6032
PROPOSED STANDARD
Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type
Authors: S. Turner, R. Housley
Date: December 2010
Working Group: NON WORKING GROUP
Stream: IETF
Abstract
This document defines the Cryptographic Message Syntax (CMS) encrypted key package content type, which can be used to encrypt a content that includes a key package, such as a symmetric key package or an asymmetric key package. It is transport independent. CMS can be used to digitally sign, digest, authenticate, or further encrypt this content type. It is designed to be used with the CMS Content Constraints (CCC) extension, which does not constrain the EncryptedData, EnvelopedData, and AuthEnvelopedData. [STANDARDS-TRACK]
RFC 6032
PROPOSED STANDARD
Internet Engineering Task Force (IETF) S. Turner
Request for Comments: 6032 IECA
Category: Standards Track R. Housley
ISSN: 2070-1721 Vigil Security
December 2010
<span class="h1">Cryptographic Message Syntax (CMS)</span>
<span class="h1">Encrypted Key Package Content Type</span>
Abstract
This document defines the Cryptographic Message Syntax (CMS)
encrypted key package content type, which can be used to encrypt a
content that includes a key package, such as a symmetric key package
or an asymmetric key package. It is transport independent. CMS can
be used to digitally sign, digest, authenticate, or further encrypt
this content type. It is designed to be used with the CMS Content
Constraints (CCC) extension, which does not constrain the
EncryptedData, EnvelopedData, and AuthEnvelopedData.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="https://www.rfc-editor.org/info/rfc6032">http://www.rfc-editor.org/info/rfc6032</a>.
<span class="grey">Turner & Housley Standards Track [Page 1]</span><span id="page-2" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Cryptographic Message Syntax (CMS) specification [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>]
defines mechanisms to digitally sign, digest, authenticate, or
encrypt arbitrary message content. Many specifications define
content types intended for use with CMS. [<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] and [<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>]
define symmetric key package and asymmetric key package content types
that can be signed or encrypted using CMS. CMS allows the
composition of complex messages with an arbitrary number of layers.
CMS has been augmented by several specifications ([<a href="./rfc3274" title=""Compressed Data Content Type for Cryptographic Message Syntax (CMS)"">RFC3274</a>],
[<a href="./rfc4073" title=""Protecting Multiple Contents with the Cryptographic Message Syntax (CMS)"">RFC4073</a>], and [<a href="./rfc5083" title=""Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type"">RFC5083</a>]) that define additional mechanisms to enable
creation of messages of arbitrary depth and breadth using a variety
of authentication, encryption, and compression techniques.
The CMS Content Constraints (CCC) certificate extension [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>]
defines an authorization mechanism that allows recipients to
determine whether the originator of an authenticated CMS content type
is authorized to produce messages of that type. CCC is used to
authorize CMS-protected content. CCC cannot be used to constrain the
following structures that are used to provide layers of protection:
SignedData, EnvelopedData, EncryptedData, DigestData, CompressedData,
AuthenticatedData, ContentCollection, ContentWithAttributes, or
AuthEnvelopedData.
Using the existing CMS mechanisms, producers of authenticated
plaintext key packages can be authorized by including a CCC extension
containing the appropriate content type in the producer's
certificate. However, these mechanisms cannot be used to authorize
the producers of encrypted key material. In some key management
systems, encrypted key packages are exchanged between entities that
cannot decrypt the key package. The encrypted key package itself may
<span class="grey">Turner & Housley Standards Track [Page 2]</span><span id="page-3" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
be authenticated and passed to another entity. In these cases,
checking the authorization of the producer of the encrypted key
package may be desired at the intermediate points.
This document defines the encrypted key package content type, which
can be used to encrypt a content that includes a key package, such as
a symmetric key package [<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] or an asymmetric key package
[<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>]. It is transport independent. The Cryptographic Message
Syntax (CMS) [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>] can be used to digitally sign, digest,
authenticate, or further encrypt this content type.
The encrypted key package content type is designed for use with
[<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>]. To authorize an originator's public key to originate an
encrypted key package, the object identifier associated with the
encrypted key package content type is included in the originator's
public key certificate CCC certificate extension. For CCC to
function, originators encapsulate the encrypted key package in a
SignedData, EnvelopedData, or AuthEnvelopedData; then, during
certificate path validation, the recipient determines whether the
originator is authorized to originate the encrypted key package.
In [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>] terminology, the encrypted key package is a leaf node.
Additional authorization checks may be required once the key package
is decrypted. For example, the key package shown below consists of a
SignedData layer that encapsulates an encrypted key package that
encapsulates a SignedData layer containing a symmetric key package.
A recipient capable of decrypting the key package would perform the
following steps prior to accepting the encapsulated symmetric key
material:
o Verify the signature on the outer SignedData layer per
[<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>].
o Build and validate a certification path of the outer signer and
confirm the outer signer is authorized to produce the encrypted
key package per [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] and [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>].
o Decrypt the encrypted key package.
o Verify the signature on the inner SignedData layer per
[<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>].
o Build and validate a certification path to the signer of the
inner SignedData and confirm the inner signer is authorized to
produce the symmetric key package per [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] and [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>].
As specified in [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>], the validator may use the attributes
and public keys returned from the second step as inputs for this
CMS content constraints processing.
<span class="grey">Turner & Housley Standards Track [Page 3]</span><span id="page-4" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
o Use the symmetric key material.
+--------------------------------------+
| ContentInfo |
| |
| +----------------------------------+ |
| | SignedData | |
| | | |
| | +------------------------------+ | |
| | | EncryptedKeyPackage | | |
| | | (encrypted) | | |
| | | | | |
| | | +-------------------------+ | | |
| | | | SignedData | | | |
| | | | | | | |
| | | | +---------------------+ | | | |
| | | | | SymmetricKeyPackage | | | | |
| | | | +---------------------+ | | | |
| | | +-------------------------+ | | |
| | +------------------------------+ | |
| +----------------------------------+ |
+--------------------------------------+
In the example, authorization of the SymmetricKeyPackage originator
need not require an intermediate SignedData layer. For example, if
the AuthEnvelopedData option within an EncryptedKeyPackage were used,
the second authorization check would be performed beginning with the
authEnveloped field.
This document also defines an unprotected attribute, Content
Decryption Key Identifier, for use with EncryptedData.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Terminology</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. ASN.1 Syntax Notation</span>
The key package is defined using the ASN.1 [<a href="#ref-X.680">X.680</a>], [<a href="#ref-X.681">X.681</a>], [<a href="#ref-X.682">X.682</a>],
and [<a href="#ref-X.683">X.683</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Encrypted Key Package</span>
The encrypted key package content type is used to encrypt a content
that includes a key package. This content type is usually used to
provide encryption of a key package or a signed key package. This
<span class="grey">Turner & Housley Standards Track [Page 4]</span><span id="page-5" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
content type makes use of the CMS EncryptedData content type
[<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>], the CMS EnvelopedData content type [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>], or the CMS
AuthEnvelopedData content type [<a href="./rfc5083" title=""Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type"">RFC5083</a>] depending on the fields that
are needed for key management. The difference between the encrypted
key package content type and these three protecting content types is
the object identifier and one tag; otherwise, the encrypted key
package content type is the same as the selected protecting content
type, which is either EncryptedData, EnvelopedData, or
AuthEnvelopedData.
The encrypted key package content type has the following syntax:
ct-encrypted-key-package CONTENT-TYPE ::=
{ TYPE EncryptedKeyPackage
IDENTIFIED BY id-ct-KP-encryptedKeyPkg }
id-ct-KP-encryptedKeyPkg OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1)
gov(101) dod(2) infosec(1) formats(2)
key-package-content-types(78) 2 }
EncryptedKeyPackage ::= CHOICE {
encrypted EncryptedData,
enveloped [0] EnvelopedData,
authEnveloped [1] AuthEnvelopedData }
The EncryptedData structure is used for simple symmetric encryption,
where the sender and the receiver already share the necessary
encryption key. The EncryptedData structure carries an encryption
algorithm identifier, and an unprotected attribute can be used to
carry an encryption key identifier if one is needed (see <a href="#section-3">Section 3</a>).
See [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>] for further discussion of the EncryptedData fields.
The EnvelopedData structure is used for encryption, where transferred
key management information enables decryption by the receiver.
Encryption details depend on the key management algorithm used. In
addition to the key management information, the EnvelopedData
structure carries an encryption algorithm identifier. See [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>]
for further discussion of the EnvelopedData fields.
The AuthEnvelopedData structure is used for authenticated encryption,
and it includes key management information in a manner similar to
EnvelopedData. Encryption details depend on the key management
algorithm used. In addition to the key management information, the
AuthEnvelopedData structure carries a message authentication code
that covers the content as well as authenticated attributes. See
[<a href="./rfc5083" title=""Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type"">RFC5083</a>] for further discussion of the AuthEnvelopedData fields.
<span class="grey">Turner & Housley Standards Track [Page 5]</span><span id="page-6" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
Implementations of this document MUST support the EnvelopedData
choice, SHOULD support the EncryptedData choice, and MAY support the
AuthEnvelopedData.
Implementations that support EnvelopedData and EncryptedData to
encapsulate with this content type MUST support an
EncryptedKeyPackage that encapsulates either a SignedData [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>]
that further encapsulates a SymmetricKeyPackage [<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] or a
SignedData that further encapsulates an AsymmetricKeyPackage
[<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>]. Implementations that support AuthEnvelopedData to
encapsulate with this content type MUST support an
EncryptedKeyPackage that encapsulates either a SymmetricKeyPackage
[<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] or an AsymmetricKeyPackage [<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>]. It is OPTIONAL for
implementations that support AuthEnvelopedData to encapsulate with
this content type to support an EncryptedKeyPackage that encapsulates
either a SignedData [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>] that further encapsulates a
SymmetricKeyPackage [<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] or a SignedData that further
encapsulates an AsymmetricKeyPackage [<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>]. Likewise,
implementations that process this content type to decrypt the
encapsulated data MUST support an EncryptedKeyPackage that
encapsulates either a SignedData that further encapsulates a
SymmetricKeyPackage or a SignedData that further encapsulates an
AsymmetricKeyPackage. An EncryptedKeyPackage content type MUST
contain at least one SymmetricKeyPackage or AsymmetricKeyPackage.
Implementations MAY support additional encapsulating layers.
Note that interoperability between an originator and a recipient that
do not support the same innermost content (e.g., originator supports
AsymmetricKeyPackage while recipient supports SymmetricKeyPackage) is
not a concern as originators should be aware of the recipient's
capabilities; however, the mechanism for the exchange of the
recipient's capabilities is beyond the scope of this document.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Content Decryption Key Identifier</span>
The content-decryption-key-identifier attribute can be used to
identify the symmetric keying material that is needed for decryption
of the EncryptedData content if there is any ambiguity. The
ATTRIBUTE definition is taken from [<a href="./rfc5912" title=""New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)"">RFC5912</a>]. There MUST be only one
instance of the content-decryption-key-identifier attribute and there
MUST be only one value for the content-decryption-key-identifier
attribute.
<span class="grey">Turner & Housley Standards Track [Page 6]</span><span id="page-7" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
The content-decryption-key-identifier attribute has the following
syntax:
aa-content-decrypt-key-identifier ATTRIBUTE ::= {
TYPE ContentDecryptKeyID
IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
dod(2) infosec(1) attributes(5) 66 }
ContentDecryptKeyID ::= OCTET STRING
The content decryption key identifier contains an OCTET STRING, and
this syntax does not impose any particular structure on the
identifier value.
Due to multiple layers of encryption, the content-decryption-key-
identifier attribute can appear in more than one location in the
overall key package. When there are multiple occurrences of the
content-decryption-key-identifier attribute, each occurrence is
evaluated independently. Each one is used to identify the needed
keying material for that layer of encryption.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
Implementers of this protocol are strongly encouraged to consider
generally accepted principles of secure key management when
integrating this capability within an overall security architecture.
The security considerations from [<a href="./rfc5083" title=""Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type"">RFC5083</a>], [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>], [<a href="./rfc5911" title=""New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME"">RFC5911</a>],
[<a href="./rfc5912" title=""New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)"">RFC5912</a>], [<a href="./rfc5958" title=""Asymmetric Key Packages"">RFC5958</a>], and [<a href="./rfc6031" title=""Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type"">RFC6031</a>] apply. If the CCC extension is
used as an authorization mechanism, then the security considerations
from [<a href="./rfc6010" title=""Cryptographic Message Syntax (CMS) Content Constraints Extension"">RFC6010</a>] also apply.
The encrypted key package content type might not provide proof of
origin if the content encryption algorithm does not support
authenticated key exchange. To provide proof of origin for this
content, another security protocol needs to be used. This is the
reason that support for encapsulating the SymmetricKeyPackage and
AsymmetricKeyPackage with a SignedData content type from [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>] is
required for the EnvelopedData and EncryptedData choices.
When this content type is used the CMS SignedData [<a href="./rfc5652" title=""Cryptographic Message Syntax (CMS)"">RFC5652</a>]
validation rules MUST be used. The PKCS #7 [<a href="./rfc2315" title=""PKCS #7: Cryptographic Message Syntax Version 1.5"">RFC2315</a>] validation
rules MUST NOT be used.
<span class="grey">Turner & Housley Standards Track [Page 7]</span><span id="page-8" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. IANA Considerations</span>
This document makes use of object identifiers to identify a CMS
content type, a CMS attribute, and the ASN.1 module; all found in
<a href="#appendix-A">Appendix A</a>. All OIDs are registered in an arc delegated by RSADSI to
the SMIME Working Group.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC5083">RFC5083</a>] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", <a href="./rfc5083">RFC 5083</a>,
November 2007.
[<a id="ref-RFC5280">RFC5280</a>] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", <a href="./rfc5280">RFC 5280</a>, May 2008.
[<a id="ref-RFC5652">RFC5652</a>] Housley, R., "Cryptographic Message Syntax (CMS)", STD
70, <a href="./rfc5652">RFC 5652</a>, September 2009.
[<a id="ref-RFC5911">RFC5911</a>] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
Cryptographic Message Syntax (CMS) and S/MIME", <a href="./rfc5911">RFC 5911</a>,
June 2010.
[<a id="ref-RFC5912">RFC5912</a>] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", <a href="./rfc5912">RFC 5912</a>,
June 2010.
[<a id="ref-RFC5958">RFC5958</a>] Turner, S., "Asymmetric Key Packages", <a href="./rfc5958">RFC 5958</a>, August
2010.
[<a id="ref-RFC6010">RFC6010</a>] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic
Message Syntax (CMS) Content Constraints Extension", <a href="./rfc6010">RFC</a>
<a href="./rfc6010">6010</a>, September 2010.
[<a id="ref-RFC6031">RFC6031</a>] Turner, S. and R. Housley, "Cryptographic Message Syntax
(CMS) Symmetric Key Package Content Type", <a href="./rfc6031">RFC 6031</a>,
December 2010.
[<a id="ref-X.680">X.680</a>] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
Information Technology - Abstract Syntax Notation One.
<span class="grey">Turner & Housley Standards Track [Page 8]</span><span id="page-9" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
[<a id="ref-X.681">X.681</a>] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002.
Information Technology - Abstract Syntax Notation One:
Information Object Specification.
[<a id="ref-X.682">X.682</a>] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002.
Information Technology - Abstract Syntax Notation One:
Constraint Specification.
[<a id="ref-X.683">X.683</a>] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002.
Information Technology - Abstract Syntax Notation One:
Parameterization of ASN.1 Specifications.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-RFC2315">RFC2315</a>] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", <a href="./rfc2315">RFC 2315</a>, March 1998.
[<a id="ref-RFC3274">RFC3274</a>] Gutmann, P., "Compressed Data Content Type for
Cryptographic Message Syntax (CMS)", <a href="./rfc3274">RFC 3274</a>, June 2002.
[<a id="ref-RFC4073">RFC4073</a>] Housley, R., "Protecting Multiple Contents with the
Cryptographic Message Syntax (CMS)", <a href="./rfc4073">RFC 4073</a>, May 2005.
<span class="grey">Turner & Housley Standards Track [Page 9]</span><span id="page-10" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. ASN.1 Module</span>
This appendix provides the normative ASN.1 [<a href="#ref-X.680">X.680</a>] definitions for
the structures described in this specification using ASN.1, as
defined in [<a href="#ref-X.680">X.680</a>] through [<a href="#ref-X.683">X.683</a>].
EncryptedKeyPackageModuleV1
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-encryptedKeyPkgV1(51) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
IMPORTS
-- From New SMIME ASN.1 [<a href="./rfc5911" title=""New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME"">RFC5911</a>]
EncryptedData, EnvelopedData, CONTENT-TYPE
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004-02(41) }
-- From New SMIME ASN.1 [<a href="./rfc5911" title=""New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME"">RFC5911</a>]
AuthEnvelopedData
FROM CMS-AuthEnvelopedData-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData-02(43) }
-- From New PKIX ASN.1 [<a href="./rfc5912" title=""New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)"">RFC5912</a>]
ATTRIBUTE
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
;
ContentSet CONTENT-TYPE ::= {
ct-encrypted-key-package,
... -- Expect additional content types --
}
<span class="grey">Turner & Housley Standards Track [Page 10]</span><span id="page-11" ></span>
<span class="grey"><a href="./rfc6032">RFC 6032</a> CMS Encrypted Key Package Content Type December 2010</span>
ct-encrypted-key-package CONTENT-TYPE ::=
{ TYPE EncryptedKeyPackage
IDENTIFIED BY id-ct-KP-encryptedKeyPkg }
id-ct-KP-encryptedKeyPkg OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
dod(2) infosec(1) formats(2) key-package-content-types(78) 2 }
EncryptedKeyPackage ::= CHOICE {
encrypted EncryptedData,
enveloped [0] EnvelopedData,
authEnveloped [1] AuthEnvelopedData }
aa-content-decrypt-key-identifier ATTRIBUTE ::= {
TYPE ContentDecryptKeyID
IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
dod(2) infosec(1) attributes(5) 66 }
ContentDecryptKeyID ::= OCTET STRING
END
Authors' Addresses
Sean Turner
IECA, Inc.
3057 Nutley Street, Suite 106
Fairfax, VA 22031
USA
EMail: [email protected]
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: [email protected]
Turner & Housley Standards Track [Page 11]
Annotations
Select text to annotate