Web Services Security XCBF Token Profile

Working Draft 1.0, Monday, 25 November 2002

Document identifier:
    {draft}-{WS-Security}-{XCBF Binding}-{1.0} (Word) (PDF)

Location:
    http://www.oasis-open.org/committees/wss

Editors:
    Phillip H. Griffin, Griffin Consulting <phil.griffin@asn-1.com>
    Monica J. Martin, Drake Certivo <mmartin@certivo.net>

Contributors:
    TEXT TO BE REVISED TO INCLUDE ADDITIONAL CONTRIBUTORS AS NECESSARY
    Phillip H. Griffin, Griffin Consulting
    Monica J. Martin, Drake Certivo

Abstract:
    This document describes how to use XML Common Biometric Format (XCBF) with the Web Services Security (WSS) specification. Biometric technology can be used for identification and authentication. Biometrics are the measurable physical characteristics or personal behavioral traits that can be used to recognize the identity of an individual, or to verify a claimed identity. XCBF defines a common XML markup representation of the patron formats specified in NIST, Common Biometric Exchange File Format [11]. These XML values are based on the ASN.1 schema and cryptographic message types defined in the X9.84 Biometrics Information Management and Security standard [9]. These values may contain X.509 certificates [4] and other digitally signed or encrypted information. XCBF values may be represented as XML markup or in a compact binary format.

Status:
    This is a working draft submitted for consideration by the OASIS Web Services Security (WSS) technical committee. Please send comments to the editors. If you are on the wss@lists.oasis-open.org list for committee members, send comments there. If you are not on that list, subscribe to the wss-comment@lists.oasis-open.org list and send comments there. To subscribe, send an email message to wss-comment-request@lists.oasis-open.org with the word "subscribe" as the body of the message.

    For patent disclosure information that may be essential to the implementation of this specification, and any offers of licensing terms, refer to the Intellectual Property Rights section of the OASIS Security Services Technical Committee (SSTC) web page at http://www.oasis-open.org/who/intellectualproperty.shtml.

WS-Security XCBF Binding, 25 November 2002
Copyright © OASIS Open 2002. All Rights Reserved.

Table of Contents

1 Introduction
2 Terminology
3 Acronyms and Abbreviations
4 Usage
    4.1 Processing Model
    4.2 Attaching Security Tokens
        4.2.1 XML XCBF Security Token - BiometricObjects
        4.2.2 Binary XCBF Security Token - BiometricSyntaxSets
        4.2.3 XML XCBF Security Token - EncryptedData
    4.3 Error Codes
    4.4 Threat Model
5 References
    5.1 Normative
Appendix A. Acknowledgments
Appendix B. Revision History
Appendix C. Notices


1 Introduction

This document describes the use of XML Common Biometric Format (XCBF) [1] cryptographic messages within the WS-Security specification. XCBF messages are validated against an ASN.1 schema [5]. This schema definition language is used to define X.509 certificates and CRLs, and the cryptographic messages used to secure electronic mail in RFC3369 [15] and X9.96 XML Cryptographic Message Syntax [10]. In an instance of communication, XCBF messages may be represented in a compact binary format or as well-formed XML markup.

A common XCBF security token is defined to convey and manage biometric information used for authentication and identification. Each binary representation of an XCBF message has an XML markup representation. Both representations share the same schema. This characteristic allows XML markup to be used in resource rich environments, but transferred or stored in a compressed binary format in resource poor environments, e.g. smart cards, wireless and remote devices, and high volume transaction systems.

XCBF messages may include digitally signed or encrypted information. The binary format used to represent XCBF messages relies on the canonical Distinguished Encoding Rules (DER) [6] used to encode X.509 certificates. The XML markup format used in this Standard is the canonical variant of the XML Encoding Rules (XER) [7].

Section 1 is non-normative.

2 Terminology

The key words must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this document are to be interpreted as described in RFC2119 [12].

Namespace URIs (of the general form "some-URI") represent some application-dependent or context-dependent URI as defined in RFC2396 [13].

This specification design is intended to work with any version of the general SOAP [3] message structure and processing model, though the SOAP 1.2 namespace URI is used in examples.

Commonly used security terms are defined in the Internet Security Glossary [14].

The namespaces used in this document are shown in the following table.

    Prefix    Namespace
    S         http://www.w3.org/2001/12/soap-envelope
    wsse      http://schemas.xmlsoap.org/ws/2002/xx/secext

Note that the namespaces for XML Digital Signature and XML Encryption are not used. Instead the cryptographic processing used in XCBF security tokens is founded on simple cryptographic techniques commonly used for the protection of binary data. The same techniques are applied to both XML markup and binary token content. These techniques are based on standards that define their message schemas using ASN.1, such as the RSA Security PKCS #7 Cryptographic Message Syntax Standard (CMS) [17] and the IETF SMIME standard used for secure electronic mail, RFC 3369.

3 Acronyms and Abbreviations

    Term     Definition
    ASN.1    Abstract Syntax Notation One
    CBEFF    Common Biometric Exchange File Format
    CMS      Cryptographic Message Syntax
    CRL      Certificate Revocation List
    DER      Distinguished Encoding Rules
    PKCS     Public Key Cryptography System
    SOAP     Simple Object Access Protocol
    URI      Uniform Resource Identifier
    XCBF     XML Common Biometric Format
    XCMS     XML Cryptographic Message Syntax
    XER      XML Encoding Rules
    XML      Extensible Markup Language

4 Usage

A value of <BiometricSyntaxSets> is a series of <BiometricSyntax> values, each containing a collection of biometric information defined in one of four possible formats. These four choice alternatives have the following meanings:

    <biometricObjects>              unprotected biometric values
    <integrityObjects>              digitally signed biometric values
    <privacyObjects>                encrypted biometric values
    <privacyAndIntegrityObjects>    digitally signed and encrypted biometric values

All of the message objects in XCBF are values of <BiometricSyntaxSets>. XCBF messages may contain any combination of signed, encrypted or unprotected sets of biometric information.

4.1 Processing Model

The processing model for WS-Security with XCBF objects is no different from that of other token formats described in WS-Security. XCBF objects can be represented for transfer in two formats, a compact binary encoding and XML 1.0 markup. These two formats represent the same abstract values and both rely on the ASN.1 schema defined in XCBF and X9.84.

When these objects are represented in binary, they rely on the same ASN.1 schema definition language and Distinguished Encoding Rules used by X.509 certificates. When represented as XML markup, they are formatted using the XML Encoding Rules and do not use any attributes or namespace information.

Like X.509 certificates, XCBF biometric objects may contain digitally signed information. Some XCBF objects may contain digitally signed X.509 certificates and CRLs. XCBF objects may contain encrypted or signed and encrypted information. The biometric, signature and encryption processing of XCBF objects is not a direct part of the WS-Security processing model.

4.2 Attaching Security Tokens

XCBF message values must be specified using a <wsse:XCBFSecurityToken>. Token attributes are used to indicate characteristics of the token content to the processing WS-Security application.

The following value spaces are defined for @ValueType:

    QName          Description
    wsse:XCBFv1    XCBF v1 security token

The attributes are:

    Attribute       Value                               Description
    Id              Any application specified string    Application defined
    ValueType       XCBFv1                              This token contains an XCBF version one value of type BiometricSyntaxSets
    EncodingType    XER                                 XML Encoding Rules value
                    DER                                 Distinguished Encoding Rules value

Examples are provided in upcoming sections.


4.2.1 XML XCBF Security Token - BiometricObjects

The following example illustrates a SOAP message with an XCBF security token encoded using the XML Encoding Rules (XER). The token content is a simple, unprotected biometric object.

    <S:Envelope xmlns:S="...">
      <S:Header>
        <wsse:Security xmlns:wsse="...">
          <wsse:XCBFSecurityToken
              xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/0(/secext"
              Id="XCBF-biometric-object"
              ValueType="wsse:XCBFv1"
              EncodingType="wsse:XER">
            <BiometricSyntaxSets>
              <BiometricSyntax>
                <biometricObjects>
                  <BiometricObject>
                    <biometricHeader>
                      <version> 0 </version>
                      <recordType> <id> 4 </id> </recordType>
                      <dataType> <processed/> </dataType>
                      <purpose> <audit/> </purpose>
                      <quality> -1 </quality>
                      <validityPeriod>
                        <notBefore> 1980.10.4 </notBefore>
                        <notAfter>2003.10.3.23.59.59</notAfter>
                      </validityPeriod>
                      <format>
                        <formatOwner>
                          <oid> 2.23.42.9.10.4.2 </oid>
                        </formatOwner>
                      </format>
                    </biometricHeader>
                    <biometricData>
                      0A0B0C0D0E0F1A1B1C1D1E1F2A2B2C2D2E2F
                    </biometricData>
                  </BiometricObject>
                </biometricObjects>
              </BiometricSyntax>
            </BiometricSyntaxSets>
          </wsse:XCBFSecurityToken>
        </wsse:Security>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

In this example the XCBFSecurityToken contains a <BiometricSyntaxSets> value which contains a single biometric object. The biometric object is neither signed nor encrypted, and the <biometricHeader> information appears in the clear. The <biometricData> is an opaque string of hexadecimal characters and may be cryptographically enhanced according to the security requirements of a biometric service provider or XCBF application. Such requirements are outside the scope of WS-Security.

4.2.2 Binary XCBF Security Token - BiometricSyntaxSets

The following example illustrates a SOAP message with an XCBF security token encoded using the Distinguished Encoding Rules (DER), then Base64 armored [16].

    <S:Envelope xmlns:S="...">
      <S:Header>
        <wsse:Security xmlns:wsse="...">
          <wsse:XCBFSecurityToken
              xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/0(/secext"
              Id="biometric-objects"
              ValueType="wsse:XCBFv1"
              EncodingType="wsse:DER">
            9%%E:;9<9;!!42!;0H=;4w%"4 ...
          </wsse:XCBFSecurityToken>
        </wsse:Security>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

In this example the XCBFSecurityToken contains a <BiometricSyntaxSets> value which contains one or more biometric objects. The biometric objects may be signed or encrypted, and the binary token content has been obscured by Base64 armoring.

4.2.3 XML XCBF Security Token - EncryptedData

The following example illustrates a SOAP message with an XCBF security token encoded using the XML Encoding Rules (XER). This message contains an XCBF privacy object.

The <namedKey> choice alternative of the privacy block is used. This choice alternative pairs a cryptographic key identifier <keyName> with an XML markup representation of a value of CMS <EncryptedData>.

    <S:Envelope xmlns:S="...">
      <S:Header>
        <wsse:Security xmlns:wsse="...">
          <wsse:XCBFSecurityToken
              xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/0(/secext"
              Id="biometric-privacy-objects"
              ValueType="wsse:XCBFv1"
              EncodingType="wsse:XER">
            <BiometricSyntaxSets>
              <BiometricSyntax>
                <privacyObjects>
                  <privacyBlock>
                    <namedKey>
                      <keyName>6AE173BF5A973D1E</keyName>
                      <encryptedData>
                        <version>84</version>
                        <encryptedContentInfo>
                          <contentType>
                            1.2.840.113549.1.7.6
                          </contentType>
                          <contentEncryptionAlgorithm>
                            <algorithm>
                              1.2.840.113549.3.7
                            </algorithm>
                            <parameters>
                              <IV>7EA13D6E143CB5C9</IV>
                            </parameters>
                          </contentEncryptionAlgorithm>
                          <encryptedContent>
                            C99FA8CEA043B88D7A4981C32836A0D0444
                            F24112F04B24710498D82996183196809FA
                            BC659700F9ACE6CEA6B06033282486BB1E9
                            ...
                            B511FCF485E06F85A58B310746507330CF3
                            5EED489BFDD89F7020BD59C8AD15D403DE2
                            571EBF80C780448F5B71144FFEBE4B5726B
                          </encryptedContent>
                        </encryptedContentInfo>
                      </encryptedData>
                    </namedKey>
                  </privacyBlock>
                </privacyObjects>
              </BiometricSyntax>
            </BiometricSyntaxSets>
          </wsse:XCBFSecurityToken>
        </wsse:Security>
      </S:Header>
      <S:Body>
        ...
      </S:Body>
    </S:Envelope>

In this example the XCBFSecurityToken contains a <BiometricSyntaxSets> value which contains encrypted biometric information. None of the optional <biometricHeader> information appears in the clear. The <encryptedData> is an opaque string of hexadecimal characters that result from the encryption of a series of one or more biometric objects using the shared secret key identified by the <keyName> element.

The cryptographic processing requirements are defined in the XCBF standard. This processing of encrypted XML markup is identical to that used when a <BiometricSyntaxSets> value is encoded in binary. The same cryptographic processing requirements used in XCBF are used in other security standards, including X9.73 Cryptographic Message Syntax [8], X9.84, X9.96 XCMS, and RFC 3369. The details of this cryptographic processing are outside the scope of WS-Security.


4.3 Error Codes

Implementations may use custom error codes defined in private namespaces if needed. But it is recommended that they use the error handling codes defined in the WS-Security specification for signature, decryption, encoding and token header errors. When using custom error codes, implementations should be careful not to introduce security vulnerabilities that may assist an attacker in the error codes returned.

At this time, the error codes defined in WS-Security core largely support XCBF. However, they do not appear to support hash, MAC or HMAC. Therefore, XCBF recommends the error codes be generalized to support specified hash, MAC and HMAC (for example with more general references to "cryptographic algorithm"). In lieu of that change, XCBF recommends definition of an XCBF namespace for any specific error codes such as:

    xcbf:UnsupportedAlgorithm - An unsupported cryptographic algorithm was used.

4.4 Threat Model

The use of XCBF messages in an XCBF security token introduces no new threats beyond those already identified for other types of WS-Security tokens. Message alteration and eavesdropping are addressed directly in the XCBF message that forms the token content by using the integrity and privacy mechanisms described in XCBF. Replay attacks can be addressed by using message timestamps and caching, as well as other application-specific tracking mechanisms. For XCBF messages ownership is verified by use of keys and man-in-the-middle attacks are generally mitigated.

It is strongly recommended that XCBF token content be protected by use of one of the integrity object choice alternatives defined in XCBF. While it is possible that transport-level security could be used to protect the overall message and the XCBF security token, great care must be taken to protect biometric information. It is strongly recommended that XCBF token content be protected by use of one of the privacy object choice alternatives defined in XCBF.
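Added example (not part of this draft or of any XCBF implementation): a receiver-side check that reads the token attributes from section 4.2, reports which of the protections recommended in section 4.4 each choice alternative of an XER token lacks, and reports the section 4.3 error code for algorithm OIDs outside an allow-list. The function names, the allow-list policy, the constructed sample messages and the assumption that DER token content begins with a SEQUENCE tag are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

# wsse namespace URI as printed in this draft's namespace table
WSSE = "http://schemas.xmlsoap.org/ws/2002/xx/secext"
# BiometricSyntax choice alternative -> (integrity, privacy) protection it provides
CHOICES = {
    "biometricObjects": (False, False),
    "integrityObjects": (True, False),
    "privacyObjects": (False, True),
    "privacyAndIntegrityObjects": (True, True),
}
# Assumed local policy: accept only the algorithm OID used in the draft's example
ALLOWED_ALGORITHMS = {"1.2.840.113549.3.7"}


def local(qname):
    """Drop an optional prefix: 'wsse:XER' -> 'XER'."""
    return qname.rsplit(":", 1)[-1]


def inspect_token(soap_xml):
    """Return (encoding, findings) for the first XCBFSecurityToken found."""
    if "<!DOCTYPE" in soap_xml:
        raise ValueError("DTD present in SOAP message")
    token = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}XCBFSecurityToken")
    if token is None:
        raise ValueError("no XCBFSecurityToken")
    if local(token.get("ValueType", "")) != "XCBFv1":
        raise ValueError("unexpected ValueType")
    encoding = local(token.get("EncodingType", ""))
    if encoding == "DER":
        der = base64.b64decode("".join((token.text or "").split()), validate=True)
        # Assumption: BiometricSyntaxSets is a SEQUENCE, so its DER starts with 0x30
        if der[:1] != b"\x30":
            raise ValueError("token content is not a DER SEQUENCE")
        return encoding, ["binary token: protection needs an ASN.1 decoder to check"]
    if encoding != "XER":
        raise ValueError("unexpected EncodingType")
    sets = token.find("BiometricSyntaxSets")  # XER markup carries no namespace
    if sets is None:
        raise ValueError("no BiometricSyntaxSets")
    findings = []
    for syntax in sets.findall("BiometricSyntax"):
        for alt in syntax:
            if alt.tag not in CHOICES:
                raise ValueError(f"unknown choice alternative {alt.tag}")
            integrity, privacy = CHOICES[alt.tag]
            if not integrity:
                findings.append(f"{alt.tag}: not digitally signed")
            if not privacy:
                findings.append(f"{alt.tag}: biometric data in the clear")
            for alg in alt.iter("algorithm"):
                if (alg.text or "").strip() not in ALLOWED_ALGORITHMS:
                    findings.append("xcbf:UnsupportedAlgorithm")
    return encoding, findings


def sample(encoding, content):
    """Constructed SOAP message wrapping the given token content."""
    return (
        '<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"><S:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:XCBFSecurityToken Id="t1" '
        f'ValueType="wsse:XCBFv1" EncodingType="wsse:{encoding}">{content}'
        "</wsse:XCBFSecurityToken></wsse:Security></S:Header><S:Body/></S:Envelope>"
    )


def xer(alternative, inner=""):
    """Constructed XER BiometricSyntaxSets holding one choice alternative."""
    return (f"<BiometricSyntaxSets><BiometricSyntax><{alternative}>{inner}"
            f"</{alternative}></BiometricSyntax></BiometricSyntaxSets>")
```

A binary (DER) token is reported as unverifiable at this layer because its choice alternatives are only visible after ASN.1 decoding, which this example does not perform.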

5 References

5.1 Normative

[1] XCBF 2002 (draft) XML Common Biometric Format, Organization for the Advancement of Structured Information Standards (OASIS), http://www.oasis-open.org/.
[2] W3C Extensible Markup Language (XML) 1.0 (Second Edition), W3C Recommendation, Copyright © [6 October 2000] World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http://www.w3.org/TR/2000/REC-xml-20001006/.
[3] W3C SOAP 1.1:2000, Simple Object Access Protocol (Note), W3C Recommendation, Copyright © 2000 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University), http://www.w3.org/TR/SOAP/.
[4] ISO/IEC 9594-8: Information technology (2000) | ITU-T Recommendation X.509 (2001), Open Systems Interconnection -- The Directory: Authentication framework.
[5] ISO/IEC 8824 [Part 1-4]:2001 | ITU-T Recommendation X.680-Series (2002), Information Technology - Abstract Syntax Notation One (ASN.1), http://www.itu.int/ITU-T/studygroups/com17/languages/.
[6] ISO/IEC 8825-1:2001 | ITU-T Recommendation X.690 (2002), Information Technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), http://www.itu.int/ITU-T/studygroups/com17/languages/.
[7] ISO/IEC 8825-4:2001 | ITU-T Recommendation X.693 (2002), Information Technology - ASN.1 Encoding Rules: XML Encoding Rules (XER), http://www.itu.int/ITU-T/studygroups/com17/languages/.
[8] ANS X9.73:2002 Cryptographic Message Syntax (CMS) For The Financial Services Industry.
[9] ANS X9.84:2002 Biometrics Information Management and Security For The Financial Services Industry.
[10] ANS X9.96:2002 (draft) XML Cryptographic Message Syntax (XCMS).
[11] CBEFF Common Biometric Exchange File Format, NISTIR-6529, January 3, 2001.
[12] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[13] T. Berners-Lee, Uniform Resource Identifiers (URI): General Syntax, http://www.ietf.org/rfc/rfc2396.txt, IETF RFC 2396, August 1998.
[14] R. Shirley, Internet Security Glossary, http://www.ietf.org/rfc/rfc2828.txt, IETF RFC 2828, May 2000.
[15] R. Housley, Cryptographic Message Syntax (CMS), http://www.ietf.org/rfc/rfc3369.txt, IETF RFC 3369, August 2002.
[16] N. Freed and N. Borenstein, Multipurpose Internet Mail Extensions (MIME) Part 1: Format of Internet Message Bodies, http://www.ietf.org/rfc/rfc2045.txt, IETF RFC 2045, November 1996.
[17] RSA Security PKCS #7 - Cryptographic Message Syntax Standard, http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html, Public-Key Cryptography Standards, November 1, 1993.


Appendix A. Acknowledgments

The following individuals were members of the committee during the development of this specification:

TBD


Appendix B. Revision History

    Rev       Date          By Whom          What
    Wd-0.9    2002-11-16    Monica Martin    Initial version
    Wd-1.0    2002-11-25    Phil Griffin     Updated; added references, text, examples; spell check, links, other.


Appendix C. Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright © The Organization for the Advancement of Structured Information Standards [OASIS] 2002. All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
