From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7030.txt | 2971 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2971 insertions(+) create mode 100644 doc/rfc/rfc7030.txt (limited to 'doc/rfc/rfc7030.txt') diff --git a/doc/rfc/rfc7030.txt b/doc/rfc/rfc7030.txt new file mode 100644 index 0000000..d1d710c --- /dev/null +++ b/doc/rfc/rfc7030.txt @@ -0,0 +1,2971 @@ + + + + + + +Internet Engineering Task Force (IETF) M. Pritikin, Ed. +Request for Comments: 7030 Cisco Systems, Inc. +Category: Standards Track P. Yee, Ed. +ISSN: 2070-1721 AKAYLA, Inc. + D. Harkins, Ed. + Aruba Networks + October 2013 + + + Enrollment over Secure Transport + +Abstract + + This document profiles certificate enrollment for clients using + Certificate Management over CMS (CMC) messages over a secure + transport. This profile, called Enrollment over Secure Transport + (EST), describes a simple, yet functional, certificate management + protocol targeting Public Key Infrastructure (PKI) clients that need + to acquire client certificates and associated Certification Authority + (CA) certificates. It also supports client-generated public/private + key pairs as well as key pairs generated by the CA. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7030. + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 1] + +RFC 7030 EST October 2013 + + +Copyright Notice + + Copyright (c) 2013 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Terminology ................................................4 + 2. Operational Scenario Overviews ..................................5 + 2.1. Obtaining CA Certificates ..................................6 + 2.2. Initial Enrollment .........................................7 + 2.2.1. Certificate TLS Authentication ......................8 + 2.2.2. Certificate-Less TLS Authentication .................8 + 2.2.3. HTTP-Based Client Authentication ....................8 + 2.3. Client Certificate Reissuance ..............................8 + 2.4. Server Key Generation ......................................9 + 2.5. Full PKI Request Messages ..................................9 + 2.6. Certificate Signing Request (CSR) Attributes Request .......9 + 3. Protocol Design and Layering ...................................10 + 3.1. Application Layer .........................................13 + 3.2. HTTP Layer ................................................14 + 3.2.1. HTTP Headers for Control ...........................15 + 3.2.2. HTTP URIs for Control ..............................16 + 3.2.3. HTTP-Based Client Authentication ...................17 + 3.2.4. Message Types ......................................19 + 3.3. TLS Layer .................................................20 + 3.3.1. TLS-Based Server Authentication ....................20 + 3.3.2. TLS-Based Client Authentication ....................21 + 3.3.3. Certificate-Less TLS Mutual Authentication .........21 + 3.4. Proof-of-Possession .......................................22 + 3.5. Linking Identity and POP Information ......................22 + 3.6. Server Authorization ......................................23 + 3.6.1. Client Use of Explicit TA Database .................24 + 3.6.2. Client Use of Implicit TA Database .................24 + 3.7. Client Authorization ......................................24 + 4. Protocol Exchange Details ......................................25 + 4.1. Distribution of CA Certificates ...........................25 + + + +Pritikin, et al. Standards Track [Page 2] + +RFC 7030 EST October 2013 + + + 4.1.1. Bootstrap Distribution of CA Certificates ..........25 + 4.1.2. CA Certificates Request ............................26 + 4.1.3. CA Certificates Response ...........................26 + 4.2. Client Certificate Request Functions ......................27 + 4.2.1. Simple Enrollment of Clients .......................28 + 4.2.2. Simple Re-enrollment of Clients ....................29 + 4.2.3. Simple Enroll and Re-enroll Response ...............29 + 4.3. Full CMC ..................................................30 + 4.3.1. Full CMC Request ...................................30 + 4.3.2. Full CMC Response ..................................30 + 4.4. Server-Side Key Generation ................................31 + 4.4.1. Server-Side Key Generation Request .................32 + 4.4.1.1. Requests for Symmetric Key + Encryption of the Private Key .............32 + 4.4.1.2. Requests for Asymmetric Encryption + of the Private Key ........................33 + 4.4.2. Server-Side Key Generation Response ................33 + 4.5. CSR Attributes ............................................35 + 4.5.1. CSR Attributes Request .............................35 + 4.5.2. CSR Attributes Response ............................35 + 5. IANA Considerations ............................................37 + 6. Security Considerations ........................................39 + 7. References .....................................................41 + 7.1. Normative References ......................................41 + 7.2. Informative References ....................................43 + Appendix A. Operational Scenario Example Messages .................45 + A.1. Obtaining CA Certificates ..................................45 + A.2. CSR Attributes .............................................47 + A.3. Enroll/Re-enroll ...........................................47 + A.4. Server Key Generation ......................................50 + Appendix B. Contributors and Acknowledgements .....................52 + +1. Introduction + + This document profiles certificate enrollment for clients using + Certificate Management over CMS (CMC) [RFC5272] messages over a + secure transport. Enrollment over Secure Transport (EST) describes + the use of Transport Layer Security (TLS) 1.1 [RFC4346], 1.2 + [RFC5246], or any future version) and Hypertext Transfer Protocol + (HTTP) [RFC2616] to provide an authenticated and authorized channel + for Simple Public Key Infrastructure (PKI) Requests and Responses + [RFC5272]. + + Architecturally, the EST service is located between a Certification + Authority (CA) and a client. It performs several functions + traditionally allocated to the Registration Authority (RA) role in a + PKI. The nature of communication between an EST server and a CA is + not described in this document. + + + +Pritikin, et al. Standards Track [Page 3] + +RFC 7030 EST October 2013 + + + EST adopts the Certificate Management Protocol (CMP) [RFC4210] model + for CA certificate rollover, but it does not use the CMP message + syntax or protocol. EST servers are extensible in that new functions + may be defined to provide additional capabilities not specified in + CMC [RFC5272], and this document defines two such extensions: one for + requesting Certificate Signing Request attributes and another for + requesting server-generated keys. + + EST specifies how to transfer messages securely via HTTP over TLS + (HTTPS) [RFC2818], where the HTTP headers and media types are used in + conjunction with TLS. HTTPS operates over TCP; this document does + not specify EST over HTTP/Datagram Transport Layer Security/User + Datagram Protocol (HTTP/DTLS/UDP). With a suitable specification for + combining HTTP, DTLS, and UDP, there are no EST requirements that + would prevent it from working over such a stack. Figure 1 shows how + the layers build upon each other. + + EST Layering: + + Protocols: + +--------------------------------------------+ + | | + | EST request/response messages | + | | + +--------------------------------------------+ + | | + | HTTP for message transfer and signaling | + | | + +--------------------------------------------+ + | | + | TLS for transport security | + | | + +--------------------------------------------+ + | | + | TCP for transport | + | | + +--------------------------------------------+ + + Figure 1 + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + + + + + +Pritikin, et al. Standards Track [Page 4] + +RFC 7030 EST October 2013 + + + It is assumed that the reader is familiar with the terms and concepts + described in Public Key Cryptography Standard (PKCS) #10 [RFC2986], + HTTPS [RFC2818], CMP [RFC4210], CMC [RFC5272][RFC5273][RFC5274], and + TLS [RFC4346]. + + In addition to the terms defined in the terminology section of CMC + [RFC5272], the following terms are defined for clarity: + + EST CA: For certificate issuing services, the EST CA is reached + through the EST server; the CA could be logically "behind" the EST + server or embedded within it. + + Third-Party Trust Anchor: Any trust anchor (TA) that is not + authoritative for the PKI hierarchy for which the EST server is + providing services. + + Explicit Trust Anchor: Any TA that is explicitly configured on the + client or server for use during EST TLS authentication; for + example, a TA that is manually configured on the EST client or + bootstrapped as described in Section 4.1.1. (See more details in + Sections 3.6 and 6.) + + Implicit Trust Anchor: Any third-party TA that is available on the + client or server for use during TLS authentication but is not + specifically indicated for use during EST TLS authentication; for + example, TAs commonly used by web browsers to authenticate web + servers or TAs used by servers to authenticate manufacturer- + installed client credentials (such as certificates populated into + cable modems or routers in the factory). The authorization model + for these TAs is different from the authorization model for + Explicit Trust Anchors. (See more details in Sections 3.6.1, + 3.6.2, and 6). + + Certificate-Less TLS: Certificate-less TLS cipher suites provide a + way to perform mutual authentication in situations where neither + the client nor server have certificates or are willing to use + them. The credential used for authentication is a word, phrase, + code, or key that is shared between the client and server. The + credential must be uniquely shared between the client and server + in order to provide authentication of an individual client to an + individual server. + +2. Operational Scenario Overviews + + This section provides an informative overview of the operational + scenarios to better introduce the reader to the protocol discussion. + + + + + +Pritikin, et al. Standards Track [Page 5] + +RFC 7030 EST October 2013 + + + Both the EST clients and server are configured with information that + provides the basis for mutual authentication and for authorization. + The specific initialization data depends on the methods available in + the client and server, but it can include shared secrets, network + service names and locations (e.g., a Uniform Resource Identifier + (URI) [RFC3986]), trust anchor information (e.g., a CA certificate or + a hash of a TA's certificate), and enrollment keys and certificates. + Depending on an enterprise's acquisition and network management + practices, some initialization may be performed by the vendor prior + to delivery of client hardware and software. In that case, the + client vendor may provide data, such as trust anchors, to the + enterprise via a secure procedure. The distribution of this initial + information is out of scope. + + Distribution of trust anchors and other certificates can be effected + via the EST server. However, nothing can be inferred about the + authenticity of this data until an out-of-band mechanism is used to + verify them. + + Sections 2.1-2.3 very closely mirror the text of the Scenarios + Appendix of [RFC6403] with such modifications as are appropriate for + this profile. Sections 2.1-2.6, below, enumerate the set of EST + functions (see Figure 5) and provide an informative overview of EST's + capabilities. + + The general client/server interaction proceeds as follows: + + The client initiates a TLS-secured HTTP session with an EST + server. + + A specific EST service is requested based on a portion of the URI + used for the session. + + The client and server authenticate each other. + + The client verifies that the server is authorized to serve this + client. + + The server verifies that the client is authorized to make use of + this server and the request that the client has made. + + The server acts upon the client request. + +2.1. Obtaining CA Certificates + + The EST client can request a copy of the current EST CA + certificate(s) from the EST server. The EST client is assumed to + perform this operation before performing other operations. + + + +Pritikin, et al. Standards Track [Page 6] + +RFC 7030 EST October 2013 + + + Throughout this document we assume the EST CA has a certificate that + is used by the client to verify signed objects issued by the CA, + e.g., certificates and certificate revocation lists (CRLs), and that + a different certificate than the one used to verify signatures on + certificates and CRLs is used when EST protocol communication + requires additional encryption. + + The EST client authenticates and verifies the authorization scope of + the EST server when requesting the current CA certificate(s). As + detailed in Sections 3.3.1 and 3.3.3, available options include: + + o Verifying the EST server's HTTPS URI against the EST server's + certificate using Implicit TAs (similar to a common HTTPS + exchange). This allows the EST server and client to leverage + existing TAs that might be known to the EST client. + + o The client can leverage a previously distributed trust anchor + specific to the EST server. This allows the EST client to use an + existing, potentially older, CA certificate to request a current + CA certificate. + + o For bootstrapping, the EST client can rely upon manual + authentication performed by the end-user as detailed in + Section 4.1.1. + + o The client can leverage the binding of a shared credential to a + specific EST server with a certificate-less TLS cipher suite. + + Client authentication is not required for this exchange, so it is + trivially supported by the EST server. + +2.2. Initial Enrollment + + After authenticating an EST server and verifying that it is + authorized to provide services to the client, an EST client can + acquire a certificate for itself by submitting an enrollment request + to that server. + + The EST server authenticates and authorizes the EST client as + specified in Sections 3.3.2, 3.3.3, and 3.7. The methods described + in the normative text that are discussed in this overview include: + + o TLS with a previously issued client certificate (e.g., an existing + certificate issued by the EST CA); + + o TLS with a previously installed certificate (e.g., manufacturer- + installed certificate or a certificate issued by some other + party); + + + +Pritikin, et al. Standards Track [Page 7] + +RFC 7030 EST October 2013 + + + o Certificate-less TLS (e.g., with a shared credential distributed + out-of-band); + + o HTTP-based with a username/password distributed out-of-band. + +2.2.1. Certificate TLS Authentication + + If the EST client has a previously installed certificate issued by a + third-party CA, this certificate can be used to authenticate the + client's request for a certificate from the EST server (if that CA is + recognized by the EST server). An EST client responds to the EST + server's TLS certificate request message with the existing + certificate already held by the client. The EST server will verify + the client's existing certificate and authorize the client's request + as described in Section 3.3.2. + +2.2.2. Certificate-Less TLS Authentication + + The EST client and EST server can be mutually authenticated using a + certificate-less TLS cipher suite (see Section 3.3.3). + +2.2.3. HTTP-Based Client Authentication + + The EST server can optionally also request that the EST client submit + a username/password using the HTTP Basic or Digest authentication + methods (see Section 3.2.3). This approach is desirable if the EST + client cannot be authenticated during the TLS handshake (see + Section 3.3.2) or the EST server policy requires additional + authentication information; see Section 3.2.3. In all cases, + HTTP-based client authentication is only to be performed over a + TLS-protected transport (see Section 3.3). + +2.3. Client Certificate Reissuance + + An EST client can renew/rekey its existing client certificate by + submitting a re-enrollment request to an EST server. + + When the current EST client certificate can be used for TLS client + authentication (Section 3.3.2), the client presents this certificate + to the EST server for client authentication. When the to be reissued + EST client certificate cannot be used for TLS client authentication, + any of the authentication methods used for initial enrollment can be + used. + + For example, if the client has an alternative certificate issued by + the EST CA that can be used for TLS client authentication, then it + can be used. + + + + +Pritikin, et al. Standards Track [Page 8] + +RFC 7030 EST October 2013 + + + The certificate request message includes the same Subject and + SubjectAltName as the current certificate. Name changes are + requested as specified in Section 4.2.2. + +2.4. Server Key Generation + + The EST client can request a server-generated certificate and key + pair (see Section 4.4). + +2.5. Full PKI Request Messages + + Full PKI Request [RFC5272] messages can be transported via EST using + the Full CMC Request function. This affords access to functions not + provided by the Simple Enrollment functions. Full PKI Request + messages are defined in Sections 3.2 and 4.2 of [RFC5272]. See + Section 4.3 for a discussion of how EST provides a transport for + these messages. + +2.6. Certificate Signing Request (CSR) Attributes Request + + Prior to sending an enrollment request to an EST server, an EST + client can query the EST server for a set of additional attributes + that the client is requested to use in a subsequent enrollment + request. + + These attributes can provide additional descriptive information that + the EST server cannot access itself, such as the Media Access Control + (MAC) address of an interface of the EST client. Alternatively, + these attributes can indicate the kind of enrollment request, such as + a specific elliptic curve or a specific hash function that the client + is expected to use when generating the CSR. + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 9] + +RFC 7030 EST October 2013 + + +3. Protocol Design and Layering + + Figure 2 provides an expansion of Figure 1, describing how the layers + are used. Each aspect is described in more detail in the sections + that follow. + + EST Layering: + + Protocols and uses: + +----------------------------------------------------+ + | | + | Message types: | + | - "Simple PKI" messages | + | (incorporates proof-of-possession) | + | - CA certificate retrieval | + | - "Full PKI" messages (OPTIONAL) | + | (incorporates proof-of-possession) | + | - CSR Attributes Request (OPTIONAL) | + | - Server-generated key request (OPTIONAL) | + | | + +----------------------------------------------------+ + | | + | HTTP: | + | - HTTP headers and URIs for control | + | - Content-Type headers specify message type | + | - Headers for control/error messages | + | - URIs for selecting functions | + | - Basic or Digest authentication (OPTIONAL) | + | | + +----------------------------------------------------+ + | | + | TLS for transport security: | + | - Authentication of the EST server | + | - Authentication of the EST client (OPTIONAL) | + | - Provides communications integrity | + | and confidentiality | + | - Supplies channel-binding [RFC5929] information | + | to link proof-of-identity with message-based | + | proof-of-possession (OPTIONAL) | + | | + +----------------------------------------------------+ + + Figure 2 + + Specifying HTTPS as the secure transport for enrollment messages + introduces two "layers" to communicate authentication and control + messages: TLS and HTTP. + + + + +Pritikin, et al. Standards Track [Page 10] + +RFC 7030 EST October 2013 + + + The TLS layer provides integrity and confidentiality during + transport. The proof-of-identity is supplied by TLS handshake + authentication and optionally also by the HTTP layer headers. The + message type and control/error messages are included in the HTTP + headers. + + CMC ([RFC5272], Section 3.1) notes that "the Simple PKI Request MUST + NOT be used if a proof-of-identity needs to be included". Since the + TLS and HTTP layers can provide proof-of-identity for EST clients and + servers, the Simple PKI message types are used. + + The TLS layer certificate exchange provides a method for authorizing + client enrollment requests using existing certificates. Such + certificates may have been issued by the CA (from which the client is + requesting a certificate), or they may have been issued under a + distinct PKI (e.g., an IEEE 802.1AR Initial Device Identifier + (IDevID) [IDevID] credential). + + Proof-of-possession (POP) is a distinct issue from proof-of-identity + and is included in the Simple PKI message type as described in + Section 3.4. A method of linking proof-of-identity and + proof-of-possession is described in Section 3.5. + + This document also defines transport for CMC [RFC5272] that complies + with the CMC Transport Protocols [RFC5273]. CMC's POP and + proof-of-identity mechanisms are defined in CMC, but the mechanisms + here can also be used in conjunction with those mechanisms in "Full + PKI" messages. + + During protocol exchanges, different certificates can be used. The + following table provides an informative overview. End-entities can + have one or more certificates of each type listed in Figure 3 and use + one or more trust anchor databases of each type listed in Figure 4. + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 11] + +RFC 7030 EST October 2013 + + + Certificates and their corresponding uses: + +--------------+--------------------+-------------------------------+ + | Certificate | Issuer | Use and section references | + +==============+====================+===============================+ + | EST server | The CA served by | Presented by the EST server | + | certificate | the EST server | during the TLS handshake. | + | | | | + | | | Section 3.3.1 | + +--------------+--------------------+-------------------------------+ + | EST server | A CA | Presented by the EST server | + | certificate | authenticatable by | during the TLS handshake. | + | | a third-party TA, | | + | | e.g., a web server | Section 3.3.1 and | + | | CA | Security Considerations | + +--------------+--------------------+-------------------------------+ + | Third-party | A CA | Presented by the EST client | + | EST client | authenticatable by | to the EST server by clients | + | certificate | a third-party TA, | that have not yet enrolled. | + | | e.g., a device | | + | | manufacturer | Section 3.3.2 | + +--------------+--------------------+-------------------------------+ + | EST client | The CA served by | Presented to the EST server | + | certificate | the EST server | during future EST operations. | + | | | | + | | | Section 3.3.2 | + +--------------+--------------------+-------------------------------+ + | End-entity | The CA served by | Clients can obtain certs | + | certificate | the EST server | that are intended for | + | | | non-EST uses. This includes | + | | | certs that cannot be used | + | | | for EST operations. | + | | | | + | | | Section 4.2.3 | + +--------------+--------------------+-------------------------------+ + + + Figure 3 + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 12] + +RFC 7030 EST October 2013 + + + Trust anchor databases and their corresponding uses: + +--------------+----------------------------------------------------+ + | TA database | Use and section references | + +==============+====================================================+ + | EST server | EST servers use this TA database to authenticate | + | Explicit | certificates issued by the EST CA, including EST | + | TA database | client certificates during enroll/re-enroll | + | | operations. | + | | | + | | Section 3.3.2 | + +--------------+----------------------------------------------------+ + | EST server | EST servers use this TA database to authenticate | + | Implicit | certificates issued by third-party TAs; | + | TA database | e.g., EST client certificates issued by a device | + | | manufacturer. | + | | An Implicit TA database can be disabled. | + | | | + | | Section 3.3.2 | + +--------------+----------------------------------------------------+ + | EST client | EST clients use this TA database to authenticate | + | Explicit | certificates issued by the EST CA, including EST | + | TA database | server certificates. | + | | | + | | Sections 3.1, 3.3.1, 3.6.1, and 4.1.1 | + +--------------+----------------------------------------------------+ + | EST client | EST clients use this TA database to | + | Implicit | authenticate an EST server that uses an externally | + | TA database | issued certificate. | + | | An Implicit TA database can be disabled. | + | | | + | | Sections 3.1, 3.3.1, 3.6.2, and | + | | Security Considerations | + +--------------+----------------------------------------------------+ + + + Figure 4 + +3.1. Application Layer + + The EST client MUST be capable of generating and parsing Simple PKI + messages (see Section 4.2). Generating and parsing Full PKI messages + is OPTIONAL (see Section 4.3). The client MUST also be able to + request CA certificates from the EST server and parse the returned + "bag" of certificates (see Section 4.1). Requesting CSR attributes + and parsing the returned list of attributes is OPTIONAL (see + Section 4.5). + + + + + +Pritikin, et al. Standards Track [Page 13] + +RFC 7030 EST October 2013 + + + Details of the EST client application configuration are out of scope + of the protocol discussion but are necessary for understanding the + prerequisites of initiating protocol operations. The EST client is + RECOMMENDED to be configured with TA databases for Section 3.3.1 or + with a secret key for Section 3.3.3. Implementations conforming to + this standard MUST provide the ability to designate Explicit TAs. + For human usability reasons, a "fingerprint" of an Explicit TA + database entry can be configured for bootstrapping as discussed in + Section 4.1.1. Configuration of an Implicit TA database, perhaps by + its inclusion within the EST client distribution or available from + the operating system, provides flexibility along with the caveats + detailed in Section 6. Implementations conforming to this standard + MUST provide the ability to disable use of any Implicit TA database. + + The EST client is configured with sufficient information to form the + EST server URI. This can be the full operation path segment (e.g., + https://www.example.com/.well-known/est/ or + https://www.example.com/.well-known/est/arbitraryLabel1), or the EST + client can be configured with a tuple composed of the authority + portion of the URI along with the OPTIONAL label (e.g., + "www.example.com:80" and "arbitraryLabel1") or just the authority + portion of the URI. + +3.2. HTTP Layer + + HTTP is used to transfer EST messages. URIs are defined for handling + each media type (i.e., message type) as described in Section 3.2.2. + HTTP is also used for client authentication services when TLS client + authentication is not available, due to the lack of a client + certificate suitable for use by TLS (see Section 3.2.3). HTTP + authentication can also be used in addition to TLS client + authentication if the EST server wishes additional authentication + information, as noted in Section 2.2.3. Registered media types are + used to convey EST messages as specified in Figure 6. + + HTTP 1.1 [RFC2616] and above support persistent connections. As + described in Section 8.1 of RFC 2616, persistent connections may be + used to reduce network and processing loads associated with multiple + HTTP requests. EST does not require or preclude persistent HTTP + connections. + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 14] + +RFC 7030 EST October 2013 + + +3.2.1. HTTP Headers for Control + + The HTTP Status value is used to communicate success or failure of an + EST function. HTTP authentication is used by a client when requested + by the server. + + The media types specified in the HTTP Content-Type header indicate + which EST message is being transferred. Media types used by EST are + specified in Section 3.2.4. + + HTTP redirections (3xx status codes) to the same web origin (see + [RFC6454]) SHOULD be handled by the client without user input so long + as all applicable security checks (Sections 3.3 and 3.6) have been + enforced on the initial connection. The client initiates a new TLS + connection and performs all applicable security checks when + redirected to other web origin servers. Redirections to other web + origins require the EST client to obtain user input for non-GET or + HEAD requests as specified in [RFC2616]. Additionally, if the client + has already generated a CSR that includes linking identity and POP + information (Section 3.5), then the CSR will need to be recreated to + incorporate the tls-unique from the new, redirected session. Note: + the key pair need not be regenerated. These are processing and + interface burdens on the client. EST server administrators are + advised to take this into consideration. + + + + + + + + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 15] + +RFC 7030 EST October 2013 + + +3.2.2. HTTP URIs for Control + + The EST server MUST support the use of the path-prefix of "/.well- + known/" as defined in [RFC5785] and the registered name of "est". + Thus, a valid EST server URI path begins with + "https://www.example.com/.well-known/est". Each EST operation is + indicated by a path-suffix that indicates the intended operation: + + Operations and their corresponding URIs: + +------------------------+-----------------+-------------------+ + | Operation |Operation path | Details | + +========================+=================+===================+ + | Distribution of CA | /cacerts | Section 4.1 | + | Certificates (MUST) | | | + +------------------------+-----------------+-------------------+ + | Enrollment of | /simpleenroll | Section 4.2 | + | Clients (MUST) | | | + +------------------------+-----------------+-------------------+ + | Re-enrollment of | /simplereenroll | Section 4.2.2 | + | Clients (MUST) | | | + +------------------------+-----------------+-------------------+ + | Full CMC (OPTIONAL) | /fullcmc | Section 4.3 | + +------------------------+-----------------+-------------------+ + | Server-Side Key | /serverkeygen | Section 4.4 | + | Generation (OPTIONAL) | | | + +------------------------+-----------------+-------------------+ + | CSR Attributes | /csrattrs | Section 4.5 | + | (OPTIONAL) | | | + +------------------------+-----------------+-------------------+ + + Figure 5 + + The operation path (Figure 5) is appended to the path-prefix to form + the URI used with HTTP GET or POST to perform the desired EST + operation. An example valid URI absolute path for the "/cacerts" + operation is "/.well-known/est/cacerts". To retrieve the CA's + certificates, the EST client would use the following HTTP + request-line: + + GET /.well-known/est/cacerts HTTP/1.1 + + Likewise, to request a new certificate in this example scheme, the + EST client would use the following request-line: + + POST /.well-known/est/simpleenroll HTTP/1.1 + + + + + + +Pritikin, et al. Standards Track [Page 16] + +RFC 7030 EST October 2013 + + + The use of distinct operation paths simplifies implementation for + servers that do not perform client authentication when distributing + /cacerts responses. + + An EST server MAY provide service for multiple CAs as indicated by an + OPTIONAL additional path segment between the registered application + name and the operation path. To avoid conflict, the CA label MUST + NOT be the same as any defined operation path segment. The EST + server MUST provide services regardless of whether the additional + path segment is present. The following are three example valid URIs: + + 1. https://www.example.com/.well-known/est/cacerts + + 2. https://www.example.com/.well-known/est/arbitraryLabel1/cacerts + + 3. https://www.example.com/.well-known/est/arbitraryLabel2/cacerts + + In this specification, the distinction between enroll and renew/rekey + is explicitly indicated by the HTTP URI. When requesting /fullcmc + operations, CMC [RFC5272] uses the same messages for certificate + renewal and certificate rekey. + + An EST server can provide additional services using other URIs. + +3.2.3. HTTP-Based Client Authentication + + The EST server MAY request HTTP-based client authentication. This + request can be in addition to successful TLS client authentication + (Section 3.3.2) if EST server policy requires additional + authentication. (For example, the EST server may require that an EST + client "knows" a password in addition to "having" an existing client + certificate.) Or, HTTP-based client authentication can be an EST + server policy-specified fallback in situations where the EST client + did not successfully complete the TLS client authentication. (This + might arise if the EST client is enrolling for the first time or if + the certificates available to an EST client cannot be used for TLS + client authentication.) + + HTTP Basic and Digest authentication MUST only be performed over TLS + 1.1 [RFC4346] or later versions. NULL and anon cipher suites MUST + NOT be used because they do not provide confidentiality or support + mutual certificate-based or certificate-less authentication, + respectively. As specified in "Certificate Management over CMS + (CMC): Transport Protocols" [RFC5273], the server "MUST NOT assume + client support for any type of HTTP authentication such as cookies, + Basic authentication, or Digest authentication". Clients SHOULD + support the Basic and Digest authentication mechanism. + + + + +Pritikin, et al. Standards Track [Page 17] + +RFC 7030 EST October 2013 + + + Servers that wish to use Basic and Digest authentication reject the + HTTP request using the HTTP-defined WWW-Authenticate response-header + ([RFC2616], Section 14.47). The client is expected to retry the + request, including the appropriate Authorization Request header + ([RFC2617], Section 3.2.2), if the client is capable of using the + Basic or Digest authentication. If the client is not capable of + retrying the request or it is not capable of Basic or Digest + authentication, then the client MUST terminate the connection. + + A client MAY set the username to the empty string ("") if it is + presenting a password that is not associated with a username. + + Support for HTTP-based client authentication has security + ramifications as discussed in Section 6. The client MUST NOT respond + to the server's HTTP authentication request unless the client has + authorized the EST server (as per Section 3.6). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 18] + +RFC 7030 EST October 2013 + + +3.2.4. Message Types + + This document uses existing media types for the messages as specified + by FTP and HTTP [RFC2585], application/pkcs10 [RFC5967], and CMC + [RFC5272]. + + For consistency with [RFC5273], each distinct EST message type uses + an HTTP Content-Type header with a specific media type. + + The EST messages and their corresponding media types for each + operation are: + + +--------------------+--------------------------+-------------------+ + | Message type | Request media type | Request section(s)| + | | Response media type(s) | Response section | + | (per operation) | Source(s) of types | | + +====================+==========================+===================+ + | Distribution of CA | N/A | Section 4.1 | + | Certificates | application/pkcs7-mime | Section 4.1.1 | + | | [RFC5751] | | + | /cacerts | | | + +--------------------+--------------------------+-------------------+ + | Client Certificate | application/pkcs10 | Sections 4.2/4.2.1| + | Request Functions | application/pkcs7-mime | Section 4.2.2 | + | | [RFC5967] [RFC5751] | | + | /simpleenroll | | | + | /simplereenroll | | | + +--------------------+--------------------------+-------------------+ + | Full CMC | application/pkcs7-mime | Section 4.3.1 | + | | application/pkcs7-mime | Section 4.3.2 | + | /fullcmc | [RFC5751] | | + +--------------------+--------------------------+-------------------+ + | Server-Side Key | application/pkcs10 | Section 4.4.1 | + | Generation | multipart/mixed | Section 4.4.2 | + | | (application/pkcs7-mime &| | + | | application/pkcs8) | | + | | [RFC5967] [RFC5751] | | + | /serverkeygen | [RFC5958] | | + +--------------------+--------------------------+-------------------+ + | CSR Attributes | N/A | Section 4.5.1 | + | | application/csrattrs | Section 4.5.2 | + | | (This document) | | + | /csrattrs | | | + +--------------------+--------------------------+-------------------+ + + Figure 6 + + + + + +Pritikin, et al. Standards Track [Page 19] + +RFC 7030 EST October 2013 + + +3.3. TLS Layer + + TLS provides authentication, which in turn enables authorization + decisions. The EST server and EST client are responsible for + ensuring that an acceptable cipher suite is negotiated and that + mutual authentication has been performed. TLS authentication is most + commonly enabled with the use of certificates [RFC5280]. + Alternately, certificate-less TLS authentication, where neither the + client nor server present a certificate, is also an acceptable method + for EST mutual authentication (Section 3.3.3). The EST server MUST + be authenticated during the TLS handshake unless the client is + requesting Bootstrap Distribution of CA certificates (Section 4.1.1) + or Full CMC (Section 4.3). + + HTTPS [RFC2818] specifies how HTTP messages are carried over TLS. + HTTPS MUST be used. TLS 1.1 [RFC4346] (or a later version) MUST be + used for all EST communications. TLS session resumption [RFC5077] + SHOULD be supported. + + TLS channel-binding information can be inserted into a certificate + request, as detailed in Section 3.5, in order to provide the EST + server with assurance that the authenticated TLS client has access to + the private key for the certificate being requested. The EST server + MUST implement Section 3.5. + +3.3.1. TLS-Based Server Authentication + + TLS server authentication with certificates MUST be supported. + + The EST client authenticates the EST server as defined for the cipher + suite negotiated. The following text provides details assuming a + certificate-based cipher suite, such as the TLS 1.1 [RFC4346] + mandatory cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA). + + Certificate validation MUST be performed as per [RFC5280]. The EST + server certificate MUST conform to the [RFC5280] certificate profile. + + The client validates the TLS server certificate using the EST client + Explicit and, if enabled, Implicit TA database(s). The client MUST + maintain a distinction between the use of Explicit and Implicit TA + databases during authentication in order to support proper + authorization. The EST client MUST perform authorization checks as + specified in Section 3.6. + + If certificate validation fails, the client MAY follow the procedure + outlined in Section 4.1.1 for Bootstrap Distribution of CA + certificates. + + + + +Pritikin, et al. Standards Track [Page 20] + +RFC 7030 EST October 2013 + + +3.3.2. TLS-Based Client Authentication + + TLS client authentication is the RECOMMENDED method for identifying + EST clients. HTTP-based client authentication (Section 3.2.3) MAY be + used. + + The EST server authenticates the EST client as defined for the cipher + suite negotiated. The following text provides details assuming a + certificate-based cipher suite such as the TLS 1.1 [RFC4346] + mandatory cipher suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA). The EST + server MUST support certificate-based client authentication. + + Generally, the client will use an existing certificate for renew or + rekey operations. If the certificate to be renewed or rekeyed is + appropriate for the negotiated cipher suite, then the client MUST use + it for the TLS handshake, otherwise the client SHOULD use an + alternate certificate that is suitable for the cipher suite and + contains the same subject identity information. When requesting an + enroll operation, the client MAY use a client certificate issued by a + third party to authenticate itself. + + Certificate validation MUST be performed as per [RFC5280]. The EST + client certificate MUST conform to the [RFC5280] certificate profile. + + The server validates the TLS client certificate using the EST server + Explicit and, if enabled, Implicit TA database(s). The server MUST + maintain a distinction between the use of Explicit and Implicit TA + databases during authentication in order to support proper + authorization. + + The EST server MUST perform authorization checks as specified in + Section 3.7. + + If a client does not support TLS client authentication, then it MUST + support HTTP-based client authentication (Section 3.2.3) or + certificate-less TLS authentication (Section 3.3.3). + +3.3.3. Certificate-Less TLS Mutual Authentication + + Certificate-less TLS cipher suites provide a way to perform mutual + authentication in situations where neither the client nor server have + certificates, do not desire to use certificates, or do not have the + trust anchors necessary to verify a certificate. The client and + server MAY negotiate a certificate-less cipher suite for mutual + authentication. + + When using certificate-less mutual authentication in TLS for + enrollment, the cipher suite MUST be based on a protocol that is + + + +Pritikin, et al. Standards Track [Page 21] + +RFC 7030 EST October 2013 + + + resistant to dictionary attack and MUST be based on a zero knowledge + protocol. Transport Layer Security-Secure Remote Password (TLS-SRP) + cipher suites, i.e., those with _SRP_ in the name, listed in + Section 2.7 of [RFC5054] are suitable for this purpose. Section 6 + lists the characteristics of a cipher suite that are suitable for use + in certificate-less mutual authentication for enrollment. + + Successful authentication using a certificate-less cipher suite + proves knowledge of a pre-shared secret that implicitly authorizes a + peer in the exchange. + +3.4. Proof-of-Possession + + As defined in Section 2.1 of CMC [RFC5272], proof-of-possession (POP) + "refers to a value that can be used to prove that the private key + corresponding to the public key is in the possession of and can be + used by an end-entity". + + The signed enrollment request provides a signature-based + proof-of-possession. The mechanism described in Section 3.5 + strengthens this by optionally including "Direct"-based + proof-of-possession [RFC5272] by including TLS session-specific + information within the data covered by the enrollment request + signature (thus linking the enrollment request to the authenticated + end point of the TLS connection). + +3.5. Linking Identity and POP Information + + Server policy will determine whether clients are required to use the + mechanism specified in this section. This specification provides a + method of linking identity and proof-of-possession by including + information specific to the current authenticated TLS session within + the signed certification request. The client can determine if the + server requires the linking of identity and POP by examining the CSR + Attributes Response (see Section 4.5.2). Regardless of the CSR + Attributes Response, clients SHOULD link identity and POP by + embedding tls-unique information in the certification request. If + tls-unique information is included by the client, the server MUST + verify it. The EST server MAY reject requests without tls-unique + information as indicated by server policy. + + Linking identity and proof-of-possession proves to the server that + the authenticated TLS client has possession of the private key + associated with the certification request, and that the client was + able to sign the certification request after the TLS session was + established. This is an alternative to the "Linking Identity and POP + Information" method defined by Section 6 of [RFC5272] that is + available if Full PKI messages are used. + + + +Pritikin, et al. Standards Track [Page 22] + +RFC 7030 EST October 2013 + + + The client generating the CSR obtains the tls-unique value from the + TLS subsystem as described in Channel Bindings for TLS [RFC5929]. + The EST client operations between obtaining the tls-unique value + through generation of the CSR that contains the current tls-unique + value and the subsequent verification of this value by the EST server + are the "phases of the application protocol during which application- + layer authentication occurs"; these operations are protected by the + synchronization interoperability mechanism described in the "Channel + Bindings for TLS" interoperability notes in Section 3.1 of [RFC5929]. + + When performing renegotiation, TLS "secure_renegotiation" [RFC5746] + MUST be used. + + The tls-unique value is base64 encoded as specified in Section 4 of + [RFC4648], and the resulting string is placed in the certification + request challenge-password field ([RFC2985], Section 5.4.1). The + challenge-password field is limited to 255 bytes (Section 7.4.9 of + [RFC5246] indicates that no existing cipher suite would result in an + issue with this limitation). If the challenge-password attribute is + absent, the client did not include the optional channel-binding + information (the presence of the challenge-password attribute + indicates the inclusion of tls-unique information). + + If the EST server makes use of a back-end infrastructure for + processing, it is RECOMMENDED that the results of this verification + be communicated. (For example, this communication might use the CMC + [RFC5272] "RA POP Witness Control" in a CMC Full PKI Request message. + Or, an EST server might TLS-authenticate an EST client as being a + trusted infrastructure element that does not forward invalid + requests. A detailed discussion of back-end processing is out of + scope.) + + When rejecting requests, the EST server response is as described for + all enroll responses (Section 4.2.3). If a Full PKI Response is + included, the CMCFailInfo MUST be set to popFailed. If a human- + readable reject message is included, it SHOULD include an informative + text message indicating that the linking of identity and POP + information is required. + +3.6. Server Authorization + + The client MUST check EST server authorization before accepting any + server responses or responding to HTTP authentication requests. + + The EST client authorization method depends on which method was used + to authenticate the server. When the Explicit TA database is used to + authenticate the EST server, then Section 3.6.1 applies. When the + Implicit TA database is used to authenticate the EST server, then + + + +Pritikin, et al. Standards Track [Page 23] + +RFC 7030 EST October 2013 + + + Section 3.6.2 applies. Successful authentication using a + certificate-less cipher suite implies authorization of the server. + + The client MAY perform bootstrapping as specified in Section 4.1.1 + even if these checks fail. + +3.6.1. Client Use of Explicit TA Database + + When the EST client Explicit TA database is used to validate the EST + server certificate, the client MUST check either the configured URI + or the most recent HTTP redirection URI against the server's identity + according to the rules specified in [RFC6125], Section 6.4, or the + EST server certificate MUST contain the id-kp-cmcRA [RFC6402] + extended key usage extension. + +3.6.2. Client Use of Implicit TA Database + + When the EST client Implicit TA database is used to validate the EST + server certificate, the client MUST check the configured URI and each + HTTP redirection URI according to the rules specified in [RFC6125], + Section 6.4. The provisioned URI or the most recent HTTP redirection + URI provides the basis for authorization, and the server's + authenticated identity confirms it is the authorized server. + +3.7. Client Authorization + + The decision to issue a certificate to a client is always controlled + by local CA policy. The EST server configuration reflects this CA + policy. This document does not specify any constraints on such + policy. EST provides the EST server access to each client's + authenticated identity -- e.g., the TLS client's certificate in + addition to any HTTP user authentication credentials -- to help in + implementing such policy. + + If the client's certificate was issued by the EST CA, and it includes + the id-kp-cmcRA [RFC6402] extended key usage extension, then the + client is a Registration Authority (RA) as described in [RFC5272] and + [RFC6402]. In this case, the EST server SHOULD apply authorization + policy consistent with an RA client. For example, when handling + /simpleenroll requests, the EST server could be configured to accept + POP linking information that does not match the current TLS session + because the authenticated EST client RA has verified this information + when acting as an EST server (as specified in Section 3.5). More + specific RA mechanisms are available if the EST client uses /fullcmc + methods. + + + + + + +Pritikin, et al. Standards Track [Page 24] + +RFC 7030 EST October 2013 + + +4. Protocol Exchange Details + + Before processing a request, an EST server determines if the client + is authorized to receive the requested services. Likewise, the + client determines if it will make requests to the EST server. These + authorization decisions are described in the next two sections. + Assuming that both sides of the exchange are authorized, then the + actual operations are as described in subsequent sections. + +4.1. Distribution of CA Certificates + + The EST client can request a copy of the current CA certificates. + This function is generally performed before other EST functions. + +4.1.1. Bootstrap Distribution of CA Certificates + + It is possible that the client was not configured with an Implicit TA + database that allows a bootstrap installation of the Explicit TA + database as described in 4.1.3. This section describes an alternate + method by which minimally configured EST clients can populate their + Explicit TA database. + + If the EST client application does not specify either an Explicit TA + database or an Implicit TA database, then the initial TLS server + authentication and authorization will fail. The client MAY + provisionally continue the TLS handshake to completion for the + purposes of accessing the /cacerts or /fullcmc method. If the EST + client continues with an unauthenticated connection, the client MUST + extract the HTTP content data from the response (Sections 4.1.3 or + 4.3.2) and engage a human user to authorize the CA certificate using + out-of-band data such as a CA certificate "fingerprint" (e.g., a + SHA-256 or SHA-512 [SHS] hash on the whole CA certificate). In a + /fullcmc response, it is the Publish Trust Anchors control (CMC + [RFC5272], Section 6.15) within the Full PKI Response that must be + accepted manually. It is incumbent on the user to properly verify + the TA information, or to provide the "fingerprint" data during + configuration that is necessary to verify the TA information. + + HTTP authentication requests MUST NOT be responded to if the server + has not been authenticated as specified in Section 3.3.1 or if the + optional certificate-less authentication is used as specified in + Section 3.3.3. + + The EST client uses the /cacerts response to establish an Explicit + Trust Anchor database for subsequent TLS authentication of the EST + server. EST clients MUST NOT engage in any other protocol exchange + + + + + +Pritikin, et al. Standards Track [Page 25] + +RFC 7030 EST October 2013 + + + until after the /cacerts response has been accepted and a new TLS + session has been established (using TLS certificate-based + authentication). + +4.1.2. CA Certificates Request + + EST clients request the EST CA TA database information of the CA (in + the form of certificates) with an HTTPS GET message using an + operation path of "/cacerts". EST clients and servers MUST support + the /cacerts function. Clients SHOULD request an up-to-date response + before stored information has expired in order to ensure the EST CA + TA database is up to date. + + The EST server SHOULD NOT require client authentication or + authorization to reply to this request. + + The client MUST authenticate the EST server, as specified in + Section 3.3.1 if certificate-based authentication is used or + Section 3.3.3 if the optional certificate-less authentication is + used, and check the server's authorization as given in Section 3.6, + or follow the procedure outlined in Section 4.1.1. + +4.1.3. CA Certificates Response + + If successful, the server response MUST have an HTTP 200 response + code. Any other response code indicates an error and the client MUST + abort the protocol. + + A successful response MUST be a certs-only CMC Simple PKI Response, + as defined in [RFC5272], containing the certificates described in the + following paragraph. The HTTP content-type of + "application/pkcs7-mime" is used. The Simple PKI Response is sent + with a Content-Transfer-Encoding of "base64" [RFC2045]. + + The EST server MUST include the current root CA certificate in the + response. The EST server MUST include any additional certificates + the client would need to build a chain from an EST CA-issued + certificate to the current EST CA TA. For example, if the EST CA is + a subordinate CA, then all the appropriate subordinate CA + certificates necessary to build a chain to the root EST CA are + included in the response. + + The EST server SHOULD include the three "Root CA Key Update" + certificates OldWithOld, OldWithNew, and NewWithOld in the response + chain. These are defined in Section 4.4 of CMP [RFC4210]. The EST + client MUST be able to handle these certificates in the response. + The EST CA's most recent self-signed certificate (e.g., NewWithNew + certificate) is self-signed and has the latest NotAfter date. If the + + + +Pritikin, et al. Standards Track [Page 26] + +RFC 7030 EST October 2013 + + + EST server does not include these in the response, then after the + current EST CA certificate expires, the EST clients will need to be + reinitialized with the PKI using the Bootstrap Distribution of CA + certificates (Section 4.1.1) method, which involves user interaction. + + After out-of-band validation occurs, all the other certificates MUST + be validated using normal [RFC5280] certificate path validation + (using the most recent CA certificate as the TA) before they can be + used to build certificate paths during certificate validation. + + The EST client MUST store the extracted EST CA certificate as an + Explicit TA database entry for subsequent EST server authentication. + The EST client SHOULD disable use of Implicit TA database entries for + this EST server now that an Explicit TA database entry is available. + If the client disables the Implicit TA database, and if the EST + server certificate was verified using an Implicit TA database entry, + then the client MUST include the "Trusted CA Indication" extension in + future TLS sessions [RFC6066]. This indicates to the server that + only an EST server certificate authenticatable by the Explicit TA + database entry is now acceptable (otherwise, the EST server might + continue to use a server certificate that is only verifiable by a now + disabled Implicit TA). + + The EST client SHOULD also make the CA Certificate response + information available to the end-entity software for use when + validating peer certificates. + +4.2. Client Certificate Request Functions + + EST clients request a certificate from the EST server with an HTTPS + POST using the operation path value of "/simpleenroll". EST clients + request a renew/rekey of existing certificates with an HTTP POST + using the operation path value of "/simplereenroll". EST servers + MUST support the /simpleenroll and /simplereenroll functions. + + It is RECOMMENDED that a client obtain the current CA certificates, + as described in Section 4.1, before performing certificate request + functions. This ensures that the client will be able to validate the + EST server certificate. The client MUST authenticate the EST server + as specified in Section 3.3.1 if certificate-based authentication is + used or Section 3.3.3 if the optional certificate-less authentication + is used. The client MUST verify the authorization of the EST server + as specified in Section 3.6. + + The server MUST authenticate the client as specified in Section 3.3.2 + if certificate-based authentication is used or Section 3.3.3 if the + optional certificate-less authentication is used. The server MUST + verify client authorization as specified in Section 3.7. The EST + + + +Pritikin, et al. Standards Track [Page 27] + +RFC 7030 EST October 2013 + + + server MUST check the tls-unique value, as described in Section 3.5, + if one is submitted by the client. + + The server MAY accept a certificate request for manual authorization + checking by an administrator. (Section 4.2.3 describes the use of an + HTTP 202 response to the EST client if this occurs.) + +4.2.1. Simple Enrollment of Clients + + When HTTPS POSTing to /simpleenroll, the client MUST include a Simple + PKI Request as specified in CMC [RFC5272], Section 3.1 (i.e., a PKCS + #10 Certification Request [RFC2986]). + + The Certification Signing Request (CSR) signature provides + proof-of-possession of the client-possessed private key to the EST + server. If the CSR KeyUsage extension indicates that the private key + can be used to generate digital signatures, then the client MUST + generate the CSR signature using the private key. If the key can be + used to generate digital signatures but the requested CSR KeyUsage + extension prohibits generation of digital signatures, then the CSR + signature MAY still be generated using the private key, but the key + MUST NOT be used for any other signature operations (this is + consistent with the recommendations concerning submission of + proof-of-possession to an RA or CA as described in + [SP-800-57-Part-1]). The use of /fullcmc operations provides access + to more advanced proof-of-possession methods that are used when the + key pair cannot be used for digital signature generation (see + Section 4.3). + + The HTTP content-type of "application/pkcs10" is used here. The + format of the message is as specified in [RFC5967] with a Content- + Transfer-Encoding of "base64" [RFC2045]. + + If the EST client authenticated using a previously installed + certificate issued by a third-party CA (see Section 2.2.1), the + client MAY include the ChangeSubjectName attribute, as defined in + [RFC6402], in the CSR to request that the subjectName and + SubjectAltName be changed in the new certificate. + + The EST client MAY request additional certificates even when using an + existing certificate in the TLS client authentication. For example, + the client can use an existing certificate for TLS client + authentication when requesting a certificate that cannot be used for + TLS client authentication. + + + + + + + +Pritikin, et al. Standards Track [Page 28] + +RFC 7030 EST October 2013 + + +4.2.2. Simple Re-enrollment of Clients + + EST clients renew/rekey certificates with an HTTPS POST using the + operation path value of "/simplereenroll". + + A certificate request employs the same format as the "simpleenroll" + request, using the same HTTP content-type. The request Subject field + and SubjectAltName extension MUST be identical to the corresponding + fields in the certificate being renewed/rekeyed. The + ChangeSubjectName attribute, as defined in [RFC6402], MAY be included + in the CSR to request that these fields be changed in the new + certificate. + + If the Subject Public Key Info in the certification request is the + same as the current client certificate, then the EST server renews + the client certificate. If the public key information in the + certification request is different than the current client + certificate, then the EST server rekeys the client certificate. + +4.2.3. Simple Enroll and Re-enroll Response + + If the enrollment is successful, the server response MUST contain an + HTTP 200 response code with a content-type of + "application/pkcs7-mime". + + A successful response MUST be a certs-only CMC Simple PKI Response, + as defined in [RFC5272], containing only the certificate that was + issued. The HTTP content-type of "application/pkcs7-mime" with an + smime-type parameter "certs-only" is used, as specified in [RFC5273]. + + The server MUST answer with a suitable 4xx or 5xx HTTP [RFC2616] + error code when a problem occurs. A Simple PKI Response with an HTTP + content-type of "application/pkcs7-mime" (see Section 4.3.2) MAY be + included in the response data to convey an error response. If the + content-type is not set, the response data MUST be a plaintext human- + readable error message containing explanatory information describing + why the request was rejected (for example, indicating that CSR + attributes are incomplete). + + If the server responds with an HTTP [RFC2616] 202, this indicates + that the request has been accepted for processing but that a response + is not yet available. The server MUST include a Retry-After header + as defined for HTTP 503 responses. The server also MAY include + informative human-readable content. The client MUST wait at least + the specified "retry-after" time before repeating the same request. + The client repeats the initial enrollment request after the + appropriate "retry-after" interval has expired. The client SHOULD + log or inform the end-user of this event. The server is responsible + + + +Pritikin, et al. Standards Track [Page 29] + +RFC 7030 EST October 2013 + + + for maintaining all states necessary to recognize and handle retry + operations as the client is stateless in this regard; it simply sends + the same request repeatedly until it receives a different response + code. All other return codes are handled as specified in HTTP + [RFC2616]. + + If the client closes the TLS connections while waiting for the Retry- + After time to expire, then the client initiates a new TLS connection + and performs all applicable security checks. If the client has + already generated a CSR that includes linking identity and POP + information (Section 3.5), then the CSR will need to be recreated to + incorporate the tls-unique from the new, redirected session. Note: + the key pair need not be regenerated. These are processing and + interface burdens on the client. EST server administrators are + advised to take this into consideration. + + The EST client MAY also make the certificate response, and associated + private key, available to end-entity software for use as an + end-entity certificate. + +4.3. Full CMC + + An EST client can request a certificate from an EST server with an + HTTPS POST using the operation path value of "/fullcmc". Support for + the /fullcmc function is OPTIONAL for both clients and servers. + +4.3.1. Full CMC Request + + If the HTTP POST to /fullcmc is not a valid Full PKI Request, the + server MUST reject the message. The HTTP content-type used is + "application/pkcs7-mime" with an smime-type parameter "CMC-request", + as specified in [RFC5273]. The body of the message is the binary + value of the encoding of the PKI Request with a + Content-Transfer-Encoding of "base64" [RFC2045]. + +4.3.2. Full CMC Response + + If the enrollment is successful, the server response MUST include an + HTTP 200 response code with a content-type of + "application/pkcs7-mime" as specified in [RFC5273]. The response + data includes either the Simple PKI Response with an smime-type + parameter of "certs-only" or the Full PKI Response with an smime-type + parameter "CMC-response", as specified in Section 3.2.1 of [RFC5751]. + The body of the message is the binary value of the encoding of the + PKI Response with a Content-Transfer-Encoding of "base64" [RFC2045]. + + + + + + +Pritikin, et al. Standards Track [Page 30] + +RFC 7030 EST October 2013 + + + When rejecting a request, the server MUST specify either an HTTP 4xx + error or an HTTP 5xx error. A CMC response with the content-type of + "application/pkcs7-mime" MUST be included in the response data for + any CMC error response. + + All other return codes are handled as specified in Section 4.2.3 or + HTTP [RFC2616]. For example, a client interprets an HTTP 404 or 501 + response to indicate that this service is not implemented. + +4.4. Server-Side Key Generation + + An EST client may request a private key and associated certificate + from an EST server using an HTTPS POST with an operation path value + of "/serverkeygen". Support for the /serverkeygen function is + OPTIONAL. + + A client MUST authenticate an EST server, as specified in + Section 3.3.1 if certificate-based authentication is used or + Section 3.3.3 if the optional certificate-less authentication is + used, and check the server's authorization as given in Section 3.6. + + The EST server MUST authenticate the client, as specified in + Section 3.3.2 if certificate-based authenticated is used or + Section 3.3.3 if the optional certificate-less authentication is + used, and check the client's authorization as given in Section 3.7. + The EST server applies whatever authorization or logic it chooses to + determine if the private key and certificate should be provided. + + Cipher suites that have a NULL confidentiality algorithm MUST NOT be + used as they will disclose the contents of an unprotected private + key. + + Proper random number and key generation [RFC4086] is a server + implementation responsibility, and server archiving of generated keys + is determined by CA policy. The key pair and certificate are + transferred over the TLS session. The cipher suite used to return + the private key and certificate MUST offer confidentiality + commensurate with the private key being delivered to the client. + + The EST client MAY request additional certificates even when using an + existing certificate in the TLS client authentication. For example, + the client can use an existing certificate for TLS client + authentication when requesting a certificate that cannot be used for + TLS client authentication. + + + + + + + +Pritikin, et al. Standards Track [Page 31] + +RFC 7030 EST October 2013 + + +4.4.1. Server-Side Key Generation Request + + The certificate request is HTTPS POSTed and is the same format as for + the "/simpleenroll" and "/simplereenroll" path extensions with the + same content-type and transfer encoding. + + In all respects, the server SHOULD treat the CSR as it would any + enroll or re-enroll CSR; the only distinction here is that the server + MUST ignore the public key values and signature in the CSR. These + are included in the request only to allow re-use of existing + codebases for generating and parsing such requests. + + If the client desires to receive the private key with encryption that + exists outside of and in addition to that of the TLS transport used + by EST or if server policy requires that the key be delivered in such + a form, the client MUST include an attribute in the CSR indicating + the encryption key to be used. Both symmetric and asymmetric + encryption are supported as described in the following subsections. + The client MUST also include an SMIMECapabilities attribute + ([RFC2633], Section 2.5) in the CSR to indicate the key encipherment + algorithms the client is willing to use. + + It is strongly RECOMMENDED that the clients request that the returned + private key be afforded the additional security of the Cryptographic + Message Syntax (CMS) EnvelopedData in addition to the TLS-provided + security to protect against unauthorized disclosure. + +4.4.1.1. Requests for Symmetric Key Encryption of the Private Key + + To specify a symmetric encryption key to be used to encrypt the + server-generated private key, the client MUST include a + DecryptKeyIdentifier attribute (as defined in Section 2.2.5 of + [RFC4108]) specifying the identifier of the secret key to be used by + the server to encrypt the private key. While that attribute was + originally designated for specifying a firmware encryption key, it + exactly mirrors the requirements for specifying a secret key to + encrypt a private key. If the server does not have a secret key + matching the identifier specified by the client, the request MUST be + terminated and an error returned to the client. Distribution of the + key specified by the DecryptKeyIdentifier to the key generator and + the client is outside the scope of this document. + + + + + + + + + + +Pritikin, et al. Standards Track [Page 32] + +RFC 7030 EST October 2013 + + +4.4.1.2. Requests for Asymmetric Encryption of the Private Key + + To specify an asymmetric encryption key to be used to encrypt the + server-generated private key, the client MUST include an + AsymmetricDecryptKeyIdentifier attribute. The + AsymmetricDecryptKeyIdentifier attribute is defined as: + + id-aa-asymmDecryptKeyID OBJECT IDENTIFIER ::= { + id-aa 54 } + + The asymmetric-decrypt-key-identifier attribute values have ASN.1 + type AsymmetricDecryptKeyIdentifier (where ASN.1 is defined in + [X.680]):: + + AsymmetricDecryptKeyIdentifier ::= OCTET STRING + + If the server does not have a public key matching the identifier + specified by the client, the request MUST be terminated and an error + returned to the client. Distribution of the key specified by the + AsymmetricDecryptKeyIdentifier to the key generator and the client is + outside the scope of this document. If the key identified is bound + to an X.509 certificate, then the key MUST either explicitly support + keyTransport or keyAgreement or its use MUST be unrestricted. + +4.4.2. Server-Side Key Generation Response + + If the request is successful, the server response MUST have an HTTP + 200 response code with a content-type of "multipart/mixed" consisting + of two parts: one part is the private key data and the other part is + the certificate data. + + The format in which the private key data part is returned is + dependent on whether the private key is being returned with + additional encryption on top of that provided by TLS. + + If additional encryption is not being employed, the private key data + MUST be placed in an "application/pkcs8". An "application/pkcs8" + part consists of the base64-encoded DER-encoded [X.690] + PrivateKeyInfo with a Content-Transfer-Encoding of "base64" + [RFC2045]. + + If additional encryption is being employed, the private key is placed + inside of a CMS SignedData. The SignedData is signed by the party + that generated the private key, which may or may not be the EST + server or the EST CA. The SignedData is further protected by placing + it inside of a CMS EnvelopedData, as described in Section 4 of + [RFC5958]. The following list shows how the EncryptedData is used, + depending on the type of protection key specified by the client. + + + +Pritikin, et al. Standards Track [Page 33] + +RFC 7030 EST October 2013 + + + o If the client specified a symmetric encryption key to protect the + server-generated private key, the EnvelopedData content is + encrypted using the secret key identified in the request. The + EnvelopedData RecipientInfo field MUST indicate the key-encryption + kekri key management technique. The values are as follows: + version is set to 4, key-encryption key identifier (kekid) is set + to the value of the DecryptKeyIdentifier from Section 4.4.1.1; + keyEncryptionAlgorithm is set to one of the key wrap algorithms + that the client included in the SMIMECapabilities accompanying the + request; and encryptedKey is the encrypted key. + + o If the client specified an asymmetric encryption key suitable for + key transport operations to protect the server-generated private + key, the EnvelopedData content is encrypted using a randomly + generated symmetric encryption key. The cryptographic strength of + the symmetric encryption key SHOULD be equivalent to the client- + specified asymmetric key. The EnvelopedData RecipientInfo field + MUST indicate the KeyTransRecipientInfo (ktri) key management + technique. In KeyTransRecipientInfo, the RecipientIdentifier + (rid) is either the subjectKeyIdentifier copied from the attribute + defined in Section 4.4.1.2 or the server determines an associated + issuerAndSerialNumber from the attribute; version is derived from + the choice of rid [RFC5652], keyEncryptionAlgorithm is set to one + of the key wrap algorithms that the client included in the + SMIMECapabilities accompanying the request, and encryptedKey is + the encrypted key. + + o If the client specified an asymmetric encryption key suitable for + key agreement operations to protect the server-generated private + key, the EnvelopedData content is encrypted using a randomly + generated symmetric encryption key. The cryptographic strength of + the symmetric encryption key SHOULD be equivalent to the client- + specified asymmetric key. The EnvelopedData RecipientInfo field + MUST indicate the KeyAgreeRecipientInfo (kari) key management + technique. In the KeyAgreeRecipientInfo type, version, + originator, and user keying material (ukm) are as in [RFC5652], + and keyEncryptionAlgorithm is set to one of the key wrap + algorithms that the client included in the SMIMECapabilities + accompanying the request. The recipient's key identifier is + either copied from the attribute defined in Section 4.4.1.2 to + subjectKeyIdentifier or the server determines an + IssuerAndSerialNumber that corresponds to the value provided in + the attribute. + + In all three additional encryption cases, the EnvelopedData is + returned in the response as an "application/pkcs7-mime" part with an + smime-type parameter of "server-generated-key" and a Content- + Transfer-Encoding of "base64". + + + +Pritikin, et al. Standards Track [Page 34] + +RFC 7030 EST October 2013 + + + The certificate data part is an "application/pkcs7-mime" and exactly + matches the certificate response to /simpleenroll. + + When rejecting a request, the server MUST specify either an HTTP 4xx + error or an HTTP 5xx error. If the content-type is not set, the + response data MUST be a plaintext human-readable error message. + +4.5. CSR Attributes + + CA policy may allow inclusion of client-provided attributes in + certificates that it issues, and some of these attributes may + describe information that is not available to the CA. In addition, a + CA may desire to certify a certain type of public key and a client + may not have a priori knowledge of that fact. Therefore, clients + SHOULD request a list of expected attributes that are required, or + desired, by the CA in an enrollment request or if dictated by local + policy. + + The EST server SHOULD NOT require client authentication or + authorization to reply to this request. + + Requesting CSR attributes is optional, but clients are advised that + CAs may refuse enrollment requests that are not encoded according to + the CA's policy. + +4.5.1. CSR Attributes Request + + The EST client requests a list of CA-desired CSR attributes from the + CA by sending an HTTPS GET message to the EST server with an + operations path of "/csrattrs". + +4.5.2. CSR Attributes Response + + If locally configured policy for an authenticated EST client + indicates a CSR Attributes Response is to be provided, the server + response MUST include an HTTP 200 response code. An HTTP response + code of 204 or 404 indicates that a CSR Attributes Response is not + available. Regardless of the response code, the EST server and CA + MAY reject any subsequent enrollment requests for any reason, e.g., + incomplete CSR attributes in the request. + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 35] + +RFC 7030 EST October 2013 + + + Responses to attribute request messages MUST be encoded as the + content-type of "application/csrattrs" with a + Content-Transfer-Encoding of "base64" [RFC2045]. The syntax for + application/csrattrs body is as follows: + + CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID + + AttrOrOID ::= CHOICE (oid OBJECT IDENTIFIER, attribute Attribute } + + Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { + type ATTRIBUTE.&id({IOSet}), + values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type}) } + + An EST server includes zero or more OIDs or attributes [RFC2986] that + it requests the client to use in the certification request. The + client MUST ignore any OID or attribute it does not recognize. When + the server encodes CSR Attributes as an empty SEQUENCE, it means that + the server has no specific additional information it desires in a + client certification request (this is functionally equivalent to an + HTTP response code of 204 or 404). + + If the CA requires a particular crypto system or use of a particular + signature scheme (e.g., certification of a public key based on a + certain elliptic curve, or signing using a certain hash algorithm) it + MUST provide that information in the CSR Attribute Response. If an + EST server requires the linking of identity and POP information (see + Section 3.5), it MUST include the challengePassword OID in the CSR + Attributes Response. + + The structure of the CSR Attributes Response SHOULD, to the greatest + extent possible, reflect the structure of the CSR it is requesting. + Requests to use a particular signature scheme (e.g. using a + particular hash function) are represented as an OID to be reflected + in the SignatureAlgorithm of the CSR. Requests to use a particular + crypto system (e.g., certification of a public key based on a certain + elliptic curve) are represented as an attribute, to be reflected as + the AlgorithmIdentifier of the SubjectPublicKeyInfo, with a type + indicating the algorithm and the values indicating the particular + parameters specific to the algorithm. Requests for descriptive + information from the client are made by an attribute, to be + represented as Attributes of the CSR, with a type indicating the + [RFC2985] extensionRequest and the values indicating the particular + attributes desired to be included in the resulting certificate's + extensions. + + The sequence is Distinguished Encoding Rules (DER) encoded [X.690] + and then base64 encoded (Section 4 of [RFC4648]). The resulting text + forms the application/csrattr body, without headers. + + + +Pritikin, et al. Standards Track [Page 36] + +RFC 7030 EST October 2013 + + + For example, if a CA requests a client to submit a certification + request containing the challengePassword (indicating that linking of + identity and POP information is requested; see Section 3.5), an + extensionRequest with the Media Access Control (MAC) address + ([RFC2307]) of the client, and to use the secp384r1 elliptic curve + and to sign with the SHA384 hash function. Then, it takes the + following: + + OID: challengePassword (1.2.840.113549.1.9.7) + + Attribute: type = extensionRequest (1.2.840.113549.1.9.14) + value = macAddress (1.3.6.1.1.1.1.22) + + Attribute: type = id-ecPublicKey (1.2.840.10045.2.1) + value = secp384r1 (1.3.132.0.34) + + OID: ecdsaWithSHA384 (1.2.840.10045.4.3.3) + + and encodes them into an ASN.1 SEQUENCE to produce: + + 30 41 06 09 2a 86 48 86 f7 0d 01 09 07 30 12 06 07 2a 86 48 ce 3d + 02 01 31 07 06 05 2b 81 04 00 22 30 16 06 09 2a 86 48 86 f7 0d 01 + 09 0e 31 09 06 07 2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03 + 03 + + and then base64 encodes the resulting ASN.1 SEQUENCE to produce: + + MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ + BgcrBgEBAQEWBggqhkjOPQQDAw== + +5. IANA Considerations + + Section 4.4.1.2 defines an OID that has been registered in an arc + delegated by the IANA to the PKIX working group. + + IANA has registered the following: + + IANA updated the well-known URI registry with the following filled-in + template from [RFC5785]. + + URI suffix: est + + Change controller: IETF + + + + + + + + +Pritikin, et al. Standards Track [Page 37] + +RFC 7030 EST October 2013 + + + IANA has updated the "Application Media Types" registry with the + following filled-in templates from [RFC6838]. + + The media subtype for CSR attributes in a CSR Attributes Response is + application/csrattrs. + + Type name: application + + Subtype name: csrattrs + + Required parameters: None + + Optional parameters: None + + Encoding considerations: binary; + + Security Considerations: + + Clients request a list of attributes that servers wish to be in + certification requests. The request/response is normally done + in a TLS-protected tunnel. + + Interoperability considerations: None + + Published specification: This memo. + + Applications which use this media type: Enrollment over Secure + Transport (EST) + + Additional information: + + Magic number(s): None + + File extension: .csrattrs + + Person & email address to contact for further information: + + Dan Harkins + + Restrictions on usage: None + + Author: Dan Harkins + + Intended usage: COMMON + + Change controller: The IESG + + + + + +Pritikin, et al. Standards Track [Page 38] + +RFC 7030 EST October 2013 + + + The application/pkcs7-mime content-type defines the optional + "smime-type" parameter [RFC5751] with a set of specific values. This + document adds another value, "server-generated-key", as the parameter + value for Server-side Key Generation Response. + +6. Security Considerations + + Support for Basic authentication, as specified in HTTP [RFC2617], + allows the server access to a client's cleartext password. This + provides support for legacy username/password databases but requires + exposing the plaintext password to the EST server. Use of a PIN or + one-time password can help mitigate such exposure, but it is + RECOMMENDED that EST clients use such credentials only once to obtain + a client certificate (that will be used during future interactions + with the EST server). + + When a client uses the Implicit TA database for certificate + validation (see Section 3), then authorization proceeds as specified + in Section 3.6.2. In this situation, the client has validated the + server as being a responder that is certified by a third party for + the URI configured, but it cannot verify that the responder is + authorized to act as an RA for the PKI in which the client is trying + to enroll. Clients using an Implicit Trust Anchor database are + RECOMMENDED to use only TLS-based client authentication (to prevent + exposing HTTP-based client authentication information). It is + RECOMMENDED that such clients include "Linking Identity and POP + Information" (Section 3.5) in requests (to prevent such requests from + being forwarded to a real EST server by a man in the middle). It is + RECOMMENDED that the Implicit Trust Anchor database used for EST + server authentication be carefully managed to reduce the chance of a + third-party CA with poor certification practices from being trusted. + Disabling the Implicit Trust Anchor database after successfully + receiving the Distribution of CA certificates response + (Section 4.1.3) limits any vulnerability to the first TLS exchange. + + Certificate-less TLS cipher suites that maintain security and perform + the mutual authentication necessary for enrollment have the following + properties: + + o the only information leaked by an active attack is whether or not + a single guess of the secret is correct. + + o any advantage an adversary gains is through interaction and not + computation. + + o it is possible to perform countermeasures, such as exponential + backoff after a certain number of failed attempts, to frustrate + repeated active attacks. + + + +Pritikin, et al. Standards Track [Page 39] + +RFC 7030 EST October 2013 + + + Using a certificate-less cipher suite that does not have the + properties listed above would render the results of enrollment void + and potentially result in certificates being issued to + unauthenticated and/or unauthorized entities. + + When using a certificate-less TLS cipher suite, the shared secret + used for authentication and authorization cannot be shared with an + entity that is not a party to the exchange: someone other than the + client and the server. Any additional sharing of secrets voids the + security afforded by a certificate-less cipher suite. Exposure of a + shared secret used by a certificate-less cipher suite to a third + party enables client impersonation that can result in corruption of a + client's trust anchor database. + + TLS cipher suites that include "_EXPORT_" and "_DES_" in their names + MUST NOT be used. These ciphers do not offer a sufficient level of + protection; 40-bit crypto in 2013 doesn't offer acceptable + protection, and the use of DES is deprecated. + + As described in CMC, Section 6.7 of [RFC5272], "For keys that can be + used as signature keys, signing the certification request with the + private key serves as a POP on that key pair". The inclusion of tls- + unique within the certification request links the proof-of-possession + to the TLS proof-of-identity by enforcing that the POP operation + occurred while the TLS session was active. This implies to the + server that the authenticated client currently has access to the + private key. If the authenticated client is known to have specific + capabilities, such as hardware protection for authentication + credentials and key storage, this implication is strengthened but not + proven. + + The server-side key generation method allows keys to be transported + over the TLS connection to the client without any application-layer + protection. The distribution of private key material is inherently + risky. Private key distribution uses the encryption mode of the + negotiated TLS cipher suite. Keys are not protected by preferred key + wrapping methods such as AES Key Wrap [RFC3394] or as specified in + [RFC5958] as encryption of the private key beyond that provided by + TLS is optional. It is RECOMMENDED that EST servers not support this + operation by default. It is RECOMMENDED that clients not request + this service unless there is a compelling operational benefit. Use + of an Implicit Trust Anchor database is NOT RECOMMENDED when + server-side key generation is employed. The use of an encrypted CMS + Server-Side Key Generation Response is RECOMMENDED. + + Regarding the CSR attributes that the CA may list for inclusion in an + enrollment request, there are no real inherent security issues with + the content being conveyed, but an adversary who is able to interpose + + + +Pritikin, et al. Standards Track [Page 40] + +RFC 7030 EST October 2013 + + + herself into the conversation could exclude attributes that a server + may want, include attributes that a server may not want, and render + meaningless other attributes that a server may want. + + ASN.1 encoding rules (e.g., DER and BER) have a type-length-value + structure, and it is easy to construct malicious content with invalid + length fields that can cause buffer overrun conditions. ASN.1 + encoding rules allow for arbitrary levels of nesting, which may make + it possible to construct malicious content that will cause a stack + overflow. Interpreters of ASN.1 structures should be aware of these + issues and should take appropriate measures to guard against buffer + overflows and stack overruns in particular, and malicious content in + general. + +7. References + +7.1. Normative References + + [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part One: Format of Internet Message + Bodies", RFC 2045, November 1996. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2585] Housley, R. and P. Hoffman, "Internet X.509 Public Key + Infrastructure Operational Protocols: FTP and HTTP", RFC + 2585, May 1999. + + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext + Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. + + [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., + Leach, P., Luotonen, A., and L. Stewart, "HTTP + Authentication: Basic and Digest Access Authentication", + RFC 2617, June 1999. + + [RFC2633] Ramsdell, B., "S/MIME Version 3 Message Specification", + RFC 2633, June 1999. + + [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification + Request Syntax Specification Version 1.7", RFC 2986, + November 2000. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, RFC + 3986, January 2005. + + + +Pritikin, et al. Standards Track [Page 41] + +RFC 7030 EST October 2013 + + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to + Protect Firmware Packages", RFC 4108, August 2005. + + [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, + "Internet X.509 Public Key Infrastructure Certificate + Management Protocol (CMP)", RFC 4210, September 2005. + + [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.1", RFC 4346, April 2006. + + [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data + Encodings", RFC 4648, October 2006. + + [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, + "Transport Layer Security (TLS) Session Resumption without + Server-Side State", RFC 5077, January 2008. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, August 2008. + + [RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS + (CMC)", RFC 5272, June 2008. + + [RFC5273] Schaad, J. and M. Myers, "Certificate Management over CMS + (CMC): Transport Protocols", RFC 5273, June 2008. + + [RFC5274] Schaad, J. and M. Myers, "Certificate Management Messages + over CMS (CMC): Compliance Requirements", RFC 5274, June + 2008. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, May 2008. + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, + RFC 5652, September 2009. + + [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, + "Transport Layer Security (TLS) Renegotiation Indication + Extension", RFC 5746, February 2010. + + [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet + Mail Extensions (S/MIME) Version 3.2 Message + Specification", RFC 5751, January 2010. + + + +Pritikin, et al. Standards Track [Page 42] + +RFC 7030 EST October 2013 + + + [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known + Uniform Resource Identifiers (URIs)", RFC 5785, April + 2010. + + [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings + for TLS", RFC 5929, July 2010. + + [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, August + 2010. + + [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: + Extension Definitions", RFC 6066, January 2011. + + [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and + Verification of Domain-Based Application Service Identity + within Internet Public Key Infrastructure Using X.509 + (PKIX) Certificates in the Context of Transport Layer + Security (TLS)", RFC 6125, March 2011. + + [RFC6402] Schaad, J., "Certificate Management over CMS (CMC) + Updates", RFC 6402, November 2011. + + [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, December + 2011. + + [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type + Specifications and Registration Procedures", BCP 13, RFC + 6838, January 2013. + + [X.680] ITU-T Recommendation X.680 (2008) | ISO/IEC 8824-1:2008, + "Abstract Syntax Notation One (ASN.1): Specification of + basic notation", November 2008, + . + + [X.690] ITU-T Recommendation X.690 (2008) | ISO/IEC 8825-1:2008, + "ASN.1 encoding rules: Specification of Basic Encoding + Rules (BER), Canonical Encoding Rules (CER) and + Distinguished Encoding Rules (DER)", November 2008, + . + +7.2. Informative References + + [IDevID] IEEE Standards Association, "IEEE 802.1AR Secure Device + Identifier", December 2009, . + + [RFC2307] Howard, L., "An Approach for Using LDAP as a Network + Information Service", RFC 2307, March 1998. + + + +Pritikin, et al. Standards Track [Page 43] + +RFC 7030 EST October 2013 + + + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + + [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object + Classes and Attribute Types Version 2.0", RFC 2985, + November 2000. + + [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard + (AES) Key Wrap Algorithm", RFC 3394, September 2002. + + [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, + "Using the Secure Remote Password (SRP) Protocol for TLS + Authentication", RFC 5054, November 2007. + + [RFC5967] Turner, S., "The application/pkcs10 Media Type", RFC 5967, + August 2010. + + [RFC6403] Zieglar, L., Turner, S., and M. Peck, "Suite B Profile of + Certificate Management over CMS", RFC 6403, November 2011. + + [SHS] National Institute of Standards and Technology, "Secure + Hash Standard (SHS)", Federal Information Processing + Standard Publication 180-4, March 2012, + . + + [SP-800-57-Part-1] + National Institute of Standards and Technology, + "Recommendation for Key Management - Part 1: General + (Revision 3)", July 2012, + . + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 44] + +RFC 7030 EST October 2013 + + +Appendix A. Operational Scenario Example Messages + + (Informative) + + This section expands on the Operational Scenario Overviews by + providing detailed examples of the messages at each TLS layer. + +A.1. Obtaining CA Certificates + + The following is an example of a valid /cacerts exchange. + + During the initial TLS handshake, the client can ignore the optional + server-generated "certificate request" and can instead proceed with + the HTTP GET request: + + GET /.well-known/est/cacerts HTTP/1.1 + User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenS + SL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 + Host: 192.0.2.1:8085 + Accept: */* + + In response, the server provides the current CA certificates: + + HTTP/1.1 200 OK + Status: 200 OK + Content-Type: application/pkcs7-mime + Content-Transfer-Encoding: base64 + Content-Length: 4246 + + MIIMOQYJKoZIhvcNAQcCoIIMKjCCDCYCAQExADALBgkqhkiG9w0BBwGgggwMMIIC + +zCCAeOgAwIBAgIJAJpY3nUZO3qcMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNVBAMT + EGVzdEV4YW1wbGVDQSBPd08wHhcNMTMwNTA5MDM1MzMxWhcNMTQwNTA5MDM1MzMx + WjAbMRkwFwYDVQQDExBlc3RFeGFtcGxlQ0EgT3dPMIIBIjANBgkqhkiG9w0BAQEF + AAOCAQ8AMIIBCgKCAQEAwDqpiHopaICubpRqbpEN7LqTIqWELFIA9qDDheHIKuyO + HW/ZAP7Rl4S5ZU6gaLW/ksseBUxdmox3KNyvtyjehIofTu28eZWhgy6/LCEGWR3P + K+fgPBA0l0JfJR/8oeXZa70oLVQc3hI4kCeqjFMs+biYH0vp/RluhftyZ5kzQyH1 + EGsRkw1/qUKkTZ8PCF8VFlYfqmUoqsaRTyZbjII4J+Y6/jEG+p7QreW9zcz4sPe8 + 3c/uhwMLOWQkZtKsQtgo5CpfYMjuAmk4Q2joQq2vcxlc+WNKHf+wbrDb11ORZril + 9ISlI94oumcRz3uBG1Yg7z83hdDfasmdfbp8gOSNFQIDAQABo0IwQDAPBgNVHRMB + Af8EBTADAQH/MB0GA1UdDgQWBBQITTKxMqATXrfc4ffpCIbt6Gsz0jAOBgNVHQ8B + Af8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBACPnQPu5WReUGuCMS0nBOGa2tXh6 + uZP4mS3J1qEfDePam/IiU9ssyYdcDwhVvKMoP4gI/yu4XFqhdpIoy/PyD4T15MT7 + KADCxXkh5rM1IqMui7FvBKLWYGdy9sjEf90wAkBjHBe/TMO1NNw3uELyONSkHIvo + X0pu6aPmm/moIMyGi46niFse1iWlXXldGLkOQsh0e7U+wpBX07QpOr2KB2+Yf+uA + KY1SWzEG23bUxXlvcbUMgANDGj5r6z+niKL0VlApip/iCuVEEOcZ91UlmJjVLQWA + x6ie+v84oM+pIojiGM0C4XWcVlKKEgcMOsN3S4lvm8Ptpq0GLoIJY8NTD20wggMD + MIIB66ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNVBAMTEGVzdEV4YW1w + bGVDQSBPd08wHhcNMTMwNTA5MDM1MzMyWhcNMTQwNTA5MDM1MzMyWjAbMRkwFwYD + + + +Pritikin, et al. Standards Track [Page 45] + +RFC 7030 EST October 2013 + + + VQQDExBlc3RFeGFtcGxlQ0EgTndPMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAnn3rZ3rMJHwf7MD9K4mubxHAvtdnrsQf5OfgtMhRIL4aePNhAdgPyj8C + loxOgD3UTV+dQ1ViOzVxPN7acikoOnkIdRpjpOpkyMo+KkvHMQXGnQTbsMAv1qWt + 9S12DMpo0GOA1e4Ge3ud5YPOTR/q6PvjN51IEwYKksG7CglwZwB+5JbwhYr2D/0u + btGltriRVixPWrvt+wz/ITp5rcjh/8RS3LE8tQy3kTNhJF3Y/esR2sSgOiPNgIto + CATysbaINEPr4MemqML4tDpR/aG9y+8Qe7s1LyMFvDletp2mmBykAC/7nOat/pwU + lB0sN524D1XAgz8ZKvWrkh+ZaOr3hwIDAQABo1IwUDAOBgNVHQ8BAf8EBAMCBLAw + HQYDVR0OBBYEFLHEaeZbowSn2Jejizu/uWqyMkI8MB8GA1UdIwQYMBaAFAhNMrEy + oBNet9zh9+kIhu3oazPSMA0GCSqGSIb3DQEBBQUAA4IBAQCLDkL7aLNV6hSOkIqH + q+shV9YLO56/tj00vY/jV5skgDHk5d0B+OGortKVuGa57+v0avTrlJns3bNW8Ntv + zkDEhmd00Ak02aPsi4wRHLFgttUf9HdEHAuTkAESPTU43DiptjkfHhtBMfsFrCkd + sxWzCz+prDOMHYfUEkhRVV++1zyGEX6ov1Ap2IU2p3E+ASihL/amxTEQAsbwjUTI + R52zoL6nMPzpbKeZi2M0eEBVF8sDueA9Hjo6woLjgJqV0/yc5vC2HAxUOhx0cWTY + GcRBgL/yOyQLKiY5TKBH951OjQ4vhF2HmcoO7DkcNLYJOge16ssx4ogBHul20VgF + XJJjMIIDAzCCAeugAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBl + c3RFeGFtcGxlQ0EgTndOMB4XDTEzMDUwOTAzNTMzMloXDTE0MDUwOTAzNTMzMlow + GzEZMBcGA1UEAxMQZXN0RXhhbXBsZUNBIE93TjCCASIwDQYJKoZIhvcNAQEBBQAD + ggEPADCCAQoCggEBAMA6qYh6KWiArm6Uam6RDey6kyKlhCxSAPagw4XhyCrsjh1v + 2QD+0ZeEuWVOoGi1v5LLHgVMXZqMdyjcr7co3oSKH07tvHmVoYMuvywhBlkdzyvn + 4DwQNJdCXyUf/KHl2Wu9KC1UHN4SOJAnqoxTLPm4mB9L6f0ZboX7cmeZM0Mh9RBr + EZMNf6lCpE2fDwhfFRZWH6plKKrGkU8mW4yCOCfmOv4xBvqe0K3lvc3M+LD3vN3P + 7ocDCzlkJGbSrELYKOQqX2DI7gJpOENo6EKtr3MZXPljSh3/sG6w29dTkWa4pfSE + pSPeKLpnEc97gRtWIO8/N4XQ32rJnX26fIDkjRUCAwEAAaNSMFAwDgYDVR0PAQH/ + BAQDAgSwMB0GA1UdDgQWBBQITTKxMqATXrfc4ffpCIbt6Gsz0jAfBgNVHSMEGDAW + gBSxxGnmW6MEp9iXo4s7v7lqsjJCPDANBgkqhkiG9w0BAQUFAAOCAQEALhDaE6Mp + BINBsJozdbXlijrWxL1CSv8f4GwpUFk3CgZjibt/qW9UoaNR4E58yRopuEhjwFZK + 2w8YtRqx8IZoFhcoLkpBDfgLLwhoztzbYvOVKQMidjBlkBEVNR5MWdrs7F/AxWuy + iZ2+8AnR8GwqEIbCD0A7xIghmWEMh/BVI9C7GLqd6PxKrTAjuDfEpfdWhU/uYKmK + cL3XDbSwr30j2EQyaTV/3W0Tn2UfuxdwDQ4ZJs9G+Mw50s7AG6CpISyOIFmX6/bU + DpJXGLiLwfJ9C/aum9nylYuGCJ68BuTrCs9567KGfXEXI0mdFFCL7TaVR43kjsg3 + c43kZ7369MeEZzCCAvswggHjoAMCAQICCQDprp3DmjOyETANBgkqhkiG9w0BAQUF + ADAbMRkwFwYDVQQDExBlc3RFeGFtcGxlQ0EgTndOMB4XDTEzMDUwOTAzNTMzMloX + DTE0MDUwOTAzNTMzMlowGzEZMBcGA1UEAxMQZXN0RXhhbXBsZUNBIE53TjCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ5962d6zCR8H+zA/SuJrm8RwL7X + Z67EH+Tn4LTIUSC+GnjzYQHYD8o/ApaMToA91E1fnUNVYjs1cTze2nIpKDp5CHUa + Y6TqZMjKPipLxzEFxp0E27DAL9alrfUtdgzKaNBjgNXuBnt7neWDzk0f6uj74zed + SBMGCpLBuwoJcGcAfuSW8IWK9g/9Lm7Rpba4kVYsT1q77fsM/yE6ea3I4f/EUtyx + PLUMt5EzYSRd2P3rEdrEoDojzYCLaAgE8rG2iDRD6+DHpqjC+LQ6Uf2hvcvvEHu7 + NS8jBbw5XradppgcpAAv+5zmrf6cFJQdLDeduA9VwIM/GSr1q5IfmWjq94cCAwEA + AaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUscRp5lujBKfYl6OLO7+5 + arIyQjwwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQBCz/CWdYvn + GM/SdCdEiom5A1VxaW8nKgCWg/EyWtAIiaHQuViB+jTUAE9lona2MbJoFHW8U5e8 + 9dCP0rJpA9UYXXhWvFQzd5ZWpms4wUYt1j3gqqd36KorJIAuPigVng13yKytxM7c + VmxQnh0aux3aEnEyRGAhGalHp0RaKdgPRzUaGtipJTNBkSV5S4kD4yDCPHMNbBu+ + OcluerwEpbz6GvE7CpXl2jrTBZSqBsFelq0iz4kk9++9CnwZwrVgdzklhRfJ1Z4j + NkLruwbQ+o4NvBZsXiKxNfn3K2o3SK8AuaEyDWkq18+5rjcfprRO8x4YTW+6mXPq + jM0MAGNDEW+1oQAxAA== + + + + +Pritikin, et al. Standards Track [Page 46] + +RFC 7030 EST October 2013 + + +A.2. CSR Attributes + + The following is an example of a valid /csrattrs exchange. During + this exchange, the EST client authenticates itself using an existing + certificate issued by the CA for which the EST server provides + services. + + The initial TLS handshake is identical to the enrollment example + handshake. The HTTP GET request: + + GET /.well-known/est/csrattrs HTTP/1.1 + User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenS + SL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 + Host: 192.0.2.1:8085 + Accept: */* + + In response, the server provides suggested attributes that are + appropriate for the authenticated client. In this example, the EST + server also includes two example attributes that the client would + ignore unless the attribute type is known to the client: + + HTTP/1.1 200 OK + Status: 200 OK + Content-Type: application/csrattrs + Content-Transfer-Encoding: base64 + Content-Length: 171 + + MHwGBysGAQEBARYwIgYDiDcBMRsTGVBhcnNlIFNFVCBhcyAyLjk5OS4xIGRhdGEG + CSqGSIb3DQEJBzAsBgOINwIxJQYDiDcDBgOINwQTGVBhcnNlIFNFVCBhcyAyLjk5 + OS4yIGRhdGEGCSskAwMCCAEBCwYJYIZIAWUDBAIC + +A.3. Enroll/Re-enroll + + The following is an example of a valid /simpleenroll exchange. The + data messages for /simplereenroll are similar. + + During this exchange, the EST client uses an out-of-band distributed + username/password to authenticate itself to the EST server. This is + the normal HTTP WWW-Authenticate behavior and is included here for + informative purposes. When an existing TLS client certificate is + used, the server might skip requesting the HTTP WWW-Authenticate + header, such as during a /simplereenroll operation. + + During the initial TLS handshake, the client can ignore the optional + server-generated "certificate request" and can instead proceed with + the HTTP POST request. In response to the initial HTTP POST attempt, + + + + + +Pritikin, et al. Standards Track [Page 47] + +RFC 7030 EST October 2013 + + + the server requests WWW-Authenticate from the client (this might + occur even if the client used a client certificate, as detailed in + the normative text above): + + HTTP/1.1 401 Unauthorized + Content-Length: 0 + WWW-Authenticate: Digest qop="auth", realm="estrealm", + nonce="1368141352" + + In the subsequent HTTP POST, the username/password is included, along + with the complete application/pkcs10 content: + + POST /.well-known/est/simpleenroll HTTP/1.1 + Authorization: Digest username="estuser", realm="estrealm", nonc + e="1368141352", uri="/.well-known/est/simpleenroll", cnonce="M + TYwMzg3", nc=00000001, qop="auth", response="144cc27f96046f1d70e + b16db20f75f22" + Host: 192.0.2.1:8085 + Accept: */* + Content-Type: application/pkcs10 + Content-Transfer-Encoding: base64 + Content-Length: 882 + + MIIChTCCAW0CAQAwHzEdMBsGA1UEAxMUZGVtb3N0ZXA0IDEzNjgxNDEzNTIwggEi + MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClNp+kdz+Nj8XpEp9kaumWxDZ3 + eFYJpQKz9ddD5e5OzUeCm103ZIXQIxc0eVtMCatnRr3dnZRCAxGjwbqoB3eKt29/ + XSQffVv+odbyw0WdkQOIbntCQry8YdcBZ+8LjI/N7M2krmjmoSLmLwU2V4aNKf0Y + MLR5Krmah3Ik31jmYCSvwTnv6mx6pr2pTJ82JavhTEIIt/fAYq1RYhkM1CXoBL+y + hEoDanN7TzC94skfS3VV+f53J9SkUxTYcy1Rw0k3VXfxWwy+cSKEPREl7I6k0YeK + tDEVAgBIEYM/L1S69RXTLujirwnqSRjOquzkAkD31BE961KZCxeYGrhxaR4PAgMB + AAGgITAfBgkqhkiG9w0BCQcxEhMQK3JyQ2lyLzcrRVl1NTBUNDANBgkqhkiG9w0B + AQUFAAOCAQEARBv0AJeXaHpl1MFIdzWqoi1dOCf6U+qaYWcBzpLADvJrPK1qx5pq + wXM830A1O+7RvrFv+nyd6VF2rl/MrNp+IsKuA9LYWIBjVe/LXoBO8dB/KxrYl16c + VUS+Yydi1m/a+DaftYSRGolMLtWeiqbc2SDBr2kHXW1TR130hIcpwmr29kC2Kzur + 5thsuj276FGL1vPu0dRfGQfx4WWa9uAHBgz6tW37CepZsrUKe/0pfVhr2oHxApYh + cHGBQDQHVTFVjHccdUjAXicrtbsVhU5o1lPv7f4lEApv3SBQmJcaq5O832BzHw7n + PyMFcM15E9gtUVee5C62bVwuk/tbnGsbwQ== + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 48] + +RFC 7030 EST October 2013 + + + The EST server uses the username/password to perform + authentication/authorization and responds with the issued + certificate: + + HTTP/1.1 200 OK + Status: 200 OK + Content-Type: application/pkcs7-mime; smime-type=certs-only + Content-Transfer-Encoding: base64 + Content-Length: 1122 + + MIIDOAYJKoZIhvcNAQcCoIIDKTCCAyUCAQExADALBgkqhkiG9w0BBwGgggMLMIID + BzCCAe+gAwIBAgIBFTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBlc3RFeGFt + cGxlQ0EgTndOMB4XDTEzMDUwOTIzMTU1M1oXDTE0MDUwOTIzMTU1M1owHzEdMBsG + A1UEAxMUZGVtb3N0ZXA0IDEzNjgxNDEzNTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB + DwAwggEKAoIBAQClNp+kdz+Nj8XpEp9kaumWxDZ3eFYJpQKz9ddD5e5OzUeCm103 + ZIXQIxc0eVtMCatnRr3dnZRCAxGjwbqoB3eKt29/XSQffVv+odbyw0WdkQOIbntC + Qry8YdcBZ+8LjI/N7M2krmjmoSLmLwU2V4aNKf0YMLR5Krmah3Ik31jmYCSvwTnv + 6mx6pr2pTJ82JavhTEIIt/fAYq1RYhkM1CXoBL+yhEoDanN7TzC94skfS3VV+f53 + J9SkUxTYcy1Rw0k3VXfxWwy+cSKEPREl7I6k0YeKtDEVAgBIEYM/L1S69RXTLuji + rwnqSRjOquzkAkD31BE961KZCxeYGrhxaR4PAgMBAAGjUjBQMA4GA1UdDwEB/wQE + AwIEsDAdBgNVHQ4EFgQU/qDdB6ii6icQ8wGMXvy1jfE4xtUwHwYDVR0jBBgwFoAU + scRp5lujBKfYl6OLO7+5arIyQjwwDQYJKoZIhvcNAQEFBQADggEBACmxg1hvL6+7 + a+lFTARoxainBx5gxdZ9omSb0L+qL+4PDvg/+KHzKsDnMCrcU6M4YP5n0EDKmGa6 + 4lY8fbET4tt7juJg6ixb95/760Th0vuctwkGr6+D6ETTfqyHnrbhX3lAhnB+0Ja7 + o1gv4CWxh1I8aRaTXdpOHORvN0SMXdcrlCys2vrtOl+LjR2a3kajJO6eQ5leOdzF + QlZfOPhaLWen0e2BLNJI0vsC2Fa+2LMCnfC38XfGALa5A8e7fNHXWZBjXZLBCza3 + rEs9Mlh2CjA/ocSC/WxmMvd+Eqnt/FpggRy+F8IZSRvBaRUCtGE1lgDmu6AFUxce + R4POrT2xz8ChADEA + + + + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 49] + +RFC 7030 EST October 2013 + + +A.4. Server Key Generation + + The following is an example of a valid /serverkeygen exchange. + During this exchange, the EST client authenticates itself using an + existing certificate issued by the CA the EST server provides + services for. + + The initial TLS handshake is identical to the enrollment example + handshake. An example HTTP POSTed message is: + + POST /.well-known/est/serverkeygen HTTP/1.1 + Host: 192.0.2.1:8085 + Accept: */* + Expect: 100-continue + Content-Type: application/pkcs10 + Content-Transfer-Encoding: base64 + Content-Length: 963 + + MIICwTCCAakCAQAwWzE+MDwGA1UEAxM1c2VydmVyS2V5R2VuIHJlcSBieSBjbGll + bnQgaW4gZGVtbyBzdGVwIDEyIDEzNjgxNDE5NTUxGTAXBgNVBAUTEFBJRDpXaWRn + ZXQgU046MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvE1/6m4A/ + 3/L32Suyzbf28LM9y8CQfp0aepa7o20BSfluvm8HXR44mlV+wpieM8H5n3Ub3RIo + RUun/FllIzK9uV7UrkqJ3Yzmq2NOoTd4C+OPsV/RPTu873dhFrssDk3P4NIphlSS + sSIkt5rhz7wYbCqCFR5Aphe/30Jx7D+xBI5Rs8e6vRS8IpuImh71BHiLfhq9AFhz + 4ZJsOUSVpUmqUogFsM7SOQ6XI4dl+djhpjT+YTJ6hQ2PXrqdch3KsTQ8c6aKs+e2 + 5QJxh7O8JHVlPHo4YIxXtAYSutcbbTN5TXWFCWSrWDJ+zuMmk2yU+dio1oW7YR7V + ftAvazJ3laQbAgMBAAGgITAfBgkqhkiG9w0BCQcxEhMQZEZzQVhtSm5qb2tCdER2 + cjANBgkqhkiG9w0BAQUFAAOCAQEAR+I0EQB+hSjrLCAjnVH6bZdHUNGszIdwx1iu + L4n+0XK3SfEzeOMkC4T74yFGKj3redS1Ht9atYUPb0D1Qi9Jf9Co8eLblo1l19A6 + GaS798ofxIF0Pl0Dr6/GqjheqJEIbcDTAJq+kvDihyQ4GQnhosygIZHvKppQlebA + gvp2RJSnMroPCe6RgTU9E2fmI9rin/9PyXeWFF1namp+lYbTGwjv1aE1ikhjCLlH + veHhCdgOExPw+fqhKhHjp+0ZKBlo2bC3pqRWvDTiZuwt9UpFFfGtuxvpTp44oS/j + M/965hWIw/5dshY/wQjIfYs07bbq2ERbpJiw9bAQY34gyoVmEQ== + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 50] + +RFC 7030 EST October 2013 + + + Because the DecryptKeyIdentifier attribute is not included in this + request, the response does not include additional encryption beyond + the TLS session. The EST server response is: + + HTTP/1.1 200 OK + Status: 200 OK + Content-Type: multipart/mixed ; boundary=estServerExampleBoundary + Content-Length: 3219 + + This is the preamble. It is to be ignored, though it + is a handy place for estServer to include an explanatory note, + including contact or support information. + --estServerExampleBoundary + Content-Type: application/pkcs8 + Content-Transfer-Encoding: base64 + + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPwKtwJ7TjMgA+ + Poj64V909ryql0foP1hU4Yq5y8/bOP5ZTe6ArgVhUye099Ac+dfdwpyP/DESiujU + F/dS62Vck3UWNbnw+4O38FUp0enLbbjSTud48KpEW6+FzkeuAanPGZMA1wKyrYy9 + rD5tQOOJU/CBVhUrITyYLZNYUe4agbpcR0wMtrRr2E58Mu8wQ80ryk6nkL7COk5Z + IQdNRxldk7DFvpA85Yn1stumoGRtVLW51iXeTS1LtXwhuUb/j6Lds3vvAiJ2SiZ0 + Y3rxPlnJVyFmR8Mf2TBOjzuFqva/VLD2ayQjgaGEjq2ZWHXelQAOZ6N3lrChojEK + FGq93yOhAgMBAAECggEBALQ5az/nYjd5x9Y3f7NMUffwl+jRRfMHCMTRx/u4AEAo + KBYm0hFVZZtxfM+z7xlD8G0Th6gs2hFA6gwcIlUPmiX+UaOLxht0xWaLGgYmcNAm + BiCDjLBQ7xRQCWtlcK9WCA5+HBWtcEy6244rXxh+IyWd6NT6bXC165AEcX87y/e3 + JFJ7XFNeDP656s2DmxSCci+iDte6SaEm7sJvYGu16qevJeMThcQcC9/rJjXkvpGL + IKK2px5idad4Pb6+QHpqj3d4oM8djO6wYUvrH8XQLqAaF8Hd5lFWVU57nSYY+H79 + GaNDTfRTUL6AXr7kmMsKVFOJ0JjZExUCVMZtGiqhB6UCgYEA639OtdWLZCzyZFMe + p7VlRddoz0VAtrU2dxnEb4cWD8Gerg8uNvp8OG84gH+6MbPwz4ZYWKCgDFqyrAlw + SF02n9Sovh93eoJ5latSbfeYUkLtB8L/HVk5/CBGEsV9MUkdMF0+B43YlhyEDyKW + fX2+0UeHLFgRrfpSzP2cXduEieMCgYEA4db/SIrwN2+g1Gjo3oE09kd89VGjVRer + srbcqc7DcPXP6Lw42sx96h4jVWWqHVo3DfwFBdUb1LH2cnVXQjgDUHdNdpl01cf/ + BFYCFINi2qKMqiJYswkhYxZ1BLz/zuQTDbPFL2PgLniKFG2aFLrTS3S/tgeB5QwI + RPigH3kfI6sCgYAPqsCJyFMlrvfRRNZdQewi4VnPsEPF4/hjpAs1gD8vfSoZWlkw + vylUd9HCerzgYaA7rixieQ0sxTvtxhL6PXlM2NEBFQbV16hPFL6/IiG4F0u9oHNo + eG8rHtqKlSjnBn4yoYFm70Dhe7QtbZelcaAoPCH6CUHj2St5B8ZHWDtREQKBgHNp + wER+XIy4C2UByCANv9csaXulIOdXlXNbaCGPfOm5dWrm5ddLMf33MO9vaSRe+ku3 + Q4nbgsGLwPp1ZQZ+QZNZpMi7W6306yp4GdAJ5Pb+oww/ST0VqW5OB7dILyK4A9S4 + zkiNrf+Rsl8GM/vsDhc9rsuDwqofIAq/VHVBHNzJAoGBAOHQof5L6iGHOHcxLazx + 4MGvRTpmzU/PX6Q3QxqpetEGFEDZAaL58L67SSS3fFBnKrVAidF6llC1bAH1aoRa + fYHUDi45xBoroy0hBwrnTKRxppua4UK75FUH5PPJfR6cCvw5stRkzIevTZHhozkX + pM7PYH/x4BiBmgQ3bhOqTp4H + --estServerExampleBoundary + Content-Type: application/pkcs7-mime; smime-type=certs-only + Content-Transfer-Encoding: base64 + + + + + + +Pritikin, et al. Standards Track [Page 51] + +RFC 7030 EST October 2013 + + + MIIDRQYJKoZIhvcNAQcCoIIDNjCCAzICAQExADALBgkqhkiG9w0BBwGgggMYMIID + FDCCAfygAwIBAgIBFjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBlc3RFeGFt + cGxlQ0EgTndOMB4XDTEzMDUwOTIzMjU1NloXDTE0MDUwOTIzMjU1NlowLDEqMCgG + A1UEAxMhc2VydmVyc2lkZSBrZXkgZ2VuZXJhdGVkIHJlc3BvbnNlMIIBIjANBgkq + hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8CrcCe04zIAPj6I+uFfdPa8qpdH6D9Y + VOGKucvP2zj+WU3ugK4FYVMntPfQHPnX3cKcj/wxEoro1Bf3UutlXJN1FjW58PuD + t/BVKdHpy2240k7nePCqRFuvhc5HrgGpzxmTANcCsq2Mvaw+bUDjiVPwgVYVKyE8 + mC2TWFHuGoG6XEdMDLa0a9hOfDLvMEPNK8pOp5C+wjpOWSEHTUcZXZOwxb6QPOWJ + 9bLbpqBkbVS1udYl3k0tS7V8IblG/4+i3bN77wIidkomdGN68T5ZyVchZkfDH9kw + To87har2v1Sw9mskI4GhhI6tmVh13pUADmejd5awoaIxChRqvd8joQIDAQABo1Iw + UDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0OBBYEFKeZixu9F+appDX2SS5HaxmV6Jr4 + MB8GA1UdIwQYMBaAFLHEaeZbowSn2Jejizu/uWqyMkI8MA0GCSqGSIb3DQEBBQUA + A4IBAQBHhLmRAKrnTapqqBObDM9IQDQPuwW+fW1gYwZKlSm/IWIwHEZL1igXhpjj + rf4xqpIkiJMmkaOeoXA8PFniX0/lZM9FQSM/j89CUf5dMoAqWj8s17xuXu9L/hVe + XjjXHsL40WuDG6tMPN9vcT8tE3ruor608MKSHFX/NEM6+AaNVSUPTmB33BgYB1Wa + E7pn3JMN6pjIxsHnF4pKi8qvoTSVVjaCEwUe8Q/fw1yvjoHoYJtyMn4v5Kb3Rt+m + s8Yie1tcfVQrjQutqr34/IJsKdPziZwi92KZa+1958A6M9O/p5OI0up9ZXKg2DEC + 1O9qT0GyYJ6sxAyKiGTOxk6jMddDoQAxAA== + --estServerExampleBoundary-- + This is the epilogue. It is also to be ignored. + +Appendix B. Contributors and Acknowledgements + + The editors would like to thank Stephen Kent, Vinod Arjun, Jan + Vilhuber, Sean Turner, Russ Housley, and others for their feedback + and prototypes of early versions of this document. Our thanks also + go the authors of [RFC6403], around whose document we structured part + of this specification. + + + + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 52] + +RFC 7030 EST October 2013 + + +Authors' Addresses + + Max Pritikin (editor) + Cisco Systems, Inc. + 510 McCarthy Drive + Milpitas, CA 95035 + USA + + EMail: pritikin@cisco.com + + + Peter E. Yee (editor) + AKAYLA, Inc. + 7150 Moorland Drive + Clarksville, MD 21029 + USA + + EMail: peter@akayla.com + + + Dan Harkins (editor) + Aruba Networks + 1322 Crossman Avenue + Sunnyvale, CA 94089-1113 + USA + + EMail: dharkins@arubanetworks.com + + + + + + + + + + + + + + + + + + + + + + + + +Pritikin, et al. Standards Track [Page 53] + -- cgit v1.2.3