| Network Working Group | S. Josefsson |
| Internet-Draft | SJD AB |
| Intended status: Informational | June 8, 2015 |
| Expires: December 10, 2015 |
Using EdDSA/Ed25519 in the Internet X.509 Public Key Infrastructure
draft-josefsson-pkix-eddsa-00
This document specify algorithm identifiers and ASN.1 encoding formats for EdDSA/Ed25519 digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKIX) for Certificates and CRLs.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 10, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
In [Ed25519], an elliptic curve signature system EdDSA was introduced, and a recommended choice of curve Ed25519 is chosen. Ed25519 was designed with performance and security in mind. EdDSA and Ed25519 is also described in [I-D.josefsson-eddsa-ed25519].
This RFC defines ASN.1 object identifiers for EdDSA and Ed25519 for use in the Internet X.509 PKI [RFC5280]. This document serves a similar role as [RFC3279] does for RSA (and more), [RFC4055] for RSA-OAEP/PSS, and [RFC5758] for SHA2-based (EC)DSA.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The root of the tree for the object identifiers defined in this specification is given by:
id-EdDSA OBJECT IDENTIFIER ::= { 1.3.6.1.4.1.11591.4.12 }
In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING
}
The fields in SubjectPublicKeyInfo have the following meanings:
The AlgorithmIdentifier type, which is included for convenience, is defined as follows:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
The fields in AlgorithmIdentifier have the following meanings:
Certificates conforming to [RFC5280] may convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. This algorithm identifier is an OID and optionally associated parameters.
This section identify the OID and parameters for the EdDSA algorithm. Conforming CAs MUST use the identified OIDs when issuing certificates containing EdDSA public keys. Conforming applications supporting EdDSA MUST, at a minimum, recognize the OID identified in this section.
The id-EdDSAPublicKey OID is used for identifying EdDSA public keys.
id-EdDSAPublicKey OBJECT IDENTIFIER ::= { id-EdDSA 1 }
The id-EdDSAPublicKey OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field MUST have ASN.1 type NULL for this algorithm identifier.
[[TODO: We need to clarify the curve choice. I see two options: 1) Let the OID defined here mean Ed25519 directly. 2) Let the OID defined here mean EdDSA, and specify a parameters structure (maybe reusing RFC 3279's EcpkParameters) and another NamedCurve OID to refer to Ed25519. The second is only useful if EdDSA will ever be used with other curves.]]
The EdDSA public key MUST be encoded using the ASN.1 type EdDSAPublicKey:
EdDSAPublicKey ::= OCTET STRING -- LE edwards point
where the value is the little-endian encoded edwards point. The DER encoded EdDSAPublicKey is the value of the BIT STRING subjectPublicKey.
The intended application for the key MAY be indicated in the keyUsage certificate extension.
If the keyUsage extension is present in an end-entity certificate that conveys an EdDSA public key with the id-EdDSAPublicKey object identifier, then the keyUsage extension MUST contain one or both of the following values:
nonRepudiation; and
digitalSignature.
If the keyUsage extension is present in a certification authority certificate that conveys an EdDSA public key with the id-EdDSAPublicKey object identifier, then the keyUsage extension MUST contain one or more of the following values:
nonRepudiation;
digitalSignature;
keyCertSign; and
cRLSign.
Certificates and CRLs conforming to [RFC5280] may be signed with any public key signature algorithm. The certificate or CRL indicates the algorithm through an algorithm identifier which appears in the signatureAlgorithm field within the Certificate or CertificateList. This algorithm identifier is an OID and has optionally associated parameters. For illustration the Certificate structure is reproduced here:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
Also recall the definition of the AlgorithmIdentifier type:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
This document identify an AlgorithmIdentifier OID for EdDSA signatures. No parameters are defined.
The data to be signed is prepared for EdDSA. Then, a private key operation is performed to generate the signature value. This signature value is then ASN.1 encoded as a BIT STRING and included in the Certificate or CertificateList in the signature field.
The id-EdDSASignature OID is used for identifying EdDSA signatures.
id-EdDSASignature OBJECT IDENTIFIER ::= { id-EdDSA 2 }
The id-EdDSASignature OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field MUST have ASN.1 type NULL for this algorithm identifier.
Text and/or inspiration were drawn from [RFC5280], [RFC3279], [RFC4055], [RFC5480], and [RFC5639].
Thanks to Ilari Liusvaara for ideas and discussion.
None.
The security considerations of [RFC5280] and [I-D.josefsson-eddsa-ed25519] apply accordingly.
| [I-D.josefsson-eddsa-ed25519] | Josefsson, S. and N. Moller, "EdDSA and Ed25519", Internet-Draft draft-josefsson-eddsa-ed25519-03, May 2015. |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC5280] | Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R. and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. |