docs: spec of SafeBag format
This spec defines the TLV-based format of SafeBag, replacing the
previous SecureBag which uses DER-based encoding.
Change-Id: I001153bd3f4246a0f84656167b00c6387b2fea07
Refs: #3048
diff --git a/docs/specs/safe-bag.rst b/docs/specs/safe-bag.rst
new file mode 100644
index 0000000..2542f8d
--- /dev/null
+++ b/docs/specs/safe-bag.rst
@@ -0,0 +1,27 @@
+Export/Import Credentials
+=========================
+
+Sometimes, one may need to export credentials (e.g., certificate and private key) from
+one machine, and import them into another machine. This requires a secured container for
+sensitive information. We define **SafeBag**, which contains both an NDN certificate
+(:doc:`version 2.0 <certificate-format>`) and the corresponding private
+key which is encrypted in `PKCS#8 format <https://tools.ietf.org/html/rfc5208>`_.
+
+The format of **SafeBag** is defined as:
+
+::
+
+ SafeBag ::= SAFE-BAG-TYPE TLV-LENGTH
+ Certificate ; a data packet following certificate format spec
+ EncryptedKeyBag ; private key encrypted in PKCS#8 format
+
+All TLV-TYPE codes are application specific:
+
++---------------------------------------------+-------------------+----------------+
+| TLV-TYPE | Assigned code | Assigned code |
+| | (decimal) | (hexadecimal) |
++=============================================+===================+================+
+| SafeBag | 128 | 0x80 |
++---------------------------------------------+-------------------+----------------+
+| EncryptedKeyBag | 129 | 0x81 |
++---------------------------------------------+-------------------+----------------+
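Review bot: The grammar block defines only the outer `SafeBag` element; `EncryptedKeyBag` is listed as a child and assigned code 129 in the table, but it has no production of its own, so a reader cannot tell what its TLV-VALUE holds. Suggest adding a line such as `EncryptedKeyBag ::= ENCRYPTED-KEY-BAG-TYPE TLV-LENGTH` followed by a description of the value bytes. The phrase "private key encrypted in PKCS#8 format" is also ambiguous, because RFC 5208 defines both the unencrypted PrivateKeyInfo and the EncryptedPrivateKeyInfo structure. The spec should name EncryptedPrivateKeyInfo explicitly and say that the value is its DER encoding, since the commit message presents the new format as a move away from DER. The grammar uses `SAFE-BAG-TYPE` while the table row is labelled `SafeBag`; a sentence tying the type constants to the table rows would remove the guesswork. Since the text calls this a "secured container" for a certificate and "the corresponding private key", it would also help to state what an importer must do when the decrypted key does not match the certificate's public key, and to note that only the key, not the certificate, is encrypted.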