Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
APPENDIX D: Revisions<br />
The original version of this document was published in August, 2005. In May, 2006, the<br />
following revisions were incorporated:<br />
1. The definition of security strength has been revised to remove “or security level”<br />
from the first column, since this term is not used in the document.<br />
2. In the footnote for 2TDEA in Table 2 of Section 5.6.1, the word “guarantee” has<br />
been changed to “assessment”.<br />
3. In the paragraph under Table 2 in Section 5.6.1, the phrase “or security strength”<br />
has been inserted into line 3. In line 5, the phrase “and the security strength to be<br />
provided by the digital signature” has been inserted.<br />
4. In Table 3 of Section 5.6.1, a list of appropriate hash functions have been inserted<br />
into the HMAC and Key Derivation Function columns. In addition, a footnote has<br />
been included for the Key Derivation Function column.<br />
5. The original text for the paragraph immediately below Table 3 has been removed.<br />
In March, 2007, the following revisions were made to allow the dual use of keys during<br />
certificate requests:<br />
1. In Section 5.2, the following text was added:<br />
“This specification also permits the use of a key transport or key agreement<br />
private key to generate a digital signature for the following special case:<br />
When requesting the (initial) certificate for a static key establishment key,<br />
the associated private key may be used to sign the certificate request. Also<br />
refer to Section 8.1.5.1.1.2.”<br />
2. In Section 8.1.5.1.1.2, the fourth paragraph was originally as follows:<br />
“The owner provides POP by performing operations with the private key that<br />
satisfy the indicated key use. For example, if a key pair is intended to support<br />
key transport, the owner may decrypt a key provided to the owner by the CA<br />
that is encrypted using the owner's public key. If the owner can correctly<br />
decrypt the ciphertext key using the associated private key and then provide<br />
evidence that the key was correctly decrypted (e.g., by encrypting a random<br />
challenge from the CA, then the owner has established POP. Where a key pair<br />
is intended to support key establishment, POP shall not be afforded by<br />
generating and verifying a digital signature with the key pair.”<br />
The paragraph was change to the following, where the changed text is indicated in<br />
italics:<br />
“The (reputed) owner should provide POP by performing operations with the<br />
private key that satisfy the indicated key use. For example, if a key pair is<br />
intended to support key transport, the owner may decrypt a key provided to<br />
141