Independent Submission P. Timmel Request for Comments: 7906 National Security Agency Category: Informational R. Housley ISSN: 2070-1721 Vigil Security S. Turner IECA June 2016
Independent Submission P. Timmel Request for Comments: 7906 National Security Agency Category: Informational R. Housley ISSN: 2070-1721 Vigil Security S. Turner IECA June 2016
NSA's Cryptographic Message Syntax (CMS) Key Management Attributes
NSA的加密消息语法(CMS)密钥管理属性
Abstract
摘要
This document defines key management attributes used by the National Security Agency (NSA). The attributes can appear in asymmetric and/or symmetric key packages as well as the Cryptographic Message Syntax (CMS) content types that subsequently envelope the key packages. Key packages described in RFCs 5958 and 6031 are examples of where these attributes can be used.
本文件定义了国家安全局(NSA)使用的关键管理属性。这些属性可以出现在非对称和/或对称密钥包以及随后封装密钥包的加密消息语法(CMS)内容类型中。RFCs 5958和6031中描述的关键包是可以使用这些属性的示例。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7906.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7906.
Copyright Notice
版权公告
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................3 1.1. Attribute Locations ........................................3 1.2. ASN.1 Notation .............................................4 1.3. Terminology ................................................5 2. CMS-Defined Attributes ..........................................6 3. Community Identifiers ...........................................7 4. Key Province Attribute ..........................................8 5. Binary Signing Time .............................................8 6. Manifest ........................................................9 7. Key Algorithm ...................................................9 8. User Certificate ...............................................11 9. Key Package Receivers ..........................................11 10. TSEC Nomenclature .............................................13 11. Key Purpose ...................................................16 12. Key Use .......................................................17 13. Transport Key .................................................20 14. Key Distribution Period .......................................20 15. Key Validity Period ...........................................22 16. Key Duration ..................................................23 17. Classification ................................................24 17.1. Security Label ...........................................25 18. Split Key Identifier ..........................................29 19. Key Package Type ..............................................30 20. Signature Usage ...............................................30 21. Other Certificate Format ......................................33 22. PKI Path ......................................................34 23. Useful Certificates ...........................................35 24. Key Wrap Algorithm ............................................35 25. Content Decryption Key Identifier .............................36 25.1. Content Decryption Key Identifier: Symmetric Key and Symmetric ............................................36 25.2. Content Decryption Key Identifier: Unprotected ...........37 26. Certificate Pointers ..........................................37 27. CRL Pointers ..................................................38 28. Key Package Identifier and Receipt Request ....................38 29. Additional Error Codes ........................................39 30. Processing Key Package Attribute Values and CMS Content Constraints ...........................................39 31. Attribute Scope ...............................................41 32. Security Considerations .......................................48 33. References ....................................................48 33.1. Normative References .....................................48 33.2. Informative References ...................................51 Appendix A. ASN.1 Module ..........................................52 Authors' Addresses ................................................68
1. Introduction ....................................................3 1.1. Attribute Locations ........................................3 1.2. ASN.1 Notation .............................................4 1.3. Terminology ................................................5 2. CMS-Defined Attributes ..........................................6 3. Community Identifiers ...........................................7 4. Key Province Attribute ..........................................8 5. Binary Signing Time .............................................8 6. Manifest ........................................................9 7. Key Algorithm ...................................................9 8. User Certificate ...............................................11 9. Key Package Receivers ..........................................11 10. TSEC Nomenclature .............................................13 11. Key Purpose ...................................................16 12. Key Use .......................................................17 13. Transport Key .................................................20 14. Key Distribution Period .......................................20 15. Key Validity Period ...........................................22 16. Key Duration ..................................................23 17. Classification ................................................24 17.1. Security Label ...........................................25 18. Split Key Identifier ..........................................29 19. Key Package Type ..............................................30 20. Signature Usage ...............................................30 21. Other Certificate Format ......................................33 22. PKI Path ......................................................34 23. Useful Certificates ...........................................35 24. Key Wrap Algorithm ............................................35 25. Content Decryption Key Identifier .............................36 25.1. Content Decryption Key Identifier: Symmetric Key and Symmetric ............................................36 25.2. Content Decryption Key Identifier: Unprotected ...........37 26. Certificate Pointers ..........................................37 27. CRL Pointers ..................................................38 28. Key Package Identifier and Receipt Request ....................38 29. Additional Error Codes ........................................39 30. Processing Key Package Attribute Values and CMS Content Constraints ...........................................39 31. Attribute Scope ...............................................41 32. Security Considerations .......................................48 33. References ....................................................48 33.1. Normative References .....................................48 33.2. Informative References ...................................51 Appendix A. ASN.1 Module ..........................................52 Authors' Addresses ................................................68
This document defines key management attributes used by the National Security Agency (NSA). The attributes can appear in asymmetric and/or symmetric key packages as well as the Cryptographic Message Syntax (CMS) content types that subsequently envelope the key packages.
本文件定义了国家安全局(NSA)使用的关键管理属性。这些属性可以出现在非对称和/或对称密钥包以及随后封装密钥包的加密消息语法(CMS)内容类型中。
This document contains definitions for new attributes as well as previously defined attributes. References are provided to the previously defined attributes; however, their definitions are included herein for convenience.
本文档包含新属性和以前定义的属性的定义。参考先前定义的属性;然而,为了方便起见,此处包含了它们的定义。
CMS allows for arbitrary nesting of content types. Attributes are also supported in various locations in content types and key packages, which are themselves content types (see Section 1.1). An implementation that supports all of the possibilities would be extremely complex. Instead of implementing the full flexibility supported by this document, some devices may choose to support one or more templates, which is a profile for a combination of CMS content type(s), key package, and attribute(s); see Section 19.
CMS允许任意嵌套内容类型。在内容类型和关键包中的不同位置也支持属性,它们本身就是内容类型(请参见第1.1节)。支持所有可能性的实现将极其复杂。一些设备可能会选择支持一个或多个模板,而不是实现本文档支持的全部灵活性,这是CMS内容类型、密钥包和属性组合的配置文件;见第19节。
There are a number of CMS content types that support attributes SignedData [RFC5652], EnvelopedData [RFC5652], EncryptedData [RFC5652], AuthenticatedData [RFC5652], and AuthEnvelopedData [RFC5083] as well as ContentWithAttributes [RFC4073]. There are also a number of other content types defined with CONTENT-TYPE [RFC6268] that support attributes including AsymmetricKeyPackage [RFC5958] and SymmetricKeyPackage [RFC6031].
有许多CMS内容类型支持属性SignedData[RFC5652]、EnvelopedData[RFC5652]、EncryptedData[RFC5652]、AuthenticatedData[RFC5652]和AuthEnvelopedData[RFC5083]以及ContentWithAttributes[RFC4073]。还有许多使用content-TYPE[RFC6268]定义的其他内容类型,它们支持包括AsymmetricKeyPackage[RFC5958]和SymmetricKeyPackage[RFC6031]在内的属性。
CMS defines a number of "protecting content types" -- SignedData [RFC5652], EnvelopedData [RFC5652], EncryptedData [RFC5652], AuthenticatedData [RFC5652], and AuthEnvelopedData [RFC5083] -- that provide some type of security service. There are also other CMS content types -- Data [RFC5652], ContentWithAttributes [RFC4073], and ContentCollection [RFC4073] -- that provide no security service.
CMS定义了许多“保护内容类型”——SignedData[RFC5652]、EnvelopedData[RFC5652]、EncryptedData[RFC5652]、AuthenticatedData[RFC5652]和AuthEnvelopedData[RFC5083]——它们提供某种类型的安全服务。还有其他CMS内容类型——数据[RFC5652]、ContentWithAttributes[RFC4073]和ContentCollection[RFC4073]——不提供安全服务。
There are also different kinds of attributes in these content types:
这些内容类型中还有不同类型的属性:
o SignedData supports two kinds of attributes: signed and unsigned attributes in the signedAttrs and unsignedAttrs fields, respectively.
o SignedData支持两种属性:signedAttrs和unsignedAttrs字段中的signed和unsigned属性。
o EnvelopedData and EncryptedData each support one kind of attribute: unprotected attributes in the unprotectedAttrs field.
o EnvelopedData和EncryptedData都支持一种属性:unprotectedAttrs字段中的UnprotectedAttributes。
o AuthEnvelopedData supports two kinds of attributes: authenticated and unauthenticated attributes in the authAttrs and unauthAttrs fields, respectively. Both of these attributes are also unprotected (i.e., they are not encrypted); therefore, when referring to AuthEnvelopedData attributes, they are authenticated&unprotected and unauthenticated&unprotected. For this specification, unauthenticated attributes MUST NOT be included.
o AuthEnvelopedData支持两种类型的属性:authAttrs和unauthAttrs字段中的authenticated和UnauthAuthenticated属性。这两个属性也不受保护(即,它们未加密);因此,在引用AuthEnvelopedData属性时,它们是经过身份验证且未受保护的,而未经身份验证且未受保护的。对于本规范,不得包含未经验证的属性。
o AuthenticatedData supports two kinds of attributes: authenticated and unauthenticated attributes in the authAttrs and unauthAttrs fields, respectively. For this specification, unauthenticated attributes MUST NOT be included.
o AuthenticatedData支持两种属性:authAttrs和unauthAttrs字段中的authenticated和unauthenticated属性。对于本规范,不得包含未经验证的属性。
o ContentWithAttributes supports one kind of attribute: content attributes in the attrs field.
o ContentWithAttributes支持一种属性:属性字段中的内容属性。
o AsymmetricKeyPackage supports one kind of attribute: asymmetric key attributes in the attributes field. If an attribute appears as part of an asymmetric key package, it SHOULD appear in the attributes field of the AsymmetricKeyPackage.
o AsymmetricKeyPackage支持一种属性:属性字段中的非对称密钥属性。如果某个属性显示为非对称密钥包的一部分,则该属性应显示在非对称密钥包的属性字段中。
o SymmetricKeyPackage supports two kinds of attributes: symmetric key and symmetric key package attributes in the sKeyAttrs and sKeyPkgAttrs fields, respectively. Note that [RFC6031] prohibits the same attribute from appearing in both locations in the same SymmetricKeyPackage.
o SymmetricKeyPackage支持两种属性:分别在sKeyAttrs和SkeypkAttrs字段中的对称密钥和对称密钥包属性。请注意,[RFC6031]禁止同一属性出现在同一SymmetricKeyPackage中的两个位置。
Note that this specification updates the following information object sets SignedAttributesSet, UnsignedAttributes, UnprotectedEnvAttributes, UnprotectedEncAttributes, AuthAttributeSet, UnauthAttributeSet, AuthEnvDataAttributeSet, UnauthEnvDataAttributeSet, and ContentAttributeSet from [RFC6268] as well as OneAsymmetricKeyAttributes from [RFC5958], SKeyPkgAttributes from [RFC6031], and SKeyAttributes from [RFC6031] to constrain the permissible locations for attributes. See Appendix A for the ASN.1 for the information object sets.
请注意,本规范更新了[RFC6268]中的以下信息对象集SignedAttributeSet、UnsignedAttributes、UnprotectedAttributes、UnprotectedAttributes、AuthAttributeSet、UnauthDataAttributeSet、UnauthEndataAttributeSet和ContentAttributeSet,以及[RFC5958]中的OneAsymmetricKeyAttributes,[RFC6031]中的SKeyPkgAttributes和[RFC6031]中的SKeyAttributes约束属性的允许位置。有关对象集的信息,请参见ASN.1的附录A。
The attributes defined in this document use 2002 ASN.1 [X.680] [X.681] [X.682] [X.683]. The attributes MUST be DER [X.690] encoded.
本文件中定义的属性使用2002 ASN.1[X.680][X.681][X.682][X.683]。属性必须进行DER[X.690]编码。
Each of the attributes has a single attribute value instance in the values set. Even though the syntax is defined as a set, there MUST be exactly one instance of AttributeValue present. Further, the SignedAttributes, UnsignedAttributes, UnprotectedAttributes, AuthAttributes, and UnauthAttributes are also defined as a set, and
每个属性在值集中都有一个属性值实例。即使语法定义为一个集合,也必须只存在一个AttributeValue实例。此外,SignedAttribute、UnsignedAttribute、UnprotectedAttribute、AuthAttributes和UnauthAttributes也定义为一个集合,并且
this set MUST include only one instance of any particular type of attribute. That is, any object identifier appearing in AttributeType MUST only appear one time in the set of attributes.
此集合只能包含任何特定类型属性的一个实例。也就是说,AttributeType中出现的任何对象标识符在属性集中只能出现一次。
SignedData, EnvelopedData, EncryptedData, AuthenticatedData, AuthEnvelopedData, and ContentWithAttributes were originally defined using the 1988 version of ASN.1. These definitions were updated to the 2008 version of ASN.1 by [RFC6268]. None of the new 2008 ASN.1 tokens are used; this allows 2002 compilers to compile 2008 ASN.1. AsymmetricKeyPackage and SymmetricKeyPackage are defined using the 2002 ASN.1.
SignedData、EnvelopedData、EncryptedData、AuthenticatedData、AuthEnvelopedData和ContentWithAttributes最初是使用1988年版本的ASN.1定义的。[RFC6268]将这些定义更新至2008年版ASN.1。没有使用新的2008 ASN.1代币;这允许2002编译器编译2008 ASN.1。AsymmetricKeyPackage和SymmetricKeyPackage是使用2002 ASN.1定义的。
[RFC5652] and [RFC2634] define generally useful attributes for CMS using the 1988 version of ASN.1. These definitions were updated to the 2008 version of ASN.1 by [RFC6268] and the 2002 version of ASN.1 by [RFC5911], respectively. [RFC4108] and [RFC6019] also defined attributes using the 1988 version of ASN.1, which this document uses. Both were updated by [RFC5911] to the 2002 ASN.1. Refer to [RFC2634], [RFC4108], [RFC5652], and [RFC6019] for the attribute's semantics, but refer to [RFC5911] or [RFC6268] for the attribute's ASN.1 syntax.
[RFC5652]和[RFC2634]使用ASN.1的1988版本定义了CMS通常有用的属性。这些定义分别由[RFC6268]和[RFC5911]更新至2008版ASN.1和2002版ASN.1。[RFC4108]和[RFC6019]还使用本文档使用的1988版ASN.1定义了属性。[RFC5911]将二者更新为2002年ASN.1。有关属性的语义,请参阅[RFC2634]、[RFC4108]、[RFC5652]和[RFC6019],但有关属性的ASN.1语法,请参阅[RFC5911]或[RFC6268]。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”应按照RFC 2119[RFC2119]中的说明进行解释。
Attribute Scope: The scope of an attribute is the compilation of keying material to which the attribute value is assigned. The scope of each attribute is determined by its placement within the key package or content collection. See Section 31.
属性范围:属性的范围是将属性值指定给的关键帧材质的编译。每个属性的范围由其在密钥包或内容集合中的位置决定。见第31节。
SIR: Source Intermediary Receiver is a model with three entities:
SIR:源中间接收器是一个具有三个实体的模型:
o A source initiates the delivery of a key to one or more receivers. It may wrap or encrypt the key for delivery. This is expected to be the common case, since a cleartext key is vulnerable to exposure and compromise. If the sender is to encrypt the key for delivery, it must know how to encrypt the key so that the receiver(s) can decrypt it. A sender may also carry out any of the functions of an intermediary.
o 源向一个或多个接收器发送密钥。它可以包装或加密密钥以进行传递。这是常见的情况,因为明文密钥容易暴露和泄露。如果发送方要加密密钥以进行传递,那么它必须知道如何加密密钥,以便接收方能够解密密钥。发送者也可以执行中间人的任何职能。
* The original key package creators are sometimes referred to as key source authorities. These entities create the symmetric and/or asymmetric key package and apply the initial CMS protecting layer, which is normally a SignedData
* 原始密钥包创建者有时称为密钥源权限。这些实体创建对称和/或非对称密钥包,并应用初始CMS保护层,该保护层通常是签名数据
but sometimes an AuthenticatedData. This initial CMS protecting layer is maintained through any intermediary for the receivers of the key package to ensure that receivers can validate the key source authority.
但有时是经过身份验证的数据。该初始CMS保护层通过密钥包接收者的任何中介进行维护,以确保接收者能够验证密钥源授权。
o An intermediary does not have access to the cleartext key. An intermediary may perform source authentication on key packages and may append or remove management information related to the package. It may encapsulate the encrypted key packages in larger packages that contain other user data destined for later intermediaries or receivers.
o 中间人无权访问明文密钥。中介可以对密钥包执行源身份验证,并可以附加或删除与该包相关的管理信息。它可以将加密密钥包封装在更大的包中,其中包含发送给后来的中介或接收者的其他用户数据。
o A receiver has access to the cleartext key. If the received key package is encrypted, it can unwrap or decrypt the encrypted key to obtain the cleartext key. A receiver may be the final destination of the cryptographic product. An element that acts as a receiver and is not the final destination of the key package may also act as a sender or as an intermediary. After receiving a key, a receiver may encrypt the received key for local storage.
o 接收者可以访问明文密钥。如果收到的密钥包是加密的,它可以打开或解密加密的密钥以获得明文密钥。接收器可以是加密产品的最终目的地。充当接收方而不是密钥包最终目的地的元素也可以充当发送方或中介。在接收到密钥之后,接收器可以对接收到的密钥进行加密以用于本地存储。
NOTE: As noted in Section 1, a receiver can be tailored to support a particular combination of CMS content type(s), key package, and attribute(s) resulting in less-complex implementations. All of these tailored receivers can be supported by a common key management infrastructure that uses this specification; this also can yield efficiencies in generation and provisioning. Senders and intermediaries that have to understand multiple tailored receivers get the efficiency of a common specification language and modular implementation, as opposed to needing stove-piped processing for each different receiver.
注:如第1节所述,接收器可定制为支持CMS内容类型、密钥包和属性的特定组合,从而实现较不复杂的实现。所有这些定制的接收器都可以由使用此规范的公共密钥管理基础设施支持;这还可以提高发电和资源调配的效率。必须理解多个定制接收器的发送者和中介体可以获得通用规范语言和模块化实现的效率,而不是需要对每个不同接收器进行炉管处理。
The following attributes are defined for [RFC5652]:
为[RFC5652]定义了以下属性:
o content-type [RFC5652] [RFC5911] [RFC6268] uniquely specifies the CMS content type. This attribute MUST be included as a signed, authenticated, or authenticated&unprotected attribute.
o 内容类型[RFC5652][RFC5911][RFC6268]唯一指定CMS内容类型。此属性必须作为已签名、已验证或已验证和未保护的属性包含。
o message-digest [RFC5652] [RFC5911] [RFC6268] is the message digest of the encapsulated content calculated using the signer's message digest algorithm. As specified in [RFC5652], it must be included as a signed attribute and an authenticated attribute; as specified in [RFC5652], it must not be an unsigned attribute, unauthenticated attribute, or unprotected
o 消息摘要[RFC5652][RFC5911][RFC6268]是使用签名者的消息摘要算法计算的封装内容的消息摘要。如[RFC5652]所述,必须将其作为已签名属性和已验证属性包含;如[RFC5652]中所述,它不能是未签名的属性、未经身份验证的属性或未受保护的属性
attribute; as specified in [RFC5083], it should not be included as an authenticated&unprotected attribute in AuthEnvelopedData. This attribute MUST NOT be included elsewhere.
属性如[RFC5083]中所述,它不应作为AuthEnvelopedData中的已验证和未保护属性包含。此属性不能包含在其他位置。
o content-hints [RFC2634] [RFC5911] [RFC6268] identifies the innermost content when multiple layers of encapsulation have been applied. Every instance of SignedData, AuthenticatedData, and AuthEnvelopedData that does not directly encapsulate a SymmetricKeyPackage, an AsymmetricKeyPackage, or an EncryptedKeyPackage [RFC6032] MUST include this attribute.
o 内容提示[RFC2634][RFC5911][RFC6268]在应用多层封装时标识最里面的内容。未直接封装SymmetricKeyPackage、AsymmetricKeyPackage或EncryptedKeyPackage[RFC6032]的SignedData、AuthenticatedData和AuthEnvelopedData的每个实例都必须包含此属性。
The community-identifiers attribute, defined in [RFC4108] and [RFC5911], lists the communities that are authorized recipients of the signed content. It can appear as a signed, authenticated, authenticated&unprotected, or content attribute. This attribute MUST be supported.
[RFC4108]和[RFC5911]中定义的社区标识符属性列出了作为已签名内容的授权收件人的社区。它可以显示为已签名、已验证、已验证和未保护或内容属性。必须支持此属性。
The 2002 ASN.1 syntax for the community-identifiers attribute is included for convenience:
为了方便起见,包含了社区标识符属性的2002 ASN.1语法:
aa-communityIdentifiers ATTRIBUTE ::= { TYPE CommunityIdentifiers IDENTIFIED BY id-aa-communityIdentifiers }
aa-communityIdentifiers ATTRIBUTE ::= { TYPE CommunityIdentifiers IDENTIFIED BY id-aa-communityIdentifiers }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 40 }
id-aa-communityIdentifiers OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 40 }
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifiers ::= SEQUENCE OF CommunityIdentifier
CommunityIdentifier ::= CHOICE { communityOID OBJECT IDENTIFIER, hwModuleList HardwareModules }
CommunityIdentifier ::= CHOICE { communityOID OBJECT IDENTIFIER, hwModuleList HardwareModules }
HardwareModules ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareModules ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareSerialEntry ::= CHOICE { all NULL, single OCTET STRING, block SEQUENCE { low OCTET STRING, high OCTET STRING } }
HardwareSerialEntry ::= CHOICE { all NULL, single OCTET STRING, block SEQUENCE { low OCTET STRING, high OCTET STRING } }
Consult [RFC4108] for the attribute's semantics.
有关属性的语义,请参阅[RFC4108]。
The key-province-v2 attribute identifies the scope, range, or jurisdiction in which the key is to be used. The key-province-v2 attribute MUST be present as a signed attribute or an authenticated attribute in the innermost CMS protection content type that provides authentication (i.e., SignedData, AuthEnvelopedData, or AuthenticatedData) and encapsulates a symmetric key package or an asymmetric key package.
key-province-v2属性标识要在其中使用密钥的范围、范围或辖区。key-province-v2属性必须在提供身份验证(即SignedData、AuthEnvelopedData或AuthenticatedData)并封装对称密钥包或非对称密钥包的最内层CMS保护内容类型中以签名属性或身份验证属性的形式存在。
The key-province attribute has the following syntax:
“关键省”属性具有以下语法:
aa-keyProvince-v2 ATTRIBUTE ::= { TYPE KeyProvinceV2 IDENTIFIED BY id-aa-KP-keyProvinceV2 }
aa-keyProvince-v2 ATTRIBUTE ::= { TYPE KeyProvinceV2 IDENTIFIED BY id-aa-KP-keyProvinceV2 }
id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 71 }
id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 71 }
KeyProvinceV2 ::= OBJECT IDENTIFIER
KeyProvinceV2 ::= OBJECT IDENTIFIER
The binary-signing-time attribute, defined in [RFC6019] and [RFC6268], specifies the time at which the signature or the Message Authentication Code (MAC) was applied to the encapsulated content. It can appear as a signed, authenticated, or authenticated&unprotected attribute.
[RFC6019]和[RFC6268]中定义的二进制签名时间属性指定签名或消息验证码(MAC)应用于封装内容的时间。它可以显示为已签名、已验证或已验证且未受保护的属性。
The 2002 ASN.1 syntax is included for convenience:
为了方便起见,包含了2002 ASN.1语法:
aa-binarySigningTime ATTRIBUTE ::= { TYPE BinarySigningTime IDENTIFIED BY id-aa-binarySigningTime }
aa-binarySigningTime ATTRIBUTE ::= { TYPE BinarySigningTime IDENTIFIED BY id-aa-binarySigningTime }
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 46 }
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 46 }
BinarySigningTime ::= BinaryTime
BinarySigningTime ::= BinaryTime
BinaryTime ::= INTEGER (0..MAX)
BinaryTime ::= INTEGER (0..MAX)
Consult [RFC6019] for the binary-signing-time attribute's semantics.
有关二进制签名时间属性的语义,请参阅[RFC6019]。
The manifest attribute lists the short titles of all the Transmission Security Nomenclature (TSEC-Nomenclature) attributes from inner key packages. It MUST only appear as an outermost signed, authenticated, or authenticated&unprotected attribute. If a short title is repeated in inner packages, it need only appear once in the manifest attribute. The manifest attribute MUST NOT appear in the same level as the TSEC-Nomenclature from Section 10.
manifest属性列出了内部密钥包中所有传输安全术语(TSEC术语)属性的简短标题。它只能显示为最外层的已签名、已验证或已验证&未保护属性。如果短标题在内部包中重复,它只需在manifest属性中出现一次。清单属性不得与第10节中的TSEC术语出现在同一级别。
The manifest attribute has the following syntax:
manifest属性具有以下语法:
aa-manifest ATTRIBUTE ::= { TYPE Manifest IDENTIFIED BY id-aa-KP-manifest }
aa-manifest ATTRIBUTE ::= { TYPE Manifest IDENTIFIED BY id-aa-KP-manifest }
id-aa-KP-manifest OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 72 }
id-aa-KP-manifest OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 72 }
Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle
Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle
The key-algorithm attribute indirectly specifies the size and format of the keying material in the skey field of a symmetric key package, which is defined in [RFC6031]. It can appear as a symmetric key, symmetric key package, signed, authenticated, authenticated&unprotected, or content attribute. If this attribute appears as a signed attribute, then all of the keying material within the SignedData content MUST be associated with the same algorithm. If this attribute appears as an authenticated or authenticated&unprotected attribute, then all of the keying material within the AuthenticatedData or AuthEnvelopedData content type MUST be associated with the same algorithm. If this attribute appears as a content attribute, then all of the keying material within the collection MUST be associated with the same algorithm. If both the key-wrap-algorithm (Section 24) and key-algorithm attributes apply to an sKey, then the key-algorithm attribute refers to the decrypted value of sKey rather than to the content of sKey itself. This attribute MUST be supported.
“密钥算法”属性间接指定对称密钥包的skey字段中的密钥材质的大小和格式,该字段在[RFC6031]中定义。它可以显示为对称密钥、对称密钥包、已签名、已验证、已验证和未保护或内容属性。如果此属性显示为已签名属性,则SignedData内容中的所有键控材质必须与同一算法关联。如果此属性显示为“已验证”或“已验证&未保护”属性,则AuthenticatedData或AuthEnvelopedData内容类型中的所有键控材料必须与同一算法关联。如果此属性显示为内容属性,则集合中的所有关键帧材质必须与同一算法关联。如果密钥包裹算法(第24节)和密钥算法属性都适用于sKey,则密钥算法属性指的是sKey的解密值,而不是sKey本身的内容。必须支持此属性。
The key-algorithm attribute has the following syntax:
“关键算法”属性具有以下语法:
aa-keyAlgorithm ATTRIBUTE ::= { TYPE KeyAlgorithm IDENTIFIED BY id-kma-keyAlgorithm }
aa-keyAlgorithm ATTRIBUTE ::= { TYPE KeyAlgorithm IDENTIFIED BY id-kma-keyAlgorithm }
id-kma-keyAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 1 }
id-kma-keyAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 1 }
KeyAlgorithm ::= SEQUENCE { keyAlg OBJECT IDENTIFIER, checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, crcAlg [2] OBJECT IDENTIFIER OPTIONAL }
KeyAlgorithm ::= SEQUENCE { keyAlg OBJECT IDENTIFIER, checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, crcAlg [2] OBJECT IDENTIFIER OPTIONAL }
The fields in the key-algorithm attribute have the following semantics:
“关键算法”属性中的字段具有以下语义:
o keyAlg specifies the size and format of the keying material.
o keyAlg指定关键帧材质的大小和格式。
o If the particular key format supports more than one check-word algorithm, then the OPTIONAL checkWordAlg identifier indicates which check-word algorithm was used to generate the check word that is present. If the check-word algorithm is implied by the key algorithm, then the checkWordAlg field SHOULD be omitted.
o 如果特定关键字格式支持多个检查字算法,则可选的检查字ALG标识符指示使用哪个检查字算法生成当前的检查字。如果关键字算法暗示了检查字算法,则应省略checkWordAlg字段。
o If the particular key format supports more than one Cyclic Redundancy Check (CRC) algorithm, then the OPTIONAL crcAlg identifier indicates which CRC algorithm was used to generate the value that is present. If the CRC algorithm is implied by the key algorithm, then the crcAlg field SHOULD be omitted.
o 如果特定密钥格式支持多个循环冗余校验(CRC)算法,则可选crcAlg标识符指示使用哪个CRC算法生成当前值。如果密钥算法隐含CRC算法,则应省略crcAlg字段。
The keyAlg identifier, the checkWordAlg identifier, and the crcAlg identifier are object identifiers. The use of an object identifier accommodates any algorithm from any registry.
keyAlg标识符、checkWordAlg标识符和crcAlg标识符是对象标识符。对象标识符的使用适应了来自任何注册表的任何算法。
The format of the keying material in the skey field of a symmetric key package will not match this attribute if the keying material is split (see Section 18 for a discussion of the split-identifier attribute). In this situation, this attribute identifies the format of the keying material once the two splits are combined.
如果分割键控材质,对称密钥包的skey字段中键控材质的格式将与此属性不匹配(有关分割标识符属性的讨论,请参阅第18节)。在这种情况下,一旦两个拆分合并,该属性将标识关键帧材质的格式。
Due to multiple layers of encapsulation or the use of content collections, the key-algorithm attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-algorithm attribute within the same scope, the keyAlg field MUST match in all instances. The OPTIONAL checkWordAlg and crcAlg fields can be omitted in the key-algorithm attribute when it appears as a signed, authenticated, authenticated&unprotected, or content attribute. However, if these optional fields are present, they MUST also match the other occurrences within the same scope. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,密钥算法属性可以出现在整个密钥包中的多个位置。当同一范围内多次出现“关键算法”属性时,所有实例中的“关键算法”字段都必须匹配。当密钥算法属性显示为已签名、已验证、已验证和未保护或内容属性时,可以在密钥算法属性中省略可选的checkWordAlg和crcAlg字段。但是,如果存在这些可选字段,则它们还必须与同一范围内的其他匹配项相匹配。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The user-certificate attribute specifies the type, format, and value of an X.509 certificate and is used in asymmetric key package's attributes field. This attribute can appear as an asymmetric key attribute. This attribute MUST NOT appear in an asymmetric key package attributes field that includes the other-certificate-formats attribute. Symmetric key packages do not contain any certificates, so the user-certificate attribute MUST NOT appear in a symmetric key package. The user-certificate attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute. This attribute MUST be supported.
用户证书属性指定X.509证书的类型、格式和值,并在非对称密钥包的属性字段中使用。此属性可以显示为非对称密钥属性。此属性不得出现在包含“其他证书格式”属性的非对称密钥包属性字段中。对称密钥包不包含任何证书,因此用户证书属性不得出现在对称密钥包中。用户证书属性不得显示为已签名、已验证、已验证和未保护或内容属性。必须支持此属性。
The syntax is taken from [X.509] but redefined using the ATTRIBUTE CLASS from [RFC5912]. The user-certificate attribute has the following syntax:
语法取自[X.509],但使用[RFC5912]中的属性类重新定义。用户证书属性具有以下语法:
aa-userCertificate ATTRIBUTE ::= { TYPE Certificate EQUALITY MATCHING RULE certificateExactMatch IDENTIFIED BY id-at-userCertificate }
aa-userCertificate ATTRIBUTE ::= { TYPE Certificate EQUALITY MATCHING RULE certificateExactMatch IDENTIFIED BY id-at-userCertificate }
id-at-userCertificate OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 36 }
id-at-userCertificate OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 36 }
Since the user-certificate attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute, an asymmetric key package cannot include multiple occurrences of the user-certificate attribute within the same scope. Receivers MUST reject any asymmetric key package in which the user-certificate attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute.
由于用户证书属性不得显示为已签名、已验证、已验证和未保护或内容属性,因此非对称密钥包不能在同一范围内包含多次出现的用户证书属性。接收方必须拒绝任何非对称密钥包,其中用户证书属性显示为已签名、已验证、已验证&未保护或内容属性。
The key-package-receivers-v2 attribute indicates the intended audience for the key package. The key-package-receivers-v2 attribute is not intended for access control decisions; rather, intermediate systems may use this attribute to make routing and relaying decisions. If the receiver is not listed, it will not be able to decrypt the package; therefore, the receiver SHOULD reject the key package if the key-package-receivers-v2 attribute is present and they are not listed as an intended receiver. The key-package-receivers-v2 attribute can be used as a signed, authenticated, authenticated&unprotected, or content attribute. If the key-package-receivers-v2 attribute is associated with a collection, then the named receivers MUST be able to receive all of the key packages within the collection. This attribute MUST be supported.
key-package-receivers-v2属性表示密钥包的目标受众。key-package-receivers-v2属性不用于访问控制决策;相反,中间系统可以使用此属性来进行路由和中继决策。如果接收方未列出,则无法解密该包;因此,如果key-package-receivers-v2属性存在,并且未将其列为预期的接收方,则接收方应拒绝密钥包。key-package-receivers-v2属性可以用作已签名、已验证、已验证&未保护或内容属性。如果key-package-receivers-v2属性与集合相关联,则指定的接收者必须能够接收集合中的所有密钥包。必须支持此属性。
The key-package-receivers-v2 attribute has the following syntax:
key-package-receivers-v2属性具有以下语法:
aa-keyPackageReceivers-v2 ATTRIBUTE ::= { TYPE KeyPkgReceiversV2 IDENTIFIED BY id-kma-keyPkgReceiversV2 }
aa-keyPackageReceivers-v2 ATTRIBUTE ::= { TYPE KeyPkgReceiversV2 IDENTIFIED BY id-kma-keyPkgReceiversV2 }
id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 16 }
id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 16 }
KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver
KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver
KeyPkgReceiver ::= CHOICE { sirEntity [0] SIREntityName, community [1] CommunityIdentifier }
KeyPkgReceiver ::= CHOICE { sirEntity [0] SIREntityName, community [1] CommunityIdentifier }
The key-package-receivers-v2 attribute contains a list of receiver identifiers. The receiver identifier is either a SIREntityName [RFC7191] or a CommunityIdentifier (see Section 3). The SIREntityName syntax does not impose any particular structure on the receiver identifier, but it does require registration of receiver identifier types. The nameType ensures that two receiver identifiers of different types that contain the same values are not interpreted as equivalent. Name types are expected to be defined that represent several different granularities. For example, one name type will represent the receiver organization. At a finer granularity, the name type will identify a specific cryptographic device, perhaps using a manufacturer identifier and serial number.
key-package-receivers-v2属性包含接收器标识符的列表。接收器标识符是sirentyname[RFC7191]或CommunityIdentifier(参见第3节)。SIREntityName语法不会对接收方标识符施加任何特定结构,但它确实需要注册接收方标识符类型。nameType确保包含相同值的两个不同类型的接收器标识符不会被解释为等效。应定义代表几种不同粒度的名称类型。例如,一个名称类型将表示接收方组织。在更细的粒度上,名称类型将标识特定的加密设备,可能使用制造商标识符和序列号。
If a receiver does not recognize a particular nameType or a community identifier, then keying material within the scope of the unrecognized nameType or community identifier MUST NOT be used in any manner. However, the receiver need not discard the associated key package. Since many cryptographic devices are programmable, a different firmware load may recognize the nameType. Likewise, a change in the configuration may lead to the recognition of a previously unrecognized community identifier. Therefore, the receiver may retain the key package, but refuse to use it for anything with a firmware load that does not recognize the nameType or a configuration that does not recognize the community identifier.
如果接收者不识别特定的nameType或社区标识符,则不得以任何方式使用未识别的nameType或社区标识符范围内的键控材料。然而,接收器不需要丢弃相关联的密钥包。由于许多加密设备是可编程的,不同的固件加载可能会识别名称类型。同样,配置中的更改可能导致识别以前无法识别的社区标识符。因此,接收方可以保留密钥包,但拒绝将其用于任何固件加载无法识别名称类型或配置无法识别社区标识符的情况。
Whenever a key package is saved for later processing due to an unrecognized nameType or community identifier, subsequent processing MUST NOT rely on any checks that were made the first time the key package processing was attempted. That is, the subsequent processing MUST include the full complement of checks. Further, a receipt for the packages MUST NOT be generated unless all of these checks are successfully completed.
每当由于无法识别的名称类型或社区标识符而保存密钥包以供以后处理时,后续处理不得依赖于首次尝试密钥包处理时进行的任何检查。也就是说,后续处理必须包括完整的检查。此外,除非所有这些检查都成功完成,否则不得生成包裹收据。
Due to multiple layers of encapsulation or the use of content collections, the key-package-receivers-v2 attribute can appear in more than one location in the overall key package. When that happens, each occurrence is evaluated independently.
由于多层封装或使用内容集合,key-package-receivers-v2属性可以出现在整个key包中的多个位置。发生这种情况时,将独立评估每个事件。
In a content collection, each member of the collection might contain its own signed, authenticated, authenticated&unprotected, or content attribute that includes a key-package-receivers-v2 attribute. In this situation, each member of the collection is evaluated separately, and any member that includes an acceptable receiver SHOULD be retained. Other members can be rejected or retained for later processing with a different firmware load.
在内容集合中,集合的每个成员都可能包含自己的已签名、已验证、已验证和未保护的内容属性,或者包含key-package-receivers-v2属性的内容属性。在这种情况下,集合中的每个成员都要单独评估,包括可接受接收人的任何成员都应该保留。其他成员可以被拒绝或保留,以便以后使用不同的固件加载进行处理。
The Telecommunications Security Nomenclature (TSEC-Nomenclature) attribute provides the name for a piece of keying material, which always includes a printable string called a "short title" (see below). The TSEC-Nomenclature attribute also contains other identifiers when the shortTitle is insufficient to uniquely name a particular piece of keying material. This attribute can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If this attribute appears in the sKeyAttrs field, the editionID, registerID, and segmentID attribute fields MUST NOT be ranges. If this attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, all of the keying material within the associated content MUST have the same shortTitle, and the attribute value MUST contain only a shortTitle. That is, when this attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, all of the optional fields MUST be absent. If this attribute is associated with a collection, all of the keying material within the collection MUST have the same shortTitle; however, the editionID, registerID, and segmentID will be different for each key package in the collection. This attribute MUST be supported.
电信安全命名法(TSEC命名法)属性提供一段键入材料的名称,该材料始终包括一个称为“短标题”的可打印字符串(见下文)。当shortTitle不足以唯一命名特定的键控材料时,“TSEC命名法”属性还包含其他标识符。此属性可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果此属性出现在sKeyAttrs字段中,则editionID、registerID和segmentID属性字段不能是范围。如果此属性显示为已签名、已验证、已验证和未保护或内容属性,则关联内容中的所有键控材料必须具有相同的shortTitle,并且属性值必须仅包含shortTitle。也就是说,当此属性显示为已签名、已验证、已验证&未保护或内容属性时,所有可选字段都必须不存在。如果此属性与集合关联,则集合中的所有键控材质必须具有相同的shortTitle;但是,集合中每个密钥包的editionID、registerID和segmentID将不同。必须支持此属性。
The TSEC-Nomenclature attribute has the following syntax:
TSEC命名法属性具有以下语法:
aa-tsecNomenclature ATTRIBUTE ::= { TYPE TSECNomenclature IDENTIFIED BY id-kma-TSECNomenclature }
aa-tsecNomenclature ATTRIBUTE ::= { TYPE TSECNomenclature IDENTIFIED BY id-kma-TSECNomenclature }
id-kma-TSECNomenclature OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 3 }
id-kma-TSECNomenclature OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 3 }
TSECNomenclature ::= SEQUENCE { shortTitle ShortTitle, editionID EditionID OPTIONAL, registerID RegisterID OPTIONAL, segmentID SegmentID OPTIONAL }
TSECNomenclature ::= SEQUENCE { shortTitle ShortTitle, editionID EditionID OPTIONAL, registerID RegisterID OPTIONAL, segmentID SegmentID OPTIONAL }
ShortTitle ::= PrintableString
ShortTitle ::= PrintableString
EditionID ::= CHOICE { char CHOICE { charEdition [1] CharEdition, charEditionRange [2] CharEditionRange } num CHOICE { numEdition [3] NumEdition, numEditionRange [4] NumEditionRange } }
EditionID ::= CHOICE { char CHOICE { charEdition [1] CharEdition, charEditionRange [2] CharEditionRange } num CHOICE { numEdition [3] NumEdition, numEditionRange [4] NumEditionRange } }
CharEdition ::= PrintableString
CharEdition ::= PrintableString
CharEditionRange ::= SEQUENCE { firstCharEdition CharEdition, lastCharEdition CharEdition }
CharEditionRange ::= SEQUENCE { firstCharEdition CharEdition, lastCharEdition CharEdition }
NumEdition ::= INTEGER (0..308915776)
NumEdition ::= INTEGER (0..308915776)
NumEditionRange ::= SEQUENCE { firstNumEdition NumEdition, lastNumEdition NumEdition }
NumEditionRange ::= SEQUENCE { firstNumEdition NumEdition, lastNumEdition NumEdition }
RegisterID ::= CHOICE { register [5] Register, registerRange [6] RegisterRange }
RegisterID ::= CHOICE { register [5] Register, registerRange [6] RegisterRange }
Register ::= INTEGER (0..2147483647)
Register ::= INTEGER (0..2147483647)
RegisterRange ::= SEQUENCE { firstRegister Register, lastRegister Register }
RegisterRange ::= SEQUENCE { firstRegister Register, lastRegister Register }
SegmentID ::= CHOICE { segmentNumber [7] SegmentNumber, segmentRange [8] SegmentRange }
SegmentID ::= CHOICE { segmentNumber [7] SegmentNumber, segmentRange [8] SegmentRange }
SegmentNumber ::= INTEGER (1..127)
SegmentNumber ::= INTEGER (1..127)
SegmentRange ::= SEQUENCE { firstSegment SegmentNumber, lastSegment SegmentNumber }
SegmentRange ::= SEQUENCE { firstSegment SegmentNumber, lastSegment SegmentNumber }
The fields in the TSEC-Nomenclature attribute have the following semantics:
TSEC术语属性中的字段具有以下语义:
o The shortTitle consists of up to 32 alphanumeric characters. shortTitle processing always uses the value in its entirety.
o 短标题最多由32个字母数字字符组成。shortTitle处理始终使用整个值。
o The editionID is OPTIONAL, and the editionIdentifier is used to distinguish accountable items. The editionID consists of either six alphanumeric characters or an integer. When present, the editionID is either a single value or a range. The integer encoding should be used when it is important to keep key package size to a minimum.
o editionID是可选的,editionIdentifier用于区分责任项目。editionID由六个字母数字字符或一个整数组成。存在时,editionID为单个值或范围。当将密钥包大小保持在最小值很重要时,应使用整数编码。
o The registerID is OPTIONAL. For electronic keying material, the registerID is usually omitted. The registerID is an accounting number assigned to identify Communications Security (COMSEC) material. The registerID is either a single value or a range.
o registerID是可选的。对于电子键控材料,通常省略寄存器ID。registerID是分配用于识别通信安全(COMSEC)材料的会计编号。registerID是单个值或范围。
o The segmentID is OPTIONAL, and it distinguishes the individual symmetric keys delivered in one edition. A unique segmentNumber is assigned to each key in an edition. The segmentNumber is set to one for the first item in each edition, and it is incremented by one for each additional item within that edition. The segmentID is either a single value or a range.
o segmentID是可选的,它区分一个版本中交付的各个对称密钥。为版本中的每个键指定一个唯一的段号。对于每个版本中的第一个项目,segmentNumber设置为1,对于该版本中的每个附加项目,segmentNumber增加1。segmentID是单个值或范围。
The order that the keying material will appear in the key package is illustrated by the following example: a cryptographic device may require fresh keying material every day, an edition represents the keying material for a single month, and the segments represent the keying material for a day within that month. Consider a key package that contains the keying material for July and August; it will contain keying material for 62 days. The keying material will appear in the following order: Edition 1, Segment 1; Edition 1, Segment 2; Edition 1, Segment 3; ...; Edition 1, Segment 31; Edition 2, Segment 1; Edition 2, Segment 2; Edition 2, Segment 3; ...; Edition 2, Segment 31.
The order that the keying material will appear in the key package is illustrated by the following example: a cryptographic device may require fresh keying material every day, an edition represents the keying material for a single month, and the segments represent the keying material for a day within that month. Consider a key package that contains the keying material for July and August; it will contain keying material for 62 days. The keying material will appear in the following order: Edition 1, Segment 1; Edition 1, Segment 2; Edition 1, Segment 3; ...; Edition 1, Segment 31; Edition 2, Segment 1; Edition 2, Segment 2; Edition 2, Segment 3; ...; Edition 2, Segment 31.
Due to multiple layers of encapsulation or the use of content collections, the TSEC-Nomenclature attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the TSEC-Nomenclature attribute within the same scope, the shortTitle field MUST match in all instances. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或内容集合的使用,TSEC术语属性可以出现在整个密钥包中的多个位置。当同一范围内多次出现TSEC命名属性时,shortTitle字段必须在所有实例中匹配。接收方必须拒绝任何未通过这些一致性检查的密钥包。
When the manifest attribute from Section 6 is included in an outer layer, the ShortTitle field values present in TSEC-Nomenclature attributes MUST be one of the values in the manifest attribute. Receivers MUST reject any key package that fails this consistency check.
当第6节中的清单属性包含在外层时,TSEC术语属性中的ShortTitle字段值必须是清单属性中的值之一。接收方必须拒绝任何未通过此一致性检查的密钥包。
The key-purpose attribute specifies the intended purpose of the key material. It can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the key-purpose attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the associated content MUST have the same key purpose value.
“关键用途”属性指定关键材质的预期用途。它可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果密钥目的属性显示为已签名、已验证、已验证和未保护或内容属性,则关联内容中的所有密钥材料必须具有相同的密钥目的值。
The key-purpose attribute has the following syntax:
“关键用途”属性具有以下语法:
aa-keyPurpose ATTRIBUTE ::= { TYPE KeyPurpose IDENTIFIED BY id-kma-keyPurpose }
aa-keyPurpose ATTRIBUTE ::= { TYPE KeyPurpose IDENTIFIED BY id-kma-keyPurpose }
id-kma-keyPurpose OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 13 }
id-kma-keyPurpose OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 13 }
KeyPurpose ::= ENUMERATED { n-a (0), -- Not Applicable A (65), -- Operational B (66), -- Compatible Multiple Key L (76), -- Logistics Combinations M (77), -- Maintenance R (82), -- Reference S (83), -- Sample T (84), -- Training V (86), -- Developmental X (88), -- Exercise Z (90), -- "On the Air" Testing ... -- Expect additional key purpose values -- }
KeyPurpose ::= ENUMERATED { n-a (0), -- Not Applicable A (65), -- Operational B (66), -- Compatible Multiple Key L (76), -- Logistics Combinations M (77), -- Maintenance R (82), -- Reference S (83), -- Sample T (84), -- Training V (86), -- Developmental X (88), -- Exercise Z (90), -- "On the Air" Testing ... -- Expect additional key purpose values -- }
Due to multiple layers of encapsulation or the use of content collections, the key-purpose attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-purpose attribute within the same scope, all fields within the attribute MUST contain exactly the same values. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,key purpose属性可以出现在整个key package中的多个位置。当在同一范围内多次出现key purpose属性时,该属性内的所有字段必须包含完全相同的值。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The key-use attribute specifies the intended use of the key material. It can appear as a symmetric key, symmetric key package, asymmetric, signed, authenticated, authenticated&unprotected, or content attribute. If the key-use attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the associated content MUST have the same key use value.
“关键点使用”属性指定关键点材质的预期用途。它可以显示为对称密钥、对称密钥包、非对称、已签名、已验证、已验证和未保护或内容属性。如果密钥使用属性显示为已签名、已验证、已验证&未保护或内容属性,则关联内容中的所有密钥材料必须具有相同的密钥使用值。
The key-use attribute has the following syntax:
密钥使用属性具有以下语法:
aa-key-Use ATTRIBUTE ::= { TYPE KeyUse IDENTIFIED BY id-kma-keyUse }
aa-key-Use ATTRIBUTE ::= { TYPE KeyUse IDENTIFIED BY id-kma-keyUse }
id-kma-keyUse OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 14 }
id-kma-keyUse OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 14 }
KeyUse ::= ENUMERATED { n-a (0), -- Not applicable ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) kek (2), -- Key Encryption Key kpk (3), -- Key Production Key msk (4), -- Message Signature Key qkek (5), -- QUADRANT Key Encryption Key tek (6), -- Traffic Encryption Key tsk (7), -- Transmission Security Key trkek (8), -- Transfer Key Encryption Key nfk (9), -- Netted FIREFLY Key effk (10), -- FIREFLY Key (Enhanced Format) ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) aek (12), -- Algorithm Encryption Key wod (13), -- Word of Day kesk (246), -- Key Establishment Key eik (247), -- Entity Identification Key ask (248), -- Authority Signature Key kmk (249), -- Key Modifier Key rsk (250), -- Revocation Signature Key csk (251), -- Certificate Signature Key sak (252), -- Symmetric Authentication Key rgk (253), -- Random Generation Key cek (254), -- Certificate Encryption Key exk (255), -- Exclusion Key ... -- Expect additional key use values -- }
KeyUse ::= ENUMERATED { n-a (0), -- Not applicable ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) kek (2), -- Key Encryption Key kpk (3), -- Key Production Key msk (4), -- Message Signature Key qkek (5), -- QUADRANT Key Encryption Key tek (6), -- Traffic Encryption Key tsk (7), -- Transmission Security Key trkek (8), -- Transfer Key Encryption Key nfk (9), -- Netted FIREFLY Key effk (10), -- FIREFLY Key (Enhanced Format) ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) aek (12), -- Algorithm Encryption Key wod (13), -- Word of Day kesk (246), -- Key Establishment Key eik (247), -- Entity Identification Key ask (248), -- Authority Signature Key kmk (249), -- Key Modifier Key rsk (250), -- Revocation Signature Key csk (251), -- Certificate Signature Key sak (252), -- Symmetric Authentication Key rgk (253), -- Random Generation Key cek (254), -- Certificate Encryption Key exk (255), -- Exclusion Key ... -- Expect additional key use values -- }
The values for the key-use attribute have the following semantics:
键使用属性的值具有以下语义:
o ffk: A FIREFLY/CROSSTALK key is used to establish a Key Establishment Key (KEK) or a Transmission Encryption Key (TEK) between two parties. The KEK or TEK generated from the exchange is used with a symmetric encryption algorithm. This key use value is associated with keys in the basic format.
o ffk:FIREFLY/CROSSTALK密钥用于在双方之间建立密钥建立密钥(KEK)或传输加密密钥(TEK)。交换生成的KEK或TEK与对称加密算法一起使用。此密钥使用值与基本格式的密钥相关联。
o kek: A Key Encryption Key is used to encrypt or decrypt other keys for transmission or storage.
o kek:密钥加密密钥用于加密或解密用于传输或存储的其他密钥。
o kpk: A Key Production Key is used to initialize a keystream generator for the production of other electronically generated keys.
o kpk:密钥生成密钥用于初始化密钥流生成器以生成其他电子生成的密钥。
o msk: A Message Signature Key is used in a digital signature process that operates on a message to assure message source authentication, message integrity, and non-repudiation.
o msk:消息签名密钥用于对消息进行操作的数字签名过程,以确保消息源身份验证、消息完整性和不可否认性。
o qkek: QUADRANT Key Encryption Key is one part of a tamper-resistance solution.
o qkek:象限密钥加密密钥是防篡改解决方案的一部分。
o tek: A Traffic Encryption Key is used to encrypt plaintext, to superencrypt previously encrypted data, and/or to decrypt ciphertext.
o tek:流量加密密钥用于加密明文、对先前加密的数据进行超级加密和/或解密密文。
o tsk: A Transmission Security Key is used to protect transmissions from interception and exploitation by means other than cryptanalysis.
o tsk:传输安全密钥用于保护传输不被截获和利用,而不是通过密码分析。
o trkek: Transfer Key Encryption Key. The keys used to protect communications with an intermediary.
o trkek:传输密钥加密密钥。用于保护与中间人通信的密钥。
o nfk: A Netted FIREFLY Key is a FIREFLY key that has an edition number associated with it. When rekeyed, it is incremented, preventing communications with FIREFLY key of previous editions. This edition number is maintained within a universal edition.
o nfk:网状萤火虫密钥是一个版本号与之关联的萤火虫密钥。重新设置密钥时,它将递增,从而阻止与以前版本的FIREFLY密钥通信。此版本号保存在通用版本中。
o effk: Enhanced FIREFLY Key is used to establish a KEK or a TEK between two parties. The KEK or TEK generated from an exchange is used with a symmetric encryption algorithm. This key use value is associated with keys in the enhanced format.
o effk:增强型FIREFLY密钥用于在双方之间建立KEK或TEK。交换生成的KEK或TEK与对称加密算法一起使用。此密钥使用值与增强格式的密钥相关联。
o ebfk: Enhanceable Basic FIREFLY Key is used to establish a KEK or a TEK between two parties. The KEK or TEK generated from an exchange is used with a symmetric encryption algorithm. This key use value is associated with keys in the enhanceable basic format.
o ebfk:增强型基本FIREFLY密钥用于在双方之间建立KEK或TEK。交换生成的KEK或TEK与对称加密算法一起使用。此密钥使用值与可增强基本格式的密钥相关联。
o aek: An Algorithm Encryption Key is used to encrypt or decrypt an algorithm implementation as well as other functionality in the implementation.
o aek:算法加密密钥用于加密或解密算法实现以及实现中的其他功能。
o wod: A key used to generate the Word of the Day (WOD).
o wod:用于生成每日单词(wod)的键。
o kesk: A Key Establishment Key is an asymmetric key set (e.g., public/private/parameters) used to enable the establishment of symmetric key(s) between entities.
o kesk:密钥建立密钥是用于在实体之间建立对称密钥的非对称密钥集(例如,公共/私有/参数)。
o eik: An Entity Identification Key is an asymmetric key set (e.g., public/private/parameters) used to identify one entity to another for access control and other similar purposes.
o eik:实体标识密钥是一个非对称密钥集(例如,公共/私有/参数),用于将一个实体标识给另一个实体,用于访问控制和其他类似目的。
o ask: An Authority Signature Key is an asymmetric key set (e.g., public/private/parameters) used by designated authorities to sign objects such as Trust Anchor Management Protocol (TAMP) messages and firmware packages.
o ask:授权签名密钥是一个非对称密钥集(例如,公共/私有/参数),由指定的授权机构用于对对象(如信任锚管理协议(TAMP)消息和固件包)进行签名。
o kmk: A Key Modifier Key is a symmetric key used to modify the results of the process that forms a symmetric key from a public key exchange process.
o kmk:密钥修改器密钥是一个对称密钥,用于修改从公钥交换过程形成对称密钥的过程的结果。
o rsk: A Revocation Signature Key is an asymmetric key set (e.g., public/private/parameters) used to sign and authenticate revocation lists and compromised key lists.
o rsk:撤销签名密钥是一个非对称密钥集(例如,公共/私有/参数),用于对撤销列表和受损密钥列表进行签名和验证。
o csk: A Certificate Signature Key is an asymmetric key set (e.g., public/private/parameters) used to sign and authenticate public key certificates.
o csk:证书签名密钥是用于签名和验证公钥证书的非对称密钥集(例如,公共/私有/参数)。
o sak: A Symmetric Authentication Key is used in a MAC algorithm to provide message integrity. Differs from a Message Signature Key in that it is symmetric key material and it does not provide source authentication or non-repudiation.
o sak:在MAC算法中使用对称身份验证密钥来提供消息完整性。与消息签名密钥的不同之处在于,它是对称密钥材料,不提供源身份验证或不可否认性。
o rgk: Random Generation Key is a key used to seed a deterministic pseudorandom number generator.
o rgk:随机生成密钥是用于为确定性伪随机数生成器种子的密钥。
o cek: A Certificate Encryption Key is used to encrypt public key certificates to support privacy.
o cek:证书加密密钥用于加密公钥证书以支持隐私。
o exk: An Exclusion Key is a symmetric key used to cryptographically subdivide a single large security domain into smaller segregated domains.
o exk:排除密钥是一种对称密钥,用于以加密方式将单个大型安全域细分为较小的隔离域。
Due to multiple layers of encapsulation or the use of content collections, the key-use attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-use attribute within the same scope, all fields within the attribute MUST contain exactly the same values. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,密钥使用属性可以出现在整个密钥包中的多个位置。在同一范围内多次出现key use属性时,该属性内的所有字段必须包含完全相同的值。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The transport-key attribute identifies whether an asymmetric key is a transport key or an operational key (i.e., whether or not the key can be used as is). It can appear as an asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the transport-key attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the associated content MUST have the same operational/transport key material.
传输密钥属性标识非对称密钥是传输密钥还是操作密钥(即,密钥是否可以按原样使用)。它可以显示为非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果传输密钥属性显示为已签名、已验证、已验证和未保护或内容属性,则关联内容中的所有密钥材料必须具有相同的操作/传输密钥材料。
aa-transportKey ATTRIBUTE ::= { TYPE TransOp IDENTIFIED BY id-kma-transportKey }
aa-transportKey ATTRIBUTE ::= { TYPE TransOp IDENTIFIED BY id-kma-transportKey }
id-kma-transportKey OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 15 }
id-kma-transportKey OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 15 }
TransOp ::= ENUMERATED { transport (1), operational (2) }
TransOp ::= ENUMERATED { transport (1), operational (2) }
Due to multiple layers of encapsulation or the use of content collections, the transport-key attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the transport-key attribute within the same scope, all fields within the attribute MUST contain exactly the same values. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,传输密钥属性可以出现在整个密钥包中的多个位置。当传输密钥属性在同一范围内多次出现时,该属性内的所有字段必须包含完全相同的值。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The key-distribution-period attribute indicates the period of time that the keying material is intended for distribution. Keying material is often distributed before it is intended to be used. Time
“关键帧分发周期”属性表示关键帧材质要分发的时间段。键控材料通常在打算使用之前分发。时间
of day must be represented in Coordinated Universal Time (UTC). It can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the key-distribution-period attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the content MUST have the same key distribution period.
日期必须以协调世界时(UTC)表示。它可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果密钥分发周期属性显示为已签名、已验证、已验证和未保护或内容属性,则内容中的所有密钥材料必须具有相同的密钥分发周期。
The key-distribution-period attribute has the following syntax:
“密钥分发周期”属性具有以下语法:
aa-keyDistributionPeriod ATTRIBUTE ::= { TYPE KeyDistPeriod IDENTIFIED BY id-kma-keyDistPeriod }
aa-keyDistributionPeriod ATTRIBUTE ::= { TYPE KeyDistPeriod IDENTIFIED BY id-kma-keyDistPeriod }
id-kma-keyDistPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 5 }
id-kma-keyDistPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 5 }
KeyDistPeriod ::= SEQUENCE { doNotDistBefore [0] BinaryTime OPTIONAL, doNotDistAfter BinaryTime }
KeyDistPeriod ::= SEQUENCE { doNotDistBefore [0] BinaryTime OPTIONAL, doNotDistAfter BinaryTime }
BinaryTime ::= INTEGER
BinaryTime ::= INTEGER
The fields in the key-distribution-period attribute have the following semantics:
“密钥分发周期”属性中的字段具有以下语义:
o The doNotDistBefore field is OPTIONAL, and when it is present, the keying material SHOULD NOT be distributed before the date and time provided.
o doNotDistBefore字段是可选的,当它存在时,不应在提供的日期和时间之前分发键控材料。
o The doNotDistAfter field is REQUIRED, and the keying material SHOULD NOT be distributed after the date and time provided.
o doNotDistAfter字段是必需的,键入材料不应在提供的日期和时间之后分发。
When the key-distribution-period attribute is associated with a collection of keying material, the distribution period applies to all of the keys in the collection. None of the keying material in the collection SHOULD be distributed outside the indicated period.
当“关键帧分发周期”属性与关键帧材质集合关联时,分发周期将应用于集合中的所有关键帧。集合中的任何键控材料都不应在指定期限之外分发。
Due to multiple layers of encapsulation or the use of content collections, the key-distribution-period attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-distribution-period attribute within the same scope, all of the included attribute fields MUST contain exactly the same value. However, if the doNotDistBefore field is absent in an inner layer, a value MAY appear in an outer layer because the outer layer constrains the inner layer. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,密钥分发周期属性可以出现在整个密钥包中的多个位置。当密钥分发周期属性在同一范围内多次出现时,所有包含的属性字段必须包含完全相同的值。但是,如果内层中没有doNotDistBefore字段,则外层中可能会出现一个值,因为外层约束内层。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The key-validity-period attribute indicates the period of time that the keying material is intended for use. Time of day MUST be represented in Coordinated Universal Time (UTC). It can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the key-validity-period attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the content MUST have the same key validity period.
“关键帧有效期”属性表示关键帧材质的预期使用时间。一天中的时间必须以协调世界时(UTC)表示。它可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果密钥有效期属性显示为已签名、已验证、已验证和未保护或内容属性,则内容中的所有密钥材料必须具有相同的密钥有效期。
The key-validity-period attribute has the following syntax:
“密钥有效期”属性具有以下语法:
aa-keyValidityPeriod ATTRIBUTE ::= { TYPE KeyValidityPeriod IDENTIFIED BY id-kma-keyValidityPeriod }
aa-keyValidityPeriod ATTRIBUTE ::= { TYPE KeyValidityPeriod IDENTIFIED BY id-kma-keyValidityPeriod }
id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 6 }
id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 6 }
KeyValidityPeriod ::= SEQUENCE { doNotUseBefore BinaryTime, doNotUseAfter BinaryTime OPTIONAL }
KeyValidityPeriod ::= SEQUENCE { doNotUseBefore BinaryTime, doNotUseAfter BinaryTime OPTIONAL }
BinaryTime ::= INTEGER
BinaryTime ::= INTEGER
The fields in the key-validity-period attribute have the following semantics:
“密钥有效期”属性中的字段具有以下语义:
o The doNotUseBefore field is REQUIRED, and the keying material SHOULD NOT be used before the date and time provided.
o 不使用之前字段是必需的,并且在提供的日期和时间之前不应使用键控材料。
o The doNotUseAfter field is OPTIONAL, and when it is present, the keying material SHOULD NOT be used after the date and time provided.
o doNotUseAfter字段是可选的,如果存在,则不应在提供的日期和时间之后使用键控材料。
For a key package that is being used for rekey, the doNotUseAfter field MAY be required by some templates even though the syntax is OPTIONAL.
对于用于重新设置密钥的密钥包,某些模板可能需要doNotUseAfter字段,即使语法是可选的。
When the key-validity-period attribute is associated with a collection of keying material, the validity period applies to all of the keys in the collection. None of the keying material in the collection SHOULD be used outside the indicated period.
当“关键帧有效期”属性与关键帧材质集合关联时,有效期将应用于集合中的所有关键帧。集合中的任何键控材料均不得在指定期限之外使用。
The key-validity-period attribute described in this section and the key-duration attribute described in the next section provide complementary functions. The key-validity-period attribute provides explicit date and time values, which indicate the beginning and ending of the keying material usage period. The key-duration attribute provides the maximum length of time that the keying material SHOULD be used. If both attributes are provided, this duration MAY occur at any time within the specified period, but the limits imposed by both attributes SHOULD be honored.
本节中描述的密钥有效期属性和下一节中描述的密钥持续时间属性提供了补充功能。“关键有效期”属性提供明确的日期和时间值,指示关键材料使用期的开始和结束。“关键帧持续时间”属性提供应使用关键帧材质的最大时间长度。如果提供了这两个属性,则此持续时间可能在指定时间段内的任何时间发生,但应遵守这两个属性施加的限制。
Due to multiple layers of encapsulation or the use of content collections, the key-validity-period attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-validity-period attribute within the same scope, all of the included attribute fields MUST contain exactly the same value. However, if the doNotUseAfter field is absent in an inner layer, a value MAY appear in an outer layer. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,密钥有效期属性可以出现在整个密钥包中的多个位置。当密钥有效期属性在同一范围内多次出现时,所有包含的属性字段必须包含完全相同的值。但是,如果内层中没有doNotUseAfter字段,则外层中可能会出现一个值。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The key-duration attribute indicates the maximum period of time that the keying material is intended for use. The date and time that the duration begins is not specified, but the maximum amount of time that the keying material can be used to provide security services is specified. It can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the key-duration attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then all of the keying material within the content MUST have the same key duration.
“关键帧持续时间”属性表示关键帧材质预期使用的最长时间段。未指定持续时间开始的日期和时间,但指定了键控材料可用于提供安全服务的最长时间。它可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果密钥持续时间属性显示为已签名、已验证、已验证和未保护或内容属性,则内容中的所有密钥材料必须具有相同的密钥持续时间。
The key-duration attribute has the following syntax:
“密钥持续时间”属性具有以下语法:
aa-keyDurationPeriod ATTRIBUTE ::= { TYPE KeyDuration IDENTIFIED BY id-kma-keyDuration }
aa-keyDurationPeriod ATTRIBUTE ::= { TYPE KeyDuration IDENTIFIED BY id-kma-keyDuration }
id-kma-keyDuration OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 7 }
id-kma-keyDuration OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 7 }
KeyDuration ::= CHOICE { hours [0] INTEGER (1..ub-KeyDuration-hours), days INTEGER (1..ub-KeyDuration-days), weeks [1] INTEGER (1..ub-KeyDuration-weeks), months [2] INTEGER (1..ub-KeyDuration-months), years [3] INTEGER (1..ub-KeyDuration-years) }
KeyDuration ::= CHOICE { hours [0] INTEGER (1..ub-KeyDuration-hours), days INTEGER (1..ub-KeyDuration-days), weeks [1] INTEGER (1..ub-KeyDuration-weeks), months [2] INTEGER (1..ub-KeyDuration-months), years [3] INTEGER (1..ub-KeyDuration-years) }
ub-KeyDuration-hours INTEGER ::= 96 ub-KeyDuration-days INTEGER ::= 732 ub-KeyDuration-weeks INTEGER ::= 104 ub-KeyDuration-months INTEGER ::= 72 ub-KeyDuration-years INTEGER ::= 100
ub-KeyDuration-hours INTEGER ::= 96 ub-KeyDuration-days INTEGER ::= 732 ub-KeyDuration-weeks INTEGER ::= 104 ub-KeyDuration-months INTEGER ::= 72 ub-KeyDuration-years INTEGER ::= 100
The key-validity-period attribute described in the previous section and the key-duration attribute described in this section provide a complementary function. The relationship between these attributes is described in the previous section.
上一节中描述的密钥有效期属性和本节中描述的密钥持续时间属性提供了一个补充功能。这些属性之间的关系在上一节中描述。
Due to multiple layers of encapsulation or the use of content collections, the key-duration attribute can appear in more than one location in the overall key package. When there are multiple occurrences of the key-duration attribute within the same scope, all of the included attribute fields MUST contain exactly the same value. Receivers MUST reject any key package that fails these consistency checks.
由于多层封装或使用内容集合,密钥持续时间属性可以出现在整个密钥包中的多个位置。在同一范围内多次出现“关键点持续时间”属性时,所有包含的属性字段必须包含完全相同的值。接收方必须拒绝任何未通过这些一致性检查的密钥包。
The classification attribute indicates level of classification. The classification attribute specifies the aggregate classification of the package content. It can appear as a symmetric key, symmetric key package, asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. If the classification attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then the value MUST represent the classification of all of the keying material within the content. Encrypted layers MAY contain content at a higher classification that will be revealed once they are decrypted. If the classification attribute is associated with a collection, then the sensitivity of all the data within the collection MUST be dominated by the classification carried in this attribute.
“分类”属性表示分类级别。“分类”属性指定包内容的聚合分类。它可以显示为对称密钥、对称密钥包、非对称密钥、已签名、已验证、已验证和未保护或内容属性。如果classification属性显示为signed、authenticated、authenticated&unprotected或content属性,则该值必须表示内容中所有键控材料的分类。加密层可能包含解密后将显示的更高分类的内容。如果分类属性与集合关联,则集合中所有数据的敏感性必须由该属性中包含的分类决定。
The classification attribute makes use of the ESSSecurityLabel defined in Section 17.1 as well as [RFC2634] and [RFC5911]. The term "classification" is used in this document, but the term "security label" is used in [RFC2634]. The two terms have the same meaning.
分类属性使用第17.1节中定义的ESSSecurityLabel以及[RFC2634]和[RFC5911]。本文件中使用了术语“分类”,但[RFC2634]中使用了术语“安全标签”。这两个术语的含义相同。
[RFC2634] and [RFC5911] specify an object identifier and syntax for the security label attribute. The same values are used for the classification attribute:
[RFC2634]和[RFC5911]为安全标签属性指定对象标识符和语法。分类属性使用相同的值:
aa-classificationAttribute ATTRIBUTE ::= { TYPE Classification IDENTIFIED BY id-aa-KP-classification }
aa-classificationAttribute ATTRIBUTE ::= { TYPE Classification IDENTIFIED BY id-aa-KP-classification }
id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel
id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel
-- id-aa-securityLabel OBJECT IDENTIFIER ::= { -- iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) -- pkcs-9(9) smime(16) id-aa(2) 2 }
-- id-aa-securityLabel OBJECT IDENTIFIER ::= { -- iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) -- pkcs-9(9) smime(16) id-aa(2) 2 }
Classification ::= ESSSecurityLabel
Classification ::= ESSSecurityLabel
The syntax of ESSSecurityLabel is not repeated here; however, see Section 17.1 for security label conventions that MUST be followed by implementations of this specification. See [RFC2634] for a complete discussion of the semantics and syntax.
此处不重复ESSSecurityLabel的语法;但是,有关本规范实施必须遵循的安全标签约定,请参见第17.1节。有关语义和语法的完整讨论,请参见[RFC2634]。
When the classification attribute appears in more than one location in the overall key package, each occurrence is evaluated independently. The content originator MUST ensure that the classification attribute represents the sensitivity of the plaintext within the content. That is, the classification MUST dominate any other plaintext classification attribute value that is present elsewhere in the overall key package. Note that the classification attribute value may exceed these other plaintext classification attribute values if the other attribute values within the SignerInfo, AuthEnvelopedData, or AuthenticatedData are themselves classified and warrant the higher-security label value.
当分类属性出现在整个密钥包中的多个位置时,将独立评估每个出现。内容发起人必须确保分类属性表示内容中明文的敏感性。也就是说,分类必须支配整个密钥包中其他地方存在的任何其他明文分类属性值。请注意,如果SignerInfo、AuthEnvelopedData或AuthenticatedData中的其他属性值本身已分类,并且保证较高的安全标签值,则分类属性值可能会超过这些其他明文分类属性值。
When the classification attribute appears in more than one location in the overall key package, each security label might be associated with a different security policy. Content originators SHOULD avoid mixing multiple security policies in the same key package whenever possible, since this requires that receivers and intermediaries that check the classification attribute values include support for the union of the security policies that are present. Failure to recognize an included security policy MUST result in rejection of the key package.
当分类属性出现在整个密钥包中的多个位置时,每个安全标签可能与不同的安全策略相关联。内容发起人应尽可能避免在同一密钥包中混合多个安全策略,因为这要求检查分类属性值的接收者和中介机构包括对现有安全策略联合的支持。未能识别包含的安全策略必须导致密钥包被拒绝。
Receivers MUST reject any key package that includes a classification for which the receiver's processing environment is not authorized.
接收方必须拒绝包含接收方处理环境未授权的分类的任何密钥包。
The ESSSecurityLabel ASN.1 type is used to represent the classification. The ESSSecurityLabel is defined in Section 3.2 of [RFC2634]. The syntax definition is repeated here to facilitate discussion:
ESSSecurityLabel ASN.1类型用于表示分类。[RFC2634]第3.2节定义了ESSSecurityLabel。此处重复语法定义以便于讨论:
ESSSecurityLabel ::= SET { security-policy-identifier SecurityPolicyIdentifier, security-classification SecurityClassification OPTIONAL, privacy-mark ESSPrivacyMark OPTIONAL, security-categories SecurityCategories OPTIONAL }
ESSSecurityLabel ::= SET { security-policy-identifier SecurityPolicyIdentifier, security-classification SecurityClassification OPTIONAL, privacy-mark ESSPrivacyMark OPTIONAL, security-categories SecurityCategories OPTIONAL }
ESSPrivacyMark ::= CHOICE { pString PrintableString (SIZE (1..ub-privacy-mark-length)), utf8String UTF8String (SIZE (1..MAX)) }
ESSPrivacyMark ::= CHOICE { pString PrintableString (SIZE (1..ub-privacy-mark-length)), utf8String UTF8String (SIZE (1..MAX)) }
A security policy is a set of criteria for the provision of security services. The security-policy-identifier, which is an object identifier, is used to identify the security policy associated with the security label. It indicates the semantics of the other security label components.
安全策略是提供安全服务的一组标准。安全策略标识符是一个对象标识符,用于标识与安全标签关联的安全策略。它指示其他安全标签组件的语义。
If the key package receiver does not recognize the object identifier in the security-policy-identifier field and the security label includes a security-categories field, then the key package contents MUST NOT be accepted and the enclosed keying material MUST NOT be used. If the key package receiver does not recognize the object identifier in the security-policy-identifier field and the security label does not include a security-categories field, then the key package contents MAY be accepted only if the security-classification field is present and it contains a value from the basic hierarchy as described below.
如果密钥包接收人未识别安全策略标识符字段中的对象标识符,且安全标签包含安全类别字段,则不得接受密钥包内容,也不得使用随附的密钥材料。如果密钥包接收者不识别安全策略标识符字段中的对象标识符,并且安全标签不包括安全类别字段,则仅当安全分类字段存在并且包含如下所述的基本层次结构中的值时,才可以接受密钥包内容。
This specification defines the use of the SecurityClassification field exactly as is it specified in the 1988 edition of ITU-T Recommendation X.411 [X.411], which states in part:
本规范严格按照1988版ITU-T建议X.411[X.411]的规定定义了安全分类字段的使用,其中部分规定:
If present, a security-classification may have one of a hierarchical list of values. The basic security-classification hierarchy is defined in this Recommendation, but the use of these values is defined by the security-policy in force. Additional values of security-classification, and their position in the hierarchy, may also be defined by a security-policy as a local matter or by bilateral agreement. The basic security-classification hierarchy is, in ascending order: unmarked, unclassified, restricted, confidential, secret, top-secret.
如果存在,安全分类可以具有值的分层列表之一。本建议中定义了基本安全分类层次结构,但这些值的使用由现行安全策略定义。安全分类的附加值及其在层次结构中的位置也可以由安全策略作为本地事项或双边协议来定义。基本安全分类层次结构按升序排列:未标记、未分类、受限、机密、机密、绝密。
Implementations MUST support the basic security classification hierarchy. Such implementations MAY also support other security-classification values; however, the placement of additional values in the hierarchy MUST be specified by the security policy.
实现必须支持基本的安全分类层次结构。此类实现还可以支持其他安全分类值;但是,层次结构中附加值的位置必须由安全策略指定。
Implementations MUST NOT make access control decisions based on the privacy-mark. However, information in the privacy-mark can be displayed to human users by devices that have displays to do so. The privacy-mark length MUST NOT exceed 128 characters. The privacy-mark SHALL use the PrintableString choice if all of the characters in the privacy-mark are members of the printable string character set.
实施不得基于隐私标记做出访问控制决策。但是,隐私标记中的信息可以通过具有显示器的设备显示给人类用户。隐私标记长度不得超过128个字符。如果隐私标记中的所有字符都是可打印字符串字符集的成员,则隐私标记应使用可打印字符串选项。
If present, security-categories provide further granularity for the keying material. The security policy in force indicates the permitted syntaxes of any entries in the set of security categories. At most, 64 security categories may be present. The security-categories have ASN.1 type SecurityCategories and further SecurityCategory [RFC5912], which are both repeated here to facilitate discussion:
如果存在,安全类别为键控材料提供了进一步的粒度。有效的安全策略指示安全类别集合中任何条目的允许语法。最多可存在64个安全类别。安全类别有ASN.1类型的安全类别和进一步的安全类别[RFC5912],这两个类别在此处重复以便于讨论:
SecurityCategories ::= SET SIZE (1..ub-security-categories) OF SecurityCategory {{SupportedSecurityCategories}}
SecurityCategories ::= SET SIZE (1..ub-security-categories) OF SecurityCategory {{SupportedSecurityCategories}}
SecurityCategory {SECURITY-CATEGORY:Supported} ::= SEQUENCE { type [0] IMPLICIT SECURITY-CATEGORY. &id({Supported}), value [1] EXPLICIT SECURITY-CATEGORY. &Type({Supported}{@type}) }
SecurityCategory {SECURITY-CATEGORY:Supported} ::= SEQUENCE { type [0] IMPLICIT SECURITY-CATEGORY. &id({Supported}), value [1] EXPLICIT SECURITY-CATEGORY. &Type({Supported}{@type}) }
Four security categories are defined and are referred to as the Restrictive Tag, the Enumerated Tag, the Permissive Tag, and the Informative Tag. Only the Enumerated Tag and Informative Tag are permitted in the classification attribute.
定义了四个安全类别,分别称为限制性标记、枚举标记、允许性标记和信息性标记。分类属性中只允许使用枚举标记和信息标记。
The Enumerated Tag is composed of one or more non-negative integers. Each non-negative integer represents a non-hierarchical security attribute that applies to the labeled content. A security policy might define a large set of security categories attributes, but a particular key package generally contains only a few security categories attributes. In this case, use of the integer representation is intended to minimize the size of the label. Security attributes enumerated by tags of this type could be restrictive (such as compartments) or permissive (such as release permissions). Two object identifiers for the SecurityCategory type field have been defined, one for restrictive and one for permissive. The object identifiers are:
枚举标记由一个或多个非负整数组成。每个非负整数表示应用于标记内容的非层次安全属性。安全策略可能会定义一大组安全类别属性,但特定密钥包通常只包含几个安全类别属性。在这种情况下,使用整数表示的目的是最小化标签的大小。此类型的标记枚举的安全属性可以是限制性的(如分区)或许可性的(如发布权限)。已为SecurityCategory类型字段定义了两个对象标识符,一个用于限制,一个用于许可。对象标识符是:
id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 4 }
id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 4 }
id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 1 }
id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 1 }
With both the restrictive and permissive security category types, the corresponding SecurityCategory value has the following ASN.1 definition:
对于限制性和许可性安全类别类型,相应的SecurityCategory值具有以下ASN.1定义:
EnumeratedTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributeList SET OF SecurityAttribute }
EnumeratedTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributeList SET OF SecurityAttribute }
SecurityAttribute ::= INTEGER (0..MAX)
SecurityAttribute ::= INTEGER (0..MAX)
Any security policy that makes use of security categories MUST assign object identifiers for each tagName, assign the set of integer values associated with each tagName, and specify the semantic meaning for each integer value. Restrictive security attributes and permissive security attributes SHOULD be associated with different tagName object identifiers.
任何使用安全类别的安全策略都必须为每个标记名分配对象标识符,分配与每个标记名关联的整数值集,并指定每个整数值的语义含义。限制性安全属性和允许性安全属性应与不同的标记名对象标识符相关联。
The Informative Tag is composed of either a) one or more non-negative integers or b) a bit string. Only the integer choice is allowed in this specification. Each non-negative integer represents a non-hierarchical security attribute that applies to the labeled content. Use of the integer representation is intended to minimize the size of the label since a particular key package generally contains only a few security categories attributes, even though a security policy might define a large set of security categories attributes. Security attributes enumerated by tags of this type are informative (i.e., no access control is performed). One object identifier for the SecurityCategory type field has been defined and is as follows:
信息标签由a)一个或多个非负整数或b)一个位字符串组成。本规范中只允许整数选择。每个非负整数表示应用于标记内容的非层次安全属性。使用整数表示的目的是最小化标签的大小,因为特定密钥包通常只包含几个安全类别属性,即使安全策略可能定义一大组安全类别属性。由这种类型的标记枚举的安全属性是信息性的(即,不执行访问控制)。已定义SecurityCategory类型字段的一个对象标识符,如下所示:
id-informativeAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 3 }
id-informativeAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 3 }
The corresponding SecurityCategory value has the following ASN.1 definition:
相应的SecurityCategory值具有以下ASN.1定义:
InformativeTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributes FreeFormField }
InformativeTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributes FreeFormField }
FreeFormField ::= CHOICE { bitSetAttributes BIT STRING, securityAttributes SET OF SecurityAttribute }
FreeFormField ::= CHOICE { bitSetAttributes BIT STRING, securityAttributes SET OF SecurityAttribute }
Any security policy that makes use of security categories MUST assign object identifiers for each tagName, assign the set of integer values associated with each tagName, and specify the semantic meaning for each integer value.
任何使用安全类别的安全策略都必须为每个标记名分配对象标识符,分配与每个标记名关联的整数值集,并指定每个整数值的语义含义。
The key package originator may include a split-identifier attribute to designate that the keying material contains a split rather than a complete key. It may appear as a symmetric and asymmetric key attribute. The split-identifier attribute MUST NOT appear as a symmetric key package, signed, authenticated, authenticated&unprotected, or content attribute. Split keys have two halves, which are called "A" and "B". The split-identifier attribute indicates which half is included in the key package, and it optionally indicates the algorithm that is needed to combine the two halves. The combine algorithm is OPTIONAL since each key algorithm has a default mechanism for this purpose, and the combine algorithm is present only if the default mechanism is not employed.
密钥包发起人可包括分割标识符属性,以指定密钥材料包含分割而非完整密钥。它可能显示为对称和非对称密钥属性。拆分标识符属性不得显示为对称密钥包、已签名、已验证、已验证和未保护或内容属性。分割键有两部分,分别称为“A”和“B”。split identifier属性表示密钥包中包含了哪一半,还可以选择表示组合这两部分所需的算法。组合算法是可选的,因为每个关键算法都有一个用于此目的的默认机制,并且只有在未使用默认机制的情况下,才会出现组合算法。
The split-identifier attribute has the following syntax:
拆分标识符属性具有以下语法:
aa-splitIdentifier ATTRIBUTE ::= { TYPE SplitID IDENTIFIED BY id-kma-splitID }
aa-splitIdentifier ATTRIBUTE ::= { TYPE SplitID IDENTIFIED BY id-kma-splitID }
id-kma-splitID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 11 }
id-kma-splitID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 11 }
SplitID ::= SEQUENCE { ENUMERATED { a(0), b(1) }, combineAlg AlgorithmIdentifier {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL }
SplitID ::= SEQUENCE { ENUMERATED { a(0), b(1) }, combineAlg AlgorithmIdentifier {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL }
In most cases, the default combine algorithm will be employed; it makes this attribute a simple constant that identifies either the "A" or "B" half of the split key. This supports implementation of some key distribution policies.
在大多数情况下,将采用默认的合并算法;它使该属性成为一个简单常量,用于标识分割键的“a”或“B”一半。这支持一些密钥分发策略的实现。
Note that each split might have its own CRC, but the key and the check word are both recovered when the two splits are combined.
请注意,每个拆分都可能有自己的CRC,但当两个拆分合并时,密钥和校验字都会恢复。
Since the split-identifier attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute, a key package cannot include multiple occurrences of the split-identifier
由于拆分标识符属性不得显示为已签名、已验证、已验证和未保护或内容属性,因此密钥包不能包含拆分标识符的多次出现
attribute within the same scope. Receivers MUST reject any key package in which the split-identifier attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute.
属性在同一范围内。接收方必须拒绝任何密钥包,其中拆分标识符属性显示为已签名、已验证、已验证和未保护或内容属性。
The key-package-type attribute is a shorthand method for specifying all aspects of the key package format, including which attributes are present and the structure of the encapsulated content or collection. The key-package-type attribute can be used as a signed, authenticated, authenticated&unprotected, or content attribute.
“密钥包类型”属性是一种用于指定密钥包格式所有方面的速记方法,包括存在哪些属性以及封装内容或集合的结构。密钥包类型属性可以用作已签名、已验证、已验证和未保护或内容属性。
Rather than implementing the full flexibility of this specification, some devices may implement support for one or more specific key package formats instantiating this specification. Those specific formats are called templates and can be identified using a key-package-type attribute.
一些设备可能实现对实例化该规范的一种或多种特定密钥包格式的支持,而不是实现该规范的全部灵活性。这些特定格式称为模板,可以使用key package type属性进行标识。
The key-package-type attribute has the following syntax:
“密钥包类型”属性具有以下语法:
aa-keyPackageType ATTRIBUTE ::= { TYPE KeyPkgType IDENTIFIED BY id-kma-keyPkgType }
aa-keyPackageType ATTRIBUTE ::= { TYPE KeyPkgType IDENTIFIED BY id-kma-keyPkgType }
id-kma-keyPkgType OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 12 }
id-kma-keyPkgType OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 12 }
KeyPkgType ::= OBJECT IDENTIFIER
KeyPkgType ::= OBJECT IDENTIFIER
Due to multiple layers of encapsulation or the use of content collections, the key-package-type attribute can appear in more than one location in the overall key package. When that happens, each occurrence is used independently. Since the receiver is likely to use the key-package-type attribute value as a decoding aid, any error will most likely lead to parsing problems, and these problems could result in many different errors being reported.
由于多层封装或使用内容集合,密钥包类型属性可以出现在整个密钥包中的多个位置。发生这种情况时,每个事件都会单独使用。由于接收者可能使用key package type属性值作为解码辅助,因此任何错误都很可能导致解析问题,并且这些问题可能导致报告许多不同的错误。
The signature-usage attribute identifies the CMS content types that this key can be used to sign, or that are permitted to be signed by the end-entity key in a cert path validated by this key. Symmetric key packages do not contain signature generation or signature validation keying material, so the signature-usage attribute MUST NOT appear in a symmetric key package. For an asymmetric key package, the signature-usage attribute indicates the kind of objects that are to be signed with the private key in the package. However, if the
signature usage属性标识该密钥可用于签名的CMS内容类型,或允许由该密钥验证的证书路径中的终端实体密钥签名的CMS内容类型。对称密钥包不包含签名生成或签名验证密钥材料,因此签名使用属性不得出现在对称密钥包中。对于非对称密钥包,signature usage属性指示要使用包中的私钥进行签名的对象的类型。然而,如果
asymmetric key package contains a Certificate Signature Key, then the signature-usage attribute also indicates what signed objects can be validated using certificates that are signed by the private key in the asymmetric key package. Therefore, the signature-usage attribute also indicates what kind of objects can be signed by the private keys associated with these certificates. The signature-usage attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute.
非对称密钥包包含一个证书签名密钥,那么Signature usage属性还指示可以使用由非对称密钥包中的私钥签名的证书验证哪些已签名对象。因此,SignatureUsage属性还指示与这些证书关联的私钥可以对哪种类型的对象进行签名。签名使用属性不得显示为已签名、已验证、已验证和未保护或内容属性。
The signature-usage attribute has the following syntax:
“签名使用”属性具有以下语法:
aa-signatureUsage-v3 ATTRIBUTE ::= { TYPE SignatureUsage IDENTIFIED BY id-kma-sigUsageV3 }
aa-signatureUsage-v3 ATTRIBUTE ::= { TYPE SignatureUsage IDENTIFIED BY id-kma-sigUsageV3 }
id-kma-sigUsageV3 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 22 }
id-kma-sigUsageV3 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 22 }
SignatureUsage ::= CMSContentConstraints
SignatureUsage ::= CMSContentConstraints
The SignatureUsage structure has the same syntax as the CMSContentConstraints structure from [RFC6010], and it is repeated here for convenience.
SignatureUsage结构与[RFC6010]中的CMSContentConstraints结构具有相同的语法,为方便起见,此处重复该结构。
CMSContentConstraints ::= SEQUENCE SIZE (1..MAX) OF ContentTypeConstraint
CMSContentConstraints ::= SEQUENCE SIZE (1..MAX) OF ContentTypeConstraint
ContentTypeGeneration ::= ENUMERATED { canSource(0), cannotSource(1)}
ContentTypeGeneration ::= ENUMERATED { canSource(0), cannotSource(1)}
ContentTypeConstraint ::= SEQUENCE { contentType CONTENT-TYPE.&id ({ContentSet|ct-Any,...}), canSource ContentTypeGeneration DEFAULT canSource, attrConstraints AttrConstraintList OPTIONAL }
ContentTypeConstraint ::= SEQUENCE { contentType CONTENT-TYPE.&id ({ContentSet|ct-Any,...}), canSource ContentTypeGeneration DEFAULT canSource, attrConstraints AttrConstraintList OPTIONAL }
Constraint { ATTRIBUTE:ConstraintList } ::= SEQUENCE { attrType ATTRIBUTE.&id({ConstraintList}), attrValues SET SIZE (1..MAX) OF ATTRIBUTE. &Type({ConstraintList}{@attrType}) }
Constraint { ATTRIBUTE:ConstraintList } ::= SEQUENCE { attrType ATTRIBUTE.&id({ConstraintList}), attrValues SET SIZE (1..MAX) OF ATTRIBUTE. &Type({ConstraintList}{@attrType}) }
SupportedConstraints ATTRIBUTE ::= {SignedAttributesSet, ... }
SupportedConstraints ATTRIBUTE ::= {SignedAttributesSet, ... }
AttrConstraintList ::= SEQUENCE SIZE (1..MAX) OF Constraint {{ SupportedConstraints }}
AttrConstraintList ::= SEQUENCE SIZE (1..MAX) OF Constraint {{ SupportedConstraints }}
NOTE: SignedAttributesSet is updated by this specification.
注:SignedAttributeSet由本规范更新。
The SignatureUsage contains a type of CMSContentConstraints. One or more ContentTypeConstraint MUST appear in CMSContentConstraints.
SignatureUsage包含一种CMS内容约束。CMSContentConstraints中必须出现一个或多个ContentTypeConstraint。
Within ContentTypeConstraint, the contentType field indicates the encapsulated content type identifier that can be signed with the signature key. A particular content type MUST NOT appear more than once in the list. The CMS protecting content types need not be included in the list of permitted content types as the use of CMS is always authorized (see [RFC6010]).
在ContentTypeConstraint中,contentType字段指示可使用签名密钥签名的封装内容类型标识符。特定内容类型在列表中不得出现多次。CMS保护内容类型不需要包括在允许的内容类型列表中,因为CMS的使用始终是经过授权的(参见[RFC6010])。
Within ContentTypeConstraint, the canSource enumeration indicates whether the signature key can be used to directly sign the indicated content type. If the ContentTypeConstraint is canSource (the default value), then the signature key can be used to directly sign the specified content type. If the ContentTypeConstraint is cannotSource, then the signature key can only be used with the specified content type if it encapsulates a signature that was generated by an originator with a ContentTypeConstraint that is canSource.
在ContentTypeConstraint中,canSource枚举指示签名密钥是否可用于直接对指定的内容类型进行签名。如果ContentTypeConstraint是canSource(默认值),则可以使用签名密钥直接对指定的内容类型进行签名。如果ContentTypeConstraint为cannotSource,则签名密钥只能用于指定的内容类型,前提是它使用canSource的ContentTypeConstraint封装了由发起人生成的签名。
Within ContentTypeList, the attrConstraints OPTIONAL field contains a sequence of constraints specific to the content type. If the attrConstraints field is absent, the signature key can be used to sign the specified content type, without any further checking. If the attrConstraints field is present, then the signature key can only be used to sign the specified content type if all of the constraints for that content type are satisfied. Content type constraints are checked by matching the attribute values in the attrConstraint field against the attribute value in the content. The constraints succeed if the attribute is not present; they fail if the attribute is present and the value is not one of the values provided in attrConstraint.
在ContentTypeList中,attrConstraints可选字段包含特定于内容类型的一系列约束。如果缺少attrConstraints字段,则可以使用签名密钥对指定的内容类型进行签名,而无需进一步检查。如果存在attrConstraints字段,则只有在满足指定内容类型的所有约束时,才能使用签名密钥对该内容类型进行签名。通过将attrConstraint字段中的属性值与内容中的属性值相匹配来检查内容类型约束。如果属性不存在,则约束成功;如果属性存在且该值不是attrConstraint中提供的值之一,则它们将失败。
The fields of attrConstraints implement constraints specific to the content type. The attrType field is an AttributeType, which is an object identifier of a signed attribute carried in the SignerInfo of the content. The attrValues field provides one or more acceptable signed attribute values. It is a set of AttributeValue. For a signed content to satisfy the constraint, the SignerInfo MUST include a signed attribute of the type identified in the attrType field, and the signed attribute MUST contain one of the values in the set carried in attrValues.
attrConstraints字段实现特定于内容类型的约束。attrType字段是AttributeType,它是内容的SignerInfo中所携带的已签名属性的对象标识符。attrValues字段提供一个或多个可接受的带符号属性值。它是一组属性值。要使已签名内容满足约束,SignerInfo必须包含attrType字段中标识的类型的已签名属性,且已签名属性必须包含attrValues中包含的集合中的一个值。
Since the signature-usage attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute, an asymmetric key package cannot include multiple occurrences of the signature-usage attribute within the same scope. Receivers MUST
由于签名使用属性不得显示为已签名、已验证、已验证和未保护或内容属性,因此非对称密钥包不能在同一范围内多次出现签名使用属性。接收者必须
reject any asymmetric key package in which the signature-usage attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute.
拒绝签名使用属性显示为已签名、已验证、已验证和未保护或内容属性的任何非对称密钥包。
The other-certificate-formats attribute specifies the type, format, and value of certificates that are not X.509 public key certificates. Symmetric key packages do not contain any certificates, so the other-certificate-formats attribute MUST NOT appear in a symmetric key package. It SHOULD appear in the attributes field, when the publicKey field is absent and the certificate format is not X.509. This attribute MUST NOT appear in an attributes field that includes the user-certificate attribute from Section 8. The other-certificate-formats attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute.
“其他证书格式”属性指定不是X.509公钥证书的证书的类型、格式和值。对称密钥包不包含任何证书,因此“其他证书格式”属性不得出现在对称密钥包中。当公钥字段不存在且证书格式不是X.509时,它应该出现在属性字段中。此属性不得出现在包含第8节中的用户证书属性的属性字段中。“其他证书格式”属性不得显示为已签名、已验证、已验证和未保护或内容属性。
The other-certificate-formats attribute has the following syntax:
“其他证书格式”属性具有以下语法:
aa-otherCertificateFormats ATTRIBUTE ::= { TYPE CertificateChoices IDENTIFIED BY id-kma-otherCertFormats }
aa-otherCertificateFormats ATTRIBUTE ::= { TYPE CertificateChoices IDENTIFIED BY id-kma-otherCertFormats }
id-kma-otherCertFormats OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 19 }
id-kma-otherCertFormats OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 19 }
CertificateChoices ::= CHOICE { certificate Certificate, extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete v2AttrCert [2] IMPLICIT AttributeCertificateV2, other [3] IMPLICIT OtherCertificateFormat }
CertificateChoices ::= CHOICE { certificate Certificate, extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete v1AttrCert [1] IMPLICIT AttributeCertificateV1, -- Obsolete v2AttrCert [2] IMPLICIT AttributeCertificateV2, other [3] IMPLICIT OtherCertificateFormat }
OtherCertificateFormat ::= SEQUENCE { otherCertFormat OBJECT IDENTIFIER, otherCert ANY DEFINED BY otherCertFormat }
OtherCertificateFormat ::= SEQUENCE { otherCertFormat OBJECT IDENTIFIER, otherCert ANY DEFINED BY otherCertFormat }
The other-certificate-formats attribute makes use of the CertificateChoices field defined in Section 10.2.2 of [RFC5652]. The certificate, extendedCertificate, and v1AttrCert fields MUST be omitted. The v2AttrCert field can include Version 2 Attribute Certificates. The other field can include Enhanced FIREFLY certificates and other as yet undefined certificate formats.
“其他证书格式”属性使用[RFC5652]第10.2.2节中定义的CertificateChoices字段。必须省略certificate、extendedCertificate和v1AttrCert字段。v2AttrCert字段可以包括版本2属性证书。另一个字段可以包括增强的FIREFLY证书和其他尚未定义的证书格式。
Since the other-certificate-formats attribute MUST NOT appear as a signed, authenticated, authenticated&unprotected, or content attribute, an asymmetric key package cannot include multiple occurrences of the other-certificate-formats attribute within the same scope. Receivers MUST reject any asymmetric key package in which the other-certificate-formats attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute.
由于“其他证书格式”属性不能显示为已签名、已验证、已验证和未保护或内容属性,因此非对称密钥包不能在同一范围内多次出现“其他证书格式”属性。接收方必须拒绝任何非对称密钥包,其中其他证书格式属性显示为已签名、已验证、已验证和未保护或内容属性。
The pki-path attribute includes certificates that can aid in the validation of the certificate carried in the user-certificate attribute. Symmetric key packages do not contain any certificates, so the pkiPath attribute MUST NOT appear in a symmetric key package. It can appear as an asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. It can appear in the attributes field, when the publicKey field is absent and the certificate format is X.509. This attribute MUST NOT appear in an AsymmetricKeyPackage that has an other-certificate-formats attribute in the attributes field. If the pki-path attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then the value includes certificates that can be used to construct a certification path to all of the keying material within the content. This attribute MUST be supported.
pki路径属性包括可以帮助验证“用户证书”属性中包含的证书的证书。对称密钥包不包含任何证书,因此pkiPath属性不得出现在对称密钥包中。它可以显示为非对称密钥、已签名、已验证、已验证和未保护或内容属性。当公钥字段不存在且证书格式为X.509时,它可以出现在属性字段中。此属性不得出现在属性字段中具有其他证书格式属性的AsymmetricKeyPackage中。如果pki路径属性显示为已签名、已验证、已验证和未保护或内容属性,则该值包括可用于构造指向内容中所有密钥材料的证书路径的证书。必须支持此属性。
The syntax is taken from [X.509] but redefined using the ATTRIBUTE CLASS from [RFC5912]. The pki-path attribute has the following syntax:
语法取自[X.509],但使用[RFC5912]中的属性类重新定义。pki路径属性具有以下语法:
aa-pkiPath ATTRIBUTE ::= { TYPE PkiPath IDENTIFIED BY id-at-pkiPath }
aa-pkiPath ATTRIBUTE ::= { TYPE PkiPath IDENTIFIED BY id-at-pkiPath }
id-at-pkiPath OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 70 }
id-at-pkiPath OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 70 }
PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
The first certificate in the sequence is the subject's parent Certification Authority (CA). The next certificate is that CA's parent, and so on. The end-entity and trust anchor are not included in this attribute.
序列中的第一个证书是主体的父证书颁发机构(CA)。下一个证书是CA的父证书,依此类推。此属性中不包括结束实体和信任锚点。
Due to multiple layers of encapsulation or the use of content collections, the pki-path attribute can appear in more than one location in the overall key package. When that happens, each occurrence is evaluated independently.
由于多层封装或使用内容集合,pki路径属性可能出现在整个密钥包中的多个位置。发生这种情况时,将独立评估每个事件。
The useful-certificates attribute includes certificates that can aid in the validation of certificates associated with other parties with whom secure communications are anticipated. It can appear as an asymmetric key, signed, authenticated, authenticated&unprotected, or content attribute. For an asymmetric key that has an other-certificate-formats attribute (Section 21) in the attributes field, the useful-certificates attribute MUST NOT appear. If the useful-certificates attribute appears as a signed, authenticated, authenticated&unprotected, or content attribute, then the value includes certificates that may be used to validate certificates of others with whom the receiver communicates. This attribute MUST be supported.
“有用的证书”属性包括可以帮助验证与预期安全通信的其他方关联的证书的证书。它可以显示为非对称密钥、已签名、已验证、已验证和未保护或内容属性。对于在属性字段中具有其他证书格式属性(第21节)的非对称密钥,必须不显示有用的证书属性。如果有用证书属性显示为已签名、已验证、已验证和未保护或内容属性,则该值包括可用于验证接收方与之通信的其他人的证书的证书。必须支持此属性。
The useful-certificates attribute has the following syntax:
“有用的证书”属性具有以下语法:
aa-usefulCertificates ATTRIBUTE ::= { TYPE CertificateSet IDENTIFIED BY id-kma-usefulCerts }
aa-usefulCertificates ATTRIBUTE ::= { TYPE CertificateSet IDENTIFIED BY id-kma-usefulCerts }
id-kma-usefulCerts OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 20 }
id-kma-usefulCerts OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 20 }
CertificateSet ::= SET OF CertificateChoices
CertificateSet ::= SET OF CertificateChoices
The useful-certificates attribute makes use of the CertificateSet field defined in Section 10.2.3 of [RFC5652]. Within the CertificateChoices field, the extendedCertificate and v1AttrCert fields MUST always be omitted. If the userCertificate attribute from Section 8 is included, the other field MUST NOT be present. If the other-certificate-formats attribute (Section 21) is included, the certificate field MUST NOT be present.
“有用证书”属性使用[RFC5652]第10.2.3节中定义的证书集字段。在CertificateChoices字段中,必须始终忽略extendedCertificate和v1AttrCert字段。如果包含第8节中的userCertificate属性,则其他字段不得存在。如果包含“其他证书格式”属性(第21节),则证书字段不得存在。
Due to multiple layers of encapsulation or the use of content collections, the useful-certificates attribute can appear in more than one location in the overall key package. When the useful-certificates attribute appears in more than one location in the overall key package, each occurrence is evaluated independently.
由于多层封装或使用内容集合,“有用的证书”属性可以出现在整个密钥包中的多个位置。当“有用的证书”属性出现在整个密钥包中的多个位置时,将独立评估每次出现的证书。
The key-wrap-algorithm attribute identifies a key wrap algorithm with an algorithm identifier. It can appear as a symmetric key or symmetric key package attribute. When this attribute is present in sKeyAttrs, it indicates that the associated sKey field contains a black key, which is an encrypted key, that was wrapped by the
“密钥换行算法”属性使用算法标识符标识密钥换行算法。它可以显示为对称密钥或对称密钥包属性。当此属性出现在sKeyAttrs中时,它表示关联的sKey字段包含一个由
identified algorithm. When this attribute is present in sKeyPkgAttrs, it indicates that every sKey field in that symmetric key package contains a black key and that all keys are wrapped by the same designated algorithm.
识别算法。当此属性出现在sKeyPkgAttrs中时,它表示对称密钥包中的每个sKey字段都包含一个黑色密钥,并且所有密钥都由相同的指定算法包装。
The key-wrap-algorithm attribute has the following syntax:
“密钥换行算法”属性具有以下语法:
aa-keyWrapAlgorithm ATTRIBUTE ::= { TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} IDENTIFIED BY id-kma-keyWrapAlgorithm }
aa-keyWrapAlgorithm ATTRIBUTE ::= { TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} IDENTIFIED BY id-kma-keyWrapAlgorithm }
id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 21 }
id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 21 }
KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... }
KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... }
The content-decryption-key-identifier attribute can appear as an unprotected attribute as well as a symmetric and symmetric key package attribute. The attribute's semantics differ based on the location.
内容解密密钥标识符属性可以显示为未受保护的属性以及对称和对称密钥包属性。属性的语义因位置而异。
25.1. Content Decryption Key Identifier: Symmetric Key and Symmetric Key Package
25.1. 内容解密密钥标识符:对称密钥和对称密钥包
The content-decryption-key-identifier attribute [RFC6032] identifies the keying material needed to decrypt the sKey. It can appear as a symmetric key and symmetric key package attribute. If the key-wrap-algorithm attribute appears in sKeyPkgAttrs, then the corresponding content-decryption-identifier attribute can appear in either sKeyPkgAttrs or sKeyAttrs. If the key-wrap-algorithm attribute (Section 24) appears in sKeyAttrs, then the corresponding content-decryption-identifier attribute MUST appear in sKeyAttrs.
内容解密密钥标识符属性[RFC6032]标识解密sKey所需的密钥材料。它可以显示为对称密钥和对称密钥包属性。如果密钥包裹算法属性出现在SkeypkAttrs中,则相应的内容解密标识符属性可以出现在SkeypkAttrs或sKeyAttrs中。如果密钥包裹算法属性(第24节)出现在sKeyAttrs中,则相应的内容解密标识符属性必须出现在sKeyAttrs中。
The content-decryption-key-identifier attribute in included for convenience:
为方便起见,中包含了内容解密密钥标识符属性:
aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { TYPE ContentDecryptKeyID IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { TYPE ContentDecryptKeyID IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 66 }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 66 }
ContentDecryptKeyID ::= OCTET STRING
ContentDecryptKeyID ::= OCTET STRING
The content decryption key identifier contains an octet string, and this syntax does not impose any particular structure on the identifier value.
内容解密密钥标识符包含一个八位字节字符串,此语法不会对标识符值施加任何特定结构。
The content-decryption-key-identifier attribute can be used to identify the keying material that is needed for decryption of the EncryptedData content if there is any ambiguity.
内容解密密钥标识符属性可用于标识加密数据内容解密所需的密钥材料(如果存在任何歧义)。
The content-decryption-key-identifier attribute syntax is found in Section 25.1. The content decryption key identifier contains an octet string, and this syntax does not impose any particular structure on the identifier value.
内容解密密钥标识符属性语法见第25.1节。内容解密密钥标识符包含一个八位字节字符串,此语法不会对标识符值施加任何特定结构。
Due to multiple layers of encryption, the content-decryption-key-identifier attribute can appear in more than one location in the overall key package. When that happens, each occurrence is evaluated independently. Each one is used to identify the needed keying material for that layer of encryption.
由于采用多层加密,内容解密密钥标识符属性可以出现在整个密钥包中的多个位置。发生这种情况时,将独立评估每个事件。每一个都用于识别该加密层所需的密钥材料。
The certificate-pointers attribute can be used to reference one or more certificates that may be helpful in the processing of the content once it is decrypted. Sometimes certificates are omitted if they can be easily fetched. However, an intermediary may have better facilities to perform the fetching than the receiver. The certificate-pointers attribute may be useful in some environments. This attribute can appear as an unprotected and an unauthenticated&unprotected attribute.
“证书指针”属性可用于引用一个或多个证书,这些证书在内容解密后可能有助于内容的处理。有时,如果可以轻松获取证书,则会忽略这些证书。然而,中间人可能比接收人有更好的设施来执行抓取。证书指针属性在某些环境中可能很有用。此属性可以显示为未受保护的属性和未经验证且未受保护的属性。
The certificate-pointers attribute uses the same syntax and semantics as the subject information access certificate extension [RFC5280]. The certificate-pointers attribute has the following syntax:
证书指针属性使用与主题信息访问证书扩展[RFC5280]相同的语法和语义。“证书指针”属性具有以下语法:
aa-certificatePointers ATTRIBUTE ::= { TYPE SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
aa-certificatePointers ATTRIBUTE ::= { TYPE SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) pe(1) 11 }
id-pe-subjectInfoAccess OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) pe(1) 11 }
SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
SubjectInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER, accessLocation GeneralName }
AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER, accessLocation GeneralName }
As specified in [RFC5280], the id-ad-caRepository access method can be used to point to a repository where a Certification Authority publishes certificates and Certificate Revocation Lists (CRLs). In this case, the accessLocation field tells how to access the repository. Where the information is available via HTTP, FTP, or the Lightweight Directory Access Protocol (LDAP), accessLocation contains a Uniform Resource Identifier (URI). Where the information is available via the Directory Access Protocol (DAP), accessLocation contains a directory name.
如[RFC5280]中所述,id ad caRepository访问方法可用于指向证书颁发机构发布证书和证书吊销列表(CRL)的存储库。在本例中,accessLocation字段说明如何访问存储库。当信息通过HTTP、FTP或轻量级目录访问协议(LDAP)可用时,accessLocation包含统一资源标识符(URI)。如果信息通过目录访问协议(DAP)可用,则accessLocation包含目录名。
The CRL-pointers attribute can be used to reference one or more CRLs that may be helpful in the processing of the content once it is decrypted. Sometimes CRLs are omitted to conserve space or to ensure that the most recent CRL is obtained when the certificate is validated. However, an intermediary may have better facilities to perform the fetching than the receiver. The CRL-pointers attribute may be useful in some environments. This attribute can appear as an unprotected and unauthenticated&unprotected attribute.
CRL pointers属性可用于引用一个或多个CRL,这些CRL在内容解密后可能有助于处理内容。有时会忽略CRL,以节省空间或确保在验证证书时获得最新的CRL。然而,中间人可能比接收人有更好的设施来执行抓取。CRL指针属性在某些环境中可能很有用。此属性可以显示为未受保护、未经验证和未受保护的属性。
The CRL-pointers attribute has the following syntax:
CRL指针属性具有以下语法:
aa-crlPointers ATTRIBUTE ::= { TYPE GeneralNames IDENTIFIED BY id-aa-KP-crlPointers }
aa-crlPointers ATTRIBUTE ::= { TYPE GeneralNames IDENTIFIED BY id-aa-KP-crlPointers }
id-aa-KP-crlPointers OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 70 }
id-aa-KP-crlPointers OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 70 }
The CRL-pointers attribute uses the GeneralNames syntax from [RFC5280]. Each name describes a different mechanism to obtain the same CRL. Where the information is available via HTTP, FTP, or LDAP, GeneralNames contains a URI. Where the information is available via DAP, GeneralNames contains a directory name.
CRL指针属性使用[RFC5280]中的GeneralNames语法。每个名称描述了获取相同CRL的不同机制。如果信息通过HTTP、FTP或LDAP可用,则GeneralNames包含URI。如果可以通过DAP获得信息,则GeneralNames包含一个目录名。
The key-package-identifier-and-receipt-request attribute from [RFC7191] is also supported. It can appear as a signed attribute, authenticated, authenticated&unprotected, or content attribute.
还支持[RFC7191]中的密钥包标识符和接收请求属性。它可以显示为已签名属性、已验证属性、已验证和未保护属性或内容属性。
This specification also defines three additional extended ErrorCodeChoice object identifiers for the oid field [RFC7191]:
本规范还为oid字段[RFC7191]定义了三个额外的扩展ErrorCodeChoice对象标识符:
id-errorCodes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) errorCodes(22) }
id-errorCodes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) errorCodes(22) }
id-missingKeyType OBJECT IDENTIFIER ::= { id-errorCodes 1 }
id-missingKeyType OBJECT IDENTIFIER ::= { id-errorCodes 1 }
id-privacyMarkTooLong OBJECT IDENTIFIER ::= { id-errorCodes 2 }
id-privacyMarkTooLong OBJECT IDENTIFIER ::= { id-errorCodes 2 }
id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { id-errorCodes 3 }
id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { id-errorCodes 3 }
id-incorrectKeyProvince OBJECT IDENTIFIER ::= { id-errorCodes 4 }
id-incorrectKeyProvince OBJECT IDENTIFIER ::= { id-errorCodes 4 }
missingKeyType indicates that all keying material within a package is of the same type; however, the key-package-type attribute is not specified in sKeyPkgAttrs [RFC6031].
missingKeyType表示一个包装内的所有键控材料属于同一类型;但是,sKeyPkgAttrs[RFC6031]中未指定密钥包类型属性。
privacyMarkTooLong indicates that a classification attribute includes a privacy-mark that exceeds 128 characters in length.
privacyMarkTooLong表示分类属性包含长度超过128个字符的隐私标记。
unrecognizedSecurityPolicy indicates that a security-policy-identifier is not supported.
UnrecognizedSecurity策略表示不支持安全策略标识符。
incorrectKeyProvince indicates that the value of the key-province-v2 attribute in a key package does not match the key province constraint of the trust anchor used to validate the key package.
incorrectKeyProvince表示密钥包中的key-province-v2属性的值与用于验证密钥包的信任锚点的key-province约束不匹配。
Trust anchors may contain constraints for any content type [RFC5934]. When the trust anchor contains constraints for the symmetric key package content type or the asymmetric key package content type, then the constraints provide default values for key package attributes that are not present in the key package and define the set of acceptable values for key package attributes that are present.
信任锚可以包含任何内容类型的约束[RFC5934]。当信任锚点包含对称密钥包内容类型或非对称密钥包内容类型的约束时,这些约束为密钥包中不存在的密钥包属性提供默认值,并为存在的密钥包属性定义一组可接受的值。
When a trust anchor delegates authority by issuing an X.509 certificate, the CMS content constraints certificate extension [RFC6010] may be included to constrain the authorizations. The trust
当信任锚通过颁发X.509证书来授权时,可以包括CMS内容约束证书扩展[RFC6010]来约束授权。信托
anchor and the X.509 certification path provide default values for key package attributes that are not present in the key package and define the set of acceptable of values for key package attributes that are present.
锚定和X.509认证路径为密钥包中不存在的密钥包属性提供默认值,并为存在的密钥包属性定义一组可接受的值。
Constraints on content type usage are represented as attributes.
内容类型使用的约束表示为属性。
The processing procedures for the CMS content constraints certificate extension [RFC6010] are part of the validation of a signed or authenticated object, and the procedures yield three output values: cms_constraints, cms_effective_attributes, and cms_default_attributes. Object validation MUST be performed before processing the key package contents, and these output values are used as part of key package processing. These same output values are easily generated directly from a trust anchor and the key package when no X.509 certification path is involved in validation.
CMS内容约束证书扩展[RFC6010]的处理过程是已签名或已验证对象验证的一部分,该过程产生三个输出值:CMS_约束、CMS_有效_属性和CMS_默认_属性。在处理密钥包内容之前必须执行对象验证,并且这些输出值用作密钥包处理的一部分。当验证中不涉及X.509认证路径时,这些相同的输出值很容易直接从信任锚和密钥包生成。
The cms_effective_attributes provides the set of acceptable values for attributes. Each attribute present in the key package that corresponds to an entry in cms_effective_attributes MUST contain a value that appears in cms_effective_attributes entry. Attributes that do not correspond to an entry in cms_effective_attributes are unconstrained and may contain any value. Correspondence between attributes and cms_effective_attributes is determined by comparing the attribute object identifier to object identifier for each entry in cms_effective_attributes.
cms_有效_属性为属性提供一组可接受的值。与cms_有效_属性中的条目对应的密钥包中的每个属性必须包含出现在cms_有效_属性条目中的值。与cms_effective_属性中的条目不对应的属性是无约束的,可以包含任何值。属性和cms_有效_属性之间的对应关系通过比较属性对象标识符和cms_有效_属性中每个条目的对象标识符来确定。
The cms_default_attributes provides values for attributes that do not appear in the key package. If cms_default_attributes includes only one attribute value for a particular attribute, then that value is used as if it were included in the key package itself. However, if cms_default_attributes includes more than one value for a particular attribute, then the appropriate value remains ambiguous and the key package should be rejected.
cms_default_属性为密钥包中未出现的属性提供值。如果cms_default_attributes仅包含特定属性的一个属性值,则该值的使用将如同它包含在密钥包本身中一样。但是,如果cms_default_属性包含特定属性的多个值,则适当的值仍不明确,并且应拒绝密钥包。
Some attributes can appear in more than one place in the key package, and for this reason, the attribute definitions include consistency checks. These checks are independent of constraints checking. In addition to the consistency checks, each instance of the attribute MUST be checked against the set of cms_effective_attributes, and the key package MUST be rejected if any of the attributes values are not in the set of authorized set of values.
某些属性可以出现在密钥包中的多个位置,因此,属性定义包括一致性检查。这些检查独立于约束检查。除了一致性检查外,还必须根据cms_effective_属性集检查属性的每个实例,如果任何属性值不在授权值集中,则必须拒绝密钥包。
This section provides an example symmetric key package in order to provide a discussion of the scope of attributes. This is an informative section; it is not a normative portion of this specification. Figure 1 provides the example. All of the concepts apply to either a symmetric key package or an asymmetric key package, with the exception of the key-algorithm attribute, which is only applicable to a symmetric key package. Each of the components is labeled with a number inside parentheses for easy reference:
本节提供了一个示例对称密钥包,以讨论属性的范围。这是一个资料性的部分;它不是本规范的规范性部分。图1提供了示例。所有概念都适用于对称密钥包或非对称密钥包,密钥算法属性除外,该属性仅适用于对称密钥包。为便于参考,每个组件都在括号内标有数字:
(1) is the ContentInfo that must be present as the outermost layer of encapsulation. It contains no attributes. It is shown for completeness.
(1) 是必须作为封装的最外层出现的ContentInfo。它不包含任何属性。它显示为完整性。
(2) is a SignedData content type, which includes six signed attributes. Four of the signed attributes are keying material attributes.
(2) 是SignedData内容类型,包括六个已签名属性。四个已签名属性是关键帧材质属性。
(3) is a ContentCollection that includes two encapsulated content types: a ContentWithAttributes and an EncryptedKeyPackage. This content type does not provide any attributes.
(3) 是一个ContentCollection,包含两种封装的内容类型:ContentWithAttributes和EncryptedKeyPackage。此内容类型不提供任何属性。
(4) is a ContentWithAttributes content type. It encapsulates a SignedData content type. Four key material attributes are provided.
(4) 是ContentWithAttributes内容类型。它封装了SignedData内容类型。提供了四个关键材质属性。
(5) is a SignedData content type. It encapsulates a SymmetricKeyPackage content type. Six signed attributes are provided. Four attributes are key material attributes.
(5) 是SignedData内容类型。它封装了SymmetricePackage内容类型。提供了六个签名属性。四个属性是关键材质属性。
(6) is a SymmetricKeyPackage content type, and it includes three key material attributes. Note that the contents of this key package are not encrypted, but the contents are covered by two digital signatures.
(6) 是SymmetricePackage内容类型,它包括三个关键材质属性。请注意,此密钥包的内容未加密,但包含两个数字签名。
(7) is an EncryptedKeyPackage content type. It encapsulates a SignedData content type. This content type provides one unprotected attribute.
(7) 是EncryptedKeyPackage内容类型。它封装了SignedData内容类型。此内容类型提供一个不受保护的属性。
(8) is a SignedData content type. It encapsulates a SymmetricKeyPackage content type. Six signed attributes are provided. Four attributes are key material attributes.
(8) 是SignedData内容类型。它封装了SymmetricePackage内容类型。提供了六个签名属性。四个属性是关键材质属性。
(9) is a SymmetricKeyPackage content type, and it includes three key material attributes. Note that the contents of this key package are encrypted; the plaintext keying material is covered by one digital signature, and the ciphertext keying material is covered by another digital signature.
(9) 是SymmetricePackage内容类型,它包括三个关键材质属性。请注意,此密钥包的内容是加密的;明文密钥材料由一个数字签名覆盖,密文密钥材料由另一个数字签名覆盖。
SignedData content type (2) includes six signed attributes:
SignedData内容类型(2)包括六个签名属性:
o The content-type attribute contains id-ct-contentCollection to indicate the type of the encapsulated content, and it has no further scope.
o content type属性包含id ct contentCollection以指示封装内容的类型,它没有进一步的作用域。
o The message-digest attribute contains the one-way hash value of the encapsulated content; it is needed to validate the digital signature. It has no further scope.
o 消息摘要属性包含封装内容的单向散列值;需要验证数字签名。它没有进一步的范围。
o The classification attribute contains the security label for all of the plaintext in the encapsulated content. Each classification attribute is evaluated separately; it has no further scope. In general, the values of this attribute will match or dominate the security label values in (4), (5), and (6). The value of this attribute might not match or dominate the security label values in (8) and (9) since they are encrypted. It is possible that these various security label values are associated with different security policies. To avoid the processing complexity associated with policy mapping, comparison is not required.
o 分类属性包含封装内容中所有纯文本的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。通常,此属性的值将与(4)、(5)和(6)中的安全标签值匹配或占主导地位。此属性的值可能与(8)和(9)中的安全标签值不匹配或不占主导地位,因为它们是加密的。这些不同的安全标签值可能与不同的安全策略相关联。为了避免与策略映射相关的处理复杂性,不需要进行比较。
o The key-package-receivers-v2 attribute indicates the authorized key package receivers, and it has no further scope. The additional instances of key-package-receivers-v2 attribute embedded in (4) are evaluated without regard to the value of the instance in (2).
o key-package-receivers-v2属性表示已授权的密钥包接收者,它没有进一步的作用域。评估(4)中嵌入的key-package-receivers-v2属性的其他实例,而不考虑(2)中实例的值。
o The key-distribution-period attribute contains two date values: doNotDistBefore and doNotDistAfter. These values must match all others within the same scope, which in this example is the key-distribution-period within (4).
o key distribution period属性包含两个日期值:doNotDistBefore和doNotDistAfter。这些值必须与同一范围内的所有其他值匹配,在本例中,这是(4)中的密钥分发周期。
o The key-package-type attributes indicates the format of the key package, and it has no further scope. The key-package-type attributes values within (5) and (8) are evaluated without regard to the value of this attribute.
o key package type属性表示密钥包的格式,它没有进一步的作用域。对(5)和(8)中的键包类型属性值进行求值,而不考虑该属性的值。
ContentWithAttributes content type (4) includes four attributes:
ContentWithAttributes内容类型(4)包括四个属性:
o The classification attribute contains the security label for all of the plaintext in the encapsulated content. Each classification attribute is evaluated separately; it has no further scope.
o 分类属性包含封装内容中所有纯文本的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。
o The TSEC-Nomenclature attribute includes only the shortTitle field, and the value must match all other instances within the same scope, which appear in (5) and (6). Note that the TSEC-Nomenclature attribute values in (8) and (9) are not in the same scope as the TSEC-Nomenclature attribute that appears in (4).
o TSEC命名法属性仅包括shortTitle字段,该值必须与同一范围内的所有其他实例相匹配,如(5)和(6)所示。请注意,(8)和(9)中的TSEC命名属性值与(4)中出现的TSEC命名属性不在同一范围内。
o The key-package-receivers-v2 attribute indicates the authorized key package receivers, and it has no further scope. The enveloping instance of key-package-receivers-v2 attribute value in (2) is evaluated without regard to the value of this instance in (4), and has no effect on the value of this instance in (4).
o key-package-receivers-v2属性表示已授权的密钥包接收者,它没有进一步的作用域。评估(2)中key-package-receivers-v2属性值的包络实例时,不考虑(4)中该实例的值,并且对(4)中该实例的值没有影响。
o The key-distribution-period attribute contains two date values: doNotDistBefore and doNotDistAfter. These values must match all others within the same scope, which in this example is the key-distribution-period within (2).
o key distribution period属性包含两个日期值:doNotDistBefore和doNotDistAfter。这些值必须与同一范围内的所有其他值匹配,在本例中,这是(2)中的密钥分发周期。
SignedData content type (5) includes six signed attributes:
SignedData内容类型(5)包括六个签名属性:
o The content-type attribute contains id-ct-KP-skeyPackage to indicate the type of the encapsulated content, and it has no further scope.
o content-type属性包含id-ct-KP-skeyPackage以指示封装内容的类型,它没有进一步的作用域。
o The message-digest attribute contains the one-way hash value of the encapsulated content; it is needed to validate the digital signature. It has no further scope.
o 消息摘要属性包含封装内容的单向散列值;需要验证数字签名。它没有进一步的范围。
o The classification attribute contains the security label for all of the plaintext in the encapsulated content. Each classification attribute is evaluated separately; it has no further scope.
o 分类属性包含封装内容中所有纯文本的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。
o The TSEC-Nomenclature attribute includes only the shortTitle field, and the value must match all other instances within the same scope, which appear in (6). Since this is within the scope of (4), these shortTitle field values must match as well. Note that the TSEC-Nomenclature attribute values in (8) and (9) are not in the same scope.
o TSEC Nomenclation属性仅包括shortTitle字段,该值必须与相同范围内的所有其他实例相匹配,如(6)所示。由于这在(4)的范围内,这些shortTitle字段值也必须匹配。请注意,(8)和(9)中的TSEC术语属性值不在同一范围内。
o The key-purpose attribute specifies the purpose of the key material. All occurrences within the scope must have the same value; however, in this example, there are no other occurrences within the scope. The key-purpose attribute value within (8) is evaluated without regard to the value of this attribute.
o “关键用途”属性指定关键材质的用途。范围内的所有事件必须具有相同的值;但是,在此示例中,范围内没有其他事件。评估(8)中的关键用途属性值时,不考虑该属性的值。
o The key-package-type attribute indicates the format of the key package, and it has no further scope. The key-package-type attribute values within (2) and (8) are evaluated without regard to the value of this attribute.
o key-package-type属性表示密钥包的格式,它没有进一步的作用域。计算(2)和(8)中的键包类型属性值时不考虑该属性的值。
SymmetricKeyPackage content type (6) includes three keying material attributes, which could appear in the sKeyPkgAttrs or sKeyAttrs fields:
SymmetricKeyPackage内容类型(6)包括三个关键帧材质属性,它们可能出现在SkeypkAttrs或sKeyAttrs字段中:
o The key-algorithm attribute includes only the keyAlg field, and it must match all other occurrences within the same scope. However, there are no other key-algorithm attribute occurrences in the same scope; the key-algorithm attribute value in (9) is not in the same scope.
o key algorithm属性仅包括keyAlg字段,它必须与同一范围内的所有其他匹配。但是,在同一范围内没有其他关键算法属性出现;(9)中的密钥算法属性值不在同一范围内。
o The classification attribute contains the security label for all of the plaintext in the key package. Each classification attribute is evaluated separately; it has no further scope.
o 分类属性包含密钥包中所有明文的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。
o The TSEC-Nomenclature attribute includes the shortTitle field as well as some of the optional fields. The shortTitle field value must match the values in (4) and (5), since this content type is within their scope. Note that the TSEC-Nomenclature attribute values in (8) and (9) are not in the same scope.
o TSEC术语属性包括shortTitle字段以及一些可选字段。shortTitle字段值必须与(4)和(5)中的值匹配,因为此内容类型在其范围内。请注意,(8)和(9)中的TSEC术语属性值不在同一范围内。
EncryptedKeyPackage content type (7) includes one unprotected attribute, and the encryption will prevent any intermediary that does not have the ability to decrypt the content from making any consistency checks on (8) and (9):
EncryptedKeyPackage内容类型(7)包括一个未受保护的属性,加密将防止任何无法解密内容的中介对(8)和(9)进行任何一致性检查:
o The content-decryption-key-identifier attribute identifies the key that is needed to decrypt the encapsulated content; it has no further scope.
o 内容解密密钥标识符属性标识解密封装内容所需的密钥;它没有进一步的范围。
SignedData content type (8) includes six signed attributes:
SignedData内容类型(8)包括六个签名属性:
o The content-type attribute contains id-ct-KP-skeyPackage to indicate the type of the encapsulated content, and it has no further scope.
o content-type属性包含id-ct-KP-skeyPackage以指示封装内容的类型,它没有进一步的作用域。
o The message-digest attribute contains the one-way hash value of the encapsulated content; it is needed to validate the digital signature. It has no further scope.
o 消息摘要属性包含封装内容的单向散列值;需要验证数字签名。它没有进一步的范围。
o The classification attribute contains the security label for content. Each classification attribute is evaluated separately; it has no further scope.
o “分类”属性包含内容的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。
o The TSEC-Nomenclature attribute includes only the shortTitle field, and the value must match all other instances within the same scope, which appear in (9). Note that the TSEC-Nomenclature attribute values in (4), (5), and (6) are not in the same scope.
o TSEC Nomenclation属性仅包括shortTitle字段,该值必须与相同范围内的所有其他实例相匹配,如(9)所示。注意,(4)、(5)和(6)中的TSEC术语属性值不在同一范围内。
o The key-purpose attribute specifies the purpose of the key material. All occurrences within the scope must have the same value; however, in this example, there are no other occurrences within the scope. The key-purpose attribute value within (5) is evaluated without regard to the value of this attribute.
o “关键用途”属性指定关键材质的用途。范围内的所有事件必须具有相同的值;但是,在此示例中,范围内没有其他事件。评估(5)中的关键用途属性值时,不考虑该属性的值。
o The key-package-type attribute indicates the format of the key package, and it has no further scope. The key-package-type attribute values within (2) and (5) are evaluated without regard to the value of this attribute.
o key-package-type属性表示密钥包的格式,它没有进一步的作用域。计算(2)和(5)中的键包类型属性值时不考虑该属性的值。
SymmetricKeyPackage content type (9) includes three keying material attributes, which could appear in the sKeyPkgAttrs or sKeyAttrs fields:
SymmetricKeyPackage内容类型(9)包括三个关键帧材质属性,它们可能出现在SkeypkAttrs或sKeyAttrs字段中:
o The key-algorithm attribute includes only the keyAlg field, and it must match all other occurrences within the same scope. However, there are no other key-algorithm attribute occurrences in the same scope; the key-algorithm attribute value in (6) is not in the same scope.
o key algorithm属性仅包括keyAlg字段,它必须与同一范围内的所有其他匹配。但是,在同一范围内没有其他关键算法属性出现;(6)中的密钥算法属性值不在同一范围内。
o The classification attribute contains the security label for all of the plaintext in the key package. Each classification attribute is evaluated separately; it has no further scope.
o 分类属性包含密钥包中所有明文的安全标签。对每个分类属性分别进行评价;它没有进一步的范围。
o The TSEC-Nomenclature attribute includes the shortTitle field as well as some of the optional fields. The shortTitle field value must match the values in (8), since this content type is within its scope. Note that the TSEC-Nomenclature attributes values in (4), (5), and (6) are not in the same scope.
o TSEC术语属性包括shortTitle字段以及一些可选字段。shortTitle字段值必须与(8)中的值匹配,因为此内容类型在其范围内。注意,(4)、(5)和(6)中的TSEC术语属性值不在同一范围内。
In summary, the scope of an attribute includes the encapsulated content of the CMS content type in which it appears, and some attributes also require consistency checks with other instances that appear within the encapsulated content. Proper recognition of scope is required to accurately perform attribute processing.
总之,属性的范围包括它出现在其中的CMS内容类型的封装内容,一些属性还需要与封装内容中出现的其他实例进行一致性检查。正确识别范围是准确执行属性处理所必需的。
+------------------------------------------------------------------+ | ContentInfo (1) | |+----------------------------------------------------------------+| || SignedData (2) || ||+--------------------------------------------------------------+|| ||| ContentCollection (3) ||| |||+-----------------------------++-----------------------------+||| |||| ContentWithAttributes (4) || EncryptedKeyPackage (7) |||| ||||+---------------------------+||+---------------------------+|||| ||||| SignedData (5) |||| SignedData (8) ||||| |||||+-------------------------+||||+-------------------------+||||| |||||| SymmetricKeyPackage (6) |||||| SymmetricKeyPackage (9) |||||| |||||| Attributes: |||||| Attributes: |||||| |||||| Key Algorithm |||||| Key Algorithm |||||| |||||| Classification |||||| Classification |||||| |||||| TSEC-Nomenclature |||||| TSEC-Nomenclature |||||| |||||+-------------------------+||||+-------------------------+||||| ||||| Attributes: |||| Attributes: ||||| ||||| Content Type |||| Content Type ||||| ||||| Message Digest |||| Message Digest ||||| ||||| Classification |||| Classification ||||| ||||| TSEC-Nomenclature |||| TSEC-Nomenclature ||||| ||||| Key Purpose |||| Key Purpose ||||| ||||| Key Package Type |||| Key Package Type ||||| ||||+-------------------------- +||+---------------------------+|||| |||| Attributes: || Unprotect Attributes: |||| |||| Classification || Content Decrypt Key ID |||| |||| TSEC-Nomenclature |+-----------------------------+||| |||| Key Package Receivers | ||| |||| Key Distribution Period | ||| |||+-----------------------------+ ||| ||+--------------------------------------------------------------+|| || Attributes: || || Content Type || || Message Digest || || Classification || || Key Package Receivers || || Key Distribution Period || || Key Package Type || |+----------------------------------------------------------------+| +------------------------------------------------------------------+
+------------------------------------------------------------------+ | ContentInfo (1) | |+----------------------------------------------------------------+| || SignedData (2) || ||+--------------------------------------------------------------+|| ||| ContentCollection (3) ||| |||+-----------------------------++-----------------------------+||| |||| ContentWithAttributes (4) || EncryptedKeyPackage (7) |||| ||||+---------------------------+||+---------------------------+|||| ||||| SignedData (5) |||| SignedData (8) ||||| |||||+-------------------------+||||+-------------------------+||||| |||||| SymmetricKeyPackage (6) |||||| SymmetricKeyPackage (9) |||||| |||||| Attributes: |||||| Attributes: |||||| |||||| Key Algorithm |||||| Key Algorithm |||||| |||||| Classification |||||| Classification |||||| |||||| TSEC-Nomenclature |||||| TSEC-Nomenclature |||||| |||||+-------------------------+||||+-------------------------+||||| ||||| Attributes: |||| Attributes: ||||| ||||| Content Type |||| Content Type ||||| ||||| Message Digest |||| Message Digest ||||| ||||| Classification |||| Classification ||||| ||||| TSEC-Nomenclature |||| TSEC-Nomenclature ||||| ||||| Key Purpose |||| Key Purpose ||||| ||||| Key Package Type |||| Key Package Type ||||| ||||+-------------------------- +||+---------------------------+|||| |||| Attributes: || Unprotect Attributes: |||| |||| Classification || Content Decrypt Key ID |||| |||| TSEC-Nomenclature |+-----------------------------+||| |||| Key Package Receivers | ||| |||| Key Distribution Period | ||| |||+-----------------------------+ ||| ||+--------------------------------------------------------------+|| || Attributes: || || Content Type || || Message Digest || || Classification || || Key Package Receivers || || Key Distribution Period || || Key Package Type || |+----------------------------------------------------------------+| +------------------------------------------------------------------+
Figure 1: Example Illustrating Scope of Attributes
图1:说明属性范围的示例
The majority of this specification is devoted to the syntax and semantics of key package attributes. It relies on other specifications, especially [RFC2634], [RFC4073], [RFC4108], [RFC5652], [RFC5911], [RFC5912], [RFC5958], [RFC6010], and [RFC6031]; their security considerations apply here. Additionally, cryptographic algorithms are used with CMS protecting content types as specified in [RFC5959], [RFC6160], [RFC6161], and [RFC6162]; the security considerations from those documents apply here as well.
本规范的大部分内容致力于关键包属性的语法和语义。它依赖于其他规范,特别是[RFC2634]、[RFC4073]、[RFC4108]、[RFC5652]、[RFC5911]、[RFC5912]、[RFC5958]、[RFC6010]和[RFC6031];他们的安全考虑在这里适用。此外,加密算法与[RFC5959]、[RFC6160]、[RFC6161]和[RFC6162]中规定的CMS保护内容类型一起使用;这些文档中的安全注意事项也适用于此处。
This specification also relies upon [RFC5280] for the syntax and semantics of X.509 certificates. Digital signatures provide data integrity or data origin authentication, and encryption provides confidentiality.
本规范还依赖[RFC5280]了解X.509证书的语法和语义。数字签名提供数据完整性或数据源身份验证,加密提供机密性。
Security factors outside the scope of this specification greatly affect the assurance provided. The procedures used by Certification Authorities (CAs) to validate the binding of the subject identity to their public key greatly affect the assurance that ought to be placed in the certificate. This is particularly important when issuing certificates to other CAs.
本规范范围之外的安全因素对所提供的保证有很大影响。证书颁发机构(CA)用于验证主体身份与其公钥的绑定的程序极大地影响了应在证书中放置的保证。这在向其他CA颁发证书时尤为重要。
The CMS AuthenticatedData content type MUST be used with care since a Message Authentication Code (MAC) is used. The same key is needed to generate the MAC or validate the MAC. Thus, any party with access to the key needed to validate the MAC can generate a replacement that will be acceptable to other recipients.
CMS AuthenticatedData内容类型必须小心使用,因为使用了消息身份验证码(MAC)。生成MAC或验证MAC需要相同的密钥。因此,任何能够访问验证MAC所需密钥的一方都可以生成其他接收方可以接受的替换密钥。
In some situations, returning very detailed error information can provide an attacker with insight into the security processing. Where this is a concern, the implementation should return the most generic error code that is appropriate. However, detailed error codes are very helpful during development, debugging, and interoperability testing. For this reason, implementations may want to have a way to configure the use of generic or detailed error codes.
在某些情况下,返回非常详细的错误信息可以让攻击者深入了解安全处理过程。如果这是一个问题,那么实现应该返回最通用的适当错误代码。然而,在开发、调试和互操作性测试期间,详细的错误代码非常有用。因此,实现可能需要一种配置通用或详细错误代码使用的方法。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC2634] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", RFC 2634, DOI 10.17487/RFC2634, June 1999, <http://www.rfc-editor.org/info/rfc2634>.
[RFC2634]Hoffman,P.,Ed.“S/MIME的增强安全服务”,RFC 2634,DOI 10.17487/RFC2634,1999年6月<http://www.rfc-editor.org/info/rfc2634>.
[RFC4073] Housley, R., "Protecting Multiple Contents with the Cryptographic Message Syntax (CMS)", RFC 4073, DOI 10.17487/RFC4073, May 2005, <http://www.rfc-editor.org/info/rfc4073>.
[RFC4073]Housley,R.,“使用加密消息语法(CMS)保护多个内容”,RFC 4073,DOI 10.17487/RFC4073,2005年5月<http://www.rfc-editor.org/info/rfc4073>.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages", RFC 4108, DOI 10.17487/RFC4108, August 2005, <http://www.rfc-editor.org/info/rfc4108>.
[RFC4108]Housley,R.“使用加密消息语法(CMS)保护固件包”,RFC 4108,DOI 10.17487/RFC4108,2005年8月<http://www.rfc-editor.org/info/rfc4108>.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, DOI 10.17487/RFC5083, November 2007, <http://www.rfc-editor.org/info/rfc5083>.
[RFC5083]Housley,R.“加密消息语法(CMS)认证的信封数据内容类型”,RFC 5083,DOI 10.17487/RFC5083,2007年11月<http://www.rfc-editor.org/info/rfc5083>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 5280,DOI 10.17487/RFC5280,2008年5月<http://www.rfc-editor.org/info/rfc5280>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <http://www.rfc-editor.org/info/rfc5652>.
[RFC5652]Housley,R.,“加密消息语法(CMS)”,STD 70,RFC 5652,DOI 10.17487/RFC5652,2009年9月<http://www.rfc-editor.org/info/rfc5652>.
[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, DOI 10.17487/RFC5911, June 2010, <http://www.rfc-editor.org/info/rfc5911>.
[RFC5911]Hoffman,P.和J.Schaad,“用于加密消息语法(CMS)和S/MIME的新ASN.1模块”,RFC 5911,DOI 10.17487/RFC5911,2010年6月<http://www.rfc-editor.org/info/rfc5911>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, DOI 10.17487/RFC5912, June 2010, <http://www.rfc-editor.org/info/rfc5912>.
[RFC5912]Hoffman,P.和J.Schaad,“使用X.509(PKIX)的公钥基础设施的新ASN.1模块”,RFC 5912,DOI 10.17487/RFC5912,2010年6月<http://www.rfc-editor.org/info/rfc5912>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI 10.17487/RFC5958, August 2010, <http://www.rfc-editor.org/info/rfc5958>.
[RFC5958]Turner,S.,“非对称密钥包”,RFC 5958,DOI 10.17487/RFC5958,2010年8月<http://www.rfc-editor.org/info/rfc5958>.
[RFC5959] Turner, S., "Algorithms for Asymmetric Key Package Content Type", RFC 5959, DOI 10.17487/RFC5959, August 2010, <http://www.rfc-editor.org/info/rfc5959>.
[RFC5959]Turner,S.,“非对称密钥包内容类型的算法”,RFC 5959,DOI 10.17487/RFC5959,2010年8月<http://www.rfc-editor.org/info/rfc5959>.
[RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic Message Syntax (CMS) Content Constraints Extension", RFC 6010, DOI 10.17487/RFC6010, September 2010, <http://www.rfc-editor.org/info/rfc6010>.
[RFC6010]Housley,R.,Ashmore,S.,和C.Wallace,“加密消息语法(CMS)内容约束扩展”,RFC 6010,DOI 10.17487/RFC6010,2010年9月<http://www.rfc-editor.org/info/rfc6010>.
[RFC6019] Housley, R., "BinaryTime: An Alternate Format for Representing Date and Time in ASN.1", RFC 6019, DOI 10.17487/RFC6019, September 2010, <http://www.rfc-editor.org/info/rfc6019>.
[RFC6019]Housley,R.,“二进制时间:ASN.1中表示日期和时间的替代格式”,RFC 6019,DOI 10.17487/RFC6019,2010年9月<http://www.rfc-editor.org/info/rfc6019>.
[RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax (CMS) Symmetric Key Package Content Type", RFC 6031, DOI 10.17487/RFC6031, December 2010, <http://www.rfc-editor.org/info/rfc6031>.
[RFC6031]Turner,S.和R.Housley,“加密消息语法(CMS)对称密钥包内容类型”,RFC 6031,DOI 10.17487/RFC60312010年12月<http://www.rfc-editor.org/info/rfc6031>.
[RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type", RFC 6032, DOI 10.17487/RFC6032, December 2010, <http://www.rfc-editor.org/info/rfc6032>.
[RFC6032]Turner,S.和R.Housley,“加密消息语法(CMS)加密密钥包内容类型”,RFC 6032,DOI 10.17487/RFC6032,2010年12月<http://www.rfc-editor.org/info/rfc6032>.
[RFC6160] Turner, S., "Algorithms for Cryptographic Message Syntax (CMS) Protection of Symmetric Key Package Content Types", RFC 6160, DOI 10.17487/RFC6160, April 2011, <http://www.rfc-editor.org/info/rfc6160>.
[RFC6160]Turner,S.“对称密钥包内容类型的加密消息语法(CMS)保护算法”,RFC 6160,DOI 10.17487/RFC6160,2011年4月<http://www.rfc-editor.org/info/rfc6160>.
[RFC6162] Turner, S., "Elliptic Curve Algorithms for Cryptographic Message Syntax (CMS) Asymmetric Key Package Content Type", RFC 6162, DOI 10.17487/RFC6162, April 2011, <http://www.rfc-editor.org/info/rfc6162>.
[RFC6162]Turner,S.“加密消息语法(CMS)非对称密钥包内容类型的椭圆曲线算法”,RFC 6162,DOI 10.17487/RFC6162,2011年4月<http://www.rfc-editor.org/info/rfc6162>.
[RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)", RFC 6268, DOI 10.17487/RFC6268, July 2011, <http://www.rfc-editor.org/info/rfc6268>.
[RFC6268]Schaad,J.和S.Turner,“加密消息语法(CMS)和使用X.509(PKIX)的公钥基础设施的额外新ASN.1模块”,RFC 6268,DOI 10.17487/RFC6268,2011年7月<http://www.rfc-editor.org/info/rfc6268>.
[RFC7191] Housley, R., "Cryptographic Message Syntax (CMS) Key Package Receipt and Error Content Types", RFC 7191, DOI 10.17487/RFC7191, April 2014, <http://www.rfc-editor.org/info/rfc7191>.
[RFC7191]Housley,R.“加密消息语法(CMS)密钥包接收和错误内容类型”,RFC 7191,DOI 10.17487/RFC7191,2014年4月<http://www.rfc-editor.org/info/rfc7191>.
[X.509] ITU-T, "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks", ITU-T Recommendation X.509 | ISO/IEC 9594-8:2005, 2005.
[X.509]ITU-T,“信息技术-开放系统互连-目录:公钥和属性证书框架”,ITU-T建议X.509 | ISO/IEC 9594-8:2005,2005年。
[X.680] ITU-T, "Information Technology - Abstract Syntax Notation One", ITU-T Recommendation X.680 | ISO/IEC 8824-1:2002, 2002.
[X.680]ITU-T,“信息技术-抽象语法符号1”,ITU-T建议X.680 | ISO/IEC 8824-1:2002。
[X.681] ITU-T, "Information Technology - Abstract Syntax Notation One: Information Object Specification", ITU-T Recommendation X.681 | ISO/IEC 8824-2:2002, 2002.
[X.681]ITU-T,“信息技术-抽象语法符号1:信息对象规范”,ITU-T建议X.681 | ISO/IEC 8824-2:2002。
[X.682] ITU-T, "Information Technology - Abstract Syntax Notation One: Constraint Specification", ITU-T Recommendation X.682 | ISO/IEC 8824-3:2002, 2002.
[X.682]ITU-T,“信息技术-抽象语法符号1:约束规范”,ITU-T建议X.682 | ISO/IEC 8824-3:2002。
[X.683] ITU-T, "Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications", ITU-T Recommendation X.683 | ISO/IEC 8824-4:2002, 2002.
[X.683]ITU-T,“信息技术-抽象语法符号1:ASN.1规范的参数化”,ITU-T建议X.683 | ISO/IEC 8824-4:2002。
[X.690] ITU-T, "Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690 | ISO/IEC 8825-1:2002, 2002.
[X.690]ITU-T,“信息技术-ASN.1编码规则:基本编码规则(BER)、规范编码规则(CER)和区分编码规则(DER)规范”,ITU-T建议X.690 | ISO/IEC 8825-1:2002,2002。
[RFC5934] Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor Management Protocol (TAMP)", RFC 5934, DOI 10.17487/RFC5934, August 2010, <http://www.rfc-editor.org/info/rfc5934>.
[RFC5934]Housley,R.,Ashmore,S.,和C.Wallace,“信任锚管理协议(TAMP)”,RFC 5934,DOI 10.17487/RFC59342010年8月<http://www.rfc-editor.org/info/rfc5934>.
[X.411] ITU-T, "Information technology - Message Handling Systems (MHS): Message Transfer System: Abstract Service Definition and Procedures", ITU-T Recommendation X.411 | ISO/IEC 10021-4:1999, 1999.
[X.411]ITU-T,“信息技术-信息处理系统(MHS):信息传输系统:抽象服务定义和程序”,ITU-T建议X.411 | ISO/IEC 10021-4:1999。
KMAttributes2012 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) modules(0) 39 }
KMAttributes2012 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) modules(0) 39 }
DEFINITIONS IMPLICIT TAGS ::=
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
开始
-- EXPORT ALL
--全部导出
IMPORTS
进口
-- From [RFC5911]
--从[RFC5911]
aa-communityIdentifiers, CommunityIdentifier FROM CMSFirmwareWrapper-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
aa-communityIdentifiers, CommunityIdentifier FROM CMSFirmwareWrapper-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
-- From [RFC5911]
--从[RFC5911]
aa-contentHint, ESSSecurityLabel, id-aa-securityLabel FROM ExtendedSecurityServices-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006-02(42) }
aa-contentHint, ESSSecurityLabel, id-aa-securityLabel FROM ExtendedSecurityServices-2009 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006-02(42) }
-- From [RFC5911] [RFC5912]
--来自[RFC5911][RFC5912]
AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions, KEY-WRAP FROM AlgorithmInformation-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) }
AlgorithmIdentifier{}, SMIME-CAPS, ParamOptions, KEY-WRAP FROM AlgorithmInformation-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) }
-- From [RFC5912]
--来自[RFC5912]
Name, Certificate FROM PKIX1Explicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
Name, Certificate FROM PKIX1Explicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
-- From [RFC5912]
--来自[RFC5912]
GeneralNames, SubjectInfoAccessSyntax, id-pe-subjectInfoAccess FROM PKIX1Implicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
GeneralNames, SubjectInfoAccessSyntax, id-pe-subjectInfoAccess FROM PKIX1Implicit-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
-- FROM [RFC5912]
--来自[RFC5912]
ATTRIBUTE FROM PKIX-CommonTypes-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
ATTRIBUTE FROM PKIX-CommonTypes-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
-- From [RFC6010]
--自[RFC6010]
CMSContentConstraints FROM CMSContentConstraintsCertExtn { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) cmsContentConstr-93(42) }
CMSContentConstraints FROM CMSContentConstraintsCertExtn { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) cmsContentConstr-93(42) }
-- From [RFC6268]
--从[RFC6268]
aa-binarySigningTime, BinaryTime FROM BinarySigningTimeModule-2010 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-binSigningTime-2009(55) }
aa-binarySigningTime, BinaryTime FROM BinarySigningTimeModule-2010 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-binSigningTime-2009(55) }
-- From [RFC6268]
--从[RFC6268]
CertificateChoices, CertificateSet, Attribute {}, aa-contentType, aa-messageDigest FROM CryptographicMessageSyntax-2010 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
CertificateChoices, CertificateSet, Attribute {}, aa-contentType, aa-messageDigest FROM CryptographicMessageSyntax-2010 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }
-- From [RFC7191]
--从[RFC7191]
aa-keyPackageIdentifierAndReceiptRequest, SIREntityName FROM KeyPackageReceiptAndErrorModuleV2 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-keyPkgReceiptAndErrV2(63) }
aa-keyPackageIdentifierAndReceiptRequest, SIREntityName FROM KeyPackageReceiptAndErrorModuleV2 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-keyPkgReceiptAndErrV2(63) }
-- From [X.509]
--自[X.509]
certificateExactMatch FROM CertificateExtensions { joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4 }
certificateExactMatch FROM CertificateExtensions { joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 4 }
;
;
-- ATTRIBUTES
--属性
-- Replaces SignedAttributesSet information object set from -- [RFC6268].
-- Replaces SignedAttributesSet information object set from -- [RFC6268].
SignedAttributesSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest | aa-contentHint | aa-communityIdentifiers | aa-binarySigningTime | aa-keyProvince-v2 | aa-keyPackageIdentifierAndReceiptRequest | aa-manifest | aa-keyAlgorithm | aa-userCertificate | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
SignedAttributesSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest | aa-contentHint | aa-communityIdentifiers | aa-binarySigningTime | aa-keyProvince-v2 | aa-keyPackageIdentifierAndReceiptRequest | aa-manifest | aa-keyAlgorithm | aa-userCertificate | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
-- Replaces UnsignedAttributes from [RFC6268].
--替换[RFC6268]中未签名的属性。
UnsignedAttributes ATTRIBUTE ::= { ... }
UnsignedAttributes ATTRIBUTE ::= { ... }
-- Replaces UnprotectedEnvAttributes from [RFC6268].
--替换[RFC6268]中未受保护的属性。
UnprotectedEnvAttributes ATTRIBUTE ::= { aa-contentDecryptKeyIdentifier | aa-certificatePointers | aa-cRLDistributionPoints, ... }
UnprotectedEnvAttributes ATTRIBUTE ::= { aa-contentDecryptKeyIdentifier | aa-certificatePointers | aa-cRLDistributionPoints, ... }
-- Replaces UnprotectedEncAttributes from [RFC6268].
--从[RFC6268]中替换未受保护的CATTRIBUTES。
UnprotectedEncAttributes ATTRIBUTE ::= { aa-certificatePointers | aa-cRLDistributionPoints, ... }
UnprotectedEncAttributes ATTRIBUTE ::= { aa-certificatePointers | aa-cRLDistributionPoints, ... }
-- Replaces AuthAttributeSet from [RFC6268]
--从[RFC6268]替换AuthAttributeSet
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest | aa-contentHint | aa-communityIdentifiers | aa-keyProvince-v2 | aa-binarySigningTime | aa-keyPackageIdentifierAndReceiptRequest | aa-manifest | aa-keyAlgorithm | aa-userCertificate | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest | aa-contentHint | aa-communityIdentifiers | aa-keyProvince-v2 | aa-binarySigningTime | aa-keyPackageIdentifierAndReceiptRequest | aa-manifest | aa-keyAlgorithm | aa-userCertificate | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
-- Replaces UnauthAttributeSet from [RFC6268]
--替换[RFC6268]中未经授权的属性集
UnauthAttributeSet ATTRIBUTE ::= { ... }
UnauthAttributeSet ATTRIBUTE ::= { ... }
-- Replaces AuthEnvDataAttributeSet from [RFC6268]
--从[RFC6268]替换AuthEnvDataAttributeSet
AuthEnvDataAttributeSet ATTRIBUTE ::= { aa-certificatePointers | aa-cRLDistributionPoints, ... }
AuthEnvDataAttributeSet ATTRIBUTE ::= { aa-certificatePointers | aa-cRLDistributionPoints, ... }
-- Replaces UnauthEnvDataAttributeSet from [RFC6268]
--替换[RFC6268]中未经授权的数据属性集
UnauthEnvDataAttributeSet ATTRIBUTE ::= { ... }
UnauthEnvDataAttributeSet ATTRIBUTE ::= { ... }
-- Replaces OneAsymmetricKeyAttributes from [RFC5958]
--替换[RFC5958]中的OneAsymmetricKeyAttributes
OneAsymmetricKeyAttributes ATTRIBUTE ::= { aa-userCertificate | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-splitIdentifier | aa-signatureUsage-v3 | aa-otherCertificateFormats | aa-pkiPath | aa-usefulCertificates, ... }
OneAsymmetricKeyAttributes ATTRIBUTE ::= { aa-userCertificate | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-splitIdentifier | aa-signatureUsage-v3 | aa-otherCertificateFormats | aa-pkiPath | aa-usefulCertificates, ... }
-- Replaces SKeyPkgAttributes from [RFC6031]
--替换[RFC6031]中的SKeyPkgAttributes
SKeyPkgAttributes ATTRIBUTE ::= { aa-keyAlgorithm | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyWrapAlgorithm | aa-contentDecryptKeyIdentifier, ... }
SKeyPkgAttributes ATTRIBUTE ::= { aa-keyAlgorithm | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyWrapAlgorithm | aa-contentDecryptKeyIdentifier, ... }
-- Replaces SKeyAttributes from [RFC6031]
--替换[RFC6031]中的SkeyAtombates
SKeyAttributes ATTRIBUTE ::= { aa-keyAlgorithm | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-splitIdentifier | aa-keyWrapAlgorithm | aa-contentDecryptKeyIdentifier, ... }
SKeyAttributes ATTRIBUTE ::= { aa-keyAlgorithm | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-splitIdentifier | aa-keyWrapAlgorithm | aa-contentDecryptKeyIdentifier, ... }
-- Replaces ContentAttributeSet from [RFC6268]
--替换[RFC6268]中的ContentAttributeSet
ContentAttributeSet ATTRIBUTE ::= { aa-communityIdentifiers | aa-keyPackageIdentifierAndReceiptRequest | aa-keyAlgorithm | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
ContentAttributeSet ATTRIBUTE ::= { aa-communityIdentifiers | aa-keyPackageIdentifierAndReceiptRequest | aa-keyAlgorithm | aa-keyPackageReceivers-v2 | aa-tsecNomenclature | aa-keyPurpose | aa-keyUse | aa-transportKey | aa-keyDistributionPeriod | aa-transportKey | aa-keyDistributionPeriod | aa-keyValidityPeriod | aa-keyDurationPeriod | aa-classificationAttribute | aa-keyPackageType | aa-pkiPath | aa-usefulCertificates, ... }
-- Content Type, Message Digest, Content Hint, and Binary Signing -- Time are imported from [RFC6268]. -- Community Identifiers is imported from [RFC5911].
-- Content Type, Message Digest, Content Hint, and Binary Signing -- Time are imported from [RFC6268]. -- Community Identifiers is imported from [RFC5911].
-- Key Province
--重点省
aa-keyProvince-v2 ATTRIBUTE ::= { TYPE KeyProvinceV2 IDENTIFIED BY id-aa-KP-keyProvinceV2 }
aa-keyProvince-v2 ATTRIBUTE ::= { TYPE KeyProvinceV2 IDENTIFIED BY id-aa-KP-keyProvinceV2 }
id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 71 }
id-aa-KP-keyProvinceV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 71 }
KeyProvinceV2 ::= OBJECT IDENTIFIER
KeyProvinceV2 ::= OBJECT IDENTIFIER
-- Manifest Attribute
--清单属性
aa-manifest ATTRIBUTE ::= { TYPE Manifest IDENTIFIED BY id-aa-KP-manifest }
aa-manifest ATTRIBUTE ::= { TYPE Manifest IDENTIFIED BY id-aa-KP-manifest }
id-aa-KP-manifest OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 72 }
id-aa-KP-manifest OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 72 }
Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle
Manifest ::= SEQUENCE SIZE (1..MAX) OF ShortTitle
-- Key Algorithm Attribute
--密钥算法属性
aa-keyAlgorithm ATTRIBUTE ::= { TYPE KeyAlgorithm IDENTIFIED BY id-kma-keyAlgorithm }
aa-keyAlgorithm ATTRIBUTE ::= { TYPE KeyAlgorithm IDENTIFIED BY id-kma-keyAlgorithm }
id-kma-keyAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 1 }
id-kma-keyAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 1 }
KeyAlgorithm ::= SEQUENCE { keyAlg OBJECT IDENTIFIER, checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, crcAlg [2] OBJECT IDENTIFIER OPTIONAL }
KeyAlgorithm ::= SEQUENCE { keyAlg OBJECT IDENTIFIER, checkWordAlg [1] OBJECT IDENTIFIER OPTIONAL, crcAlg [2] OBJECT IDENTIFIER OPTIONAL }
-- User Certificate Attribute
--用户证书属性
aa-userCertificate ATTRIBUTE ::= { TYPE Certificate EQUALITY MATCHING RULE certificateExactMatch IDENTIFIED BY id-at-userCertificate }
aa-userCertificate ATTRIBUTE ::= { TYPE Certificate EQUALITY MATCHING RULE certificateExactMatch IDENTIFIED BY id-at-userCertificate }
id-at-userCertificate OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 36 }
id-at-userCertificate OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 36 }
-- Key Package Receivers Attribute
--密钥包接收器属性
aa-keyPackageReceivers-v2 ATTRIBUTE ::= { TYPE KeyPkgReceiversV2 IDENTIFIED BY id-kma-keyPkgReceiversV2 }
aa-keyPackageReceivers-v2 ATTRIBUTE ::= { TYPE KeyPkgReceiversV2 IDENTIFIED BY id-kma-keyPkgReceiversV2 }
id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 16 }
id-kma-keyPkgReceiversV2 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 16 }
KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver
KeyPkgReceiversV2 ::= SEQUENCE SIZE (1..MAX) OF KeyPkgReceiver
KeyPkgReceiver ::= CHOICE { sirEntity [0] SIREntityName, community [1] CommunityIdentifier }
KeyPkgReceiver ::= CHOICE { sirEntity [0] SIREntityName, community [1] CommunityIdentifier }
-- TSEC Nomenclature Attribute
--术语属性
aa-tsecNomenclature ATTRIBUTE ::= { TYPE TSECNomenclature IDENTIFIED BY id-kma-TSECNomenclature }
aa-tsecNomenclature ATTRIBUTE ::= { TYPE TSECNomenclature IDENTIFIED BY id-kma-TSECNomenclature }
id-kma-TSECNomenclature OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 3 }
id-kma-TSECNomenclature OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 3 }
TSECNomenclature ::= SEQUENCE { shortTitle ShortTitle, editionID EditionID OPTIONAL, registerID RegisterID OPTIONAL, segmentID SegmentID OPTIONAL }
TSECNomenclature ::= SEQUENCE { shortTitle ShortTitle, editionID EditionID OPTIONAL, registerID RegisterID OPTIONAL, segmentID SegmentID OPTIONAL }
ShortTitle ::= PrintableString
ShortTitle ::= PrintableString
EditionID ::= CHOICE { char CHOICE { charEdition [1] CharEdition, charEditionRange [2] CharEditionRange }, num CHOICE { numEdition [3] NumEdition, numEditionRange [4] NumEditionRange } }
EditionID ::= CHOICE { char CHOICE { charEdition [1] CharEdition, charEditionRange [2] CharEditionRange }, num CHOICE { numEdition [3] NumEdition, numEditionRange [4] NumEditionRange } }
CharEdition ::= PrintableString
CharEdition ::= PrintableString
CharEditionRange ::= SEQUENCE { firstCharEdition CharEdition, lastCharEdition CharEdition }
CharEditionRange ::= SEQUENCE { firstCharEdition CharEdition, lastCharEdition CharEdition }
NumEdition ::= INTEGER (0..308915776)
NumEdition ::= INTEGER (0..308915776)
NumEditionRange ::= SEQUENCE { firstNumEdition NumEdition, lastNumEdition NumEdition }
NumEditionRange ::= SEQUENCE { firstNumEdition NumEdition, lastNumEdition NumEdition }
RegisterID ::= CHOICE { register [5] Register, registerRange [6] RegisterRange }
RegisterID ::= CHOICE { register [5] Register, registerRange [6] RegisterRange }
Register ::= INTEGER (0..2147483647)
Register ::= INTEGER (0..2147483647)
RegisterRange ::= SEQUENCE { firstRegister Register, lastRegister Register }
RegisterRange ::= SEQUENCE { firstRegister Register, lastRegister Register }
SegmentID ::= CHOICE { segmentNumber [7] SegmentNumber, segmentRange [8] SegmentRange }
SegmentID ::= CHOICE { segmentNumber [7] SegmentNumber, segmentRange [8] SegmentRange }
SegmentNumber ::= INTEGER (1..127)
SegmentNumber ::= INTEGER (1..127)
SegmentRange ::= SEQUENCE { firstSegment SegmentNumber, lastSegment SegmentNumber }
SegmentRange ::= SEQUENCE { firstSegment SegmentNumber, lastSegment SegmentNumber }
-- Key Purpose Attribute
--关键目的属性
aa-keyPurpose ATTRIBUTE ::= { TYPE KeyPurpose IDENTIFIED BY id-kma-keyPurpose }
aa-keyPurpose ATTRIBUTE ::= { TYPE KeyPurpose IDENTIFIED BY id-kma-keyPurpose }
id-kma-keyPurpose OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 13 }
id-kma-keyPurpose OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 13 }
KeyPurpose ::= ENUMERATED { n-a (0), -- Not Applicable a (65), -- Operational b (66), -- Compatible Multiple Key l (76), -- Logistics Combinations m (77), -- Maintenance r (82), -- Reference s (83), -- Sample t (84), -- Training v (86), -- Developmental x (88), -- Exercise z (90), -- "On the Air" Testing ... -- Expect additional key purpose values -- }
KeyPurpose ::= ENUMERATED { n-a (0), -- Not Applicable a (65), -- Operational b (66), -- Compatible Multiple Key l (76), -- Logistics Combinations m (77), -- Maintenance r (82), -- Reference s (83), -- Sample t (84), -- Training v (86), -- Developmental x (88), -- Exercise z (90), -- "On the Air" Testing ... -- Expect additional key purpose values -- }
-- Key Use Attribute
--密钥使用属性
aa-keyUse ATTRIBUTE ::= { TYPE KeyUse IDENTIFIED BY id-kma-keyUse }
aa-keyUse ATTRIBUTE ::= { TYPE KeyUse IDENTIFIED BY id-kma-keyUse }
id-kma-keyUse OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 14 }
id-kma-keyUse OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 14 }
KeyUse ::= ENUMERATED { n-a (0), -- Not Applicable ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) kek (2), -- Key Encryption Key kpk (3), -- Key Production Key msk (4), -- Message Signature Key qkek (5), -- QUADRANT Key Encryption Key tek (6), -- Traffic Encryption Key tsk (7), -- Transmission Security Key trkek (8), -- Transfer Key Encryption Key nfk (9), -- Netted FIREFLY Key effk (10), -- FIREFLY Key (Enhanced Format) ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) aek (12), -- Algorithm Encryption Key wod (13), -- Word of Day kesk (246), -- Key Establishment Key eik (247), -- Entity Identification Key ask (248), -- Authority Signature Key kmk (249), -- Key Modifier Key rsk (250), -- Revocation Signature Key csk (251), -- Certificate Signature Key sak (252), -- Symmetric Authentication Key rgk (253), -- Random Generation Key cek (254), -- Certificate Encryption Key exk (255), -- Exclusion Key ... -- Expect additional key use values -- }
KeyUse ::= ENUMERATED { n-a (0), -- Not Applicable ffk (1), -- FIREFLY/CROSSTALK Key (Basic Format) kek (2), -- Key Encryption Key kpk (3), -- Key Production Key msk (4), -- Message Signature Key qkek (5), -- QUADRANT Key Encryption Key tek (6), -- Traffic Encryption Key tsk (7), -- Transmission Security Key trkek (8), -- Transfer Key Encryption Key nfk (9), -- Netted FIREFLY Key effk (10), -- FIREFLY Key (Enhanced Format) ebfk (11), -- FIREFLY Key (Enhanceable Basic Format) aek (12), -- Algorithm Encryption Key wod (13), -- Word of Day kesk (246), -- Key Establishment Key eik (247), -- Entity Identification Key ask (248), -- Authority Signature Key kmk (249), -- Key Modifier Key rsk (250), -- Revocation Signature Key csk (251), -- Certificate Signature Key sak (252), -- Symmetric Authentication Key rgk (253), -- Random Generation Key cek (254), -- Certificate Encryption Key exk (255), -- Exclusion Key ... -- Expect additional key use values -- }
-- Transport Key Attribute
--传输密钥属性
aa-transportKey ATTRIBUTE ::= { TYPE TransOp IDENTIFIED BY id-kma-transportKey }
aa-transportKey ATTRIBUTE ::= { TYPE TransOp IDENTIFIED BY id-kma-transportKey }
id-kma-transportKey OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 15 }
id-kma-transportKey OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 15 }
TransOp ::= ENUMERATED { transport (1), operational (2) }
TransOp ::= ENUMERATED { transport (1), operational (2) }
-- Key Distribution Period Attribute
--密钥分发周期属性
aa-keyDistributionPeriod ATTRIBUTE ::= { TYPE KeyDistPeriod IDENTIFIED BY id-kma-keyDistPeriod }
aa-keyDistributionPeriod ATTRIBUTE ::= { TYPE KeyDistPeriod IDENTIFIED BY id-kma-keyDistPeriod }
id-kma-keyDistPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 5 }
id-kma-keyDistPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 5 }
KeyDistPeriod ::= SEQUENCE { doNotDistBefore [0] BinaryTime OPTIONAL, doNotDistAfter BinaryTime }
KeyDistPeriod ::= SEQUENCE { doNotDistBefore [0] BinaryTime OPTIONAL, doNotDistAfter BinaryTime }
-- Key Validity Period Attribute
--密钥有效期属性
aa-keyValidityPeriod ATTRIBUTE ::= { TYPE KeyValidityPeriod IDENTIFIED BY id-kma-keyValidityPeriod }
aa-keyValidityPeriod ATTRIBUTE ::= { TYPE KeyValidityPeriod IDENTIFIED BY id-kma-keyValidityPeriod }
id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 6 }
id-kma-keyValidityPeriod OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 6 }
KeyValidityPeriod ::= SEQUENCE { doNotUseBefore BinaryTime, doNotUseAfter BinaryTime OPTIONAL }
KeyValidityPeriod ::= SEQUENCE { doNotUseBefore BinaryTime, doNotUseAfter BinaryTime OPTIONAL }
-- Key Duration Attribute
--密钥持续时间属性
aa-keyDurationPeriod ATTRIBUTE ::= { TYPE KeyDuration IDENTIFIED BY id-kma-keyDuration }
aa-keyDurationPeriod ATTRIBUTE ::= { TYPE KeyDuration IDENTIFIED BY id-kma-keyDuration }
id-kma-keyDuration OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 7 }
id-kma-keyDuration OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 7 }
KeyDuration ::= CHOICE { hours [0] INTEGER (1..ub-KeyDuration-hours), days INTEGER (1..ub-KeyDuration-days), weeks [1] INTEGER (1..ub-KeyDuration-weeks), months [2] INTEGER (1..ub-KeyDuration-months), years [3] INTEGER (1..ub-KeyDuration-years) }
KeyDuration ::= CHOICE { hours [0] INTEGER (1..ub-KeyDuration-hours), days INTEGER (1..ub-KeyDuration-days), weeks [1] INTEGER (1..ub-KeyDuration-weeks), months [2] INTEGER (1..ub-KeyDuration-months), years [3] INTEGER (1..ub-KeyDuration-years) }
ub-KeyDuration-hours INTEGER ::= 96 ub-KeyDuration-days INTEGER ::= 732 ub-KeyDuration-weeks INTEGER ::= 104 ub-KeyDuration-months INTEGER ::= 72 ub-KeyDuration-years INTEGER ::= 100
ub-KeyDuration-hours INTEGER ::= 96 ub-KeyDuration-days INTEGER ::= 732 ub-KeyDuration-weeks INTEGER ::= 104 ub-KeyDuration-months INTEGER ::= 72 ub-KeyDuration-years INTEGER ::= 100
-- Classification Attribute
--分类属性
-- The attribute syntax is imported from [RFC6268]. The term -- "classification" is used in this document, but the term "security -- label" is used in [RFC2634]. The terms have the same meaning.
-- The attribute syntax is imported from [RFC6268]. The term -- "classification" is used in this document, but the term "security -- label" is used in [RFC2634]. The terms have the same meaning.
aa-classificationAttribute ATTRIBUTE ::= { TYPE Classification IDENTIFIED BY id-aa-KP-classification }
aa-classificationAttribute ATTRIBUTE ::= { TYPE Classification IDENTIFIED BY id-aa-KP-classification }
id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel
id-aa-KP-classification OBJECT IDENTIFIER ::= id-aa-securityLabel
Classification ::= ESSSecurityLabel
Classification ::= ESSSecurityLabel
id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 4 }
id-enumeratedRestrictiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 4 }
id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 1 }
id-enumeratedPermissiveAttributes OBJECT IDENTIFIER ::= { 2 16 840 1 101 2 1 8 3 1 }
EnumeratedTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributeList SET OF SecurityAttribute }
EnumeratedTag ::= SEQUENCE { tagName OBJECT IDENTIFIER, attributeList SET OF SecurityAttribute }
SecurityAttribute ::= INTEGER (0..MAX)
SecurityAttribute ::= INTEGER (0..MAX)
-- Split Identifier Attribute
--分割标识符属性
aa-splitIdentifier ATTRIBUTE ::= { TYPE SplitID IDENTIFIED BY id-kma-splitID }
aa-splitIdentifier ATTRIBUTE ::= { TYPE SplitID IDENTIFIED BY id-kma-splitID }
id-kma-splitID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 11 }
id-kma-splitID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 11 }
SplitID ::= SEQUENCE { half ENUMERATED { a(0), b(1) }, combineAlg AlgorithmIdentifier {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL }
SplitID ::= SEQUENCE { half ENUMERATED { a(0), b(1) }, combineAlg AlgorithmIdentifier {COMBINE-ALGORITHM, {CombineAlgorithms}} OPTIONAL }
COMBINE-ALGORITHM ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Params OPTIONAL, ¶mPresence ParamOptions DEFAULT absent, &smimeCaps SMIME-CAPS OPTIONAL } WITH SYNTAX { IDENTIFIER &id [PARAMS [TYPE &Params] ARE ¶mPresence] [SMIME-CAPS &smimeCaps] }
COMBINE-ALGORITHM ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Params OPTIONAL, ¶mPresence ParamOptions DEFAULT absent, &smimeCaps SMIME-CAPS OPTIONAL } WITH SYNTAX { IDENTIFIER &id [PARAMS [TYPE &Params] ARE ¶mPresence] [SMIME-CAPS &smimeCaps] }
CombineAlgorithms COMBINE-ALGORITHM ::= { ... }
CombineAlgorithms COMBINE-ALGORITHM ::= { ... }
-- Key Package Type Attribute
--密钥包类型属性
aa-keyPackageType ATTRIBUTE ::= { TYPE KeyPkgType IDENTIFIED BY id-kma-keyPkgType }
aa-keyPackageType ATTRIBUTE ::= { TYPE KeyPkgType IDENTIFIED BY id-kma-keyPkgType }
id-kma-keyPkgType OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 12 }
id-kma-keyPkgType OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 12 }
KeyPkgType ::= OBJECT IDENTIFIER
KeyPkgType ::= OBJECT IDENTIFIER
-- Signature Usage Attribute
--签名使用属性
aa-signatureUsage-v3 ATTRIBUTE ::= { TYPE SignatureUsage IDENTIFIED BY id-kma-sigUsageV3 }
aa-signatureUsage-v3 ATTRIBUTE ::= { TYPE SignatureUsage IDENTIFIED BY id-kma-sigUsageV3 }
id-kma-sigUsageV3 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 22 }
id-kma-sigUsageV3 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 22 }
SignatureUsage ::= CMSContentConstraints
SignatureUsage ::= CMSContentConstraints
-- Other Certificate Format Attribute
--其他证书格式属性
aa-otherCertificateFormats ATTRIBUTE ::= { TYPE CertificateChoices IDENTIFIED BY id-kma-otherCertFormats }
aa-otherCertificateFormats ATTRIBUTE ::= { TYPE CertificateChoices IDENTIFIED BY id-kma-otherCertFormats }
id-kma-otherCertFormats OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 19 }
id-kma-otherCertFormats OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 19 }
-- PKI Path Attribute
--PKI路径属性
aa-pkiPath ATTRIBUTE ::= { TYPE PkiPath IDENTIFIED BY id-at-pkiPath }
aa-pkiPath ATTRIBUTE ::= { TYPE PkiPath IDENTIFIED BY id-at-pkiPath }
id-at-pkiPath OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 70 }
id-at-pkiPath OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) ds(5) attributes(4) 70 }
PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
PkiPath ::= SEQUENCE SIZE (1..MAX) OF Certificate
-- Useful Certificates Attribute
--有用证书属性
aa-usefulCertificates ATTRIBUTE ::= { TYPE CertificateSet IDENTIFIED BY id-kma-usefulCerts }
aa-usefulCertificates ATTRIBUTE ::= { TYPE CertificateSet IDENTIFIED BY id-kma-usefulCerts }
id-kma-usefulCerts OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 20 }
id-kma-usefulCerts OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 20 }
-- Key Wrap Attribute
--密钥换行属性
aa-keyWrapAlgorithm ATTRIBUTE ::= { TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} IDENTIFIED BY id-kma-keyWrapAlgorithm }
aa-keyWrapAlgorithm ATTRIBUTE ::= { TYPE AlgorithmIdentifier{KEY-WRAP, {KeyEncryptionAlgorithmSet}} IDENTIFIED BY id-kma-keyWrapAlgorithm }
id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 21 }
id-kma-keyWrapAlgorithm OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) keying-material-attributes(13) 21 }
KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... }
KeyEncryptionAlgorithmSet KEY-WRAP ::= { ... }
-- Content Decryption Key Identifier Attribute
--内容解密密钥标识符属性
aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { TYPE ContentDecryptKeyID IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
aa-contentDecryptKeyIdentifier ATTRIBUTE ::= { TYPE ContentDecryptKeyID IDENTIFIED BY id-aa-KP-contentDecryptKeyID }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 66 }
id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes(5) 66 }
ContentDecryptKeyID::= OCTET STRING
ContentDecryptKeyID::= OCTET STRING
-- Certificate Pointers Attribute
--证书指针属性
aa-certificatePointers ATTRIBUTE ::= { TYPE SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
aa-certificatePointers ATTRIBUTE ::= { TYPE SubjectInfoAccessSyntax IDENTIFIED BY id-pe-subjectInfoAccess }
-- CRL Pointers Attribute
--CRL指针属性
aa-cRLDistributionPoints ATTRIBUTE ::= { TYPE GeneralNames IDENTIFIED BY id-aa-KP-crlPointers }
aa-cRLDistributionPoints ATTRIBUTE ::= { TYPE GeneralNames IDENTIFIED BY id-aa-KP-crlPointers }
id-aa-KP-crlPointers OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes (5) 70 }
id-aa-KP-crlPointers OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) attributes (5) 70 }
-- ExtendedErrorCodes
--扩展错误码
id-errorCodes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) errorCodes(22) }
id-errorCodes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) dod(2) infosec(1) errorCodes(22) }
id-missingKeyType OBJECT IDENTIFIER ::= { id-errorCodes 1 }
id-missingKeyType OBJECT IDENTIFIER ::= { id-errorCodes 1 }
id-privacyMarkTooLong OBJECT IDENTIFIER ::= { id-errorCodes 2 }
id-privacyMarkTooLong OBJECT IDENTIFIER ::= { id-errorCodes 2 }
id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { id-errorCodes 3 }
id-unrecognizedSecurityPolicy OBJECT IDENTIFIER ::= { id-errorCodes 3 }
END
终止
Authors' Addresses
作者地址
Paul Timmel National Information Assurance Research Laboratory National Security Agency
保罗·蒂梅尔国家信息保障研究实验室国家安全局
Email: pstimme@nsa.gov
Email: pstimme@nsa.gov
Russ Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 United States
Russ Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州,美国,20170
Email: housley@vigilsec.com
Email: housley@vigilsec.com
Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 United States
Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031
Email: turners@ieca.com
Email: turners@ieca.com