PKCS #8: Private-Key Information Content Types

PKCS #8: Private-Key Information Content Types AKAYLA, Inc.

joe@akayla.com

Vigil Security, LLC

housley@vigilsec.com

sn3rd

sean@sn3rd.com

SEC lamps CMS This document defines PKCS #8 content types for use with PrivateKeyInfo and EncryptedPrivateKeyInfo as specified in RFC 5958.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

. Introduction
. Private-Key Information Content Types
. ASN.1 Module
. Security Considerations
. IANA Considerations
. References
- . Normative References
- . Informative References
Acknowledgments
Authors' Addresses

Introduction The syntax for private-key information was originally described in , and the syntax was later revised by to include the AsymmetricKeyPackage content type that supports multiple PrivateKeyInfos. This document defines PKCS #8 content types for use with one PrivateKeyInfo and one EncryptedPrivateKeyInfo. These content type assignments are needed for the PrivateKeyInfo and EncryptedPrivateKeyInfo to be carried in the Cryptographic Message Syntax (CMS) . Note: A very long time ago, media types for PrivateKeyInfo and EncryptedPrivateKeyInfo were assigned as "application/pkcs8" and "application/pkcs8-encrypted", respectively.

Private-Key Information Content Types This section defines a content type for private-key information and encrypted private-key information. The PrivateKeyInfo content type is identified by the following object identifier: id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 52 } The EncryptedPrivateKeyInfo content type is identified by the following object identifier: id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 53 }

ASN.1 Module The ASN.1 module in this section builds upon the modules in . PrivateKeyInfoContentTypes { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-pkcs8ContentType(85) } DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL IMPORTS CONTENT-TYPE FROM CryptographicMessageSyntax-2009 -- in [RFC5911] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } PrivateKeyInfo, EncryptedPrivateKeyInfo FROM AsymmetricKeyPackageModuleV1 -- in [RFC5958] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-asymmetricKeyPkgV1(50) } ; PrivateKeyInfoContentTypes CONTENT-TYPE ::= { ct-privateKeyInfo | ct-encrPrivateKeyInfo, ... -- Expect additional content types -- } ct-privateKeyInfo CONTENT-TYPE ::= { PrivateKeyInfo IDENTIFIED BY id-ct-privateKeyInfo } id-ct-privateKeyInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 52 } ct-encrPrivateKeyInfo CONTENT-TYPE ::= { EncryptedPrivateKeyInfo IDENTIFIED BY id-ct-encrPrivateKeyInfo } id-ct-encrPrivateKeyInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 53 } END

Security Considerations The security considerations in apply here.

IANA Considerations For each of the private-key information content types defined in , IANA has assigned an Object Identifier (OID). The OIDs for the content types have been allocated in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry as follows:

Decimal	Description	Reference
52	id-ct-privateKeyInfo	RFC 9939
53	id-ct-encrPrivateKeyInfo	RFC 9939

For the ASN.1 module in , IANA has assigned an OID for the module identifier. The OID for the module has been allocated in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry as follows:

Decimal	Description	Reference
85	id-mod-pkcs8ContentType	RFC 9939

IANA has updated the application/cms registration entry in the "Media Types" registry by adding RFC 9939 to the "Interoperability considerations" section and to the list of RFCs where Inner Content Types (ICTs) are defined (see the "Optional parameters" section) and by adding the following values to the list of ICTs:

privateKeyInfo
encrPrivateKeyInfo

IANA has also updated the "Security considerations" section in the application/cms entry as follows:

RFC	CMS Protecting Content Type and Algorithms
RFC 9939	privateKeyInfo and encrPrivateKeyInfo

References Normative References Cryptographic Message Syntax (CMS) This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. Asymmetric Key Packages This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK] Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation ITU-T Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) ITU-T Informative References SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) IANA SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) IANA Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2 This document represents a republication of PKCS #8 v1.2 from RSA Laboratories' Public Key Cryptography Standard (PKCS) series. Change control is transferred to the IETF. The body of this document, except for the security considerations section, is taken directly from the PKCS #8 v1.2 specification. This document describes a syntax for private-key information. This memo provides information for the Internet community.

Acknowledgments Thanks to , , , , and for reviewing the document and providing comments.

Authors' Addresses AKAYLA, Inc.

joe@akayla.com

Vigil Security, LLC

housley@vigilsec.com

sn3rd

sean@sn3rd.com