summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2797.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2797.txt')
-rw-r--r--doc/rfc/rfc2797.txt2635
1 files changed, 2635 insertions, 0 deletions
diff --git a/doc/rfc/rfc2797.txt b/doc/rfc/rfc2797.txt
new file mode 100644
index 0000000..22b8184
--- /dev/null
+++ b/doc/rfc/rfc2797.txt
@@ -0,0 +1,2635 @@
+
+
+
+
+
+
+Network Working Group M. Myers
+Request for Comments: 2797 VeriSign
+Category: Standards Track X. Liu
+ Cisco
+ J. Schaad
+ Microsoft
+ J. Weinstein
+ April 2000
+
+
+ Certificate Management Messages over CMS
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document defines a Certificate Management protocol using CMS
+ (CMC). This protocol addresses two immediate needs within the
+ Internet PKI community:
+
+ 1. The need for an interface to public key certification products and
+ services based on [CMS] and [PKCS10], and
+ 2. The need in [SMIMEV3] for a certificate enrollment protocol for
+ DSA-signed certificates with Diffie-Hellman public keys.
+
+ A small number of additional services are defined to supplement the
+ core certificate request service.
+
+ Throughout this specification the term CMS is used to refer to both
+ [CMS] and [PKCS7]. For both signedData and envelopedData, CMS is a
+ superset of the PKCS7. In general, the use of PKCS7 in this document
+ is aligned to the Cryptographic Message Syntax [CMS] that provides a
+ superset of the PKCS7 syntax. The term CMC refers to this
+ specification.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+
+Myers, et al. Standards Track [Page 1]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+1. Protocol Requirements
+
+ - The protocol is to be based as much as possible on the existing
+ CMS, PKCS#10 and CRMF specifications.
+ - The protocol must support the current industry practice of a
+ PKCS#10 request followed by a PKCS#7 response as a subset of the
+ protocol.
+ - The protocol needs to easily support the multi-key enrollment
+ protocols required by S/MIME and other groups.
+ - The protocol must supply a way of doing all operations in a
+ single-round trip. When this is not possible the number of round
+ trips is to be minimized.
+ - The protocol will be designed such that all key generation can
+ occur on the client.
+ - The mandatory algorithms must superset the required algorithms for
+ S/MIME.
+ - The protocol will contain POP methods. Optional provisions for
+ multiple-round trip POP will be made if necessary.
+ - The protocol will support deferred and pending responses to
+ certificate request for cases where external procedures are
+ required to issue a certificate.
+ - The protocol needs to support arbitrary chains of local
+ registration authorities as intermediaries between certificate
+ requesters and issuers.
+
+2. Protocol Overview
+
+ An enrollment transaction in this specification is generally composed
+ of a single round trip of messages. In the simplest case an
+ enrollment request is sent from the client to the server and an
+ enrollment response is then returned from the server to the client.
+ In some more complicated cases, such as delayed certificate issuance
+ and polling for responses, more than one round trip is required.
+
+ This specification supports two different request messages and two
+ different response messages.
+
+ Public key certification requests can be based on either the PKCS10
+ or CRMF object. The two different request messages are (a) the bare
+ PKCS10 (in the event that no other services are needed), and (b) the
+ PKCS10 or CRMF message wrapped in a CMS encapsulation as part of a
+ PKIData object.
+
+ Public key certification responses are based on the CMS signedData
+ object. The response may be either (a) a degenerate CMS signedData
+ object (in the event no other services are needed), or (b) a
+ ResponseBody object wrapped in a CMS signedData object.
+
+
+
+
+Myers, et al. Standards Track [Page 2]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ No special services are provided for doing either renewal (new
+ certificates with the same key) or re-keying (new certificates on new
+ keys) of clients. Instead a renewal/re-key message looks the same as
+ any enrollment message, with the identity proof being supplied by
+ existing certificates from the CA.
+
+ A provision exists for Local Registration Authorities (LRAs) to
+ participate in the protocol by taking client enrollment messages,
+ wrapping them in a second layer of enrollment message with additional
+ requirements or statements from the LRA and then passing this new
+ expanded request on to the Certification Authority.
+
+ This specification makes no assumptions about the underlying
+ transport mechanism. The use of CMS is not meant to imply an email-
+ based transport.
+
+ Optional services available through this specification are
+ transaction management, replay detection (through nonces), deferred
+ certificate issuance, certificate revocation requests and
+ certificate/CRL retrieval.
+
+2.1 Terminology
+
+ There are several different terms, abbreviations and acronyms used in
+ this document that we define here for convenience and consistency of
+ usage:
+
+ "End-Entity" (EE) refers to the entity that owns a key pair and for
+ whom a certificate is issued.
+ "LRA" or "RA" refers to a (Local) Registration Authority. A
+ registration authority acts as an intermediary between an End-
+ Entity and a Certification Authority. Multiple RAs can exist
+ between the End-Entity and the Certification Authority.
+ "CA" refers to a Certification Authority. A Certification Authority
+ is the entity that performs the actual issuance of a certificate.
+ "Client" refers to an entity that creates a PKI request. In this
+ document both RAs and End-Entities can be clients.
+ "Server" refers to the entities that process PKI requests and create
+ PKI responses. CAs and RAs can be servers in this document.
+ "PKCS#10" refers the Public Key Cryptography Standard #10. This is
+ one of a set of standards defined by RSA Laboratories in the
+ 1980s. PKCS#10 defines a Certificate Request Message syntax.
+ "CRMF" refers to the Certificate Request Message Format RFC [CRMF].
+ We are using certificate request message format defined in this
+ document as part of our management protocol.
+ "CMS" refers to the Cryptographic Message Syntax RFC [CMS]. This
+ document provides for basic cryptographic services including
+ encryption and signing with and without key management.
+
+
+
+Myers, et al. Standards Track [Page 3]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ "POP" is an acronym for "Proof of Possession". POP refers to a value
+ that can be used to prove that the private key corresponding to a
+ public key is in the possession and can be used by an end-entity.
+ "Transport wrapper" refers to the outermost CMS wrapping layer.
+
+2.2 Protocol Flow Charts
+
+ Figure 1 shows the Simple Enrollment Request and Response messages.
+ The contents of these messages are detailed in Sections 4.1 and 4.3
+ below.
+
+ Simple PKI Request Simple PKI Response
+ ------------------------- --------------------------
+
+ +----------+ +------------------+
+ | PKCS #10 | | CMS "certs-only" |
+ +----------+--------------+ | message |
+ | | +------------------+------+
+ | Certificate Request | | |
+ | | | CMS Signed Data, |
+ | Subject Name | | no signerInfo |
+ | Subject Public Key Info | | |
+ | (K_PUB) | | signedData contains one |
+ | Attributes | | or more certificates in |
+ | | | the "certificates" |
+ +-----------+-------------+ | portion of the |
+ | signed with | | signedData. |
+ | matching | | |
+ | K_PRIV | | encapsulatedContentInfo |
+ +-------------+ | is empty. |
+ | |
+ +--------------+----------+
+ | unsigned |
+ +----------+
+
+ Figure 1: Simple PKI Request and Response Messages
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 4]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ Full PKI Request Full PKI Response
+ ----------------------- ------------------------
+
+ +----------------+ +----------------+
+ | CMS signedData | | CMS signedData |
+ | object | | object |
+ +----------------+--------+ +----------------+--------+
+ | | | |
+ | PKIData object | | ResponseBody object |
+ | | | |
+ | Sequence of: | | Sequence of: |
+ | <enrollment attribute>* | | <enrollment attribute>* |
+ | <certification request>*| | <CMS object>* |
+ | <CMS objects>* | | <other message>* |
+ | <other message>* | | |
+ | | | where * == zero or more |
+ | where * == zero or more | | |
+ | | | All certificates issued |
+ | Certificate requests | | as part of the response |
+ | are CRMF or PKCS#10 | | are included in the |
+ | objects. Attributes are | | "certificates" portion |
+ | (OID, ANY defined by | | of the signedData. |
+ | OID) pairs. | | Relevant CA certs and |
+ | | | CRLs can be included as |
+ +-------+-----------------+ | well. |
+ | signed (keypair | | |
+ | used may be pre-| +---------+---------------+
+ | existing or | | signed by the |
+ | identified in | | CA or an LRA |
+ | the request) | +---------------+
+ +-----------------+
+
+ Figure 2: Full PKI Request and Response Messages
+
+ Figure 2 shows the Full Enrollment Request and Response messages.
+ The contents of these messages are detailed in Sections 4.2 and 4.4
+ below.
+
+3. Protocol Elements
+
+ This section covers each of the different elements that may be used
+ to construct enrollment request and enrollment response messages.
+ Section 4 will cover how to build the enrollment request and response
+ messages.
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 5]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+3.1 PKIData Object
+
+ The new content object PKIData has been defined for this protocol.
+ This new object is used as the body of the full PKI request message.
+ The new body is identified by:
+
+ id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }
+
+ The ASN.1 structure corresponding to this new content type is:
+
+ PKIData ::= SEQUENCE {
+ controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
+ reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest,
+ cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
+ otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
+ }
+
+ -- controlSequence consists of a sequence of control attributes. The
+ control attributes defined in this document are found in section 5.
+ As control sequences are defined by OIDs, other parties can define
+ additional control attributes. Unrecognized OIDs MUST result in no
+ part of the request being successfully processed.
+
+ -- reqSequence consists of a sequence of certificate requests. The
+ certificate requests can be either a CertificateRequest (PKCS10
+ request) or a CertReqMsg. Details on each of these request types are
+ found in sections 3.3.1 and 3.3.2 respectively.
+
+ -- cmsSequence consists of a sequence of [CMS] message objects. This
+ protocol only uses EnvelopedData, SignedData and EncryptedData. See
+ section 3.6 for more details.
+
+ -- otherMsgSequence allows for other arbitrary data items to be
+ placed into the enrollment protocol. The {OID, any} pair of values
+ allows for arbitrary definition of material. Data objects are placed
+ here while control objects are placed in the controlSequence field.
+ See section 3.7 for more details.
+
+3.2 ResponseBody Object
+
+ The new content object ResponseBody has been defined for this
+ protocol. This new object is used as the body of the full PKI
+ response message. The new body is identified by:
+
+ id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 6]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ The ASN.1 structure corresponding to this body content type is:
+
+ ResponseBody ::= SEQUENCE {
+ controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
+ cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
+ otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
+ }
+
+ -- controlSequence consists of a sequence of control attributes. The
+ control attributes defined in this document are found in section 3.5.
+ Other parties can define additional control attributes.
+
+ -- cmsSequence consists of a sequence of [CMS] message objects. This
+ protocol only uses EnvelopedData, SignedData and EncryptedData. See
+ section 3.6 for more details.
+
+ -- otherMsgSequence allows for other arbitrary items to be placed
+ into the enrollment protocol. The {OID, any} pair of values allows
+ for arbitrary definition of material. Data objects are placed here
+ while control objects are placed in the controlSequence field. See
+ section 3.7 for more details.
+
+3.3 Certification Requests (PKCS10/CRMF)
+
+ Certification Requests are based on either PKCS10 or CRMF messages.
+ Section 3.3.1 specifies mandatory and optional requirements for
+ clients and servers dealing with PKCS10 request messages. Section
+ 3.3.2 specifies mandatory and optional requirements for clients and
+ servers dealing with CRMF request messages.
+
+3.3.1 PKCS10 Request Body
+
+ Servers MUST be able to understand and process PKCS10 request bodies.
+ Clients MUST produce a PKCS10 request body when using the Simple
+ Enrollment Request message. Clients MAY produce a PKCS10 request body
+ when using the Full Enrollment Request message.
+
+ When producing a PKCS10 request body, clients MUST produce a PKCS10
+ message body containing a subject name and public key. Some
+ certification products are operated using a central repository of
+ information to assign subject names upon receipt of a public key for
+ certification. To accommodate this mode of operation, the subject
+ name in a CertificationRequest MAY be NULL, but MUST be present. CAs
+ that receive a CertificationRequest with a NULL subject name MAY
+ reject such requests. If rejected and a response is returned, the CA
+ MUST respond with the failInfo attribute of badRequest.
+
+
+
+
+
+Myers, et al. Standards Track [Page 7]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ The client MAY incorporate one or more standard X.509 v3 extensions
+ in any PKCS10 request as an ExtensionReq attribute. An ExtensionReq
+ attribute is defined as
+
+ ExtensionReq ::= SEQUENCE OF Extension
+
+ where Extension is imported from [PKIXCERT] and ExtensionReq is
+ identified by {pkcs-9 14}.
+
+ Servers MUST be able to process all extensions defined in [PKIXCERT].
+ Servers are not required to be able to process other V3 X.509
+ extensions transmitted using this protocol, nor are they required to
+ be able to process other, private extensions. Servers are not
+ required to put all client-requested extensions into a certificate.
+ Servers are permitted to modify client-requested extensions. Servers
+ MUST NOT alter an extension so as to invalidate the original intent
+ of a client-requested extension. (For example changing key usage
+ from key exchange to signing.) If a certification request is denied
+ due to the inability to handle a requested extension and a response
+ is returned, the server MUST respond with the failInfo attribute of
+ unsupportedExt.
+
+3.3.2 CRMF Request Body
+
+ Servers MUST be able to understand and process CRMF request body.
+ Clients MAY produce a CRMF message body when using the Full
+ Enrollment Request message.
+
+ This memo imposes the following additional changes on the
+ construction and processing of CRMF messages:
+
+ - When CRMF message bodies are used in the Full Enrollment Request
+ message, each CRMF message MUST include both the subject and
+ publicKey fields in the CertTemplate. As in the case of PKCS10
+ requests, the subject may be encoded as NULL, but MUST be present.
+ - In general, when both CRMF and CMC controls exist with equivalent
+ functionality, the CMC control SHOULD be used. The CMC control
+ MUST override any CRMF control.
+ - The regInfo field MUST NOT be used on a CRMF message. Equivalent
+ functionality is provided in the regInfo control attribute
+ (section 5.12).
+ - The indirect method of proving POP is not supported in this
+ protocol. One of the other methods (including the direct method
+ described in this document) MUST be used instead if POP is
+ desired. The value of encrCert in SubsequentMessage MUST NOT be
+ used.
+
+
+
+
+
+Myers, et al. Standards Track [Page 8]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ - Since the subject and publicKeyValues are always present, the
+ POPOSigningKeyInput MUST NOT be used when computing the value for
+ POPSigningKey.
+
+ A server is not required to use all of the values suggested by the
+ client in the certificate template. Servers MUST be able to process
+ all extensions defined in [PXIXCERT]. Servers are not required to be
+ able to process other V3 X.509 extension transmitted using this
+ protocol, nor are they required to be able to process other, private
+ extensions. Servers are permitted to modify client-requested
+ extensions. Servers MUST NOT alter an extension so as to invalidate
+ the original intent of a client-requested extension. (For example
+ change key usage from key exchange to signing.) If a certificate
+ request is denied due to the inability to handle a requested
+ extension, the server MUST respond with a failInfo attribute of
+ unsupportedExt.
+
+3.3.3 Production of Diffie-Hellman Public Key Certification Requests
+
+ Part of a certification request is a signature over the request;
+ Diffie-Hellman is a key agreement algorithm and cannot be used to
+ directly produce the required signature object. [DH-POP] provides
+ two ways to produce the necessary signature value. This document
+ also defines a signature algorithm that does not provide a POP value,
+ but can be used to produce the necessary signature value.
+
+3.3.3.1 No-Signature Signature Mechanism
+
+ Key management (encryption/decryption) private keys cannot always be
+ used to produce some type of signature value as they can be in a
+ decrypt only device. Certification requests require that the
+ signature field be populated. This section provides a signature
+ algorithm specifically for that purposes. The following object
+ identifier and signature value are used to identify this signature
+ type:
+
+ id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
+
+ NoSignatureValue ::= OCTET STRING
+
+ The parameters for id-alg-noSignature MUST be present and MUST be
+ encoded as NULL. NoSignatureValue contains the hash of the
+ certification request. It is important to realize that there is no
+ security associated with this signature type. If this signature type
+ is on a certification request and the Certification Authority policy
+ requires proof-of-possession of the private key, the POP mechanism
+ defined in section 5.7 MUST be used.
+
+
+
+
+Myers, et al. Standards Track [Page 9]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+3.3.3.2 Diffie-Hellman POP Signature
+
+ CMC compliant implementations MUST support section 5 of [DH-POP].
+
+3.3.3.3 Diffie-Hellman MAC signature
+
+ CMC compliant implementations MAY support section 4 of [DH-POP].
+
+3.4 Body Part Identifiers
+
+ Each element of a PKIData or PKIResponse message has an associated
+ body part identifier. The Body Part Identifier is a 4-octet integer
+ encoded in the certReqIds field for CertReqMsg objects (in a
+ TaggedRequest) or in the bodyPartId field of the other objects. The
+ Body Part Identifier MUST be unique within a single PKIData or
+ PKIResponse object. Body Part Identifiers can be duplicated in
+ different layers (for example a CMC message embedded within another).
+ The Body Part Id of zero is reserved to designate the current PKIData
+ object. This value is used in control attributes such as the Add
+ Extensions Control in the pkiDataReference field to refer to a
+ request in the current PKIData object.
+
+ Some control attribute, such as the CMC Status Info attribute, will
+ also use Body Part Identifiers to refer to elements in the previous
+ message. This allows an error to be explicit about the attribute or
+ request to which the error applies.
+
+3.5 Control Attributes
+
+ The overall control flow of how a message is processed in this
+ document is based on the control attributes. Each control attribute
+ consists of an object identifier and a value based on the object
+ identifier.
+
+ Servers MUST fail the processing of an entire PKIData message if any
+ included control attribute is not recognized. The response MUST be
+ the error badRequest and bodyList MUST contain the bodyPartID of the
+ invalid or unrecognized control attribute.
+
+ The syntax of a control attribute is
+
+ TaggedAttribute ::= SEQUENCE {
+ bodyPartID BodyPartId,
+ attrType OBJECT IDENTIFIER,
+ attrValues SET OF AttributeValue
+ }
+
+
+
+
+
+Myers, et al. Standards Track [Page 10]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ -- bodyPartId is a unique integer that is used to reference this
+ control attribute. The id of 0 is reserved for use as the
+ reference to the current PKIData object.
+
+ -- attrType is the OID defining the associated data in attrValues
+
+ -- attrValues contains the set of data values used in processing
+ the control attribute.
+
+ The set of control attributes that are defined by this memo are found
+ in section 5.
+
+3.6 Content Info objects
+
+ The cmsSequence field of the PKIRequest and PKIResponse messages
+ contains zero or more tagged content info objects. The syntax for
+ this structure is
+
+ TaggedContentInfo ::= SEQUENCE {
+ bodyPartID BodyPartId,
+ contentInfo ContentInfo
+ }
+
+ -- bodyPartId is a unique integer that is used to reference this
+ content info object. The id of 0 is reserved for use as the
+ reference to the current PKIData object.
+
+ -- contentInfo contains a ContentInfo object (defined in [CMS]).
+ The three contents used in this location are SignedData,
+ EnvelopedData and Data.
+
+ EnvelopedData provides for shrouding of data. Data allows for
+ general transport of unstructured data.
+
+ The SignedData object from [CMS] is also used in this specification
+ to provide for authentication as well as serving as the general
+ transport wrapper of requests and responses.
+
+3.6.1 Signed Data
+
+ The signedData object is used in two different locations when
+ constructing enrollment messages. The signedData object is used as a
+ wrapper for a PKIData as part of the enrollment request message. The
+ signedData object is also used as the outer part of an enrollment
+ response message.
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 11]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ For the enrollment response the signedData wrapper allows the server
+ to sign the returning data, if any exists, and to carry the
+ certificates and CRLs for the enrollment request. If no data is
+ being returned beyond the certificates, no signerInfo objects are
+ placed in the signedData object.
+
+3.6.2 Enveloped Data
+
+ EnvelopedData is the primary method of providing confidentiality for
+ sensitive information in this protocol. The protocol currently uses
+ EnvelopedData to provide encryption of an entire request (see section
+ 4.5). The envelopedData object would also be used to wrap private
+ key material for key archival.
+
+ Servers MUST implement envelopedData according to [CMS]. There is an
+ ambiguity (about encrypting content types other than id-data) in the
+ PKCS7 specification that has lead to non-interoperability.
+
+3.7 Other Message Bodies
+
+ The other message body portion of the message allows for arbitrary
+ data objects to be carried as part of a message. This is intended to
+ contain data that is not already wrapped in a CMS contentInfo object.
+ The data is ignored unless a control attribute references the data by
+ bodyPartId.
+
+ OtherMsg ::= SEQUENCE {
+ bodyPartID BodyPartID,
+ otherMsgType OBJECT IDENTIFIER,
+ otherMsgValue ANY DEFINED BY otherMsgType }
+
+ -- bodyPartID contains the unique id of this object
+
+ -- otherMsgType contains the OID defining both the usage of this body
+ part and the syntax of the value associated with this body part
+
+ -- otherMsgValue contains the data associated with the message body
+ part.
+
+4. PKI Messages
+
+ This section discusses the details of putting together the different
+ enrollment request and response messages.
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 12]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+4.1 Simple Enrollment Request
+
+ The simplest form of an enrollment request is a plain PKCS10 message.
+ If this form of enrollment request is used for a private key that is
+ capable of generating a signature, the PKCS10 MUST be signed with
+ that private key. If this form of the enrollment request is used for
+ a D-H key, then the D-H POP mechanism described in [DH-POP] MUST be
+ used.
+
+ Servers MUST support the Simple Enrollment Request message. If the
+ Simple Enrollment Request message is used, servers MUST return the
+ Simple Enrollment Response message (see Section 4.3) if the
+ enrollment request is granted. If the enrollment request fails, the
+ Full Enrollment Response MAY be returned or no response MAY be
+ returned.
+
+ Many advanced services specified in this memo are not supported by
+ the Simple Enrollment Request message.
+
+4.2 Full PKI Request
+
+ The Full Enrollment Request provides the most functionality and
+ flexibility. Clients SHOULD use the Full Enrollment Request message
+ when enrolling. Servers MUST support the Full Enrollment Request
+ message. An enrollment response (full or simple as appropriate) MUST
+ be returned to all Full Enrollment Requests.
+
+ The Full Enrollment Request message consists of a PKIData object
+ wrapped in a signedData CMS object. The objects in the PKIData are
+ ordered as follows:
+
+ 1. All Control Attributes,
+ 2. All certification requests,
+ 3. All CMS objects,
+ 4. All other messages.
+
+ Each element in a Full Enrollment Request is identified by a Body
+ Part Identifier. If duplicate ids are found, the server MUST return
+ the error badRequest with a bodyPartID of 0.
+
+ The signedData object wrapping the PKIData may be signed either by
+ the private key material of the signature certification request, or
+ by a previously certified signature key. If the private key of a
+ signature certification request is being used, then:
+ a) the certification request containing the corresponding public key
+ MUST include a Subject Key Identifier extension request,
+ b) the subjectKeyIdentifier form of signerInfo MUST be used, and
+
+
+
+
+Myers, et al. Standards Track [Page 13]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ c) the value of the subjectKeyIdentifier form of signerInfo MUST be
+ the Subject Key Identifier specified in the corresponding
+ certification request.
+
+ (The subjectKeyIdentifier form of signerInfo is used here because no
+ certificates have yet been issued for the signing key.) If the
+ request key is used for signing, there MUST be only one signerInfo
+ object in the signedData object.
+
+ When creating a message to renew a certificate, the following should
+ be taken into consideration:
+
+ 1. The identification and identityProof control statements are not
+ required. The same information is provided by the use of an
+ existing certificate from the CA when signing the enrollment
+ message.
+ 2. CAs and LRAs may impose additional restrictions on the signing
+ certificate used. They may require that the most recently issued
+ signing certificate for an entity be used.
+ 3. A renewal message may occur either by creating a new set of keys,
+ or by re-using an existing set of keys. Some CAs may prevent re-
+ use of keys by policy. In this case the CA MUST return NOKEYREUSE
+ as the failure code.
+
+4.3 Simple Enrollment Response
+
+ Servers SHOULD use the simple enrollment response message whenever
+ possible. Clients MUST be able to process the simple enrollment
+ response message. The simple enrollment response message consists of
+ a signedData object with no signerInfo objects on it. The
+ certificates requested are returned in the certificate bag of the
+ signedData object.
+
+ Clients MUST NOT assume the certificates are in any order. Servers
+ SHOULD include all intermediate certificates needed to form complete
+ chains to one or more self-signed certificates, not just the newly
+ issued certificate(s). The server MAY additionally return CRLs in the
+ CRL bag. Servers MAY include the self-signed certificates. Clients
+ MUST NOT implicitly trust included self-signed certificate(s) merely
+ due to its presence in the certificate bag. In the event clients
+ receive a new self-signed certificate from the server, clients SHOULD
+ provide a mechanism to enable the user to explicitly trust the
+ certificate.
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 14]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+4.4 Full PKI Response
+
+ Servers MUST return full PKI response messages if a) a full PKI
+ request message failed or b) additional services other than returning
+ certificates are required. Servers MAY return full PKI responses
+ with failure information for simple PKI requests. Following section
+ 4.3 above, servers returning only certificates and a success status
+ to the client SHOULD use the simple PKI response message.
+
+ Clients MUST be able to process a full PKI response message.
+
+ The full enrollment response message consists of a signedData object
+ encapsulating a responseBody object. In a responseBody object all
+ Control Attributes MUST precede all CMS objects. The certificates
+ granted in an enrollment response are returned in the certificates
+ field of the immediately encapsulating signedData object.
+
+ Clients MUST NOT assume the certificates are in any order. Servers
+ SHOULD include all intermediate certificates needed to form complete
+ chains one ore more self-signed certificates, not just the newly
+ issued certificate(s). The server MAY additionally return CRLs in the
+ CRL bag. Servers MAY include the self-signed certificates. Clients
+ MUST NOT implicitly trust included self-signed certificate(s) merely
+ due to its presence in the certificate bag. In the event clients
+ receive a new self-signed certificate from the server, clients SHOULD
+ provide a mechanism to enable the user to explicitly trust the
+ certificate.
+
+4.5 Application of Encryption to a PKI Message
+
+ There are occasions where a PKI request or response message must be
+ encrypted in order to prevent any information about the enrollment
+ from being accessible to unauthorized entities. This section
+ describes the means used to encrypt a PKI message. This section is
+ not applicable to a simple enrollment message.
+
+ Confidentiality is provided by wrapping the PKI message (a signedData
+ object) in a CMS EnvelopedData object. The nested content type in
+ the EnvelopedData is id-signedData. Note that this is different from
+ S/MIME where there is a MIME layer placed between the encrypted and
+ signed data objects. It is recommended that if an enveloped data
+ layer is applied to a PKI message, a second signing layer be placed
+ outside of the enveloped data layer. The following figure shows how
+ this nesting would be done:
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 15]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ Normal Option 1 Option 2
+ ------ -------- --------
+ SignedData EnvelopedData SignedData
+ PKIData SignedData EnvelopedData
+ PKIData SignedData
+ PKIData
+
+ Options 1 and 2 provide the benefit of preventing leakage of
+ sensitive data by encrypting the information. LRAs can remove the
+ enveloped data wrapping, and replace or forward without further
+ processing. Section 6 contains more information about LRA processing.
+
+ PKI Messages MAY be encrypted or transmitted in the clear. Servers
+ MUST provided support for all three versions.
+
+ Alternatively, an authenticated, secure channel could exist between
+ the parties requiring encryption. Clients and servers MAY use such
+ channels instead of the technique described above to provide secure,
+ private communication of PKI request and response messages.
+
+5. Control Attributes
+
+ Control attributes are carried as part of both PKI requests and
+ responses. Each control attribute is encoded as a unique Object
+ Identifier followed by that data for the control attribute. The
+ encoding of the data is based on the control attribute object
+ identifier. Processing systems would first detect the OID and
+ process the corresponding attribute value prior to processing the
+ message body.
+
+ The following table lists the names, OID and syntactic structure for
+ each of the control attributes documented in this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 16]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ Control Attribute OID Syntax
+ ----------------- ---------- --------------
+ cMCStatusInfo id-cmc 1 CMCStatusInfo
+ identification id-cmc 2 UTF8String
+ identityProof id-cmc 3 OCTET STRING
+ dataReturn id-cmc 4 OCTET STRING
+ transactionId id-cmc 5 INTEGER
+ senderNonce id-cmc 6 OCTET STRING
+ recipientNonce id-cmc 7 OCTET STRING
+ addExtensions id-cmc 8 AddExtensions
+ encryptedPOP id-cmc 9 EncryptedPOP
+ decryptedPOP id-cmc 10 DecryptedPOP
+ lraPOPWitness id-cmc 11 LraPOPWitness
+ getCert id-cmc 15 GetCert
+ getCRL id-cmc 16 GetCRL
+ revokeRequest id-cmc 17 RevokeRequest
+ regInfo id-cmc 18 OCTET STRING
+ responseInfo id-cmc 19 OCTET STRING
+ QueryPending id-cmc 21 OCTET STRING
+ idPOPLinkRandom id-cmc 22 OCTET STRING
+ idPOPLinkWitness id-cmc 23 OCTET STRING
+ idConfirmCertAcceptance id-cmc 24 CMCCertId
+
+5.1 CMC Status Info Control Attribute
+
+ The CMC status info control is used in full PKI Response messages to
+ return information on a client request. Servers MAY emit multiple
+ CMC status info controls referring to a single body part. Clients
+ MUST be able to deal with multiple CMC status info controls in a
+ response message. This statement uses the following ASN.1 definition:
+
+ CMCStatusInfo ::= SEQUENCE {
+ cMCStatus CMCStatus,
+ bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID,
+ statusString UTF8String OPTIONAL,
+ otherInfo CHOICE {
+ failInfo CMCFailInfo,
+ pendInfo PendInfo } OPTIONAL
+ }
+
+ PendInfo ::= SEQUENCE {
+ pendToken OCTET STRING,
+ pendTime GeneralizedTime
+ }
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 17]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ -- cMCStatus is described in section 5.1.1
+
+ -- bodyList contains the list of body parts in the request message
+ to which this status information applies. If an error is being
+ returned for a simple enrollment message, body list will contain a
+ single integer of value '1'.
+
+ -- statusString contains a string with additional description
+ information. This string is human readable.
+
+ -- failInfo is described in section 5.1.2. It provides a detailed
+ error on what the failure was. This choice is present only if
+ cMCStatus is failed.
+
+ -- pendToken is the token to be used in the queryPending control
+ attribute.
+
+ -- pendTime contains the suggested time the server wants to be
+ queried about the status of the request.
+
+ If the cMCStatus field is success, the CMC Status Info Control MAY be
+ omitted unless it is only item in the response message. If no status
+ exists for a certificate request or other item requiring processing,
+ then the value of success is to be assumed.
+
+5.1.1 CMCStatus values
+
+ CMCStatus is a field in the CMCStatusInfo structure. This field
+ contains a code representing the success or failure of a specific
+ operation. CMCStatus has the ASN.1 structure of:
+
+ CMCStatus ::= INTEGER {
+ success (0),
+ -- request was granted
+ -- reserved (1),
+ -- not used, defined where the original structure was defined
+ failed (2),
+ -- you don't get what you want, more information elsewhere in
+ the message
+ pending (3),
+ -- the request body part has not yet been processed,
+ -- requester is responsible to poll back on this
+ -- pending may only be return for certificate request
+ operations.
+ noSupport (4),
+ -- the requested operation is not supported
+ confirmRequired (5)
+
+
+
+
+Myers, et al. Standards Track [Page 18]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ -- conformation using the idConfirmCertAcceptance control is
+ required
+ -- before use of certificate
+ }
+
+5.1.2 CMCFailInfo
+
+ CMCFailInfo conveys information relevant to the interpretation of a
+ failure condition. The CMCFailInfo has the following ASN.1 structure:
+
+ CMCFailInfo ::= INTEGER {
+ badAlg (0)
+ -- Unrecognized or unsupported algorithm
+ badMessageCheck (1)
+ -- integrity check failed
+ badRequest (2)
+ -- transaction not permitted or supported
+ badTime (3)
+ -- Message time field was not sufficiently close to the system
+ time
+ badCertId (4)
+ -- No certificate could be identified matching the provided
+ criteria
+ unsuportedExt (5)
+ -- A requested X.509 extension is not supported by the
+ recipient CA.
+ mustArchiveKeys (6)
+ -- Private key material must be supplied
+ badIdentity (7)
+ -- Identification Attribute failed to verify
+ popRequired (8)
+ -- Server requires a POP proof before issuing certificate
+ popFailed (9)
+ -- POP processing failed
+ noKeyReuse (10)
+ -- Server policy does not allow key re-use
+ internalCAError (11)
+ tryLater (12)
+ }
+
+ Additional failure reasons MAY be defined for closed environments
+ with a need.
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 19]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+5.2 Identification and IdentityProof Control Attributes
+
+ Some CAs and LRAs require that a proof of identity be included in a
+ certification request. Many different ways of doing this exist with
+ different degrees of security and reliability. Most people are
+ familiar with the request of a bank to provide your mother's maiden
+ name as a form of identity proof.
+
+ CMC provides one method of proving the client's identity based on a
+ shared secret between the certificate requestor and the verifying
+ authority. If clients support full request messages, clients MUST
+ implement this method of identity proof. Servers MUST provide this
+ method and MAY also have a bilateral method of similar strength
+ available.
+
+ The CMC method starts with an out-of-band transfer of a token (the
+ shared secret). The distribution of this token is beyond the scope
+ of this document. The client then uses this token for an identity
+ proof as follows:
+
+ 1. The reqSequence field of the PKIData object (encoded exactly as it
+ appears in the request message including the sequence type and
+ length) is the value to be validated.
+ 2. A SHA1 hash of the token is computed.
+ 3. An HMAC-SHA1 value is then computed over the value produced in
+ Step 1, as described in [HMAC], using the hash of the token from
+ Step 2 as the shared secret value.
+ 4. The 160-bit HMAC-SHA1 result from Step 3 is then encoded as the
+ value of the identityProof attribute.
+
+ When the server verifies the identityProof attribute, it computes the
+ HMAC-SHA1 value in the same way and compares it to the identityProof
+ attribute contained in the enrollment request.
+
+ If a server fails the verification of an identityProof attribute and
+ the server returns a response message, the failInfo attribute MUST be
+ present in the response and MUST have a value of badIdentity.
+
+ Optionally, servers MAY require the inclusion of the unprotected
+ identification attribute with an identification attribute. The
+ identification attribute is intended to contain either a text string
+ or a numeric quantity, such as a random number, which assists the
+ server in locating the shared secret needed to validate the contents
+ of the identityProof attribute. Numeric values MUST be converted to
+ text string representations prior to encoding as UTF8-STRINGs in this
+ attribute. If the identification control attribute is included in
+
+
+
+
+
+Myers, et al. Standards Track [Page 20]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ the message, the derivation of the shared secret in step 2 is altered
+ so that the hash of the concatenation of the token and the identity
+ value are hashed rather than just the token.
+
+5.2.1 Hardware Shared Secret Token Generation
+
+ The shared secret between the end-entity and the identity verify is
+ sometimes transferred using a hardware device that generates a series
+ of tokens based on some shared secret value. The user can therefore
+ prove their identity by transferring this token in plain text along
+ with a name string. The above protocol can be used with a hardware
+ shared-secret token generation device by the following modifications:
+
+ 1. The identification attribute MUST be included and MUST contain the
+ hardware-generated token.
+ 2. The shared secret value used above is the same hardware-generated
+ token.
+ 3. All certification requests MUST have a subject name and the
+ subject name MUST contain the fields required to identify the
+ holder of the hardware token device.
+
+5.3 Linking Identity and POP Information
+
+ In a PKI Full Request message identity information about the
+ creator/author of the message is carried in the signature of the CMS
+ SignedData object containing all of the certificate requests.
+ Proof-of-possession information for key pairs requesting
+ certification, however, is carried separately for each PKCS#10 or
+ CRMF message. (For keys capable of generating a digital signature,
+ the POP is provided by the signature on the PKCS#10 or CRMF request.
+ For encryption-only keys the controls described in Section 5.7 below
+ are used.) In order to prevent substitution-style attacks we must
+ guarantee that the same entity generated both the POP and proof-of-
+ identity information.
+
+ This section describes two mechanisms for linking identity and POP
+ information: witness values cryptographically derived from the
+ shared-secret (Section 5.3.1) and shared-secret/subject DN matching
+ (Section 5.3.2). Clients and servers MUST support the witness value
+ technique. Clients and servers MAY support shared-secret/subject DN
+ matching or other bilateral techniques of similar strength. The idea
+ behind both mechanisms is to force the client to sign some data into
+ each certificate request that can be directly associated with the
+ shared-secret; this will defeat attempts to include certificate
+ requests from different entities in a single Full PKI Request
+ message.
+
+
+
+
+
+Myers, et al. Standards Track [Page 21]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+5.3.1 Witness values derived from the shared-secret
+
+ The first technique for doing identity-POP linking works by forcing
+ the client to include a piece of information cryptographically-
+ derived from the shared-secret token as a signed extension within
+ each certificate request (PKCS#10 or CRMF) message. This technique
+ is useful if null subject DNs are used (because, for example, the
+ server can generate the subject DN for the certificate based only on
+ the shared secret). Processing begins when the client receives the
+ shared-secret token out-of-band from the server. The client then
+ computes the following values:
+
+ 1. The client generates a random byte-string, R, which SHOULD be at
+ least 512 bits in length.
+ 2. A SHA1 hash of the token is computed.
+ 3. An HMAC-SHA1 value is then computed over the random value produced
+ in Step 1, as described in [HMAC], using the hash of the token
+ from Step 2 as the shared secret.
+ 4. The random value produced in Step 1 is encoded as the value of an
+ idPOPLinkRandom control attribute. This control attribute MUST be
+ included in the Full PKI Request message.
+ 5. The 160-bit HMAC-SHA1 result from Step 3 is encoded as the value
+ of an idPOPLinkWitness extension to the certificate request.
+ a. For CRMF, idPOPLinkWitness is included in the controls section
+ of the CertRequest structure.
+ b. For PKCS#10, idPOPLinkWitness is included in the attributes
+ section of the CertificationRequest structure.
+
+ Upon receipt, servers MUST verify that each certificate request
+ contains a copy of the idPOPLinkWitness and that its value was
+ derived in the specified manner from the shared secret and the random
+ string included in the idPOPLinkRandom control attribute.
+
+5.3.2 Shared-secret/subject DN matching
+
+ The second technique for doing identity-POP linking is to link a
+ particular subject distinguished name (subject DN) to the shared-
+ secrets that are distributed out-of-band and to require that clients
+ using the shared-secret to prove identity include that exact subject
+ DN in every certificate request. It is expected that many client-
+ server connections using shared-secret based proof-of-identity will
+ use this mechanism. (It is common not to omit the subject DN
+ information from the certificate request messages.)
+
+ When the shared secret is generated and transferred out-of-band to
+ initiate the registration process (Section 5.2), a particular subject
+ DN is also associated with the shared secret and communicated to the
+ client. (The subject DN generated MUST be unique per entity in
+
+
+
+Myers, et al. Standards Track [Page 22]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ accordance with CA policy; a null subject DN cannot be used. A
+ common practice could be to place the identification value as part of
+ the subject DN.) When the client generates the Full PKI Request
+ message, it MUST use these two pieces of information as follows:
+
+ 1. The client MUST include the specific subject DN that it received
+ along with the shared secret as the subject name in every
+ certificate request (PKCS#10 and/or CRMF) in the Full PKI Request.
+ The subject names in the requests MUST NOT be null.
+ 2. The client MUST include the identityProof control attribute
+ (Section 5.2), derived from the shared secret, in the Full PKI
+ Request.
+
+ The server receiving this message MUST (a) validate the identityProof
+ control attribute and then, (b) check that the subject DN included in
+ each certificate request matches that associated with the shared
+ secret. If either of these checks fails the certificate request MUST
+ be rejected.
+
+5.3.3 Renewal and Re-Key Messages
+
+ In a renewal or re-key message, the subject DN in (a) the certificate
+ referenced by the CMS SignerInfo object, and (b) all certificate
+ requests within the request message MUST match according to the
+ standard name match rules described in [PKIXCERT].
+
+5.4 Data Return Control Attribute
+
+ The data return control attribute allows clients to send arbitrary
+ data (usually some type of internal state information) to the server
+ and to have the data returned as part of the enrollment response
+ message. Data placed in a data return statement is considered to be
+ opaque to the server. The same control is used for both requests and
+ responses. If the data return statement appears in an enrollment
+ message, the server MUST return it as part of the enrollment response
+ message.
+
+ In the event that the information in the data return statement needs
+ to be confidential, it is expected that the client would apply some
+ type of encryption to the contained data, but the details of this are
+ outside the scope of this specification.
+
+ An example of using this feature is for a client to place an
+ identifier marking the exact source of the private key material.
+ This might be the identifier of a hardware device containing the
+ private key.
+
+
+
+
+
+Myers, et al. Standards Track [Page 23]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+5.5 Add Extensions Control Attribute
+
+ The Add Extensions control attribute is used by LRAs in order to
+ specify additional extensions that are to be placed on certificates.
+ This attribute uses the following ASN.1 definition:
+
+ AddExtensions ::= SEQUENCE {
+ pkiDataReference BodyPartID
+ certReferences SEQUENCE OF BodyPartID,
+ extensions SEQUENCE OF Extension
+ }
+
+ -- pkiDataReference field contains the body part id of the
+ embedded request message.
+
+ -- certReferences field is a list of references to one or more of
+ the payloads contained within a PKIData. Each element of the
+ certReferences sequence MUST be equal to either the bodyPartID of
+ a TaggedCertificationRequest or the certReqId of the CertRequest
+ within a CertReqMsg. By definition, the listed extensions are to
+ be applied to every element referenced in the certReferences
+ sequence. If a request corresponding to bodyPartID cannot be
+ found, the error badRequest is returned referencing this control
+ attribute.
+
+ -- extensions field contains the sequence of extensions to be
+ applied to the referenced certificate requests.
+
+ Servers MUST be able to process all extensions defined in [PKIXCERT].
+ Servers are not required to be able to process every V3 X.509
+ extension transmitted using this protocol, nor are they required to
+ be able to process other, private extensions. Servers are not
+ required to put all LRA-requested extensions into a certificate.
+ Servers are permitted to modify LRA-requested extensions. Servers
+ MUST NOT alter an extension so as to reverse the meaning of a
+ client-requested extension If a certification request is denied due
+ to the inability to handle a requested extension and a response is
+ returned, the server MUST return a failInfo attribute with the value
+ of unsupportedExt.
+
+ If multiple Add Extensions statements exist in an enrollment message,
+ the exact behavior is left up to the certificate issuer policy.
+ However it is recommended that the following policy be used. These
+ rules would be applied to individual extensions within an Add
+ Extensions control attribute (as opposed to an "all or nothing"
+ approach).
+
+
+
+
+
+Myers, et al. Standards Track [Page 24]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ 1. If the conflict is within a single PKIData object, the certificate
+ request would be rejected with an error of badRequest.
+
+ 2. If the conflict is between different PKIData objects, the
+ outermost version of the extension would be used (allowing an LRA
+ to override the extension requested by the end-entyt).
+
+5.6 Transaction Management Control Attributes
+
+ Transactions are identified and tracked using a transaction
+ identifier. If used, clients generate transaction identifiers and
+ retain their value until the server responds with a message that
+ completes the transaction. Servers correspondingly include received
+ transaction identifiers in the response.
+
+ The transactionId attribute identifies a given transaction. It is
+ used between client and server to manage the state of an operation.
+ Clients MAY include a transactionID attribute in request messages.
+ If the original request contains a transactionID attribute, all
+ subsequent request and response messages MUST include the same
+ transactionID attribute. A server MUST use only transactionIds in
+ the outermost PKIdata object. TransactionIds on inner PKIdata objects
+ are for intermediate entities.
+
+ Replay protection can be supported through the use of sender and
+ recipient nonces. If nonces are used, in the first message of a
+ transaction, no recipientNonce is transmitted; a senderNonce is
+ instantiated by the message originator and retained for later
+ reference. The recipient of a sender nonce reflects this value back
+ to the originator as a recipientNonce and includes it's own
+ senderNonce. Upon receipt by the transaction originator of this
+ message, the originator compares the value of recipientNonce to its
+ retained value. If the values match, the message can be accepted for
+ further security processing. The received value for senderNonce is
+ also retained for inclusion in the next message associated with the
+ same transaction.
+
+ The senderNonce and recipientNonce attribute can be used to provide
+ application-level replay prevention. Clients MAY include a
+ senderNonce in the initial request message. Originating messages
+ include only a value for senderNonce. If a message includes a
+ senderNonce, the response MUST include the transmitted value of the
+ previously received senderNonce as recipientNonce and include new
+ value for senderNonce. A server MUST use only nonces in the outermost
+ PKIdata object. Nonces on inner PKIdata objects are for intermediate
+ entities.
+
+
+
+
+
+Myers, et al. Standards Track [Page 25]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+5.7 Proof-of-possession (POP) for encryption-only keys
+
+ Everything described in this section is optional to implement, for
+ both servers and clients. Servers MAY require this POP method be used
+ only if another POP method is unavailable. Servers SHOULD reject all
+ requests contained within a PKIData if any required POP is missing
+ for any element within the PKIData.
+
+ Many servers require proof that an entity requesting a certificate
+ for a public key actually possesses the corresponding private
+ component of the key pair. For keys that can be used as signature
+ keys, signing the certification request with the private key serves
+ as a POP on that key pair. With keys that can only be used for
+ encryption operations, POP MUST be performed by forcing the client to
+ decrypt a value. See Section 5 of [CRMF] for a detailed discussion
+ of POP.
+
+ By necessity, POP for encryption-only keys cannot be done in one
+ round-trip, since there are four distinct phases:
+
+ 1. Client tells the server about the public component of a new
+ encryption key pair.
+ 2. Server sends the client a POP challenge, encrypted with the
+ presented public encryption key, which the client must decrypt.
+ 3. Client decrypts the POP challenge and sends it back to the server.
+ 4. Server validates the decrypted POP challenge and continues
+ processing the certificate request.
+
+ CMC defines two different attributes. The first deals with the
+ encrypted challenge sent from the server to the user in step 2. The
+ second deals with the decrypted challenge sent from the client to the
+ server in step 3.
+
+ The encryptedPOP attribute is used to send the encrypted challenge
+ from the server to the client. As such, it is encoded as a tagged
+ attribute within the controlSequence of a ResponseBody. (Note that
+ we assume that the message sent in Step 1 above is an enrollment
+ request and that the response in step 2 is a Full Enrollment Response
+ including a failureInfo specifying that a POP is explicitly required,
+ and providing the POP challenge in the encryptedPOP attribute.)
+
+ EncryptedPOP ::= SEQUENCE {
+
+ request TaggedRequest,
+ cms contentInfo,
+ thePOPAlgID AlgorithmIdentifier,
+ witnessAlgID AlgorithmIdentifier,
+ witness OCTET STRING
+
+
+
+Myers, et al. Standards Track [Page 26]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ }
+
+ DecryptedPOP ::= SEQUENCE {
+ bodyPartID BodyPartID,
+ thePOPAlgID AlgorithmIdentifier,
+ thePOP OCTET STRING
+ }
+
+ The encrypted POP algorithm works as follows:
+
+ 1. The server generates a random value y and associates it with the
+ request.
+ 2. The server returns the encrypted pop with the following fields
+ set:
+ a. request is the certificate request in the original request
+ message (it is included here so the client need not key a copy
+ of the request),
+ b. cms is an EnvelopedData object, the content type being id-data
+ and the content being the value y. If the certificate request
+ contains a subject key identifier (SKI) extension, then the
+ recipient identifier SHOULD be the SKI. If the
+ issuerAndSerialNumber form is used, the IsserName MUST be
+ encoded as NULL and the SerialNumber as the bodyPartId of the
+ certificate request,
+ c. thePOPAlgID contains the algorithm to be used in computing the
+ return POP value,
+ d. witnessAlgID contains the hash algorithm used on y to create
+ the field witness,
+ e. witness contains the hashed value of y.
+ 3. The client decrypts the cms field to obtain the value y. The
+ client computes H(y) using the witnessAlgID and compares to the
+ value of witness. If the values do not compare or the decryption
+ is not successful, the client MUST abort the enrollment process.
+ The client aborts the process by sending a request message
+ containing a CMCStatusInfo control attribute with failInfo value
+ of popFailed.
+ 4. The client creates the decryptedPOP as part of a new PKIData
+ message. The fields in the decryptedPOP are:
+ a. bodyPartID refers to the certificate request in the new
+ enrollment message,
+ b. thePOPAlgID is copied from the encryptedPOP,
+ c. thePOP contains the possession proof. This value is computed
+ by thePOPAlgID using the value y and request referenced in
+ (4a).
+ 5. The server then re-computes the value of thePOP from its cached
+ value of y and the request and compares to the value of thePOP.
+ If the values do not match, the server MUST NOT issue the
+ certificate. The server MAY re-issue a new challenge or MAY fail
+
+
+
+Myers, et al. Standards Track [Page 27]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ the request altogether.
+
+ When defining the algorithms for thePOPAlgID and witnessAlgID care
+ must be taken to ensure that the result of witnessAlgID is not a
+ useful value to shortcut the computation with thePOPAlgID. Clients
+ MUST implement SHA-1 for witnessAlgID. Clients MUST implement HMAC-
+ SHA1 for thePOPAlgID. The value of y is used as the secret value in
+ the HMAC algorithm and the request referenced in (4a) is used as the
+ data. If y is greater than 64 bytes, only the first 64 bytes of y
+ are used as the secret.
+
+ One potential problem with the algorithm above is the amount of state
+ that a CA needs to keep in order to verify the returned POP value.
+ This describes one of many possible ways of addressing the problem by
+ reducing the amount of state kept on the CA to a single (or small
+ set) of values.
+
+ 1. Server generates random seed x, constant across all requests. (The
+ value of x would normally be altered on a regular basis and kept
+ for a short time afterwards.)
+ 2. For certificate request R, server computes y = F(x,R). F can be,
+ for example, HMAC-SHA1(x,R). All that's important for
+ statelessness is that y be consistently computable with only known
+ state constant x and function F, other inputs coming from the cert
+ request structure. y should not be predictable based on knowledge
+ of R, thus the use of a OWF like HMAC-SHA1.
+
+5.8 LRA POP Witnesses Control Attribute
+
+ In an enrollment scenario involving an LRAs the CA may allow (or
+ require) the LRA to perform the POP protocol with the entity
+ requesting certification. In this case the LRA needs a way to inform
+ the CA it has done the POP. This control attribute has been created
+ to address this issue.
+
+ The ASN.1 structure for the LRA POP witness is as follows:
+
+ LraPopWitness ::= SEQUENCE {
+ pkiDataBodyid BodyPartID,
+ bodyIds SEQUENCE of BodyPartID
+ }
+
+ -- pkiDataBodyid field contains the body part id of the nested CMS
+ body object containing the client's full request message.
+ pkiDataBodyid is set to 0 if the request is in the current
+ PKIRequest body.
+
+
+
+
+
+Myers, et al. Standards Track [Page 28]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ -- bodyIds contains a list of certificate requests for which the
+ LRA has performed an out-of-band authentication. The method of
+ authentication could be archival of private key material,
+ challenge-response or other means.
+
+ If a certificate server does not allow for an LRA to do the POP
+ verification, it returns an error of POPFAILURE. The CA MUST NOT
+ start a challenge-response to re-verify the POP itself.
+
+5.9 Get Certificate Control Attribute
+
+ Everything described in this section is optional to implement.
+
+ The get certificate control attribute is used to retrieve previously
+ issued certificates from a repository of certificates. A Certificate
+ Authority, an LRA or an independent service may provide this
+ repository. The clients expected to use this facility are those
+ operating in a resource-constrained environment. (An example of a
+ resource-constrained client would be a low-end IP router that does
+ not retain its own certificate in non-volatile memory.)
+
+ The get certificate control attribute has the following ASN.1
+ structure:
+
+ GetCert ::= SEQUENCE {
+ issuerName GeneralName,
+ serialNumber INTEGER }
+
+ The service responding to the request will place the requested
+ certificate in the certificates field of a SignedData object. If the
+ get certificate attribute is the only control in a Full PKI Request
+ message, the response would be a Simple Enrollment Response.
+
+5.10 Get CRL Control Attribute
+
+ Everything described in this section is optional to implement.
+
+ The get CRL control attribute is used to retrieve CRLs from a
+ repository of CRLs. A Certification Authority, an LRA or an
+ independent service may provide this repository. The clients
+ expected to use this facility are those where a fully deployed
+ directory is either infeasible or undesirable.
+
+ The get CRL control attribute has the following ASN.1 structure:
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 29]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ GetCRL ::= SEQUENCE {
+ issuerName Name,
+ cRLName GeneralName OPTIONAL,
+ time GeneralizedTime OPTIONAL,
+ reasons ReasonFlags OPTIONAL }
+
+ The fields in a GetCRL have the following meanings:
+
+ -- issuerName is the name of the CRL issuer.
+
+ -- cRLName may be the value of CRLDistributionPoints in the
+ subject certificate or equivalent value in the event the
+ certificate does not contain such a value.
+
+ -- time is used by the client to specify from among potentially
+ several issues of CRL that one whose thisUpdate value is less than
+ but nearest to the specified time. In the absence of a time
+ component, the CA always returns with the most recent CRL.
+
+ -- reasons is used to specify from among CRLs partitioned by
+ revocation reason. Implementers should bear in mind that while a
+ specific revocation request has a single CRLReason code--and
+ consequently entries in the CRL would have a single CRLReason code
+ value--a single CRL can aggregate information for one or more
+ reasonFlags.
+
+ A service responding to the request will place the requested CRL in
+ the crls field of a SignedData object. If the get CRL attribute is
+ the only control in a full enrollment message, the response would be
+ a simple enrollment response.
+
+5.11 Revocation Request Control Attribute
+
+ The revocation request control attribute is used to request that a
+ certificate be revoked.
+
+ The revocation request control attribute has the following ASN.1
+ syntax:
+
+ RevRequest ::= SEQUENCE {
+ issuerName Name,
+ serialNumber INTEGER,
+ reason CRLReason,
+ invalidityDate GeneralizedTime OPTIONAL,
+ sharedSecret OCTET STRING OPTIONAL,
+ comment UTF8string OPTIONAL }
+
+
+
+
+
+Myers, et al. Standards Track [Page 30]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ -- issuerName contains the issuerName of the certificate to be
+ revoked.
+
+ -- serialNumber contains the serial number of the certificate to
+ be revoked
+
+ -- reason contains the suggested CRLReason code for why the
+ certificate is being revoked. The CA can use this value at its
+ discretion in building the CRL.
+
+ -- invalidityDate contains the suggested value for the Invalidity
+ Date CRL Extension. The CA can use this value at its discretion
+ in building the CRL.
+
+ -- sharedSecret contains a secret value registered by the EE when
+ the certificate was obtained to allow for revocation of a
+ certificate in the event of key loss.
+
+ -- comment contains a human readable comment.
+
+ For a revocation request to become a reliable object in the event of
+ a dispute, a strong proof of originator authenticity is required.
+ However, in the instance when an end-entity has lost use of its
+ signature private key, it is impossible for the end-entity to produce
+ a digital signature (prior to the certification of a new signature
+ key pair). The RevRequest provides for the optional transmission from
+ the end-entity to the CA of a shared secret that may be used as an
+ alternative authenticator in the instance of loss of use. The
+ acceptability of this practice is a matter of local security policy.
+
+ (Note that in some situations a Registration Authority may be
+ delegated authority to revoke certificates on behalf of some
+ population within its scope control. In these situations the CA
+ would accept the LRA's digital signature on the request to revoke a
+ certificate, independent of whether the end entity still had access
+ to the private component of the key pair.)
+
+ Clients MUST provide the capability to produce a digitally signed
+ revocation request control attribute. Clients SHOULD be capable of
+ producing an unsigned revocation request containing the end-entity's
+ shared secret. If a client provides shared secret based self-
+ revocation, the client MUST be capable of producing a revocation
+ request containing the shared secret. Servers MUST be capable of
+ accepting both forms of revocation requests.
+
+ The structure of an unsigned, shared secret based revocation request
+ is a matter of local implementation. The shared secret does not need
+ to be encrypted when sent in a revocation request. The shared secret
+
+
+
+Myers, et al. Standards Track [Page 31]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ has a one-time use, that of causing the certificate to be revoked,
+ and public knowledge of the shared secret after the certificate has
+ been revoked is not a problem. Clients need to inform users that the
+ same shared secret SHOULD NOT be used for multiple certificates.
+
+ A full response message MUST be returned for a revocation request.
+
+5.12 Registration and Response Information Control Attributes
+
+ The regInfo control attribute is for clients and LRAs to pass
+ additional information as part a PKI request. The regInfo control
+ attribute uses the ASN.1 structure:
+
+ RegInfo ::= OCTET STRING
+
+ The content of this data is based on bilateral agreement between the
+ client and server.
+
+ If a server (or LRA) needs to return information back to a requestor
+ in response to data submitted in a regInfo attribute, then that data
+ is returned as a responseInfo control attribute. The content of the
+ OCTET STRING for response information is based on bilateral agreement
+ between the client and server.
+
+5.13 Query Pending Control Attribute
+
+ In some environments, process requirements for manual intervention or
+ other identity checking can cause a delay in returning the
+ certificate related to a certificate request. The query pending
+ attribute allows for a client to query a server about the state of a
+ pending certificate request. The server returns a token as part of
+ the CMCStatusInfo attribute (in the otherInfo field). The client
+ puts the token into the query pending attribute to identify the
+ correct request to the server. The server can also return a
+ suggested time for the client to query for the state of a pending
+ certificate request.
+
+ The ASN.1 structure used by the query pending control attribute is:
+
+ QueryPending ::= OCTET STRING
+
+ If a server returns a pending state (the transaction is still
+ pending), the otherInfo MAY be omitted. If it is not omitted then
+ the same value MUST be returned (the token MUST NOT change during the
+ request).
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 32]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+5.14 Confirm Certificate Acceptance
+
+ Some Certification Authorities require that clients give a positive
+ conformation that the certificates issued to it are acceptable. The
+ Confirm Certificate Acceptance control attribute is used for that
+ purpose. If the CMCStatusInfo on a certificate request is
+ confirmRequired, then the client MUST return a Confirm Certificate
+
+ Acceptance prior to any usage of the certificate. Clients SHOULD
+ wait for the response from the server that the conformation has been
+ received.
+
+ The confirm certificate acceptance structure is:
+
+ CMCCertId ::= IssuerSerial
+
+ -- CMCCertId contains the issuer and serial number of the
+ certificate being accepted.
+
+ Servers MUST return a full enrollment response for a confirm
+ certificate acceptance control.
+
+6. Local Registration Authorities
+
+ This specification permits the use of Local Registration Authorities
+ (LRAs). An LRA sits between the end-entity and the Certification
+ Authority. From the end-entity's perspective, the LRA appears to be
+ the Certification Authority and from the server the LRA appears to be
+ a client. LRAs receive the enrollment messages, perform local
+ processing and then forward onto Certificate Authorities. Some of the
+ types of local processing that an LRA can perform include:
+
+ - batching multiple enrollment messages together,
+ - challenge/response POP proofs,
+ - addition of private or standardized certificate extensions to all
+ requests,
+ - archival of private key material,
+ - routing of requests to different CAs.
+
+ When an LRA receives an enrollment message it has three options: it
+ may forward the message without modification, it may add a new
+ wrapping layer to the message, or it may remove one or more existing
+ layers and add a new wrapping layer.
+
+ When an LRA adds a new wrapping layer to a message it creates a new
+ PKIData object. The new layer contains any control attributes
+ required (for example if the LRA does the POP proof for an encryption
+ key or the addExtension control attribute to modify an enrollment
+
+
+
+Myers, et al. Standards Track [Page 33]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ request) and the client enrollment message. The client enrollment
+ message is placed in the cmsSequence if it is a Full Enrollment
+ message and in the reqSequence if it is a Simple Enrollment message.
+ If an LRA is batching multiple client messages together, then each
+ client enrollment message is placed into the appropriate location in
+ the LRA's PKIData object along with all relevant control attributes.
+
+ (If multiple LRAs are in the path between the end-entity and the
+ Certification Authority, this will lead to multiple wrapping layers
+ on the message.)
+
+ In processing an enrollment message, an LRA MUST NOT alter any
+ certificate request body (PKCS #10 or CRMF) as any alteration would
+ invalidate the signature on the request and thus the POP for the
+ private key.
+
+ An example of how this would look is illustrated by the following
+ figure:
+
+ SignedData (by LRA)
+ PKIData
+ controlSequence
+ LRA added control statements
+ reqSequence
+ Zero or more Simple CertificationRequests from clients
+ cmsSequence
+ Zero or more Full PKI messages from clients
+ SignedData (by client)
+ PKIData
+
+ Under some circumstances an LRA is required to remove wrapping
+ layers. The following sections look at the processing required if
+ encryption layers and signing layers need to be removed.
+
+6.1 Encryption Removal
+
+ There are two cases that require an LRA to remove or change
+ encryption in an enrollment message. In the first case the
+ encryption was applied for the purposes of protecting the entire
+ enrollment request from unauthorized entities. If the CA does not
+ have a recipient info entry in the encryption layer, the LRA MUST
+ remove the encryption layer. The LRA MAY add a new encryption layer
+ with or without adding a new signing layer.
+
+ The second change of encryption that may be required is to change the
+ encryption inside of a signing layer. In this case the LRA MUST
+ remove all signing layers containing the encryption. All control
+ statements MUST be merged according to local policy rules as each
+
+
+
+Myers, et al. Standards Track [Page 34]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ signing layer is removed and the resulting merged controls MUST be
+ placed in a new signing layer provided by the LRA. If the signing
+ layer provided by the end-entity needs to be removed to the LRA can
+ remove the layer.
+
+6.2 Signature Layer Removal
+
+ Only two instances exist where an LRA should remove a signature layer
+ on a Full Enrollment message. If an encryption needs to be modified
+ within the message, or if a Certificate Authority will not accept
+ secondary delegation (i.e. multiple LRA signatures). In all other
+ situations LRAs SHOULD NOT remove a signing layer from a message.
+
+ If an LRA removes a signing layer from a message, all control
+ statements MUST be merged according to local policy rules. The
+ resulting merged control statements MUST be placed in a new signing
+ layer provided by the LRA.
+
+7. Transport Wrapping
+
+ Not all methods of transporting data allow for sending unlabeled raw
+ binary data, in may cases standard methods of encoding can be used to
+ greatly ease this issue. These methods normally consist of wrapping
+ some identification of the content around the binary data, possibly
+ applying an encoding to the data and labeling the data. We document
+ for use three different wrapping methods.
+
+ -- MIME wrapping is for transports that are natively MIME based such
+ as HTTP and E-mail.
+ -- Binary file transport is defined since floppy disk transport is
+ still very common. File transport can be done either as MIME
+ wrapped (section 7.1) or bare (section 7.2).
+ -- Socket based transport uses the raw BER encoded object.
+
+7.1 MIME Wrapping
+
+ MIME wrapping is defined for those environments that are MIME native.
+ These include E-Mail based protocols as well as HTTP.
+
+ The basic mime wrapping in this section is taken from [SMIMEV2] and
+ [SMIMEV3]. Simple enrollment requests are encoded using the
+ application/pkcs10 content type. A file name MUST be included either
+ in a content type or content disposition statement. The extension
+ for the file MUST be ".p10".
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 35]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ Simple enrollment response messages MUST be encoded as content-type
+ application/pkcs7-mime. An smime-type parameter MUST be on the
+ content-type statement with a value of "certs-only." A file name with
+ the ".p7c" extension MUST be specified as part of the content-type or
+ content-disposition.
+
+ Full enrollment request messages MUST be encoded as content-type
+ application/pkcs7-mime. The smime-type parameter MUST be included
+ with a value of "CMC-enroll". A file name with the ".p7m" extension
+ MUST be specified as part of the content-type or content-disposition
+ statement.
+
+ Full enrollment response messages MUST be encoded as content-type
+ application/pkcs7-mime. The smime-type parameter MUST be included
+ with a value of "CMC-response." A file name with the ".p7m"
+ extensions MUST be specified as part of the content-type or content-
+ disposition.
+
+MIME TYPE File Extension SMIME-TYPE
+
+application/pkcs10 .p10 N/A
+(simple PKI request)
+
+application/pkcs7-mime .p7m CMC-request
+(full PKI request)
+
+application/pkcs7-mime .p7c certs-only
+(simple PKI response)
+
+application/pkcs7-mime .p7m CMC-response
+(full PKI response)
+
+7.2 File-Based Transport
+
+ Enrollment messages and responses may also be transferred between
+ clients and servers using file system-based mechanisms, such as when
+ enrollment is performed for an off-line client. When files are used
+ to transport binary, BER-encoded Full Enrollment Request and Response
+ messages, the following file type extensions SHOULD be used:
+
+ Message Type File Extension
+
+ Full PKI Request .crq
+
+ Full PKI Response .crp
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 36]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+7.3 Socket-Based Transport
+
+ When enrollment messages and responses are sent over sockets, no
+ wrapping is required. Messages SHOULD be sent in their binary, BER-
+ encoded form.
+
+8. Interoperability
+
+8.1 Mandatory and Optional Algorithms
+
+ CMC clients and servers MUST be capable of producing and processing
+ message signatures using the Digital Signature Algorithm [DSA]. DSA
+ signatures MUST be indicated by the DSA AlgorithmIdentifier value (as
+ specified in section 7.2.2 of [PKIXCERT]). PKI clients and servers
+ SHOULD also be capable of producing and processing RSA signatures (as
+ specified in section 7.2.1 of [PKIXCERT]).
+
+ CMC clients and servers MUST be capable of protecting and accessing
+ message encryption keys using the Diffie-Hellman (D-H) key exchange
+ algorithm. D-H/3DES protection MUST be indicated by the D-H
+ AlgorithmIdentifier value specified in [CMS]. PKI clients and
+ servers SHOULD also be capable of producing and processing RSA key
+ transport. When used for PKI messages, RSA key transport MUST be
+ indicated as specified in section 7.2.1 of [PKIXCERT].
+
+8.2 Minimum Conformance Requirements
+
+ A minimally compliant CMC server:
+
+ a) MUST accept a Full PKI Request message
+ i) MUST accept CRMF Request Bodies within a Full PKI Request
+ ii) MUST accept PKCS#10 Request Bodies within a Full PKI Request
+ b) MUST accept a Simple Enrollment Request message
+ c) MUST be able to return a Full PKI Response. (A Full PKI Response
+ is always a valid response, but for interoperability with
+ downlevel clients a compliant server SHOULD use the Simple
+ Enrollment Response whenever possible.)
+
+ A minimally-complaint CMC client:
+
+ a) MAY use either the Simple Enrollment Message or the Full PKI
+ Request.
+ i) clients MUST use PKCS#10 with the Simple Enrollment Message
+ ii) clients MAY use either PKCS#10 or CRMF with the Full PKI
+ Request
+ b) MUST understand the Simple Enrollment Response.
+ c) MUST understand the Full PKI Response.
+
+
+
+
+Myers, et al. Standards Track [Page 37]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+9. Security Considerations
+
+ Initiation of a secure communications channel between an end-entity
+ and a CA or LRA (and, similarly, between an LRA and another LRA or
+ CA) necessarily requires an out-of-band trust initiation mechanism.
+ For example, a secure channel may be constructed between the end-
+ entity and the CA via IPSEC or TLS. Many such schemes exist and the
+ choice of any particular scheme for trust initiation is outside the
+ scope of this document. Implementers of this protocol are strongly
+ encouraged to consider generally accepted principles of secure key
+ management when integrating this capability within an overall
+ security architecture.
+
+ Mechanisms for thwarting replay attacks may be required in particular
+ implementations of this protocol depending on the operational
+ environment. In cases where the CA maintains significant state
+ information, replay attacks may be detectable without the inclusion
+ of the optional nonce mechanisms. Implementers of this protocol need
+ to carefully consider environmental conditions before choosing
+ whether or not to implement the senderNonce and recipientNonce
+ attributes described in section 5.6. Developers of state-constrained
+ PKI clients are strongly encouraged to incorporate the use of these
+ attributes.
+
+ Under no circumstances should a signing key be archived. Doing so
+ allows the archiving entity to potentially use the key for forging
+ signatures.
+
+ Due care must be taken prior to archiving keys. Once a key is given
+ to an archiving entity, the archiving entity could use the keys in a
+ way not conducive to the archiving entity. Users should be made
+ especially aware that proper verification is made of the certificate
+ used to encrypt the private key material.
+
+ Clients and servers need to do some checks on cryptographic
+ parameters prior to issuing certificates to make sure that weak
+ parameters are not used. A description of the small subgroup attack
+ is provided in [X942]. CMC implementations ought to be aware of this
+ attack when doing parameter validations.
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 38]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+10. Acknowledgments
+
+ The authors would like to thank Brian LaMacchia for his work in
+ developing and writing up many of the concepts presented in this
+ document. The authors would also like to thank Alex Deacon and Barb
+ Fox for their contributions.
+
+11. References
+
+ [CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630,
+ June 1999.
+
+ [CRMF] Myers, M., Adams, C., Solo, D. and D. Kemp, "Internet
+ X.509 Certificate Request Message Format", RFC 2511, March
+ 1999.
+
+ [DH] B. Kaliski, "PKCS 3: Diffie-Hellman Key Agreement v1.4"
+
+ [DH-POP] H. Prafullchandra, J. Schaad, "Diffie-Hellman Proof-of-
+ Possession Algorithms", Work in Progress.
+
+ [HMAC] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February
+ 1997.
+
+ [PKCS1] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC
+ 2313, March 1998.
+
+ [PKCS7] Kaliski, B., "PKCS #7: Cryptographic Message Syntax v1.5",
+ RFC 2315, October 1997.
+
+ [PKCS8] RSA Laboratories, "PKCS#8: Private-Key Information Syntax
+ Standard, Version 1.2", November 1, 1993.
+
+ [PKCS10] Kaliski, B., "PKCS #10: Certification Request Syntax
+ v1.5", RFC 2314, October 1997.
+
+ [PKIXCERT] Housley, R., Ford, W., Polk, W. and D. Solo "Internet
+ X.509 Public Key Infrastructure Certificate and CRL
+ Profile", RFC 2459, January 1999.
+
+ [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [SMIMEV2] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L. and L.
+ Repka, "S/MIME Version 2 Message Specification", RFC 2311,
+ March 1998.
+
+
+
+
+Myers, et al. Standards Track [Page 39]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ [SMIMEV3] Ramsdell, B., "S/MIME Version 3 Message Specification",
+ RFC 2633, June 1999.
+
+ [X942] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC
+ 2631, June 1999.
+
+12. Authors' Addresses
+
+ Michael Myers
+ VeriSign Inc.
+ 1350 Charleston Road
+ Mountain View, CA, 94043
+
+ Phone: (650) 429-3402
+ EMail: mmyers@verisign.com
+
+
+ Xiaoyi Liu
+ Cisco Systems
+ 170 West Tasman Drive
+ San Jose, CA 95134
+
+ Phone: (480) 526-7430
+ EMail: xliu@cisco.com
+
+
+ Jim Schaad
+
+ EMail: jimsch@nwlink.com
+
+
+ Jeff Weinstein
+
+ EMail: jsw@meer.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 40]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+Appendix A ASN.1 Module
+
+EnrollmentMessageSyntax
+ { iso(1) identified-organization(3) dod(4) internet(1)
+ security(5) mechansims(5) pkix(7) id-mod(0) id-mod-cmc(6) }
+
+ DEFINITIONS IMPLICIT TAGS ::=
+ BEGIN
+
+ -- EXPORTS All --
+ -- The types and values defined in this module are exported for use
+ -- in the other ASN.1 modules. Other applications may use them for
+ -- their own purposes.
+
+ IMPORTS
+
+ -- Information Directory Framework (X.501)
+ Name
+ FROM InformationFramework { joint-iso-itu-t ds(5)
+ modules(1) informationFramework(1) 3 }
+
+ -- Directory Authentication Framework (X.509)
+ AlgorithmIdentifier, AttributeCertificate, Certificate,
+ CertificateList, CertificateSerialNumber
+ FROM AuthenticationFramework { joint-iso-itu-t ds(5)
+ module(1) authenticationFramework(7) 3 }
+
+ -- PKIX Part 1 - Implicit
+ GeneralName, CRLReason, ReasonFlags
+ FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-implicit-88(2)}
+
+ -- PKIX Part 1 - Explicit
+ SubjectPublicKeyInfo, Extension
+ FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-pkix1-explicit-88(1)}
+
+ -- Cryptographic Message Syntax
+ ContentInfo, Attribute
+ FROM CryptographicMessageSyntax { 1 2 840 113549 1 9 16 0 1}
+
+ -- CRMF
+ CertReqMsg
+ FROM CRMF { 1 3 6 1 5 5 7 0 5 };
+
+ id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+
+
+
+Myers, et al. Standards Track [Page 41]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
+
+ id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls
+ id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types
+
+ -- The following controls have simple type content (usually OCTET
+STRING)
+
+ id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}
+ id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}
+ id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}
+ id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}
+ id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}
+ id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}
+ id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}
+ id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}
+ id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}
+ id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22)
+ id-cmc-popLinkWitness OBJECT IDENTIFIER ::= (id-cmc 23)
+
+ -- This is the content type used for a request message in the
+protocol
+
+ id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }
+
+
+ PKIData ::= SEQUENCE {
+ controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
+ reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest,
+ cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
+ otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
+ }
+
+ bodyIdMax INTEGER ::= 4294967295
+
+ BodyPartID ::= INTEGER(0..bodyIdMax)
+
+ TaggedAttribute ::= SEQUENCE {
+ bodyPartID BodyPartId,
+ attrType OBJECT IDENTIFIER,
+ attrValues SET OF AttributeValue
+ }
+
+ AttributeValue ::= ANY
+
+ TaggedRequest ::= CHOICE {
+ tcr [0] TaggedCertificationRequest,
+ crm [1] CertReqMsg
+
+
+
+Myers, et al. Standards Track [Page 42]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ }
+
+ TaggedCertificationRequest ::= SEQUENCE {
+ bodyPartID BodyPartID,
+ certificationRequest CertificationRequest
+ }
+
+ CertificationRequest ::= SEQUENCE {
+ certificationRequestInfo SEQUENCE {
+ version INTEGER,
+ subject Name,
+ subjectPublicKeyInfo SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING },
+ attributes [0] IMPLICIT SET OF Attribute },
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING
+ }
+
+ TaggedContentInfo ::= SEQUENCE {
+ bodyPartID BodyPartId,
+ contentInfo ContentInfo
+ }
+
+ OtherMsg ::= SEQUENCE {
+ bodyPartID BodyPartID,
+ otherMsgType OBJECT IDENTIFIER,
+ otherMsgValue ANY DEFINED BY otherMsgType }
+
+ -- This defines the response message in the protocol
+ id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }
+
+ ResponseBody ::= SEQUENCE {
+ controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
+ cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
+ otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
+ }
+
+ -- Used to return status state in a response
+
+ id-cmc-cMCStatusInfo OBJECT IDENTIFIER ::= {id-cmc 1}
+
+ CMCStatusInfo ::= SEQUENCE {
+ cMCStatus CMCStatus,
+ bodyList SEQUENCE SIZE (1..MAX) OF INTEGER,
+ statusString UTF8String OPTIONAL,
+ otherInfo CHOICE {
+ failInfo CMCFailInfo,
+
+
+
+Myers, et al. Standards Track [Page 43]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ pendInfo PendInfo } OPTIONAL
+ }
+
+ PendInfo ::= SEQUENCE {
+ pendToken INTEGER,
+ pendTime GENERALIZEDTIME
+ }
+
+ CMCStatus ::= INTEGER {
+ success (0),
+ -- you got exactly what you asked for
+ failed (2),
+ -- you don't get it, more information elsewhere in the message
+ pending (3),
+ -- the request body part has not yet been processed,
+ -- requester is responsible to poll back on this
+ noSupport (4)
+ -- the requested operation is not supported
+ }
+
+ CMCFailInfo ::= INTEGER {
+ badAlg (0),
+ -- Unrecognized or unsupported algorithm
+ badMessageCheck (1),
+ -- integrity check failed
+ badRequest (2),
+ -- transaction not permitted or supported
+ badTime (3),
+ -- Message time field was not sufficiently close to the system
+time
+ badCertId (4),
+ -- No certificate could be identified matching the provided
+criteria
+ unsuportedExt (5),
+ -- A requested X.509 extension is not supported by the recipient
+CA.
+ mustArchiveKeys (6),
+ -- Private key material must be supplied
+ badIdentity (7),
+ -- Identification Attribute failed to verify
+ popRequired (8),
+ -- Server requires a POP proof before issuing certificate
+ popFailed (9),
+ -- Server failed to get an acceptable POP for the request
+ noKeyReuse (10)
+ -- Server policy does not allow key re-use
+ internalCAError (11)
+ tryLater (12)
+
+
+
+Myers, et al. Standards Track [Page 44]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ }
+
+ -- Used for LRAs to add extensions to certificate requests
+ id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}
+
+ AddExtensions ::= SEQUENCE {
+ pkiDataReference BodyPartID,
+ certReferences SEQUENCE OF BodyPartID,
+ extensions SEQUENCE OF Extension
+ }
+
+
+ id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
+ id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}
+
+ EncryptedPOP ::= SEQUENCE {
+ request TaggedRequest,
+ cms ContentInfo,
+ thePOPAlgID AlgorithmIdentifier,
+ witnessAlgID AlgorithmIdentifier,
+ witness OCTET STRING
+ }
+
+ DecryptedPOP ::= SEQUENCE {
+ bodyPartID BodyPartID,
+ thePOPAlgID AlgorithmIdentifier,
+ thePOP OCTET STRING
+ }
+
+ id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}
+
+ LraPopWitness ::= SEQUENCE {
+ pkiDataBodyid BodyPartID,
+ bodyIds SEQUENCE OF BodyPartID
+ }
+
+
+ --
+ id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}
+
+ GetCert ::= SEQUENCE {
+ issuerName GeneralName,
+ serialNumber INTEGER }
+
+
+ id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}
+
+ GetCRL ::= SEQUENCE {
+
+
+
+Myers, et al. Standards Track [Page 45]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+ issuerName Name,
+ cRLName GeneralName OPTIONAL,
+ time GeneralizedTime OPTIONAL,
+ reasons ReasonFlags OPTIONAL }
+
+ id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}
+
+ RevRequest ::= SEQUENCE {
+ issuerName Name,
+ serialNumber INTEGER,
+ reason CRLReason,
+ invalidityDate GeneralizedTime OPTIONAL,
+ passphrase OCTET STRING OPTIONAL,
+ comment UTF8String OPTIONAL }
+
+ id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {pkix-cmc 24}
+
+ CMCCertId ::= IssuerSerial
+
+ -- The following is used to request V3 extensions be added to a
+certificate
+
+ id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-9(9) 14}
+
+ ExtensionReq ::= SEQUENCE OF Extension
+
+ -- The following exists to allow Diffie-Hellman Certificate Requests
+Messages to be
+ -- well-formed
+
+ id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
+
+ NoSignatureValue ::= OCTET STRING
+
+END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 46]
+
+RFC 2797 Certificate Management Messages over CMS April 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Myers, et al. Standards Track [Page 47]
+