draft-ietf-lamps-cmp-updates-03.txt   draft-ietf-lamps-cmp-updates-04.txt 
LAMPS Working Group H. Brockhaus LAMPS Working Group H. Brockhaus
Internet-Draft Siemens Internet-Draft Siemens
Updates: 4210, 6712 (if approved) August 7, 2020 Updates: 4210, 6712 (if approved) September 8, 2020
Intended status: Standards Track Intended status: Standards Track
Expires: February 8, 2021 Expires: March 12, 2021
CMP Updates CMP Updates
draft-ietf-lamps-cmp-updates-03 draft-ietf-lamps-cmp-updates-04
Abstract Abstract
This document contains a set of updates to the base syntax and This document contains a set of updates to the base syntax and
transport of Certificate Management Protocol (CMP) version 2. This transport of Certificate Management Protocol (CMP) version 2. This
document updates RFC 4210 and RFC 6712. document updates RFC 4210 and RFC 6712.
Specifically, the CMP services updated in this document comprise the Specifically, the CMP services updated in this document comprise the
enabling of using EnvelopedData instead of EncryptedValue, the enabling of using EnvelopedData instead of EncryptedValue, the
definition of extended key usages to identify certificates of CMP definition of extended key usages to identify certificates of CMP
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 8, 2021. This Internet-Draft will expire on March 12, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 21 skipping to change at page 2, line 21
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Convention and Terminology . . . . . . . . . . . . . . . 3 1.1. Convention and Terminology . . . . . . . . . . . . . . . 3
2. Updates to RFC 4210 - Certificate Management Protocol (CMP) . 3 2. Updates to RFC 4210 - Certificate Management Protocol (CMP) . 3
2.1. New Section 1.1. - Changes since RFC 4210 . . . . . . . . 3 2.1. New Section 1.1. - Changes since RFC 4210 . . . . . . . . 3
2.2. New Section 4.5 - Extended Key Usage . . . . . . . . . . 4 2.2. New Section 4.5 - Extended Key Usage . . . . . . . . . . 4
2.3. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 6 2.3. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 6
2.4. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 7 2.4. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 7
2.5. Update Section 5.3.4. - Certification Response . . . . . 9 2.5. Update Section 5.3.4. - Certification Response . . . . . 9
2.6. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 9 2.6. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 9
2.7. Update Section 5.3.22 - Polling Request and Response . . 10 2.7. Update Section 5.3.19. - PKI General Message Content . . 10
2.8. IANA Considerations . . . . . . . . . . . . . . . . . . . 11 2.8. Update Section 5.3.22 - Polling Request and Response . . 11
2.9. Update Appendix B - The Use of Revocation Passphrase . . 11 2.9. Update Section 9 - IANA Considerations . . . . . . . . . 12
2.10. Update Appendix C - Request Message Behavioral 2.10. Update Appendix B - The Use of Revocation Passphrase . . 13
Clarifications . . . . . . . . . . . . . . . . . . . . . 12 2.11. Update Appendix C - Request Message Behavioral
2.11. Update Appendix D.4. - Initial Registration/Certification Clarifications . . . . . . . . . . . . . . . . . . . . . 13
(Basic Authenticated Scheme) . . . . . . . . . . . . . . 12 2.12. Update Appendix D.4. - Initial Registration/Certification
(Basic Authenticated Scheme) . . . . . . . . . . . . . . 14
3. Updates to RFC 6712 - HTTP Transfer for the Certificate 3. Updates to RFC 6712 - HTTP Transfer for the Certificate
Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 13 Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 14
3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 13 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 14
3.2. New Section 3.6. - HTTP Request-URI . . . . . . . . . . . 13 3.2. New Section 3.6. - HTTP Request-URI . . . . . . . . . . . 15
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 16
5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 5. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Normative References . . . . . . . . . . . . . . . . . . 15 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.2. Informative References . . . . . . . . . . . . . . . . . 16 7.1. Normative References . . . . . . . . . . . . . . . . . . 17
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 17 7.2. Informative References . . . . . . . . . . . . . . . . . 18
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 17 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 19
A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 28 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 19
Appendix B. History of changes . . . . . . . . . . . . . . . . . 39 A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 31
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 41 Appendix B. History of changes . . . . . . . . . . . . . . . . . 43
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 45
1. Introduction 1. Introduction
While using CMP [RFC4210] in industrial and IoT environments and While using CMP [RFC4210] in industrial and IoT environments and
developing the Lightweight CMP Profile developing the Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were
identified in the original CMP specification. This document updates identified in the original CMP specification. This document updates
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these
limitations. limitations.
skipping to change at page 10, line 5 skipping to change at page 10, line 10
purpose of authenticating a later revocation request (in the case purpose of authenticating a later revocation request (in the case
that the appropriate signing private key is no longer available to that the appropriate signing private key is no longer available to
authenticate the request). See Appendix B for further details on the authenticate the request). See Appendix B for further details on the
use of this mechanism. use of this mechanism.
GenMsg: {id-it 12}, EncryptedKey GenMsg: {id-it 12}, EncryptedKey
GenRep: {id-it 12}, < absent > GenRep: {id-it 12}, < absent >
The use of EncryptedKey is described in section 5.2.2. The use of EncryptedKey is described in section 5.2.2.
2.7. Update Section 5.3.22 - Polling Request and Response 2.7. Update Section 5.3.19. - PKI General Message Content
The following subsections describes IDs for new examples
InfoTypeAndValue to be used in general messages content specified in
RFC 4210 [RFC4210].
Section 5.3.19 of RFC 4210 [RFC4210] describes various PKI general
messages and the respective OIDs. This document adds three
additional subsection to introduce the new IDs id-it-caCerts, id-it-
rootCaKeyUpdate, and id-it-certReqTemplate to the support messages as
defined in Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile] Section 4.4.
Add these new subsections at the end of this section with the
following text.
2.3.19.14 CA Certificates
This MAY be used by the client to get the latest CA intermediate and
issuing CA certificates.
GenMsg: {id-it 17}, < absent >
GenRep: {id-it 17}, CaCertsValue | < absent >
5.3.19.15. Root CA Certificates Update
This MAY be used by the client to get an update of an existing root
CA Certificate.
GenMsg: {id-it 18}, < absent >
GenRep: {id-it 18}, RootCaKeyUpdateValue | < absent >
Note: In contrast to CAKeyUpdAnnContent, this type offers omitting
newWithOld and oldWithNew in the GenRep message, depending on the
needs of the EE.
5.3.19.16. Certificate Request Template
This MAY be used by the client to get a template with parameters for
a future certificate request operation.
GenMsg: {id-it 19}, < absent >
GenRep: {id-it 19}, CertReqTemplateValue | < absent >
2.8. Update Section 5.3.22 - Polling Request and Response
Section 5.3.22 of RFC 4210 [RFC4210] describes when and how polling Section 5.3.22 of RFC 4210 [RFC4210] describes when and how polling
messages are used. This document adds the polling mechanism also to messages are used. This document adds the polling mechanism also to
outstanding p10cr transactions. outstanding p10cr transactions.
Replace all paragraphs in front of the state machine diagram with the Replace all paragraphs in front of the state machine diagram with the
following text. following text.
This pair of messages is intended to handle scenarios in which the This pair of messages is intended to handle scenarios in which the
client needs to poll the server in order to determine the status of client needs to poll the server in order to determine the status of
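Review bot: The first new subsection is numbered "2.3.19.14" while its siblings are "5.3.19.15." and "5.3.19.16."; it should read "5.3.19.14." so that all three land in Section 5.3.19 of RFC 4210. The introductory sentences also need a grammar pass ("The following subsections describes IDs for new examples InfoTypeAndValue", "three additional subsection"). Each GenRep permits "< absent >" without saying how the client should treat an empty value; please state the semantics, in particular for id-it 18, where the client is asking for an update of a root CA certificate.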
skipping to change at page 11, line 5 skipping to change at page 12, line 5
the checkAfter value before sending another pollReq. the checkAfter value before sending another pollReq.
4 If an ip, cp, or kup is received in response to a pollReq, then it 4 If an ip, cp, or kup is received in response to a pollReq, then it
will be treated in the same way as the initial response. will be treated in the same way as the initial response.
Note: A p10cr message contains exactly one CertificationRequestInfo Note: A p10cr message contains exactly one CertificationRequestInfo
data structure as specified in PKCS#10 [RFC2986] but no certificate data structure as specified in PKCS#10 [RFC2986] but no certificate
request number. Therefore, the certReqId MUST be set to 0 in all request number. Therefore, the certReqId MUST be set to 0 in all
following messages of this transaction. following messages of this transaction.
2.8. IANA Considerations 2.9. Update Section 9 - IANA Considerations
Section 9 of RFC 4210 [RFC4210] contains the IANA Considerations of Section 9 of RFC 4210 [RFC4210] contains the IANA Considerations of
that document. As this document defines a new and updates two that document. As this document defines a new and updates two
existing Extended Key Usages, the IANA Considerations need to be existing Extended Key Usages, the IANA Considerations need to be
updated accordingly. updated accordingly.
Add the following paragraphs between the first and second paragraph Add the following paragraphs between the first and second paragraph
of the section. of the section.
Within the SMI-numbers registry "SMI Security for PKIX Extended Key Within the SMI-numbers registry "SMI Security for PKIX Extended Key
skipping to change at page 11, line 35 skipping to change at page 12, line 35
------- ----------- ------------------ ------- ----------- ------------------
27 id-kp-cmcCA [RFC6402][thisRFC] 27 id-kp-cmcCA [RFC6402][thisRFC]
28 id-kp-cmcRA [RFC6402][thisRFC] 28 id-kp-cmcRA [RFC6402][thisRFC]
One new entry has been added: One new entry has been added:
Decimal Description References Decimal Description References
------- ----------- ---------- ------- ----------- ----------
32 id-kp-cmKGA [thisRFC] 32 id-kp-cmKGA [thisRFC]
2.9. Update Appendix B - The Use of Revocation Passphrase Within the SMI-numbers registry "SMI Security for PKIX CMP
Information Types (1.3.6.1.5.5.7.4)" (see
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-
numbers-1.3.6.1.5.5.7.4) as defined in RFC 7299 [RFC7299] three
changes have been performed.
Three new entry have been added:
Decimal Description References
------- --------------------- ----------
17 id-it-caCerts [thisRFC]
18 id-it-rootCaKeyUpdate [thisRFC]
19 id-it-certReqTemplate [thisRFC]
2.10. Update Appendix B - The Use of Revocation Passphrase
Appendix B of RFC 4210 [RFC4210] describes the usage of the Appendix B of RFC 4210 [RFC4210] describes the usage of the
revocation passphrase. As this document updates RFC 4210 [RFC4210] revocation passphrase. As this document updates RFC 4210 [RFC4210]
to utilize the parent structure EncryptedKey instead of to utilize the parent structure EncryptedKey instead of
EncryptedValue as described in Section 2.1 above, the description is EncryptedValue as described in Section 2.1 above, the description is
updated accordingly. updated accordingly.
Replace the first bullet point of this section with the following Replace the first bullet point of this section with the following
text. text.
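Review bot: "Three new entry have been added" should read "Three new entries have been added", and the lead-in "three changes have been performed" would be clearer as "three entries have been added", since the table only lists additions to this registry. The introduction of this section still justifies the update only with "a new and updates two existing Extended Key Usages"; extend it to mention the new CMP Information Types id-it-caCerts, id-it-rootCaKeyUpdate and id-it-certReqTemplate.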
skipping to change at page 12, line 21 skipping to change at page 13, line 40
Replace the third bullet point of this section with the following Replace the third bullet point of this section with the following
text. text.
o When using EnvelopedData the localKeyId attribute as specified in o When using EnvelopedData the localKeyId attribute as specified in
RFC 2985 [RFC2985] and when using EncryptedValue the valueHint RFC 2985 [RFC2985] and when using EncryptedValue the valueHint
field MAY contain a key identifier (chosen by the entity, along field MAY contain a key identifier (chosen by the entity, along
with the passphrase itself) to assist in later retrieval of the with the passphrase itself) to assist in later retrieval of the
correct passphrase (e.g., when the revocation request is correct passphrase (e.g., when the revocation request is
constructed by the entity and received by the CA/RA). constructed by the entity and received by the CA/RA).
2.10. Update Appendix C - Request Message Behavioral Clarifications 2.11. Update Appendix C - Request Message Behavioral Clarifications
Appendix C of RFC 4210 [RFC4210] provides clarifications to the Appendix C of RFC 4210 [RFC4210] provides clarifications to the
request message behavior. As this document updates RFC 4210 request message behavior. As this document updates RFC 4210
[RFC4210] to utilize the parent structure EncryptedKey instead of [RFC4210] to utilize the parent structure EncryptedKey instead of
EncryptedValue as described in Section 2.1 above, the description is EncryptedValue as described in Section 2.1 above, the description is
updated accordingly. updated accordingly.
Replace the note coming after the ASN.1 syntax of POPOPrivKey of this Replace the note coming after the ASN.1 syntax of POPOPrivKey of this
section with the following text. section with the following text.
skipping to change at page 12, line 45 skipping to change at page 14, line 18
-- * Section 5.2.2 of this specification). Therefore, this document -- * Section 5.2.2 of this specification). Therefore, this document
-- * makes the behavioral clarification of specifying that the -- * makes the behavioral clarification of specifying that the
-- * contents of "thisMessage" MUST be encoded either as -- * contents of "thisMessage" MUST be encoded either as
-- * "EnvelopedData" or "EncryptedValue" (only for backward -- * "EnvelopedData" or "EncryptedValue" (only for backward
-- * compatibility) and then wrapped in a BIT STRING. This allows -- * compatibility) and then wrapped in a BIT STRING. This allows
-- * the necessary conveyance and protection of the private key -- * the necessary conveyance and protection of the private key
-- * while maintaining bits-on-the-wire compatibility with RFC 4211 -- * while maintaining bits-on-the-wire compatibility with RFC 4211
-- * [RFC4211]. -- * [RFC4211].
-- ********** -- **********
2.11. Update Appendix D.4. - Initial Registration/Certification (Basic 2.12. Update Appendix D.4. - Initial Registration/Certification (Basic
Authenticated Scheme) Authenticated Scheme)
Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/ Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/
certification scheme. This scheme shall continue to use certification scheme. This scheme shall continue to use
EncryptedValue for backward compatibility reasons. EncryptedValue for backward compatibility reasons.
Replace the comment after the privateKey field of Replace the comment after the privateKey field of
crc[1].certifiedKeyPair in the syntax of the Initialization Response crc[1].certifiedKeyPair in the syntax of the Initialization Response
message with the following text. message with the following text.
skipping to change at page 13, line 37 skipping to change at page 15, line 12
o Add an HTTP URI discovery mechanism and extend the URI structure. o Add an HTTP URI discovery mechanism and extend the URI structure.
3.2. New Section 3.6. - HTTP Request-URI 3.2. New Section 3.6. - HTTP Request-URI
Section 3.6 of RFC 6712 [RFC6712] specifies the used HTTP URIs. This Section 3.6 of RFC 6712 [RFC6712] specifies the used HTTP URIs. This
document adds a discovery mechanism and extends the URIs. document adds a discovery mechanism and extends the URIs.
Replace the text of the section with the following text. Replace the text of the section with the following text.
Each PKI management entity supporting HTTP or HTTPS transport MUST Each CMP server on a PKI management entity supporting HTTP or HTTPS
support the use of the path-prefix of '/.well-known/' as defined in transport MUST support the use of the path-prefix of '/.well-known/'
RFC 5785 [RFC5785] and the registered name of 'cmp' to ease as defined in RFC 8515 [RFC8515] and the registered name of 'cmp' to
interworking in a multi-vendor environment. ease interworking in a multi-vendor environment.
The CMP client MUST be configured with sufficient information to form The CMP client needs to be configured with sufficient information to
the CMP server URI. This MUST be at least the authority portion of form the CMP server URI. This is at least the authority portion of
the URI, e.g., 'www.example.com:80', or the full operational path of the URI, e.g., 'www.example.com:80', or the full operational path of
the PKI management entity. Additional arbitrary label, e.g., the PKI management entity. Additional arbitrary label, e.g.,
'profileLabel' and 'operationLabel', MAY be configured as a separate 'profileLabel' and 'operationLabel', may be configured as a separate
component or as part of the full operational path to provide further component or as part of the full operational path to provide further
information. The 'profileLabel' MAY support addressing multiple CAs information. The 'profileLabel' may support addressing multiple CAs
or certificate profiles and the 'operationLabel' may support or certificate profiles and the 'operationLabel' may support
addressing PKI management operation specific endpoints. A valid full addressing PKI management operation specific endpoints. A valid full
operational path can look like this: operational path can look like this:
1 http://www.example.com/.well-known/cmp 1 http://www.example.com/.well-known/cmp
2 http://www.example.com/.well-known/cmp/operationLabel 2 http://www.example.com/.well-known/cmp/operationLabel
3 http://www.example.com/.well-known/cmp/profileLabel 3 http://www.example.com/.well-known/cmp/profileLabel
4 http://www.example.com/.well-known/cmp/profileLabel/operationLabel 4 http://www.example.com/.well-known/cmp/profileLabel/operationLabel
The discovery of supported endpoints as defined above will provide The discovery of supported endpoints as defined above will provide
the information to the EE, how to contact the PKI management entity the information to the CMP client how to contact the PKI management
and, if available, how to request enrolment for a specific entity and, if available, how to request enrolment for a specific
certificate profile or revoke a certificate at a specific CA. certificate profile or revoke a certificate at a specific CA.
Querying the PKI management entity, the EE will get a list of Querying the PKI management entity, the CMP client will get a list of
potential endpoints supported by the PKI management entity. potential endpoints supported by the PKI management entity.
Performing a GET on "/.well-known/cmp" to the default port MUST Performing a GET on "/.well-known/cmp" to the default port MUST
return a set of links to endpoints available from the server. In return a set of links to endpoints available from the CMP server. In
addition to the link also the expected format of the data object is addition to the link also the expected format of the data object is
provided as content type (ct). provided as content type (ct).
< TBD: It needs to be discussed if the discovery should be performed < TBD: It needs to be discussed if the discovery should be performed
using GET on "/.well-known/cmp" or GET on "/.well-known" only. > using GET on "/.well-known/cmp" or GET on "/.well-known" only. >
The following provides an illustrative example for a PKI management The following provides an illustrative example for a PKI management
entity supporting different PKI management operations for different entity supporting various PKI management operations for various
certificate profiles and CAs. certificate profiles and CAs.
Detailed message description: Detailed message description:
REQ: GET /.well-known/cmp REQ: GET /.well-known/cmp
RES: Content RES: Content
</cmp/certprofile1/operation1>;ct=pkixcmp </cmp/certprofile1/operation1>;ct=pkixcmp
</cmp/certprofile2/operation1>;ct=pkixcmp </cmp/certprofile2/operation1>;ct=pkixcmp
</cmp/certprofile3/operation1>;ct=pkixcmp </cmp/certprofile3/operation1>;ct=pkixcmp
</cmp/certprofile1/operation2>;ct=pkixcmp </cmp/certprofile1/operation2>;ct=pkixcmp
</cmp/certprofile2/operation2>;ct=pkixcmp </cmp/certprofile2/operation2>;ct=pkixcmp
</cmp/certprofile3/operation2>;ct=pkixcmp </cmp/certprofile3/operation2>;ct=pkixcmp
</cmp/ca1/operation3>;ct=pkixcmp </cmp/ca1/operation3>;ct=pkixcmp
</cmp/ca2/operation3>;ct=pkixcmp </cmp/ca2/operation3>;ct=pkixcmp
3.3. Update Section 6. - IANA Considerations
Section 6 of RFC 6712 [RFC6712] contains the IANA Considerations of
that document. As this document defines a new well-known URI, the
IANA Considerations need to be updated accordingly.
Add the following text between the first and second paragraph of the
section.
Within the well-known URI registry (see
https://www.iana.org/assignments/well-known-uris/well-known-
uris.xhtml#well-known-uris-1) as defined in RFC 8515 [RFC8515] the
following change has been performed.
One new name entry has been added:
URI suffix Change controller
----------- -----------------
cmp IETF
4. IANA Considerations 4. IANA Considerations
This document contains an update to the IANA Considerations section This document contains an update to the IANA Consideration sections
to be added to [RFC4210]. to be added to [RFC4210] and [RFC6712].
< TBD: The existing description and information of id-kp-cmcRA and < TBD: The existing description and information of id-kp-cmcRA and
id-kp-cmcCA need to be updated to reflect their extended usage. > id-kp-cmcCA need to be updated to reflect their extended usage. >
5. Security Considerations 5. Security Considerations
No changes are made to the existing security considerations of No changes are made to the existing security considerations of
RFC 4210 [RFC4210] and RFC 6712 [RFC6712]. RFC 4210 [RFC4210] and RFC 6712 [RFC6712].
6. Acknowledgements 6. Acknowledgements
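Review bot: The discovery example returns links such as "</cmp/certprofile1/operation1>" without the "/.well-known" prefix, while the four sample operational paths above all sit under "/.well-known/cmp"; state which form a client is expected to request, or align the example. In the same section the client configuration text drops from "MUST be configured" to "needs to be configured" and "MAY" becomes "may", so say whether that loss of normative force is intended, and resolve the remaining "< TBD >" on the discovery target. Section 5 still reads "No changes are made to the existing security considerations" although this revision adds endpoint discovery via GET and the sample URIs use http; consider stating how the client should protect or validate the returned link list.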
skipping to change at page 16, line 15 skipping to change at page 18, line 15
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
Uniform Resource Identifiers (URIs)", RFC 5785,
DOI 10.17487/RFC5785, April 2010,
<https://www.rfc-editor.org/info/rfc5785>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/info/rfc5912>. <https://www.rfc-editor.org/info/rfc5912>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
DOI 10.17487/RFC5958, August 2010, DOI 10.17487/RFC5958, August 2010,
<https://www.rfc-editor.org/info/rfc5958>. <https://www.rfc-editor.org/info/rfc5958>.
[RFC6402] Schaad, J., "Certificate Management over CMS (CMC) [RFC6402] Schaad, J., "Certificate Management over CMS (CMC)
skipping to change at page 16, line 43 skipping to change at page 18, line 38
[RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key
Infrastructure -- HTTP Transfer for the Certificate Infrastructure -- HTTP Transfer for the Certificate
Management Protocol (CMP)", RFC 6712, Management Protocol (CMP)", RFC 6712,
DOI 10.17487/RFC6712, September 2012, DOI 10.17487/RFC6712, September 2012,
<https://www.rfc-editor.org/info/rfc6712>. <https://www.rfc-editor.org/info/rfc6712>.
[RFC7299] Housley, R., "Object Identifier Registry for the PKIX [RFC7299] Housley, R., "Object Identifier Registry for the PKIX
Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
<https://www.rfc-editor.org/info/rfc7299>. <https://www.rfc-editor.org/info/rfc7299>.
[RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for
ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February
2019, <https://www.rfc-editor.org/info/rfc8515>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-lamps-lightweight-cmp-profile] [I-D.ietf-lamps-lightweight-cmp-profile]
Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP
Profile", draft-ietf-lamps-lightweight-cmp-profile-02 Profile", draft-ietf-lamps-lightweight-cmp-profile-02
(work in progress), July 2020. (work in progress), July 2020.
[IEEE802.1AR] [IEEE802.1AR]
IEEE, "802.1AR Secure Device Identifier", June 2018, IEEE, "802.1AR Secure Device Identifier", June 2018,
<http://standards.ieee.org/findstds/standard/802.1AR- <http://standards.ieee.org/findstds/standard/802.1AR-
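Review bot: The added [RFC8515] entry is "URN Namespace for ETSI Documents", which does not define the '/.well-known/' path prefix or the well-known URI registry that Sections 3.2 and 3.3 now cite it for. The removed [RFC5785] was obsoleted by RFC 8615, "Well-Known Uniform Resource Identifiers (URIs)", so the reference entry and both in-text citations should read RFC 8615.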
skipping to change at page 17, line 48 skipping to change at page 19, line 43
FROM PKIX1Implicit88 {iso(1) identified-organization(3) FROM PKIX1Implicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-implicit-88(2)} id-mod(0) id-pkix1-implicit-88(2)}
CertTemplate, PKIPublicationInfo, EncryptedKey, EncryptedValue, CertTemplate, PKIPublicationInfo, EncryptedKey, EncryptedValue,
CertId, CertReqMessages CertId, CertReqMessages
FROM PKIXCRMF-2005 {iso(1) identified-organization(3) FROM PKIXCRMF-2005 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-mod-crmf2005(36)} id-mod(0) id-mod-crmf2005(36)}
-- The import of EncryptedKey is added due to the updates made -- The import of EncryptedKey is added due to the updates made
-- in this document -- in CMP Updates [thisRFC]
-- see also the behavioral clarifications to CRMF codified in -- see also the behavioral clarifications to CRMF codified in
-- Appendix C of this specification -- Appendix C of this specification
CertificationRequest CertificationRequest
FROM PKCS-10 {iso(1) member-body(2) FROM PKCS-10 {iso(1) member-body(2)
us(840) rsadsi(113549) us(840) rsadsi(113549)
pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)}
-- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
-- tags). Alternatively, implementers may directly include -- tags). Alternatively, implementers may directly include
-- the [PKCS10] syntax in this module -- the [PKCS10] syntax in this module
localKeyId localKeyId
FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)} pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)}
-- The import of localKeyId is added due to the updates made in -- The import of localKeyId is added due to the updates made in
-- this document -- CMP Updates [thisRFC]
EnvelopedData, SignedData EnvelopedData, SignedData
FROM CryptographicMessageSyntax2004 { iso(1) FROM CryptographicMessageSyntax2004 { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
-- The import of EnvelopedData and SignedData is added due to -- The import of EnvelopedData and SignedData is added due to
-- the updates made in this document -- the updates made in CMP Updates [thisRFC]
; ;
-- the rest of the module contains locally-defined OIDs and -- the rest of the module contains locally-defined OIDs and
-- constructs -- constructs
CMPCertificate ::= CHOICE { CMPCertificate ::= CHOICE {
x509v3PKCert Certificate x509v3PKCert Certificate
} }
-- This syntax, while bits-on-the-wire compatible with the -- This syntax, while bits-on-the-wire compatible with the
skipping to change at page 24, line 34 skipping to change at page 26, line 30
-- analogous to the id-regInfo-utf8Pairs string defined -- analogous to the id-regInfo-utf8Pairs string defined
-- for regInfo in CertReqMsg [CRMF] -- for regInfo in CertReqMsg [CRMF]
} }
CertifiedKeyPair ::= SEQUENCE { CertifiedKeyPair ::= SEQUENCE {
certOrEncCert CertOrEncCert, certOrEncCert CertOrEncCert,
privateKey [0] EncryptedKey OPTIONAL, privateKey [0] EncryptedKey OPTIONAL,
-- see [CRMF] for comment on encoding -- see [CRMF] for comment on encoding
-- Changed from Encrypted Value to EncryptedKey as a CHOICE of -- Changed from Encrypted Value to EncryptedKey as a CHOICE of
-- EncryptedValue and EnvelopedData due to the changes made in -- EncryptedValue and EnvelopedData due to the changes made in
-- this document -- CMP Updates [thisRFC]
-- Using the choice EncryptedValue is bit-compatible to the -- Using the choice EncryptedValue is bit-compatible to the
-- syntax without this change -- syntax without this change
publicationInfo [1] PKIPublicationInfo OPTIONAL publicationInfo [1] PKIPublicationInfo OPTIONAL
} }
CertOrEncCert ::= CHOICE { CertOrEncCert ::= CHOICE {
certificate [0] CMPCertificate, certificate [0] CMPCertificate,
encryptedCert [1] EncryptedKey encryptedCert [1] EncryptedKey
-- Changed from Encrypted Value to EncryptedKey as a CHOICE of -- Changed from Encrypted Value to EncryptedKey as a CHOICE of
-- EncryptedValue and EnvelopedData due to the changes made in -- EncryptedValue and EnvelopedData due to the changes made in
-- this document -- CMP Updates [thisRFC]
-- Using the choice EncryptedValue is bit-compatible to the -- Using the choice EncryptedValue is bit-compatible to the
-- syntax without this change -- syntax without this change
} }
KeyRecRepContent ::= SEQUENCE { KeyRecRepContent ::= SEQUENCE {
status PKIStatusInfo, status PKIStatusInfo,
newSigCert [0] CMPCertificate OPTIONAL, newSigCert [0] CMPCertificate OPTIONAL,
caCerts [1] SEQUENCE SIZE (1..MAX) OF caCerts [1] SEQUENCE SIZE (1..MAX) OF
CMPCertificate OPTIONAL, CMPCertificate OPTIONAL,
keyPairHist [2] SEQUENCE SIZE (1..MAX) OF keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
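Review bot: In the comments under privateKey and encryptedCert, "Changed from Encrypted Value to EncryptedKey" names a type that does not exist; the type is EncryptedValue, as the following comment line spells it. Since these comment lines are being edited anyway, write "Changed from EncryptedValue to EncryptedKey" and "bit-compatible with", so that a reader searching the module for the type name finds every mention.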
skipping to change at page 26, line 17 skipping to change at page 28, line 14
certHash OCTET STRING, certHash OCTET STRING,
-- the hash of the certificate, using the same hash algorithm -- the hash of the certificate, using the same hash algorithm
-- as is used to create and verify the certificate signature -- as is used to create and verify the certificate signature
certReqId INTEGER, certReqId INTEGER,
-- to match this confirmation with the corresponding req/rep -- to match this confirmation with the corresponding req/rep
statusInfo PKIStatusInfo OPTIONAL statusInfo PKIStatusInfo OPTIONAL
} }
PKIConfirmContent ::= NULL PKIConfirmContent ::= NULL
-- Added in CMP Updates [thisRFC]
RootCaKeyUpdateContent ::= SEQUENCE {
newWithNew CMPCertificate
-- new root CA certificate
newWithOld [0] CMPCertificate OPTIONAL,
-- X.509 certificate containing the new public root CA key
-- signed with the old private root CA key
oldWithNew [1] CMPCertificate OPTIONAL
-- old root CA key certificate
}
-- Added in CMP Updates [thisRFC]
CertReqTemplateContent ::= SEQUENCE {
certTemplate CertTemplate,
-- prefilled certTemplate structure elements
rsaKeyLen INTEGER OPTIONAL
-- Any reasonable RSA key length, if subjectPublicKeyInfo
-- of the certTemplate has the OID rsaEncryption.
}
InfoTypeAndValue ::= SEQUENCE { InfoTypeAndValue ::= SEQUENCE {
infoType OBJECT IDENTIFIER, infoType OBJECT IDENTIFIER,
infoValue ANY DEFINED BY infoType OPTIONAL infoValue ANY DEFINED BY infoType OPTIONAL
} }
-- Example InfoTypeAndValue contents include, but are not limited -- Example InfoTypeAndValue contents include, but are not limited
-- to, the following (un-comment in this ASN.1 module and use as -- to, the following (un-comment in this ASN.1 module and use as
-- appropriate for a given environment): -- appropriate for a given environment):
-- --
-- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1} -- id-it-caProtEncCert OBJECT IDENTIFIER ::= {id-it 1}
-- CAProtEncCertValue ::= CMPCertificate -- CAProtEncCertValue ::= CMPCertificate
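Review bot: RootCaKeyUpdateContent does not parse as written: its first component, newWithNew CMPCertificate, has no trailing comma before newWithOld [0]. Add the comma. The comment on oldWithNew ("old root CA key certificate") also omits the signing relationship that the newWithOld comment spells out; stating that it carries the old public root CA key signed with the new private root CA key would make clear which key a relying party validates it against.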
skipping to change at page 26, line 47 skipping to change at page 29, line 18
-- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
-- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER -- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
-- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
-- KeyPairParamReqValue ::= OBJECT IDENTIFIER -- KeyPairParamReqValue ::= OBJECT IDENTIFIER
-- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
-- KeyPairParamRepValue ::= AlgorithmIdentifer -- KeyPairParamRepValue ::= AlgorithmIdentifer
-- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
-- RevPassphraseValue ::= EncryptedKey -- RevPassphraseValue ::= EncryptedKey
-- -- Changed from Encrypted Value to EncryptedKey as a CHOICE -- -- Changed from Encrypted Value to EncryptedKey as a CHOICE
-- -- of EncryptedValue and EnvelopedData due to the changes -- -- of EncryptedValue and EnvelopedData due to the changes
-- -- made in this document -- -- made in CMP Updates [thisRFC]
-- -- Using the choice EncryptedValue is bit-compatible to the -- -- Using the choice EncryptedValue is bit-compatible to the
-- -- syntax without this change -- -- syntax without this change
-- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
-- ImplicitConfirmValue ::= NULL -- ImplicitConfirmValue ::= NULL
-- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
-- ConfirmWaitTimeValue ::= GeneralizedTime -- ConfirmWaitTimeValue ::= GeneralizedTime
-- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
-- OrigPKIMessageValue ::= PKIMessages -- OrigPKIMessageValue ::= PKIMessages
-- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
-- SuppLangTagsValue ::= SEQUENCE OF UTF8String -- SuppLangTagsValue ::= SEQUENCE OF UTF8String
-- id-it-caCerts OBJECT IDENTIFIER ::= { id-it 17}
-- CaCertsValue ::= SEQUENCE OF CMPCertificate
-- -- id-it-caCerts added in CMP Updates [thisRFC]
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= { id-it 18}
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
-- -- id-it-rootCaKeyUpdate added in CMP Updates [thisRFC]
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= { id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent
-- -- id-it-certReqTemplate added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-- --
-- --
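Review bot: CaCertsValue is declared as SEQUENCE OF CMPCertificate with no size constraint, while caCerts in KeyRecRepContent in this same module uses SEQUENCE SIZE (1..MAX) OF CMPCertificate. Either add SIZE (1..MAX) or say in the comment what an empty list means, so that a client does not have to guess whether an empty value means "no CA certificates available" or is an error. Minor style point: the three new assignments are written { id-it 17} with a space after the opening brace only, where the existing entries use {id-it 16}.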
skipping to change at page 28, line 11 skipping to change at page 30, line 39
} }
PollRepContent ::= SEQUENCE OF SEQUENCE { PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER, certReqId INTEGER,
checkAfter INTEGER, -- time in seconds checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL reason PKIFreeText OPTIONAL
} }
-- --
-- Extended Key Usage extension for PKI entities used in CMP -- Extended Key Usage extension for PKI entities used in CMP
-- operations, added due to the changes made in this document -- operations, added due to the changes made in
-- CMP Updates [thisRFC]
-- The EKUs for the CA and RA are reused from CMC as defined in -- The EKUs for the CA and RA are reused from CMC as defined in
-- [RFC6402] -- [RFC6402]
-- --
-- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END -- of CMP module END -- of CMP module
skipping to change at page 29, line 37 skipping to change at page 32, line 19
mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkcs10-2009(69)}
-- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
-- tags). Alternatively, implementers may directly include -- tags). Alternatively, implementers may directly include
-- the [PKCS10] syntax in this module -- the [PKCS10] syntax in this module
localKeyId localKeyId
FROM PKCS-9 FROM PKCS-9
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
modules(0) pkcs-9(1)} modules(0) pkcs-9(1)}
-- The import of localKeyId is added due to the updates made in -- The import of localKeyId is added due to the updates made in
-- this document -- CMP Updates [thisRFC]
EnvelopedData, SignedData EnvelopedData, SignedData
FROM CryptographicMessageSyntax-2009 FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-2004-02(41)} smime(16) modules(0) id-mod-cms-2004-02(41)}
-- The import of EnvelopedData and SignedData is added due to -- The import of EnvelopedData and SignedData is added due to
-- the updates made in this document -- the updates made in CMP Updates [thisRFC]
; ;
-- the rest of the module contains locally defined OIDs and -- the rest of the module contains locally defined OIDs and
-- constructs -- constructs
CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... } CMPCertificate ::= CHOICE { x509v3PKCert Certificate, ... }
-- This syntax, while bits-on-the-wire compatible with the -- This syntax, while bits-on-the-wire compatible with the
-- standard X.509 definition of "Certificate", allows the -- standard X.509 definition of "Certificate", allows the
-- possibility of future certificate types (such as X.509 -- possibility of future certificate types (such as X.509
-- attribute certificates, WAP WTLS certificates, or other kinds -- attribute certificates, WAP WTLS certificates, or other kinds
skipping to change at page 36, line 5 skipping to change at page 38, line 36
-- analogous to the id-regInfo-utf8Pairs string defined -- analogous to the id-regInfo-utf8Pairs string defined
-- for regInfo in CertReqMsg [RFC4211] -- for regInfo in CertReqMsg [RFC4211]
} }
CertifiedKeyPair ::= SEQUENCE { CertifiedKeyPair ::= SEQUENCE {
certOrEncCert CertOrEncCert, certOrEncCert CertOrEncCert,
privateKey [0] EncryptedKey OPTIONAL, privateKey [0] EncryptedKey OPTIONAL,
-- see [RFC4211] for comment on encoding -- see [RFC4211] for comment on encoding
-- Changed from Encrypted Value to EncryptedKey as a CHOICE of -- Changed from Encrypted Value to EncryptedKey as a CHOICE of
-- EncryptedValue and EnvelopedData due to the changes made in -- EncryptedValue and EnvelopedData due to the changes made in
-- this document -- CMP Updates [thisRFC]
-- Using the choice EncryptedValue is bit-compatible to the -- Using the choice EncryptedValue is bit-compatible to the
-- syntax without this change -- syntax without this change
publicationInfo [1] PKIPublicationInfo OPTIONAL } publicationInfo [1] PKIPublicationInfo OPTIONAL }
CertOrEncCert ::= CHOICE { CertOrEncCert ::= CHOICE {
certificate [0] CMPCertificate, certificate [0] CMPCertificate,
encryptedCert [1] EncryptedKey encryptedCert [1] EncryptedKey
-- Changed from Encrypted Value to EncryptedKey as a CHOICE of -- Changed from Encrypted Value to EncryptedKey as a CHOICE of
-- EncryptedValue and EnvelopedData due to the changes made in -- EncryptedValue and EnvelopedData due to the changes made in
-- this document -- CMP Updates [thisRFC]
-- Using the choice EncryptedValue is bit-compatible to the -- Using the choice EncryptedValue is bit-compatible to the
-- syntax without this change -- syntax without this change
} }
KeyRecRepContent ::= SEQUENCE { KeyRecRepContent ::= SEQUENCE {
status PKIStatusInfo, status PKIStatusInfo,
newSigCert [0] CMPCertificate OPTIONAL, newSigCert [0] CMPCertificate OPTIONAL,
caCerts [1] SEQUENCE SIZE (1..MAX) OF caCerts [1] SEQUENCE SIZE (1..MAX) OF
CMPCertificate OPTIONAL, CMPCertificate OPTIONAL,
keyPairHist [2] SEQUENCE SIZE (1..MAX) OF keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
skipping to change at page 37, line 20 skipping to change at page 40, line 4
status PKIStatus, status PKIStatus,
certId CertId, certId CertId,
willBeRevokedAt GeneralizedTime, willBeRevokedAt GeneralizedTime,
badSinceDate GeneralizedTime, badSinceDate GeneralizedTime,
crlDetails Extensions{{...}} OPTIONAL crlDetails Extensions{{...}} OPTIONAL
-- extra CRL details (e.g., crl number, reason, location, etc.) -- extra CRL details (e.g., crl number, reason, location, etc.)
} }
CRLAnnContent ::= SEQUENCE OF CertificateList CRLAnnContent ::= SEQUENCE OF CertificateList
PKIConfirmContent ::= NULL PKIConfirmContent ::= NULL
NestedMessageContent ::= PKIMessages NestedMessageContent ::= PKIMessages
-- Added in CMP Updates [thisRFC]
RootCaKeyUpdateContent ::= SEQUENCE {
newWithNew CMPCertificate
-- new root CA certificate
newWithOld [0] CMPCertificate OPTIONAL,
-- X.509 certificate containing the new public root CA key
-- signed with the old private root CA key
oldWithNew [1] CMPCertificate OPTIONAL
-- old root CA key certificate
}
-- Added in CMP Updates [thisRFC]
CertReqTemplateContent ::= SEQUENCE {
certTemplate CertTemplate,
-- prefilled certTemplate structure elements
rsaKeyLen INTEGER OPTIONAL
-- Any reasonable RSA key length, if subjectPublicKeyInfo
-- of the certTemplate has the OID rsaEncryption.
}
INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER INFO-TYPE-AND-VALUE ::= TYPE-IDENTIFIER
InfoTypeAndValue ::= SEQUENCE { InfoTypeAndValue ::= SEQUENCE {
infoType INFO-TYPE-AND-VALUE. infoType INFO-TYPE-AND-VALUE.
&id({SupportedInfoSet}), &id({SupportedInfoSet}),
infoValue INFO-TYPE-AND-VALUE. infoValue INFO-TYPE-AND-VALUE.
&Type({SupportedInfoSet}{@infoType}) } &Type({SupportedInfoSet}{@infoType}) }
SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... } SupportedInfoSet INFO-TYPE-AND-VALUE ::= { ... }
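Review bot: rsaKeyLen in CertReqTemplateContent is an unconstrained INTEGER documented only as "Any reasonable RSA key length", so zero and negative values are valid encodings and "reasonable" is left to each implementation. Constrain it, for example INTEGER (1..MAX), and state that the receiver checks the value against its own minimum key size before generating a key from the template, since the value is supplied by the peer. The comment also does not say what an absent rsaKeyLen means when the template's algorithm is rsaEncryption. In the same hunk, newWithNew CMPCertificate in RootCaKeyUpdateContent is missing its trailing comma.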
skipping to change at page 38, line 13 skipping to change at page 41, line 18
-- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7} -- id-it-unsupportedOIDs OBJECT IDENTIFIER ::= {id-it 7}
-- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER -- UnsupportedOIDsValue ::= SEQUENCE OF OBJECT IDENTIFIER
-- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10} -- id-it-keyPairParamReq OBJECT IDENTIFIER ::= {id-it 10}
-- KeyPairParamReqValue ::= OBJECT IDENTIFIER -- KeyPairParamReqValue ::= OBJECT IDENTIFIER
-- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11} -- id-it-keyPairParamRep OBJECT IDENTIFIER ::= {id-it 11}
-- KeyPairParamRepValue ::= AlgorithmIdentifer -- KeyPairParamRepValue ::= AlgorithmIdentifer
-- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12} -- id-it-revPassphrase OBJECT IDENTIFIER ::= {id-it 12}
-- RevPassphraseValue ::= EncryptedKey -- RevPassphraseValue ::= EncryptedKey
-- -- Changed from Encrypted Value to EncryptedKey as a CHOICE -- -- Changed from Encrypted Value to EncryptedKey as a CHOICE
-- -- of EncryptedValue and EnvelopedData due to the changes -- -- of EncryptedValue and EnvelopedData due to the changes
-- -- made in this document -- -- made in CMP Updates [thisRFC]
-- -- Using the choice EncryptedValue is bit-compatible to -- -- Using the choice EncryptedValue is bit-compatible to
-- -- the syntax without this change -- -- the syntax without this change
-- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13} -- id-it-implicitConfirm OBJECT IDENTIFIER ::= {id-it 13}
-- ImplicitConfirmValue ::= NULL -- ImplicitConfirmValue ::= NULL
-- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14} -- id-it-confirmWaitTime OBJECT IDENTIFIER ::= {id-it 14}
-- ConfirmWaitTimeValue ::= GeneralizedTime -- ConfirmWaitTimeValue ::= GeneralizedTime
-- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15} -- id-it-origPKIMessage OBJECT IDENTIFIER ::= {id-it 15}
-- OrigPKIMessageValue ::= PKIMessages -- OrigPKIMessageValue ::= PKIMessages
-- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16} -- id-it-suppLangTags OBJECT IDENTIFIER ::= {id-it 16}
-- SuppLangTagsValue ::= SEQUENCE OF UTF8String -- SuppLangTagsValue ::= SEQUENCE OF UTF8String
-- id-it-caCerts OBJECT IDENTIFIER ::= { id-it 17}
-- CaCertsValue ::= SEQUENCE OF CMPCertificate
-- -- id-it-caCerts added in CMP Updates [thisRFC]
-- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= { id-it 18}
-- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent
-- -- id-it-rootCaKeyUpdate added in CMP Updates [thisRFC]
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= { id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent
-- -- id-it-certReqTemplate added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
-- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- id-it OBJECT IDENTIFIER ::= {id-pkix 4}
-- --
-- --
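Review bot: The three new info types are added here only as commented-out assignments, and CaCertsValue exists nowhere outside a comment, so a decoder generated from this module has no binding from id-it-caCerts, id-it-rootCaKeyUpdate or id-it-certReqTemplate to a value type while SupportedInfoSet stays { ... }. Consider giving the new entries real definitions in the INFO-TYPE-AND-VALUE class, or note in the comment that implementers are expected to add them to SupportedInfoSet themselves. CaCertsValue is also unconstrained here, whereas caCerts in KeyRecRepContent uses SEQUENCE SIZE (1..MAX) OF.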
skipping to change at page 39, line 33 skipping to change at page 42, line 47
PollReqContent ::= SEQUENCE OF SEQUENCE { PollReqContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER } certReqId INTEGER }
PollRepContent ::= SEQUENCE OF SEQUENCE { PollRepContent ::= SEQUENCE OF SEQUENCE {
certReqId INTEGER, certReqId INTEGER,
checkAfter INTEGER, -- time in seconds checkAfter INTEGER, -- time in seconds
reason PKIFreeText OPTIONAL } reason PKIFreeText OPTIONAL }
-- --
-- Extended Key Usage extension for PKI entities used in CMP -- Extended Key Usage extension for PKI entities used in CMP
-- operations, added due to the changes made in this document -- operations, added due to the changes made in
-- CMP Updates [thisRFC]
-- The EKUs for the CA and RA are reused from CMC as defined in -- The EKUs for the CA and RA are reused from CMC as defined in
-- [RFC6402] -- [RFC6402]
-- --
-- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of changes Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
skipping to change at page 39, line 49 skipping to change at page 43, line 15
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of changes Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 03 -> 04:
o Added Section 2.7 to introduce three new id-it IDs for uses in
general messages as discussed (see thread "draft-ietf-lamps-cmp-
updates add section to introduce id-it-caCerts, id-it-
rootCaKeyUpdate, and id-it-certReqTemplate")
o Added the new id-it IDs and the /.well-known/cmp to the IANA
Considerations of [RFC4210] in Section 2.9
o Updated the IANA Considerations of [RFC4210] in Section 2.10
o Some changes in wording on Section 3 due to review comments from
Martin Peylo
From version 02 -> 03: From version 02 -> 03:
o Added a ToDo on aligning with the CMP Algorithms draft that will o Added a ToDo on aligning with the CMP Algorithms draft that will
be set up as decided in IETF 108 be set up as decided in IETF 108
o Updated section on Encrypted Values in Section 2.4 to add the o Updated section on Encrypted Values in Section 2.4 to add the
AsymmetricKey Package structure to transport a newly generated AsymmetricKey Package structure to transport a newly generated
private key as decided in IETF 108 private key as decided in IETF 108
o Updated the IANA Considerations of [RFC4210] in Section 2.9 o Updated the IANA Considerations of [RFC4210] in Section 2.10
o Added the pre-registered OID in Section 2.9 and the ASN.1 module o Added the pre-registered OID in Section 2.10 and the ASN.1 module
o Added Section 3Section 3 to document the changes to RFC 6712 o Added Section 3 to document the changes to RFC 6712 [RFC6712]
[RFC6712] regarding URI discovery and using the path-prefix of regarding URI discovery and using the path-prefix of '/.well-
'/.well-known/' as discussed in IETF 108 known/' as discussed in IETF 108
o Updated the IANA Considerations section o Updated the IANA Considerations section
o Added a complete updated ASN.1 module in 1988 syntax to update o Added a complete updated ASN.1 module in 1988 syntax to update
Appendix F of [RFC4210] and a complete updated ASN.1 module in Appendix F of [RFC4210] and a complete updated ASN.1 module in
2002 syntax to update Section 9 of [RFC5912] 2002 syntax to update Section 9 of [RFC5912]
o Minor changes in wording o Minor changes in wording
From version 01 -> 02: From version 01 -> 02:
o Updated section on EKU OIDs in Section 2.2 as decided in IETF 107 o Updated section on EKU OIDs in Section 2.2 as decided in IETF 107
o Changed from symmetric key-encryption to password-based key o Changed from symmetric key-encryption to password-based key
management technique in Section 2.4 as discussed with Russ and Jim management technique in Section 2.4 as discussed with Russ and Jim
on the mailing list on the mailing list
o Defined the attribute containing the key identifier for the o Defined the attribute containing the key identifier for the
revocation passphrase in Section 2.9 revocation passphrase in Section 2.10
o Moved the change history to the Appendix o Moved the change history to the Appendix
From version 00 -> 01: From version 00 -> 01:
o Minor changes in wording o Minor changes in wording
From draft-brockhaus-lamps-cmp-updates-03 -> draft-ietf-lamps-cmp- From draft-brockhaus-lamps-cmp-updates-03 -> draft-ietf-lamps-cmp-
updates-00: updates-00:
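Review bot: The new 03 -> 04 entry places "/.well-known/cmp" under the IANA Considerations of [RFC4210] in Section 2.9, but the 02 -> 03 entries in this same hunk were renumbered so that the RFC 4210 IANA text is Section 2.10, and the '/.well-known/' path prefix is described there as a change to RFC 6712 in Section 3. Check whether the first of the two adjacent IANA bullets should point to the document's general IANA Considerations section instead, and whether "Section 2.9" and "Section 2.10" both still refer to what they name after Section 2.7 was inserted.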
 End of changes. 48 change blocks. 
72 lines changed or deleted 227 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/