Network Working Group                                       A. Colegrove
Request for Comments: 4534                                     H. Harney
Category: Standards Track                                   SPARTA, Inc.
                                                               June 2006
        

Group Security Policy Token v1

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

The Group Security Policy Token is a structure used to specify the security policy and configurable parameters for a cryptographic group, such as a secure multicast group. Because the security of a group is composed of the totality of multiple security services, mechanisms, and attributes throughout the communications infrastructure, an authenticatable representation of the features that must be supported throughout the system is needed to ensure consistent security. This document specifies the structure of such a token.

Table of Contents

   1. Introduction
   2. Token Creation and Receipt
   3. The Policy Token
      3.1. Token Identifiers
      3.2. Registration Policy
      3.3. Rekey Policy
      3.4. Group Data Policy
   4. Security Considerations
   5. IANA Considerations
   6. References
      6.1. Normative References
      6.2. Informative References
   7. Acknowledgements
   Appendix A. Core Policy Token ASN.1 Module
   Appendix B. GSAKMPv1 Base Policy
      B.1. GSAKMPv1 Registration Policy
          B.1.1. Authorization
          B.1.2. AccessControl
          B.1.3. JoinMechanisms
                 B.1.3.1. alaCarte
                 B.1.3.2. suite
          B.1.4. Transport
      B.2. GSAKMPv1 Registration ASN.1 Module
      B.3. GSAKMPv1 De-Registration Policy
      B.4. GSAKMPv1 De-Registration ASN.1 Module
      B.5. GSAKMPv1 Rekey Policy
           B.5.1. Rekey Authorization
           B.5.2. Rekey Mechanisms
           B.5.3. Rekey Event Definition
           B.5.4. Rekey Methods
                  B.5.4.1 Rekey Method NONE
                  B.5.4.2 Rekey Method GSAKMP LKH
           B.5.5 Rekey Interval
           B.5.6 Rekey Reliability
                 B.5.6.1 Rekey Reliability Mechanism None
                 B.5.6.2 Rekey Reliability Mechanism Resend
                 B.5.6.3 Rekey Reliability Mechanism Post
           B.5.7 Distributed Operation Policy
                 B.5.7.1 No Distributed Operation
                 B.5.7.2 Autonomous Distributed Mode
      B.6. GSAKMPv1 Rekey Policy ASN.1 Module
   Appendix C. Data SA Policy
      C.1. Generic Data Policy
      C.2. Generic Data Policy ASN.1 Module
        
1. Introduction

The Multicast Group Security Architecture [RFC3740] defines the security infrastructure to support secure group communications. The policy token assumes this architecture in its definition. It defines the enforceable security parameters for a Group Secure Association.

The policy token is a verifiable data construct signed by the Group Owner, the entity with the authorization to create security policy. The group controllers in a group will use the policy token to ensure that the mechanisms used to secure the group are correct and to enforce the access control rules for joining members. The group members, who may contribute data to the group or access data from the group, will use the policy token to ensure that the group is owned by a trusted authority. Also, the members may want to verify that the access control rules are adequate to protect the data that the member is submitting to the group.

The policy token is specified in ASN.1 [X.208] and is to be DER [X.660] encoded. This specification ability allows the token to easily import group definitions that span different applications and environments. ASN.1 allows the token to specify branches that can be used by any multicast security protocol. Any group can use this policy token structure to specify the use of multiple protocols in securing the group.

Care was taken in this specification to provide a core level of token specificity that would allow ease of extensibility and flexibility in supporting mechanisms. This was done by using the following abstracted construct:

     Mechanism ::= SEQUENCE {
       mechanismIdentifier  OBJECT IDENTIFIER,
       mechanismParameters OCTET STRING
     }
        

This construct will allow the use of group mechanisms specified in other documents with the policy token.

The policy token is structured to reflect the MSEC Architecture layers for a Group Security Association. Each of the architectural layers is identified and given a branch in the "Core" token. This allows a high degree of flexibility for future protocol specifications at each architectural layer without the need to change the "Core" policy token, which can then act as a single point of reference for defining secure groups using any mix of protocols for any number of environments.

2. Token Creation and Receipt

At the time of group creation or whenever the policy of the group is updated, the Group Owner will create a new policy token.

To ensure authenticity of the specified policy, the Token MUST be signed by the Group Owner. The signed token MUST be in accordance with the Cryptographic Message Syntax (CMS) [RFC3852] SignedData type.

The content of the SignedData is the token itself. It is represented with the ContentType object identifier of

     id-ct-msec-token    OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.1.1}
        

The CMS sid value of the SignerInfo, which identifies the public key needed to validate the signature, MUST be that of the Group Owner.

The signedAttrs field MUST be present. In addition to the minimally required fields of signedAttrs, the signing-time attribute MUST be present.

Upon receipt of a policy token, the recipient MUST check that

- the Group Owner, as identified by the sid in the SignerInfo, is the expected entity.

- the signing-time value is more recent than the signing-time value seen in a previously received policy token for that group, or the policy token is the first token seen by the recipient for that group.

- the processing of the signature successfully validates in accordance with RFC 3852.

- the specified security and communication mechanisms (or at least one mechanism of each choice) are supported and are in compliance with the recipient's local policy.

3. The Policy Token

The structure of the policy token is as follows:

     Token ::= SEQUENCE {
       tokenInfo     TokenID,
       registration  SEQUENCE OF Registration,
       rekey         SEQUENCE OF GroupMngmtProtocol,
       data          SEQUENCE OF DataProtocol
     }
        

tokenInfo provides information about the instance of the Policy Token (PT).

registration provides a list of acceptable registration and de-registration policy and mechanisms that may be used to manage member-initiated joins and departures from a group. A NULL sequence indicates that the group does not support registration and de-registration of members. A member MUST be able to support at least one set of Registration mechanisms in order to join the group. When multiple mechanisms are present, a member MAY use any of the listed methods. The list is ordered in terms of Group Owner preference. A member MUST choose the highest listed mechanism that local policy supports.

rekey provides the rekey protocols that will be used in managing the group. The member MUST be able to accept one of the types of rekey messages listed. The list is ordered in terms of Group Owner preference. A member MUST choose the highest listed mechanism that local policy supports.

data provides the applications used in the communications between group members. When multiple applications are provided, the order of the list implies the order of encapsulation of the data. A member MUST be able to support all the listed applications and if any choices of mechanisms are provided per application, the member MUST support at least one of the mechanisms.

For the registration, rekey, and data fields, implementations encountering unknown protocol identifiers MUST handle this gracefully by providing indicators that an unknown protocol is among the sequence of permissible protocols. If the unknown protocol is the only allowable protocol in the sequence, then the implementation cannot support that field, and the member cannot join the group. It is a matter of local policy whether a join is permitted when an unknown protocol exists among the allowable, known protocols.
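
The preference-ordered selection and unknown-protocol handling described above, as an added example that is not part of the RFC: a minimal DER reader for the Token structure and a chooser for the rekey field. The function names, the `known`/`permitted`/`allow_unknown` parameters, the string "none" for the NULL choice, the sample group name, the empty protocolInfo values and the use of the example arc 2.999.1 as an unrecognised protocol are all assumptions made for illustration.

```python
GSAKMP_REKEY = "1.3.6.1.5.5.12.3.3"   # id-GSAKMPv1Rekey, from the page's OID list

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one element; reject non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def seq_items(tag, value):
    """Split the contents of a SEQUENCE or SEQUENCE OF into (tag, value) pairs."""
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    items, pos = [], 0
    while pos < len(value):
        t, v, pos = read_tlv(value, pos)
        items.append((t, v))
    return items

def decode_oid(value):
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_protocol(tag, value):
    parts = seq_items(tag, value)
    if [t for t, _ in parts] != [0x06, 0x04]:
        raise ValueError("Protocol must be OBJECT IDENTIFIER + OCTET STRING")
    return decode_oid(parts[0][1]), parts[1][1]

def parse_mngmt(tag, value):
    """GroupMngmtProtocol CHOICE: NULL gives None, anything else must be a Protocol."""
    return None if (tag, value) == (0x05, b"") else parse_protocol(tag, value)

def parse_registration(tag, value):
    pair = seq_items(tag, value)
    if len(pair) != 2:
        raise ValueError("Registration needs register and de-register")
    return tuple(parse_mngmt(*p) for p in pair)

def parse_token(der):
    tag, body, end = read_tlv(der)
    fields = seq_items(tag, body)
    if end != len(der) or len(fields) != 4:
        raise ValueError("expected exactly one four-field Token")
    info = seq_items(*fields[0])
    if [t for t, _ in info] not in ([0x02, 0x04], [0x02, 0x04, 0x02]) or info[0][1] != b"\x01":
        raise ValueError("malformed TokenID or tokenDefVersion is not 1")
    edition = int.from_bytes(info[2][1], "big", signed=True) if len(info) == 3 else None
    return {"groupName": info[1][1], "edition": edition,
            "registration": [parse_registration(*r) for r in seq_items(*fields[1])],
            "rekey": [parse_mngmt(*p) for p in seq_items(*fields[2])],
            "data": [parse_protocol(*p) for p in seq_items(*fields[3])]}

def choose(offered, known, permitted, allow_unknown=False):
    """Pick the highest-preference permitted entry; report OIDs this build does not know."""
    ids = ["none" if p is None else p[0] for p in offered]
    unknown = [i for i in ids if i != "none" and i not in known]
    chosen = next((i for i in ids if i in permitted), None)
    if chosen is None:
        return None, unknown, "nothing listed is supported: cannot join"
    if unknown and not allow_unknown:
        return None, unknown, "unknown protocol listed and local policy forbids joining"
    return chosen, unknown, "ok"

# Constructed sample token (short-form lengths only; protocolInfo left empty as a placeholder).
def tlv(tag, *parts):
    value = b"".join(parts)
    return bytes([tag, len(value)]) + value

def proto(oid_hex):
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)), tlv(0x04))

ARC = "2b060105050c"                      # 1.3.6.1.5.5.12
SAMPLE_TOKEN = tlv(0x30,
    tlv(0x30, tlv(0x02, b"\x01"), tlv(0x04, b"demo-group"), tlv(0x02, b"\x07")),
    tlv(0x30, tlv(0x30, proto(ARC + "0301"), proto(ARC + "0302"))),
    tlv(0x30, proto("883701"), proto(ARC + "0303"), tlv(0x05)),   # 2.999.1 is unknown
    tlv(0x30, proto(ARC + "0701")))
```

The chooser covers the registration and rekey rule (first listed entry that local policy permits); the data field differs, since every listed application must be supported.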

Protocols in addition to registration, rekey, and data SHOULD NOT be added to subsequent versions of this Token unless the MSEC architecture changes.

Each data field of the PT is specified further in the following sections.

3.1. Token Identifiers

tokenInfo explicitly identifies a version of the policy token for a particular group. It is defined as

     TokenID ::= SEQUENCE {
       tokenDefVersion INTEGER (1),
       groupName       OCTET STRING,
       edition         INTEGER OPTIONAL
     }
        

tokenDefVersion is the version of the Group Policy Token Specification. This specification (v1) is represented as one (1). Changes to the structure of the Group Security Policy Token will require an update to this field.

groupName is the identifier of the group and MUST be unique relative to the Group Owner.

edition is an optional INTEGER indicating the sequence number of the PT. If edition is present, group entities MUST accept a PT only when the value is greater than the last value seen in a valid PT for that group.
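
The edition rule above and the signer, signing-time and signature checks of Section 2, combined into one recipient-side acceptance routine as an added example that is not part of the RFC. `VerifiedToken` is a hypothetical record of what a CMS library returns after processing the SignedData; the class and field names, the key identifier and the group names are constructed, and keeping the last seen edition when a later token omits the field is a design choice of this example, not a rule stated in the specification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class VerifiedToken:
    """Assumed output of CMS SignedData processing for one policy token."""
    signer_id: bytes             # sid from the SignerInfo
    signature_valid: bool        # outcome of RFC 3852 signature validation
    signing_time: datetime       # signing-time signed attribute
    group_name: bytes            # TokenID.groupName
    edition: Optional[int] = None  # TokenID.edition, None when absent

class TokenAcceptor:
    """Tracks the last accepted token per group for one expected Group Owner."""

    def __init__(self, expected_owner: bytes):
        self.expected_owner = expected_owner
        # groupName is unique relative to the Group Owner, so it is a safe key here.
        self._seen = {}

    def check(self, tok: VerifiedToken):
        # Authenticate first: unauthenticated values must never move the state forward.
        if tok.signer_id != self.expected_owner:
            return False, "signer is not the expected Group Owner"
        if not tok.signature_valid:
            return False, "signature failed validation"
        prev_time, prev_edition = self._seen.get(tok.group_name, (None, None))
        # "More recent" is strict, so an exact replay of the last token is refused.
        if prev_time is not None and tok.signing_time <= prev_time:
            return False, "signing-time is not more recent than the last accepted token"
        if tok.edition is not None and prev_edition is not None and tok.edition <= prev_edition:
            return False, "edition is not greater than the last accepted edition"
        # Keep the highest edition seen even if this token omits the field, so an
        # edition-less token cannot be used to reset the counter (example's choice).
        edition = tok.edition if tok.edition is not None else prev_edition
        self._seen[tok.group_name] = (tok.signing_time, edition)
        return True, "accepted"

def demo():
    """Run a constructed sequence of tokens and return the accept/reject decisions."""
    owner = b"owner-key-id"   # constructed placeholder for the Group Owner's sid
    day = lambda d: datetime(2006, 6, d, tzinfo=timezone.utc)
    acceptor = TokenAcceptor(owner)
    sequence = [
        VerifiedToken(owner, True, day(1), b"g", 3),     # first token for group g
        VerifiedToken(owner, True, day(1), b"g", 3),     # exact replay
        VerifiedToken(owner, True, day(2), b"g", 3),     # newer time, same edition
        VerifiedToken(owner, False, day(3), b"g", 9),    # bad signature, state untouched
        VerifiedToken(owner, True, day(3), b"g", None),  # newer, edition omitted
        VerifiedToken(owner, True, day(4), b"g", 2),     # rollback below edition 3
        VerifiedToken(b"other", True, day(5), b"g", 10), # unexpected signer
        VerifiedToken(owner, True, day(5), b"g", 4),     # legitimate update
        VerifiedToken(owner, True, day(1), b"h", None),  # first token for group h
    ]
    return [acceptor.check(tok)[0] for tok in sequence]
```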

The type LifeDate is also defined to provide standard methods of indicating timestamps and intervals in the Tokens.

     LifeDate ::= CHOICE {
       gt       GeneralizedTime,
       utc      UTCTime,
       interval INTEGER
     }
        
3.2. Registration Policy

The registration security association (SA) is defined in the MSEC Architecture. During registration, a prospective group member and the group controller will interact to give the group member access to the keys and information it needs to join the group and participate in the group Data SA.

The de-registration piece allows a current group member to notify the Group Controller Key Server (GC/KS) that it will no longer be participating in the Data SA.

     Registration ::= SEQUENCE {
       register    GroupMngmtProtocol,
       de-register GroupMngmtProtocol
     }
        

The protocols for registration and de-registration are each specified as

     GroupMngmtProtocol ::= CHOICE {
       none      NULL,
       supported Protocol
     }
        
     Protocol ::= SEQUENCE {
       protocol      OBJECT IDENTIFIER,
       protocolInfo  OCTET STRING
     }
        

For example, register might be specified as the Group Secure Association Key Management Protocol (GSAKMP) [RFC4535] registration protocol. The OBJECT IDENTIFIER TBS would be followed by the parameters used in GSAKMP registration as specified in Appendix B.1.

3.3. Rekey Policy

The Rekey SA is defined in the MSEC Architecture. During the Rekey of a group, several changes can potentially be made:

- refresh/change group protection keys,

- update the policy token,

- change the group membership.

During Rekey, the membership of the group can be modified, the group traffic protection keys refreshed, and the Policy Token updated.

This field is also specified as a sequence of protocols that will be used by the GC/KS.

3.4. Group Data Policy

The Data SA is the ultimate consumer of the group keys. The data field will indicate the keys and mechanisms that are to be used in communications between group members. There are several protocols that could make use of group keys, ranging from simple security applications that only need a key for encryption and/or integrity protection to more complex configurable security protocols such as IPsec and Secure Real-time Transport Protocol (SRTP) [RFC3711]. The sequencing of the Data SA mechanisms is from "inside" to "outside". That is, the first Data SA defined in a policy token must act on the raw data. Any Data SA specified after that will be applied in turn.

     DataProtocol ::= Protocol
        
4. Security Considerations

This document specifies the structure for a group policy token. As such, the structure as received by a group entity must be verifiably authentic. This policy token uses CMS to apply authentication through digital signatures. The security of this scheme relies upon a secure CMS implementation, choice of signature mechanism of appropriate strength for the group using the policy token, and secure, sufficiently strong keys. Additionally, it relies upon knowledge of a well-known Group Owner as the root of policy enforcement.

Furthermore, while the Group Owner may list alternate mechanisms for various functions, the group is only as strong as the weakest accepted mechanisms. As such, the Group Owner is responsible for providing only acceptable security mechanisms.

5. IANA Considerations

The following object identifiers have been assigned:

- id-ct-msec-token OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.1.1

- id-securitySuiteOne OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.2.1

- id-GSAKMPv1RegistrationProtocol OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.3.1

- id-GSAKMPv1DeRegistrationProtocol OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.3.2

- id-GSAKMPv1Rekey OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.3.3

- id-rekeyNone OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.4.1

- id-rekeyMethodGSAKMPLKH OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.4.2

- id-reliabilityNone OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.5.1

- id-reliabilityResend OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.5.2

- id-reliabilityPost OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.5.3

- id-subGCKSSchemeNone OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.6.1

- id-subGCKSSchemeAutonomous OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.6.2

- id-genericDataSA OBJECT IDENTIFIER ::= 1.3.6.1.5.5.12.7.1

The Group Security Policy Token can be extended through specification. Extensions in the form of objects can be registered through IANA. Extensions requiring changes to the protocol structure will require an update to the tokenDefVersion field of the TokenID (see Section 3.1).

6. References

6.1. Normative References

[RFC4535] Harney, H., Meth, U., Colegrove, A., and G. Gross, "GSAKMP: Group Secure Association Key Management Protocol", RFC 4535, June 2006.

[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.

[X.208] Recommendation X.208, Specification of Abstract Syntax Notation One (ASN.1), 1988.

[X.660] Recommendation X.660, Information Technology ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER), 1997.

6.2. Informative References

[HCLM00] Harney, H., Colegrove, A., Lough, P., and U. Meth, "GSAKMP Token Specification", Work in Progress, February 2003.

[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, March 2004.

[RFC3740] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004.

[HCM01] H. Harney, A. Colegrove, P. McDaniel, "Principles of Policy in Secure Groups", Proceedings of Network and Distributed Systems Security 2001 Internet Society, San Diego, CA, February 2001.

[HHMCD01] Hardjono, T., Harney, H., McDaniel, P., Colegrove, A., and P. Dinsmore, "Group Security Policy Token: Definition and Payloads", Work in Progress, August 2003.

7. Acknowledgements

The following individuals deserve recognition and thanks for their contributions, which have greatly improved this specification: Uri Meth, whose knowledge of GSAKMP and tokens was greatly appreciated as well as his help in getting this document submitted; Peter Lough, Thomas Hardjono, Patrick McDaniel, and Pete Dinsmore for their work on earlier versions of policy tokens; George Gross for the impetus to have a well-specified, extensible policy token; and Rod Fleischer for catching implementation issues.

The following technical works influenced the design of the Group Security Policy Token: [HCLM00], [HCM01], and [HHMCD01].

Appendix A. Core Policy Token ASN.1 Module

   PolicyToken {1.3.6.1.5.5.12.0.1}

   DEFINITIONS IMPLICIT TAGS ::=

   BEGIN

   Token ::= SEQUENCE {
     tokenInfo    TokenID,
     registration SEQUENCE OF Registration,
     rekey        SEQUENCE OF GroupMngmtProtocol,
     data         SEQUENCE OF DataProtocol
   }

   ------------------------------------------------------------
   -- Token ID

   TokenID ::= SEQUENCE {
     tokenDefVersion INTEGER (1),     -- Group Security Policy Token v1
     groupName       OCTET STRING,
     edition         INTEGER OPTIONAL
   }

   LifeDate ::= CHOICE {
     gt       GeneralizedTime,
     utc      UTCTime,
     interval INTEGER
   }

   ------------------------------------------------------------
   -- Registration

   Registration ::= SEQUENCE {
     register    GroupMngmtProtocol,
     de-register GroupMngmtProtocol
   }

   ------------------------------------------------------------
   -- GroupMngmtProtocol

   GroupMngmtProtocol ::= CHOICE {
     none      NULL,
     supported Protocol
   }

   Protocol ::= SEQUENCE {
     protocol     OBJECT IDENTIFIER,
     protocolInfo OCTET STRING
   }

   ------------------------------------------------------------
   -- DataProtocol

   DataProtocol ::= Protocol

   ------------------------------------------------------------

   END

Appendix B. GSAKMPv1 Base Policy

This appendix provides the data structures needed when GSAKMP exchanges are used as the GroupMngmtProtocol for the registration, de-registration, and/or Rekey SAs. This GSAKMP Base Policy specification assumes familiarity with GSAKMP.

B.1. GSAKMPv1 Registration Policy

When GSAKMP is used in the Group Management Protocol for registration, the following object identifier is used in the core token.

     id-GSAKMPv1RegistrationProtocol
                        OBJECT IDENTIFIER::= {1.3.6.1.5.5.12.3.1}
        

The registration policy for GSAKMP provides 1) information on authorizations for group roles, 2) access control information for group members, 3) the mechanisms used in the registration process, and 4) information on what transport the GSAKMP registration exchange will use.

     GSAKMPv1RegistrationInfo ::= SEQUENCE {
       joinAuthorization JoinAuthorization,
       joinAccessControl SEQUENCE OF AccessControl,
       joinMechanisms    JoinMechanisms,
       transport         Transport
     }
        
B.1.1. Authorization

joinAuthorization provides information on who is allowed to be a Group Controller Key Server (GC/KS) and a sub-GC/KS. It also can indicate if there are limitations on who can send data in a group.

     JoinAuthorization ::= SEQUENCE {
       gCKS    GCKSName,
       subGCKS SEQUENCE OF GCKSName OPTIONAL,
       senders SenderAuthorization
     }
        

The authorization information is in the form of an access control list indicating entity name and acceptable certification authority information for the entity's certificate.

     GCKSName ::= SEQUENCE OF UserCAPair
        
     UserCAPair ::= SEQUENCE {
       groupEntity  GSAKMPID,
       cA           CertAuth
     }
        

groupEntity is defined by type and value. The types are indicated by integers that correspond to the GSAKMP Identification types. When a portion of a defined name type is filled with an "*", this indicates a wildcard, representing any valid choice for a field. This allows the specification of an authorization rule that is a set of related names.

     GSAKMPID ::= SEQUENCE {
       typeValue  INTEGER,
       typeData   OCTET STRING
     }
        

The certificate authority is identified by the X.509 [RFC3280] key identifier.

     CertAuth ::= KeyIdentifier
        

Senders within a group either can be all (indicating no sender restrictions) or can be an explicit list of those members authorized to send data.

     SenderAuthorization ::= CHOICE {
       all     [0] NULL,
       limited [1] EXPLICIT SEQUENCE OF UserCAPair
     }
        
B.1.2. AccessControl

joinAccessControl provides information on who is allowed to be a Group Member. The access control list is implemented as a set of permissions that the member must satisfy and a list of name rules and the certificate authority that each must satisfy. Additionally, a list of exclusions to the list may be provided.

     AccessControl ::= SEQUENCE {
       permissions    [1] EXPLICIT SEQUENCE OF Permission OPTIONAL,
       accessRule     [2] EXPLICIT SEQUENCE OF UserCAPair,
       exclusionsRule [3] EXPLICIT SEQUENCE OF UserCAPair OPTIONAL
     }
        

The permissions initially available are an abstract set of numeric levels that may be interpreted internal to a community.

     Permission ::= CHOICE {
       simplePermission [1] SimplePermission
     }
        
     SimplePermission ::= ENUMERATED {
       one(1),
       two(2),
       three(3),
       four(4),
       five(5),
       six(6),
       seven(7),
       eight(8),
       nine(9)
     }
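
One way a GC/KS could evaluate joinAccessControl (B.1.2) using the UserCAPair wildcard and CertAuth rules from B.1.1, as an added example that is not part of this specification or of any GSAKMP implementation. It assumes that typeData decodes to a "/"-separated name whose components may each be "*", that the candidate's permission levels are known to the GC/KS, and that matching any one AccessControl entry admits the candidate; the type value, names and key identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class UserCAPair:
    type_value: int   # GSAKMPID.typeValue (GSAKMP Identification type)
    type_data: str    # GSAKMPID.typeData decoded to text (assumed format)
    ca_key_id: bytes  # CertAuth: X.509 KeyIdentifier of the acceptable CA


@dataclass(frozen=True)
class AccessControl:
    access_rule: List[UserCAPair]
    permissions: Optional[FrozenSet[int]] = None  # absent: no requirement
    exclusions_rule: List[UserCAPair] = field(default_factory=list)


@dataclass(frozen=True)
class Candidate:
    type_value: int
    name: str
    issuer_key_id: bytes         # key identifier of the CA that certified it
    permissions: FrozenSet[int]  # SimplePermission levels held (assumption)


def name_matches(pattern: str, name: str) -> bool:
    """Component-wise match; a "*" component accepts any one component."""
    p_parts, n_parts = pattern.split("/"), name.split("/")
    if len(p_parts) != len(n_parts):
        return False  # a wildcard never absorbs extra components
    return all(p == "*" or p == n for p, n in zip(p_parts, n_parts))


def pair_matches(rule: UserCAPair, cand: Candidate) -> bool:
    """Name type, name pattern and certifying CA must all agree."""
    return (rule.type_value == cand.type_value
            and rule.ca_key_id == cand.issuer_key_id
            and name_matches(rule.type_data, cand.name))


def entry_admits(entry: AccessControl, cand: Candidate) -> bool:
    if entry.permissions is not None:
        if any(not 1 <= p <= 9 for p in entry.permissions):
            raise ValueError("SimplePermission must be in 1..9")
        if not entry.permissions <= cand.permissions:
            return False  # candidate lacks a required permission
    # Exclusions are checked first so they override a wildcard access rule.
    if any(pair_matches(r, cand) for r in entry.exclusions_rule):
        return False
    return any(pair_matches(r, cand) for r in entry.access_rule)


def may_join(join_access_control: List[AccessControl],
             cand: Candidate) -> bool:
    """Fail closed: an empty list or no matching entry denies the join."""
    return any(entry_admits(e, cand) for e in join_access_control)


# Constructed sample data (placeholders, not values from any specification).
ID_TYPE = 1
CA_A = bytes.fromhex("aa" * 20)
CA_B = bytes.fromhex("bb" * 20)
POLICY = [AccessControl(
    permissions=frozenset({3}),
    access_rule=[UserCAPair(ID_TYPE, "example/eng/*", CA_A)],
    exclusions_rule=[UserCAPair(ID_TYPE, "example/eng/bob", CA_A)],
)]

if __name__ == "__main__":
    for who, ca in (("example/eng/alice", CA_A), ("example/eng/bob", CA_A),
                    ("example/eng/alice", CA_B)):
        cand = Candidate(ID_TYPE, who, ca, frozenset({3, 5}))
        print(who, ca.hex()[:4], may_join(POLICY, cand))
```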
        
B.1.3. JoinMechanisms

Allowable GSAKMP mechanism choices for a particular group are specified in joinMechanisms. Any set of JoinMechanism is acceptable from a policy perspective.

     JoinMechanisms ::=  SEQUENCE OF JoinMechanism
        

Each set of mechanisms used in the GSAKMP Registration may be specified either as an explicitly defined set or as a pre-defined security suite.

     JoinMechanism ::= CHOICE {
       alaCarte [0] Mechanisms,
       suite    [1] SecuritySuite
     }
        
B.1.3.1. alaCarte

In an explicitly defined -- or alaCarte -- set, a mechanism is defined for the signature, the key exchange algorithm, the key wrapping algorithm, the type of acknowledgement data, and configuration data for the setting of timeouts.

     Mechanisms ::=  SEQUENCE {
       signatureDef   SigDef,
       kEAlg          KEAlg,
       keyWrap        KeyWrap,
       ackData        AckData,
       opInfo         OpInfo
     }
        

The signature definition requires specification of the signature algorithm for message signing. The INTEGER that defines the choice corresponds to the GSAKMP Signature type.

   SigDef ::= SEQUENCE {
     sigAlgorithmID  INTEGER,
     hashAlgorithmID INTEGER
   }
        

The INTEGER corresponding to hashAlgorithm will map to the GSAKMP Nonce Hash type values. This algorithm is used in computing the combined nonce.

The key exchange algorithm requires an integer to define the GSAKMP key creation type and may require additional per type data.

     KEAlg ::= SEQUENCE {
       keyExchangeAlgorithmID   INTEGER,
       keyExchangeAlgorithmData OCTET STRING OPTIONAL
     }
        

The keyWrap is the algorithm that is used to wrap the group key(s) and the policy token (if included). The integer corresponds to the GSAKMP encryption type.

     KeyWrap ::= INTEGER
        

Data may potentially be returned in a GSAKMP Key Download ACK/Failure message. The type of data required by a group is specified by AckData. No such field is currently supported or required.

     AckData ::= CHOICE {
       none [0] NULL
     }
        

OpInfo provides configuration data for the operation of GSAKMP registration. timeOut indicates the elapsed amount of time before a sent message is considered to be misrouted or lost. It is specified as the timestamp type LifeDate, previously defined in the core token. terse informs a GC/KS whether the group should be operated in terse (TRUE) or verbose (FALSE) mode. The optional timestamp field indicates whether a timestamp (TRUE) or a nonce (FALSE) is used for anti-replay protection. If the field is absent, the use of nonces is the default mode for GSAKMP registration.

   OpInfo ::= SEQUENCE {
     timeOut  LifeDate,
     terse    BOOLEAN,
     timestamp BOOLEAN OPTIONAL
   }
        
B.1.3.2. suite

If the choice of mechanism for the join is a predefined security suite, then it is identified by OBJECT IDENTIFIER (OID). Other security suites may be defined elsewhere by specification and registration of an OID.

     SecuritySuite ::= OBJECT IDENTIFIER
        

The OID for security suite 1, as defined within the GSAKMPv1 specification, is

     id-securitySuiteOne  OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.2.1}
        
B.1.4. Transport

transport indicates what protocol GSAKMP should ride over. The choice of udpRTJtcpOther indicates that the GSAKMP Request to Join message is carried by UDP and all other group establishment messages are carried by TCP.

     Transport ::= CHOICE {
       tcp             [0] NULL,
       udp             [1] NULL,
       udpRTJtcpOther  [2] NULL
     }
        
B.2. GSAKMPv1 Registration ASN.1 Module

GSAKMPv1RegistrationSA {1.3.6.1.5.5.12.0.2}

   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

     EXPORTS GCKSName;

     IMPORTS
       LifeDate
         FROM PolicyToken {1.3.6.1.5.5.12.0.1}
       KeyIdentifier
         FROM PKIX1Implicit88 { iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7)
           id-mod(0) id-pkix1-implicit(19) };
        
   id-GSAKMPv1RegistrationProtocol
                      OBJECT IDENTIFIER::= {1.3.6.1.5.5.12.7}
        
   GSAKMPv1RegistrationInfo ::= SEQUENCE {
     joinAuthorization JoinAuthorization,
     joinAccessControl SEQUENCE OF AccessControl,
     joinMechanisms    JoinMechanisms,
     transport         Transport
   }
        
   JoinAuthorization ::= SEQUENCE {
     gCKS    GCKSName,
     subGCKS SEQUENCE OF GCKSName OPTIONAL,
     senders SenderAuthorization
   }
        
   GCKSName ::= SEQUENCE OF UserCAPair
        
   UserCAPair ::= SEQUENCE {
     groupEntity GSAKMPID,
     cA          CertAuth
   }
        
   CertAuth ::= KeyIdentifier
        
   SenderAuthorization ::= CHOICE {
     all     [0] NULL,
     limited [1] EXPLICIT SEQUENCE OF UserCAPair
   }
        
   AccessControl ::= SEQUENCE {
     permissions    [1] EXPLICIT SEQUENCE OF Permission OPTIONAL,
     accessRule     [2] EXPLICIT SEQUENCE OF UserCAPair,
     exclusionsRule [3] EXPLICIT SEQUENCE OF UserCAPair OPTIONAL
   }
        
   Permission ::= CHOICE {
     simplePermission [1] SimplePermission
   }
        
   SimplePermission ::= ENUMERATED {
     one(1),
     two(2),
     three(3),
     four(4),
     five(5),
     six(6),
     seven(7),
     eight(8),
     nine(9)
   }
        
   GSAKMPID ::= SEQUENCE {
     typeValue INTEGER,
     typeData  OCTET STRING
   }
        
   JoinMechanisms ::=  SEQUENCE OF JoinMechanism
        
   JoinMechanism ::= CHOICE {
     alaCarte [0] Mechanisms,
     suite    [1] SecuritySuite
   }
        
   Mechanisms ::=  SEQUENCE {
     signatureDef SigDef,
     kEAlg        KEAlg,
     keyWrap      KeyWrap,
     ackData      AckData,
     opInfo       OpInfo
   }
        
   SecuritySuite ::= OBJECT IDENTIFIER
        
   -- SECURITY SUITE ONE --
   id-securitySuiteOne OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.2.1}
        
   SigDef ::= SEQUENCE {
     sigAlgorithmID  INTEGER,
     hashAlgorithmID INTEGER
   }
        
   KEAlg ::= SEQUENCE {
     keyExchangeAlgorithmID   INTEGER,
     keyExchangeAlgorithmData OCTET STRING OPTIONAL
   }
        
   KeyWrap ::= INTEGER
        
   AckData ::= CHOICE {
     none [0] NULL
   }
        
   OpInfo ::= SEQUENCE {
     timeOut   LifeDate,
     terse     BOOLEAN,
     timestamp BOOLEAN OPTIONAL
   }
        
   Transport ::= CHOICE {
     tcp            [0] NULL,
     udp            [1] NULL,
     udpRTJtcpOther [2] NULL
   }
        

END

B.3. GSAKMPv1 De-Registration Policy

GSAKMP de-registration provides a method to notify a (S-)GC/KS that a member needs to leave a group. When GSAKMP is the de-registration Protocol for the Group, the following object identifier is used in the core token.

   id-GSAKMPv1DeRegistrationProtocol    OBJECT IDENTIFIER::=
   {1.3.6.1.5.5.12.3.2}
        

The de-registration policy provides the mechanisms needed for the de-registration exchange messages, an indication of whether the exchange is to be done using terse (TRUE) or verbose (FALSE) mode, and the transport used for the GSAKMP de-registration messages.

     GSAKMPv1DeRegistrationInfo ::= SEQUENCE {
       leaveMechanisms  SEQUENCE OF LeaveMechanisms,
       terse            BOOLEAN,
       transport        Transport
     }
        

The policy dictating the mechanisms needed for the de-registration exchange is defined by leaveMechanisms. This field is specified as

     LeaveMechanisms ::= SEQUENCE {
       sigAlgorithm   INTEGER,
       hashAlgorithm  INTEGER,
       cA             KeyIdentifier
     }
        

The INTEGER corresponding to sigAlgorithm will map to the GSAKMP Signature type values. This algorithm set is to be used for message signing.

The INTEGER corresponding to hashAlgorithm will map to the GSAKMP Nonce Hash type values. This algorithm is used in computing the combined nonce.

cA represents a trust point off of which the signer's certificate must certify. It is identified by the Public Key Infrastructure for X.509 Certificates (PKIX) KeyIdentifier [RFC3280] type.

transport will provide the expected transport for GSAKMP de-registration messages. Initially, either UDP or TCP will be the policy for a group.

     Transport ::= CHOICE {
       tcp [0] NULL,
       udp [1] NULL
     }
        
B.4. GSAKMPv1 De-Registration ASN.1 Module

GSAKMPv1DeRegistrationSA {1.3.6.1.5.5.12.0.3}

   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

     IMPORTS
       KeyIdentifier
         FROM PKIX1Implicit88 { iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7)
           id-mod(0) id-pkix1-implicit(19) };
        
   id-GSAKMPv1DeRegistrationProtocol
                   OBJECT IDENTIFIER::= {1.3.6.1.5.5.12.3.2}
        
   GSAKMPv1DeRegistrationInfo ::= SEQUENCE {
     leaveMechanisms SEQUENCE OF LeaveMechanisms,
     transport       Transport
   }
        
   LeaveMechanisms ::= SEQUENCE {
     sigAlgorithm  INTEGER,
     hashAlgorithm INTEGER,
     cA            KeyIdentifier
   }
        
   Transport ::= CHOICE {
     tcp [0] NULL,
     udp [1] NULL
   }
        

END

B.5. GSAKMPv1 Rekey Policy

When GSAKMP is used as the Rekey Protocol for the Group, the following object identifier should be used in the core token as the rekey protocol:

   id-GSAKMPv1Rekey     OBJECT IDENTIFIER::= {1.3.6.1.5.5.12.0.4}
        

The GSAKMP rekey policy provides authorization information, mechanisms for the GSAKMP rekey messages, indicators defining rekey event definitions that define when the GC/KS should send a rekey message, the protocol or method the rekey event will use, the rekey interval that will allow a member to recognize a failure in the rekey process, a reliability indicator that defines the method the rekey will use to increase the likelihood of a rekey delivery (if any), and finally an indication of how subordinate-GC/KSes will handle rekey. This policy also describes the specific rekey policy methods "None" and "GSAKMP LKH REKEY".

     GSAKMPv1RekeyInfo ::= SEQUENCE {
       authorization  RekeyAuthorization,
       mechanism      RekeyMechanisms,
       rekeyEventDef  RekeyEventDef,
       rekeyMethod    RekeyMethod,
       rekeyInterval  LifeDate,
       reliability    Reliability,
       subGCKSInfo    SubGCKSInfo
     }
        
B.5.1. Rekey Authorization
      RekeyAuthorization ::= GCKSName
        
B.5.2. Rekey Mechanisms

The policy dictating the mechanisms needed for rekey message processing is defined by RekeyMechanisms. This field is specified as

     RekeyMechanisms ::= SEQUENCE {
       sigAlgorithm   INTEGER,
       hashAlgorithm  INTEGER
     }
        

The INTEGER corresponding to sigAlgorithm will map to the GSAKMP Signature type values. This algorithm set is to be used for message signing.

The INTEGER corresponding to hashAlgorithm will map to the GSAKMP Nonce Hash type values. This algorithm is used in computing the combined nonce.

B.5.3. Rekey Event Definition

Rekey Event Definition provides information to the GC/KS about the system requirements for sending rekey messages. This allows definition of the rekey event in time as well as event-driven characteristics (a number of de-registration notifications as an example), or a combination of the two (e.g., after x de-registrations or 24 hours, whichever comes first).

     RekeyEventDef ::= CHOICE {
       none         [0]  NULL,     -- never rekey
       timeOnly     [1]  LifeDate, -- rekey every x units
       event        [2]  INTEGER,  -- rekey after x events
       timeAndEvent [3]  TimeAndEvent
     }
        

The LifeDate specifies the maximum time a group should exist between rekeys. This does not require clock synchronization as this is used with respect to a local clock (a GC/KS clock for sending rekey messages or a member clock for determining whether a message has been missed).

The INTEGER corresponding to the event is an indicator of the number of events a group should sustain before a rekey message is sent. This defines the events between rekeys. An example of a relevant event is de-registration notifications.

The TimeAndEvent is defined as a couple of the LifeDate and Integer policies.

     TimeAndEvent ::= SEQUENCE {
       time   LifeDate, -- rekey after x units of time OR
       event  INTEGER   -- x events occur
     }
        
B.5.4. Rekey Methods

The rekey method defines the policy of how the rekey is to be accomplished. This field is specified as

     RekeyMethod ::= SEQUENCE {
       rekeyMethodType  OBJECT IDENTIFIER,
       rekeyMethodInfo  OCTET STRING
     }
        

The rekeyMethodType will define the rekey method to be used by the group.

The rekeyMethodInfo will supply the GMs with the information they need to operate in the correct rekey mode.

B.5.4.1. Rekey Method NONE

A group defined to work without a rekey protocol supporting it is supported by the rekeyMethodType NONE. There is no RekeyMethodNoneInfo associated with this option.

     id-rekeyNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.4.1}
        
     RekeyMethodNoneInfo ::= NULL
        
B.5.4.2. Rekey Method GSAKMP LKH

The GSAKMP protocol specification defined an interpretation of the Logical Key Hierarchy (LKH) protocol as a rekey method. This method is supported by the following values.

     id-rekeyMethodGSAKMPLKH OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.4.2}
        
     RekeyMethodGSAKMPLKHInfo ::= INTEGER
        

The GSAKMP LKH method requires a gsakmp type value for identifying the cryptographic algorithm used to wrap the keys. This value maps to the GSAKMP encryption type.

B.5.5. Rekey Interval

Rekey interval defines the maximum delay the GM should see between valid rekeys. This provides a means to ensure the GM is synchronized, from a key management perspective, with the rest of the group. It is defined as a time/date stamp.
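
The rekey triggers of B.5.3 and the member-side rekeyInterval check of B.5.5, worked through on a constructed timeline as an added example (not part of this specification). It assumes LifeDate has already been reduced to a number of seconds measured on the local clock; the names RekeyEventDef (as a Python class), rekey_schedule and member_missed_rekey are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RekeyEventDef:
    """Decoded RekeyEventDef CHOICE.

    none         -> time_s=None, events=None  (never rekey)
    timeOnly     -> time_s set                (rekey every x units)
    event        -> events set                (rekey after x events)
    timeAndEvent -> both set                  (whichever comes first)
    """
    time_s: Optional[float] = None  # LifeDate as seconds (assumption)
    events: Optional[int] = None    # e.g. de-registration notifications

    def __post_init__(self):
        if self.time_s is not None and self.time_s <= 0:
            raise ValueError("rekey time must be positive")
        if self.events is not None and self.events < 1:
            raise ValueError("rekey event count must be at least 1")


def rekey_schedule(policy: RekeyEventDef, event_times: Iterable[float],
                   horizon: float) -> List[Tuple[float, str]]:
    """Return (time, cause) for each rekey the GC/KS sends up to `horizon`.

    Times are seconds on the GC/KS local clock, starting at 0 when the
    current group key was issued. Each rekey restarts both the timer and
    the event counter.
    """
    sent: List[Tuple[float, str]] = []
    last_rekey, count = 0.0, 0

    def fire_timers(until: float) -> None:
        nonlocal last_rekey, count
        while (policy.time_s is not None
               and last_rekey + policy.time_s <= until):
            last_rekey += policy.time_s
            count = 0
            sent.append((last_rekey, "time"))

    for t in sorted(event_times):
        if t > horizon:
            break
        fire_timers(t)                  # the timer may expire before the event
        count += 1
        if policy.events is not None and count >= policy.events:
            last_rekey, count = t, 0
            sent.append((t, "event"))
    fire_timers(horizon)
    return sent


def member_missed_rekey(last_valid_rekey: float, now: float,
                        rekey_interval_s: float) -> bool:
    """Member-side check against rekeyInterval, on the member's own clock.

    True means the maximum delay between valid rekeys has been exceeded,
    so the member is no longer synchronized with the group's keys.
    """
    return (now - last_valid_rekey) > rekey_interval_s


# Constructed timeline: "after 3 de-registrations or 24 hours".
POLICY_24H_OR_3 = RekeyEventDef(time_s=24 * 3600, events=3)
DEREG_TIMES = [3600, 7200, 90000, 93600, 97200]

if __name__ == "__main__":
    for when, cause in rekey_schedule(POLICY_24H_OR_3, DEREG_TIMES, 200000):
        print(f"rekey at t={when:>8.0f}s caused by {cause}")
```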

B.5.6. Rekey Reliability

The rekey message in the GSAKMP protocol is a single push message. There are reliability concerns with such non-acknowledged messages (i.e., message exchange). The Reliability policy defines the mechanism used to deal with these concerns.

     Reliability ::= SEQUENCE {
       reliabilityMechanism   OBJECT IDENTIFIER,
       reliabilityMechContent OCTET STRING
     }
        

The reliability mechanism is defined by an OBJECT IDENTIFIER and the information needed to operate that mechanism is defined as reliabilityMechContent and is an OCTET STRING (as before).

B.5.6.1. Rekey Reliability Mechanism None

In networks with adequate reliability, it may not be necessary to use a mechanism to improve reliability of the rekey message. For these networks the ReliabilityMechanism NONE is appropriate.

     id-reliabilityNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.1}
        
     ReliabilityContentNone ::= NULL
        
B.5.6.2. Rekey Reliability Mechanism Resend

In networks with unknown or questionable reliability, it may be necessary to use a mechanism to improve reliability of the Rekey Message. For these networks, the ReliabilityMechanism RESEND is potentially appropriate. This mechanism has the GC/KS repeatedly sending out the same message.

     id-reliabilityResend OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.2}
        
     ReliabilityResendInfo ::= INTEGER
        

The INTEGER value in the ReliabilityResendInfo indicates the number of times the message should be resent.

B.5.6.3. Rekey Reliability Mechanism Post

Another reliability mechanism is to post the rekey message on some service that will make it generally available. This is the reliabilityPost method.

     id-reliabilityPost OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.3}
        
     ReliabilityContentPost ::= IA5String
        

The IA5String associated with ReliabilityPost is the identifier of the posting site and rekey message.

B.5.7. Distributed Operation Policy

The policy dictating the relationships between GC/KS and S-GC/KS for distributed operations is defined as SubGCKSInfo. It is defined as a couple of a subGCKSScheme and some information relating to that Scheme in sGCKSContent.

     SubGCKSInfo ::= SEQUENCE {
       subGCKSScheme OBJECT IDENTIFIER,
       sGCKSContent  OCTET STRING
     }
        
B.5.7.1. No Distributed Operation

If the group is not to use S-GC/KS, then that Scheme would be SGCKSSchemeNone.

     id-subGCKSSchemeNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.6.1}
        
     SGCKSNoneContent ::= NULL
        
B.5.7.2. Autonomous Distributed Mode

If the group is to use S-GC/KS as defined in the GSAKMP specification as Autonomous mode, then that scheme would be SGCKSAutonomous.

     id-subGCKSSchemeAutonomous
                          OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.6.2}
        
     SGCKSAutonomous ::= SEQUENCE {
       authSubs  GCKSName,
       domain    OCTET STRING OPTIONAL
     }
        

The policy information needed for autonomous mode is a list of authorized S-GC/KSes and restrictions on who they may serve. The domain field representing these restrictions is NULL for this version.

B.6. GSAKMPv1 Rekey Policy ASN.1 Module

GSAKMPv1RekeySA {1.3.6.1.5.5.12.0.4}

   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

     IMPORTS
       GCKSName
         FROM GSAKMPv1RegistrationSA  {1.3.6.1.5.5.12.0.2}
       LifeDate
         FROM PolicyToken  {1.3.6.1.5.5.12.0.1};
        
   id-GSAKMPv1Rekey OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.0.4}
        
   GSAKMPv1RekeyInfo ::= SEQUENCE {
     authorization RekeyAuthorization,
     mechanism     RekeyMechanisms,
     rekeyEventDef RekeyEventDef, -- tells the GCKS when to rekey
     rekeyMethod   RekeyMethod,
     rekeyInterval LifeDate,      -- member knows when to rejoin
     reliability   Reliability,   -- what mech will be used to
                                  --   increase the likelihood
                                  --   of rekey delivery
     subGCKSInfo   SubGCKSInfo    -- what subordinate GCKS needs
   }
        
   RekeyAuthorization ::= GCKSName
        
   RekeyMechanisms ::= SEQUENCE {
     sigAlgorithm  INTEGER,
     hashAlgorithm INTEGER
   }
        
   RekeyEventDef ::= CHOICE {
     none         [0] NULL,              -- never rekey
     timeOnly     [1] EXPLICIT LifeDate, -- rekey every x units
     event        [2] INTEGER,           -- rekey after x events
     timeAndEvent [3] TimeAndEvent
   }
        
   TimeAndEvent ::= SEQUENCE {
     time  LifeDate, -- rekey after x units of time OR
     event INTEGER   -- x events occur
   }
        
   RekeyMethod ::= SEQUENCE {
     rekeyMethodType OBJECT IDENTIFIER,
     rekeyMethodInfo OCTET STRING
   }
        

-- REKEY METHOD NONE --

   id-rekeyNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.4.1}
        
   RekeyMethodNoneInfo ::= NULL
        

-- REKEY METHOD GSAKMP LKH --

   id-rekeyMethodGSAKMPLKH OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.4.2}
        
   RekeyMethodGSAKMPLKHInfo ::= INTEGER -- gsakmp type value for
                                        --   wrapping mechanism
        
   Reliability ::= SEQUENCE {
     reliabilityMechanism   OBJECT IDENTIFIER,
     reliabilityMechContent OCTET STRING
   }
        

-- RELIABILITY MECHANISM NONE --

   id-reliabilityNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.1}
        
   ReliabilityContentNone ::= NULL
        

-- RELIABILITY MECHANISM RESEND --

   id-reliabilityResend OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.2}
        
   ReliabilityResendInfo ::= INTEGER -- # of times rekey message should
                                     --   be resent
        

-- RELIABILITY MECHANISM POST --

   id-reliabilityPost OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.5.3}
        
   ReliabilityContentPost ::= IA5String
        
   SubGCKSInfo ::= SEQUENCE {
     subGCKSScheme OBJECT IDENTIFIER,
     sGCKSContent  OCTET STRING
   }
        
   id-subGCKSSchemeNone OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.6.1}
        
   SGCKSNoneContent ::= NULL
        
   id-subGCKSSchemeAutonomous OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.6.2}
        
   SGCKSAutonomous ::= SEQUENCE {
     authSubs GCKSName,
     domain   OCTET STRING OPTIONAL
   }
        

END

Appendix C. Data SA Policy

The Data SA provides the data structures needed for the protection of the data exchanged between group members. This appendix defines the data structures needed for a simple, generic security application making use of fixed security mechanisms. Such a Data SA requires only that keys delivered by the registration and rekey protocols be mapped to the service using them.

C.1. Generic Data Policy

The Generic Data Policy has the following identifier:

     id-genericDataSA OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.7.1}
        

If an authentication mechanism is used within the security application, the key identifier (kMKeyID) used in the key management protocol is given, as well as an optional key expiration date. Likewise, if an encryption mechanism is used within the security application, the encryption key identifier is given, as well as an optional key expiration date (keyExpirationDate).

     GenericDataSAInfo ::= SEQUENCE {
       authentication [0] EXPLICIT KeyInfo OPTIONAL,
       encryption     [1] EXPLICIT KeyInfo OPTIONAL
     }
        
     KeyInfo ::= SEQUENCE{
       kMKeyID           OCTET STRING,
       keyExpirationDate LifeDate OPTIONAL
     }
        
C.2. Generic Data Policy ASN.1 Module

GenericDataSA {1.3.6.1.5.5.12.0.5}

   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

   -- DATA APPLICATION:  Generic
   -- This token specification is for data applications with
   -- fixed security mechanisms.  Such data applications only
   -- need a mapping of management protocol key identification
   -- tags to security service.
        

     IMPORTS
       LifeDate
         FROM PolicyToken {1.3.6.1.5.5.12.0.1}
       KeyIdentifier
         FROM PKIX1Implicit88 { iso(1) identified-organization(3)
           dod(6) internet(1) security(5) mechanisms(5) pkix(7)
           id-mod(0) id-pkix1-implicit(19) };
        
   id-genericDataSA OBJECT IDENTIFIER ::= {1.3.6.1.5.5.12.7.1}
        
   GenericDataSAInfo ::= SEQUENCE {
     authentication [0] EXPLICIT KeyInfo OPTIONAL,
     encryption     [1] EXPLICIT KeyInfo OPTIONAL
   }
        
   KeyInfo ::= SEQUENCE{
     kMKeyID           OCTET STRING,
     keyExpirationDate LifeDate OPTIONAL
   }
        

END

Authors' Addresses

Andrea Colegrove
SPARTA, Inc.
7110 Samuel Morse Drive
Columbia, MD 21046

Phone: (443) 430-8014
Fax: (443) 430-8163
EMail: acc@sparta.com

Hugh Harney
SPARTA, Inc.
7110 Samuel Morse Drive
Columbia, MD 21046

Phone: (443) 430-8032
Fax: (443) 430-8181
EMail: hh@sparta.com

Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
