rfc9939.original   rfc9939.txt 
Limited Additional Mechanisms for PKIX and SMIME J. Mandel Internet Engineering Task Force (IETF) J. Mandel
Internet-Draft AKAYLA Request for Comments: 9939 AKAYLA
Intended status: Standards Track R. Housley Category: Standards Track R. Housley
Expires: 6 April 2026 Vigil Security ISSN: 2070-1721 Vigil Security
S. Turner S. Turner
sn3rd sn3rd
3 October 2025 February 2026
PKCS #8 Private-Key Information Content Types PKCS #8: Private-Key Information Content Types
draft-ietf-lamps-pkcs8-prikeyinfo-contenttypes-04
Abstract Abstract
This document defines PKCS #8 content types for use with This document defines PKCS #8 content types for use with
PrivateKeyInfo and EncryptedPrivateKeyInfo as specified in RFC 5958. PrivateKeyInfo and EncryptedPrivateKeyInfo as specified in RFC 5958.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://github.com/
lamps-wg/pkcs8-PriKeyInfoCt. Status information for this document
may be found at https://datatracker.ietf.org/doc/draft-ietf-lamps-
pkcs8-prikeyinfo-contenttypes/.
Discussion of this document takes place on the Limited Additional
Mechanisms for PKIX and SMIME mailing list (mailto:spasm@ietf.org),
which is archived at https://mailarchive.ietf.org/arch/browse/spasm/.
Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.
Source for this draft and an issue tracker can be found at
https://github.com/lamps-wg/pkcs8-PriKeyInfoCt.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document is a product of the Internet Engineering Task Force
Task Force (IETF). Note that other groups may also distribute (IETF). It represents the consensus of the IETF community. It has
working documents as Internet-Drafts. The list of current Internet- received public review and has been approved for publication by the
Drafts is at https://datatracker.ietf.org/drafts/current/. Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference https://www.rfc-editor.org/info/rfc9939.
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 April 2026.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. Private-Key Information Content Types . . . . . . . . . . . . 2 2. Private-Key Information Content Types
3. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 3 3. ASN.1 Module
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. References
6.1. Normative References . . . . . . . . . . . . . . . . . . 5 6.1. Normative References
6.2. Informative References . . . . . . . . . . . . . . . . . 6 6.2. Informative References
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6 Acknowledgments
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses
1. Introduction 1. Introduction
The syntax for private-key information was originally described in The syntax for private-key information was originally described in
[RFC5208], and the syntax was later revised by [RFC5958] to include [RFC5208], and the syntax was later revised by [RFC5958] to include
the AsymmetricKeyPackage content type that supports multiple the AsymmetricKeyPackage content type that supports multiple
PrivateKeyInfos. This document defines PKCS #8 content types for use PrivateKeyInfos. This document defines PKCS #8 content types for use
with one PrivateKeyInfo and EncryptedPrivateKeyInfo. These content with one PrivateKeyInfo and one EncryptedPrivateKeyInfo. These
type assignments are needed for PrivateKeyInfo and content type assignments are needed for the PrivateKeyInfo and
EncryptedPrivateKeyInfo to be carried in the Cryptographic Message EncryptedPrivateKeyInfo to be carried in the Cryptographic Message
Syntax (CMS) [RFC5652]. Syntax (CMS) [RFC5652].
Note: A very long time ago, media types for PrivateKeyInfo and Note: A very long time ago, media types for PrivateKeyInfo and
EncryptedPrivateKeyInfo were assigned as application/pkcs8 and EncryptedPrivateKeyInfo were assigned as "application/pkcs8" and
application/pkcs8-encrypted, respectively. "application/pkcs8-encrypted", respectively.
2. Private-Key Information Content Types 2. Private-Key Information Content Types
This section defines a content type for private-key information and This section defines a content type for private-key information and
encrypted private-key information. encrypted private-key information.
The PrivateKeyInfo content type is identified by the following object The PrivateKeyInfo content type is identified by the following object
identifier: identifier:
id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1) id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) TBD1 } smime(16) ct(1) 52 }
The EncryptedPrivateKeyInfo content type is identified by the The EncryptedPrivateKeyInfo content type is identified by the
following object identifier: following object identifier:
id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1) id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) TBD2 } smime(16) ct(1) 53 }
3. ASN.1 Module 3. ASN.1 Module
The ASN.1 module [X680][X690] in this section builds upon the modules The ASN.1 module [X680] [X690] in this section builds upon the
in [RFC5911]. modules in [RFC5911].
<CODE BEGINS> <CODE BEGINS>
PrivateKeyInfoContentTypes PrivateKeyInfoContentTypes
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-pkcs8ContentType(TBD0) } pkcs-9(9) smime(16) modules(0) id-mod-pkcs8ContentType(85) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS ALL -- EXPORTS ALL
IMPORTS IMPORTS
CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax-2009 -- in [RFC5911] FROM CryptographicMessageSyntax-2009 -- in [RFC5911]
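Review bot: The Note at the end of Section 1 now puts "application/pkcs8" and "application/pkcs8-encrypted" in quotes but still gives no citation for where those media types were assigned, and neither reference list on either side has an entry for them. Suggest adding an informative reference for the registration, so a reader can tell the existing media types apart from the CMS content types this document assigns (52 and 53).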
skipping to change at page 4, line 37 skipping to change at line 130
PrivateKeyInfoContentTypes CONTENT-TYPE ::= { PrivateKeyInfoContentTypes CONTENT-TYPE ::= {
ct-privateKeyInfo | ct-encrPrivateKeyInfo, ct-privateKeyInfo | ct-encrPrivateKeyInfo,
... -- Expect additional content types -- } ... -- Expect additional content types -- }
ct-privateKeyInfo CONTENT-TYPE ::= { PrivateKeyInfo ct-privateKeyInfo CONTENT-TYPE ::= { PrivateKeyInfo
IDENTIFIED BY id-ct-privateKeyInfo } IDENTIFIED BY id-ct-privateKeyInfo }
id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1) id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) TBD1 } smime(16) ct(1) 52 }
ct-encrPrivateKeyInfo CONTENT-TYPE ::= { EncryptedPrivateKeyInfo ct-encrPrivateKeyInfo CONTENT-TYPE ::= { EncryptedPrivateKeyInfo
IDENTIFIED BY id-ct-encrPrivateKeyInfo } IDENTIFIED BY id-ct-encrPrivateKeyInfo }
id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1) id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) TBD2 } smime(16) ct(1) 53 }
END END
<CODE ENDS> <CODE ENDS>
4. Security Considerations 4. Security Considerations
The security considerations in [RFC5958] apply here. The security considerations in [RFC5958] apply here.
5. IANA Considerations 5. IANA Considerations
For the private key info content types defined in section Section 2, For each of the private-key information content types defined in
IANA is requested to assign an object identifier (OID) for each of Section 2, IANA has assigned an Object Identifier (OID). The OIDs
the content types. The OIDs for the content types should be for the content types have been allocated in the "SMI Security for S/
alloacted in the "SMI Security for S/MIME CMS Content Type" registry MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry
(1.2.840.113549.1.9.16.1) [IANA-CMS-CTS], and the description should [IANA-CMS-CTS] as follows:
be set to id-ct-privateKeyInfo (TDB1) and id-ct-encrPrivateKeyInfo
(TBD2).
For the ASN.1 Module in Section 3, IANA is requested to assign an +=========+==========================+===========+
object identifier (OID) for the module identifier. The OID for the | Decimal | Description | Reference |
module should be allocated in the "SMI Security for S/MIME Module +=========+==========================+===========+
Identifier" registry (1.2.840.113549.1.9.16.0) [IANA-SMIME-MODS], and | 52 | id-ct-privateKeyInfo | RFC 9939 |
the Description for the new OID should be set to "id-mod- +---------+--------------------------+-----------+
pkcs8ContentType". | 53 | id-ct-encrPrivateKeyInfo | RFC 9939 |
+---------+--------------------------+-----------+
IANA is also requested to update the application/cms entry in the Table 1
"Media Types" registry to add [ RFC-to-be] to the list of RFCs where
Inner Content Types (ICTs) are defined in the "Optional parameters"
and the "Interoperability considerations" sections.
IANA is also requested to update the application/cms entry in the For the ASN.1 module in Section 3, IANA has assigned an OID for the
"Media Types" registry to add the following values to the module identifier. The OID for the module has been allocated in the
"innerContent" list: "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)"
registry [IANA-SMIME-MODS] as follows:
* privateKeyInfo +=========+=========================+===========+
| Decimal | Description | Reference |
+=========+=========================+===========+
| 85 | id-mod-pkcs8ContentType | RFC 9939 |
+---------+-------------------------+-----------+
Table 2
IANA has updated the application/cms registration entry in the "Media
Types" registry by adding RFC 9939 to the "Interoperability
considerations" section and to the list of RFCs where Inner Content
Types (ICTs) are defined (see the "Optional parameters" section) and
by adding the following values to the list of ICTs:
* privateKeyInfo
* encrPrivateKeyInfo * encrPrivateKeyInfo
And, to update the following row in the application/cms entry's IANA has also updated the "Security considerations" section in the
"Security considerations" section: application/csm entry as follows:
+===============+============================================+ +==========+============================================+
| RFC | CMS Protecting Content Type and Algorithms | | RFC | CMS Protecting Content Type and Algorithms |
+===============+============================================+ +==========+============================================+
| [ RFC-to-be ] | privateKeyInfo and encrPrivateKeyInfo | | RFC 9939 | privateKeyInfo and encrPrivateKeyInfo |
+---------------+--------------------------------------------+ +----------+--------------------------------------------+
Table 1 Table 3
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/rfc/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
DOI 10.17487/RFC5911, June 2010, DOI 10.17487/RFC5911, June 2010,
<https://www.rfc-editor.org/rfc/rfc5911>. <https://www.rfc-editor.org/info/rfc5911>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
DOI 10.17487/RFC5958, August 2010, DOI 10.17487/RFC5958, August 2010,
<https://www.rfc-editor.org/rfc/rfc5958>. <https://www.rfc-editor.org/info/rfc5958>.
[X680] ITU-T, "Information technology -- Abstract Syntax Notation [X680] ITU-T, "Information technology - Abstract Syntax Notation
One (ASN.1): Specification of basic notation", ITU-T One (ASN.1): Specification of basic notation", ITU-T
Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, Recommendation X.680, ISO/IEC 8824-1:2021, February 2021,
<https://www.itu.int/rec/T-REC-X.680>. <https://www.itu.int/rec/T-REC-X.680>.
[X690] ITU-T, "Information technology -- ASN.1 encoding rules: [X690] ITU-T, "Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1-2021, (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021,
February 2021, <https://www.itu.int/rec/T-REC-X.690>. February 2021, <https://www.itu.int/rec/T-REC-X.690>.
6.2. Informative References 6.2. Informative References
[IANA-CMS-CTS] [IANA-CMS-CTS]
"SMI Security for S/MIME CMS Content Type", n.d., IANA, "SMI Security for S/MIME CMS Content Type
<https://www.iana.org/assignments/smi-numbers/smi- (1.2.840.113549.1.9.16.1)",
numbers.xhtml#security-smime-1>. <https://www.iana.org/assignments/smi-numbers>.
[IANA-SMIME-MODS] [IANA-SMIME-MODS]
"SMI Security for S/MIME Module Identifier", n.d., IANA, "SMI Security for S/MIME Module Identifier
<https://www.iana.org/assignments/smi-numbers/smi- (1.2.840.113549.1.9.16.0)",
numbers.xhtml#security-smime-0>. <https://www.iana.org/assignments/smi-numbers>.
[RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8: [RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8:
Private-Key Information Syntax Specification Version 1.2", Private-Key Information Syntax Specification Version 1.2",
RFC 5208, DOI 10.17487/RFC5208, May 2008, RFC 5208, DOI 10.17487/RFC5208, May 2008,
<https://www.rfc-editor.org/rfc/rfc5208>. <https://www.rfc-editor.org/info/rfc5208>.
Acknowledgments Acknowledgments
Thanks to John Gray, Deb Cooley, Mohamed Boucadair, Orie Steele, and Thanks to John Gray, Deb Cooley, Mohamed Boucadair, Orie Steele, and
Éric Vyncke for reviewing the document and providing comments. Éric Vyncke for reviewing the document and providing comments.
Authors' Addresses Authors' Addresses
Joe Mandel Joe Mandel
AKAYLA, Inc. AKAYLA, Inc.
Email: joe@akayla.com Email: joe@akayla.com
Russ Housley Russ Housley
Vigil Security, LLC Vigil Security, LLC
Email: housley@vigilsec.com Email: housley@vigilsec.com
Sean Turner Sean Turner
sn3rd sn3rd
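Review bot: In Section 5, the right-hand sentence introducing the last table reads "the application/csm entry", while the left-hand text and the preceding paragraph on the right both name the media type as application/cms. Suggest correcting it to "application/cms" so the "Security considerations" row for privateKeyInfo and encrPrivateKeyInfo points at the same registry entry as the ICT additions above it.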
 End of changes. 37 change blocks. 
106 lines changed or deleted 98 lines changed or added
