| rfc9563v4.txt | rfc9563.txt | |||
|---|---|---|---|---|
| Independent Submission C. Zhang | Independent Submission C. Zhang | |||
| Request for Comments: 9563 Y. Liu | Request for Comments: 9563 Y. Liu | |||
| Category: Informational F. Leng | Category: Informational F. Leng | |||
| ISSN: 2070-1721 Q. Zhao | ISSN: 2070-1721 Q. Zhao | |||
| Z. He | Z. He | |||
| CNNIC | CNNIC | |||
| September 2024 | November 2024 | |||
| SM2 Digital Signature Algorithm for DNSSEC | SM2 Digital Signature Algorithm for DNSSEC | |||
| Abstract | Abstract | |||
| This document specifies the use of the SM2 digital signature | This document specifies the use of the SM2 digital signature | |||
| algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | |||
| This document is an Independent Submission to the RFC series and does | This document is an Independent Submission to the RFC series and does | |||
| not have consensus of the IETF community. | not have consensus of the IETF community. | |||
| skipping to change at line 136 ¶ | skipping to change at line 136 ¶ | |||
| n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | |||
| 7203DF6B 21C6052B 53BBF409 39D54123 | 7203DF6B 21C6052B 53BBF409 39D54123 | |||
| 4. DNSKEY and RRSIG Resource Records for SM2 | 4. DNSKEY and RRSIG Resource Records for SM2 | |||
| 4.1. DNSKEY Resource Records | 4.1. DNSKEY Resource Records | |||
| SM2 public keys consist of a single value, called "P". In DNSSEC | SM2 public keys consist of a single value, called "P". In DNSSEC | |||
| keys, P is a string of 64 octets that represents the uncompressed | keys, P is a string of 64 octets that represents the uncompressed | |||
| form of a curve point, "x | y". (Conversion of a point to an octet | form of a curve point, "x | y". (Conversion of a point to an octet | |||
| string is described in Section 4.2.8 of [GBT-32918.1-2016].) | string is described in Section 4.2.8 of [GM-0003.1].) | |||
| 4.2. RRSIG Resource Records | 4.2. RRSIG Resource Records | |||
| The SM2 signature is the combination of two non-negative integers, | The SM2 signature is the combination of two non-negative integers, | |||
| called "r" and "s". The two integers, each of which is formatted as | called "r" and "s". The two integers, each of which is formatted as | |||
| a simple octet string, are combined into a single longer octet string | a simple octet string, are combined into a single longer octet string | |||
| for DNSSEC as the concatenation "r | s". (Conversion of the integers | for DNSSEC as the concatenation "r | s". (Conversion of the integers | |||
| to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) | to bit strings is described in Section 4.2.1 of [GM-0003.1].) Each | |||
| Each integer MUST be encoded as 32 octets. | integer MUST be encoded as 32 octets. | |||
| Process details are described in Section 6 of [GMT-0003.2]. | Process details are described in Section 6 of [GMT-0003.2]. | |||
| The algorithm number associated with the DNSKEY and RRSIG resource | The algorithm number associated with the DNSKEY and RRSIG resource | |||
| records is 17, which is described in the IANA Considerations section. | records is 17, which is described in the IANA Considerations section. | |||
| Conformant implementations that create records to be put into the DNS | Conformant implementations that create records to be put into the DNS | |||
| MAY implement signing and verification for the SM2 digital signature | MAY implement signing and verification for the SM2 digital signature | |||
| algorithm. Conformant DNSSEC verifiers MAY implement verification | algorithm. Conformant DNSSEC verifiers MAY implement verification | |||
| for the above algorithm. | for the above algorithm. | |||
| skipping to change at line 271 ¶ | skipping to change at line 271 ¶ | |||
| rollovers, taking into account record caching. See [RFC7583] for | rollovers, taking into account record caching. See [RFC7583] for | |||
| details. A suitable replacement algorithm should be both widely | details. A suitable replacement algorithm should be both widely | |||
| implemented and not known to have weaknesses. | implemented and not known to have weaknesses. | |||
| The security considerations listed in [RFC4509] apply here as well. | The security considerations listed in [RFC4509] apply here as well. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [GBT-32918.1-2016] | [GM-0003.1] | |||
| Standardization Administration of China, "Information | Cryptography Standardization Technical Committee of China, | |||
| security technology--Public key cryptographic algorithm | "SM2 Public Key Cryptographic Algorithms Based on Elliptic | |||
| SM2 based on elliptic curves--Part 1: General", [In | Curves Part 1: General", [In Chinese], GM/T 0003.1-2012, | |||
| Chinese], GB/T 32918.1-2016, March 2017. English | March 2012. English translation available at: | |||
| translation available at: http://www.gmbz.org.cn/ | http://www.gmbz.org.cn/ | |||
| upload/2018-07-24/1532401673134070738.pdf | upload/2024-11-18/1731899501687024253.pdf | |||
| (http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401673134070738.pdf) | ||||
| [GMT-0003.2] | [GMT-0003.2] | |||
| Cryptography Standardization Technical Committee of China, | Cryptography Standardization Technical Committee of China, | |||
| "SM2 public key cryptographic algorithm based on elliptic | "SM2 Public Key Cryptographic Algorithms Based on Elliptic | |||
| curves -- Part 2: Digital signature algorithm", [In | Curves Part 2: Digital Signature Algorithm", [In Chinese], | |||
| Chinese], GM/T 0003.2-2012, March 2012. English | GM/T 0003.2-2012, March 2012. English translation | |||
| translation available at: TBD (TBD) | available at: http://www.gmbz.org.cn/ | |||
| upload/2024-11-18/1731899583359013934.pdf | ||||
| [GMT-0004] Cryptography Standardization Technical Committee of China, | [GMT-0004] Cryptography Standardization Technical Committee of China, | |||
| "SM3 Cryptographic Hash Algorithm", [In Chinese], GM/ | "SM3 Cryptographic Hash Algorithm", [In Chinese], GM/ | |||
| T 0004-2012, March 2012. English translation available | T 0004-2012, March 2012. English translation available | |||
| at: TBD (TBD). | at: http://www.gmbz.org.cn/ | |||
| upload/2024-11-18/1731899426565012428.pdf. | ||||
| [IANA] IANA, "DNS Security Algorithm Numbers", | [IANA] IANA, "DNS Security Algorithm Numbers", | |||
| <https://www.iana.org/assignments/dns-sec-alg-numbers>. | <https://www.iana.org/assignments/dns-sec-alg-numbers>. | |||
| [ISO-IEC10118-3_2018] | [ISO-IEC10118-3_2018] | |||
| ISO/IEC, "IT Security techniques -- Hash-functions -- Part | ISO/IEC, "IT Security techniques -- Hash-functions -- Part | |||
| 3: Dedicated hash-functions", ISO/IEC 10118-3:2018, | 3: Dedicated hash-functions", ISO/IEC 10118-3:2018, | |||
| October 2018. | October 2018. | |||
| [ISO-IEC14888-3_2018] | [ISO-IEC14888-3_2018] | |||
| End of changes. 6 change blocks. | ||||
| 18 lines changed or deleted | 18 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||