Standard (AES) | "Generating MAC using Advanced Encryption Standard (AES) | |||

GCM mode for encryption"; | Cipher-based Message Authentication Code (CMAC)"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4493: The AES-CMAC Algorithm"; | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | } | |||

Security Payload (ESP)"; | ||||

} | ||||
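Review bot: hmac-sha1-96 has the same description as hmac-sha1 ("Generating MAC using SHA1 hash function"), so the truncation to 96 bits is visible only in the identity name, whereas hmac-sha2-256-128 and its siblings spell the truncation out. Since the MAC descriptions are being re-flowed in this revision anyway, state the 96-bit truncation for hmac-sha1-96, and distinguish aes-cmac-96 from aes-cmac-128 by output length, as their descriptions currently read identically.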

identity mac-aes-256-gcm { | /********************************************/ | |||

base "mac-algorithm"; | /* Identities for Encryption Algorithms */ | |||

description | /********************************************/ | |||

"Generating MAC when using Advanced Encryption Standard (AES) | ||||

GCM mode for encryption"; | ||||

reference | ||||

"RFC 4106: | ||||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | ||||

Security Payload (ESP)"; | ||||

} | ||||

identity mac-chacha20-poly1305 { | identity encryption-algorithm { | |||

base "mac-algorithm"; | description | |||

description | "A base identity for encryption algorithm."; | |||

"Generating MAC using poly1305 algorithm"; | } | |||

reference | ||||

"RFC 7539: ChaCha20 and Poly1305 for IETF Protocols"; | ||||

} | ||||

/*******************************************************/ | identity aes-128-cbc { | |||

/* Identities for Symmetric Key Encryption Algorithms*/ | base "encryption-algorithm"; | |||

/*******************************************************/ | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | ||||

length of 128 bits"; | ||||

reference | ||||

"RFC 3565: | ||||

Use of the Advanced Encryption Standard (AES) Encryption | ||||

Algorithm in Cryptographic Message Syntax (CMS)"; | ||||

} | ||||

identity symmetric-key-encryption-algorithm { | identity aes-192-cbc { | |||

description | base "encryption-algorithm"; | |||

"A base identity for encryption algorithm."; | description | |||

} | "Encrypt message with AES algorithm in CBC mode with a key | |||

length of 192 bits"; | ||||

reference | ||||

"RFC 3565: | ||||

Use of the Advanced Encryption Standard (AES) Encryption | ||||

Algorithm in Cryptographic Message Syntax (CMS)"; | ||||

} | ||||

identity aes-128-cbc { | identity aes-256-cbc { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CBC mode with a key | |||

length of 128 bits"; | length of 256 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3565: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Use of the Advanced Encryption Standard (AES) Encryption | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | Algorithm in Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

identity aes-192-cbc { | identity aes-128-ctr { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 192 bits"; | length of 128 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3686: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Using Advanced Encryption Standard (AES) Counter Mode with | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-256-cbc { | identity aes-192-ctr { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 256 bits"; | length of 192 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3686: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Using Advanced Encryption Standard (AES) Counter Mode with | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-128-ctr { | identity aes-256-ctr { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CTR mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 128 bits"; | length of 256 bits"; | |||

reference | reference | |||

"RFC 3686: | "RFC 3686: | |||

Using Advanced Encryption Standard (AES) Counter Mode with | Using Advanced Encryption Standard (AES) Counter Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-192-ctr { | /****************************************************/ | |||

base "symmetric-key-encryption-algorithm"; | /* Identities for Encryption and MAC Algorithms */ | |||

description | /****************************************************/ | |||

"Encrypt message with AES algorithm in CTR mode with a key | ||||

length of 192 bits"; | ||||

reference | ||||

"RFC 3686: | ||||

Using Advanced Encryption Standard (AES) Counter Mode with | ||||

IPsec Encapsulating Security Payload (ESP)"; | ||||

} | ||||

identity aes-256-ctr { | identity encryption-and-mac-algorithm { | |||

base "symmetric-key-encryption-algorithm"; | description | |||

description | "A base identity for encryption and MAC algorithm."; | |||

"Encrypt message with AES algorithm in CTR mode with a key | } | |||

length of 256 bits"; | ||||

reference | identity aes-128-ccm { | |||

"RFC 3686: | base "encryption-and-mac-algorithm"; | |||

Using Advanced Encryption Standard (AES) Counter Mode with | description | |||

IPsec Encapsulating Security Payload (ESP)"; | "Encrypt message with AES algorithm in CCM mode with a key | |||

} | length of 128 bits; it can also be used for generating MAC"; | |||

reference | ||||

"RFC 4309: | ||||

Using Advanced Encryption Standard (AES) CCM Mode with | ||||

IPsec Encapsulating Security Payload (ESP)"; | ||||

} | ||||

identity enc-aes-128-ccm { | identity aes-192-ccm { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in CCM mode with a key | |||

length of 128 bits"; | length of 192 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4309: | |||

Using Advanced Encryption Standard (AES) CCM Mode with IPsec | Using Advanced Encryption Standard (AES) CCM Mode with | |||

Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity enc-aes-192-ccm { | identity aes-256-ccm { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in CCM mode with a key | |||

length of 192 bits"; | length of 256 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4309: | |||

Using Advanced Encryption Standard (AES) CCM Mode with IPsec | Using Advanced Encryption Standard (AES) CCM Mode with | |||

Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity enc-aes-256-ccm { | identity aes-128-gcm { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in GCM mode with a key | |||

length of 256 bits"; | length of 128 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4106: | |||

Using Advanced Encryption Standard (AES) CCM Mode with IPsec | The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | |||

Encapsulating Security Payload (ESP)"; | Security Payload (ESP)"; | |||

} | } | |||

identity enc-aes-128-gcm { | identity aes-192-gcm { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in GCM mode with a key | "Encrypt message with AES algorithm in GCM mode with a key | |||

length of 128 bits"; | length of 192 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4106: | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | |||

Security Payload (ESP)"; | Security Payload (ESP)"; | |||

} | ||||

} | identity mac-aes-256-gcm { | |||

base "encryption-and-mac-algorithm"; | ||||

description | ||||

"Encrypt message with AES algorithm in GCM mode with a key | ||||

length of 128 bits; it can also be used for generating MAC"; | ||||

reference | ||||

"RFC 4106: | ||||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | ||||

Security Payload (ESP)"; | ||||

} | ||||
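Review bot: the new identity "mac-aes-256-gcm" in the right-hand column breaks the naming of its siblings "aes-128-gcm" and "aes-192-gcm", and its description says "a key length of 128 bits" where the name implies 256. Rename it to "aes-256-gcm" and correct the description to 256 bits. As written, anyone selecting by the "aes-*-gcm" pattern misses the 256-bit variant, and anyone reading the description configures a key of the wrong size.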

identity enc-aes-192-gcm { | identity chacha20-poly1305 { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

description | description | |||

"Encrypt message with AES algorithm in GCM mode with a key | "Encrypt message with chacha20 algorithm and generate MAC with | |||

length of 192 bits"; | POLY1305; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4106: | "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | } | |||

Security Payload (ESP)"; | ||||

} | ||||

identity enc-aes-256-gcm { | /******************************************/ | |||

base "symmetric-key-encryption-algorithm"; | /* Identities for signature algorithm */ | |||

description | /******************************************/ | |||

"Encrypt message with AES algorithm in GCM mode with a key | ||||

length of 256 bits"; | ||||

reference | ||||

"RFC 4106: | ||||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | ||||

Security Payload (ESP)"; | ||||

} | ||||

identity enc-chacha20-poly1305 { | identity signature-algorithm { | |||

base "symmetric-key-encryption-algorithm"; | description | |||

description | "A base identity for asymmetric key encryption algorithm."; | |||

"Encrypt message with chacha20 algorithm and generate MAC with | } | |||

POLY1305"; | ||||

reference | ||||

"RFC 7539: ChaCha20 and Poly1305 for IETF Protocols"; | ||||

} | ||||
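Review bot: the description of "signature-algorithm" in the new column still reads "A base identity for asymmetric key encryption algorithm.", carried over unchanged from the old text. Signing and encryption are distinct uses of an asymmetric key. Suggest "A base identity for signature algorithms." so the base is not read as covering encryption or key transport.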

/******************************************/ | identity dsa-sha1 { | |||

/* Identities for signature algorithm */ | base "signature-algorithm"; | |||

/******************************************/ | description | |||

"The signature algorithm using DSA algorithm with SHA1 hash | ||||

algorithm"; | ||||

reference | ||||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | ||||

} | ||||

identity signature-algorithm { | identity rsassa-pkcs1-sha1 { | |||

description | base "signature-algorithm"; | |||

"A base identity for asymmetric key encryption algorithm."; | description | |||

} | "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 | |||

hash algorithm."; | ||||

reference | ||||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | ||||

} | ||||
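Review bot: "dsa-sha1" and the renamed "rsassa-pkcs1-sha1" are defined with nothing to set them apart from the SHA-2 identities that follow. Consider adding a sentence to each description saying they exist for interoperability with RFC 4253 peers, or a "status deprecated;" statement, so that an operator browsing the identity list does not pick a SHA-1 signature by default. The same question applies to "diffie-hellman-group14-sha1" in the key exchange section.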

identity dsa-sha1 { | identity rsassa-pkcs1-sha256 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using DSA algorithm with SHA1 hash | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

algorithm"; | SHA256 hash algorithm."; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 8332: | |||

} | Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | |||

(SSH) Protocol | ||||

RFC 8446: | ||||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity rsa-pkcs1-sha1 { | identity rsassa-pkcs1-sha384 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

hash algorithm."; | SHA384 hash algorithm."; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 8446: | |||

} | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | ||||

identity rsa-pkcs1-sha256 { | identity rsassa-pkcs1-sha512 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

SHA256 hash algorithm."; | SHA512 hash algorithm."; | |||

reference | reference | |||

"RFC 8332: | "RFC 8332: | |||

Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | |||

(SSH) Protocol | (SSH) Protocol | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsa-pkcs1-sha384 { | identity rsassa-pss-rsae-sha256 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PSS with mask generation | |||

SHA384 hash algorithm."; | function 1 and SHA256 hash algorithm. If the public key is | |||

reference | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

"RFC 8446: | OID"; | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | reference | |||

} | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity rsa-pkcs1-sha512 { | identity rsassa-pss-rsae-sha384 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PSS with mask generation | |||

SHA512 hash algorithm."; | function 1 and SHA384 hash algorithm. If the public key is | |||

reference | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

"RFC 8332: | OID"; | |||

Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | reference | |||

(SSH) Protocol | "RFC 8446: | |||

RFC 8446: | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | } | |||

} | ||||

identity rsa-pss-rsae-sha256 { | ||||

base "signature-algorithm"; | ||||

description | ||||

"The signature algorithm using RSASSA-PSS with mask generation | ||||

function 1 and SHA256 hash algorithm. If the public key is | ||||

carried in an X.509 certificate, it MUST use the rsaEncryption | ||||

OID"; | ||||

reference | ||||

"RFC 8446: | ||||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity rsa-pss-rsae-sha384 { | identity rsassa-pss-rsae-sha512 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA384 hash algorithm. If the public key is | function 1 and SHA512 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the rsaEncryption | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsa-pss-rsae-sha512 { | identity rsassa-pss-pss-sha256 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA512 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the rsaEncryption | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsa-pss-pss-sha256 { | identity rsassa-pss-pss-sha384 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsa-pss-pss-sha384 { | ||||

base "signature-algorithm"; | ||||

description | ||||

"The signature algorithm using RSASSA-PSS with mask generation | ||||

function 1 and SHA256 hash algorithm. If the public key is | ||||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | ||||

OID"; | ||||

reference | ||||

"RFC 8446: | ||||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity rsa-pss-pss-sha512 { | identity rsassa-pss-pss-sha512 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||
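Review bot: the descriptions of "rsassa-pss-pss-sha384" and "rsassa-pss-pss-sha512" both say "SHA256 hash algorithm", identical to "rsassa-pss-pss-sha256". The rename from "rsa-pss-pss-*" kept the copy-paste error from the old column. They should read SHA384 and SHA512 respectively, matching the "rsassa-pss-rsae-*" descriptions above.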

identity ecdsa-secp256r1-sha256 { | identity ecdsa-secp256r1-sha256 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using ECDSA wtih curve name secp256r1 | "The signature algorithm using ECDSA with curve name secp256r1 | |||

and SHA256 hash algorithm."; | and SHA256 hash algorithm."; | |||

reference | reference | |||

"RFC 5656: Elliptic Curve Algorithm Integration in the | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

Secure Shell Transport Layer | Secure Shell Transport Layer | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdsa-secp384r1-sha384 { | identity ecdsa-secp384r1-sha384 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using ECDSA wtih curve name secp384r1 | "The signature algorithm using ECDSA with curve name secp384r1 | |||

and SHA384 hash algorithm."; | and SHA384 hash algorithm."; | |||

reference | reference | |||

"RFC 5656: Elliptic Curve Algorithm Integration in the | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

Secure Shell Transport Layer | Secure Shell Transport Layer | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdsa-secp521r1-sha512 { | ||||

base "signature-algorithm"; | ||||

description | ||||

"The signature algorithm using ECDSA wtih curve name secp521r1 | ||||

and SHA512 hash algorithm."; | ||||

reference | ||||

"RFC 5656: Elliptic Curve Algorithm Integration in the | ||||

Secure Shell Transport Layer | ||||

RFC 8446: | ||||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity x509v3-rsa-pkcs1-sha1 { | identity ecdsa-secp521r1-sha512 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using x509v3-ssh-rsa key format and | "The signature algorithm using ECDSA with curve name secp521r1 | |||

RSASSA-PKCS1-v1_5 with the SHA1 hash algorithm."; | and SHA512 hash algorithm."; | |||

reference | reference | |||

"RFC 6187: | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

X.509v3 Certificates for Secure Shell Authentication"; | Secure Shell Transport Layer | |||

} | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity x509v3-rsa2048-pkcs1-sha256 { | identity ed25519 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using x509v3-rsa2048-sha256 | "The signature algorithm using EdDSA as defined in RFC 8032 or | |||

key format and RSASSA-PKCS1-v1_5 with the SHA-256 | its successors."; | |||

hash algorithm."; | reference | |||

reference | "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | |||

"RFC 6187: | } | |||

X.509v3 Certificates for Secure Shell Authentication"; | ||||

} | ||||

identity x509v3-ecdsa-secp256r1-sha256 { | identity ed448 { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using x509v3-ecdsa-sha2-secp256r1 key | "The signature algorithm using EdDSA as defined in RFC 8032 or | |||

format and ECDSA algorithm with the SHA-256 hash algorithm."; | its successors."; | |||

reference | reference | |||

"RFC 6187: | "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | |||

X.509v3 Certificates for Secure Shell Authentication"; | } | |||

} | ||||

identity x509v3-ecdsa-secp384r1-sha384 { | identity eccsi { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

description | description | |||

"The signature algorithm using x509v3-ecdsa-sha2-secp384r1 key | "The signature algorithm using ECCSI signature as defined in | |||

format and ECDSA algorithm with the SHA-384 hash algorithm."; | RFC 6507."; | |||

reference | ||||

"RFC 6507: | ||||

Elliptic Curve-Based Certificateless Signatures for | ||||

Identity-based Encryption (ECCSI)"; | ||||

} | ||||

reference | /**********************************************/ | |||

"RFC 6187: | /* Identities for key exchange algorithms */ | |||

X.509v3 Certificates for Secure Shell Authentication"; | /**********************************************/ | |||

} | ||||

identity x509v3-ecdsa-secp521r1-sha512 { | identity key-exchange-algorithm { | |||

base "signature-algorithm"; | description | |||

description | "A base identity for Diffie-Hellman based key exchange | |||

"The signature algorithm using x509v3-ecdsa-sha2-secp521r1 key | algorithm."; | |||

format and ECDSA algorithm with the SHA-512 hash algorithm."; | } | |||

reference | ||||

"RFC 6187: | ||||

X.509v3 Certificates for Secure Shell Authentication"; | ||||

} | ||||

identity ed25519 { | identity psk-only { | |||

base "signature-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"The signature algorithm using EdDSA as defined in RFC 8032 or | "Using Pre-shared key for authentication and key exchange"; | |||

its successors."; | reference | |||

reference | "RFC 4279: | |||

"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | Pre-Shared Key cipher suites for Transport Layer Security | |||

} | (TLS)"; | |||

} | ||||
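Review bot: "key-exchange-algorithm" is described as a base identity for "Diffie-Hellman based key exchange algorithm", yet "psk-only" derives from it and involves no Diffie-Hellman exchange. Either widen the base description (for example "A base identity for key exchange algorithms.") or state in "psk-only" that it provides no forward secrecy, which is what a reader choosing between it and the "psk-dhe-*" identities needs to know.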

identity ed448 { | identity dhe-ffdhe2048 { | |||

base "signature-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"The signature algorithm using EdDSA as defined in RFC 8032 or | "Ephemeral Diffie Hellman key exchange with 2048 bit | |||

its successors."; | finite field"; | |||

reference | ||||

"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | ||||

} | ||||

identity eccsi { | reference | |||

base "signature-algorithm"; | "RFC 7919: | |||

description | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

"The signature algorithm using ECCSI signature as defined in | for Transport Layer Security (TLS)"; | |||

RFC 6507."; | } | |||

reference | ||||

"RFC 6507: | ||||

Elliptic Curve-Based Certificateless Signatures for | ||||

Identity-based Encryption (ECCSI)"; | ||||

} | ||||

/**********************************************/ | identity dhe-ffdhe3072 { | |||

/* Identities for key exchange algorithms */ | base "key-exchange-algorithm"; | |||

/**********************************************/ | description | |||

identity key-exchange-algorithm { | "Ephemeral Diffie Hellman key exchange with 3072 bit finite | |||

description | field"; | |||

"A base identity for Diffe-Hellman based key exchange | reference | |||

algorithm."; | "RFC 7919: | |||

} | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | ||||

} | ||||

identity psk-only { | identity dhe-ffdhe4096 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using Pre-shared key for authentication and key exhange"; | "Ephemeral Diffie Hellman key exchange with 4096 bit | |||

reference | finite field"; | |||

"RFC 4279: | reference | |||

Pre-Shared Key Ciphersuites for Transport Layer Security | "RFC 7919: | |||

(TLS)"; | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

} | for Transport Layer Security (TLS)"; | |||

} | ||||

identity dhe-ffdhe2048 { | identity dhe-ffdhe6144 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with 2048 bit | "Ephemeral Diffie Hellman key exchange with 6144 bit | |||

finite field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity dhe-ffdhe3072 { | identity dhe-ffdhe8192 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with 3072 bit finite | "Ephemeral Diffie Hellman key exchange with 8192 bit | |||

field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | ||||

identity dhe-ffdhe4096 { | } | |||

base "key-exchange-algorithm"; | ||||

description | ||||

"Ephemeral Diffie Hellman key exhange with 4096 bit | ||||

finite field"; | ||||

reference | ||||

"RFC 7919: | ||||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | ||||

for Transport Layer Security (TLS)"; | ||||

} | ||||

identity dhe-ffdhe6144 { | ||||

base "key-exchange-algorithm"; | ||||

description | ||||

"Ephemeral Diffie Hellman key exhange with 6144 bit | ||||

finite field"; | ||||

reference | ||||

"RFC 7919: | ||||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | ||||

for Transport Layer Security (TLS)"; | ||||

} | ||||

identity dhe-ffdhe8192 { | identity psk-dhe-ffdhe2048 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with 8192 bit | "Key exchange using pre-shared key with Diffie-Hellman key | |||

finite field"; | generation mechanism, where the DH group is FFDHE2048"; | |||

reference | reference | |||

"RFC 7919: | "RFC 8446: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

for Transport Layer Security (TLS)"; | } | |||

} | ||||

identity psk-dhe-ffdhe2048 { | identity psk-dhe-ffdhe3072 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechansim, where the DH group is FFDHE2048"; | generation mechanism, where the DH group is FFDHE3072"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe3072 { | identity psk-dhe-ffdhe4096 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechansim, where the DH group is FFDHE3072"; | generation mechanism, where the DH group is FFDHE4096"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe4096 { | identity psk-dhe-ffdhe6144 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechansim, where the DH group is FFDHE4096"; | generation mechanism, where the DH group is FFDHE6144"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe6144 { | identity psk-dhe-ffdhe8192 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechansim, where the DH group is FFDHE6144"; | generation mechanism, where the DH group is FFDHE8192"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe8192 { | identity ecdhe-secp256r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

generation mechansim, where the DH group is FFDHE8192"; | over curve secp256r1"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8422: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

} | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | ||||

identity ecdhe-secp256r1 { | identity ecdhe-secp384r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp256r1"; | over curve secp384r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-secp384r1 { | identity ecdhe-secp521r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp384r1"; | over curve secp521r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-secp521r1 { | identity ecdhe-x25519 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp521r1"; | over curve x25519"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-x448 { | ||||

base "key-exchange-algorithm"; | ||||

description | ||||

"Ephemeral Diffie Hellman key exchange with elliptic group | ||||

over curve x448"; | ||||

reference | ||||

"RFC 8422: | ||||

Elliptic Curve Cryptography (ECC) Cipher Suites for | ||||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | ||||

} | ||||

identity ecdhe-x25519 { | identity psk-ecdhe-secp256r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with elliptic group | "Key exchange using pre-shared key with elliptic group-based | |||

over curve x25519"; | Ephemeral Diffie Hellman key exchange over curve secp256r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8446: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | } | |||

} | ||||

identity ecdhe-x448 { | identity psk-ecdhe-secp384r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Ephemeral Diffie Hellman key exhange with elliptic group | "Key exchange using pre-shared key with elliptic group-based | |||

over curve x448"; | Ephemeral Diffie Hellman key exchange over curve secp384r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8446: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | } | |||

} | ||||

identity psk-ecdhe-secp256r1 { | identity psk-ecdhe-secp521r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exhange over curve secp256r1"; | Ephemeral Diffie Hellman key exchange over curve secp521r1"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-secp384r1 { | identity psk-ecdhe-x25519 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exhange over curve secp384r1"; | Ephemeral Diffie Hellman key exchange over curve x25519"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-secp521r1 { | identity psk-ecdhe-x448 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exhange over curve secp521r1"; | Ephemeral Diffie Hellman key exchange over curve x448"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-x25519 { | identity diffie-hellman-group14-sha1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Using DH group14 and SHA1 for key exchange"; | |||

Ephemeral Diffie Hellman key exhange over curve x25519"; | reference | |||

reference | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||

"RFC 8446: | } | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | ||||

} | ||||

identity psk-ecdhe-x448 { | identity diffie-hellman-group14-sha256 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Using DH group14 and SHA256 for key exchange"; | |||

Ephemeral Diffie Hellman key exhange over curve x448"; | reference | |||

reference | "RFC 8268: | |||

"RFC 8446: | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group14-sha1 { | identity diffie-hellman-group15-sha512 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group14 and SHA1 for key exchange"; | "Using DH group15 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 8268: | |||

} | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | ||||

} | ||||

identity diffie-hellman-group14-sha256 { | identity diffie-hellman-group16-sha512 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group14 and SHA256 for key exchange"; | "Using DH group16 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group15-sha512 { | identity diffie-hellman-group17-sha512 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group15 and SHA512 for key exchange"; | "Using DH group17 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group16-sha512 { | identity diffie-hellman-group18-sha512 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group16 and SHA512 for key exchange"; | "Using DH group18 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group17-sha512 { | identity ecdh-sha2-secp256r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group17 and SHA512 for key exchange"; | "Elliptic curve-based Diffie Hellman key exchange over curve | |||

reference | secp256r1 and using SHA2 for MAC generation"; | |||

"RFC 8268: | reference | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | "RFC 6239: Suite B Cryptographic Suites for Secure Shell | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | (SSH)"; | |||

} | } | |||

identity diffie-hellman-group18-sha512 { | identity ecdh-sha2-secp384r1 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Using DH group18 and SHA512 for key exchange"; | "Elliptic curve-based Diffie Hellman key exchange over curve | |||

reference | secp384r1 and using SHA2 for MAC generation"; | |||

"RFC 8268: | reference | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | "RFC 6239: Suite B Cryptographic Suites for Secure Shell | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | (SSH)"; | |||

} | } | |||

identity ecdh-sha2-secp256r1 { | identity rsaes-oaep { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Elliptic curve-based Diffie Hellman key exhange over curve | "RSAES-OAEP combines the RSAEP and RSADP primitives with the | |||

secp256r1 and using SHA2 for MAC generation"; | EME-OAEP encoding method"; | |||

reference | reference | |||

"RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH)"; | "RFC 8017: | |||

} | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | ||||

identity ecdh-sha2-secp384r1 { | identity rsaes-pkcs1-v1_5 { | |||

base "key-exchange-algorithm"; | base "key-exchange-algorithm"; | |||

description | description | |||

"Elliptic curve-based Diffie Hellman key exhange over curve | " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives | |||

secp384r1 and using SHA2 for MAC generation"; | with the EME-PKCS1-v1_5 encoding method"; | |||

reference | reference | |||

"RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH)"; | "RFC 8017: | |||

} | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | ||||
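Review bot: The `rsaes-oaep` and `rsaes-pkcs1-v1_5` identities on the right-hand side derive from `key-exchange-algorithm`, but their descriptions only describe an encryption scheme (RSAEP and RSADP combined with an encoding method) and never say how that scheme serves as a key exchange. Add a sentence to each description stating the intended use under this base, or derive them from a better-fitting base identity. The `rsaes-pkcs1-v1_5` description string also opens with a stray space (`" RSAES-PKCS1-v1_5 combines`); drop it to match `rsaes-oaep`.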

/*********************************************************/ | /**********************************************************/ | |||

/* Typedefs for identityrefs to above base identites */ | /* Typedefs for identityrefs to above base identities */ | |||

/*********************************************************/ | /**********************************************************/ | |||

typedef hash-algorithm-ref { | typedef hash-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "hash-algorithm"; | base "hash-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'hash-algorithm' base identity."; | identityref to the 'hash-algorithm' base identity."; | |||

} | } | |||

typedef signature-algorithm-ref { | typedef signature-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "signature-algorithm"; | base "signature-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'signature-algorithm' base identity."; | identityref to the 'signature-algorithm' base identity."; | |||

} | } | |||

typedef mac-algorithm-ref { | typedef mac-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "mac-algorithm"; | base "mac-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'mac-algorithm' base identity."; | identityref to the 'mac-algorithm' base identity."; | |||

} | } | |||

typedef symmetric-key-encryption-algorithm-ref { | typedef encryption-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "symmetric-key-encryption-algorithm"; | base "encryption-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'symmetric-key-encryption-algorithm' | identityref to the 'encryption-algorithm' | |||

base identity."; | base identity."; | |||

} | } | |||

typedef asymmetric-key-encryption-algorithm-ref { | typedef encryption-and-mac-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "asymmetric-key-encryption-algorithm"; | base "encryption-and-mac-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'asymmetric-key-encryption-algorithm' | identityref to the 'encryption-and-mac-algorithm' | |||

base identity."; | base identity."; | |||

} | } | |||

typedef key-exchange-algorithm-ref { | typedef asymmetric-key-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "key-exchange-algorithm"; | base "asymmetric-key-algorithm"; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'key-exchange-algorithm' base identity."; | identityref to the 'asymmetric-key-algorithm' | |||

} | base identity."; | |||

} | ||||

/***************************************************/ | typedef key-exchange-algorithm-ref { | |||

/* Typedefs for ASN.1 structures from RFC 5280 */ | type identityref { | |||

/***************************************************/ | base "key-exchange-algorithm"; | |||

} | ||||

description | ||||

"This typedef enables importing modules to easily define an | ||||

identityref to the 'key-exchange-algorithm' base identity."; | ||||

} | ||||
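Review bot: The typedef renames in this region (`symmetric-key-encryption-algorithm-ref` to `encryption-algorithm-ref`, `asymmetric-key-encryption-algorithm-ref` to `asymmetric-key-algorithm-ref`) are not called out in any description, yet every one of these typedefs says it exists for importing modules, and a module that still references the old names will no longer compile. List the renames, together with the newly added `encryption-and-mac-algorithm-ref`, in the module's revision description or the draft's change log so importers know what to update.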

typedef x509 { | /***************************************************/ | |||

type binary; | /* Typedefs for ASN.1 structures from RFC 5280 */ | |||

description | /***************************************************/ | |||

"A Certificate structure, as specified in RFC 5280, | ||||

encoded using ASN.1 distinguished encoding rules (DER), | ||||

as specified in ITU-T X.690."; | ||||

reference | ||||

"RFC 5280: | ||||

Internet X.509 Public Key Infrastructure Certificate | ||||

and Certificate Revocation List (CRL) Profile | ||||

ITU-T X.690: | ||||

Information technology - ASN.1 encoding rules: | ||||

Specification of Basic Encoding Rules (BER), | ||||

Canonical Encoding Rules (CER) and Distinguished | ||||

Encoding Rules (DER)."; | ||||

} | ||||

typedef crl { | typedef x509 { | |||

type binary; | type binary; | |||

description | description | |||

"A CertificateList structure, as specified in RFC 5280, | "A Certificate structure, as specified in RFC 5280, | |||

encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||

as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||

reference | ||||

"RFC 5280: | ||||

Internet X.509 Public Key Infrastructure Certificate | ||||

and Certificate Revocation List (CRL) Profile | ||||

ITU-T X.690: | ||||

Information technology - ASN.1 encoding rules: | ||||

Specification of Basic Encoding Rules (BER), | ||||

Canonical Encoding Rules (CER) and Distinguished | ||||

Encoding Rules (DER)."; | ||||

} | ||||

/***********************************************/ | reference | |||

/* Typedefs for ASN.1 structures from 5652 */ | "RFC 5280: | |||

/***********************************************/ | Internet X.509 Public Key Infrastructure Certificate | |||

and Certificate Revocation List (CRL) Profile | ||||

ITU-T X.690: | ||||

Information technology - ASN.1 encoding rules: | ||||

Specification of Basic Encoding Rules (BER), | ||||

Canonical Encoding Rules (CER) and Distinguished | ||||

Encoding Rules (DER)."; | ||||

} | ||||

typedef cms { | typedef crl { | |||

type binary; | type binary; | |||

description | description | |||

"A ContentInfo structure, as specified in RFC 5652, | "A CertificateList structure, as specified in RFC 5280, | |||

encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||

as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||

reference | reference | |||

"RFC 5652: | "RFC 5280: | |||

Cryptographic Message Syntax (CMS) | Internet X.509 Public Key Infrastructure Certificate | |||

ITU-T X.690: | and Certificate Revocation List (CRL) Profile | |||

Information technology - ASN.1 encoding rules: | ITU-T X.690: | |||

Specification of Basic Encoding Rules (BER), | Information technology - ASN.1 encoding rules: | |||

Canonical Encoding Rules (CER) and Distinguished | Specification of Basic Encoding Rules (BER), | |||

Encoding Rules (DER)."; | Canonical Encoding Rules (CER) and Distinguished | |||

} | Encoding Rules (DER)."; | |||

} | ||||

typedef data-content-cms { | /***********************************************/ | |||

type cms; | /* Typedefs for ASN.1 structures from 5652 */ | |||

description | /***********************************************/ | |||

"A CMS structure whose top-most content type MUST be the | ||||

data content type, as described by Section 4 in RFC 5652."; | ||||

reference | ||||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | ||||

} | ||||

typedef signed-data-cms { | typedef cms { | |||

type cms; | type binary; | |||

description | description | |||

"A CMS structure whose top-most content type MUST be the | "A ContentInfo structure, as specified in RFC 5652, | |||

signed-data content type, as described by Section 5 in | encoded using ASN.1 distinguished encoding rules (DER), | |||

RFC 5652."; | as specified in ITU-T X.690."; | |||

reference | reference | |||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: | |||

} | Cryptographic Message Syntax (CMS) | |||

ITU-T X.690: | ||||

Information technology - ASN.1 encoding rules: | ||||

Specification of Basic Encoding Rules (BER), | ||||

Canonical Encoding Rules (CER) and Distinguished | ||||

Encoding Rules (DER)."; | ||||

} | ||||

typedef data-content-cms { | ||||

type cms; | ||||

description | ||||

"A CMS structure whose top-most content type MUST be the | ||||

data content type, as described by Section 4 in RFC 5652."; | ||||

reference | ||||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | ||||

} | ||||

typedef enveloped-data-cms { | typedef signed-data-cms { | |||

type cms; | type cms; | |||

description | description | |||

"A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||

enveloped-data content type, as described by Section 6 | signed-data content type, as described by Section 5 in | |||

in RFC 5652."; | RFC 5652."; | |||

reference | reference | |||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

typedef digested-data-cms { | typedef enveloped-data-cms { | |||

type cms; | type cms; | |||

description | description | |||

"A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||

digested-data content type, as described by Section 7 | enveloped-data content type, as described by Section 6 | |||

in RFC 5652."; | in RFC 5652."; | |||

reference | reference | |||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

typedef encrypted-data-cms { | typedef digested-data-cms { | |||

type cms; | type cms; | |||

description | description | |||

"A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||

encrypted-data content type, as described by Section 8 | digested-data content type, as described by Section 7 | |||

in RFC 5652."; | in RFC 5652."; | |||

reference | reference | |||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

typedef authenticated-data-cms { | typedef encrypted-data-cms { | |||

type cms; | type cms; | |||

description | description | |||

"A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||

authenticated-data content type, as described by Section 9 | encrypted-data content type, as described by Section 8 | |||

in RFC 5652."; | in RFC 5652."; | |||

reference | reference | |||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

typedef authenticated-data-cms { | ||||

type cms; | ||||

description | ||||

"A CMS structure whose top-most content type MUST be the | ||||

authenticated-data content type, as described by Section 9 | ||||

in RFC 5652."; | ||||

reference | ||||

"RFC 5652: Cryptographic Message Syntax (CMS)"; | ||||

} | ||||

/***************************************************/ | /***************************************************/ | |||

/* Typedefs for structures related to RFC 4253 */ | /* Typedefs for structures related to RFC 4253 */ | |||

/***************************************************/ | /***************************************************/ | |||

typedef ssh-host-key { | typedef ssh-host-key { | |||

type binary; | type binary; | |||

description | description | |||

"The binary public key data for this SSH key, as | "The binary public key data for this SSH key, as | |||

specified by RFC 4253, Section 6.6, i.e.: | specified by RFC 4253, Section 6.6, i.e.: | |||

string certificate or public key format | string certificate or public key format | |||

identifier | identifier | |||

byte[n] key/certificate data."; | byte[n] key/certificate data."; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer | "RFC 4253: The Secure Shell (SSH) Transport Layer | |||

Protocol"; | Protocol"; | |||

} | } | |||

/*********************************************************/ | /*********************************************************/ | |||

/* Typedefs for ASN.1 structures related to RFC 5280 */ | /* Typedefs for ASN.1 structures related to RFC 5280 */ | |||

/*********************************************************/ | /*********************************************************/ | |||

typedef trust-anchor-cert-x509 { | typedef trust-anchor-cert-x509 { | |||

type x509; | type x509; | |||

description | description | |||

"A Certificate structure that MUST encode a self-signed | "A Certificate structure that MUST encode a self-signed | |||

root certificate."; | root certificate."; | |||

} | } | |||

typedef end-entity-cert-x509 { | typedef end-entity-cert-x509 { | |||

type x509; | type x509; | |||

description | description | |||

"A Certificate structure that MUST encode a certificate | "A Certificate structure that MUST encode a certificate | |||

that is neither self-signed nor having Basic constraint | that is neither self-signed nor having Basic constraint | |||

CA true."; | CA true."; | |||

} | } | |||

/*********************************************************/ | /*********************************************************/ | |||

/* Typedefs for ASN.1 structures related to RFC 5652 */ | /* Typedefs for ASN.1 structures related to RFC 5652 */ | |||

/*********************************************************/ | /*********************************************************/ | |||

typedef trust-anchor-cert-cms { | typedef trust-anchor-cert-cms { | |||

type signed-data-cms; | type signed-data-cms; | |||

description | description | |||

"A CMS SignedData structure that MUST contain the chain of | "A CMS SignedData structure that MUST contain the chain of | |||

X.509 certificates needed to authenticate the certificate | X.509 certificates needed to authenticate the certificate | |||

presented by a client or end-entity. | presented by a client or end-entity. | |||

The CMS MUST contain only a single chain of certificates. | The CMS MUST contain only a single chain of certificates. | |||

The client or end-entity certificate MUST only authenticate | The client or end-entity certificate MUST only authenticate | |||

to last intermediate CA certificate listed in the chain. | to last intermediate CA certificate listed in the chain. | |||

In all cases, the chain MUST include a self-signed root | In all cases, the chain MUST include a self-signed root | |||

certificate. In the case where the root certificate is | certificate. In the case where the root certificate is | |||

itself the issuer of the client or end-entity certificate, | itself the issuer of the client or end-entity certificate, | |||

only one certificate is present. | only one certificate is present. | |||

This CMS structure MAY (as applicable where this type is | This CMS structure MAY (as applicable where this type is | |||

used) also contain suitably fresh (as defined by local | used) also contain suitably fresh (as defined by local | |||

policy) revocation objects with which the device can | policy) revocation objects with which the device can | |||

verify the revocation status of the certificates. | verify the revocation status of the certificates. | |||

This CMS encodes the degenerate form of the SignedData | This CMS encodes the degenerate form of the SignedData | |||

structure that is commonly used to disseminate X.509 | structure that is commonly used to disseminate X.509 | |||

certificates and revocation objects (RFC 5280)."; | certificates and revocation objects (RFC 5280)."; | |||

reference | reference | |||

"RFC 5280: | "RFC 5280: | |||

Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||

and Certificate Revocation List (CRL) Profile."; | and Certificate Revocation List (CRL) Profile."; | |||

} | } | |||

typedef end-entity-cert-cms { | typedef end-entity-cert-cms { | |||

type signed-data-cms; | type signed-data-cms; | |||

description | description | |||

"A CMS SignedData structure that MUST contain the end | "A CMS SignedData structure that MUST contain the end | |||

entity certificate itself, and MAY contain any number | entity certificate itself, and MAY contain any number | |||

of intermediate certificates leading up to a trust | of intermediate certificates leading up to a trust | |||

anchor certificate. The trust anchor certificate | anchor certificate. The trust anchor certificate | |||

MAY be included as well. | MAY be included as well. | |||

The CMS MUST contain a single end entity certificate. | The CMS MUST contain a single end entity certificate. | |||

The CMS MUST NOT contain any spurious certificates. | The CMS MUST NOT contain any spurious certificates. | |||

This CMS structure MAY (as applicable where this type is | This CMS structure MAY (as applicable where this type is | |||

used) also contain suitably fresh (as defined by local | used) also contain suitably fresh (as defined by local | |||

policy) revocation objects with which the device can | policy) revocation objects with which the device can | |||

verify the revocation status of the certificates. | verify the revocation status of the certificates. | |||

This CMS encodes the degenerate form of the SignedData | This CMS encodes the degenerate form of the SignedData | |||

structure that is commonly used to disseminate X.509 | structure that is commonly used to disseminate X.509 | |||

certificates and revocation objects (RFC 5280)."; | certificates and revocation objects (RFC 5280)."; | |||

reference | reference | |||

"RFC 5280: | "RFC 5280: | |||

Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||

and Certificate Revocation List (CRL) Profile."; | and Certificate Revocation List (CRL) Profile."; | |||

} | } | |||

/**********************************************/ | ||||

/* Groupings for keys and/or certificates */ | ||||

/**********************************************/ | ||||

grouping public-key-grouping { | /**********************************************/ | |||

description | /* Groupings for keys and/or certificates */ | |||

"A public key."; | /**********************************************/ | |||

leaf algorithm { | ||||

type asymmetric-key-encryption-algorithm-ref; | ||||

description | ||||

"Identifies the key's algorithm. More specifically, | ||||

this leaf specifies how the 'public-key' binary leaf | ||||

is encoded."; | ||||

reference | ||||

"RFC CCCC: Common YANG Data Types for Cryptography"; | ||||

} | ||||

leaf public-key { | ||||

type binary; | ||||

description | ||||

"A binary that contains the value of the public key. The | ||||

interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an RSA | ||||

key is represented as RSAPublicKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented using the 'publicKey' described in | ||||

RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} | ||||

} // end public-key-grouping | ||||

grouping asymmetric-key-pair-grouping { | grouping public-key-grouping { | |||

description | description | |||

"A private/public key pair."; | "A public key."; | |||

uses public-key-grouping; | leaf algorithm { | |||

leaf private-key { | type asymmetric-key-algorithm-ref; | |||

nacm:default-deny-all; | description | |||

type union { | "Identifies the key's algorithm. More specifically, | |||

type binary; | this leaf specifies how the 'public-key' binary leaf | |||

type enumeration { | is encoded."; | |||

enum "permanently-hidden" { | reference | |||

description | "RFC CCCC: Common YANG Data Types for Cryptography"; | |||

"The private key is inaccessible due to being | } | |||

protected by the system (e.g., a cryptographic | leaf public-key { | |||

hardware module). It is not possible to | type binary; | |||

configure a permanently hidden key, as a real | description | |||

private key value must be set. Permanently | "A binary that contains the value of the public key. The | |||

hidden keys cannot be archived or backed up."; | interpretation of the content is defined by the key | |||

} | algorithm. For example, a DSA key is an integer, an RSA | |||

} | key is represented as RSAPublicKey as defined in | |||

} | RFC 8017, and an Elliptic Curve Cryptography (ECC) key | |||

description | is represented using the 'publicKey' described in | |||

"A binary that contains the value of the private key. The | RFC 5915."; | |||

interpretation of the content is defined by the key | reference | |||

algorithm. For example, a DSA key is an integer, an RSA | "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | |||

key is represented as RSAPrivateKey as defined in | RSA Cryptography Specifications Version 2.2. | |||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | RFC 5915: Elliptic Curve Private Key Structure."; | |||

is represented as ECPrivateKey as defined in RFC 5915."; | } | |||

reference | } | |||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} // end private-key | ||||

action generate-hidden-key { | grouping asymmetric-key-pair-grouping { | |||

description | description | |||

"Requests the device to generate a hidden key using the | "A private/public key pair."; | |||

specified asymmetric key algorithm. This action is | uses public-key-grouping; | |||

used to request the system to generate a key that | leaf private-key { | |||

is 'permanently-hidden', perhaps protected by a | nacm:default-deny-all; | |||

cryptographic hardware module. The resulting | type union { | |||

asymmetric key values are considered operational | type binary; | |||

state and hence present only in <operational>."; | type enumeration { | |||

input { | enum "permanently-hidden" { | |||

leaf algorithm { | description | |||

type asymmetric-key-encryption-algorithm-ref; | "The private key is inaccessible due to being | |||

mandatory true; | protected by the system (e.g., a cryptographic | |||

description | hardware module). It is not possible to | |||

"The algorithm to be used when generating the | configure a permanently hidden key, as a real | |||

asymmetric key."; | private key value must be set. Permanently | |||

reference | hidden keys cannot be archived or backed up."; | |||

"RFC CCCC: Common YANG Data Types for Cryptography"; | } | |||

} | } | |||

} | } | |||

} // end generate-hidden-key | description | |||

"A binary that contains the value of the private key. The | ||||

interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an RSA | ||||

key is represented as RSAPrivateKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented as ECPrivateKey as defined in RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} // private-key | ||||

action install-hidden-key { | action generate-hidden-key { | |||

description | description | |||

"Requests the device to load the specified values into | "Requests the device to generate a hidden key using the | |||

a hidden key. The resulting asymmetric key values are | specified asymmetric key algorithm. This action is | |||

considered operational state and hence present only in | used to request the system to generate a key that | |||

<operational>."; | is 'permanently-hidden', perhaps protected by a | |||

input { | cryptographic hardware module. The resulting | |||

leaf algorithm { | asymmetric key values are considered operational | |||

type asymmetric-key-encryption-algorithm-ref; | state and hence present only in <operational>."; | |||

mandatory true; | input { | |||

description | leaf algorithm { | |||

"The algorithm to be used when generating the | type asymmetric-key-algorithm-ref; | |||

asymmetric key."; | mandatory true; | |||

reference | description | |||

"RFC CCCC: Common YANG Data Types for Cryptography"; | "The algorithm to be used when generating the | |||

} | asymmetric key."; | |||

leaf public-key { | reference | |||

type binary; | "RFC CCCC: Common YANG Data Types for Cryptography"; | |||

description | } | |||

"A binary that contains the value of the public key. | ||||

The interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an | ||||

RSA key is represented as RSAPublicKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented using the 'publicKey' described in | ||||

RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} | ||||

leaf private-key { | ||||

type binary; | ||||

description | ||||

"A binary that contains the value of the private key. | ||||

The interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an RSA | ||||

key is represented as RSAPrivateKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented as ECPrivateKey as defined in RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} | ||||

} | ||||

} // end install-hidden-key | ||||

} // end asymmetric-key-pair-grouping | ||||

grouping trust-anchor-cert-grouping { | } | |||

description | } // generate-hidden-key | |||

"A certificate, and a notification for when it might expire."; | ||||

leaf cert { | ||||

type trust-anchor-cert-cms; | ||||

description | ||||

"The binary certificate data for this certificate."; | ||||

reference | ||||

"RFC YYYY: Common YANG Data Types for Cryptography"; | ||||

} | ||||

notification certificate-expiration { | ||||

description | ||||

"A notification indicating that the configured certificate | ||||

is either about to expire or has already expired. When to | ||||

send notifications is an implementation specific decision, | ||||

but it is RECOMMENDED that a notification be sent once a | ||||

month for 3 months, then once a week for four weeks, and | ||||

then once a day thereafter until the issue is resolved."; | ||||

leaf expiration-date { | ||||

type yang:date-and-time; | ||||

mandatory true; | ||||

description | ||||

"Identifies the expiration date on the certificate."; | ||||

} | ||||

} | ||||

} // end trust-anchor-cert-grouping | ||||

grouping end-entity-cert-grouping { | action install-hidden-key { | |||

description | description | |||

"A certificate, and a notification for when it might expire."; | "Requests the device to load the specified values into | |||

leaf cert { | a hidden key. The resulting asymmetric key values are | |||

type end-entity-cert-cms; | considered operational state and hence present only in | |||

description | <operational>."; | |||

"The binary certificate data for this certificate."; | input { | |||

reference | leaf algorithm { | |||

type asymmetric-key-algorithm-ref; | ||||

mandatory true; | ||||

description | ||||

"The algorithm to be used when generating the | ||||

asymmetric key."; | ||||

reference | ||||

"RFC CCCC: Common YANG Data Types for Cryptography"; | ||||

} | ||||

leaf public-key { | ||||

type binary; | ||||

description | ||||

"A binary that contains the value of the public key. | ||||

The interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an | ||||

RSA key is represented as RSAPublicKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented using the 'publicKey' described in | ||||

RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} | ||||

leaf private-key { | ||||

type binary; | ||||

description | ||||

"A binary that contains the value of the private key. | ||||

The interpretation of the content is defined by the key | ||||

algorithm. For example, a DSA key is an integer, an RSA | ||||

key is represented as RSAPrivateKey as defined in | ||||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | ||||

is represented as ECPrivateKey as defined in RFC 5915."; | ||||

reference | ||||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | ||||

RSA Cryptography Specifications Version 2.2. | ||||

RFC 5915: Elliptic Curve Private Key Structure."; | ||||

} | ||||

} | ||||

} // install-hidden-key | ||||

} // asymmetric-key-pair-grouping | ||||

grouping trust-anchor-cert-grouping { | ||||

description | ||||

"A certificate, and a notification for when it might expire."; | ||||

leaf cert { | ||||

type trust-anchor-cert-cms; | ||||

description | ||||

"The binary certificate data for this certificate."; | ||||

reference | ||||

"RFC YYYY: Common YANG Data Types for Cryptography"; | "RFC YYYY: Common YANG Data Types for Cryptography"; | |||

} | } | |||

notification certificate-expiration { | notification certificate-expiration { | |||

description | description | |||

"A notification indicating that the configured certificate | "A notification indicating that the configured certificate | |||

is either about to expire or has already expired. When to | is either about to expire or has already expired. When to | |||

send notifications is an implementation specific decision, | send notifications is an implementation specific decision, | |||

but it is RECOMMENDED that a notification be sent once a | but it is RECOMMENDED that a notification be sent once a | |||

month for 3 months, then once a week for four weeks, and | month for 3 months, then once a week for four weeks, and | |||

then once a day thereafter until the issue is resolved."; | then once a day thereafter until the issue is resolved."; | |||

leaf expiration-date { | leaf expiration-date { | |||

type yang:date-and-time; | type yang:date-and-time; | |||

mandatory true; | mandatory true; | |||

description | description | |||

"Identifies the expiration date on the certificate."; | "Identifies the expiration date on the certificate."; | |||

} | } | |||

} | } | |||

} | ||||

} // end end-entity-cert-grouping | grouping end-entity-cert-grouping { | |||

description | ||||

"A certificate, and a notification for when it might expire."; | ||||

leaf cert { | ||||

type end-entity-cert-cms; | ||||

description | ||||

"The binary certificate data for this certificate."; | ||||

reference | ||||

"RFC YYYY: Common YANG Data Types for Cryptography"; | ||||

} | ||||

notification certificate-expiration { | ||||

description | ||||

"A notification indicating that the configured certificate | ||||

is either about to expire or has already expired. When to | ||||

send notifications is an implementation specific decision, | ||||

but it is RECOMMENDED that a notification be sent once a | ||||

month for 3 months, then once a week for four weeks, and | ||||

then once a day thereafter until the issue is resolved."; | ||||

leaf expiration-date { | ||||

type yang:date-and-time; | ||||

mandatory true; | ||||

description | ||||

"Identifies the expiration date on the certificate."; | ||||

} | ||||

} | ||||

} | ||||

grouping asymmetric-key-pair-with-certs-grouping { | grouping asymmetric-key-pair-with-certs-grouping { | |||

description | description | |||

"A private/public key pair and associated certificates."; | "A private/public key pair and associated certificates."; | |||

uses asymmetric-key-pair-grouping; | uses asymmetric-key-pair-grouping; | |||

container certificates { | ||||

description | ||||

"Certificates associated with this asymmetric key. | ||||

More than one certificate supports, for instance, | ||||

a TPM-protected asymmetric key that has both IDevID | ||||

and LDevID certificates associated."; | ||||

list certificate { | ||||

key name; | ||||

description | ||||

"A certificate for this asymmetric key."; | ||||

leaf name { | ||||

type string; | ||||

description | ||||

"An arbitrary name for the certificate. If the name | ||||

matches the name of a certificate that exists | ||||

independently in <operational> (i.e., an IDevID), | ||||

then the 'cert' node MUST NOT be configured."; | ||||

} | container certificates { | |||

uses end-entity-cert-grouping; | description | |||

} // end certificate | "Certificates associated with this asymmetric key. | |||

} // end certificates | More than one certificate supports, for instance, | |||

a TPM-protected asymmetric key that has both IDevID | ||||

and LDevID certificates associated."; | ||||

list certificate { | ||||

key name; | ||||

description | ||||

"A certificate for this asymmetric key."; | ||||

leaf name { | ||||

type string; | ||||

description | ||||

"An arbitrary name for the certificate. If the name | ||||

matches the name of a certificate that exists | ||||

independently in <operational> (i.e., an IDevID), | ||||

then the 'cert' node MUST NOT be configured."; | ||||

action generate-certificate-signing-request { | } | |||

description | uses end-entity-cert-grouping; | |||

"Generates a certificate signing request structure for | } | |||

the associated asymmetric key using the passed subject | } // certificates | |||

and attribute values. The specified assertions need | ||||

to be appropriate for the certificate's use. For | ||||

example, an entity certificate for a TLS server | ||||

SHOULD have values that enable clients to satisfy | ||||

RFC 6125 processing."; | ||||

input { | ||||

leaf subject { | ||||

type binary; | ||||

mandatory true; | ||||

description | ||||

"The 'subject' field per the CertificationRequestInfo | ||||

structure as specified by RFC 2986, Section 4.1 | ||||

encoded using the ASN.1 distinguished encoding | ||||

rules (DER), as specified in ITU-T X.690."; | ||||

reference | action generate-certificate-signing-request { | |||

"RFC 2986: | description | |||

PKCS #10: Certification Request Syntax | "Generates a certificate signing request structure for | |||

Specification Version 1.7. | the associated asymmetric key using the passed subject | |||

ITU-T X.690: | and attribute values. The specified assertions need | |||

Information technology - ASN.1 encoding rules: | to be appropriate for the certificate's use. For | |||

Specification of Basic Encoding Rules (BER), | example, an entity certificate for a TLS server | |||

Canonical Encoding Rules (CER) and Distinguished | SHOULD have values that enable clients to satisfy | |||

Encoding Rules (DER)."; | RFC 6125 processing."; | |||

} | input { | |||

leaf attributes { | leaf subject { | |||

type binary; | type binary; | |||

description | mandatory true; | |||

"The 'attributes' field from the structure | description | |||

CertificationRequestInfo as specified by RFC 2986, | "The 'subject' field per the CertificationRequestInfo | |||

Section 4.1 encoded using the ASN.1 distinguished | structure as specified by RFC 2986, Section 4.1 | |||

encoding rules (DER), as specified in ITU-T X.690."; | encoded using the ASN.1 distinguished encoding | |||

reference | rules (DER), as specified in ITU-T X.690."; | |||

"RFC 2986: | reference | |||

PKCS #10: Certification Request Syntax | "RFC 2986: | |||

Specification Version 1.7. | PKCS #10: Certification Request Syntax | |||

ITU-T X.690: | Specification Version 1.7. | |||

Information technology - ASN.1 encoding rules: | ITU-T X.690: | |||

Specification of Basic Encoding Rules (BER), | Information technology - ASN.1 encoding rules: | |||

Canonical Encoding Rules (CER) and Distinguished | Specification of Basic Encoding Rules (BER), | |||

Encoding Rules (DER)."; | Canonical Encoding Rules (CER) and Distinguished | |||

} | Encoding Rules (DER)."; | |||

} | } | |||

output { | leaf attributes { | |||

leaf certificate-signing-request { | type binary; | |||

type binary; | description | |||

mandatory true; | "The 'attributes' field from the structure | |||

description | CertificationRequestInfo as specified by RFC 2986, | |||

"A CertificationRequest structure as specified by | Section 4.1 encoded using the ASN.1 distinguished | |||

RFC 2986, Section 4.2 encoded using the ASN.1 | encoding rules (DER), as specified in ITU-T X.690."; | |||

distinguished encoding rules (DER), as specified | reference | |||

in ITU-T X.690."; | "RFC 2986: | |||

reference | PKCS #10: Certification Request Syntax | |||

"RFC 2986: | Specification Version 1.7. | |||

PKCS #10: Certification Request Syntax | ITU-T X.690: | |||

Specification Version 1.7. | Information technology - ASN.1 encoding rules: | |||

ITU-T X.690: | Specification of Basic Encoding Rules (BER), | |||

Information technology - ASN.1 encoding rules: | Canonical Encoding Rules (CER) and Distinguished | |||

Specification of Basic Encoding Rules (BER), | Encoding Rules (DER)."; | |||

Canonical Encoding Rules (CER) and Distinguished | } | |||

Encoding Rules (DER)."; | } | |||

output { | ||||

leaf certificate-signing-request { | ||||

type binary; | ||||

mandatory true; | ||||

description | ||||

"A CertificationRequest structure as specified by | ||||

RFC 2986, Section 4.2 encoded using the ASN.1 | ||||

distinguished encoding rules (DER), as specified | ||||

in ITU-T X.690."; | ||||

} | reference | |||

"RFC 2986: | ||||

PKCS #10: Certification Request Syntax | ||||

Specification Version 1.7. | ||||

ITU-T X.690: | ||||

Information technology - ASN.1 encoding rules: | ||||

Specification of Basic Encoding Rules (BER), | ||||

Canonical Encoding Rules (CER) and Distinguished | ||||

Encoding Rules (DER)."; | ||||

} | } | |||

} // end generate-certificate-signing-request | } | |||

} // end asymmetric-key-pair-with-certs-grouping | } // generate-certificate-signing-request | |||

} // asymmetric-key-pair-with-certs-grouping | ||||

} | } | |||

<CODE ENDS> | ||||

<CODE ENDS> | ||||

3. Security Considerations | 3. Security Considerations | |||

In order to use YANG identities for algorithm identifiers, only the | In order to use YANG identities for algorithm identifiers, only the | |||

most commonly used RSA key lengths are supported for the RSA | most commonly used RSA key lengths are supported for the RSA | |||

algorithm. Additional key lengths can be defined in another module | algorithm. Additional key lengths can be defined in another module | |||

or added into a future version of this document. | or added into a future version of this document. | |||

This document limits the number of elliptical curves supported. This | This document limits the number of elliptical curves supported. This | |||

was done to match industry trends and IETF best practice (e.g., | was done to match industry trends and IETF best practice (e.g., | |||
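
Review bot: In the new-side install-hidden-key input, the description of leaf algorithm still reads "The algorithm to be used when generating the asymmetric key", which is generate-hidden-key wording; this action loads caller-supplied values, so the text should say the algorithm identifies the type of the supplied key. The same leaf cites "RFC CCCC" while the cert leaves cite "RFC YYYY" for the same title, so one placeholder should be used throughout. In the same input, public-key and private-key carry no "mandatory true" although algorithm does, which makes a request with no key material schema-valid; either make them mandatory or state in the description what the device does when one is absent.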

skipping to change at page 40, line 49 ¶ | skipping to change at page 40, line 9 ¶ | |||

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||

Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||

DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||

<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||

[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within | [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within | |||

ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November | ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November | |||

1998, <https://www.rfc-editor.org/info/rfc2404>. | 1998, <https://www.rfc-editor.org/info/rfc2404>. | |||

[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | ||||

Request Syntax Specification Version 1.7", RFC 2986, | ||||

DOI 10.17487/RFC2986, November 2000, | ||||

<https://www.rfc-editor.org/info/rfc2986>. | ||||

[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 | ||||

(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, | ||||

<https://www.rfc-editor.org/info/rfc3174>. | ||||

[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) | [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) | |||

Encryption Algorithm in Cryptographic Message Syntax | Encryption Algorithm in Cryptographic Message Syntax | |||

(CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, | (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, | |||

<https://www.rfc-editor.org/info/rfc3565>. | <https://www.rfc-editor.org/info/rfc3565>. | |||

[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) | [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) | |||

Counter Mode With IPsec Encapsulating Security Payload | Counter Mode With IPsec Encapsulating Security Payload | |||

(ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, | (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, | |||

<https://www.rfc-editor.org/info/rfc3686>. | <https://www.rfc-editor.org/info/rfc3686>. | |||

skipping to change at page 41, line 38 ¶ | skipping to change at page 40, line 38 ¶ | |||

[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key | |||

Ciphersuites for Transport Layer Security (TLS)", | Ciphersuites for Transport Layer Security (TLS)", | |||

RFC 4279, DOI 10.17487/RFC4279, December 2005, | RFC 4279, DOI 10.17487/RFC4279, December 2005, | |||

<https://www.rfc-editor.org/info/rfc4279>. | <https://www.rfc-editor.org/info/rfc4279>. | |||

[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM | [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM | |||

Mode with IPsec Encapsulating Security Payload (ESP)", | Mode with IPsec Encapsulating Security Payload (ESP)", | |||

RFC 4309, DOI 10.17487/RFC4309, December 2005, | RFC 4309, DOI 10.17487/RFC4309, December 2005, | |||

<https://www.rfc-editor.org/info/rfc4309>. | <https://www.rfc-editor.org/info/rfc4309>. | |||

[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The | ||||

AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June | ||||

2006, <https://www.rfc-editor.org/info/rfc4493>. | ||||

[RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96 | [RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96 | |||

Algorithm and Its Use with IPsec", RFC 4494, | Algorithm and Its Use with IPsec", RFC 4494, | |||

DOI 10.17487/RFC4494, June 2006, | DOI 10.17487/RFC4494, June 2006, | |||

<https://www.rfc-editor.org/info/rfc4494>. | <https://www.rfc-editor.org/info/rfc4494>. | |||

[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message | [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message | |||

Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, | Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, | |||

DOI 10.17487/RFC4543, May 2006, | DOI 10.17487/RFC4543, May 2006, | |||

<https://www.rfc-editor.org/info/rfc4543>. | <https://www.rfc-editor.org/info/rfc4543>. | |||

skipping to change at page 42, line 25 ¶ | skipping to change at page 41, line 20 ¶ | |||

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||

RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||

<https://www.rfc-editor.org/info/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||

[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm | [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm | |||

Integration in the Secure Shell Transport Layer", | Integration in the Secure Shell Transport Layer", | |||

RFC 5656, DOI 10.17487/RFC5656, December 2009, | RFC 5656, DOI 10.17487/RFC5656, December 2009, | |||

<https://www.rfc-editor.org/info/rfc5656>. | <https://www.rfc-editor.org/info/rfc5656>. | |||

[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key | ||||

Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, | ||||

<https://www.rfc-editor.org/info/rfc5915>. | ||||

[RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure | [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure | |||

Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, | Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, | |||

March 2011, <https://www.rfc-editor.org/info/rfc6187>. | March 2011, <https://www.rfc-editor.org/info/rfc6187>. | |||

[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | ||||

(SHA and SHA-based HMAC and HKDF)", RFC 6234, | ||||

DOI 10.17487/RFC6234, May 2011, | ||||

<https://www.rfc-editor.org/info/rfc6234>. | ||||

[RFC6239] Igoe, K., "Suite B Cryptographic Suites for Secure Shell | ||||

(SSH)", RFC 6239, DOI 10.17487/RFC6239, May 2011, | ||||

<https://www.rfc-editor.org/info/rfc6239>. | ||||

[RFC6507] Groves, M., "Elliptic Curve-Based Certificateless | ||||

Signatures for Identity-Based Encryption (ECCSI)", | ||||

RFC 6507, DOI 10.17487/RFC6507, February 2012, | ||||

<https://www.rfc-editor.org/info/rfc6507>. | ||||

[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||

RFC 6991, DOI 10.17487/RFC6991, July 2013, | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||

<https://www.rfc-editor.org/info/rfc6991>. | <https://www.rfc-editor.org/info/rfc6991>. | |||

[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | ||||

Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015, | ||||

<https://www.rfc-editor.org/info/rfc7539>. | ||||

[RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman | [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman | |||

Ephemeral Parameters for Transport Layer Security (TLS)", | Ephemeral Parameters for Transport Layer Security (TLS)", | |||

RFC 7919, DOI 10.17487/RFC7919, August 2016, | RFC 7919, DOI 10.17487/RFC7919, August 2016, | |||

<https://www.rfc-editor.org/info/rfc7919>. | <https://www.rfc-editor.org/info/rfc7919>. | |||

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||

RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||

<https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||

[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | ||||

"PKCS #1: RSA Cryptography Specifications Version 2.2", | ||||

RFC 8017, DOI 10.17487/RFC8017, November 2016, | ||||

<https://www.rfc-editor.org/info/rfc8017>. | ||||

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | ||||

Signature Algorithm (EdDSA)", RFC 8032, | ||||

DOI 10.17487/RFC8032, January 2017, | ||||

<https://www.rfc-editor.org/info/rfc8032>. | ||||

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||

2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||

May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||

[RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- | [RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- | |||

Hellman (DH) Key Exchange (KEX) Groups for Secure Shell | Hellman (DH) Key Exchange (KEX) Groups for Secure Shell | |||

(SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, | (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, | |||

<https://www.rfc-editor.org/info/rfc8268>. | <https://www.rfc-editor.org/info/rfc8268>. | |||

[RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in | [RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in | |||

skipping to change at page 44, line 11 ¶ | skipping to change at page 42, line 22 ¶ | |||

Security (TLS) Versions 1.2 and Earlier", RFC 8422, | Security (TLS) Versions 1.2 and Earlier", RFC 8422, | |||

DOI 10.17487/RFC8422, August 2018, | DOI 10.17487/RFC8422, August 2018, | |||

<https://www.rfc-editor.org/info/rfc8422>. | <https://www.rfc-editor.org/info/rfc8422>. | |||

[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||

Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||

<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||

5.2. Informative References | 5.2. Informative References | |||

[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | ||||

Request Syntax Specification Version 1.7", RFC 2986, | ||||

DOI 10.17487/RFC2986, November 2000, | ||||

<https://www.rfc-editor.org/info/rfc2986>. | ||||

[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 | ||||

(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, | ||||

<https://www.rfc-editor.org/info/rfc3174>. | ||||

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||

DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||

<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||

[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||

Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||

DOI 10.17487/RFC4211, September 2005, | DOI 10.17487/RFC4211, September 2005, | |||

<https://www.rfc-editor.org/info/rfc4211>. | <https://www.rfc-editor.org/info/rfc4211>. | |||

[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The | ||||

AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June | ||||

2006, <https://www.rfc-editor.org/info/rfc4493>. | ||||

[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||

Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | |||

<https://www.rfc-editor.org/info/rfc5056>. | <https://www.rfc-editor.org/info/rfc5056>. | |||

[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key | ||||

Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, | ||||

<https://www.rfc-editor.org/info/rfc5915>. | ||||

[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||

the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||

DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||

<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||

[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and | |||

Verification of Domain-Based Application Service Identity | Verification of Domain-Based Application Service Identity | |||

within Internet Public Key Infrastructure Using X.509 | within Internet Public Key Infrastructure Using X.509 | |||

(PKIX) Certificates in the Context of Transport Layer | (PKIX) Certificates in the Context of Transport Layer | |||

Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March | Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March | |||

2011, <https://www.rfc-editor.org/info/rfc6125>. | 2011, <https://www.rfc-editor.org/info/rfc6125>. | |||

[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | ||||

(SHA and SHA-based HMAC and HKDF)", RFC 6234, | ||||

DOI 10.17487/RFC6234, May 2011, | ||||

<https://www.rfc-editor.org/info/rfc6234>. | ||||

[RFC6239] Igoe, K., "Suite B Cryptographic Suites for Secure Shell | ||||

(SSH)", RFC 6239, DOI 10.17487/RFC6239, May 2011, | ||||

<https://www.rfc-editor.org/info/rfc6239>. | ||||

[RFC6507] Groves, M., "Elliptic Curve-Based Certificateless | ||||

Signatures for Identity-Based Encryption (ECCSI)", | ||||

RFC 6507, DOI 10.17487/RFC6507, February 2012, | ||||

<https://www.rfc-editor.org/info/rfc6507>. | ||||

[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | ||||

"PKCS #1: RSA Cryptography Specifications Version 2.2", | ||||

RFC 8017, DOI 10.17487/RFC8017, November 2016, | ||||

<https://www.rfc-editor.org/info/rfc8017>. | ||||

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital | ||||

Signature Algorithm (EdDSA)", RFC 8032, | ||||

DOI 10.17487/RFC8032, January 2017, | ||||

<https://www.rfc-editor.org/info/rfc8032>. | ||||

[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||

BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||

<https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||

[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF | ||||

Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, | ||||

<https://www.rfc-editor.org/info/rfc8439>. | ||||

Appendix A. Examples | Appendix A. Examples | |||

A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping | A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping | |||

The following example module has been constructed to illustrate use | The following example module has been constructed to illustrate use | |||

of the "asymmetric-key-pair-with-certs-grouping" grouping defined in | of the "asymmetric-key-pair-with-certs-grouping" grouping defined in | |||

the "ietf-crypto-types" module. | the "ietf-crypto-types" module. | |||

Note that the "asymmetric-key-pair-with-certs-grouping" grouping uses | Note that the "asymmetric-key-pair-with-certs-grouping" grouping uses | |||

both the "asymmetric-key-pair-grouping" and "end-entity-cert- | both the "asymmetric-key-pair-grouping" and "end-entity-cert- | |||
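
Review bot: RFC 8017 and RFC 5915 now sit under 5.2 Informative References, but the public-key and private-key leaf descriptions define the binary encoding by pointing at them (RSAPublicKey and RSAPrivateKey per RFC 8017, ECPrivateKey per RFC 5915), and RFC 2986 likewise defines the mandatory subject input and the certificate-signing-request output. An implementer cannot produce interoperable values without reading those documents, so they read as normative; suggest keeping them in 5.1, or recording the reason for the move in the change log.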

skipping to change at page 48, line 6 ¶ | skipping to change at page 46, line 31 ¶ | |||

</certificates> | </certificates> | |||

</key> | </key> | |||

</keys> | </keys> | |||

A.2. The "generate-hidden-key" Action | A.2. The "generate-hidden-key" Action | |||

The following example illustrates the "generate-hidden-key" action in | The following example illustrates the "generate-hidden-key" action in | |||

use with the NETCONF protocol. | use with the NETCONF protocol. | |||

REQUEST | REQUEST | |||

------- | ||||

<rpc message-id="101" | <rpc message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<action xmlns="urn:ietf:params:xml:ns:yang:1"> | <action xmlns="urn:ietf:params:xml:ns:yang:1"> | |||

<keys xmlns="http://example.com/ns/example-crypto-types-usage"> | <keys xmlns="http://example.com/ns/example-crypto-types-usage"> | |||

<key> | <key> | |||

<name>empty-key</name> | <name>empty-key</name> | |||

<generate-hidden-key> | <generate-hidden-key> | |||

<algorithm | <algorithm | |||

xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||

ct:rsa2048 | ct:rsa2048 | |||

skipping to change at page 48, line 23 ¶ | skipping to change at page 47, line 4 ¶ | |||

<generate-hidden-key> | <generate-hidden-key> | |||

<algorithm | <algorithm | |||

xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||

ct:rsa2048 | ct:rsa2048 | |||

</algorithm> | </algorithm> | |||

</generate-hidden-key> | </generate-hidden-key> | |||

</key> | </key> | |||

</keys> | </keys> | |||

</action> | </action> | |||

</rpc> | </rpc> | |||

RESPONSE | RESPONSE | |||

-------- | ||||

<rpc-reply message-id="101" | <rpc-reply message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<ok/> | <ok/> | |||

</rpc-reply> | </rpc-reply> | |||

A.3. The "install-hidden-key" Action | A.3. The "install-hidden-key" Action | |||

The following example illustrates the "install-hidden-key" action in | The following example illustrates the "install-hidden-key" action in | |||

use with the NETCONF protocol. | use with the NETCONF protocol. | |||

REQUEST | REQUEST | |||

------- | ||||

<rpc message-id="101" | <rpc message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<action xmlns="urn:ietf:params:xml:ns:yang:1"> | <action xmlns="urn:ietf:params:xml:ns:yang:1"> | |||

<keys xmlns="http://example.com/ns/example-crypto-types-usage"> | <keys xmlns="http://example.com/ns/example-crypto-types-usage"> | |||

<key> | <key> | |||

<name>empty-key</name> | <name>empty-key</name> | |||

<install-hidden-key> | <install-hidden-key> | |||

<algorithm | <algorithm | |||

xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||

ct:rsa2048 | ct:rsa2048 | |||

</algorithm> | </algorithm> | |||

<public-key>base64encodedvalue==</public-key> | <public-key>base64encodedvalue==</public-key> | |||

<private-key>base64encodedvalue==</private-key> | <private-key>base64encodedvalue==</private-key> | |||

</install-hidden-key> | </install-hidden-key> | |||

</key> | </key> | |||

</keys> | </keys> | |||

</action> | </action> | |||

</rpc> | </rpc> | |||

RESPONSE | RESPONSE | |||

-------- | ||||

<rpc-reply message-id="101" | <rpc-reply message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<ok/> | <ok/> | |||

</rpc-reply> | </rpc-reply> | |||

A.4. The "generate-certificate-signing-request" Action | A.4. The "generate-certificate-signing-request" Action | |||

The following example illustrates the "generate-certificate-signing- | The following example illustrates the "generate-certificate-signing- | |||

request" action in use with the NETCONF protocol. | request" action in use with the NETCONF protocol. | |||

REQUEST | REQUEST | |||

------- | ||||

<rpc message-id="101" | <rpc message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<action xmlns="urn:ietf:params:xml:ns:yang:1"> | <action xmlns="urn:ietf:params:xml:ns:yang:1"> | |||

<keys xmlns="http://example.com/ns/example-crypto-types-usage"> | <keys xmlns="http://example.com/ns/example-crypto-types-usage"> | |||

<key> | <key> | |||

<name>ex-key-sect571r1</name> | <name>ex-key-sect571r1</name> | |||

<generate-certificate-signing-request> | <generate-certificate-signing-request> | |||

<subject>base64encodedvalue==</subject> | <subject>base64encodedvalue==</subject> | |||

<attributes>base64encodedvalue==</attributes> | <attributes>base64encodedvalue==</attributes> | |||

</generate-certificate-signing-request> | </generate-certificate-signing-request> | |||

</key> | </key> | |||

</keys> | </keys> | |||

</action> | </action> | |||

</rpc> | </rpc> | |||

RESPONSE | RESPONSE | |||

-------- | ||||

<rpc-reply message-id="101" | <rpc-reply message-id="101" | |||

xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> | |||

<certificate-signing-request | <certificate-signing-request | |||

xmlns="http://example.com/ns/example-crypto-types-usage"> | xmlns="http://example.com/ns/example-crypto-types-usage"> | |||

base64encodedvalue== | base64encodedvalue== | |||

</certificate-signing-request> | </certificate-signing-request> | |||

</rpc-reply> | </rpc-reply> | |||

A.5. The "certificate-expiration" Notification | A.5. The "certificate-expiration" Notification | |||

skipping to change at page 51, line 51 ¶ | skipping to change at page 49, line 51 ¶ | |||

o Moved groupings from the draft-ietf-netconf-keystore here. | o Moved groupings from the draft-ietf-netconf-keystore here. | |||

B.3. 01 to 02 | B.3. 01 to 02 | |||

o Removed unwanted "mandatory" and "must" statements. | o Removed unwanted "mandatory" and "must" statements. | |||

o Added many new crypto algorithms (thanks Haiguang!) | o Added many new crypto algorithms (thanks Haiguang!) | |||

o Clarified in asymmetric-key-pair-with-certs-grouping, in | o Clarified in asymmetric-key-pair-with-certs-grouping, in | |||

certificates/certificate/name/description, that if the name MUST | certificates/certificate/name/description, that if the name MUST | |||

not match the name of a certificate that exists independently in | NOT match the name of a certificate that exists independently in | |||

<operational>, enabling certs installed by the manufacturer (e.g., | <operational>, enabling certs installed by the manufacturer (e.g., | |||

an IDevID). | an IDevID). | |||

B.4. 02 to 03 | ||||

o renamed base identity 'asymmetric-key-encryption-algorithm' to | ||||

'asymmetric-key-algorithm'. | ||||

o added new 'asymmetric-key-algorithm' identities for secp192r1, | ||||

secp224r1, secp256r1, secp384r1, and secp521r1. | ||||

o removed 'mac-algorithm' identities for mac-aes-128-ccm, mac-aes- | ||||

192-ccm, mac-aes-256-ccm, mac-aes-128-gcm, mac-aes-192-gcm, mac- | ||||

aes-256-gcm, and mac-chacha20-poly1305. | ||||

o for all -cbc and -ctr identities, renamed base identity | ||||

'symmetric-key-encryption-algorithm' to 'encryption-algorithm'. | ||||

o for all -ccm and -gcm identities, renamed base identity | ||||

'symmetric-key-encryption-algorithm' to 'encryption-and-mac- | ||||

algorithm' and renamed the identity to remove the "enc-" prefix. | ||||

o for all the 'signature-algorithm' based identities, renamed from | ||||

'rsa-*' to 'rsassa-*'. | ||||

o removed all of the "x509v3-" prefixed 'signature-algorithm' based | ||||

identities. | ||||

o added 'key-exchange-algorithm' based identities for 'rsaes-oaep' | ||||

and 'rsaes-pkcs1-v1_5'. | ||||

o renamed typedef 'symmetric-key-encryption-algorithm-ref' to | ||||

'symmetric-key-algorithm-ref'. | ||||

o renamed typedef 'asymmetric-key-encryption-algorithm-ref' to | ||||

'asymmetric-key-algorithm-ref'. | ||||

o added typedef 'encryption-and-mac-algorithm-ref'. | ||||

o Updated copyright date, boilerplate template, affiliation, and | ||||

folding algorithm. | ||||

Acknowledgements | Acknowledgements | |||

The authors would like to thank for following for lively discussions | The authors would like to thank for following for lively discussions | |||

on list and in the halls (ordered by last name): Martin Bjorklund, | on list and in the halls (ordered by last name): Martin Bjorklund, | |||

Balazs Kovacs, Eric Voit, and Liang Xia. | Balazs Kovacs, Eric Voit, and Liang Xia. | |||

Authors' Addresses | Authors' Addresses | |||

Kent Watsen | Kent Watsen | |||

Juniper Networks | Watsen Networks | |||

EMail: kwatsen@juniper.net | EMail: kent+ietf@watsen.net | |||

Wang Haiguang | Wang Haiguang | |||

Huawei | Huawei | |||

EMail: wang.haiguang.shieldlab@huawei.com | EMail: wang.haiguang.shieldlab@huawei.com | |||
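Review bot: In the new B.4 list, the entry adding 'key-exchange-algorithm' identities places 'rsaes-pkcs1-v1_5' next to 'rsaes-oaep' with nothing to distinguish them, although RFC 8017 keeps RSAES-PKCS1-v1_5 only for compatibility with existing applications and requires RSAES-OAEP for new ones. Suggest that the identity's description say this (or mark it as legacy), so an implementation picking from the identity list does not treat the two as interchangeable. Separately, the same list renames the typedef to 'symmetric-key-algorithm-ref' while the -cbc/-ctr and -ccm/-gcm identities move to the bases 'encryption-algorithm' and 'encryption-and-mac-algorithm'; the log should state which base identity the renamed typedef now refers to.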

End of changes. 211 change blocks.

1604 lines changed or deleted | 1612 lines changed or added

