rfc9939.original		rfc9939.txt
	Limited Additional Mechanisms for PKIX and SMIME J. Mandel		Internet Engineering Task Force (IETF) J. Mandel
	Internet-Draft AKAYLA		Request for Comments: 9939 AKAYLA
	Intended status: Standards Track R. Housley		Category: Standards Track R. Housley
	Expires: 6 April 2026 Vigil Security		ISSN: 2070-1721 Vigil Security
	S. Turner		S. Turner
	sn3rd		sn3rd
	3 October 2025		February 2026
	PKCS #8 Private-Key Information Content Types		PKCS #8: Private-Key Information Content Types
	draft-ietf-lamps-pkcs8-prikeyinfo-contenttypes-04
	Abstract		Abstract
	This document defines PKCS #8 content types for use with		This document defines PKCS #8 content types for use with
	PrivateKeyInfo and EncryptedPrivateKeyInfo as specified in RFC 5958.		PrivateKeyInfo and EncryptedPrivateKeyInfo as specified in RFC 5958.
	About This Document
	This note is to be removed before publishing as an RFC.
	The latest revision of this draft can be found at https://github.com/
	lamps-wg/pkcs8-PriKeyInfoCt. Status information for this document
	may be found at https://datatracker.ietf.org/doc/draft-ietf-lamps-
	pkcs8-prikeyinfo-contenttypes/.
	Discussion of this document takes place on the Limited Additional
	Mechanisms for PKIX and SMIME mailing list (mailto:spasm@ietf.org),
	which is archived at https://mailarchive.ietf.org/arch/browse/spasm/.
	Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.
	Source for this draft and an issue tracker can be found at
	https://github.com/lamps-wg/pkcs8-PriKeyInfoCt.
	Status of This Memo		Status of This Memo
	This Internet-Draft is submitted in full conformance with the		This is an Internet Standards Track document.
	provisions of BCP 78 and BCP 79.
	Internet-Drafts are working documents of the Internet Engineering		This document is a product of the Internet Engineering Task Force
	Task Force (IETF). Note that other groups may also distribute		(IETF). It represents the consensus of the IETF community. It has
	working documents as Internet-Drafts. The list of current Internet-		received public review and has been approved for publication by the
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Internet Engineering Steering Group (IESG). Further information on
			Internet Standards is available in Section 2 of RFC 7841.
	Internet-Drafts are draft documents valid for a maximum of six months		Information about the current status of this document, any errata,
	and may be updated, replaced, or obsoleted by other documents at any		and how to provide feedback on it may be obtained at
	time. It is inappropriate to use Internet-Drafts as reference		https://www.rfc-editor.org/info/rfc9939.
	material or to cite them other than as "work in progress."
	This Internet-Draft will expire on 6 April 2026.
	Copyright Notice		Copyright Notice
	Copyright (c) 2025 IETF Trust and the persons identified as the		Copyright (c) 2026 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents (https://trustee.ietf.org/		Provisions Relating to IETF Documents
	license-info) in effect on the date of publication of this document.		(https://trustee.ietf.org/license-info) in effect on the date of
	Please review these documents carefully, as they describe your rights		publication of this document. Please review these documents
	and restrictions with respect to this document. Code Components		carefully, as they describe your rights and restrictions with respect
	extracted from this document must include Revised BSD License text as		to this document. Code Components extracted from this document must
	described in Section 4.e of the Trust Legal Provisions and are		include Revised BSD License text as described in Section 4.e of the
	provided without warranty as described in the Revised BSD License.		Trust Legal Provisions and are provided without warranty as described
			in the Revised BSD License.
	Table of Contents		Table of Contents
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2		1. Introduction
	2. Private-Key Information Content Types . . . . . . . . . . . . 2		2. Private-Key Information Content Types
	3. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 3		3. ASN.1 Module
	4. Security Considerations . . . . . . . . . . . . . . . . . . . 5		4. Security Considerations
	5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5		5. IANA Considerations
	6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5		6. References
	6.1. Normative References . . . . . . . . . . . . . . . . . . 5		6.1. Normative References
	6.2. Informative References . . . . . . . . . . . . . . . . . 6		6.2. Informative References
	Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6		Acknowledgments
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6		Authors' Addresses
	1. Introduction		1. Introduction
	The syntax for private-key information was originally described in		The syntax for private-key information was originally described in
	[RFC5208], and the syntax was later revised by [RFC5958] to include		[RFC5208], and the syntax was later revised by [RFC5958] to include
	the AsymmetricKeyPackage content type that supports multiple		the AsymmetricKeyPackage content type that supports multiple
	PrivateKeyInfos. This document defines PKCS #8 content types for use		PrivateKeyInfos. This document defines PKCS #8 content types for use
	with one PrivateKeyInfo and EncryptedPrivateKeyInfo. These content		with one PrivateKeyInfo and one EncryptedPrivateKeyInfo. These
	type assignments are needed for PrivateKeyInfo and		content type assignments are needed for the PrivateKeyInfo and
	EncryptedPrivateKeyInfo to be carried in the Cryptographic Message		EncryptedPrivateKeyInfo to be carried in the Cryptographic Message
	Syntax (CMS) [RFC5652].		Syntax (CMS) [RFC5652].
	Note: A very long time ago, media types for PrivateKeyInfo and		Note: A very long time ago, media types for PrivateKeyInfo and
	EncryptedPrivateKeyInfo were assigned as application/pkcs8 and		EncryptedPrivateKeyInfo were assigned as "application/pkcs8" and
	application/pkcs8-encrypted, respectively.		"application/pkcs8-encrypted", respectively.
	2. Private-Key Information Content Types		2. Private-Key Information Content Types
	This section defines a content type for private-key information and		This section defines a content type for private-key information and
	encrypted private-key information.		encrypted private-key information.
	The PrivateKeyInfo content type is identified by the following object		The PrivateKeyInfo content type is identified by the following object
	identifier:		identifier:
	id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)		id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
	member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)		member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
	smime(16) ct(1) TBD1 }		smime(16) ct(1) 52 }
	The EncryptedPrivateKeyInfo content type is identified by the		The EncryptedPrivateKeyInfo content type is identified by the
	following object identifier:		following object identifier:
	id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)		id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
	member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)		member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
	smime(16) ct(1) TBD2 }		smime(16) ct(1) 53 }
	3. ASN.1 Module		3. ASN.1 Module
	The ASN.1 module [X680][X690] in this section builds upon the modules		The ASN.1 module [X680] [X690] in this section builds upon the
	in [RFC5911].		modules in [RFC5911].
	<CODE BEGINS>		<CODE BEGINS>
	PrivateKeyInfoContentTypes		PrivateKeyInfoContentTypes
	{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)		{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
	pkcs-9(9) smime(16) modules(0) id-mod-pkcs8ContentType(TBD0) }		pkcs-9(9) smime(16) modules(0) id-mod-pkcs8ContentType(85) }
	DEFINITIONS IMPLICIT TAGS ::=		DEFINITIONS IMPLICIT TAGS ::=
	BEGIN		BEGIN
	-- EXPORTS ALL		-- EXPORTS ALL
	IMPORTS		IMPORTS
	CONTENT-TYPE		CONTENT-TYPE
	FROM CryptographicMessageSyntax-2009 -- in [RFC5911]		FROM CryptographicMessageSyntax-2009 -- in [RFC5911]
	skipping to change at page 4, line 37 ¶		skipping to change at line 130 ¶
	PrivateKeyInfoContentTypes CONTENT-TYPE ::= {		PrivateKeyInfoContentTypes CONTENT-TYPE ::= {
	ct-privateKeyInfo | ct-encrPrivateKeyInfo,		ct-privateKeyInfo | ct-encrPrivateKeyInfo,
	... -- Expect additional content types -- }		... -- Expect additional content types -- }
	ct-privateKeyInfo CONTENT-TYPE ::= { PrivateKeyInfo		ct-privateKeyInfo CONTENT-TYPE ::= { PrivateKeyInfo
	IDENTIFIED BY id-ct-privateKeyInfo }		IDENTIFIED BY id-ct-privateKeyInfo }
	id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)		id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
	member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)		member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
	smime(16) ct(1) TBD1 }		smime(16) ct(1) 52 }
	ct-encrPrivateKeyInfo CONTENT-TYPE ::= { EncryptedPrivateKeyInfo		ct-encrPrivateKeyInfo CONTENT-TYPE ::= { EncryptedPrivateKeyInfo
	IDENTIFIED BY id-ct-encrPrivateKeyInfo }		IDENTIFIED BY id-ct-encrPrivateKeyInfo }
	id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)		id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1)
	member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)		member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
	smime(16) ct(1) TBD2 }		smime(16) ct(1) 53 }
	END		END
	<CODE ENDS>		<CODE ENDS>
	4. Security Considerations		4. Security Considerations
	The security considerations in [RFC5958] apply here.		The security considerations in [RFC5958] apply here.
	5. IANA Considerations		5. IANA Considerations
	For the private key info content types defined in section Section 2,		For each of the private-key information content types defined in
	IANA is requested to assign an object identifier (OID) for each of		Section 2, IANA has assigned an Object Identifier (OID). The OIDs
	the content types. The OIDs for the content types should be		for the content types have been allocated in the "SMI Security for S/
	alloacted in the "SMI Security for S/MIME CMS Content Type" registry		MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry
	(1.2.840.113549.1.9.16.1) [IANA-CMS-CTS], and the description should		[IANA-CMS-CTS] as follows:
	be set to id-ct-privateKeyInfo (TDB1) and id-ct-encrPrivateKeyInfo
	(TBD2).
	For the ASN.1 Module in Section 3, IANA is requested to assign an		+=========+==========================+===========+
	object identifier (OID) for the module identifier. The OID for the		| Decimal | Description | Reference |
	module should be allocated in the "SMI Security for S/MIME Module		+=========+==========================+===========+
	Identifier" registry (1.2.840.113549.1.9.16.0) [IANA-SMIME-MODS], and		| 52 | id-ct-privateKeyInfo | RFC 9939 |
	the Description for the new OID should be set to "id-mod-		+---------+--------------------------+-----------+
	pkcs8ContentType".		| 53 | id-ct-encrPrivateKeyInfo | RFC 9939 |
			+---------+--------------------------+-----------+
	IANA is also requested to update the application/cms entry in the		Table 1
	"Media Types" registry to add [ RFC-to-be] to the list of RFCs where
	Inner Content Types (ICTs) are defined in the "Optional parameters"
	and the "Interoperability considerations" sections.
	IANA is also requested to update the application/cms entry in the		For the ASN.1 module in Section 3, IANA has assigned an OID for the
	"Media Types" registry to add the following values to the		module identifier. The OID for the module has been allocated in the
	"innerContent" list:		"SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)"
			registry [IANA-SMIME-MODS] as follows:
	* privateKeyInfo		+=========+=========================+===========+
			| Decimal | Description | Reference |
			+=========+=========================+===========+
			| 85 | id-mod-pkcs8ContentType | RFC 9939 |
			+---------+-------------------------+-----------+
			Table 2
			IANA has updated the application/cms registration entry in the "Media
			Types" registry by adding RFC 9939 to the "Interoperability
			considerations" section and to the list of RFCs where Inner Content
			Types (ICTs) are defined (see the "Optional parameters" section) and
			by adding the following values to the list of ICTs:
			* privateKeyInfo
	* encrPrivateKeyInfo		* encrPrivateKeyInfo
	And, to update the following row in the application/cms entry's		IANA has also updated the "Security considerations" section in the
	"Security considerations" section:		application/csm entry as follows:
	+===============+============================================+		+==========+============================================+
	| RFC | CMS Protecting Content Type and Algorithms |		| RFC | CMS Protecting Content Type and Algorithms |
	+===============+============================================+		+==========+============================================+
	| [ RFC-to-be ] | privateKeyInfo and encrPrivateKeyInfo |		| RFC 9939 | privateKeyInfo and encrPrivateKeyInfo |
	+---------------+--------------------------------------------+		+----------+--------------------------------------------+
	Table 1		Table 3
	6. References		6. References
	6.1. Normative References		6.1. Normative References
	[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,		[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
	RFC 5652, DOI 10.17487/RFC5652, September 2009,		RFC 5652, DOI 10.17487/RFC5652, September 2009,
	<https://www.rfc-editor.org/rfc/rfc5652>.		<https://www.rfc-editor.org/info/rfc5652>.
	[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for		[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
	Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,		Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
	DOI 10.17487/RFC5911, June 2010,		DOI 10.17487/RFC5911, June 2010,
	<https://www.rfc-editor.org/rfc/rfc5911>.		<https://www.rfc-editor.org/info/rfc5911>.
	[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,		[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
	DOI 10.17487/RFC5958, August 2010,		DOI 10.17487/RFC5958, August 2010,
	<https://www.rfc-editor.org/rfc/rfc5958>.		<https://www.rfc-editor.org/info/rfc5958>.
	[X680] ITU-T, "Information technology -- Abstract Syntax Notation		[X680] ITU-T, "Information technology - Abstract Syntax Notation
	One (ASN.1): Specification of basic notation", ITU-T		One (ASN.1): Specification of basic notation", ITU-T
	Recommendation X.680, ISO/IEC 8824-1:2021, February 2021,		Recommendation X.680, ISO/IEC 8824-1:2021, February 2021,
	<https://www.itu.int/rec/T-REC-X.680>.		<https://www.itu.int/rec/T-REC-X.680>.
	[X690] ITU-T, "Information technology -- ASN.1 encoding rules:		[X690] ITU-T, "Information technology - ASN.1 encoding rules:
	Specification of Basic Encoding Rules (BER), Canonical		Specification of Basic Encoding Rules (BER), Canonical
	Encoding Rules (CER) and Distinguished Encoding Rules		Encoding Rules (CER) and Distinguished Encoding Rules
	(DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1-2021,		(DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021,
	February 2021, <https://www.itu.int/rec/T-REC-X.690>.		February 2021, <https://www.itu.int/rec/T-REC-X.690>.
	6.2. Informative References		6.2. Informative References
	[IANA-CMS-CTS]		[IANA-CMS-CTS]
	"SMI Security for S/MIME CMS Content Type", n.d.,		IANA, "SMI Security for S/MIME CMS Content Type
	<https://www.iana.org/assignments/smi-numbers/smi-		(1.2.840.113549.1.9.16.1)",
	numbers.xhtml#security-smime-1>.		<https://www.iana.org/assignments/smi-numbers>.
	[IANA-SMIME-MODS]		[IANA-SMIME-MODS]
	"SMI Security for S/MIME Module Identifier", n.d.,		IANA, "SMI Security for S/MIME Module Identifier
	<https://www.iana.org/assignments/smi-numbers/smi-		(1.2.840.113549.1.9.16.0)",
	numbers.xhtml#security-smime-0>.		<https://www.iana.org/assignments/smi-numbers>.
	[RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8:		[RFC5208] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8:
	Private-Key Information Syntax Specification Version 1.2",		Private-Key Information Syntax Specification Version 1.2",
	RFC 5208, DOI 10.17487/RFC5208, May 2008,		RFC 5208, DOI 10.17487/RFC5208, May 2008,
	<https://www.rfc-editor.org/rfc/rfc5208>.		<https://www.rfc-editor.org/info/rfc5208>.
	Acknowledgments		Acknowledgments
	Thanks to John Gray, Deb Cooley, Mohamed Boucadair, Orie Steele, and		Thanks to John Gray, Deb Cooley, Mohamed Boucadair, Orie Steele, and
	Éric Vyncke for reviewing the document and providing comments.		Éric Vyncke for reviewing the document and providing comments.
	Authors' Addresses		Authors' Addresses
	Joe Mandel		Joe Mandel
	AKAYLA, Inc.		AKAYLA, Inc.
	Email: joe@akayla.com		Email: joe@akayla.com
	Russ Housley		Russ Housley
	Vigil Security, LLC		Vigil Security, LLC
	Email: housley@vigilsec.com		Email: housley@vigilsec.com
	Sean Turner		Sean Turner
	sn3rd		sn3rd
End of changes. 37 change blocks.
	106 lines changed or deleted		98 lines changed or added
This html diff was produced by rfcdiff 1.48.