The title of the document is: "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure. Certificate and Certificate Revocation List (CRL) Profile".
RFC 4055 [15] supplements RFC 3279 [12] to describe how to use some newer cryptographic algorithms.
Hash-functions
id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 }
id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 }
id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 }
id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 }
Mask Generation functions
mgf1SHA-1Identifier AlgorithmIdentifier ::= { id-mgf1, sha1Identifier }
mgf1SHA-224Identifier AlgorithmIdentifier ::= { id-mgf1, sha224Identifier }
mgf1SHA-256Identifier AlgorithmIdentifier ::= { id-mgf1, sha256Identifier }
mgf1SHA-384Identifier AlgorithmIdentifier ::= { id-mgf1, sha384Identifier }
mgf1SHA-512Identifier AlgorithmIdentifier ::= { id-mgf1, sha512Identifier }
Signature algorithms
id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
Signature suites
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 }
sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 }
sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 }
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 }
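The identifiers listed above appear on the wire as DER-encoded OBJECT IDENTIFIERs, and a verifier has to recognise them byte for byte. The following is an added example, not part of the original document: it encodes the listed arcs and strictly decodes them again. The expansion of pkcs-1 to 1.2.840.113549.1.1 is the standard PKCS #1 arc and is assumed here, since the listing does not spell it out; the function names are illustrative.

```python
# Added example. Arcs are taken from the listing above; the pkcs-1 prefix
# 1.2.840.113549.1.1 is the standard PKCS #1 arc, not spelled out on the page.
HASHALGS = (2, 16, 840, 1, 101, 3, 4, 2)
PKCS1 = (1, 2, 840, 113549, 1, 1)
OIDS = {
    "id-sha224": HASHALGS + (4,), "id-sha256": HASHALGS + (1,),
    "id-sha384": HASHALGS + (2,), "id-sha512": HASHALGS + (3,),
    "id-RSASSA-PSS": PKCS1 + (10,),
    "sha224WithRSAEncryption": PKCS1 + (14,), "sha256WithRSAEncryption": PKCS1 + (11,),
    "sha384WithRSAEncryption": PKCS1 + (12,), "sha512WithRSAEncryption": PKCS1 + (13,),
}
NAMES = {arcs: name for name, arcs in OIDS.items()}

def _base128(n):
    """Big-endian base-128, continuation bit set on all but the last byte."""
    out = [n & 0x7F]
    while n := n >> 7:
        out.append((n & 0x7F) | 0x80)
    return bytes(reversed(out))

def encode_oid(arcs):
    """DER-encode an OID: tag 0x06, short-form length, packed arcs."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body

def decode_oid(der):
    """Strict decode: rejects wrong tag/length, padded arcs and truncation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    values, cur, fresh = [], 0, True
    for b in der[2:]:
        if fresh and b == 0x80:
            raise ValueError("non-minimal arc encoding")
        cur = (cur << 7) | (b & 0x7F)
        fresh = not (b & 0x80)
        if fresh:
            values.append(cur)
            cur = 0
    if not fresh:
        raise ValueError("truncated arc")
    first = min(values[0] // 40, 2)
    return (first, values[0] - 40 * first) + tuple(values[1:])

def identify(der):
    return NAMES.get(decode_oid(der))  # None if the OID is not in the listing
```

Rejecting padded arcs matters because two different byte strings must never name the same algorithm when a policy is matched against encoded identifiers.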
Annex G (informative):
Abstracts of ISO/IEC 10118-3 and ISO/IEC 9796-2
Abstract of ISO/IEC 10118-3 [3]
ISO/IEC 10118-3 [3] specifies the following seven dedicated hash-functions, i.e. specially-designed hash-functions:
1) RIPEMD-160 in clause 7 provides hash-codes of lengths up to 160 bits.
2) RIPEMD-128 in clause 8 provides hash-codes of lengths up to 128 bits.
3) SHA-1 in clause 9 provides hash-codes of lengths up to 160 bits.
4) SHA-256 in clause 10 provides hash-codes of lengths up to 256 bits.
5) SHA-512 in clause 11 provides hash-codes of lengths up to 512 bits.
6) SHA-384 in clause 12 provides hash-codes of a fixed length, 384 bits.
7) WHIRLPOOL in clause 13 provides hash-codes of lengths up to 512 bits.
For each of these dedicated hash-functions, ISO/IEC 10118-3 [3] specifies a round-function that consists of a sequence of sub-functions, a padding method, initializing values, parameters, constants, and an object identifier as normative information, and also specifies several computation examples as informative information.
Abstract of ISO/IEC 9796-2 [17]
ISO/IEC 9796-2 [17] specifies three digital signature schemes giving message recovery, two of which are deterministic (non-randomized) and one of which is randomized. The security of all three schemes is based on the difficulty of factorizing large numbers. All three schemes can provide either total or partial message recovery.
The method for key production for the three signature schemes is specified in ISO/IEC 9796-2 [17]. However, techniques for key management and for random number generation (as required for the randomized signature scheme), are outside the scope of ISO/IEC 9796-2 [17].
Wherever possible, the second mechanism (Digital signature scheme 2) is RECOMMENDED. However, in environments where generation of random variables by the signer is deemed infeasible, then Digital signature scheme 3 is RECOMMENDED. Digital signature scheme 1 SHALL only be used in environments where compatibility is required with systems implementing the first edition of this International Standard.
Annex H (informative):
Signature maintenance
An advanced electronic signature SHOULD be verified according to a signature policy that meets the business needs. There may exist valid reasons under particular circumstances to use a signature policy different from the one which should normally be used. In such a case, the full implications must be understood and carefully weighed by the verifier. A signature policy MAY include constraints about which algorithms and key lengths are deemed appropriate under that policy and/or define a time beyond which the algorithms/keys related to an advanced electronic signature should not be trusted anymore, unless additional security measures are taken.
It may be necessary to re-verify advanced electronic signatures (this is called a subsequent verification) well beyond the time they were initially verified. At the time of re-verification, trust anchors and algorithms that were initially defined in the signature policy may not be secure anymore. Additional security measures need to be taken so that this can be done. It may also happen that some keys were secure at the time the initial verification of an advanced electronic signature was performed, but due to some "accident" this is no longer the case later on (e.g. due to a key compromise).
In both cases, it is possible to maintain the security of an advanced electronic signature which has already been successfully verified. This may be done with security measures such as:
• the secure archival of both the definition of the signature policy (or an unambiguous reference to it) and all the data initially used to verify the advanced electronic signature according to that signature policy; or
• the secure archival of both the definition of the signature policy and the addition to the advanced electronic signature of other data (e.g. time-stamps) that will allow subsequent verifications.
These measures may be defined in the signature policy itself or "elsewhere" in a set of rules called a "signature maintenance policy" which will allow the validity of advanced electronic signatures to be maintained.
When there is an interest in being able to re-verify advanced electronic signatures under a given signature policy at a time when it is possible or likely that the algorithms and key lengths originally used will not be secure anymore, then a signature maintenance process MUST be applied to these advanced electronic signatures. The sooner the process is applied, the better. This process MAY need to be performed again and again when advanced electronic signatures need to be verified over a very long time period.
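The reasoning of this annex can be made concrete as a check over a signature and the time-stamps added to it during maintenance. The following is an added example, not part of the original document, and it generalizes the text to a chain of repeated time-stamps: each layer must have been covered by the next one while its own algorithm and key length were still trusted, and only the outermost layer has to be trusted today. The policy table, its dates and all function names are constructed for illustration.

```python
from datetime import date

# Constructed policy: last day each (algorithm, key length) pair is trusted.
# The dates are illustrative assumptions, not values from this document.
TRUSTED_UNTIL = {
    ("sha1WithRSAEncryption", 1024): date(2010, 12, 31),
    ("sha256WithRSAEncryption", 2048): date(2030, 12, 31),
    ("sha512WithRSAEncryption", 4096): date(2040, 12, 31),
}

def verify_chain(layers, today):
    """layers[0] is the signature (algorithm, key bits, creation date); every
    later layer is a time-stamp covering all earlier layers.
    Returns (ok, reason)."""
    for i, (alg, bits, created) in enumerate(layers):
        limit = TRUSTED_UNTIL.get((alg, bits))
        if limit is None:
            return False, f"layer {i}: {alg}/{bits} not allowed by policy"
        # A layer is judged at the moment the next layer froze it,
        # or at re-verification time if it is the outermost layer.
        judged_at = layers[i + 1][2] if i + 1 < len(layers) else today
        if judged_at < created:
            return False, f"layer {i}: layers are out of chronological order"
        if judged_at > limit:
            return False, f"layer {i}: {alg}/{bits} no longer trusted on {judged_at}"
    return True, "ok"

def maintenance_due(layers, today, margin_days=365):
    """True when the outermost layer's algorithm leaves the policy within
    margin_days, i.e. a further time-stamp should be added now."""
    alg, bits, _ = layers[-1]
    return (TRUSTED_UNTIL[(alg, bits)] - today).days <= margin_days

if __name__ == "__main__":
    sig = ("sha1WithRSAEncryption", 1024, date(2008, 5, 1))
    in_time = [sig, ("sha256WithRSAEncryption", 2048, date(2009, 6, 1))]
    too_late = [sig, ("sha256WithRSAEncryption", 2048, date(2012, 1, 1))]
    for chain in ([sig], in_time, too_late):
        print(len(chain), verify_chain(chain, date(2015, 1, 1)))
```

The third chain fails although its time-stamp uses a trusted algorithm, which is why the annex says that the sooner the maintenance process is applied, the better.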