draft-ietf-netconf-crypto-types-09.txt   draft-ietf-netconf-crypto-types-10.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track H. Wang Intended status: Standards Track H. Wang
Expires: December 22, 2019 Huawei Expires: January 3, 2020 Huawei
June 20, 2019 July 2, 2019
Common YANG Data Types for Cryptography Common YANG Data Types for Cryptography
draft-ietf-netconf-crypto-types-09 draft-ietf-netconf-crypto-types-10
Abstract Abstract
This document defines YANG identities, typedefs, the groupings useful This document defines YANG identities, typedefs, the groupings useful
for cryptographic applications. for cryptographic applications.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Editor instructions are specified elsewhere in this document. Editor instructions are specified elsewhere in this document.
Artwork in this document contains shorthand references to drafts in Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements: progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2019-06-20" --> the publication date of this draft o "2019-07-02" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix B. Change Log o Appendix B. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2019. This Internet-Draft will expire on January 3, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 30 skipping to change at page 2, line 30
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Crypto Types Module . . . . . . . . . . . . . . . . . . . 3 2. The Crypto Types Module . . . . . . . . . . . . . . . . . . . 3
2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3
2.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 5
3. Security Considerations . . . . . . . . . . . . . . . . . . . 41 3. Security Considerations . . . . . . . . . . . . . . . . . . . 48
3.1. Support for Algorithms . . . . . . . . . . . . . . . . . 41 3.1. Support for Algorithms . . . . . . . . . . . . . . . . . 48
3.2. No Support for CRMF . . . . . . . . . . . . . . . . . . . 42 3.2. No Support for CRMF . . . . . . . . . . . . . . . . . . . 48
3.3. Access to Data Nodes . . . . . . . . . . . . . . . . . . 42 3.3. Access to Data Nodes . . . . . . . . . . . . . . . . . . 48
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50
4.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 43 4.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 50
4.2. The YANG Module Names Registry . . . . . . . . . . . . . 43 4.2. The YANG Module Names Registry . . . . . . . . . . . . . 50
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.1. Normative References . . . . . . . . . . . . . . . . . . 44 5.1. Normative References . . . . . . . . . . . . . . . . . . 50
5.2. Informative References . . . . . . . . . . . . . . . . . 46 5.2. Informative References . . . . . . . . . . . . . . . . . 53
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 49 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 56
A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping . 49 A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping . 56
A.2. The "generate-certificate-signing-request" Action . . . . 51 A.2. The "generate-certificate-signing-request" Action . . . . 58
A.3. The "certificate-expiration" Notification . . . . . . . . 52 A.3. The "certificate-expiration" Notification . . . . . . . . 59
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 53 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 60
B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 60
B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 60
B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 60
B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 54 B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 61
B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 54 B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 61
B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 62
B.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 62
B.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 62
B.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 56 B.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 63
B.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 56 B.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 63
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 56 B.11. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 63
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 63
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 64
1. Introduction 1. Introduction
This document defines a YANG 1.1 [RFC7950] module specifying This document defines a YANG 1.1 [RFC7950] module specifying
identities, typedefs, and groupings useful for cryptography. identities, typedefs, and groupings useful for cryptography.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
skipping to change at page 3, line 31 skipping to change at page 3, line 32
2. The Crypto Types Module 2. The Crypto Types Module
2.1. Tree Diagram 2.1. Tree Diagram
This section provides a tree diagram [RFC8340] for the "ietf-crypto- This section provides a tree diagram [RFC8340] for the "ietf-crypto-
types" module. Only the groupings as represented, as tree diagrams types" module. Only the groupings as represented, as tree diagrams
have no means to represent identities or typedefs. have no means to represent identities or typedefs.
module: ietf-crypto-types module: ietf-crypto-types
grouping symmetric-key-grouping: grouping symmetric-key-grouping
+---- algorithm encryption-algorithm-t +-- algorithm encryption-algorithm-t
+---- (key-type) +-- (key-type)
+--:(key) +--:(key)
| +---- key? binary | +-- key? binary
+--:(hidden-key) +--:(hidden-key)
+---- hidden-key? empty +-- hidden-key? empty
grouping public-key-grouping: grouping public-key-grouping
+---- algorithm asymmetric-key-algorithm-t +-- algorithm asymmetric-key-algorithm-t
+---- public-key binary +-- public-key binary
grouping asymmetric-key-pair-grouping: grouping asymmetric-key-pair-grouping
+---- algorithm asymmetric-key-algorithm-t +-- algorithm asymmetric-key-algorithm-t
+---- public-key binary +-- public-key binary
+---- (private-key-type) +-- (private-key-type)
+--:(private-key) +--:(private-key)
| +---- private-key? binary | +-- private-key? binary
+--:(hidden-private-key) +--:(hidden-private-key)
+---- hidden-private-key? empty +-- hidden-private-key? empty
grouping trust-anchor-cert-grouping: grouping trust-anchor-cert-grouping
+---- cert? trust-anchor-cert-cms +-- cert? trust-anchor-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +-- expiration-date yang:date-and-time
grouping trust-anchor-certs-grouping: grouping trust-anchor-certs-grouping
+---- cert* trust-anchor-cert-cms +-- cert* trust-anchor-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +-- expiration-date yang:date-and-time
grouping end-entity-cert-grouping: grouping end-entity-cert-grouping
+---- cert? end-entity-cert-cms +-- cert? end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +-- expiration-date yang:date-and-time
grouping end-entity-certs-grouping: grouping end-entity-certs-grouping
+---- cert* end-entity-cert-cms +-- cert* end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +-- expiration-date yang:date-and-time
grouping asymmetric-key-pair-with-cert-grouping: grouping asymmetric-key-pair-with-cert-grouping
+---- algorithm +-- algorithm
| asymmetric-key-algorithm-t | asymmetric-key-algorithm-t
+---- public-key binary +-- public-key binary
+---- (private-key-type) +-- (private-key-type)
| +--:(private-key) | +--:(private-key)
| | +---- private-key? binary | | +-- private-key? binary
| +--:(hidden-private-key) | +--:(hidden-private-key)
| +---- hidden-private-key? empty | +-- hidden-private-key? empty
+---- cert? end-entity-cert-cms +-- cert? end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time | +-- expiration-date yang:date-and-time
+---x generate-certificate-signing-request +---x generate-certificate-signing-request
+---- input +---w input
| +---w subject binary | +---w subject binary
| +---w attributes? binary | +---w attributes? binary
+---- output +--ro output
+--ro certificate-signing-request binary +--ro certificate-signing-request binary
grouping asymmetric-key-pair-with-certs-grouping: grouping asymmetric-key-pair-with-certs-grouping
+---- algorithm +-- algorithm
| asymmetric-key-algorithm-t | asymmetric-key-algorithm-t
+---- public-key binary +-- public-key binary
+---- (private-key-type) +-- (private-key-type)
| +--:(private-key) | +--:(private-key)
| | +---- private-key? binary | | +-- private-key? binary
| +--:(hidden-private-key) | +--:(hidden-private-key)
| +---- hidden-private-key? empty | +-- hidden-private-key? empty
+---- certificates +-- certificates
| +---- certificate* [name] | +-- certificate* [name]
| +---- name string | +-- name? string
| +---- cert? end-entity-cert-cms | +-- cert? end-entity-cert-cms
| +---n certificate-expiration | +---n certificate-expiration
| +--ro expiration-date ietf-yang-types:date-and-time | +-- expiration-date yang:date-and-time
+---x generate-certificate-signing-request +---x generate-certificate-signing-request
+---- input +---w input
| +---w subject binary | +---w subject binary
| +---w attributes? binary | +---w attributes? binary
+---- output +--ro output
+--ro certificate-signing-request binary +--ro certificate-signing-request binary
2.2. YANG Module 2.2. YANG Module
This module has normative references to [RFC2404], [RFC3565], This module has normative references to [RFC2404], [RFC3565],
[RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494], [RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494],
[RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187], [RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187],
[RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422], [RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422],
[RFC8446], and [ITU.X690.2015]. [RFC8446], and [ITU.X690.2015].
This module has an informational reference to [RFC2986], [RFC3174], This module has an informational reference to [RFC2986], [RFC3174],
[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], [RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507],
[RFC8017], [RFC8032], [RFC8439]. [RFC8017], [RFC8032], [RFC8439].
<CODE BEGINS> file "ietf-crypto-types@2019-06-20.yang" <CODE BEGINS> file "ietf-crypto-types@2019-07-02.yang"
module ietf-crypto-types { module ietf-crypto-types {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix ct; prefix ct;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
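Review bot: In the revised tree for asymmetric-key-pair-with-certs-grouping, the list key is now rendered as optional: the list line is "certificate* [name]" but its key leaf changed from "name string" to "name? string". A list key is always mandatory, so either the diagram was generated in a way that mislabels the key or the grouping itself changed; regenerate the diagram or fix the leaf so the tree and the module agree. The unchanged sentence above the diagram, "Only the groupings as represented", also reads as if "are represented" was intended.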
skipping to change at page 6, line 26 skipping to change at page 6, line 27
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.; itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2019-06-20 { revision 2019-07-02 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: Common YANG Data Types for Cryptography"; "RFC XXXX: Common YANG Data Types for Cryptography";
} }
/**************************************/ /**************************************/
/* Identities for Hash Algorithms */ /* Identities for Hash Algorithms */
/**************************************/ /**************************************/
skipping to change at page 7, line 34 skipping to change at page 7, line 36
reference reference
"RFC 6234: US Secure Hash Algorithms."; "RFC 6234: US Secure Hash Algorithms.";
} }
enum sha-512 { enum sha-512 {
value 5; value 5;
description description
"The SHA-512 algorithm."; "The SHA-512 algorithm.";
reference reference
"RFC 6234: US Secure Hash Algorithms."; "RFC 6234: US Secure Hash Algorithms.";
} }
enum shake-128 {
value 6;
description
"The SHA3 algorithm with 128-bits output.";
reference
"National Institute of Standards and Technology,
SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions, FIPS PUB 202, DOI
10.6028/NIST.FIPS.202, August 2015.";
}
enum shake-224 {
value 7;
description
"The SHA3 algorithm with 224-bits output.";
reference
"National Institute of Standards and Technology,
SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions, FIPS PUB 202, DOI
10.6028/NIST.FIPS.202, August 2015.";
}
enum shake-256 {
value 8;
description
"The SHA3 algorithm with 256-bits output.";
reference
"National Institute of Standards and Technology,
SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions, FIPS PUB 202, DOI
10.6028/NIST.FIPS.202, August 2015.";
}
enum shake-384 {
value 9;
description
"The SHA3 algorithm with 384-bits output.";
reference
"National Institute of Standards and Technology,
SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions, FIPS PUB 202, DOI
10.6028/NIST.FIPS.202, August 2015.";
}
enum shake-512 {
value 10;
description
"The SHA3 algorithm with 384-bits output.";
reference
"National Institute of Standards and Technology,
SHA-3 Standard: Permutation-Based Hash and
Extendable-Output Functions, FIPS PUB 202, DOI
10.6028/NIST.FIPS.202, August 2015.";
}
} }
} }
default "0"; default "0";
description description
"The uint16 filed shall be set by individual protocol families "The uint16 filed shall be set by individual protocol families
according to the hash algorithm value assigned by IANA. The according to the hash algorithm value assigned by IANA. The
setting is optional and by default is 0. The enumeration setting is optional and by default is 0. The enumeration
filed is set to the selected hash algorithm."; filed is set to the selected hash algorithm.";
} }
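Review bot: In the added shake-* enums, the shake-512 entry (value 10) repeats the shake-384 text, "The SHA3 algorithm with 384-bits output", so two values document the same output length; it should say 512 if that is the intent. All five descriptions also call the algorithm "SHA3" while the enum names say SHAKE and the reference cites the "Extendable-Output Functions" of FIPS PUB 202. FIPS 202 defines only SHAKE128 and SHAKE256 as extendable-output functions, and the fixed-length 224/256/384/512-bit functions are named SHA3-224 through SHA3-512. Suggest either renaming the entries to sha3-224 through sha3-512, or keeping only shake-128 and shake-256 and stating whether the number is a security strength or an output length, since an implementation that maps a name to the wrong primitive will compute an incompatible digest.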
skipping to change at page 9, line 4 skipping to change at page 10, line 8
description description
"The RSA algorithm using a 7680-bit key."; "The RSA algorithm using a 7680-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
enum rsa15360 { enum rsa15360 {
value 6; value 6;
description description
"The RSA algorithm using a 15360-bit key."; "The RSA algorithm using a 15360-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
enum secp192r1 { enum secp192r1 {
value 7; value 7;
description description
"The ECDSA algorithm using a NIST P192 Curve."; "The asymmetric algorithm using a NIST P192 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms. Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480: RFC 5480:
Elliptic Curve Cryptography Subject Public Key Elliptic Curve Cryptography Subject Public Key
Information."; Information.";
} }
enum secp224r1 { enum secp224r1 {
value 8; value 8;
description description
"The ECDSA algorithm using a NIST P224 Curve."; "The asymmetric algorithm using a NIST P224 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms. Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480: RFC 5480:
Elliptic Curve Cryptography Subject Public Key Elliptic Curve Cryptography Subject Public Key
Information."; Information.";
} }
enum secp256r1 { enum secp256r1 {
value 9; value 9;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The asymmetric algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms. Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480: RFC 5480:
Elliptic Curve Cryptography Subject Public Key Elliptic Curve Cryptography Subject Public Key
Information."; Information.";
} }
enum secp384r1 { enum secp384r1 {
value 10; value 10;
description description
"The ECDSA algorithm using a NIST P384 Curve."; "The asymmetric algorithm using a NIST P384 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms. Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480: RFC 5480:
Elliptic Curve Cryptography Subject Public Key Elliptic Curve Cryptography Subject Public Key
Information."; Information.";
} }
enum secp521r1 { enum secp521r1 {
value 11; value 11;
description description
"The ECDSA algorithm using a NIST P521 Curve."; "The asymmetric algorithm using a NIST P521 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms. Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480: RFC 5480:
Elliptic Curve Cryptography Subject Public Key Elliptic Curve Cryptography Subject Public Key
Information."; Information.";
} }
enum x25519 {
value 12;
description
"The asymmetric algorithm using a x.25519 Curve.";
reference
"RFC 7748:
Elliptic Curves for Security.";
}
enum x448 {
value 13;
description
"The asymmetric algorithm using a x.448 Curve.";
reference
"RFC 7748:
Elliptic Curves for Security.";
}
} }
} }
default "0"; default "0";
description description
"The uint16 filed shall be set by individual protocol "The uint16 filed shall be set by individual protocol
families according to the asymmetric key algorithm value families according to the asymmetric key algorithm value
assigned by IANA. The setting is optional and by default assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected is 0. The enumeration filed is set to the selected
asymmetric key algorithm."; asymmetric key algorithm.";
} }
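Review bot: The new x25519 and x448 descriptions name the curves "x.25519" and "x.448", a spelling the cited RFC 7748 does not use; that document calls the curves curve25519 and curve448 and the Diffie-Hellman functions X25519 and X448. Because the secp* descriptions in this hunk were changed from "The ECDSA algorithm" to the generic "The asymmetric algorithm", it would help to state in the x25519 and x448 descriptions that these are key-agreement keys, so a key of this type is not paired with a signature algorithm by mistake. The unchanged typedef description still says "filed" where "field" is meant.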
skipping to change at page 13, line 24 skipping to change at page 14, line 44
enum aes-cmac-128 { enum aes-cmac-128 {
value 14; value 14;
description description
"Generating 128-bit MAC using Advanced Encryption "Generating 128-bit MAC using Advanced Encryption
Standard (AES) Cipher-based Message Authentication Standard (AES) Cipher-based Message Authentication
Code (CMAC)"; Code (CMAC)";
reference reference
"RFC 4494: "RFC 4494:
The AES-CMAC Algorithm and its Use with IPsec"; The AES-CMAC Algorithm and its Use with IPsec";
} }
enum sha1-des3-kd {
value 15;
description
"Generating MAC using triple DES encryption function";
reference
"RFC 3961:
Encryption and Checksum Specifications for Kerberos
5";
}
} }
} }
default "0"; default "0";
description description
"The uint16 filed shall be set by individual protocol "The uint16 filed shall be set by individual protocol
families according to the mac algorithm value assigned by families according to the mac algorithm value assigned by
IANA. The setting is optional and by default is 0. The IANA. The setting is optional and by default is 0. The
enumeration filed is set to the selected mac algorithm."; enumeration filed is set to the selected mac algorithm.";
} }
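Review bot: The description of the added sha1-des3-kd enum, "Generating MAC using triple DES encryption function", does not account for the sha1 or kd parts of the name, so a reader cannot tell which construction from the cited RFC 3961 is meant. Suggest spelling out the hash, the cipher and the key-derivation step, and giving the MAC output length as the neighbouring aes-cmac-128 entry does. Because this entry depends on SHA-1 and triple DES, consider a YANG status statement on it or a caveat in Section 3.1 (Support for Algorithms) so it is not picked for new deployments.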
skipping to change at page 15, line 14 skipping to change at page 16, line 43
value 6; value 6;
description description
"Encrypt message with AES algorithm in CTR mode with "Encrypt message with AES algorithm in CTR mode with
a key length of 256 bits"; a key length of 256 bits";
reference reference
"RFC 3686: "RFC 3686:
Using Advanced Encryption Standard (AES) Counter Using Advanced Encryption Standard (AES) Counter
Mode with IPsec Encapsulating Security Payload Mode with IPsec Encapsulating Security Payload
(ESP)"; (ESP)";
} }
enum des3-cbc-sha1-kd {
value 7;
description
"Encrypt message with 3DES algorithm in CBC mode
with sha1 function for key derivation";
reference
"RFC 3961:
Encryption and Checksum Specifications for
Kerberos 5";
}
enum rc4-hmac {
value 8;
description
"Encrypt message with rc4 algorithm";
reference
"RFC 4757:
The RC4-HMAC Kerberos Encryption Types Used by
Microsoft Windows";
}
enum rc4-hmac-exp {
value 9;
description
"Encrypt message with rc4 algorithm that is exportable";
reference
"RFC 4757:
The RC4-HMAC Kerberos Encryption Types Used by
Microsoft Windows";
}
} }
} }
default "0"; default "0";
description description
"The uint16 filed shall be set by individual protocol "The uint16 filed shall be set by individual protocol
families according to the encryption algorithm value families according to the encryption algorithm value
assigned by IANA. The setting is optional and by default assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected is 0. The enumeration filed is set to the selected
encryption algorithm."; encryption algorithm.";
} }
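Review bot: The three added enums (des3-cbc-sha1-kd, rc4-hmac, rc4-hmac-exp) place triple DES, RC4 and an algorithm the description itself calls "exportable" in the same enumeration as the AES modes, with nothing in the entries marking them as legacy. Suggest a status statement (deprecated or obsolete) or explicit wording in each description, so a server exposing this typedef does not present them as equal choices and an operator auditing a configuration can flag them. The two RC4 descriptions also say only "Encrypt message with rc4 algorithm", omitting the HMAC part of the name and not saying how the exportable variant differs from rc4-hmac.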
skipping to change at page 21, line 16 skipping to change at page 23, line 25
"RFC 5656: "RFC 5656:
Elliptic Curve Algorithm Integration in the Secure Elliptic Curve Algorithm Integration in the Secure
Shell Transport Layer Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol The Transport Layer Security (TLS) Protocol
Version 1.3"; Version 1.3";
} }
enum ed25519 { enum ed25519 {
value 15; value 15;
description description
"The signature algorithm using EdDSA as defined in "The signature algorithm using EdDSA with curve x25519";
RFC 8032 or its successors.";
reference reference
"RFC 8032: "RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)"; Edwards-Curve Digital Signature Algorithm (EdDSA)";
} }
enum ed448 { enum ed25519-cts {
value 16; value 16;
description description
"The signature algorithm using EdDSA as defined in "The signature algorithm using EdDSA with curve x25519
RFC 8032 or its successors."; with phflag = 0";
reference reference
"RFC 8032: "RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)"; Edwards-Curve Digital Signature Algorithm (EdDSA)";
} }
enum eccsi { enum ed25519-ph {
value 17; value 17;
description description
"The signature algorithm using EdDSA with curve x25519
with phflag = 1";
reference
"RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
enum ed25519-sha512 {
value 18;
description
"The signature algorithm using EdDSA with curve x25519
and SHA-512 function";
reference
"RFC 8419:
Use of Edwards-Curve Digital Signature Algorithm
(EdDSA) Signatures in the Cryptographic Message
Syntax (CMS)";
}
enum ed448 {
value 19;
description
"The signature algorithm using EdDSA with curve x448";
reference
"RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
enum ed448-ph {
value 20;
description
"The signature algorithm using EdDSA with curve x448
and with PH being SHAKE256(x, 64) and phflag being 1";
reference
"RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
enum ed448-shake256 {
value 21;
description
"The signature algorithm using EdDSA with curve x448
and SHAKE-256 function";
reference
"RFC 8419:
Use of Edwards-Curve Digital Signature Algorithm
(EdDSA) Signatures in the Cryptographic Message
Syntax (CMS)";
}
enum ed448-shake256-len {
value 22;
description
"The signature algorithm using EdDSA with curve x448
and SHAKE-256 function and a customized hash output";
reference
"RFC 8419:
Use of Edwards-Curve Digital Signature Algorithm
(EdDSA) Signatures in the Cryptographic Message
Syntax (CMS)";
}
enum rsa-sha2-256 {
value 23;
description
"The signature algorithm using RSA with SHA2 function
for SSH protocol";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512
in the Secure Shell (SSH) Protocol";
}
enum rsa-sha2-512 {
value 24;
description
"The signature algorithm using RSA with SHA2 function
for SSH protocol";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512
in the Secure Shell (SSH) Protocol";
}
enum eccsi {
value 25;
description
"The signature algorithm using ECCSI signature as "The signature algorithm using ECCSI signature as
defined in RFC 6507."; defined in RFC 6507.";
reference reference
"RFC 6507: "RFC 6507:
Elliptic Curve-Based Certificateless Signatures Elliptic Curve-Based Certificateless Signatures
for Identity-based Encryption (ECCSI)"; for Identity-based Encryption (ECCSI)";
} }
} }
} }
default "0"; default "0";
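Review bot: The new entries are inserted in the middle of the enumeration, so existing values change meaning: value 16 was ed448 and is now ed25519-cts, value 17 was eccsi and is now ed25519-ph, while ed448 moves to 19 and eccsi to 25. Anything that recorded the numeric value against the previous revision will now select a different signature algorithm; append new entries after the highest existing value, or call out the renumbering in the change log. The descriptions also say "EdDSA with curve x25519" and "curve x448", but X25519 and X448 are the Diffie-Hellman functions; the cited RFC 8032 names the signature curves edwards25519 and edwards448. The name ed25519-cts looks like a typo for the Ed25519ctx variant of RFC 8032, and rsa-sha2-256 and rsa-sha2-512 carry identical descriptions that should each name their hash.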
skipping to change at page 28, line 26 skipping to change at page 32, line 16
} }
enum ecdh-sha2-secp384r1 { enum ecdh-sha2-secp384r1 {
value 29; value 29;
description description
"Elliptic curve-based Diffie Hellman key exchange over "Elliptic curve-based Diffie Hellman key exchange over
curve ecp384r1 and using SHA2 for MAC generation"; curve ecp384r1 and using SHA2 for MAC generation";
reference reference
"RFC 6239: "RFC 6239:
Suite B Cryptographic Suites for Secure Shell (SSH)"; Suite B Cryptographic Suites for Secure Shell (SSH)";
} }
enum rsaes-oaep { enum ecdh-x25519-x9.63-sha256 {
value 30; value 30;
description description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using ANSI x9.63 with SHA256 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x25519-x9.63-sha384 {
value 31;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using ANSI x9.63 with SHA384 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x25519-x9.63-sha512 {
value 32;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using ANSI x9.63 with SHA512 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x25519-hkdf-sha256 {
value 33;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using HKDF with SHA256 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x25519-hkdf-sha384 {
value 34;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using HKDF with SHA384 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x25519-hkdf-sha512 {
value 35;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.25519 and using HKDF with SHA512 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-x9.63-sha256 {
value 36;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using ANSI x9.63 with SHA256 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-x9.63-sha384 {
value 37;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using ANSI x9.63 with SHA384 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-x9.63-sha512 {
value 38;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using ANSI x9.63 with SHA512 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-hkdf-sha256 {
value 39;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using HKDF with SHA256 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-hkdf-sha384 {
value 40;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using HKDF with SHA384 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum ecdh-x448-hkdf-sha512 {
value 41;
description
"Elliptic curve-based Diffie Hellman key exchange over
curve x.448 and using HKDF with SHA512 as KDF";
reference
"RFC 8418:
Use of the Elliptic Curve Diffie-Hellman Key Agreement
Algorithm with X25519 and X448 in the Cryptographic
Message Syntax (CMS)";
}
enum rsaes-oaep {
value 42;
description
"RSAES-OAEP combines the RSAEP and RSADP primitives with "RSAES-OAEP combines the RSAEP and RSADP primitives with
the EME-OAEP encoding method"; the EME-OAEP encoding method";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: PKCS #1:
RSA Cryptography Specifications Version 2.2."; RSA Cryptography Specifications Version 2.2.";
} }
enum rsaes-pkcs1-v1_5 { enum rsaes-pkcs1-v1_5 {
value 31; value 43;
description description
"RSAES-PKCS1-v1_5 combines the RSAEP and RSADP "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
primitives with the EME-PKCS1-v1_5 encoding method"; primitives with the EME-PKCS1-v1_5 encoding method";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: PKCS #1:
RSA Cryptography Specifications Version 2.2."; RSA Cryptography Specifications Version 2.2.";
} }
} }
} }
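Review bot: the two existing enums at the end of this enumeration are renumbered instead of being left in place: rsaes-oaep moves from value 30 to 42 and rsaes-pkcs1-v1_5 from 31 to 43, so value 30 now means ecdh-x25519-x9.63-sha256. Anything that keyed on the -09 integer values would select a key agreement scheme where it previously selected RSA encryption, with no error raised. Suggest appending the twelve new X25519/X448 entries after rsaes-pkcs1-v1_5 so the existing values stay fixed, or stating in the change log that enum values are not stable between draft revisions. The new descriptions also write the curves as "x.25519" and "x.448", while the cited RFC 8418 title uses X25519 and X448; matching the reference spelling would avoid ambiguity.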
skipping to change at page 56, line 19 skipping to change at page 63, line 19
o Added grouping symmetric-key-grouping o Added grouping symmetric-key-grouping
o Modified 'asymmetric-key-pair-grouping' to have a 'choice' o Modified 'asymmetric-key-pair-grouping' to have a 'choice'
statement for the keystone module to augment into, as well as statement for the keystone module to augment into, as well as
replacing the 'union' with leafs (having different NACM settings. replacing the 'union' with leafs (having different NACM settings.
B.10. 08 to 09 B.10. 08 to 09
o Converting algorithm from identities to enumerations. o Converting algorithm from identities to enumerations.
B.11. 09 to 10
o All of the below changes are to the algorithm enumerations defined
in ietf-crypto-types.
o Add in support for key exchange over x.25519 and x.448 based on
RFC 8418.
o Add in SHAKE-128, SHAKE-224, SHAKE-256, SHAKE-384 and SHAKE 512
o Revise/add in enum of signature algorithm for x25519 and x448
o Add in des3-cbc-sha1 for IPSec
o Add in sha1-des3-kd for IPSec
o Add in definit for rc4-hmac and rc4-hmac-exp. These two
algorithms have been deprecated in RFC 8429. But some existing
draft in i2nsf may still want to use them.
o Add x25519 and x448 curve for asymmetric algorithms
o Add signature algorithms ed25519, ed25519-cts, ed25519ph
o add signature algorithms ed448, ed448ph
o Add in rsa-sha2-256 and rsa-sha2-512 for SSH protocols (rfc8332)
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Martin Bjorklund, on list and in the halls (ordered by last name): Martin Bjorklund,
Nick Hancock, Balazs Kovacs, Juergen Schoenwaelder, Eric Voit, and Nick Hancock, Balazs Kovacs, Juergen Schoenwaelder, Eric Voit, and
Liang Xia. Liang Xia.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
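Review bot: the B.11 entry "Add in SHAKE-128, SHAKE-224, SHAKE-256, SHAKE-384 and SHAKE 512" names functions that FIPS 202 does not define; only SHAKE128 and SHAKE256 exist as extendable-output functions there, so the 224/384/512 entries need a reference or a corrected name (possibly SHA3-224/384/512 were meant). In the same list, "ed25519-cts" looks like a typo for the Ed25519ctx variant in RFC 8032, and "signature algorithm for x25519 and x448" mixes up the key agreement functions with the Ed25519/Ed448 signature schemes. The rc4-hmac entry adds algorithms that the text itself says RFC 8429 deprecated, so the change log should state whether those enums are marked as deprecated in the module. "definit" should read "definition".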
 End of changes. 49 change blocks. 
97 lines changed or deleted 442 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/