Internet Engineering Task Force (IETF) R. Housley
Request for Comments: 6019 Vigil Security
Obsoletes: 4049 September 2010
Category: Standards Track
ISSN: 2070-1721
Internet Engineering Task Force (IETF) R. Housley
Request for Comments: 6019 Vigil Security
Obsoletes: 4049 September 2010
Category: Standards Track
ISSN: 2070-1721
BinaryTime: An Alternate Format for Representing Date and Time in ASN.1
BinaryTime:在ASN.1中表示日期和时间的另一种格式
Abstract
摘要
This document specifies a new ASN.1 type for representing time: BinaryTime. This document also specifies an alternate to the signing-time attribute for use with the Cryptographic Message Syntax (CMS) SignedData and AuthenticatedData content types; the binary-signing-time attribute uses BinaryTime. CMS and the signing-time attribute are defined in RFC 5652.
本文档指定了一种新的ASN.1类型来表示时间:BinaryTime。本文档还指定了用于加密消息语法(CMS)SignedData和AuthenticatedData内容类型的签名时间属性的替代项;二进制签名时间属性使用BinaryTime。CMS和签名时间属性在RFC 5652中定义。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6019.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6019.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document specifies a new ASN.1 [ASN1] type for representing time: BinaryTime. This ASN.1 type can be used to represent date and time values.
本文档指定了一种新的ASN.1[ASN1]类型来表示时间:BinaryTime。此ASN.1类型可用于表示日期和时间值。
This document also specifies an alternative to the signing-time attribute used with the Cryptographic Message Syntax [CMS] SignedData and AuthenticatedData content types, allowing the BinaryTime type to be used instead of the traditional UTCTime and GeneralizedTime types.
本文档还指定了与加密消息语法[CMS]SignedData和AuthenticatedData内容类型一起使用的签名时间属性的替代方法,允许使用BinaryTime类型,而不是传统的UTCTime和GeneralizedTime类型。
Many operating systems represent date and time as an integer. This document specifies an ASN.1 type for representing date and time in a manner that is also an integer. Although some conversion may be necessary due to the selection of a different epoch or a different granularity, an integer representation has several advantages over the UTCTime and GeneralizedTime types.
许多操作系统将日期和时间表示为整数。本文档指定了ASN.1类型,用于以整数的方式表示日期和时间。尽管由于选择了不同的历元或不同的粒度,可能需要进行一些转换,但整数表示与UTCTime和GeneratedTime类型相比有几个优点。
First, a BinaryTime value is smaller than either a UTCTime or a GeneralizedTime value.
首先,BinaryTime值小于UTCTime或GeneralizedTime值。
Second, in some operating systems, the value can be used with little or no conversion. Conversion, when it is needed, requires only straightforward computation. If the endian ordering is different from the ASN.1 representation of an INTEGER, then straightforward manipulation is needed to obtain an equivalent integer value. If the epoch is different than the one chosen for BinaryTime, addition or subtraction is needed to compensate. If the granularity is something other than seconds, then multiplication or division is needed to compensate. Also, padding may be needed to convert the variable-length ASN.1 encoding of INTEGER to a fixed-length value used in the operating system.
第二,在某些操作系统中,可以使用该值而很少或根本不进行转换。当需要转换时,只需要简单的计算。如果endian排序不同于整数的ASN.1表示,则需要直接操作以获得等效的整数值。如果历元不同于为二进制时间选择的历元,则需要进行加法或减法补偿。如果粒度不是秒,则需要乘法或除法进行补偿。此外,可能需要填充来将整数的可变长度ASN.1编码转换为操作系统中使用的固定长度值。
Third, date comparison is very easy with BinaryTime. Integer comparison is easy, even when multi-precision integers are involved. Date comparison with UTCTime or GeneralizedTime can be complex when the two values to be compared are provided in different time zones.
第三,使用二进制时间进行日期比较非常容易。即使涉及多精度整数,整数比较也很容易。当要比较的两个值在不同的时区中提供时,使用UTCTime或GeneratedTime进行日期比较可能会很复杂。
This is a rare instance in which both memory and processor cycles can be saved.
这是一个罕见的既可以节省内存又可以节省处理器周期的实例。
The signing-time attribute is defined in [CMS]. The alternative binary-signing-time attribute is defined in this document in order to obtain the benefits of the BinaryTime type.
签名时间属性在[CMS]中定义。本文档中定义了可选的二进制签名时间属性,以获得BinaryTime类型的好处。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[STDWORDS]中所述进行解释。
The BinaryTime ASN.1 type is used to represent an absolute time and date. A positive integer value is used to represent time values based on coordinated universal time (UTC), which is also called Greenwich Mean Time (GMT) and ZULU clock time.
BinaryTime ASN.1类型用于表示绝对时间和日期。正整数值用于表示基于协调世界时(UTC)的时间值,协调世界时也称为格林威治标准时间(GMT)和祖鲁时钟时间。
The syntax for BinaryTime is:
BinaryTime的语法为:
BinaryTime ::= INTEGER (0..MAX)
BinaryTime ::= INTEGER (0..MAX)
The integer value is the number of seconds, excluding leap seconds, after midnight UTC, January 1, 1970. This representation of time is sometimes called "UNIX time" [POSIX]. This time format cannot represent time values prior to January 1, 1970. The latest UTC time value that can be represented by a four-octet integer value is 03:14:07 on January 19, 2038, which is represented by the hexadecimal value 7FFFFFFF. Time values beyond 03:14:07 on January 19, 2038, are represented by integer values that are longer than four octets, and a five-octet integer value is sufficient to represent dates covering the next seventeen millennia.
整数值是UTC(1970年1月1日)午夜后的秒数,不包括闰秒。这种时间表示有时称为“UNIX时间”[POSIX]。此时间格式不能表示1970年1月1日之前的时间值。可由四个八位整数表示的最新UTC时间值为2038年1月19日03:14:07,由十六进制值7FFFFF表示。2038年1月19日03:14:07之后的时间值由大于四个八位字节的整数值表示,五个八位字节的整数值足以表示下一个17000年的日期。
This specification uses a variable-length encoding of INTEGER. This permits any time value after midnight UTC, January 1, 1970, to be represented.
此规范使用整数的可变长度编码。这允许表示1970年1月1日UTC午夜之后的任何时间值。
When encoding an integer value that consists of more than one octet, which includes almost all the time values of interest, the bits of the first octet and bit 8 of the second octet MUST NOT all be ones or all zeros. This rule ensures that an integer value is always encoded in the smallest possible number of octets. However, it means that implementations cannot assume a fixed length for the integer value.
当编码一个由多个八位组组成的整数值时,其中包括几乎所有感兴趣的时间值,第一个八位组的位和第二个八位组的位8不得全部为1或全部为零。此规则确保整数值始终以尽可能小的八位字节数编码。但是,这意味着实现不能假定整数值的固定长度。
The binary-signing-time attribute type specifies the time at which the signer (purportedly) performed the signing process. The binary-signing-time attribute type is intended for use in the CMS SignedData content type; however, the attribute can also be used with the AuthenticatedData content type.
二进制签名时间属性类型指定签名者(据称)执行签名过程的时间。二进制签名时间属性类型用于CMS SignedData内容类型;但是,该属性也可以与AuthenticatedData内容类型一起使用。
The binary-signing-time attribute MUST be a signed attribute or an authenticated attribute; it MUST NOT be an unsigned attribute, unauthenticated attribute, or unprotected attribute.
二进制签名时间属性必须是已签名属性或已验证属性;它不能是未签名的属性、未经身份验证的属性或未受保护的属性。
The following object identifier identifies the binary-signing-time attribute:
以下对象标识符标识二进制签名时间属性:
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 }
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 }
The binary-signing-time attribute values have ASN.1 type BinarySigningTime:
二进制签名时间属性值具有ASN.1类型BinarySigningTime:
BinarySigningTime ::= BinaryTime
BinarySigningTime ::= BinaryTime
In [CMS], the SignedAttributes syntax and the AuthAttributes syntax are each defined as a SET OF Attributes. However, the binary-signing-time attribute MUST have a single attribute value, even though the syntax is defined as a SET OF AttributeValue. There MUST NOT be zero or multiple instances of AttributeValue present.
在[CMS]中,SignedAttribute语法和AuthAttributes语法都定义为一组属性。但是,二进制签名时间属性必须具有单个属性值,即使语法定义为一组AttributeValue。AttributeValue的实例不能为零或多个。
The SignedAttributes contained in the signerInfo structure within SignedData MUST NOT include multiple instances of the binary-signing-time attribute. Similarly, the AuthAttributes in an AuthenticatedData MUST NOT include multiple instances of the binary-signing-time attribute.
SignedData中signerInfo结构中包含的SignedAttribute不能包含二进制签名时间属性的多个实例。类似地,AuthenticatedData中的AuthAttributes不得包含二进制签名时间属性的多个实例。
No requirement is imposed concerning the correctness of the signing time itself, and acceptance of a purported signing time is a matter of a recipient's discretion. It is expected, however, that some signers, such as time-stamp servers, will be trusted implicitly.
没有对签字时间本身的正确性提出任何要求,接受所谓的签字时间是接收人的自由裁量权。但是,预计某些签名者(如时间戳服务器)将受到隐式信任。
Use of the binary-signing-time attribute does not necessarily provide confidence in the time when the signature value was produced. Therefore, acceptance of a purported signing time is a matter of a recipient's discretion. RFC 3161 [TSP] specifies a protocol for obtaining time stamps from a trusted entity.
使用二进制签名时间属性不一定能提供生成签名值的时间的置信度。因此,接受所谓的签署时间是接收人的自由裁量权。RFC 3161[TSP]指定了一种从受信任实体获取时间戳的协议。
The original signing-time attribute defined in [CMS] has the same semantics as the binary-signing-time attribute specified in this document. Therefore, only one of these attributes SHOULD be present in the signedAttrs of a SignerInfo object or in the authAttrs of an AuthenticatedData object. However, if both of these attributes are present, they MUST provide the same date and time.
[CMS]中定义的原始签名时间属性与本文档中指定的二进制签名时间属性具有相同的语义。因此,SignerInfo对象的SignedAttr或AuthenticatedData对象的AuthAttr中只应存在其中一个属性。但是,如果这两个属性都存在,则它们必须提供相同的日期和时间。
[ASN1] CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.
[ASN1]CCITT。建议X.208:抽象语法符号1(ASN.1)的规范。1988
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, September 2009.
[CMS]Housley,R.,“加密消息语法(CMS)”,STD 70,RFC 56522009年9月。
[STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[POSIX] Institute of Electrical and Electronics Engineers. IEEE P1003.1, Information Technology Portable Operating System Interface (POSIX) Part 1: System Application Program Interface (API) [C Language], 1990.
[POSIX]电气和电子工程师学会。IEEE P1003.1,信息技术便携式操作系统接口(POSIX)第1部分:系统应用程序接口(API)[C语言],1990年。
[TSP] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)", RFC 3161, August 2001.
[TSP]Adams,C.,Cain,P.,Pinkas,D.,和R.Zuccherato,“互联网X.509公钥基础设施时间戳协议(TSP)”,RFC 31612001年8月。
Appendix A: ASN.1 Module
附录A:ASN.1模块
The ASN.1 module contained in this appendix defines the structures that are needed to implement this specification. It is expected to be used in conjunction with the ASN.1 modules in [CMS].
本附录中包含的ASN.1模块定义了实施本规范所需的结构。预计它将与[CMS]中的ASN.1模块一起使用。
BinarySigningTimeModule
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) 27 }
BinarySigningTimeModule
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) 27 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- BinaryTime Definition
--二进制时间定义
BinaryTime ::= INTEGER (0..MAX)
BinaryTime ::= INTEGER (0..MAX)
-- Signing Binary Time Attribute
--签名二进制时间属性
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 }
id-aa-binarySigningTime OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 46 }
BinarySigningTime ::= BinaryTime
BinarySigningTime ::= BinaryTime
END
终止
Author's Address
作者地址
Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA
Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州,邮编20170
EMail: housley@vigilsec.com
EMail: housley@vigilsec.com