Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3279
Document Type RFC - Proposed Standard (May 2002; Errata)
Authors Russ Housley  , Tim Polk  , Lawrence Bassham 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3279 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR 2 References Referenced by Nits 
Network Working Group                                            W. Polk
Request for Comments: 3279                                          NIST
Obsoletes: 2528                                               R. Housley
Category: Standards Track                               RSA Laboratories
                                                              L. Bassham
                                                                    NIST
                                                              April 2002

                   Algorithms and Identifiers for the
                Internet X.509 Public Key Infrastructure
       Certificate and Certificate Revocation List (CRL) Profile

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   This document specifies algorithm identifiers and ASN.1 encoding
   formats for digital signatures and subject public keys used in the
   Internet X.509 Public Key Infrastructure (PKI).  Digital signatures
   are used to sign certificates and certificate revocation list (CRLs).
   Certificates include the public key of the named subject.

Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . .   2
   2  Algorithm Support . . . . . . . . . . . . . . . . . . . .   3
   2.1  One-Way Hash Functions  . . . . . . . . . . . . . . . .   3
   2.1.1  MD2 One-Way Hash Functions  . . . . . . . . . . . . .   3
   2.1.2  MD5 One-Way Hash Functions  . . . . . . . . . . . . .   4
   2.1.3  SHA-1 One-Way Hash Functions  . . . . . . . . . . . .   4
   2.2  Signature Algorithms  . . . . . . . . . . . . . . . . .   4
   2.2.1  RSA Signature Algorithm . . . . . . . . . . . . . . .   5
   2.2.2  DSA Signature Algorithm . . . . . . . . . . . . . . .   6
   2.2.3  Elliptic Curve Digital Signature Algorithm  . . . . .   7
   2.3  Subject Public Key Algorithms . . . . . . . . . . . . .   7
   2.3.1  RSA Keys  . . . . . . . . . . . . . . . . . . . . . .   8
   2.3.2  DSA Signature Keys  . . . . . . . . . . . . . . . . .   9
   2.3.3  Diffie-Hellman Key Exchange Keys  . . . . . . . . . .  10

Polk, et al.                Standards Track                     [Page 1]
RFC 3279               Algorithms and Identifiers             April 2002

   2.3.4  KEA Public Keys . . . . . . . . . . . . . . . . . . .  11
   2.3.5  ECDSA and ECDH Public Keys  . . . . . . . . . . . . .  13
   3  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .  18
   4  References  . . . . . . . . . . . . . . . . . . . . . . .  24
   5  Security Considerations . . . . . . . . . . . . . . . . .  25
   6  Intellectual Property Rights  . . . . . . . . . . . . . .  26
   7  Author Addresses  . . . . . . . . . . . . . . . . . . . .  26
   8  Full Copyright Statement  . . . . . . . . . . . . . . . .  27

1  Introduction

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC 2119].

   This document specifies algorithm identifiers and ASN.1 [X.660]
   encoding formats for digital signatures and subject public keys used
   in the Internet X.509 Public Key Infrastructure (PKI).  This
   specification supplements [RFC 3280], "Internet X.509 Public Key
   Infrastructure:  Certificate and Certificate Revocation List (CRL)
   Profile."  Implementations of this specification MUST also conform to
   RFC 3280.

   This specification defines the contents of the signatureAlgorithm,
   signatureValue, signature, and subjectPublicKeyInfo fields within
   Internet X.509 certificates and CRLs.

   This document identifies one-way hash functions for use in the
   generation of digital signatures.  These algorithms are used in
   conjunction with digital signature algorithms.

   This specification describes the encoding of digital signatures
   generated with the following cryptographic algorithms:

      * Rivest-Shamir-Adelman (RSA);
      * Digital Signature Algorithm (DSA); and
      * Elliptic Curve Digital Signature Algorithm (ECDSA).

   This document specifies the contents of the subjectPublicKeyInfo
   field in Internet X.509 certificates.  For each algorithm, the
   appropriate alternatives for the the keyUsage extension are provided.
   This specification describes encoding formats for public keys used
   with the following cryptographic algorithms:

      * Rivest-Shamir-Adelman (RSA);
      * Digital Signature Algorithm (DSA);
      * Diffie-Hellman (DH);
      * Key Encryption Algorithm (KEA);

Polk, et al.                Standards Track                     [Page 2]
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools