
   Content Description

   Algorithm: A list of algorithms used for signing, digest computation,
   and canonicalization.

   Digest: A list of digests of resources to be authenticated and
   signed.

   Attribute: Optional element that consists of a collection of
   complementary attributes to be authenticated.

   OriginatorInfo: Element that provides identification and keying
   material information related to the originator.

   RecipientInfo: Optional element that provides identification and
   keying material information related to the recipient.

   Attributes Description

   LocatorHrefBase: The LocatorHrefBase provides a similar construct to
   the HTML HREFBASE attribute and implicitly sets all relative URL
   references within the Manifest to be relative to the HrefBase. For
   example, the IOTP Manifest may contain:

   <Manifest LocatorHrefBase='iotp:<globally-unique-tid>'>

   And subsequent Locators may be:

   <Locator href='C.9'>

   An implementation should concatenate the two locator references with
   "#" to create the entire URL. See definition of the Locator attribute
   on the Digest element for more detail.







Davidson & Kawatsura         Informational                      [Page 8]

RFC 2802              Digital Signatures for IOTP             April 2000


4.3.3 Algorithm

   This specification uses an Algorithm data type which indicates many
   different types of algorithms. The Algorithm element allows for
   specification of sub-algorithms as parameters of the primary
   algorithm. This is performed via a parameter within the algorithm
   that provides a reference to another Algorithm. An example of this is
   shown in the Parameter section.

   <!ELEMENT Algorithm (Parameter*) >
   <!ATTLIST Algorithm
           ID             ID                #REQUIRED
           type     (digest|signature)      #IMPLIED
           name           NMTOKEN           #REQUIRED >

   Content Description

   Parameter: The contents of an Algorithm element consist of an
   optional collection of Parameter elements which are specified on a
   per algorithm basis.

   Attributes Description

   ID: The ID of the algorithm is used by the Digest and RecipientInfo
   to refer to the signing or digest algorithm used.

   type: The type of algorithm, either a digest or signature. This is
   implied by the element to which the algorithm is referred. That is,
   if the DigestAlgorithmRef refers to an algorithm, it is implicit by
   reference that the targeted algorithm is a digest.

   name:  The type of the algorithm expressed as a Uniform Resource
   Name.

4.3.4 Digest

   The Digest element consists of the fingerprint of a given resource.
   This element is constructed of two sub-elements. The first one
   indicates the algorithm to be used for computation of the
   fingerprint. The second element consists of the fingerprint value.

   <!ELEMENT Digest (Locator, Value) >
   <!ATTLIST Digest
           DigestAlgorithmRef       IDREF    #REQUIRED
   >

   Content Description

   Locator: Contains a "HREF" or URL Locator for the resources to be
   fingerprinted. For use within IOTP a "scheme" with the value "iotp"
   may be used with the following structure:

     'iotp:<globally-unique-tid>#<id-value>'.

   This should be interpreted as referring to an element with an ID
   attribute that matches <id-value> in any IOTP Message that has a
   TransRefBlk Block with an IotpTransId that matches
   <globally-unique-tid>.

   If the LocatorHrefBase attribute is set on the Manifest element of
   which this Digest element is a child, then concatenate the value of
   the LocatorHrefBase attribute with the value of the Locator attribute
   before identifying the element that is being referred to.

   If the LocatorHrefBase attribute is omitted, <globally-unique-tid>
   should be interpreted as the current IotpTransId, which is included
   in the IOTP message which contains the Manifest component.
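
   The Locator resolution rules above (join LocatorHrefBase and the
   Locator href with "#"; fall back to the current IotpTransId when the
   base is omitted) are easy to get subtly wrong. The following Python is
   an added example, not code from the RFC or from any IOTP
   implementation; the Manifest, the transaction IDs and the element IDs
   in it are constructed. One behaviour it assumes beyond the text: an
   href that already carries the iotp: scheme is treated as complete and
   is not joined to the base.

```python
import xml.etree.ElementTree as ET

IOTP_SCHEME = "iotp:"

# Constructed sample Manifest (not from the RFC): one relative Locator that
# must be joined to LocatorHrefBase, one that is already a full iotp: URL.
SAMPLE_MANIFEST = """<Manifest LocatorHrefBase='iotp:TID-0001'>
  <Digest DigestAlgorithmRef='A2'>
    <Locator href='C.9'/>
    <Value>AAAA</Value>
  </Digest>
  <Digest DigestAlgorithmRef='A2'>
    <Locator href='iotp:TID-0002#D.3'/>
    <Value>BBBB</Value>
  </Digest>
</Manifest>"""


def resolve_locator(href, href_base=None, current_tid=None):
    """Return the full 'iotp:<tid>#<id-value>' URL for a Digest Locator.

    - An href that already carries the iotp: scheme is taken as-is
      (assumption: the RFC does not say how such hrefs interact with
      LocatorHrefBase, so they are treated as complete).
    - With LocatorHrefBase set on the Manifest, base and href are joined
      with '#', as the Manifest attribute description states.
    - Without LocatorHrefBase, the current IotpTransId supplies the tid.
    """
    if href.startswith(IOTP_SCHEME):
        return href
    if href_base is not None:
        return href_base + "#" + href
    if current_tid is None:
        raise ValueError("no LocatorHrefBase and no current IotpTransId")
    return IOTP_SCHEME + current_tid + "#" + href


def parse_iotp_locator(url):
    """Split 'iotp:<tid>#<id-value>' into (tid, id_value); reject anything else."""
    if not url.startswith(IOTP_SCHEME):
        raise ValueError("unsupported locator scheme in %r" % url)
    tid, sep, id_value = url[len(IOTP_SCHEME):].partition("#")
    if not sep or not tid or not id_value or "#" in id_value:
        raise ValueError("malformed iotp locator %r" % url)
    return tid, id_value


def manifest_targets(manifest_xml, current_tid):
    """Resolve every Digest Locator in a Manifest to a (tid, id_value) pair."""
    root = ET.fromstring(manifest_xml)
    href_base = root.get("LocatorHrefBase")
    targets = []
    for digest in root.findall("Digest"):
        href = digest.find("Locator").get("href")
        targets.append(parse_iotp_locator(resolve_locator(href, href_base, current_tid)))
    return targets


if __name__ == "__main__":
    for tid, id_value in manifest_targets(SAMPLE_MANIFEST, current_tid="TID-0009"):
        print("IotpTransId=%s ID=%s" % (tid, id_value))
```

   A verifier that resolves a Locator to the wrong transaction would
   fingerprint the wrong element, so parse_iotp_locator refuses anything
   that is not exactly one tid and one id-value rather than guessing.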

   Value: Encoding of the fingerprint value.

   Attributes Description

   DigestAlgorithmRef: ID Reference of algorithm used for computation of
   the digest.

4.3.5 Attribute

   The Attribute element consists of a complementary piece of
   information, which shall be included in the authenticated part of the
   document. This element has been defined primarily for enabling some
   level of customization in the signature element. This is the area
   where a specific IOTP implementation may include custom attributes
   which must be authenticated directly. An Attribute element consists
   of a value, a type, and a criticality.

   At this time, no IOTP specific attributes are specified.

   <!ELEMENT Attribute ANY >
   <!ATTLIST Attribute
           type               NMTOKEN           #REQUIRED
           critical        ( true | false )     #REQUIRED
   >

   Content Description

   ANY: The actual value of an attribute depends solely upon its type.

   Attributes Description

   type:  Type of the attribute.

   critical: Boolean value that indicates if the attribute is critical
   (true) or not (false). A recipient shall reject a signature that
   contains a critical attribute that he does not recognize. However, an
   unrecognized non-critical attribute may be ignored.
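
   The critical flag is the one place in this section where a verifier
   must make a reject-or-ignore decision. The Python below is an added
   example, not code from the RFC; the Attribute elements and the
   "x-example-" type names are constructed, since the RFC defines no
   IOTP-specific attribute types, and the recognized set is a hypothetical
   implementation's own.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample (not from the RFC): three Attribute elements with
# made-up types. No IOTP-specific attribute types exist, so the set of
# recognized types passed in below is an implementation's own choice.
SAMPLE_ATTRIBUTES = """<Manifest>
  <Attribute type='x-example-purpose' critical='false'>receipt</Attribute>
  <Attribute type='x-example-nonce' critical='true'>8f3a</Attribute>
  <Attribute type='x-example-legacy' critical='true'>old-format</Attribute>
</Manifest>"""

AttributeDecision = namedtuple("AttributeDecision", "accept accepted ignored rejected")


def evaluate_attributes(manifest_xml, recognized_types):
    """Apply the critical-attribute rule to every Attribute in a Manifest.

    accepted: recognized attributes the verifier must process
    ignored:  unrecognized attributes with critical='false'
    rejected: unrecognized attributes with critical='true'; any one of
              these makes the whole signature unacceptable
    """
    root = ET.fromstring(manifest_xml)
    accepted, ignored, rejected = [], [], []
    for attr in root.findall("Attribute"):
        atype = attr.get("type")
        critical = attr.get("critical")
        if atype is None or critical not in ("true", "false"):
            # Both attributes are #REQUIRED in the DTD; a malformed
            # Attribute is an error, not something to guess about.
            raise ValueError("malformed Attribute: type=%r critical=%r" % (atype, critical))
        if atype in recognized_types:
            accepted.append(atype)
        elif critical == "true":
            rejected.append(atype)
        else:
            ignored.append(atype)
    return AttributeDecision(accept=not rejected, accepted=accepted,
                             ignored=ignored, rejected=rejected)


if __name__ == "__main__":
    print(evaluate_attributes(SAMPLE_ATTRIBUTES, {"x-example-nonce"}))
```

   Returning the rejected list, rather than stopping at the first
   unrecognized critical attribute, lets the verifier log every reason
   the signature was refused.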

4.3.6 OriginatorInfo

   The OriginatorInfo element is used for providing identification and
   keying material information for the originator.

   <!ELEMENT OriginatorInfo ANY >
   <!ATTLIST OriginatorInfo
           OriginatorRef       NMTOKEN      #IMPLIED
   >

   Content Description

   ANY:  Identification and keying material information may consist of
   ANY construct.  Such a definition allows the adoption of
   application-specific schemes.

   Attributes Description

   OriginatorRef: A reference to the IOTP Org ID of the originating
   signer.

4.3.7 RecipientInfo

   The RecipientInfo element is used for providing identification and
   keying material information for the recipient. This element is used
   either for enabling recognition of a Signature element by a given
   recipient or when determination of the authentication key consists of
   the combination of keying material provided by both the recipient and
   the originator.

   The RecipientInfo attributes provide a centralized location where
   signatures, algorithms, and certificates intended for a particular
   recipient are specified.

   The signature certificate reference ID MUST point to a certificate
   object.

   <!ELEMENT RecipientInfo ANY >
   <!ATTLIST RecipientInfo
           SignatureAlgorithmRef   IDREF        #REQUIRED
           SignatureValueRef       IDREF        #IMPLIED
           SignatureCertRef        IDREF        #IMPLIED
           RecipientRefs           NMTOKENS     #IMPLIED
   >

   Content Description

   ANY:  Identification and keying material information may consist of
   ANY construct.

   Attributes Description

   SignatureAlgorithmRef: A reference to the signature algorithm used to
   sign the SignatureValueRef intended for this recipient. The signature
   algorithm reference ID MUST point to a signature algorithm within the
   Manifest.

   SignatureValueRef: A reference to the signature value for this
   recipient. The signature value reference ID MUST point to a value
   structure directly included within a Manifest. This reference can be
   omitted if the application can specify the digest value.

   SignatureCertRef: A reference to the certificate used to sign the
   Value pointed to by the SignatureValueRef. This reference can be
   omitted if the application can identify the certificate.

   RecipientRefs: A list of references to the IOTP Org ID of the
   recipients this signature is intended for.

4.3.8 KeyIdentifier

   The key identifier element can identify the shared public/symmetric
   key identification between parties that benefit from a prior
   relationship. This element can be included in the RecipientInfo
   Element.

   <!ELEMENT KeyIdentifier EMPTY>
   <!ATTLIST KeyIdentifier
     value             CDATA        #REQUIRED
   >

4.3.9 Parameter

   A Parameter element provides the value of a particular algorithm
   parameter, whose name and format have been specified for the
   algorithm considered.

   <!ELEMENT Parameter ANY >
   <!ATTLIST Parameter
           type       CDATA       #REQUIRED
   >

   For IOTP 1.0, the following parameter type is standardized:
   "AlgorithmRef".

   An AlgorithmRef contains an ID of a "sub-Algorithm" used when
   computing a sequence of algorithms. For example, a signature
   algorithm actually signs a digest algorithm. To specify a chain of
   algorithms used to compute a signature, AlgorithmRef parameter types
   are used in the following manner:

<Algorithm ID='A1' type='digest' name='urn:ibm-com:dom-hash'>
        <Parameter type='AlgorithmRef'>A2</Parameter>
</Algorithm>
<Algorithm ID='A2' type='digest' name='urn:nist-gov:sha1'>
</Algorithm>
<Algorithm ID='A3' type='signature' name='urn:rsasdi-com:rsa-encryption'>
        <Parameter type='AlgorithmRef'>A1</Parameter>
</Algorithm>

   Content Description

   ANY:  The contents of a Parameter element consist of ANY valid
   construct, which is specified on a per algorithm per parameter basis.

   Attributes Description

   type:  The type of the parameter expressed as a free form string,
   whose value is specified on a per algorithm basis.
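
   Walking an AlgorithmRef chain is where a verifier must guard against
   dangling references and reference loops, neither of which the DTD can
   express. The Python below is an added example, not code from the RFC;
   it reuses the three Algorithm elements from the example above, wrapped
   in a constructed Manifest root, plus a constructed cyclic chain with
   "urn:example:" placeholder names. It assumes one AlgorithmRef parameter
   per Algorithm, as in the RFC's example, and checks a declared type only
   against the type implied by the element that refers to the chain head.

```python
import xml.etree.ElementTree as ET

# The three Algorithm elements from the RFC's example, wrapped in a
# constructed Manifest root so they parse as one document.
SAMPLE_ALGORITHMS = """<Manifest>
<Algorithm ID='A1' type='digest' name='urn:ibm-com:dom-hash'>
        <Parameter type='AlgorithmRef'>A2</Parameter>
</Algorithm>
<Algorithm ID='A2' type='digest' name='urn:nist-gov:sha1'>
</Algorithm>
<Algorithm ID='A3' type='signature' name='urn:rsasdi-com:rsa-encryption'>
        <Parameter type='AlgorithmRef'>A1</Parameter>
</Algorithm>
</Manifest>"""

# Constructed malformed chain (placeholder URNs): A1 -> A2 -> A1.
CYCLIC_ALGORITHMS = """<Manifest>
<Algorithm ID='A1' type='digest' name='urn:example:outer'>
        <Parameter type='AlgorithmRef'>A2</Parameter>
</Algorithm>
<Algorithm ID='A2' type='digest' name='urn:example:inner'>
        <Parameter type='AlgorithmRef'>A1</Parameter>
</Algorithm>
</Manifest>"""


def load_algorithms(manifest_xml):
    """Index Algorithm elements by ID: name, declared type, AlgorithmRef parameters."""
    algs = {}
    for el in ET.fromstring(manifest_xml).findall("Algorithm"):
        aid = el.get("ID")
        if aid in algs:
            raise ValueError("duplicate Algorithm ID %r" % aid)
        refs = [(p.text or "").strip() for p in el.findall("Parameter")
                if p.get("type") == "AlgorithmRef"]
        algs[aid] = {"name": el.get("name"), "type": el.get("type"), "refs": refs}
    return algs


def resolve_chain(algs, start_id, expected_type=None):
    """Follow AlgorithmRef parameters from start_id, primary algorithm first.

    Returns [(ID, name), ...]. Dangling references and cycles are errors.
    expected_type is the type implied by the referring element (e.g.
    'digest' for a DigestAlgorithmRef); a contradicting declared type on
    the chain head is also an error.
    """
    if expected_type is not None:
        declared = algs.get(start_id, {}).get("type")
        if declared and declared != expected_type:
            raise ValueError("%r declares type %r but is referenced as %r"
                             % (start_id, declared, expected_type))
    chain, seen, current = [], set(), start_id
    while current is not None:
        if current not in algs:
            raise ValueError("dangling AlgorithmRef %r" % current)
        if current in seen:
            raise ValueError("AlgorithmRef cycle at %r" % current)
        seen.add(current)
        entry = algs[current]
        chain.append((current, entry["name"]))
        if len(entry["refs"]) > 1:
            # Assumption: one sub-algorithm per step, as in the RFC's example.
            raise ValueError("%r has more than one AlgorithmRef" % current)
        current = entry["refs"][0] if entry["refs"] else None
    return chain


if __name__ == "__main__":
    algs = load_algorithms(SAMPLE_ALGORITHMS)
    for aid, name in resolve_chain(algs, "A3", expected_type="signature"):
        print(aid, name)
```

   For the RFC's example the chain from A3 reads RSA over dom-hash over
   SHA-1, which is the order in which a verifier has to apply the steps
   when recomputing the signed digest.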

4.4 Certificate Component

4.4.1 Certificate

   The Certificate element may be used for either providing the value of
   a digital certificate or specifying a location from where it may be
   retrieved.

   <!ELEMENT Certificate
   (       IssuerAndSerialNumber,
           ( Value | Locator ) )
   >
   <!ATTLIST Certificate
           ID           ID           #IMPLIED
           type         NMTOKEN      #REQUIRED >

   Content Description

   IssuerAndSerialNumber:  Unique identifier of this certificate. This
   element has been made mandatory in order to prevent unnecessary
   decoding during validation of a certificate chain. This feature also
   helps certificate caching, especially when the value is not directly
   provided.

   Value: Encoding of the certificate value. The actual value to be
   encoded depends upon the type of the certificate.

   Locator: XML link element that could be used for retrieving a copy of
   the digital certificate. The actual value being returned by means of
   this locator depends upon the security protocol being used.

   Attributes Description

   ID: Element identifier that may be used to reference the Certificate
   element from a RecipientInfo element.

   type: Type of the digital certificate. This attribute is specified as
   a Universal Resource Name. Support for the X.509 version 3
   certificate [X.509] is mandatory in this specification if the
   Certificate element is used.  The URN for such certificates is
   "urn:X500:X509v3".

4.4.2 IssuerAndSerialNumber

   The IssuerAndSerialNumber element identifies a certificate, and
   thereby an entity and a public key, by the name of the certificate
   issuer and an issuer-specific certificate identification.

   <!ELEMENT IssuerAndSerialNumber EMPTY >
   <!ATTLIST IssuerAndSerialNumber
           issuer        CDATA         #REQUIRED
           number        CDATA         #REQUIRED >

   Attributes Description

   issuer: Name of the issuing certification authority.  See [RFC 2253]
   for RECOMMENDED syntax.

   number: Issuer-specific certificate identification.

4.5 Common Components

4.5.1 Value

   A value contains the "raw" data of a signature or digest algorithm,
   usually in a base-64 encoded form. See [RFC 2045] for the algorithm
   used to base-64 encode data.

   <!ELEMENT Value ( #PCDATA ) >
   <!ATTLIST Value
           ID                 ID            #IMPLIED
           encoding      (base64|none)     'base64'
   >

   Content Description

   PCDATA:  Content value after adequate encoding.
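
   Putting the Digest (4.3.4) and Value elements together: a verifier
   resolves DigestAlgorithmRef to an Algorithm name, decodes the Value
   according to its encoding attribute (defaulting to base64 as the DTD
   does), recomputes the fingerprint and compares. The Python below is an
   added example, not code from the RFC; the resource bytes and the
   Manifest are constructed, the mapping of "urn:nist-gov:sha1" to
   hashlib.sha1 is this example's assumption, and canonicalization (the
   dom-hash step in the RFC's chain) is deliberately left out so that the
   Value handling stays visible.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed resource bytes (not from the RFC).
CONSTRUCTED_RESOURCE = b"<Order ID='C.9'>constructed resource content</Order>"

# Assumption: the algorithm URN from the RFC's example maps to hashlib.sha1.
DIGEST_URNS = {"urn:nist-gov:sha1": hashlib.sha1}

# Constructed Manifest; the Value is filled in by build_sample_manifest.
MANIFEST_TEMPLATE = """<Manifest LocatorHrefBase='iotp:TID-0001'>
  <Algorithm ID='A2' type='digest' name='urn:nist-gov:sha1'></Algorithm>
  <Digest DigestAlgorithmRef='A2'>
    <Locator href='C.9'/>
    <Value encoding='base64'>%s</Value>
  </Digest>
</Manifest>"""


def decode_value(text, encoding="base64"):
    """Decode a Value element's PCDATA according to its encoding attribute."""
    text = (text or "").strip()
    if encoding == "base64":
        return base64.b64decode(text, validate=True)
    if encoding == "none":
        return text.encode("utf-8")  # assumption: 'none' means the raw text as UTF-8
    raise ValueError("unknown Value encoding %r" % encoding)


def build_sample_manifest(resource):
    """Signer side: produce a Manifest whose Digest Value matches 'resource'."""
    fingerprint = hashlib.sha1(resource).digest()
    return MANIFEST_TEMPLATE % base64.b64encode(fingerprint).decode("ascii")


def verify_digests(manifest_xml, resources):
    """Verifier side: recompute every Digest over 'resources' (keyed by Locator href).

    Returns {href: bool}. An unknown DigestAlgorithmRef or an unsupported
    algorithm URN is an error, never a silent pass.
    """
    root = ET.fromstring(manifest_xml)
    algs = {a.get("ID"): a.get("name") for a in root.findall("Algorithm")}
    results = {}
    for digest in root.findall("Digest"):
        ref = digest.get("DigestAlgorithmRef")
        if ref not in algs:
            raise ValueError("DigestAlgorithmRef %r matches no Algorithm" % ref)
        ctor = DIGEST_URNS.get(algs[ref])
        if ctor is None:
            raise ValueError("unsupported digest algorithm %r" % algs[ref])
        href = digest.find("Locator").get("href")
        value = digest.find("Value")
        expected = decode_value(value.text, value.get("encoding", "base64"))
        actual = ctor(resources[href]).digest()
        # Constant-time comparison, so a mismatch cannot be probed byte by byte.
        results[href] = hmac.compare_digest(expected, actual)
    return results


if __name__ == "__main__":
    manifest = build_sample_manifest(CONSTRUCTED_RESOURCE)
    print(verify_digests(manifest, {"C.9": CONSTRUCTED_RESOURCE}))
```

   The resources dict is keyed by the relative href for brevity; a full
   implementation would key it by the resolved iotp: URL. Rejecting an
   unrecognized encoding or algorithm URN outright matters because a
   Manifest controlled by a counterparty must not be able to steer the
   verifier onto a weaker or undefined comparison.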
