New ASN.1 Modules for the Evidence Record Syntax (ERS)Vigil Security, LLC516 Dranesville RoadHerndonVA20170USAhousley@vigilsec.comRed Hound Software, Inc.5112 27th St. NArlingtonVA22207USAcarl@redhoundsoftware.comLTANSlong-term archiveThe Evidence Record Syntax (ERS) and the conventions for including these
evidence records in the Server-based Certificate Validation Protocol
(SCVP) are expressed using ASN.1. This document offers alternative ASN.1
modules that conform to the 2002 version of ASN.1 and employ the
conventions adopted in RFCs 5911, 5912, and 6268. There are no
bits-on-the-wire changes to any of the formats; this is simply a change
to the ASN.1 syntax.Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Revised BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Revised BSD License.
Table of Contents
. Introduction
. ASN.1 Module for RFC 4998
. ASN.1 Module for RFC 5276
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Authors' Addresses
IntroductionSome developers would like the IETF to use the latest version of ASN.1 in
its standards. This document provides alternative ASN.1 modules to assist
in that goal.The Evidence Record Syntax (ERS) provides two ASN.1 modules: one using the 1988 syntax
, which has been deprecated by
the ITU-T, and another one using the newer syntax , which continues to be maintained
and enhanced. This document provides an alternative ASN.1 module that
follows the conventions established in , , and .In addition, specifies the
mechanism for conveying evidence records in the Server-based Certificate
Validation Protocol (SCVP) .
There is only one ASN.1 module in , and it uses the 1988 syntax . This document provides an alternative ASN.1 module
using the newer syntax and
follows the conventions established in , , and . Note that already includes an alternative ASN.1 module for SCVP
.The original ASN.1 modules get some of their definitions from places
outside the RFC series. Some of the referenced definitions are somewhat
difficult to find. The alternative ASN.1 modules offered in this document
stand on their own when combined with the modules in ,
, and .The alternative ASN.1 modules produce the same bits on the wire as
the original ones.The alternative ASN.1 modules are informative; the original ones
are normative.ASN.1 Module for RFC 4998
ERS-2021
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0)
id-mod-ers(1) id-mod-ers-v2(2) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
ContentInfo
FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
AlgorithmIdentifier{}, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009 -- in [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) }
AttributeSet{}, ATTRIBUTE
FROM PKIX-CommonTypes-2009 -- in [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57) }
;
ltans OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) ltans(11) }
EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) },
digestAlgorithms SEQUENCE OF AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}},
cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence }
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF Attribute
ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}} OPTIONAL,
attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo }
PartialHashtree ::= SEQUENCE OF OCTET STRING
Attributes ::= SET SIZE (1..MAX) OF Attribute
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE.&id
({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE.&Type
({SupportedEncryptionAlgorithms}{@encryptionInfoType}) }
ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= { ... }
aa-er-internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 49 }
aa-er-external ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-aa(2) 50 }
ERSAttrSet ATTRIBUTE ::= { aa-er-internal | aa-er-external, ... }
Attribute ::= AttributeSet {{ERSAttrSet}}
END
ASN.1 Module for RFC 5276
LTANS-SCVP-EXTENSION-2021
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0)
id-mod-ers-scvp(5) id-mod-ers-scvp-v2(2) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
EXPORTS ALL;
IMPORTS
id-swb, CertBundle, WANT-BACK, AllWantBacks
FROM SCVP-2009 -- in [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-scvp-02(52) }
EvidenceRecord
FROM ERS-2021 -- in [RFC9169]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0)
id-mod-ers(1) id-mod-ers-v2(2) }
;
EvidenceRecordWantBack ::= SEQUENCE {
targetWantBack WANT-BACK.&id ({ExpandedWantBacks}),
evidenceRecord EvidenceRecord OPTIONAL }
EvidenceRecordWantBacks ::= SEQUENCE SIZE (1..MAX) OF
EvidenceRecordWantBack
EvidenceRecords ::= SEQUENCE SIZE (1..MAX) OF EvidenceRecord
ExpandedWantBacks WANT-BACK ::= { AllWantBacks |
NewWantBacks |
ERSWantBacks, ... }
NewWantBacks WANT-BACK ::= { swb-partial-cert-path, ... }
swb-partial-cert-path WANT-BACK ::=
{ CertBundle IDENTIFIED BY id-swb-partial-cert-path }
id-swb-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 15 }
ERSWantBacks WANT-BACK ::= { swb-ers-pkc-cert |
swb-ers-best-cert-path |
swb-ers-partial-cert-path |
swb-ers-revocation-info |
swb-ers-all, ... }
swb-ers-pkc-cert WANT-BACK ::=
{ EvidenceRecord IDENTIFIED BY id-swb-ers-pkc-cert }
id-swb-ers-pkc-cert OBJECT IDENTIFIER ::= { id-swb 16 }
swb-ers-best-cert-path WANT-BACK ::=
{ EvidenceRecord IDENTIFIED BY id-swb-ers-best-cert-path }
id-swb-ers-best-cert-path OBJECT IDENTIFIER ::= { id-swb 17 }
swb-ers-partial-cert-path WANT-BACK ::=
{ EvidenceRecord IDENTIFIED BY id-swb-ers-partial-cert-path }
id-swb-ers-partial-cert-path OBJECT IDENTIFIER ::= { id-swb 18 }
swb-ers-revocation-info WANT-BACK ::=
{ EvidenceRecords IDENTIFIED BY id-swb-ers-revocation-info }
id-swb-ers-revocation-info OBJECT IDENTIFIER ::= { id-swb 19 }
swb-ers-all WANT-BACK ::=
{ EvidenceRecordWantBacks IDENTIFIED BY id-swb-ers-all }
id-swb-ers-all OBJECT IDENTIFIER ::= { id-swb 20 }
END
IANA ConsiderationsIANA has assigned two object identifiers from the
"SMI Security for LTANS Module Identifier" registry to identify
the two ASN.1 modules in this document.The following object identifiers have been assigned:
IANA Object Identifiers
OID Value
Description
Reference
1.3.6.1.5.5.11.0.1.2
id-mod-ers-v2
RFC 9169
1.3.6.1.5.5.11.0.5.2
id-mod-ers-scvp-v2
RFC 9169
Security ConsiderationsPlease see the security considerations in and . This
document makes no changes to the security considerations in those
documents. The ASN.1 modules in this document preserve bits on the wire
as the ASN.1 modules that they replace.ReferencesNormative ReferencesInformation technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notationITU-TEvidence Record Syntax (ERS)In many scenarios, users must be able prove the existence and integrity of data, including digitally signed data, in a common and reproducible way over a long and possibly undetermined period of time. This document specifies the syntax and processing of an Evidence Record, a structure designed to support long-term non-repudiation of existence of data. [STANDARDS-TRACK]Server-Based Certificate Validation Protocol (SCVP)The Server-Based Certificate Validation Protocol (SCVP) allows a client to delegate certification path construction and certification path validation to a server. The path construction or validation (e.g., making sure that none of the certificates in the path are revoked) is performed according to a validation policy, which contains one or more trust anchors. It allows simplification of client implementations and use of a set of predefined validation policies. [STANDARDS-TRACK]Using the Server-Based Certificate Validation Protocol (SCVP) to Convey Long-Term Evidence RecordsThe Server-based Certificate Validation Protocol (SCVP) defines an extensible means of delegating the development and validation of certification paths to a server. It can be used to support the development and validation of certification paths well after the expiration of the certificates in the path by specifying a time of interest in the past. The Evidence Record Syntax (ERS) defines structures, called evidence records, to support the non-repudiation of the existence of data. Evidence records can be used to preserve materials that comprise a certification path such that trust in the certificates can be established after the expiration of the certificates in the path and after the cryptographic algorithms used to sign the certificates in the path are no longer secure. This document describes usage of the SCVP WantBack feature to convey evidence records, enabling SCVP responders to provide preservation evidence for certificates and certificate revocation lists (CRLs). [STANDARDS-TRACK]New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIMEThe Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates some auxiliary ASN.1 modules to conform to the 2008 version of ASN.1; the 1988 ASN.1 modules remain the normative version. There are no bits- on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Informative ReferencesSpecification of Abstract Syntax Notation One (ASN.1)CCITTCCITT Recommendation X.208Authors' AddressesVigil Security, LLC516 Dranesville RoadHerndonVA20170USAhousley@vigilsec.comRed Hound Software, Inc.5112 27th St. NArlingtonVA22207USAcarl@redhoundsoftware.com