SafeBag Format for Exported Credentials

Sometimes it may be necessary to export an identity’s credentials (i.e., private key and associated certificate) from one machine and import them into another. This requires a secure container to carry the sensitive information. For this purpose, we define the SafeBag format, which contains an NDN certificate and the corresponding private key in encrypted form. The private key is formatted as a DER-encoded EncryptedPrivateKeyInfo structure as described in PKCS #8.

The TLV encoding of SafeBag is defined as follows:

SafeBag = SAFE-BAG-TYPE TLV-LENGTH
            Certificate
            EncryptedKey

EncryptedKey = ENCRYPTED-KEY-TYPE TLV-LENGTH
                 *OCTET ; PKCS #8 EncryptedPrivateKeyInfo

Type            Assigned number (decimal)    Assigned number (hexadecimal)
SafeBag         128                          0x80
EncryptedKey    129                          0x81
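A strict parser for the layout defined above, as an added example rather than code from the NDN libraries. It relies on two facts from outside this page: NDN TLV type and length fields use the variable-size number encoding (first octets 253, 254 and 255 introduce 2-, 4- and 8-octet values), and a certificate is a Data packet (TLV type 6). The function names and sample bytes are constructed for illustration.

```python
SAFE_BAG, ENCRYPTED_KEY = 0x80, 0x81  # type numbers assigned on this page
DATA = 0x06  # NDN Data packet type; an NDN certificate is a Data packet

def read_varnum(buf, pos):
    """Decode one NDN TLV variable-size number; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated TLV header")
    first = buf[pos]
    if first < 253:
        return first, pos + 1
    end = pos + 1 + {253: 2, 254: 4, 255: 8}[first]
    if end > len(buf):
        raise ValueError("truncated TLV number")
    return int.from_bytes(buf[pos + 1:end], "big"), end

def read_tlv(buf, pos):
    """Return (type, value, next_pos); reject a length that overruns buf."""
    typ, pos = read_varnum(buf, pos)
    length, pos = read_varnum(buf, pos)
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return typ, buf[pos:pos + length], pos + length

def parse_safebag(wire):
    """Split a SafeBag into (certificate TLV, EncryptedPrivateKeyInfo DER)."""
    typ, body, end = read_tlv(wire, 0)
    if typ != SAFE_BAG or end != len(wire):
        raise ValueError("input is not exactly one SafeBag element")
    ctype, _, pos = read_tlv(body, 0)
    if ctype != DATA:
        raise ValueError("first element is not a certificate")
    cert_wire = body[:pos]  # keep the header: the certificate is verified as a whole
    ktype, key_der, pos = read_tlv(body, pos)
    if ktype != ENCRYPTED_KEY or pos != len(body):
        raise ValueError("expected one EncryptedKey and nothing after it")
    if key_der[:1] != b"\x30":  # EncryptedPrivateKeyInfo is an ASN.1 SEQUENCE
        raise ValueError("EncryptedKey does not hold a DER SEQUENCE")
    return cert_wire, key_der

def encode_tlv(typ, value):
    """Encoder for the sample only (type < 253, length < 65536)."""
    n = len(value)
    head = bytes([n]) if n < 253 else b"\xfd" + n.to_bytes(2, "big")
    return bytes([typ]) + head + value

# Constructed placeholders, not a real certificate or key.
CERT = encode_tlv(DATA, b"\x07\x00")         # Data holding only an empty Name
KEY_DER = b"\x30\x82\x01\x00" + bytes(256)   # SEQUENCE header + 256 zero octets
SAMPLE = encode_tlv(SAFE_BAG, CERT + encode_tlv(ENCRYPTED_KEY, KEY_DER))
```

The parser only separates and sanity-checks the two elements; decrypting the returned EncryptedPrivateKeyInfo and validating the certificate are left to a PKCS #8 implementation and the NDN validator.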