refactored security baseline (#737)

sujithhanwha · web-flow · commit be57f0edd14b · 2026-03-25T14:44:45.000+01:00
diff --git a/doc/SecurityBaseline.xml b/doc/SecurityBaseline.xml
@@ -75,6 +75,8 @@
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink"
       xlink:href="http://www.ietf.org/rfc/rfc5280.txt"
       >http://www.ietf.org/rfc/rfc5280.txt</link>&gt;</para>
+    <para>RFC 5480 - Elliptic Curve Cryptography Subject Public Key Information</para>
+    <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc5480"/>&gt;</para>
     <para>RFC 5758 - Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc5758"/>&gt;</para>
     <para>RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</para>
@@ -83,6 +85,8 @@
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc7292"/>&gt;</para>
     <para>RFC 7714 - AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc7714"/>&gt;</para>
+    <para>RFC 7519 - JSON Web Token (JWT)</para>
+    <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc7519"/>&gt;</para>
     <para>RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc8017"/>&gt;</para>
     <para>RFC 8018 - PKCS #5: Password-Based Cryptography Specification Version 2.1</para>
@@ -91,6 +95,8 @@
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc8439"/>&gt;</para>
     <para>RFC 9579 - Use of Password-Based Message Authentication Code 1 (PBMAC1) in PKCS #12 Syntax</para>
     <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://datatracker.ietf.org/doc/html/rfc9579"/>&gt;</para>
+    <para>ANSI X9.62 - Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)</para>
+    <para>&lt;<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://webstore.ansi.org/standards/ascx9/ansix9622005"/>&gt;</para>
   </chapter>
   <chapter>
     <title>Definitions</title>
@@ -132,7 +138,7 @@
     <title>Overview</title>
     <para>The content of this document is based on state of the art technology as published by the American institute NIST and the German department BSI. 
       Note, that any updates to this specification require a review of implications on technical, profile and addon specifications.</para>
-    <para>Publication of updates must synchronized with ONVIF Technical and Technical Service Committee</para>
+    <para>Publication of updates must be synchronized with ONVIF Technical and Technical Service Committee</para>
   </chapter>
   <chapter>
     <title>Asymmetric Encryption Schemes and Key Agreement</title>
@@ -181,6 +187,62 @@
         </tbody>
       </tgroup>
     </table>
+    <table xml:id="curveTable">
+      <title>Asymmetric Encryption Algorithm OIDs</title>
+      <tgroup cols="3">
+        <colspec colname="c1" colwidth="40*"/>
+        <colspec colname="c2" colwidth="30*"/>
+        <colspec colname="c3" colwidth="30*"/>
+        <thead>
+          <row>
+            <entry>
+              <para>Name</para>
+            </entry>
+            <entry>
+              <para>OID</para>
+            </entry>
+            <entry>
+              <para>Reference</para>
+            </entry>
+          </row>
+        </thead>
+        <tbody valign="top">
+          <row>
+            <entry>
+              <para>rsaEncryption</para>
+            </entry>
+            <entry>
+              <para>1.2.840.113549.1.1.1</para>
+            </entry>
+            <entry>
+              <para>RFC 8017</para>
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <para>secp256r1</para>
+            </entry>
+            <entry>
+              <para>1.2.840.10045.3.1.7</para>
+            </entry>
+            <entry>
+              <para>RFC 5480</para>
+            </entry>
+          </row>
+          <row>
+            <entry>
+              <para>secp384r1</para>
+            </entry>
+            <entry>
+              <para>1.3.132.0.34</para>
+            </entry>
+            <entry>
+              <para>RFC 5480</para>
+            </entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
   </chapter>
   <chapter>
     <title>Symmetric Encryption Schemes</title>
@@ -246,24 +308,40 @@
             </entry>
             <entry><para>FIPS 180-4</para></entry>
           </row>
+          <row>
+            <entry>
+              <para>SHA-2</para>
+            </entry>
+            <entry>
+              <para>384 Bit</para>
+            </entry>
+            <entry><para>FIPS 180-4</para></entry>
+          </row>
+          <row>
+            <entry>
+              <para>SHA-2</para>
+            </entry>
+            <entry>
+              <para>512 Bit</para>
+            </entry>
+            <entry><para>FIPS 180-4</para></entry>
+          </row>
         </tbody>
       </tgroup>
     </table>
-  </chapter>
-  <chapter>
-    <title>Signatures</title>
-    <para/>
-    <table xml:id="sigTable">
-      <title>Signatures</title>
+    <table xml:id="hashOidTable">
+      <title>Standalone Hash Algorithm OIDs</title>
       <tgroup cols="3">
-        <colspec colname="c1" colwidth="52*"/>
-        <colspec colname="c2" colwidth="12*"/>
-        <colspec colname="c3" colwidth="12*"/>
+        <colspec colname="c1" colwidth="40*"/>
+        <colspec colname="c2" colwidth="30*"/>
+        <colspec colname="c3" colwidth="30*"/>
         <thead>
           <row>
-            <entry><para>Scheme</para></entry>
             <entry>
-              <para>Hash</para>
+              <para>Name</para>
+            </entry>
+            <entry>
+              <para>OID</para>
             </entry>
             <entry>
               <para>Reference</para>
@@ -272,71 +350,86 @@
         </thead>
         <tbody valign="top">
           <row>
-            <entry><para>RSA PKCS1 v1_5</para></entry>
-            <entry><para>SHA 256, SHA 384, SHA 512</para></entry>
-            <entry><para>RFC 8017 not recommended</para></entry>
+            <entry>
+              <para>id-sha256</para>
+            </entry>
+            <entry>
+              <para>2.16.840.1.101.3.4.2.1</para>
+            </entry>
+            <entry>
+              <para>FIPS 180-4</para>
+            </entry>
           </row>
           <row>
-            <entry><para>RSASSA-PSS</para></entry>
             <entry>
-              <para>SHA 256, SHA 384, SHA 512</para>
+              <para>id-sha384</para>
+            </entry>
+            <entry>
+              <para>2.16.840.1.101.3.4.2.2</para>
+            </entry>
+            <entry>
+              <para>FIPS 180-4</para>
             </entry>
-            <entry><para>RFC 8017</para></entry>
           </row>
           <row>
-            <entry><para>ECDSA</para></entry>
-            <entry><para>SHA 256, SHA 384, SHA 512</para></entry>
-            <entry><para>RFC 5758, X9.62</para></entry>
+            <entry>
+              <para>id-sha512</para>
+            </entry>
+            <entry>
+              <para>2.16.840.1.101.3.4.2.3</para>
+            </entry>
+            <entry>
+              <para>FIPS 180-4</para>
+            </entry>
           </row>
         </tbody>
       </tgroup>
     </table>
   </chapter>
   <chapter>
-    <title>Key Derivation</title>
-    <table xml:id="keyTable">
-      <title>Key Derivation Functions</title>
+    <title>Signatures</title>
+    <para>This chapter defines the signature schemes and their corresponding algorithm OIDs that devices shall support.</para>
+    <table xml:id="sigTable">
+      <title>Signature Schemes</title>
       <tgroup cols="3">
-        <colspec colname="c1" colwidth="15*"/>
+        <colspec colname="c1" colwidth="52*"/>
         <colspec colname="c2" colwidth="12*"/>
         <colspec colname="c3" colwidth="12*"/>
         <thead>
           <row>
+            <entry><para>Scheme</para></entry>
             <entry>
-              <para>Name</para>
+              <para>Hash</para>
             </entry>
             <entry>
               <para>Reference</para>
             </entry>
-            <entry>
-              <para>Comment</para>
-            </entry>
           </row>
         </thead>
         <tbody valign="top">
           <row>
-            <entry>
-              <para>PBKDF2</para>
-            </entry>
-            <entry><para>RFC 8018 &amp; RFC 9579</para></entry>
-            <entry><para>for passwords</para></entry>
+            <entry><para>RSA PKCS1 v1_5</para></entry>
+            <entry><para>SHA 256, SHA 384, SHA 512</para></entry>
+            <entry><para>RFC 8017 not recommended</para></entry>
           </row>
           <row>
+            <entry><para>RSASSA-PSS</para></entry>
             <entry>
-              <para>HKDF</para>
+              <para>SHA 256, SHA 384, SHA 512</para>
             </entry>
-            <entry><para>RFC 5869</para></entry>
-            <entry><para>for random keys</para></entry>
+            <entry><para>RFC 8017</para></entry>
+          </row>
+          <row>
+            <entry><para>ECDSA</para></entry>
+            <entry><para>SHA 256, SHA 384, SHA 512</para></entry>
+            <entry><para>RFC 5758, X9.62</para></entry>
           </row>
         </tbody>
       </tgroup>
     </table>
-  </chapter>
-  <chapter>
-    <title>Certificates</title>
-    <para>Requirements for certificate upload and creation.</para>
+    <para>The signature algorithm OIDs listed below are applicable to certificate signatures as well as other cryptographic operations such as media signing and general-purpose digital signatures.</para>
     <table xml:id="signaturesTable">
-      <title>Signature Baseline</title>
+      <title>Signature Algorithm OIDs</title>
       <tgroup cols="3">
         <colspec colname="c1" colwidth="40*"/>
         <colspec colname="c2" colwidth="30*"/>
@@ -421,9 +514,65 @@
               <para>RFC 5758, X9.62</para>
             </entry>
           </row>
+          <row>
+            <entry>
+              <para>rsassa-pss</para>
+            </entry>
+            <entry>
+              <para>1.2.840.113549.1.1.10</para>
+            </entry>
+            <entry>
+              <para>RFC 8017</para>
+            </entry>
+          </row>
         </tbody>
       </tgroup>
     </table>
+  </chapter>
+  <chapter>
+    <title>Key Derivation</title>
+    <para/>
+    <table xml:id="keyTable">
+      <title>Key Derivation Functions</title>
+      <tgroup cols="3">
+        <colspec colname="c1" colwidth="15*"/>
+        <colspec colname="c2" colwidth="12*"/>
+        <colspec colname="c3" colwidth="12*"/>
+        <thead>
+          <row>
+            <entry>
+              <para>Name</para>
+            </entry>
+            <entry>
+              <para>Reference</para>
+            </entry>
+            <entry>
+              <para>Comment</para>
+            </entry>
+          </row>
+        </thead>
+        <tbody valign="top">
+          <row>
+            <entry>
+              <para>PBKDF2</para>
+            </entry>
+            <entry><para>RFC 8018 &amp; RFC 9579</para></entry>
+            <entry><para>for passwords</para></entry>
+          </row>
+          <row>
+            <entry>
+              <para>HKDF</para>
+            </entry>
+            <entry><para>RFC 5869</para></entry>
+            <entry><para>for random keys</para></entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+  </chapter>
+  <chapter>
+    <title>Private Key Encryption</title>
+    <para>Requirements for encrypting private keys during certificate upload and creation.</para>
     <table xml:id="certTable">
       <title>Baseline for Encrypting Private Key</title>
       <tgroup cols="3">
