1<?xml version="1.0" encoding="US-ASCII"?>
2
3<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
4<!ENTITY rfc2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
5<!ENTITY rfc3279 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
6<!ENTITY rfc4055 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
7<!ENTITY rfc5280 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
8<!ENTITY rfc5480 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
9<!ENTITY rfc5639 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5639.xml">
10<!ENTITY rfc5755 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5755.xml">
11<!ENTITY rfc5758 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5758.xml">
12<!ENTITY rfc5915 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5915.xml">
13<!ENTITY rfc5958 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5958.xml">
14<!ENTITY rfc7468 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7468.xml">
15<!ENTITY rfc7748 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml">
16<!ENTITY rfc8174 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
17<!ENTITY eddsa   SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml">
18<!ENTITY iana SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.schaad-curdle-oid-registry.xml">
19]>
20
21<?rfc strict="yes" ?>
22<?rfc compact="no"?>
23<?rfc toc="yes"?>
24<?rfc symrefs="yes"?>
25
26<rfc category="std"
27     ipr="trust200902"
28     docName="draft-ietf-curdle-pkix-10">
29     
30  <front>
31    
32    <title abbrev="Safe curves for X.509">
33      <!-- Remove PH 
34           Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
35-->           
36      Algorithm Identifiers for Ed25519, Ed448, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
37    </title>
38    
39    <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
40      <organization>SJD AB</organization>
41      <address>
42        <email>simon@josefsson.org</email>
43      </address>
44    </author>
45
46    <author fullname="Jim Schaad" initials="J" surname="Schaad">
47      <organization>August Cellars</organization>
48      <address>
49        <email>ietf@augustcellars.com</email>
50      </address>
51    </author>
52
53    <date/>
54
55    <keyword>Elliptic Curve Cryptography, Curve25519, Curve448,
56    Goldilocks, X.509, PKIX, PKI, OID, ASN.1, EdDSA,
57    Ed25519, Ed448, X25519, X448</keyword>
58
59    <abstract>
60
61      <t>This document specifies algorithm identifiers and ASN.1
62      encoding formats for Elliptic Curve constructs using the curve25519 and curve448 curves.
63      <!-- Remove ph
64           The signature algorithms covered are Ed25519, Ed25519ph, Ed448 and Ed448ph.
65           -->
66      The signature algorithms covered are Ed25519 and Ed448.
67      The key agreement algorithm covered are X25519 and X448.
68      The encoding for Public Key, Private Key and EdDSA digital signature structures is provided.
69      </t>
70
71    </abstract>
72
73  </front>
74
75  <middle>
76
77    <section title="Introduction">
78
79      <t>
80        In <xref target="RFC7748"/>, the elliptic curves curve25519
81      and curve448 are described.  They are designed with performance
82      and security in mind.  The curves may be used for Diffie-Hellman
83      and Digital Signature operations.
84      </t>
85
86      <t>
87        <xref target="RFC7748"/> describes the operations on these curves for the Diffie-Hellman operation.
88        A convention has developed that when these two curves are used with the Diffie-Hellman operation, they are referred to as X25519 and X448.
89        This RFC defines the ASN.1 Object Identifiers (OIDs) for the operations X25519 and X448 along with the associated parameters.
90        The use of these OIDs is described for public and private keys.
91      </t>
92        
93
94      <t>
95        In <xref target="RFC8032"/> the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448.
96        EdDSA has defined two modes, the PureEdDSA mode without pre-hashing, and the HashEdDSA mode with pre-hashing.
97        <!-- Remove pre-hash
98             The Ed25519ph and Ed448ph algorithm definitions specify the one-way hash function that is used for pre-hashing.
99             The convention used for identifying the algorithm/curve combinations are to use the Ed25519 and Ed448 for the PureEdDSA mode, with Ed25519ph and Ed448ph for the HashEdDSA mode.
100             -->
101        The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode.
102        The document does not provide the conventions needed for the pre-hash versions of the signature algorithm.
103        The use of the OIDs is described for public keys, private keys and signatures.
104      </t>
105
106      <t>
107        <xref target="RFC8032"/> additionally defined the concept of a context.
108        Contexts can be used to differentiate signatures generated for different purposes with the same key.
109        The use of contexts is not defined in this document for the following reasons:
110        <list style="symbols">
111          <t>The current implementations of Ed25519 do not support the use of contexts, thus if specified it will potentially delay the use of these algorithms further.</t>
112          <t>
113            The EdDSA algorithms  are the only IETF algorithms that currently support the use of contexts, however there is a possibility that there will be confusion between which algorithms need to have separate keys and which do not.
114            This may result in a decrease of security for those other algorithms.
115          </t>
116          <t>
117            There are still ongoing discussions among the cryptographic community about how effective the use of contexts is for preventing attacks.
118          </t>
119          <t>
120            There needs to be discussions about the correct way to identify when context strings are to be used.
121            It is not clear if different OIDs should be used for different contexts, or the OID should merely note that a context string needs to be provided.
122          </t>
123        </list>
124      </t>
125    </section>
126
127    <section title="Requirements Terminology">
128
129      <t>
130The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
131      NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
132      "MAY", and "OPTIONAL" in this document are to be interpreted as
133      described in BCP 14 <xref target="RFC2119" /> <xref target="RFC8174"/> when, and only when, they
134      appear in all capitals, as shown here.
135      </t>
136
137    </section>
138
139    <section title="Curve25519 and Curve448 Algorithm Identifiers">
140
141      <t>Certificates conforming to <xref target="RFC5280"/> can
142      convey a public key for any public key algorithm.  The
143      certificate indicates the algorithm through an algorithm
144      identifier.  This algorithm identifier is an OID and optionally
145      associated parameters.
146      </t>
147      
148      <t>The AlgorithmIdentifier type, which is included for
149      convenience, is defined as follows:</t>
150
151      <figure>
152        <artwork><![CDATA[
153AlgorithmIdentifier  ::=  SEQUENCE  {
154    algorithm   OBJECT IDENTIFIER,
155    parameters  ANY DEFINED BY algorithm OPTIONAL
156}
157]]></artwork>
158      </figure>
159
160      <t>The fields in AlgorithmIdentifier have the following
161      meanings:</t>
162
163      <t><list style="symbols">
164        <t>algorithm identifies the cryptographic algorithm with an
165        object identifier.  Four such OIDs are defined below.</t>
166
167    <t>parameters, which are optional, are the associated
168    parameters for the algorithm identifier in the algorithm
169    field.
170    </t>
171      </list></t>
172
173      <t>
174        <!-- RFC Editor:  I have been told that the following three sentences should be joined together, I tend to think
175             that they are correct as separate items but it is something that a copy editor should look at -->
176    In this document we define four new OIDs for identifying the different curve/algorithm pairs.
177    The curves being curve25519 and curve448.
178    The algorithms being ECDH and EdDSA in pure mode. <!--  and EdDSA in pre-hash mode. -->
179    For all of the OIDs, the parameters MUST be absent.
180      </t>
181
182  <t>
183    It is possible to find systems that require the parameters to be present.
184    This can be either due to a defect in the original 1997 syntax or a programming error where developers never got input where this was not true.
185    The optimal solution is to fix these systems, where this is not possible the problem needs to be restricted to that subsystem and not propigated to the internet.
186  </t>
187      <t>
188        The same algorithm identifiers are used for identifying a public key, identifying a private key and identifying a signature (for the two EdDSA related OIDs).
189        Additional encoding information is provided below for each of these locations.
190      </t>
191
192      <!--  Remove pre-hash algorithms
193        id-Ed25519ph OBJECT IDENTIFIER ::= { 1 3 101 114 }
194        id-Ed448ph   OBJECT IDENTIFIER ::= { 1 3 101 115 }
195      -->
196      
197      <figure>
198        <artwork><![CDATA[
199id-X25519    OBJECT IDENTIFIER ::= { 1 3 101 110 }
200id-X448      OBJECT IDENTIFIER ::= { 1 3 101 111 }
201id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
202id-Ed448     OBJECT IDENTIFIER ::= { 1 3 101 113 }
203]]></artwork>
204      </figure>
205
206      <!--
207      <t>The OID id-Curve25519 refers to Curve25519.  The OID
208      id-Curve448 refers to Curve448.  Both curves are described in
209      <xref target="RFC7748"/>.  The OIDs id-Curve25519ph and
210      id-Curve448ph refers to Curve25519 and Curve448 when used with
211      pre-hashing as Ed25519ph and Ed448ph described in <xref
212      target="RFC8032"/>.</t>
213      
214      <t>The public key value encoded into the ECPoint value is the
215      raw binary values described in <xref target="RFC7748"/>.</t>
216      -->
217
218    </section>
219
220    <section title="Subject Public Key Fields">
221
222      <t>In the X.509 certificate, the subjectPublicKeyInfo field has
223      the SubjectPublicKeyInfo type, which has the following ASN.1
224      syntax:</t>
225
226      <figure>
227        <artwork><![CDATA[
228SubjectPublicKeyInfo  ::=  SEQUENCE  {
229    algorithm         AlgorithmIdentifier,
230    subjectPublicKey  BIT STRING
231}
232]]></artwork>
233      </figure>
234
235      <t>The fields in SubjectPublicKeyInfo have the following meanings:</t>
236
237      <t><list style="symbols">
238        <t>algorithm is the algorithm identifier and parameters for
239        the public key (see above).</t>
240
241        <t>subjectPublicKey contains the byte stream of the public key.
242        The algorithms defined in this document always encode the public key as an exact multiple of 8-bits.
243        </t>
244      </list></t>
245
246      <t>
247        Both <xref target="RFC7748"/> and <xref target="RFC8032"/> define the public key value as being a byte string.
248        It should be noted that the public key is computed differently for each of these documents, thus the same private key will not produce the same public key.
249      </t>
250
251      <t>The following is an example of a public key encoded using the  textual encoding defined in  <xref target="RFC7468"/>.</t>
252
253      <figure>
254<artwork><![CDATA[
255-----BEGIN PUBLIC KEY-----
256MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
257-----END PUBLIC KEY-----      
258]]></artwork>
259      </figure>
260    </section>
261
262    <!--
263    <section title="EdDSA Public Keys">
264
265      <t>Certificates conforming to <xref target="RFC5280"/> may
266      convey a public key for any public key algorithm.  The
267      certificate indicates the algorithm through an algorithm
268      identifier.  This algorithm identifier is an OID and optionally
269      associated parameters.</t>
270
271      <t>This section identify the OID and parameters for the EdDSA
272      algorithm.  Conforming CAs MUST use the identified OIDs when
273      issuing certificates containing EdDSA public keys.  Conforming
274      applications supporting EdDSA MUST, at a minimum, recognize the
275      OID identified in this section.</t>
276
277      <t>The id-EdDSAPublicKey OID is used for identifying EdDSA
278      public keys.</t>
279
280      <figure>
281      <artwork><![CDATA[
282       id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 }
283       ]]></artwork>
284      </figure>
285
286      <t>The id-EdDSAPublicKey OID is intended to be used in the
287      algorithm field of a value of type AlgorithmIdentifier.</t>
288
289      <t>EdDSA public keys use the parameter field to specify the
290      particular instantiation of EdDSA parameters.  The parameters
291      field have the ASN.1 type EdDSAParameters as follows.</t>
292
293      <figure>
294      <artwork><![CDATA[
295      EdDSAParameters ::= ENUMERATED { ed25519   (1),
296          ed25519ph (2) }
297          ed448     (3) }
298          ed448ph   (4) }
299]]></artwork>
300     </figure>
301
302      <t>The EdDSAParameters enumeration may be extended in the
303      future.</t>
304
305      <t>The "ed25519" and "ed448" values correspond to the PureEdDSA
306      variants, and the "ed25519ph" and "ed448ph" values correspond to
307      the HashEdDSA variants, as discussed in <xref
308      target="RFC8032"/>.</t>
309
310      <t>The raw binary EdDSA public key is encoded directly in the
311      subjectPublicKey BIT STRING object.  Note that unlike some other
312      schemes, there is no additional OCTET STRING encoding step.</t>
313
314</section>
315-->
316    
317    <section title="Key Usage Bits">
318      
319      <t>The intended application for the key is indicated in the
320      keyUsage certificate extension.</t>
321
322      <t>
323        If the keyUsage extension is present in a certificate that indicates
324        id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST
325        be present:
326      </t>
327
328      <figure><artwork>
329        keyAgreement;
330      </artwork></figure>
331
332      <t>
333        one of the following MAY also be present:
334      </t>
335
336      <t>
337        <figure><artwork>
338          encipherOnly; or
339          decipherOnly.
340          </artwork>
341        </figure>
342      </t>
343
344      <t>
345        If the keyUsage extension is present in an end-entity
346        <!-- Remove pre-hash
347      certificate that indicates id-EdDSA25519, id-EdDSA25519ph, id-EdDSA448 or id-EdDSA448ph
348        -->
349      certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension
350      MUST contain one or both of the following values:</t>
351
352      <figure>
353        <artwork><![CDATA[
354        nonRepudiation; and
355        digitalSignature.
356]]></artwork>
357      </figure>
358
359      <t>If the keyUsage extension is present in a certification
360      authority certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension
361      MUST contain one or more of the following values:</t>
362
363      <figure>
364<artwork><![CDATA[
365       nonRepudiation;
366       digitalSignature;
367       keyCertSign; and
368       cRLSign.
369       ]]></artwork>
370      </figure>
371
372        <!-- Remove pre-hash
373        <t>
374        CAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of certificates or CRLs.
375        This is implied by the fact that those algorithms are not listed in the previous paragraph.
376        Additionally OCSP responders SHOULD NOT use the pre-hash versions of the EdDSA algorithms when generating OCSP responses.
377        No restriction is placed on generation of OCSP requests.
378        </t>
379
380
381      <t>
382        AAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of attribute certificates or attribute CRLs <xref target="RFC5755"/>.
383      </t>
384
385      <t>
386        The decision to require the use of pure mode balances the higher security of having a single failure point against the possibility that constrained devices, such as Hardware Security Modules (HSMs), may be unable to check signatures on CRLs due to the amount of memory required to hold the entire CRL in memory at one time.
387        This concern can be addressed by CAs using CRL distribution points, combined with segmenting the certificates issued so that the length of any segmented CRL is not "too long" even if a large percentage of the certificates are revoked.
388        The definition of "too long" is going to be highly dependent on what constrained device is being used, it can be on the order of single or low double digit kilobytes.
389      </t>
390        -->
391        
392
393    </section>
394
395    <section title="EdDSA Signatures">
396
397      <t>
398        Signatures can be placed in a number of different ASN.1 structures.
399        The top level structure for a certificate is given below as being illustrative of how signatures are frequently encoded with an algorithm identifier and a location for the signature.
400      </t>
401
402
403      <figure>
404<artwork><![CDATA[
405   Certificate  ::=  SEQUENCE  {
406        tbsCertificate       TBSCertificate,
407        signatureAlgorithm   AlgorithmIdentifier,
408        signatureValue       BIT STRING  }
409]]></artwork>
410      </figure>
411
412      <t>
413        The same algorithm identifiers are used for signatures as are used for public keys.
414        When used to identify signature algorithms, the parameters MUST be absent.
415      </t>
416
417      <t>The data to be signed is prepared for EdDSA.  Then, a private
418      key operation is performed to generate the signature value.
419      This value is the opaque value ENC(R) || ENC(S) described in
420      section 3.3 of <xref target="RFC8032"/>.
421      
422      The octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping.
423      For the Certificate structure, the signature value is wrapped in the "signatureValue" BIT STRING field.
424      </t>
425
426      <!-- Remove Prehash
427      <t>
428        When the pre-hash versions of the EdDSA signature algorithms are used, the hash function used for the pre-hash is defined by the algorithm.
429        This means that the pre-hash function is implicitly included in the algorithm identifier rather than being explicit as done in <xref target="RFC3279"/>.
430        </t>
431        -->
432
433      
434    </section>
435
436    <section title="Private Key Format">
437
438      <t>
439        <xref target="RFC5958">Asymmetric Key Packages</xref> describes how to encode a private key in a structure that both identifies what algorithm the private key is for, but allows for the public key and additional attributes about the key to be included as well.
440        For illustration, the ASN.1 structure OneAsymmetricKey is replicated below.
441        The algorithm specific details of how a private key is encoded is left for the document describing the algorithm itself.
442      </t>
443      
444      <figure>
445        <artwork><![CDATA[
446OneAsymmetricKey ::= SEQUENCE {
447   version Version,
448   privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
449   privateKey PrivateKey,
450   attributes [0] IMPLICIT Attributes OPTIONAL,
451   ...,
452   [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
453   ...
454}
455
456PrivateKey ::= OCTET STRING
457
458PublicKey ::= BIT STRING
459]]></artwork>
460      </figure>
461
462      <t>
463        For the keys defined in this document, the private key is always an opaque byte sequence.
464        The ASN.1 type CurvePrivateKey is defined in this document to hold the byte sequence.
465        Thus when encoding a OneAsymmetricKey object, the private key is wrapped in an CurvePrivateKey object and wrapped by the OCTET STRING of the "privateKey" field.
466      </t>
467
468      <figure>
469      <artwork><![CDATA[
470CurvePrivateKey ::= OCTET STRING
471]]></artwork>
472      </figure>
473      
474      <t>
475To encode a EdDSA, X25519 or X448 private key, the
476"privateKey" field will hold the encoded private key.
477The "privateKeyAlgorithm" field uses the AlgorithmIdentifier structure.
478The structure is encoded as defined above.
479If present, the "publicKey" field will hold the encoded key as defined in <xref target="RFC7748"/> and <xref target="RFC8032"/>.
480      </t>
481
482      <t>The following is an example of a private key encoded using the textual encoding defined in  <xref target="RFC7468"/>.</t>
483
484      <figure>
485<artwork><![CDATA[
486-----BEGIN PRIVATE KEY-----
487MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
488-----END PRIVATE KEY-----
489]]></artwork>
490      </figure>
491
492      <t>
493        The following example, in addition to encoding the private key, additionally has an attribute included as well as the public key.
494        As with the prior example, the textual  encoding defined in <xref target="RFC7468"/> is used.
495      </t>
496      <figure>
497        <artwork><![CDATA[
498-----BEGIN PRIVATE KEY-----
499MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
500oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
501Z9w7lshQhqowtrbLDFw4rXAxZuE=
502-----END PRIVATE KEY------]]></artwork>
503      </figure>
504
505      <t>
506        NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in <xref target="RFC7748"/>.
507        This means that they will not accept a private key structure which contains the public key field.
508        This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.
509      </t>
510    </section>
511
512    <section title="Human Readable Algorithm Names">
513
514      <t>For the purpose of consistent cross-implementation naming,
515      this section establishes human readable names for the algorithms
516      specified in this document.  Implementations SHOULD use these
517      names when referring to the algorithms.  If there is a strong
518      reason to deviate from these names -- for example, if the
519      implementation has a different naming convention and wants to
520      maintain internal consistency -- it is encouraged to deviate as
521      little as possible from the names given here.</t>
522
523      <t>Use the string "ECDH" when referring to a public key of type "X25519" or "X448" when the curve is not known or relevant.</t>
524
525      <t>When the curve is known, use the more specific string of "X25519" or "X448".</t>
526      
527      
528      <t>Use the string "EdDSA" when referring to a signing public key or
529      signature when the curve is not known or relevant.</t>
530
531      <t>When the curve is known, use a more specific
532      string. 
533      For the id-Ed25519 value use the string "Ed25519".
534      <!-- Remove pre-hash
535      For
536      the id-EdDSA25519ph value use the string "Ed25519ph".  --> For id-Ed448
537      use "Ed448".  <!-- Remvoe prehash For id-EdDSA448ph use "Ed448ph".--></t>
538      
539    </section>
540
541    <section title="ASN.1 Module" anchor="module">
542
543      <t>For reference purposes, the ASN.1 syntax is presented as an
544      ASN.1 module here.</t>
545
546      <figure>
547<artwork><![CDATA[
548-- ASN.1 Module
549
550Safecurves-pkix-0 -- TBD - IANA assigned module OID
551
552DEFINITIONS EXPLICIT TAGS ::=
553BEGIN
554
555IMPORTS
556  SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
557  KeyUsage, AlgorithmIdentifier
558  FROM AlgorithmInformation-2009 
559    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
560    mechanisms(5) pkix(7) id-mod(0)
561    id-mod-algorithmInformation-02(58)}
562
563  mda-sha512
564  FROM PKIX1-PSS-OAEP-Algorithms-2009
565    { iso(1) identified-organization(3) dod(6) internet(1)
566      security(5) mechanisms(5) pkix(7) id-mod(0)
567      id-mod-pkix1-rsa-pkalgs-02(54) }
568
569  kwa-aes128-wrap, kwa-aes256-wrap
570  FROM CMSAesRsaesOaep-2009
571    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
572      smime(16) modules(0) id-mod-cms-aes-02(38) }
573  ;
574    
575
576id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
577
578id-X25519        OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
579id-X448          OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
580id-Ed25519       OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
581id-Ed448         OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
582
583
584 sa-Ed25519 SIGNATURE-ALGORITHM ::= {
585    IDENTIFIER id-Ed25519
586     PARAMS ARE absent
587     PUBLIC-KEYS {pk-Ed25519}
588     SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
589 }
590
591 pk-Ed25519 PUBLIC-KEY ::= {
592     IDENTIFIER id-Ed25519
593     -- KEY no ASN.1 wrapping --
594     PARAMS ARE absent
595     CERT-KEY-USAGE {digitalSignature, nonRepudiation,
596                     keyCertSign, cRLSign}
597     PRIVATE-KEY CurvePrivateKey
598 }
599
600 kaa-X25519 KEY-AGREE ::= {
601     IDENTIFIER id-X25519
602     PARAMS ARE absent
603     PUBLIC-KEYS {pk-X25519}
604     UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
605     SMIME-CAPS {
606        TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
607        IDENTIFIED BY id-X25519 }
608 }
609
610 pk-X25519 PUBLIC-KEY ::= {
611     IDENTIFIER id-X25519
612     -- KEY no ASN.1 wrapping --
613     PARAMS ARE absent
614     CERT-KEY-USAGE { keyAgreement }
615     PRIVATE-KEY CurvePrivateKey
616 }
617
618 KeyWrapAlgorithms KEY-WRAP ::= {
619     kwa-aes128-wrap | kwa-aes256-wrap,
620     ...
621 }
622     
623 kaa-X448 KEY-AGREE ::= {
624     IDENTIFIER id-X448
625     PARAMS ARE absent
626     PUBLIC-KEYS {pk-X448}
627     UKM -- TYPE no ASN.1 wrapping  -- ARE preferredPresent
628     SMIME-CAPS {
629        TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
630        IDENTIFIED BY id-X448 }
631 }
632
633 pk-X448 PUBLIC-KEY ::= {
634     IDENTIFIER id-X448
635     -- KEY no ASN.1 wrapping --
636     PARAMS ARE absent
637     CERT-KEY-USAGE { keyAgreement }
638     PRIVATE-KEY CurvePrivateKey
639 }
640
641CurvePrivateKey ::= OCTET STRING
642    
643                                 
644END
645]]></artwork>
646      </figure>
647
648    </section>
649
650    <section title="Examples">
651
652      <t>This section contains illustrations of EdDSA public keys and
653      certificates, illustrating parameter choices.</t>
654
655
656      <section title="Example Ed25519 Public Key">
657
658<t>An example of a Ed25519 public key:</t>
659
660<figure>
661  <artwork><![CDATA[
662      Public Key Information:
663          Public Key Algorithm: Ed25519
664          Algorithm Security Level: High
665
666      Public Key Usage:
667      
668      Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
669      
670      -----BEGIN PUBLIC KEY-----
671      MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
672      -----END PUBLIC KEY-----
673]]></artwork>
674</figure>
675      
676      </section>
677
678      <section title="Example X25519 Certificate">
679
680<t>An example of a self issued PKIX certificate using Ed25519 to sign a X25519 public key would be:</t>
681
682<figure>
683  <artwork><![CDATA[
684  0 300: SEQUENCE {
685  4 223:   SEQUENCE {
686  7   3:     [0] {
687  9   1:       INTEGER 2
688       :       }
689 12   8:     INTEGER 56 01 47 4A 2A 8D C3 30
690 22   5:     SEQUENCE {
691 24   3:       OBJECT IDENTIFIER
692       :         Ed 25519 signature algorithm { 1 3 101 112 }
693       :       }
694 29  25:     SEQUENCE {
695 31  23:       SET {
696 33  21:         SEQUENCE {
697 35   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
698 40  14:           UTF8String 'IETF Test Demo'
699       :           }
700       :         }
701       :       }
702 56  30:     SEQUENCE {
703 58  13:       UTCTime 01/08/2016 12:19:24 GMT
704 73  13:       UTCTime 31/12/2040 23:59:59 GMT
705       :       }
706 88  25:     SEQUENCE {
707 90  23:       SET {
708 92  21:         SEQUENCE {
709 94   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
710 99  14:           UTF8String 'IETF Test Demo'
711       :           }
712       :         }
713       :       }
714115  42:     SEQUENCE {
715117   5:       SEQUENCE {
716119   3:         OBJECT IDENTIFIER
717       :           ECDH 25519 key agreement { 1 3 101 110 }
718       :         }
719124  33:       BIT STRING
720       :         85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
721       :         0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
722       :       }
723159  69:     [3] {
724161  67:       SEQUENCE {
725163  15:         SEQUENCE {
726165   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
727170   1:           BOOLEAN TRUE
728173   5:           OCTET STRING, encapsulates {
729175   3:             SEQUENCE {
730177   1:               BOOLEAN FALSE
731       :               }
732       :             }
733       :           }
734180  14:         SEQUENCE {
735182   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
736187   1:           BOOLEAN FALSE
737190   4:           OCTET STRING, encapsulates {
738192   2:             BIT STRING 3 unused bits
739       :               '10000'B (bit 4)
740       :             }
741       :           }
742196  32:         SEQUENCE {
743198   3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
744203   1:           BOOLEAN FALSE
745206  22:           OCTET STRING, encapsulates {
746208  20:             OCTET STRING
747       :               9B 1F 5E ED ED 04 33 85 E4 F7 BC 62 3C 59 75
748       :               B9 0B C8 BB 3B
749       :             }
750       :           }
751       :         }
752       :       }
753       :     }
754230   5:   SEQUENCE {
755232   3:     OBJECT IDENTIFIER
756       :       Ed 25519 signature algorithm { 1 3 101 112 }
757       :     }
758237  65:   BIT STRING
759       :     AF 23 01 FE DD C9 E6 FF C1 CC A7 3D 74 D6 48 A4
760       :     39 80 82 CD DB 69 B1 4E 4D 06 EC F8 1A 25 CE 50
761       :     D4 C2 C3 EB 74 6C 4E DD 83 46 85 6E C8 6F 3D CE
762       :     1A 18 65 C5 7A C2 7B 50 A0 C3 50 07 F5 E7 D9 07
763       :   }
764      
765-----BEGIN CERTIFICATE-----
766MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX
767N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD
768DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj
769ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg
770BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v
771/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg
772w1AH9efZBw==
773-----END CERTIFICATE-----
774]]></artwork>
775</figure>
776
777      </section>
778
779      <section title="Examples of Ed25519 Private Key">
780        <t>
781          An example of an Ed25519 private key without the public key:
782        </t>
783    
784      <figure>
785<artwork><![CDATA[
786-----BEGIN PRIVATE KEY-----
787MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
788-----END PRIVATE KEY-----
789]]></artwork>
790      </figure>
791
792      <t>The same item dumped as ASN.1 yields:
793      </t>
794
795      <figure><artwork>
796 0 30   46: SEQUENCE {
797 2 02    1:   INTEGER 0
798 5 30    5:   SEQUENCE {
799 7 06    3:     OBJECT IDENTIFIER
800          :       Ed 25519 signature algorithm { 1 3 101 112 }
801          :     }
80212 04   34:   OCTET STRING
803          :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
804          :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
805          :     58 42
806          :   }
807          </artwork>
808      </figure>
809
810      <t>
811        Note that the value of the private key is:
812      </t>
813
814      <figure><artwork>
815D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD
8163A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42
817</artwork></figure>
818
819
820        <t>
821          An example of the same Ed25519 private key encoded with an attribute and the public key:
822        </t>
823    
824      <figure>
825<artwork><![CDATA[
826-----BEGIN PRIVATE KEY-----
827MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
828oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
829Z9w7lshQhqowtrbLDFw4rXAxZuE=
830-----END PRIVATE KEY-----
831]]></artwork>
832      </figure>
833
834      <t>The same item dumped as ASN.1 yields:
835      </t>
836
837      <figure><artwork>
838  0 114: SEQUENCE {
839  2   1:   INTEGER 1
840  5   5:   SEQUENCE {
841  7   3:     OBJECT IDENTIFIER '1 3 101 112'
842       :     }
843 12  34:   OCTET STRING, encapsulates {
844       :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
845       :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
846       :     58 42
847       :     }
848 48  31:   [0] {
849 50  29:     SEQUENCE {
850 52  10:       OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20'
851 64  15:       SET {
852 66  13:         UTF8String 'Curdle Chairs'
853       :         }
854       :       }
855       :     }
85681  33:   [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B
857              96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66
858              E1
859       :   }
860          </artwork>
861      </figure>
862
863    </section>
864  </section>
865  
866    <section anchor="ack"
867             title="Acknowledgments">
868
869      <t>Text and/or inspiration were drawn from <xref
870      target="RFC5280"/>, <xref target="RFC3279"/>, <xref
871      target="RFC4055"/>, <xref target="RFC5480"/>, and <xref
872      target="RFC5639"/>.</t>
873
874      <t>The following people discussed the document and provided
875      feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick
876      Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos,
877      Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.</t>
878
879      <t>A big thank you to Symantec for kindly donating the OIDs used
880      in this draft.</t>
881      
882    </section>
883
884    <section title="IANA Considerations">
885
886      <t>
887        IANA is requested to assign a module OID from the "SMI for PKIX Module Identifier" registry for the ASN.1 module in <xref target="module"/>.
888      </t>
889
890      <t>
891 The OIDs are being independently registered in the IANA registry "SMI Security for Cryptographic Algorithms" in  <xref target="I-D.schaad-curdle-oid-registry"/>.
892      </t>
893
894    </section>
895
896    <section anchor="Security" title="Security Considerations">
897
898      <t>
899        The security considerations of <xref target='RFC5280' />, <xref target="RFC7748"/>, and <xref target="RFC8032"/> apply accordingly.
900      </t>
901
902      <t>
903        The procedures for going from a private key to a public key are different for when used with Diffie-Hellman and when used with Edwards Signatures.
904        This means that the same public key cannot be used for both ECDH and EdDSA.
905      </t>
906
907      <!--
908      <t>
909        In the original design of Ed25519 signatures, there was a known attack between the pure and the pre-hash version of the signatures.
910        This has since been corrected in the final version of the design.
911        The initial problem meant that there was a known attack, and therefore a known reason to forbid the use of Ed25519 keys with the Ed25519ph signature scheme and visa versa.
912        With the change in the design this attack has been prevented.
913        This does not mean that the same Ed25519 key should be used with both schemes, there still may be attacks where collisions can be found.
914        For this reason, the same keys are not to be used for the pure and pre-hash versions of the scheme.
915        This applies to both curve 25519 and curve 448.
916        </t>
917        -->
918
919    </section>
920
921  </middle>
922
923  <back>
924
925    <references title="Normative References">
926
927      &rfc2119;
928      &rfc5280;
929      &rfc5480;
930      &rfc7748;
931      &eddsa;
932      &rfc5958;
933      &rfc8174;
934
935    </references>
936
937    <references title="Informative References">
938
939      &rfc3279;
940      &rfc4055;
941      &rfc5639;
942      <!-- Remove for pre-hash
943           &rfc5755;
944           -->
945<!--      &rfc5758; -->
946<!--      &rfc5915; -->
947&rfc7468;
948&iana;
949
950    </references>
951
952    <section title="Invalid Encodings">
953      <t>
954        There are a number of things that need to be dealt with when a new key part is decoded and imported into the system.
955        A partial list of these includes:
956        <list style="symbols">
957          <t>
958            ASN.1 encoding errors:
959            Two items are highlighted here.
960            First, the use of an OCTET STRING rather than a BIT STRING for the public key.
961            This was an incorrect copy of the structure from <xref target="RFC5958"/> which was corrected before publication.
962            However, any early implementation may have this wrong.
963            Second, the value of the version field is required to be 0 if the publicKey is absent and 1 if present.
964            This is called out in <xref target="RFC5958"/> but is not duplicated in the main text.
965          </t>
966          <t>
967            Key encoding errors:
968            Both <xref target="RFC7748"/> and <xref target="RFC8032"/> have formatting requirements for keys that need to be enforced.
969            In some cases the enforcement is done at the time of importing, for example doing masking or a mod p operation.
970            In other cases the enforcement is done by rejecting the keys and having an import failure.
971          </t>
972          <t>
973            Key mismatch errors: If a public key is provided, it may not agree with the private key either because it is wrong or the wrong algorithm was used.
974          </t>
975        </list>
976      </t>
977
978      <t>
979        Some systems are also going to be stricter on what they accept.
980        As stated in <xref target="RFC5958"/>, BER decoding of OneAsymmetricKey objects is a requirement for compliance.
981        Despite this requirement, some acceptors will only decode DER formats.
982        The following is a BER encoding of a private key, as such is is valid, but it may not be accepted by many systems.
983      </t>
984
985      <figure><artwork>
986-----BEGIN PRIVATE KEY-----
987MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1W
988EIAAA==
989-----END PRIVATE KEY-----      
990      </artwork></figure>
991
992
993
994      <t>
995        What follows here is a brief sampling of some incorrect keys.
996      </t>
997
998      <t>
999        In the following example, the private key does not match the masking requirements for X25519.
1000        For this example the top bits are set to zero and the bottom three bits are set to 001.
1001      </t>
1002
1003      <figure><artwork>
1004-----BEGIN PRIVATE KEY-----
1005MFMCAQEwBQYDK2VuBCIEIPj///////////////////////////////////////8/oS
1006MDIQCEfA0sN1I082XmYJVRh6NzWg92E9FgnTpqTYxTrqpaIg==
1007-----END PRIVATE KEY-----
1008      </artwork></figure>
1009
1010      <t>
1011        In the following examples, the key is the wrong length because an all zero byte has been removed.
1012        In one case the first byte has been removed, in the other case the last byte has been removed.
1013      </t>
1014
1015      <figure><artwork>
1016-----BEGIN PRIVATE KEY-----
1017MFICAQEwBQYDK2VwBCIEIC3GfeUYbZGTAhwLEE2cbvJL7ivTlcy17VottfN6L8HwoS
1018IDIADBfk2Lv/J8H7YYwj/OmIcDx++jzVkKrKwS0/HjyQyM
1019-----END PRIVATE KEY-----
1020      </artwork></figure>
1021
1022      <figure><artwork>
1023-----BEGIN PRIVATE KEY-----
1024MFICAQEwBQYDK2VwBCIEILJXn1VaLqvausjUaZexwI/ozmOFjfEk78KcYN+7hsNJoS
1025IDIACdQhJwzi/MCGcsQeQnIUh2JFybDxSrZxuLudJmpJLk
1026-----END PRIVATE KEY-----
1027      </artwork></figure>
1028
1029
1030    </section>
1031  </back>
1032</rfc>
  • <?xml version="1.0" encoding="US-ASCII"?>
  • <!DOCTYPE rfc SYSTEM "rfc2629.dtd">
  • <?rfc strict="yes" ?>
  • <?rfc compact="yes"?>
  • <?rfc subcompact="no"?>
  • <?rfc compact="no"?>
  • <?rfc toc="yes"?>
  • <?rfc symrefs="yes"?>
  • <rfc category="std" ipr="trust200902" docName="draft-ietf-curdle-pkix-10" obsoletes="" updates="" submissionType="IETF" {http://www.w3.org/XML/1998/namespace}lang="en" consensus="yes" number="8410">
    • <front>
      • <title abbrev="Safe curves for X.509" abbrev="Safe Curves for X.509">
        • <--  Remove PH 
                     Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
           -->
        • Algorithm Identifiers for Ed25519, Ed448, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
        • Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure
        • </title>
      • <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
        • <organization>
          • SJD AB
          • </organization>
        • <address>
          • <email>
            • simon@josefsson.org
            • </email>
          • </address>
        • </author>
      • <author fullname="Jim Schaad" initials="J" surname="Schaad">
        • <organization>
          • August Cellars
          • </organization>
        • <address>
          • <email>
            • ietf@augustcellars.com
            • </email>
          • </address>
        • </author>
      • <date month="July" year="2018"/>
      • <keyword>
        • Elliptic Curve Cryptography, Curve25519, Curve448, Goldilocks, X.509, PKIX, PKI, OID, ASN.1, EdDSA, Ed25519, Ed448, X25519, X448
        • </keyword>
      • <abstract>
        • <t>
          • This document specifies algorithm identifiers and ASN.1 encoding formats for Elliptic Curve constructs using the curve25519 and curve448 curves.
          • <--  Remove ph
                       The signature algorithms covered are Ed25519, Ed25519ph, Ed448 and Ed448ph.
                        -->
          • The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithm covered are X25519 and X448. The encoding for Public Key, Private Key and EdDSA digital signature structures is provided.
          • This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.
          • </t>
        • </abstract>
      • </front>
    • <middle>
      • <section title="Introduction" numbered="true" toc="default">
        • <t>
          • In <xref target="RFC7748" format="default" pageno="false"/>, the elliptic curves curve25519 and curve448 are described. They are designed with performance and security in mind. The curves may be used for Diffie-Hellman and Digital Sdigital signature operations. , the elliptic curves curve25519 and curve448 are described. They are designed with performance and security in mind. The curves may be used for Diffie-Hellman and Digital Signature operations. digital signature operations.
          • </t>
        • <t>
          • <xref target="RFC7748" format="default" pageno="false"/> describes the operations on these curves for the Diffie-Hellman operation. A convention has developed that when these two curves are used with the Diffie-Hellman operation, they are referred to as X25519 and X448. This RFC defines the ASN.1 Object Identifiers (OIDs) for the operations X25519 and X448 along with the associated parameters. The use of these OIDs is described for public and private keys. describes the operations on these curves for the Diffie-Hellman operation. A convention has developed that when these two curves are used with the Diffie-Hellman operation, they are referred to as X25519 and X448. This RFC defines the ASN.1 Object Identifiers (OIDs) for the operations X25519 and X448 along with the associated parameters. The use of these OIDs is described for public and private keys.
          • </t>
        • <t>
          • In <xref target="RFC8032" format="default" pageno="false"/> the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448. EdDSA has defined two modes, the PureEdDSA mode without pre-hashing, and the HashEdDSA mode with pre-hashing. the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448. EdDSA has defined two modes, the PureEdDSA mode without pre-hashing, and the HashEdDSA mode with pre-hashing.
          • <--  Remove pre-hash
                         The Ed25519ph and Ed448ph algorithm definitions specify the one-way hash function that is used for pre-hashing.
                         The convention used for identifying the algorithm/curve combinations are to use the Ed25519 and Ed448 for the PureEdDSA mode, with Ed25519ph and Ed448ph for the HashEdDSA mode.
                          -->
          • The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode. The document does not provide the conventions needed for the pre-hash versions of the signature algorithm. The use of the OIDs is described for public keys, private keys and signatures.
          • In <xref target="RFC8032" format="default" pageno="false"/> the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448. EdDSA has defined two modes: the PureEdDSA mode without prehashing and the HashEdDSA mode with prehashing. The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode. This document does not provide the conventions needed for the prehash versions of the signature algorithm. The use of the OIDs is described for public keys, private keys and signatures. the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448. EdDSA has defined two modes: the PureEdDSA mode without prehashing and the HashEdDSA mode with prehashing. The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode. This document does not provide the conventions needed for the prehash versions of the signature algorithm. The use of the OIDs is described for public keys, private keys and signatures.
          • </t>
        • <t>
          • <xref target="RFC8032" format="default" pageno="false"/> additionally defineds the concept of a context. Contexts can be used to differentiate signatures generated for different purposes with the same key. The use of contexts is not defined in this document for the following reasons: additionally defineds the concept of a context. Contexts can be used to differentiate signatures generated for different purposes with the same key. The use of contexts is not defined in this document for the following reasons:
          • <list style="symbols">
            • <t>
              • The current implementations of Ed25519 do not support the use of contexts,; thus, if specified, it will potentially delay the use of these algorithms further.
              • </t>
            • <t>
              • The EdDSA algorithms areis the only IETF algorithms that currently support that currently supports the use of contexts; however, howethere is a possibility that there will be confusion between which algorithms need to haver there is a possibility that there will be confusion between which separate keys and which do not. This may result in a decrease of security for those other algorithms need to have separate keys and which do not. This may result in a decrease of security for those other algorithms.
              • </t>
            • <t>
              • There are still ongoing discussions among the cryptographic community about how effective the use of contexts is for preventing attacks.
              • </t>
            • <t>
              • There needs to be discussions about the correct way to identify when context strings are to be used. It is not clear if different OIDs should be used for different contexts, or the OID should merely note that a context string needs to be provided.
              • </t>
            • </list>
          • </t>
        • </section>
      • <section title="Requirements Terminology" numbered="true" toc="default">
        • <t>
          • The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119" format="default" pageno="false"/> <xref target="RFC8174" format="default" pageno="false"/> when, and only when, they appear in all capitals, as shown here. when, and only when, they appear in all capitals, as shown here.
          • </t>
        • </section>
      • <section title="Curve25519 and Curve448 Algorithm Identifiers" numbered="true" toc="default">
        • <t>
          • Certificates conforming to <xref target="RFC5280" format="default" pageno="false"/> can convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. This algorithm identifier isAn algorithm identifier consists of an OID and optionally associated parameters. can convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. This algorithm identifier isAn algorithm identifier consists of an OID and optionally associated parameters. parameters.
          • </t>
        • <t>
          • The AlgorithmIdentifier type, which is included for convenience, is defined as follows:
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • AlgorithmIdentifier  ::=  SEQUENCE  {
                  algorithm   OBJECT IDENTIFIER,
                  parameters  ANY DEFINED BY algorithm OPTIONAL
              }
            • </artwork>
          • </figure>
        • <t>
          • The fields in AlgorithmIdentifier have the following meanings:
          • </t>
        • <t>
          • <list style="symbols">
            • <t>
              • algorithm identifies the cryptographic algorithm with an object identifier. Four such OIDs are defined below.
              • </t>
            • <t>
              • parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field.
              • </t>
            • </list>
          • </t>
        • <t>
          • <--  RFC Editor:  I have been told that the following three sentences should be joined together, I tend to think
                         that they are correct as separate items but it is something that a copy editor should look at  -->
          • In this document we define four new OIDs for identifying the different curve/algorithm pairs. The curves being curve25519 and curve448. The algorithms being ECDH and EdDSA in pure mode.
          • <--   and EdDSA in pre-hash mode.  -->
          • For all of the OIDs, the parameters MUST be absent.
          • In this document, we define four new OIDs for identifying the different curve/algorithm pairs: the curves being curve25519 and curve448 and the algorithms being ECDH and EdDSA in pure mode. For all of the OIDs, the parameters MUST be absent.
          • </t>
        • <t>
          • It is possible to find systems that require the parameters to be present. This can be either due todue to either a defect in the original 1997 syntax or a programming error where developers never got input where this was not true. The optimal solution is to fix these systems; where this is not possible, where this is not possible the problem needs to be restricted to that subsystem and not propigated to the iagated to the Internet.
          • </t>
        • <t>
          • The same algorithm identifiers are used for identifying a public key, identifa private keying a private key and identifying, and a signature (for the two EdDSA related OIDs). Additional encoding information is provided below for each of these locations.
          • </t>
        • <--   Remove pre-hash algorithms
                  id-Ed25519ph OBJECT IDENTIFIER ::= { 1 3 101 114 }
                  id-Ed448ph   OBJECT IDENTIFIER ::= { 1 3 101 115 }
                 -->
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • id-X25519    OBJECT IDENTIFIER ::= { 1 3 101 110 }
              id-X448      OBJECT IDENTIFIER ::= { 1 3 101 111 }
              id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
              id-Ed448     OBJECT IDENTIFIER ::= { 1 3 101 113 }
            • </artwork>
          • </figure>
        • <-- 
                <t>The OID id-Curve25519 refers to Curve25519.  The OID
                id-Curve448 refers to Curve448.  Both curves are described in
                <xref target="RFC7748"/>.  The OIDs id-Curve25519ph and
                id-Curve448ph refers to Curve25519 and Curve448 when used with
                pre-hashing as Ed25519ph and Ed448ph described in <xref
                target="RFC8032"/>.</t>
                
                <t>The public key value encoded into the ECPoint value is the
                raw binary values described in <xref target="RFC7748"/>.</t>
                 -->
        • </section>
      • <section title="Subject Public Key Fields" numbered="true" toc="default">
        • <t>
          • In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • SubjectPublicKeyInfo  ::=  SEQUENCE  {
                  algorithm         AlgorithmIdentifier,
                  subjectPublicKey  BIT STRING
              }
            • </artwork>
          • </figure>
        • <t>
          • The fields in SubjectPublicKeyInfo have the following meanings:
          • </t>
        • <t>
          • <list style="symbols">
            • <t>
              • algorithm is the algorithm identifier and parameters for the public key (see above).
              • </t>
            • <t>
              • subjectPublicKey contains the byte stream of the public key. The algorithms defined in this document always encode the public key as an exact multiple of 8- bits.
              • </t>
            • </list>
          • </t>
        • <t>
          • Both <xref target="RFC7748" format="default" pageno="false"/> and and <xref target="RFC8032" format="default" pageno="false"/> define the public key value as being a byte string. It should be noted that the public key is computed differently for each of these documents; thus, thus the same private key will not produce the same public key. define the public key value as being a byte string. It should be noted that the public key is computed differently for each of these documents; thus, thus the same private key will not produce the same public key.
          • </t>
        • <t>
          • The following is an example of a public key encoded using the textual encoding defined in <xref target="RFC7468" format="default" pageno="false"/>..
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PUBLIC KEY-----
              MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
              -----END PUBLIC KEY-----      
            • </artwork>
          • </figure>
        • </section>
      • <-- 
            <section title="EdDSA Public Keys">

              <t>Certificates conforming to <xref target="RFC5280"/> may
              convey a public key for any public key algorithm.  The
              certificate indicates the algorithm through an algorithm
              identifier.  This algorithm identifier is an OID and optionally
              associated parameters.</t>

              <t>This section identify the OID and parameters for the EdDSA
              algorithm.  Conforming CAs MUST use the identified OIDs when
              issuing certificates containing EdDSA public keys.  Conforming
              applications supporting EdDSA MUST, at a minimum, recognize the
              OID identified in this section.</t>

              <t>The id-EdDSAPublicKey OID is used for identifying EdDSA
              public keys.</t>

              <figure>
              <artwork><![CDATA[
               id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 }
               ]]></artwork>
              </figure>

              <t>The id-EdDSAPublicKey OID is intended to be used in the
              algorithm field of a value of type AlgorithmIdentifier.</t>

              <t>EdDSA public keys use the parameter field to specify the
              particular instantiation of EdDSA parameters.  The parameters
              field have the ASN.1 type EdDSAParameters as follows.</t>

              <figure>
              <artwork><![CDATA[
              EdDSAParameters ::= ENUMERATED { ed25519   (1),
                  ed25519ph (2) }
                  ed448     (3) }
                  ed448ph   (4) }
        ]]></artwork>
             </figure>

              <t>The EdDSAParameters enumeration may be extended in the
              future.</t>

              <t>The "ed25519" and "ed448" values correspond to the PureEdDSA
              variants, and the "ed25519ph" and "ed448ph" values correspond to
              the HashEdDSA variants, as discussed in <xref
              target="RFC8032"/>.</t>

              <t>The raw binary EdDSA public key is encoded directly in the
              subjectPublicKey BIT STRING object.  Note that unlike some other
              schemes, there is no additional OCTET STRING encoding step.</t>

        </section>
         -->
      • <section title="Key Usage Bits" numbered="true" toc="default">
        • <t>
          • The intended application for the key is indicated in the keyUsage certificate extension.
          • </t>
        • <t>
          • If the keyUsage extension is present in a certificate that indicates id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST be present:
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            •         keyAgreement;
                    
            • </artwork>
          • </figure>
        • <t>
          • one of the following MAY also be present:
          • </t>
        • <t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              •           encipherOnly; or
                          decipherOnly.
                          
              • </artwork>
            • </figure>
          • </t>
        • <t>
          • If the keyUsage extension is present in an end-entity
          • <--  Remove pre-hash
                  certificate that indicates id-EdDSA25519, id-EdDSA25519ph, id-EdDSA448 or id-EdDSA448ph
                     -->
          • If the keyUsage extension is present in an end-entity certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension MUST contain one or both of the following values:
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            •         nonRepudiation; and
                      digitalSignature.
            • </artwork>
          • </figure>
        • <t>
          • If the keyUsage extension is present in a certification authority certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension MUST contain one or more of the following values:
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            •        nonRepudiation;
                     digitalSignature;
                     keyCertSign; and
                     cRLSign.
                     
            • </artwork>
          • </figure>
        • <--  Remove pre-hash
                  <t>
                  CAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of certificates or CRLs.
                  This is implied by the fact that those algorithms are not listed in the previous paragraph.
                  Additionally OCSP responders SHOULD NOT use the pre-hash versions of the EdDSA algorithms when generating OCSP responses.
                  No restriction is placed on generation of OCSP requests.
                  </t>


                <t>
                  AAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of attribute certificates or attribute CRLs <xref target="RFC5755"/>.
                </t>

                <t>
                  The decision to require the use of pure mode balances the higher security of having a single failure point against the possibility that constrained devices, such as Hardware Security Modules (HSMs), may be unable to check signatures on CRLs due to the amount of memory required to hold the entire CRL in memory at one time.
                  This concern can be addressed by CAs using CRL distribution points, combined with segmenting the certificates issued so that the length of any segmented CRL is not "too long" even if a large percentage of the certificates are revoked.
                  The definition of "too long" is going to be highly dependent on what constrained device is being used, it can be on the order of single or low double digit kilobytes.
                </t>
                   -->
        • </section>
      • <section title="EdDSA Signatures" numbered="true" toc="default">
        • <t>
          • Signatures can be placed in a number of different ASN.1 structures. The top level structure for a certificate is given below as being illustrative of how signatures are frequently encoded with an algorithm identifier and a location for the signature.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            •    Certificate  ::=  SEQUENCE  {
                      tbsCertificate       TBSCertificate,
                      signatureAlgorithm   AlgorithmIdentifier,
                      signatureValue       BIT STRING  }
            • </artwork>
          • </figure>
        • <t>
          • The same algorithm identifiers are used for signatures as are used for public keys. When used to identify signature algorithms, the parameters MUST be absent.
          • </t>
        • <t>
          • The data to be signed is prepared for EdDSA. Then, a private key operation is performed to generate the signature value. This value is the opaque value ENC(R) || ENC(S) described in sSection 3.3 of <xref target="RFC8032" format="default" pageno="false"/>. The octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping. For the Certificate structure, the signature value is wrapped in the "signatureValue" BIT STRING field. . The octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping. For the Certificate structure, the signature value is wrapped in the "signatureValue" BIT STRING field.
          • </t>
        • <--  Remove Prehash
                <t>
                  When the pre-hash versions of the EdDSA signature algorithms are used, the hash function used for the pre-hash is defined by the algorithm.
                  This means that the pre-hash function is implicitly included in the algorithm identifier rather than being explicit as done in <xref target="RFC3279"/>.
                  </t>
                   -->
        • </section>
      • <section title="Private Key Format" numbered="true" toc="default">
        • <t>
          • <xref target="RFC5958" format="default" pageno="false">"Asymmetric Key Packages"</xref> describes how to encode a private key in a structure that both identifies what algorithm the private key is for, but and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below. The algorithm -specific details of how a private key is encoded isare left for the document describing the algorithm itself. describes how to encode a private key in a structure that both identifies what algorithm the private key is for, but and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below. The algorithm -specific details of how a private key is encoded isare left for the document describing the algorithm itself.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • OneAsymmetricKey ::= SEQUENCE {
                 version Version,
                 privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
                 privateKey PrivateKey,
                 attributes [0] IMPLICIT Attributes OPTIONAL,
                 ...,
                 [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
                 ...
              }

              PrivateKey ::= OCTET STRING

              PublicKey ::= BIT STRING
            • </artwork>
          • </figure>
        • <t>
          • For the keys defined in this document, the private key is always an opaque byte sequence. The ASN.1 type CurvePrivateKey is defined in this document to hold the byte sequence. Thus, when encoding a OneAsymmetricKey object, the private key is wrapped in an CurvePrivateKey object and wrapped by the OCTET STRING of the "privateKey" field.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • CurvePrivateKey ::= OCTET STRING
            • </artwork>
          • </figure>
        • <t>
          • To encode an EdDSA, X25519, or X448 private key, the "privateKey" field will hold the encoded private key. The "privateKeyAlgorithm" field uses the AlgorithmIdentifier structure. The structure is encoded as defined above. If present, the "publicKey" field will hold the encoded key as defined in <xref target="RFC7748" format="default" pageno="false"/> and and <xref target="RFC8032" format="default" pageno="false"/>. .
          • </t>
        • <t>
          • The following is an example of a private key encoded using the textual encoding defined in <xref target="RFC7468" format="default" pageno="false"/>..
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
              -----END PRIVATE KEY-----
            • </artwork>
          • </figure>
        • <t>
          • The following example, in addition to encoding the private key, additionally has an attribute included as well as the public key. As with the prior example, the textual encoding defined in <xref target="RFC7468" format="default" pageno="false"/> is used. is used.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
              oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
              Z9w7lshQhqowtrbLDFw4rXAxZuE=
              -----END PRIVATE KEY------
            • </artwork>
          • </figure>
        • <t>
          • NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in <xref target="RFC7748" format="default" pageno="false"/>. This means that they will not accept a private key structure that contains the public key field. This means a balancing act needs to be done betwhich contains the public key fieldeen being able to do a consistency check on the key pair and widest ability to import the key. . This means that they will not accept a private key structure that contains the public key field. This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key. . This means that they will not accept a private key structure which contains the public key field. This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.
          • </t>
        • </section>
      • <section title="Human Readable Algorithm Names" title="Human-Readable Algorithm Names" numbered="true" toc="default">
        • <t>
          • For the purpose of consistent cross-implementation naming, this section establishes human -readable names for the algorithms specified in this document. Implementations SHOULD use these names when referring to the algorithms. If there is a strong reason to deviate from these names -- for example, if the implementation has a different naming convention and wants to maintain internal consistency -- it is encouraged to deviate as little as possible from the names given here.
          • </t>
        • <t>
          • Use the string "ECDH" when referring to a public key of type "X25519" or "X448" when the curve is not known or relevant.
          • </t>
        • <t>
          • When the curve is known, use the more specific string of "X25519" or "X448".
          • </t>
        • <t>
          • Use the string "EdDSA" when referring to a signing public key or signature when the curve is not known or relevant.
          • </t>
        • <t>
          • When the curve is known, use a more specific string. For the id-Ed25519 value use the string "Ed25519".
          • <--  Remove pre-hash
                  For
                  the id-EdDSA25519ph value use the string "Ed25519ph".   -->
          • For id-Ed448 use "Ed448".
          • <--  Remvoe prehash For id-EdDSA448ph use "Ed448ph". -->
          • When the curve is known, use a more specific string. For the id-Ed25519 value use the string "Ed25519". For id-Ed448, use "Ed448".
          • </t>
        • </section>
      • <section title="ASN.1 Module" anchor="module" numbered="true" toc="default">
        • <t>
          • For reference purposes, the ASN.1 syntax is presented as an ASN.1 module here.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -- ASN.1 Module

              Safecurves-pkix-
              18
               { iso(1) identified-organization(3) dod(6) internet(1)
               security(5) mechanisms(5) pkix(7) id-mod(
              0 -- TBD - IANA assigned mod) id-mod-safecule OID
              rves-pkix (93)
                

              DEFINITIONS EXPLICIT TAGS ::=
              BEGIN

              IMPORTS
                SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
                KeyUsage, AlgorithmIdentifier
                FROM AlgorithmInformation-2009 
                  {iso(1) identified-organization(3) dod(6) internet(1) security(5)
                  mechanisms(5) pkix(7) id-mod(0)
                  id-mod-algorithmInformation-02(58)}

                mda-sha512
                FROM PKIX1-PSS-OAEP-Algorithms-2009
                  { iso(1) identified-organization(3) dod(6) internet(1)
                    security(5) mechanisms(5) pkix(7) id-mod(0)
                    id-mod-pkix1-rsa-pkalgs-02(54) }

                kwa-aes128-wrap, kwa-aes256-wrap
                FROM CMSAesRsaesOaep-2009
                  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
                    smime(16) modules(0) id-mod-cms-aes-02(38) }
                ;
                  

              id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }

              id-X25519        OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
              id-X448          OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
              id-Ed25519       OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
              id-Ed448         OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }


               sa-Ed25519 SIGNATURE-ALGORITHM ::= {
                  IDENTIFIER id-Ed25519
                   PARAMS ARE absent
                   PUBLIC-KEYS {pk-Ed25519}
                   SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
               }

               pk-Ed25519 PUBLIC-KEY ::= {
                   IDENTIFIER id-Ed25519
                   -- KEY no ASN.1 wrapping --
                   PARAMS ARE absent
                   CERT-KEY-USAGE {digitalSignature, nonRepudiation,
                                   keyCertSign, cRLSign}
                   PRIVATE-KEY CurvePrivateKey
               }

               kaa-X25519 KEY-AGREE ::= {
                   IDENTIFIER id-X25519
                   PARAMS ARE absent
                   PUBLIC-KEYS {pk-X25519}
                   UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
                   SMIME-CAPS {
                      TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
                      IDENTIFIED BY id-X25519 }
               }

               pk-X25519 PUBLIC-KEY ::= {
                   IDENTIFIER id-X25519
                   -- KEY no ASN.1 wrapping --
                   PARAMS ARE absent
                   CERT-KEY-USAGE { keyAgreement }
                   PRIVATE-KEY CurvePrivateKey
               }

               KeyWrapAlgorithms KEY-WRAP ::= {
                   kwa-aes128-wrap | kwa-aes256-wrap,
                   ...
               }
                   
               kaa-X448 KEY-AGREE ::= {
                   IDENTIFIER id-X448
                   PARAMS ARE absent
                   PUBLIC-KEYS {pk-X448}
                   UKM -- TYPE no ASN.1 wrapping  -- ARE preferredPresent
                   SMIME-CAPS {
                      TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
                      IDENTIFIED BY id-X448 }
               }

               pk-X448 PUBLIC-KEY ::= {
                   IDENTIFIER id-X448
                   -- KEY no ASN.1 wrapping --
                   PARAMS ARE absent
                   CERT-KEY-USAGE { keyAgreement }
                   PRIVATE-KEY CurvePrivateKey
               }

              CurvePrivateKey ::= OCTET STRING
                  
                                               
              END
            • </artwork>
          • </figure>
        • </section>
      • <section title="Examples" numbered="true" toc="default">
        • <t>
          • This section contains illustrations of EdDSA public keys and certificates, illustrating parameter choices.
          • </t>
        • <section title="Example Ed25519 Public Key" numbered="true" toc="default">
          • <t>
            • An example of an Ed25519 public key:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              •       Public Key Information:
                          Public Key Algorithm: Ed25519
                          Algorithm Security Level: High

                      Public Key Usage:
                      
                      Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
                      
                      -----BEGIN PUBLIC KEY-----
                      MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
                      -----END PUBLIC KEY-----
              • </artwork>
            • </figure>
          • </section>
        • <section title="Example X25519 Certificate" numbered="true" toc="default">
          • <t>
            • An example of a self -issued PKIX certificate using Ed25519 to sign an X25519 public key would be:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              •   0 300: SEQUENCE {
                  4 223:   SEQUENCE {
                  7   3:     [0] {
                  9   1:       INTEGER 2
                       :       }
                 12   8:     INTEGER 56 01 47 4A 2A 8D C3 30
                 22   5:     SEQUENCE {
                 24   3:       OBJECT IDENTIFIER
                       :         Ed 25519 signature algorithm { 1 3 101 112 }
                       :       }
                 29  25:     SEQUENCE {
                 31  23:       SET {
                 33  21:         SEQUENCE {
                 35   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
                 40  14:           UTF8String 'IETF Test Demo'
                       :           }
                       :         }
                       :       }
                 56  30:     SEQUENCE {
                 58  13:       UTCTime 01/08/2016 12:19:24 GMT
                 73  13:       UTCTime 31/12/2040 23:59:59 GMT
                       :       }
                 88  25:     SEQUENCE {
                 90  23:       SET {
                 92  21:         SEQUENCE {
                 94   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
                 99  14:           UTF8String 'IETF Test Demo'
                       :           }
                       :         }
                       :       }
                115  42:     SEQUENCE {
                117   5:       SEQUENCE {
                119   3:         OBJECT IDENTIFIER
                       :           ECDH 25519 key agreement { 1 3 101 110 }
                       :         }
                124  33:       BIT STRING
                       :         85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
                       :         0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
                       :       }
                159  69:     [3] {
                161  67:       SEQUENCE {
                163  15:         SEQUENCE {
                165   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
                170   1:           BOOLEAN TRUE
                173   5:           OCTET STRING, encapsulates {
                175   3:             SEQUENCE {
                177   1:               BOOLEAN FALSE
                       :               }
                       :             }
                       :           }
                180  14:         SEQUENCE {
                182   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
                187   1:           BOOLEAN FALSE
                190   4:           OCTET STRING, encapsulates {
                192   2:             BIT STRING 3 unused bits
                       :               '10000'B (bit 4)
                       :             }
                       :           }
                196  32:         SEQUENCE {
                198   3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
                203   1:           BOOLEAN FALSE
                206  22:           OCTET STRING, encapsulates {
                208  20:             OCTET STRING
                       :               9B 1F 5E ED ED 04 33 85 E4 F7 BC 62 3C 59 75
                       :               B9 0B C8 BB 3B
                       :             }
                       :           }
                       :         }
                       :       }
                       :     }
                230   5:   SEQUENCE {
                232   3:     OBJECT IDENTIFIER
                       :       Ed 25519 signature algorithm { 1 3 101 112 }
                       :     }
                237  65:   BIT STRING
                       :     AF 23 01 FE DD C9 E6 FF C1 CC A7 3D 74 D6 48 A4
                       :     39 80 82 CD DB 69 B1 4E 4D 06 EC F8 1A 25 CE 50
                       :     D4 C2 C3 EB 74 6C 4E DD 83 46 85 6E C8 6F 3D CE
                       :     1A 18 65 C5 7A C2 7B 50 A0 C3 50 07 F5 E7 D9 07
                       :   }
                      
                -----BEGIN CERTIFICATE-----
                MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX
                N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD
                DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj
                ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg
                BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v
                /BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg
                w1AH9efZBw==
                -----END CERTIFICATE-----
              • </artwork>
            • </figure>
          • </section>
        • <section title="Examples of Ed25519 Private Key" numbered="true" toc="default">
          • <t>
            • An example of an Ed25519 private key without the public key:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              • -----BEGIN PRIVATE KEY-----
                MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
                -----END PRIVATE KEY-----
              • </artwork>
            • </figure>
          • <t>
            • The same item dumped as ASN.1 yields:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              •  0 30   46: SEQUENCE {
                 2 02    1:   INTEGER 0
                 5 30    5:   SEQUENCE {
                 7 06    3:     OBJECT IDENTIFIER
                          :       Ed 25519 signature algorithm { 1 3 101 112 }
                          :     }
                12 04   34:   OCTET STRING
                          :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
                          :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
                          :     58 42
                          :   }
                          
              • </artwork>
            • </figure>
          • <t>
            • Note that the value of the private key is:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              • D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD
                3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42
              • </artwork>
            • </figure>
          • <t>
            • An example of the same Ed25519 private key encoded with an attribute and the public key:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              • -----BEGIN PRIVATE KEY-----
                MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
                oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
                Z9w7lshQhqowtrbLDFw4rXAxZuE=
                -----END PRIVATE KEY-----
              • </artwork>
            • </figure>
          • <t>
            • The same item dumped as ASN.1 yields:
            • </t>
          • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
            • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

              •   0 114: SEQUENCE {
                  2   1:   INTEGER 1
                  5   5:   SEQUENCE {
                  7   3:     OBJECT IDENTIFIER '1 3 101 112'
                       :     }
                 12  34:   OCTET STRING, encapsulates {
                       :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
                       :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
                       :     58 42
                       :     }
                 48  31:   [0] {
                 50  29:     SEQUENCE {
                 52  10:       OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20'
                 64  15:       SET {
                 66  13:         UTF8String 'Curdle Chairs'
                       :         }
                       :       }
                       :     }
                81  33:   [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B
                              96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66
                              E1
                       :   }
                          
              • </artwork>
            • </figure>
          • </section>
        • </section>
      • <section anchor="ack" title="Acknowledgments" numbered="true" toc="default">
        • <t>
          • Text and/or inspiration were drawn from <xref target="RFC5280" format="default" pageno="false"/>, , <xref target="RFC3279" format="default" pageno="false"/>, , <xref target="RFC4055" format="default" pageno="false"/>, , <xref target="RFC5480" format="default" pageno="false"/>, and , and <xref target="RFC5639" format="default" pageno="false"/>..
          • </t>
        • <t>
          • The following people discussed the document and provided feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos, Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.
          • </t>
        • <t>
          • A big thank you to Symantec for kindly donating the OIDs used in this draft.
          • </t>
        • </section>
      • <section title="IANA Considerations" numbered="true" toc="default">
        • <t>
          • IANA is requested to assign a module OID from the "SMI for PKIX Module Identifier" registry for the ASN.1 module in <xref target="module" format="default" pageno="false"/>. .
          • For the ASN.1 module in <xref target="module" format="default" pageno="false"/>, IANA has registered value 93 for "id-mod-safecurves-pkix" in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry. , IANA has registered value 93 for "id-mod-safecurves-pkix" in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry.
          • </t>
        • <t>
          • The OIDs are being independently registered in the IANA registry "SMI Security for Cryptographic Algorithms" in <xref target="I-D.schaad-curdle-oid-registryRFC8411" format="default" pageno="false"/>. .
          • </t>
        • </section>
      • <section anchor="Security" title="Security Considerations" numbered="true" toc="default">
        • <t>
          • The security considerations of <xref target="RFC5280" format="default" pageno="false"/>, , <xref target="RFC7748" format="default" pageno="false"/>, and , and <xref target="RFC8032" format="default" pageno="false"/> apply accordingly. apply accordingly.
          • </t>
        • <t>
          • The procedures for going from a private key to a public key are different for when used with Diffie-Hellman andversus when used with Edwards Signatures. This means that the same public key cannot be used for both ECDH and EdDSA.
          • </t>
        • <-- 
                <t>
                  In the original design of Ed25519 signatures, there was a known attack between the pure and the pre-hash version of the signatures.
                  This has since been corrected in the final version of the design.
                  The initial problem meant that there was a known attack, and therefore a known reason to forbid the use of Ed25519 keys with the Ed25519ph signature scheme and visa versa.
                  With the change in the design this attack has been prevented.
                  This does not mean that the same Ed25519 key should be used with both schemes, there still may be attacks where collisions can be found.
                  For this reason, the same keys are not to be used for the pure and pre-hash versions of the scheme.
                  This applies to both curve 25519 and curve 448.
                  </t>
                   -->
        • </section>
      • </middle>
    • <back>
      • <references title="Normative References">
        • <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quote-title="true">
          • <front>
            • <title>
              • Key words for use in RFCs to Indicate Requirement Levels
              • </title>
            • <author initials="S." surname="Bradner" fullname="S. Bradner">
              • <organization/>
              • </author>
            • <date year="1997" month="March"/>
            • <abstract>
              • <t>
                • In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="BCP" value="14"/>
          • <seriesInfo name="RFC" value="2119"/>
          • <seriesInfo name="DOI" value="10.17487/RFC2119"/>
          • </reference>
        • <reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" quote-title="true">
          • <front>
            • <title>
              • Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
              • </title>
            • <author initials="D." surname="Cooper" fullname="D. Cooper">
              • <organization/>
              • </author>
            • <author initials="S." surname="Santesson" fullname="S. Santesson">
              • <organization/>
              • </author>
            • <author initials="S." surname="Farrell" fullname="S. Farrell">
              • <organization/>
              • </author>
            • <author initials="S." surname="Boeyen" fullname="S. Boeyen">
              • <organization/>
              • </author>
            • <author initials="R." surname="Housley" fullname="R. Housley">
              • <organization/>
              • </author>
            • <author initials="W." surname="Polk" fullname="W. Polk">
              • <organization/>
              • </author>
            • <date year="2008" month="May"/>
            • <abstract>
              • <t>
                • This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="5280"/>
          • <seriesInfo name="DOI" value="10.17487/RFC5280"/>
          • </reference>
        • <reference anchor="RFC5480" target="https://www.rfc-editor.org/info/rfc5480" quote-title="true">
          • <front>
            • <title>
              • Elliptic Curve Cryptography Subject Public Key Information
              • </title>
            • <author initials="S." surname="Turner" fullname="S. Turner">
              • <organization/>
              • </author>
            • <author initials="D." surname="Brown" fullname="D. Brown">
              • <organization/>
              • </author>
            • <author initials="K." surname="Yiu" fullname="K. Yiu">
              • <organization/>
              • </author>
            • <author initials="R." surname="Housley" fullname="R. Housley">
              • <organization/>
              • </author>
            • <author initials="T." surname="Polk" fullname="T. Polk">
              • <organization/>
              • </author>
            • <date year="2009" month="March"/>
            • <abstract>
              • <t>
                • This document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK]
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="5480"/>
          • <seriesInfo name="DOI" value="10.17487/RFC5480"/>
          • </reference>
        • <reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7748" quote-title="true">
          • <front>
            • <title>
              • Elliptic Curves for Security
              • </title>
            • <author initials="A." surname="Langley" fullname="A. Langley">
              • <organization/>
              • </author>
            • <author initials="M." surname="Hamburg" fullname="M. Hamburg">
              • <organization/>
              • </author>
            • <author initials="S." surname="Turner" fullname="S. Turner">
              • <organization/>
              • </author>
            • <date year="2016" month="January"/>
            • <abstract>
              • <t>
                • This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="7748"/>
          • <seriesInfo name="DOI" value="10.17487/RFC7748"/>
          • </reference>
        • <reference anchor="RFC8032" target="https://www.rfc-editor.org/info/rfc8032" quote-title="true">
          • <front>
            • <title>
              • Edwards-Curve Digital Signature Algorithm (EdDSA)
              • </title>
            • <author initials="S." surname="Josefsson" fullname="S. Josefsson">
              • <organization/>
              • </author>
            • <author initials="I." surname="Liusvaara" fullname="I. Liusvaara">
              • <organization/>
              • </author>
            • <date year="2017" month="January"/>
            • <abstract>
              • <t>
                • This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="8032"/>
          • <seriesInfo name="DOI" value="10.17487/RFC8032"/>
          • </reference>
        • <reference anchor="RFC5958" target="https://www.rfc-editor.org/info/rfc5958" quote-title="true">
          • <front>
            • <title>
              • Asymmetric Key Packages
              • </title>
            • <author initials="S." surname="Turner" fullname="S. Turner">
              • <organization/>
              • </author>
            • <date year="2010" month="August"/>
            • <abstract>
              • <t>
                • This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK]
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="5958"/>
          • <seriesInfo name="DOI" value="10.17487/RFC5958"/>
          • </reference>
        • <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quote-title="true">
          • <front>
            • <title>
              • Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
              • </title>
            • <author initials="B." surname="Leiba" fullname="B. Leiba">
              • <organization/>
              • </author>
            • <date year="2017" month="May"/>
            • <abstract>
              • <t>
                • RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="BCP" value="14"/>
          • <seriesInfo name="RFC" value="8174"/>
          • <seriesInfo name="DOI" value="10.17487/RFC8174"/>
          • </reference>
        • </references>
      • <references title="Informative References">
        • <reference anchor="RFC3279" target="https://www.rfc-editor.org/info/rfc3279" quote-title="true">
          • <front>
            • <title>
              • Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
              • </title>
            • <author initials="L." surname="Bassham" fullname="L. Bassham">
              • <organization/>
              • </author>
            • <author initials="W." surname="Polk" fullname="W. Polk">
              • <organization/>
              • </author>
            • <author initials="R." surname="Housley" fullname="R. Housley">
              • <organization/>
              • </author>
            • <date year="2002" month="April"/>
            • <abstract>
              • <t>
                • This document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are used to sign certificates and certificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="3279"/>
          • <seriesInfo name="DOI" value="10.17487/RFC3279"/>
          • </reference>
        • <reference anchor="RFC4055" target="https://www.rfc-editor.org/info/rfc4055" quote-title="true">
          • <front>
            • <title>
              • Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
              • </title>
            • <author initials="J." surname="Schaad" fullname="J. Schaad">
              • <organization/>
              • </author>
            • <author initials="B." surname="Kaliski" fullname="B. Kaliski">
              • <organization/>
              • </author>
            • <author initials="R." surname="Housley" fullname="R. Housley">
              • <organization/>
              • </author>
            • <date year="2005" month="June"/>
            • <abstract>
              • <t>
                • This document supplements RFC 3279. It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified. [STANDARDS-TRACK]
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="4055"/>
          • <seriesInfo name="DOI" value="10.17487/RFC4055"/>
          • </reference>
        • <reference anchor="RFC5639" target="https://www.rfc-editor.org/info/rfc5639" quote-title="true">
          • <front>
            • <title>
              • Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation
              • </title>
            • <author initials="M." surname="Lochter" fullname="M. Lochter">
              • <organization/>
              • </author>
            • <author initials="J." surname="Merkle" fullname="J. Merkle">
              • <organization/>
              • </author>
            • <date year="2010" month="March"/>
            • <abstract>
              • <t>
                • This memo proposes several elliptic curve domain parameters over finite prime fields for use in cryptographic applications. The domain parameters are consistent with the relevant international standards, and can be used in X.509 certificates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and all applications or protocols based on the cryptographic message syntax (CMS). This document is not an Internet Standards Track specification; it is published for informational purposes.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="5639"/>
          • <seriesInfo name="DOI" value="10.17487/RFC5639"/>
          • </reference>
        • <--  Remove for pre-hash
                     &rfc5755;
                      -->
        • <--       &rfc5758;  -->
        • <--       &rfc5915;  -->
        • <reference anchor="RFC7468" target="https://www.rfc-editor.org/info/rfc7468" quote-title="true">
          • <front>
            • <title>
              • Textual Encodings of PKIX, PKCS, and CMS Structures
              • </title>
            • <author initials="S." surname="Josefsson" fullname="S. Josefsson">
              • <organization/>
              • </author>
            • <author initials="S." surname="Leonard" fullname="S. Leonard">
              • <organization/>
              • </author>
            • <date year="2015" month="April"/>
            • <abstract>
              • <t>
                • This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="RFC" value="7468"/>
          • <seriesInfo name="DOI" value="10.17487/RFC7468"/>
          • </reference>
        • <-- &iana;draft-schaad-curdle-oid-registry-03; in AUTH48 as RFC8411  -->
        • <reference anchor="I-D.schaad-curdle-oid-registry" anchor="RFC8411" quote-title="true" target="http://www.rfc-editor.org/info/rfc8411">
          • <front>
            • <title>
              • IANA Registration for new Cryptographic Algorithm Object Identifier Range
              • IANA Registration for the Cryptographic Algorithm Object Identifier Range
              • </title>
            • <author initials="J" surname="Schaad" fullname="Jim Schaad">
              • <organization/>
              • </author>
            • <author initials="R" surname="Andrews" fullname="Rick Andrews">
              • <organization/>
              • </author>
            • <date month="January" month="July" day="25" year="2018"/>
            • <abstract>
              • <t>
                • When the Curdle Security Working Group was chartered, a range of object identifiers was donated by DigiCert, Inc. for the purpose of registering the Edwards Elliptic Curve key agreement and signature algorithms. This donated set of OIDs allowed for shorter values than would be possible using the existing S/MIME or PKIX arcs. This document describes the range of identifiers that were assigned in that donated range, transfers control of that range to IANA, and establishes IANA allocation policies for any future assignments within that range.
                • </t>
              • </abstract>
            • </front>
          • <seriesInfo name="Internet-Draft" name="RFC" value="draft-schaad-curdle-oid-registry-03" value="8411"/>
          • <seriesInfo name="DOI" value="10.17487/RFC8411"/>
          • <format type="TXT" target="http://www.ietf.org/internet-drafts/draft-schaad-curdle-oid-registry-03.txt"/>
          • </reference>
        • </references>
      • <section title="Invalid Encodings" numbered="true" toc="default">
        • <t>
          • There are a number of things that need to be dealt with when a new key part is decoded and imported into the system. A partial list of these includes:
          • <list style="symbols">
            • <-- [rfced] Please clarify this sentence. Does it mean the following or otherwise?

              Current:
                 This was an incorrect copy of the structure from [RFC5958],
                 which was corrected before publication.

              Perhaps:
                This was a copy of an incorrect structure that was in 
                the Internet-Draft; the structure is correct in [RFC5958]. 

              Or:
                This was a copy of incorrect structure that was in a draft 
                of the document that later became [RFC5958]; the structure is 
                correct in the RFC.
               -->
            • <t>
              • ASN.1 encoding errors: Two items are highlighted here. First, the use of an OCTET STRING rather than a BIT STRING for the public key. Thise use of OCTET STRING was an incorrect copy of the structure from copy error that existed in a previous draft version of this document; the structure is correct in <xref target="RFC5958" format="default" pageno="false"/> . Howhichever, any early implementation may have this was corrected before publication. Howeverrong. Second, any early implementation may have this wrong. Second, the value of the version field is required to be 0 if the publicKey is absent and 1 if present. This is called out in which was corrected before publication. However, any early implementation may have this wrong. Second, the value of the version field is required to be 0 if the publicKey is absent and 1 if present. This is called out in <xref target="RFC5958" format="default" pageno="false"/> but is not duplicated in the main text. but is not duplicated in the main text. , but was not duplicated above. , but was not duplicated above.
              • </t>
            • <t>
              • Key encoding errors: Both <xref target="RFC7748" format="default" pageno="false"/> and and <xref target="RFC8032" format="default" pageno="false"/> have formatting requirements for keys that need to be enforced. In some cases, the enforcement is done at the time of importing, for example, doing masking or a mod p operation. In other cases, the enforcement is done by rejecting the keys and having an import failure. have formatting requirements for keys that need to be enforced. In some cases, the enforcement is done at the time of importing, for example, doing masking or a mod p operation. In other cases, the enforcement is done by rejecting the keys and having an import failure.
              • </t>
            • <t>
              • Key mismatch errors: If a public key is provided, it may not agree with the private key either because either it is wrong or the wrong algorithm was used.
              • </t>
            • </list>
          • </t>
        • <t>
          • Some systems are also going to be stricter on what they accept. As stated in <xref target="RFC5958" format="default" pageno="false"/>, BER decoding of OneAsymmetricKey objects is a requirement for compliance. Despite this requirement, some acceptors will only decode DER formats. The following is a BER encoding of a private key, as such is; it is valid, but it may not be accepted by many systems. , BER decoding of OneAsymmetricKey objects is a requirement for compliance. Despite this requirement, some acceptors will only decode DER formats. The following is a BER encoding of a private key; it is valid, as sbuch is is valid, but it may not be accepted by many systems.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1W
              EIAAA==
              -----END PRIVATE KEY-----      
                    
            • </artwork>
          • </figure>
        • <t>
          • What follows here is a brief sampling of some incorrect keys.
          • </t>
        • <t>
          • In the following example, the private key does not match the masking requirements for X25519. For this example, the top bits are set to zero and the bottom three bits are set to 001.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MFMCAQEwBQYDK2VuBCIEIPj///////////////////////////////////////8/oS
              MDIQCEfA0sN1I082XmYJVRh6NzWg92E9FgnTpqTYxTrqpaIg==
              -----END PRIVATE KEY-----
                    
            • </artwork>
          • </figure>
        • <t>
          • In the following examples, the key is the wrong length because an all -zero byte has been removed. In one case, the first byte has been removed,; in the other case, the last byte has been removed.
          • </t>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MFICAQEwBQYDK2VwBCIEIC3GfeUYbZGTAhwLEE2cbvJL7ivTlcy17VottfN6L8HwoS
              IDIADBfk2Lv/J8H7YYwj/OmIcDx++jzVkKrKwS0/HjyQyM
              -----END PRIVATE KEY-----
                    
            • </artwork>
          • </figure>
        • <figure title="" suppress-title="false" align="left" alt="" width="" height="">
          • <artwork {http://www.w3.org/XML/1998/namespace}space="preserve" name="" type="" align="left" alt="" width="" height="">

            • -----BEGIN PRIVATE KEY-----
              MFICAQEwBQYDK2VwBCIEILJXn1VaLqvausjUaZexwI/ozmOFjfEk78KcYN+7hsNJoS
              IDIACdQhJwzi/MCGcsQeQnIUh2JFybDxSrZxuLudJmpJLk
              -----END PRIVATE KEY-----
                    
            • </artwork>
          • </figure>
        • </section>
      • <section title="Acknowledgments" numbered="no" toc="default">
        • <t>
          • Text and/or inspiration were drawn from <xref target="RFC5280" format="default" pageno="false"/>, , <xref target="RFC3279" format="default" pageno="false"/>, , <xref target="RFC4055" format="default" pageno="false"/>, , <xref target="RFC5480" format="default" pageno="false"/>, and , and <xref target="RFC5639" format="default" pageno="false"/>..
          • </t>
        • <t>
          • The following people discussed the document and provided feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos, Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.
          • </t>
        • <t>
          • A big thank you to Symantec for kindly donating the OIDs used in this document.
          • </t>
        • </section>
      • </back>
    • </rfc>
1<?xml version="1.0" encoding="US-ASCII"?>
2
3<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
4<!ENTITY rfc2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
5<!ENTITY rfc3279 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
6<!ENTITY rfc4055 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
7<!ENTITY rfc5280 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
8<!ENTITY rfc5480 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
9<!ENTITY rfc5639 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5639.xml">
10<!ENTITY rfc5755 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5755.xml">
11<!ENTITY rfc5758 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5758.xml">
12<!ENTITY rfc5915 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5915.xml">
13<!ENTITY rfc5958 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5958.xml">
14<!ENTITY rfc7468 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7468.xml">
15<!ENTITY rfc7748 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml">
16<!ENTITY rfc8174 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
17<!ENTITY eddsa   SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml">
18]>
19
20<?rfc strict="yes" ?>
21<?rfc compact="yes"?>
22<?rfc subcompact="no"?>
23<?rfc toc="yes"?>
24<?rfc symrefs="yes"?>
25
26<rfc submissionType="IETF" category="std" consensus="yes"
27     ipr="trust200902"
28     number="8410">
29     
30  <front>
31    
32    <title abbrev="Safe Curves for X.509">
33        
34      Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure
35    </title>
36    
37    <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
38      <organization>SJD AB</organization>
39      <address>
40        <email>simon@josefsson.org</email>
41      </address>
42    </author>
43
44    <author fullname="Jim Schaad" initials="J" surname="Schaad">
45      <organization>August Cellars</organization>
46      <address>
47        <email>ietf@augustcellars.com</email>
48      </address>
49    </author>
50
51    <date month="July" year="2018"/>
52
53    <keyword>Elliptic Curve Cryptography, Curve25519, Curve448,
54    Goldilocks, X.509, PKIX, PKI, OID, ASN.1, EdDSA,
55    Ed25519, Ed448, X25519, X448</keyword>
56
57    <abstract>
58
59      <t>This document specifies algorithm identifiers and ASN.1
60      encoding formats for elliptic curve constructs using the
61      curve25519 and curve448 curves.  The signature algorithms
62      covered are Ed25519 and Ed448.  The key agreement algorithms
63      covered are X25519 and X448.  The encoding for public key,
64      private key, and Edwards-curve Digital Signature Algorithm
65      (EdDSA) structures is provided.
66      </t>
67
68    </abstract>
69
70  </front>
71
72  <middle>
73
74    <section title="Introduction">
75
76      <t>
77        In <xref target="RFC7748"/>, the elliptic curves curve25519
78      and curve448 are described.  They are designed with performance
79      and security in mind.  The curves may be used for Diffie-Hellman
80      and digital signature operations.
81      </t>
82
83      <t>
84        <xref target="RFC7748"/> describes the operations on these
85        curves for the Diffie-Hellman operation.  A convention has
86        developed that when these two curves are used with the
87        Diffie-Hellman operation, they are referred to as X25519 and
88        X448.  This RFC defines the ASN.1 Object Identifiers (OIDs)
89        for the operations X25519 and X448 along with the associated
90        parameters.  The use of these OIDs is described for public and
91        private keys.
92      </t>
93        
94
95      <t>
96        In <xref target="RFC8032"/> the elliptic curve signature
97        system Edwards-curve Digital Signature Algorithm (EdDSA) is
98        described along with a recommendation for the use of the
99        curve25519 and curve448.  EdDSA has defined two modes: the
100        PureEdDSA mode without prehashing and the HashEdDSA mode
101        with prehashing.  The convention used for identifying the
102        algorithm/curve combinations is to use "Ed25519" and "Ed448"
103        for the PureEdDSA mode.  This document does not provide the
104        conventions needed for the prehash versions of the signature
105        algorithm.  The use of the OIDs is described for public keys,
106        private keys and signatures.
107      </t>
108
109      <t>
110        <xref target="RFC8032"/> additionally defines the concept of a
111        context.  Contexts can be used to differentiate signatures
112        generated for different purposes with the same key.  The use
113        of contexts is not defined in this document for the following
114        reasons:
115        <list style="symbols">
116          <t>The current implementations of Ed25519 do not support the
117          use of contexts; thus, if specified, it will potentially delay
118          the use of these algorithms further.</t>
119          <t>
120            EdDSA is the only IETF algorithm that
121            currently supports the use of contexts; however, there is a
122            possibility that there will be confusion between which
123            algorithms need to have separate keys and which do not.
124            This may result in a decrease of security for those other
125            algorithms.
126          </t>
127          <t>
128            There are still ongoing discussions among the
129            cryptographic community about how effective the use of
130            contexts is for preventing attacks.
131          </t>
132          <t>
133            There needs to be discussions about the correct way to
134            identify when context strings are to be used.  It is not
135            clear if different OIDs should be used for different
136            contexts or the OID should merely note that a context
137            string needs to be provided.
138          </t>
139        </list>
140      </t>
141    </section>
142
143    <section title="Requirements Terminology">
144
145      <t>
146The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
147"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
148"OPTIONAL" in this document are to be interpreted as described in BCP
14914 <xref target="RFC2119" /> <xref target="RFC8174"/> when, and only
150when, they appear in all capitals, as shown here.
151      </t>
152
153    </section>
154
155    <section title="Curve25519 and Curve448 Algorithm Identifiers">
156
157      <t>Certificates conforming to <xref target="RFC5280"/> can
158      convey a public key for any public key algorithm.  The
159      certificate indicates the algorithm through an algorithm
160      identifier.  An algorithm identifier consists of an OID and optional parameters.
161      </t>
162      
163      <t>The AlgorithmIdentifier type, which is included for
164      convenience, is defined as follows:</t>
165
166      <figure>
167        <artwork><![CDATA[
168AlgorithmIdentifier  ::=  SEQUENCE  {
169    algorithm   OBJECT IDENTIFIER,
170    parameters  ANY DEFINED BY algorithm OPTIONAL
171}
172]]></artwork>
173      </figure>
174
175      <t>The fields in AlgorithmIdentifier have the following
176      meanings:</t>
177
178      <t><list style="symbols">
179        <t>algorithm identifies the cryptographic algorithm with an
180        object identifier.  Four such OIDs are defined below.</t>
181
182    <t>parameters, which are optional, are the associated
183    parameters for the algorithm identifier in the algorithm
184    field.
185    </t>
186      </list></t>
187
188      <t>
189
190    In this document, we define four new OIDs for identifying the
191    different curve/algorithm pairs: the curves being curve25519 and
192    curve448 and the algorithms being ECDH and EdDSA in pure mode.  For all of the OIDs, the
193    parameters MUST be absent.
194      </t>
195
196  <t>
197    It is possible to find systems that require the parameters to be
198    present.  This can be due to either a defect in the original 1997
199    syntax or a programming error where developers never got input
200    where this was not true.  The optimal solution is to fix these
201    systems; where this is not possible, the problem needs to be
202    restricted to that subsystem and not propagated to the Internet.
203  </t>
204      <t>
205        The same algorithm identifiers are used for identifying a
206        public key, a private key, and a
207        signature (for the two EdDSA related OIDs).  Additional
208        encoding information is provided below for each of these
209        locations.
210      </t>
211
212      
213      <figure>
214        <artwork><![CDATA[
215id-X25519    OBJECT IDENTIFIER ::= { 1 3 101 110 }
216id-X448      OBJECT IDENTIFIER ::= { 1 3 101 111 }
217id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
218id-Ed448     OBJECT IDENTIFIER ::= { 1 3 101 113 }
219]]></artwork>
220      </figure>
221
222    </section>
223
224    <section title="Subject Public Key Fields">
225
226      <t>In the X.509 certificate, the subjectPublicKeyInfo field has
227      the SubjectPublicKeyInfo type, which has the following ASN.1
228      syntax:</t>
229
230      <figure>
231        <artwork><![CDATA[
232SubjectPublicKeyInfo  ::=  SEQUENCE  {
233    algorithm         AlgorithmIdentifier,
234    subjectPublicKey  BIT STRING
235}
236]]></artwork>
237      </figure>
238
239      <t>The fields in SubjectPublicKeyInfo have the following
240      meanings:</t>
241
242      <t><list style="symbols">
243        <t>algorithm is the algorithm identifier and parameters for
244        the public key (see above).</t>
245
246        <t>subjectPublicKey contains the byte stream of the public key.
247        The algorithms defined in this document always encode the public key as an exact multiple of 8 bits.
248        </t>
249      </list></t>
250
251      <t>
252        Both <xref target="RFC7748"/> and <xref target="RFC8032"/>
253        define the public key value as being a byte string.  It should
254        be noted that the public key is computed differently for each
255        of these documents; thus, the same private key will not produce
256        the same public key.
257      </t>
258
259      <t>The following is an example of a public key encoded using the
260      textual encoding defined in <xref target="RFC7468"/>.</t>
261
262      <figure>
263<artwork><![CDATA[
264-----BEGIN PUBLIC KEY-----
265MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
266-----END PUBLIC KEY-----      
267]]></artwork>
268      </figure>
269    </section>
270    
271    <section title="Key Usage Bits">
272      
273      <t>The intended application for the key is indicated in the
274      keyUsage certificate extension.</t>
275
276      <t>
277        If the keyUsage extension is present in a certificate that indicates
278        id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST
279        be present:
280      </t>
281
282      <figure><artwork>
283        keyAgreement;
284      </artwork></figure>
285
286      <t>
287        one of the following MAY also be present:
288      </t>
289
290      <t>
291        <figure><artwork>
292          encipherOnly; or
293          decipherOnly.
294          </artwork>
295        </figure>
296      </t>
297
298      <t>
299        If the keyUsage extension is present in an end-entity
300        certificate that indicates id-Ed25519 or id-Ed448, then the
301        keyUsage extension MUST contain one or both of the following
302        values:</t>
303
304      <figure>
305        <artwork><![CDATA[
306        nonRepudiation; and
307        digitalSignature.
308]]></artwork>
309      </figure>
310
311      <t>If the keyUsage extension is present in a certification
312      authority certificate that indicates id-Ed25519 or id-Ed448,
313      then the keyUsage extension MUST contain one or more of the
314      following values:</t>
315
316      <figure>
317<artwork><![CDATA[
318       nonRepudiation;
319       digitalSignature;
320       keyCertSign; and
321       cRLSign.
322       ]]></artwork>
323      </figure>
324
325        
326
327    </section>
328
329    <section title="EdDSA Signatures">
330
331      <t>
332        Signatures can be placed in a number of different ASN.1
333        structures.  The top level structure for a certificate is
334        given below as being illustrative of how signatures are
335        frequently encoded with an algorithm identifier and a location
336        for the signature.
337      </t>
338
339
340      <figure>
341<artwork><![CDATA[
342   Certificate  ::=  SEQUENCE  {
343        tbsCertificate       TBSCertificate,
344        signatureAlgorithm   AlgorithmIdentifier,
345        signatureValue       BIT STRING  }
346]]></artwork>
347      </figure>
348
349      <t>
350        The same algorithm identifiers are used for signatures as are
351        used for public keys.  When used to identify signature
352        algorithms, the parameters MUST be absent.
353      </t>
354
355      <t>The data to be signed is prepared for EdDSA.  Then, a private
356      key operation is performed to generate the signature value.
357      This value is the opaque value ENC(R) || ENC(S) described in
358      Section 3.3 of <xref target="RFC8032"/>.
359      
360      The octet string representing the signature is encoded directly
361      in the BIT STRING without adding any additional ASN.1 wrapping.
362      For the Certificate structure, the signature value is wrapped in
363      the "signatureValue" BIT STRING field.
364      </t>
365      
366    </section>
367
368    <section title="Private Key Format">
369
370      <t>
371        <xref target="RFC5958">"Asymmetric Key Packages"</xref>
372        describes how to encode a private key in a structure that both
373        identifies what algorithm the private key is for and allows
374        for the public key and additional attributes about the key to
375        be included as well.  For illustration, the ASN.1 structure
376        OneAsymmetricKey is replicated below.  The algorithm-specific
377        details of how a private key is encoded are left for the
378        document describing the algorithm itself.
379      </t>
380      
381      <figure>
382        <artwork><![CDATA[
383OneAsymmetricKey ::= SEQUENCE {
384   version Version,
385   privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
386   privateKey PrivateKey,
387   attributes [0] IMPLICIT Attributes OPTIONAL,
388   ...,
389   [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
390   ...
391}
392
393PrivateKey ::= OCTET STRING
394
395PublicKey ::= BIT STRING
396]]></artwork>
397      </figure>
398
399      <t>
400        For the keys defined in this document, the private key is
401        always an opaque byte sequence.  The ASN.1 type
402        CurvePrivateKey is defined in this document to hold the byte
403        sequence.  Thus, when encoding a OneAsymmetricKey object, the
404        private key is wrapped in a CurvePrivateKey object and
405        wrapped by the OCTET STRING of the "privateKey" field.
406      </t>
407
408      <figure>
409      <artwork><![CDATA[
410CurvePrivateKey ::= OCTET STRING
411]]></artwork>
412      </figure>
413      
414      <t>
415To encode an EdDSA, X25519, or X448 private key, the "privateKey"
416field will hold the encoded private key.  The "privateKeyAlgorithm"
417field uses the AlgorithmIdentifier structure.  The structure is
418encoded as defined above.  If present, the "publicKey" field will hold
419the encoded key as defined in <xref target="RFC7748"/> and <xref
420target="RFC8032"/>.
421      </t>
422
423      <t>The following is an example of a private key encoded using
424      the textual encoding defined in <xref target="RFC7468"/>.</t>
425
426      <figure>
427<artwork><![CDATA[
428-----BEGIN PRIVATE KEY-----
429MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
430-----END PRIVATE KEY-----
431]]></artwork>
432      </figure>
433
434      <t>
435        The following example, in addition to encoding the private
436        key, has an attribute included as well as the
437        public key.  As with the prior example, the textual encoding
438        defined in <xref target="RFC7468"/> is used.
439      </t>
440      <figure>
441        <artwork><![CDATA[
442-----BEGIN PRIVATE KEY-----
443MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
444oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
445Z9w7lshQhqowtrbLDFw4rXAxZuE=
446-----END PRIVATE KEY------]]></artwork>
447      </figure>
448
449      <t>
450        NOTE: There exist some private key import functions that have
451        not picked up the new ASN.1 structure OneAsymmetricKey that is
452        defined in <xref target="RFC7748"/>.  This means that they
453        will not accept a private key structure that contains the
454        public key field.  This means a balancing act needs to be done
455        between being able to do a consistency check on the key pair
456        and widest ability to import the key.
457      </t>
458    </section>
459
460    <section title="Human-Readable Algorithm Names">
461
462      <t>For the purpose of consistent cross-implementation naming,
463      this section establishes human-readable names for the algorithms
464      specified in this document.  Implementations SHOULD use these
465      names when referring to the algorithms.  If there is a strong
466      reason to deviate from these names -- for example, if the
467      implementation has a different naming convention and wants to
468      maintain internal consistency -- it is encouraged to deviate as
469      little as possible from the names given here.</t>
470
471      <t>Use the string "ECDH" when referring to a public key of type
472      "X25519" or "X448" when the curve is not known or relevant.</t>
473
474      <t>When the curve is known, use the more specific string of
475      "X25519" or "X448".</t>
476      
477      
478      <t>Use the string "EdDSA" when referring to a signing public key or
479      signature when the curve is not known or relevant.</t>
480
481      <t>When the curve is known, use a more specific
482      string. 
483      For the id-Ed25519 value use the string "Ed25519". For id-Ed448,
484      use "Ed448".</t>
485      
486    </section>
487
488    <section title="ASN.1 Module" anchor="module">
489
490      <t>For reference purposes, the ASN.1 syntax is presented as an
491      ASN.1 module here.</t>
492
493      <figure>
494<artwork><![CDATA[
495-- ASN.1 Module
496
497Safecurves-pkix-18
498 { iso(1) identified-organization(3) dod(6) internet(1)
499 security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-safecurves-pkix (93)
500  
501DEFINITIONS EXPLICIT TAGS ::=
502BEGIN
503
504IMPORTS
505  SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
506  KeyUsage, AlgorithmIdentifier
507  FROM AlgorithmInformation-2009 
508    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
509    mechanisms(5) pkix(7) id-mod(0)
510    id-mod-algorithmInformation-02(58)}
511
512  mda-sha512
513  FROM PKIX1-PSS-OAEP-Algorithms-2009
514    { iso(1) identified-organization(3) dod(6) internet(1)
515      security(5) mechanisms(5) pkix(7) id-mod(0)
516      id-mod-pkix1-rsa-pkalgs-02(54) }
517
518  kwa-aes128-wrap, kwa-aes256-wrap
519  FROM CMSAesRsaesOaep-2009
520    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
521      smime(16) modules(0) id-mod-cms-aes-02(38) }
522  ;
523    
524
525id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
526
527id-X25519        OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
528id-X448          OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
529id-Ed25519       OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
530id-Ed448         OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
531
532
533 sa-Ed25519 SIGNATURE-ALGORITHM ::= {
534    IDENTIFIER id-Ed25519
535     PARAMS ARE absent
536     PUBLIC-KEYS {pk-Ed25519}
537     SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
538 }
539
540 pk-Ed25519 PUBLIC-KEY ::= {
541     IDENTIFIER id-Ed25519
542     -- KEY no ASN.1 wrapping --
543     PARAMS ARE absent
544     CERT-KEY-USAGE {digitalSignature, nonRepudiation,
545                     keyCertSign, cRLSign}
546     PRIVATE-KEY CurvePrivateKey
547 }
548
549 kaa-X25519 KEY-AGREE ::= {
550     IDENTIFIER id-X25519
551     PARAMS ARE absent
552     PUBLIC-KEYS {pk-X25519}
553     UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
554     SMIME-CAPS {
555        TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
556        IDENTIFIED BY id-X25519 }
557 }
558
559 pk-X25519 PUBLIC-KEY ::= {
560     IDENTIFIER id-X25519
561     -- KEY no ASN.1 wrapping --
562     PARAMS ARE absent
563     CERT-KEY-USAGE { keyAgreement }
564     PRIVATE-KEY CurvePrivateKey
565 }
566
567 KeyWrapAlgorithms KEY-WRAP ::= {
568     kwa-aes128-wrap | kwa-aes256-wrap,
569     ...
570 }
571     
572 kaa-X448 KEY-AGREE ::= {
573     IDENTIFIER id-X448
574     PARAMS ARE absent
575     PUBLIC-KEYS {pk-X448}
576     UKM -- TYPE no ASN.1 wrapping  -- ARE preferredPresent
577     SMIME-CAPS {
578        TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
579        IDENTIFIED BY id-X448 }
580 }
581
582 pk-X448 PUBLIC-KEY ::= {
583     IDENTIFIER id-X448
584     -- KEY no ASN.1 wrapping --
585     PARAMS ARE absent
586     CERT-KEY-USAGE { keyAgreement }
587     PRIVATE-KEY CurvePrivateKey
588 }
589
590CurvePrivateKey ::= OCTET STRING
591    
592                                 
593END
594]]></artwork>
595      </figure>
596
597    </section>
598
599    <section title="Examples">
600
601      <t>This section contains illustrations of EdDSA public keys and
602      certificates, illustrating parameter choices.</t>
603
604
605      <section title="Example Ed25519 Public Key">
606
607<t>An example of an Ed25519 public key:</t>
608
609<figure>
610  <artwork><![CDATA[
611      Public Key Information:
612          Public Key Algorithm: Ed25519
613          Algorithm Security Level: High
614
615      Public Key Usage:
616      
617      Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
618      
619      -----BEGIN PUBLIC KEY-----
620      MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
621      -----END PUBLIC KEY-----
622]]></artwork>
623</figure>
624      
625      </section>
626
627      <section title="Example X25519 Certificate">
628
629<t>An example of a self-issued PKIX certificate using Ed25519 to sign
630an X25519 public key would be:</t>
631
632<figure>
633  <artwork><![CDATA[
634  0 300: SEQUENCE {
635  4 223:   SEQUENCE {
636  7   3:     [0] {
637  9   1:       INTEGER 2
638       :       }
639 12   8:     INTEGER 56 01 47 4A 2A 8D C3 30
640 22   5:     SEQUENCE {
641 24   3:       OBJECT IDENTIFIER
642       :         Ed 25519 signature algorithm { 1 3 101 112 }
643       :       }
644 29  25:     SEQUENCE {
645 31  23:       SET {
646 33  21:         SEQUENCE {
647 35   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
648 40  14:           UTF8String 'IETF Test Demo'
649       :           }
650       :         }
651       :       }
652 56  30:     SEQUENCE {
653 58  13:       UTCTime 01/08/2016 12:19:24 GMT
654 73  13:       UTCTime 31/12/2040 23:59:59 GMT
655       :       }
656 88  25:     SEQUENCE {
657 90  23:       SET {
658 92  21:         SEQUENCE {
659 94   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
660 99  14:           UTF8String 'IETF Test Demo'
661       :           }
662       :         }
663       :       }
664115  42:     SEQUENCE {
665117   5:       SEQUENCE {
666119   3:         OBJECT IDENTIFIER
667       :           ECDH 25519 key agreement { 1 3 101 110 }
668       :         }
669124  33:       BIT STRING
670       :         85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
671       :         0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
672       :       }
673159  69:     [3] {
674161  67:       SEQUENCE {
675163  15:         SEQUENCE {
676165   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
677170   1:           BOOLEAN TRUE
678173   5:           OCTET STRING, encapsulates {
679175   3:             SEQUENCE {
680177   1:               BOOLEAN FALSE
681       :               }
682       :             }
683       :           }
684180  14:         SEQUENCE {
685182   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
686187   1:           BOOLEAN FALSE
687190   4:           OCTET STRING, encapsulates {
688192   2:             BIT STRING 3 unused bits
689       :               '10000'B (bit 4)
690       :             }
691       :           }
692196  32:         SEQUENCE {
693198   3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
694203   1:           BOOLEAN FALSE
695206  22:           OCTET STRING, encapsulates {
696208  20:             OCTET STRING
697       :               9B 1F 5E ED ED 04 33 85 E4 F7 BC 62 3C 59 75
698       :               B9 0B C8 BB 3B
699       :             }
700       :           }
701       :         }
702       :       }
703       :     }
704230   5:   SEQUENCE {
705232   3:     OBJECT IDENTIFIER
706       :       Ed 25519 signature algorithm { 1 3 101 112 }
707       :     }
708237  65:   BIT STRING
709       :     AF 23 01 FE DD C9 E6 FF C1 CC A7 3D 74 D6 48 A4
710       :     39 80 82 CD DB 69 B1 4E 4D 06 EC F8 1A 25 CE 50
711       :     D4 C2 C3 EB 74 6C 4E DD 83 46 85 6E C8 6F 3D CE
712       :     1A 18 65 C5 7A C2 7B 50 A0 C3 50 07 F5 E7 D9 07
713       :   }
714      
715-----BEGIN CERTIFICATE-----
716MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX
717N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD
718DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj
719ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg
720BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v
721/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg
722w1AH9efZBw==
723-----END CERTIFICATE-----
724]]></artwork>
725</figure>
726
727      </section>
728
729      <section title="Examples of Ed25519 Private Key">
730        <t>
731          An example of an Ed25519 private key without the public key:
732        </t>
733    
734      <figure>
735<artwork><![CDATA[
736-----BEGIN PRIVATE KEY-----
737MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
738-----END PRIVATE KEY-----
739]]></artwork>
740      </figure>
741
742      <t>The same item dumped as ASN.1 yields:
743      </t>
744
745      <figure><artwork>
746 0 30   46: SEQUENCE {
747 2 02    1:   INTEGER 0
748 5 30    5:   SEQUENCE {
749 7 06    3:     OBJECT IDENTIFIER
750          :       Ed 25519 signature algorithm { 1 3 101 112 }
751          :     }
75212 04   34:   OCTET STRING
753          :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
754          :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
755          :     58 42
756          :   }
757          </artwork>
758      </figure>
759
760      <t>
761        Note that the value of the private key is:
762      </t>
763
764      <figure><artwork>
765D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD
7663A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42
767</artwork></figure>
768
769
770        <t>
771          An example of the same Ed25519 private key encoded with an attribute and the public key:
772        </t>
773    
774      <figure>
775<artwork><![CDATA[
776-----BEGIN PRIVATE KEY-----
777MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
778oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
779Z9w7lshQhqowtrbLDFw4rXAxZuE=
780-----END PRIVATE KEY-----
781]]></artwork>
782      </figure>
783
784      <t>The same item dumped as ASN.1 yields:
785      </t>
786
787      <figure><artwork>
788  0 114: SEQUENCE {
789  2   1:   INTEGER 1
790  5   5:   SEQUENCE {
791  7   3:     OBJECT IDENTIFIER '1 3 101 112'
792       :     }
793 12  34:   OCTET STRING, encapsulates {
794       :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
795       :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
796       :     58 42
797       :     }
798 48  31:   [0] {
799 50  29:     SEQUENCE {
800 52  10:       OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20'
801 64  15:       SET {
802 66  13:         UTF8String 'Curdle Chairs'
803       :         }
804       :       }
805       :     }
80681  33:   [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B
807              96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66
808              E1
809       :   }
810          </artwork>
811      </figure>
812
813    </section>
814  </section>
815
816    <section title="IANA Considerations">
817
818      <t>
819      For the ASN.1 module in <xref target="module"/>, IANA has registered
820      value 93 for "id-mod-safecurves-pkix" in the "SMI
821      Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry.
822      </t>
823
824      <t>
825 The OIDs are being independently registered in the IANA
826 registry "SMI Security for Cryptographic Algorithms" in <xref
827 target="RFC8411"/>.
828      </t>
829
830
831    </section>
832
833    <section anchor="Security" title="Security Considerations">
834
835      <t>
836        The security considerations of <xref target='RFC5280'/>,
837        <xref target="RFC7748"/>, and <xref target="RFC8032"/> apply
838        accordingly.
839      </t>
840
841      <t>
842        The procedures for going from a private key to a public key
843        are different when used with Diffie-Hellman versus when used
844        with Edwards Signatures.  This means that the same public key
845        cannot be used for both ECDH and EdDSA.
846      </t>
847
848
849    </section>
850
851  </middle>
852
853  <back>
854
855    <references title="Normative References">
856
857      &rfc2119;
858      &rfc5280;
859      &rfc5480;
860      &rfc7748;
861      &eddsa;
862      &rfc5958;
863      &rfc8174;
864
865    </references>
866
867    <references title="Informative References">
868
869      &rfc3279;
870      &rfc4055;
871      &rfc5639;
872
873&rfc7468;
874<!--&iana;draft-schaad-curdle-oid-registry-03; in AUTH48 as RFC8411 -->
875
876
877
878<reference anchor='RFC8411' target='http://www.rfc-editor.org/info/rfc8411'>
879<front>
880<title>IANA Registration for the Cryptographic Algorithm Object Identifier Range</title>
881
882<author initials='J' surname='Schaad' fullname='Jim Schaad'>
883    <organization />
884</author>
885
886<author initials='R' surname='Andrews' fullname='Rick Andrews'>
887    <organization />
888</author>
889
890<date month='July' year='2018' />
891
892<abstract><t>When the Curdle Security Working Group was chartered, a range of object identifiers was donated by DigiCert, Inc. for the purpose of registering the Edwards Elliptic Curve key agreement and signature algorithms.  This donated set of OIDs allowed for shorter values than would be possible using the existing S/MIME or PKIX arcs.  This document describes the range of identifiers that were assigned in that donated range, transfers control of that range to IANA, and establishes IANA allocation policies for any future assignments within that range.</t></abstract>
893
894</front>
895
896<seriesInfo name='RFC' value='8411' />
897<seriesInfo name="DOI" value="10.17487/RFC8411"/>
898
899</reference>
900
901
902    </references>
903
904    <section title="Invalid Encodings">
905      <t>
906        There are a number of things that need to be dealt with when a
907        new key part is decoded and imported into the system.  A
908        partial list of these includes:
909        <list style="symbols">
910
911<!--[rfced] Please clarify this sentence. Does it mean the following or otherwise?
912
913Current:
914   This was an incorrect copy of the structure from [RFC5958],
915   which was corrected before publication.
916
917Perhaps:
918  This was a copy of an incorrect structure that was in 
919  the Internet-Draft; the structure is correct in [RFC5958]. 
920
921Or:
922  This was a copy of incorrect structure that was in a draft 
923  of the document that later became [RFC5958]; the structure is 
924  correct in the RFC.
925-->
926
927
928
929          <t>
930            ASN.1 encoding errors: Two items are highlighted here.
931            First, the use of an OCTET STRING rather than a BIT STRING
932            for the public key.  The use of OCTET STRING was a copy error that existed in a previous draft version of this document; the structure is correct in <xref target="RFC5958"/>.  However, any early
933            implementation may have this wrong.  Second, the value of
934            the version field is required to be 0 if the publicKey is
935            absent and 1 if present.  This is called out in <xref
936            target="RFC5958"/>, but was not duplicated above.
937          </t>
938          <t>
939            Key encoding errors: Both <xref target="RFC7748"/> and
940            <xref target="RFC8032"/> have formatting requirements for
941            keys that need to be enforced.  In some cases, the
942            enforcement is done at the time of importing, for example,
943            doing masking or a mod p operation.  In other cases, the
944            enforcement is done by rejecting the keys and having an
945            import failure.
946          </t>
947          <t>
948            Key mismatch errors: If a public key is provided, it may
949            not agree with the private key because either it is wrong
950            or the wrong algorithm was used.
951          </t>
952        </list>
953      </t>
954
955      <t>
956        Some systems are also going to be stricter on what they
957        accept.  As stated in <xref target="RFC5958"/>, BER decoding
958        of OneAsymmetricKey objects is a requirement for compliance.
959        Despite this requirement, some acceptors will only decode DER
960        formats.  The following is a BER encoding of a private key; 
961        it is valid, but it may not be accepted by many systems.
962      </t>
963
964      <figure><artwork>
965-----BEGIN PRIVATE KEY-----
966MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1W
967EIAAA==
968-----END PRIVATE KEY-----      
969      </artwork></figure>
970
971
972
973      <t>
974        What follows here is a brief sampling of some incorrect keys.
975      </t>
976
977      <t>
978        In the following example, the private key does not match the
979        masking requirements for X25519.  For this example, the top
980        bits are set to zero and the bottom three bits are set to 001.
981      </t>
982
983      <figure><artwork>
984-----BEGIN PRIVATE KEY-----
985MFMCAQEwBQYDK2VuBCIEIPj///////////////////////////////////////8/oS
986MDIQCEfA0sN1I082XmYJVRh6NzWg92E9FgnTpqTYxTrqpaIg==
987-----END PRIVATE KEY-----
988      </artwork></figure>
989
990      <t>
991        In the following examples, the key is the wrong length because
992        an all-zero byte has been removed.  In one case, the first byte
993        has been removed; in the other case, the last byte has been
994        removed.
995      </t>
996
997      <figure><artwork>
998-----BEGIN PRIVATE KEY-----
999MFICAQEwBQYDK2VwBCIEIC3GfeUYbZGTAhwLEE2cbvJL7ivTlcy17VottfN6L8HwoS
1000IDIADBfk2Lv/J8H7YYwj/OmIcDx++jzVkKrKwS0/HjyQyM
1001-----END PRIVATE KEY-----
1002      </artwork></figure>
1003
1004      <figure><artwork>
1005-----BEGIN PRIVATE KEY-----
1006MFICAQEwBQYDK2VwBCIEILJXn1VaLqvausjUaZexwI/ozmOFjfEk78KcYN+7hsNJoS
1007IDIACdQhJwzi/MCGcsQeQnIUh2JFybDxSrZxuLudJmpJLk
1008-----END PRIVATE KEY-----
1009      </artwork></figure>
1010
1011
1012    </section>
1013
1014        <section title="Acknowledgments" numbered="no">
1015
1016      <t>Text and/or inspiration were drawn from <xref
1017      target="RFC5280"/>, <xref target="RFC3279"/>, <xref
1018      target="RFC4055"/>, <xref target="RFC5480"/>, and <xref
1019      target="RFC5639"/>.</t>
1020
1021      <t>The following people discussed the document and provided
1022      feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick
1023      Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos,
1024      Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.</t>
1025
1026      <t>A big thank you to Symantec for kindly donating the OIDs used
1027      in this document.</t>
1028      
1029    </section>
1030  </back>
1031</rfc>

mirror server hosted at Truenetwork, Russian Federation.