Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
draft-ietf-curdle-pkix-01

The information below is for an old version of the document
Document
  Type: Active Internet-Draft (curdle WG)
  Last updated: 2016-08-19
  Replaces: draft-ietf-curdle-pkix-newcurves, draft-ietf-curdle-pkix-eddsa
  Stream: IETF
  Intended RFC status: (None)
Stream
  WG state: WG Document
  Document shepherd: No shepherd assigned
IESG
  IESG state: I-D Exists
  Consensus Boilerplate: Unknown
  Telechat date:
  Responsible AD: (None)
  Send notices to: (None)
Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Intended status: Standards Track                               J. Schaad
Expires: February 16, 2017                                August Cellars
                                                         August 15, 2016

Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and
      X448 for use in the Internet X.509 Public Key Infrastructure
                       draft-ietf-curdle-pkix-01

Abstract

   This document specifies algorithm identifiers and ASN.1 encoding
   formats for elliptic curve constructs using the Curve25519 and
   Curve448 curves.  The signature algorithms covered are Ed25519,
   Ed25519ph, Ed448 and Ed448ph.  The key agreement algorithms covered
   are X25519 and X448.  The encoding for public key, private key and
   EdDSA digital signature structures is provided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 16, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Josefsson & Schaad      Expires February 16, 2017               [Page 1]
Internet-Draft            Safe curves for X.509              August 2016

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Terminology  . . . . . . . . . . . . . . . . . .   3
   3.  Curve25519 and Curve448 Algorithm Identifiers . . . . . . . .   3
   4.  Subject Public Key Fields . . . . . . . . . . . . . . . . . .   4
   5.  Key Usage Bits  . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  EdDSA Signatures  . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Private Key Format  . . . . . . . . . . . . . . . . . . . . .   6
   8.  Human Readable Algorithm Names  . . . . . . . . . . . . . . .   7
   9.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . . . .   8
   10. Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  10
     10.1.  Example Ed25519 Public Key . . . . . . . . . . . . . . .  10
     10.2.  Example X25519 Certificate . . . . . . . . . . . . . . .  11
     10.3.  Example Ed25519 Private Key  . . . . . . . . . . . . . .  13
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  13
   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   13. Security Considerations . . . . . . . . . . . . . . . . . . .  13
   14. References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     14.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     14.2.  Informative References . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   In [RFC7748], the elliptic curves Curve25519 and Curve448 are
   described.  They are designed with performance and security in mind.
   The curves may be used for Diffie-Hellman and Digital Signature
   operations.  A convention has developed that when these two curves
   are used with the Diffie-Hellman operation, they are referred to as
   X25519 and X448.

   In [I-D.irtf-cfrg-eddsa], the elliptic curve signature system EdDSA
   is described and the curves Ed25519 and Ed448 are chosen as the
   recommended curves.  EdDSA has defined two modes: the PureEdDSA mode
   without pre-hashing, and the HashEdDSA mode with pre-hashing.  Unlike
   other digital signature algorithms, the Ed25519ph and Ed448ph
   algorithm definitions specify the one-way hash function that is
   used.  Attacks have been described when the same key is used with and
   without pre-hashing for Ed25519, so a single key MUST NOT be used for
   both modes.
   The convention used for identifying the algorithm/curve combinations
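
   The Introduction's rule that a single key MUST NOT be used for both
   the PureEdDSA and HashEdDSA modes can be checked across a key
   inventory.  The following Python code is an added example, not part
   of the draft; the record format, the function name
   find_mixed_mode_keys and the sample keys are assumptions, and it
   applies the same rule to the Ed448/Ed448ph pair.

```python
from collections import defaultdict

# Pure and pre-hash algorithm names as listed in the draft's abstract.
MODE_FAMILY = {
    "Ed25519": ("Ed25519", "pure"),
    "Ed25519ph": ("Ed25519", "prehash"),
    "Ed448": ("Ed448", "pure"),
    "Ed448ph": ("Ed448", "prehash"),
}


def find_mixed_mode_keys(inventory):
    """Return keys bound to both PureEdDSA and HashEdDSA on one curve.

    inventory: iterable of (label, algorithm_name, public_key_hex) records
    (a hypothetical format, e.g. exported from a certificate store).
    Result: list of (curve, public_key_hex, {mode: [labels]}), sorted by key.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for label, alg, key_hex in inventory:
        if alg not in MODE_FAMILY:
            continue  # X25519, X448 and non-EdDSA keys are out of scope
        curve, mode = MODE_FAMILY[alg]
        # Normalise the hex so case or whitespace cannot hide a reused key.
        key = bytes.fromhex(key_hex.strip()).hex()
        seen[(curve, key)][mode].append(label)
    return [
        (curve, key, {m: sorted(labels) for m, labels in modes.items()})
        for (curve, key), modes in sorted(seen.items())
        if len(modes) == 2  # both "pure" and "prehash" were observed
    ]


# Constructed sample inventory; the key values are made up for illustration.
KEY_A = "11" * 32
KEY_B = "22" * 32
SAMPLE = [
    ("cn=signer-1", "Ed25519", KEY_A),
    ("cn=signer-1-legacy", "Ed25519ph", KEY_A.upper()),  # same key, other mode
    ("cn=signer-2", "Ed25519", KEY_B),
    ("cn=signer-3", "Ed25519ph", "33" * 32),
    ("cn=kex-1", "X25519", KEY_A),
]

if __name__ == "__main__":
    for curve, key, modes in find_mixed_mode_keys(SAMPLE):
        print(f"{curve} key {key[:16]}... used in both modes: {modes}")
```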