1 / 20

PKCS #9 v2.0

PKCS #9 v2.0. Magnus Nyström RSA Laboratories PKCS Workshop, 1999. Background. Historically, PKCS #9 has specified selected attributes They have been used in PKCS #6, PKCS #7 and PKCS #10

emory
Download Presentation

PKCS #9 v2.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKCS #9 v2.0 Magnus Nyström RSA Laboratories PKCS Workshop, 1999

  2. Background • Historically, PKCS #9 has specified selected attributes • They have been used in PKCS #6, PKCS #7 and PKCS #10 • With increasing popularity for LDAP-accessible directories, more attributes (and a supporting object class) were needed

  3. Overview of differences from v1: • Two new (auxiliary) object classes: • pkcsEntity • naturalPerson • New attributes for use with these classes (e.g. “pseudonym”) • Some other new attributes: • Random nonce • Sequence number

  4. Overview of differences, cont.. • Some older attributes have been updated (DirectoryString, internationalization) • “Compilable” ASN.1 module included • Collected undocumented OIDs and attributes defined elsewhere • BNF Schema summary included for easier integration in LDAP services

  5. The pkcsEntity object class • pkcsEntity OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {PKCS9AttributeSet} ID pkcs-9-oc-pkcsEntity }

  6. The PKCS9AttributeSet • PKCS9AttributeSet ATTRIBUTE ::= { userPKCS12 | pKCS15Token | encryptedPrivateKeyInfo, …}

  7. The userPKCS12Attribute • Intended to store PKCS #12 PFX PDUs in directories • Multi-valued

  8. The pKCS15Token attribute • Intended for storage of PKCS #15 soft-tokens in directories (once such tokens are defined in PKCS #15…) • Multi-valued

  9. The encryptedPrivateKeyInfo attribute • Intended for storage of simple encrypted private keys in directories • Note: No (explicit) integrity check! • Multi-valued

  10. The naturalPerson object class • naturalPerson OBJECT-CLASS ::= { SUBCLASS OF {top} KIND auxiliary MAY CONTAIN {NaturalPersonAttributeSet} ID pkcs-9-oc-naturalPerson }

  11. The NaturalPersonAttributeSet • NaturalPersonAttributeSet ATTRIBUTE ::= { emailAddress | unstructuredName | unstructuredAddress | pseudonym | dateOfBirth | placeOfBirth | gender | countryOfCitizenship | countryOfResidence, …}

  12. The pseudonym attribute • Useful attribute in distinguished names for anonymous (at least in some sense) certificates • Intended to be used in IETF’s qualified certificates • Multi-valued (?)

  13. The dateOfBirth attribute • Specifies the date of birth • Intended to be used in IETF’s qualified certificates • Single-valued...

  14. The placeOfBirth attribute • DirectoryString • Intended to be used in IETF’s qualified certificates • Single-valued...

  15. The gender attribute • Printable string (‘M’ or ‘F’) • Intended to be used in IETF’s qualified certificates • Single-valued

  16. The countryOfCitizenship and countryOfResidence attributes • Printable strings (ISO 3166) • Intended to be used in IETF’s qualified certificates • Multi-valued

  17. Other new attributes • randomNonce: For use in conjunction with signatures to prevent replay attacks. Especially when no signingTime is available. • sequenceNumber: For the same use. Similar to numbering your checks.

  18. Modified (extended) old attributes • unstructuredName, unstructuredAddress, challengePassword, signingDescription: Syntax now extended to allow internationalization (implementations SHOULD use old syntax if possible) • signingTime: updated to be in accordance with S/MIME

  19. Time schedule • If you have any comments - please give them on or before October 25th. • Expect third draft early in November, for a short (2 w) review period (unless major changes) • v2.0 to be published in late November /early December 1999.

  20. Comments & Suggestions • Please send comments to • pkcs-tng@rsasecurity.com or • pkcs-editor@rsasecurity.com

More Related