1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
|
Independent Submission M. Jenkins
Request for Comments: 9152 NSA
Category: Informational S. Turner
ISSN: 2070-1721 sn3rd
April 2022
Secure Object Delivery Protocol (SODP) Server Interfaces: NSA's Profile
for Delivery of Certificates, Certificate Revocation Lists (CRLs), and
Symmetric Keys to Clients
Abstract
This document specifies protocol interfaces profiled by the United
States National Security Agency (NSA) for National Security System
(NSS) servers that provide public key certificates, Certificate
Revocation Lists (CRLs), and symmetric keys to NSS clients. Servers
that support these interfaces are referred to as Secure Object
Delivery Protocol (SODP) servers. The intended audience for this
profile comprises developers of client devices that will obtain key
management services from NSA-operated SODP servers. Interfaces
supported by SODP servers include Enrollment over Secure Transport
(EST) and its extensions as well as Certificate Management over CMS
(CMC).
This profile applies to the capabilities, configuration, and
operation of all components of US National Security Systems (SP
800-59). It is also appropriate for other US Government systems that
process high-value information. It is made publicly available for
use by developers and operators of these and any other system
deployments.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9152.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
1.1. Documents to be Familiar With
1.2. Document Organization
1.3. Environment
2. Abstract Syntax Notation One
3. EST Interface
3.1. Hypertext Transfer Protocol Layer
3.2. Transport Layer Security
3.3. Eligibility
3.4. Authentication
3.5. Authorization
3.6. EST and EST Extensions
3.6.1. /pal
3.6.2. /cacerts
3.6.3. /simpleenroll
3.6.4. /simplereenroll
3.6.5. /fullcmc
3.6.6. /serverkeygen
3.6.7. /csrattrs
3.6.8. /crls
3.6.9. /symmetrickeys
3.6.10. /eecerts, /firmware, /tamp
4. CMC Interface
4.1. RFC 5273 Transport Protocols
4.2. Eligibility
4.3. Authentication
4.4. Authorization
4.5. Full PKI Requests/Responses
5. Trust Anchor Profile
6. Non-Self-Signed Certification Authority Certificate Profile
7. End-Entity Certificate Profile
7.1. Source of Authority Certificate Profile
7.2. Client Certificate Profile
8. Relying Party Applications
9. CRL Profile
10. IANA Considerations
11. Security Considerations
12. References
12.1. Normative References
12.2. Informative References
Authors' Addresses
1. Introduction
This document specifies protocol interfaces profiled by the United
States National Security Agency (NSA) for National Security System
(NSS) servers that provide public key certificates, Certificate
Revocation Lists (CRLs), and symmetric keys to NSS clients. Servers
that support these interfaces are referred to as Secure Object
Delivery Protocol (SODP) servers. The purpose of this document is to
indicate options from, and requirements in addition to, the base
specifications listed in Section 1.1 that are necessary for client
interoperability with NSA-operated SODP servers. Clients are always
devices and need not implement all of the interfaces specified
herein; clients are free to choose which interfaces to implement
based on their operational requirements. Interfaces supported by
SODP servers include:
* Enrollment over Secure Transport (EST) [RFC7030] and its
extensions [RFC8295], and
* Certificate Management over CMS (CMC) [RFC5274] [RFC6402] for both
Simple Public Key Infrastructure (PKI) requests and responses
(i.e., PKCS#10 requests and PKCS#7 responses) and Full PKI
requests and responses.
This profile applies to the capabilities, configuration, and
operation of all components of US National Security Systems
[SP-800-59]. It is also appropriate for other US Government systems
that process high-value information. It is made publicly available
for use by developers and operators of these and any other system
deployments.
This profile conforms to the existing requirements of the NSA's
Commercial National Security Algorithms (CNSAs). As operational
needs evolve over time, this profile will be updated to incorporate
new commercial algorithms and protocols as they are developed and
approved for use.
1.1. Documents to be Familiar With
Familiarity with the follow specifications is assumed:
* EST and EST extensions: [RFC7030] and [RFC8295]
* PKI-related specifications: [RFC2986], [RFC3739], [RFC5274],
[RFC5280], [RFC5912], [RFC5913], [RFC5916], [RFC5917], [RFC6010],
and [RFC6402]
* Key-format-related specifications: [RFC5915], [RFC5958],
[RFC5959], [RFC6031], [RFC6032], [RFC6160], [RFC6161], [RFC6162],
[RFC7191], [RFC7192], [RFC7292], and [RFC7906]
* CMS-related (Cryptographic Message Syntax) documents: [RFC5652]
and [RFC6268]
* CNSA-related documents: [RFC8603], [RFC8755], [RFC8756], and
[RFC9151]
The requirements from RFCs apply throughout this profile and are
generally not repeated here. This document is purposely written
without using the requirements language described in [RFC2119] and
[RFC8174].
1.2. Document Organization
The document is organized as follows:
* The remainder of this section describes the operational
environment used by clients to retrieve secure objects.
* Section 2 specifies the Abstract Syntax Notation One (ASN.1)
version used.
* Section 3 specifies SODP's EST interface.
* Section 4 specifies SODP's CMC interfaces.
* Sections 5-7 specify Trust Anchor (TA), Certification Authority
(CA), and End-Entity (EE) certificates, respectively.
* Sections 8 and 9 specify Relying Party Applications and CRL
Profile, respectively.
1.3. Environment
Clients obtain secure "objects" or "packages" from the client-server-
based environment. Objects/packages vary based on the Source of
Authority (SOA), but all objects are "secured" minimally through the
use of one or more digital signatures and zero or more layers of
encryption, as profiled in this document. An SOA is the authority
for the creation of objects that the client will recognize as valid.
An SOA can delegate its authority to other actors; delegation occurs
through the issuance of certificates. An object or package is the
generic term for certificates, certificate status information, and
keys (both asymmetric and symmetric). All of the objects except for
the certificates and certificate status information are directly
encapsulated in and protected by CMS content types. CMS content
types that provide security are referred to as "CMS-protecting
content types". All others are simply referred to as "CMS content
types". All secured objects are distributed either as CMS packages
or as part of a CMS package.
In the example depicted in Figure 1, there are two SOAs: one for
symmetric keys, as depicted by the Key Trust Anchor (KTA), and one
for public key certificates, as depicted by the PKI Trust Anchor
(TA). The KTA is responsible for the creation and distribution of
symmetric keys. The KTA delegates the creation and distribution
responsibilities to separate entities through the issuance of
certificates to a Key Source Authority (KSA) and a Key Distribution
Authority (KDA). The KSA generates the keys, digitally signs the
keys, and encrypts the key for the end client using CMS content types
for each step. The KDA distributes the KSA-generated and KSA-
protected key to the client; the key may also be signed by the KDA.
The resulting CMS package is provided to the client through the EST
extension's /symmetrickey service. The PKI TA is responsible for the
creation, distribution, and management of public key certificates.
The PKI TA delegates these responsibilities to Certification
Authorities (CAs), and CAs, in turn, are responsible for creating,
distributing, and managing End-Entity (EE) certificates. CAs
distribute PKI-related information through the /cacerts, /crls,
/eecerts, /fullcmc, /simpleenroll, /simplereenroll, and /csrattrs EST
and EST extension services.
+-----+ +--------+
| KTA | | PKI TA |
+-----+ +--------+
| |
| Signs | Signs
| |
+-------------+ V
| | +----+
V V | CA |
+-----+ +-----+ +----+
| KSA | | KDA | |
+-----+ +-----+ | Signs
| | |
| Signs & | Optionally +---------------+
| Encrypts | Signs | |
| | V V
| | +-------------+ +-------------+
| V | Certificate | | Certificate |
+---|-------------+ +-------------+ | Revocation |
| V | CMS Content | List |
| +-------------+ | Types +-------------+
| | Key Package | |
| +-------------+ |
+-----------------+
Figure 1: Operating Environment (Key and PKI Sources of Authority)
For clients that support the CMC interface and not the EST interface,
the environment includes only the PKI TAs.
2. Abstract Syntax Notation One
Implementations of this specification use the 2002/2008 ASN.1
version; 2002/2008 ASN.1 modules can be found in [RFC5911],
[RFC5912], and [RFC6268] (use [RFC6268] for the CMS syntax), while
other specifications already include the 2002/2008 ASN.1 along with
the 1988 ASN.1. See Section 1.1 of [RFC6268] for a discussion about
the differences between the 2002 and 2008 ASN.1 versions.
3. EST Interface
Client options for EST [RFC7030] and EST extensions [RFC8295] are
specified in this section.
3.1. Hypertext Transfer Protocol Layer
Clients that receive redirection responses (3xx status codes) will
terminate the connection ([RFC7030], Section 3.2.1).
Per Section 2.2 of [RFC8295], clients indicate the format
("application/xml" or "application/json") of the PAL information
([RFC8295], Section 2.1.1) via the HTTP Accept header.
3.2. Transport Layer Security
TLS implementations are configured as specified in [RFC9151]; the
notable exception is that only EC-based algorithms are used.
3.3. Eligibility
At the EST interface, servers only enroll clients that they have
established a prior relationship with independently of the EST
service. To accomplish this, client owners/operators interact in
person with the human acting as the Registration Authority (RA) to
ensure the information included in the transmitted certificate
request, which is sometimes called a Certificate Signing Request
(CSR), is associated with a client. The mechanism by which the
owner/operator interacts with the RA as well as the information
provided is beyond the scope of this document. The information
exchanged by the owner/operator might be something as simple as the
subject name included in the CSR to be sent or a copy of the
certificate that will be used to verify the certificate request,
which is provided out of band.
3.4. Authentication
Mutual authentication occurs via "Certificate TLS Authentication"
([RFC7030], Section 2.2.1). Clients provide their certificate to
servers in the TLS Certificate message, which is sent in response to
the server's TLS Certificate Request message. Both servers and
clients reject all attempts to authenticate based on certificates
that cannot be validated back to an installed TA.
3.5. Authorization
Clients always use an explicit TA database ([RFC7030],
Section 3.6.1). At a minimum, clients support two TAs: one for the
PKI and one for symmetric keys.
Clients check that the server's certificate includes the id-kp-cmcRA
Extended Key Usage (EKU) value ([RFC6402], Section 2.10).
Clients that support processing of the CMS Content Constraints
extension [RFC6010] ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see Section 7.1 for
SOA certificates.
3.6. EST and EST Extensions
This section profiles SODP's interfaces for EST [RFC7030] and EST
extensions [RFC8295].
3.6.1. /pal
The Package Availability List (PAL) is limited to 32 entries, where
the 32nd PAL entry links to an additional PAL (i.e., PAL Package Type
0001).
The PAL is XML [XML].
3.6.2. /cacerts
The CA certificates located in the explicit TA database are
distributed to the client when it is registered. This TA
distribution mechanism is out of scope.
CA certificates provided through this service are as specified in
Sections 5 and 6 of this document.
3.6.3. /simpleenroll
CSRs follow the specifications in Section 4.2 of [RFC8756], except
that the CMC-specific ChangeSubjectName and the POP Link Witness V2
attributes do not apply. Only EC-based algorithms are used.
Client certificates provided through this service are as specified in
Section 7 of this document.
The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human-readable errors.
3.6.4. /simplereenroll
There are no additional requirements for requests beyond those
specified in Sections 3.4 and 3.6.3 of this document.
The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human-readable errors.
3.6.5. /fullcmc
Requests are as specified in [RFC8756] with the notable exception
that only EC-based algorithms are used.
Additional attributes for returned CMS packages can be found in
[RFC7906].
Certificates provided through this service are as specified in
Section 7 of this document.
3.6.6. /serverkeygen
PKCS#12 [RFC7292] -- sometimes referred to as "PFX" (Personal
Information Exchange) or "P12" -- is used to provide server-generated
asymmetric private keys and the associated certificate to clients.
This interface is a one-way interface as the RA requests these from
the server.
PFXs [RFC7292] are exchanged using both password privacy mode and
integrity password mode. The PRF algorithm for PBKDF2 (the KDF for
PBES2 and PBMAC1) is HMAC-SHA-384, and the PBES2 encryption scheme is
AES-256.
The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human-readable errors.
/serverkeygen/return is not supported at this time.
3.6.7. /csrattrs
Clients use this service to retrieve partially filled PKIRequests
with no public key or proof-of-possession signature, i.e., their
values are set to zero length, either a zero length BIT STRING or
OCTET STRING. The pKCS7PDU attribute, defined in [RFC2985], includes
the partially filled PKIRequest as the only element in the CsrAttrs
sequence. Even though the CsrAttrs syntax is defined as a set, there
is only ever exactly one instance of values present.
3.6.8. /crls
CRLs provided through this service are as specified in Section 9 of
this document.
3.6.9. /symmetrickeys
Clients that claim to support SODP interoperation will be able to
process the following messages from an SODP server:
* additional encryption and origin authentication ([RFC8295],
Section 5); and
* server-provided Symmetric Key Content Type [RFC6032] encapsulated
in an Encrypted Key Content Type using the EnvelopedData choice
[RFC6033] with an SOA certificate that includes the CMS Content
Constraints extension (see Section 7.1).
Client-supported algorithms to decrypt the server-returned symmetric
key are as follows:
* Message Digest: See Section 4 of [RFC8755].
* Digital Signature Algorithm: See Section 5 of [RFC8755].
* Key Agreement: See Section 6.1 of [RFC8755].
* Key Wrap: AES-256 Key Wrap with Padding [RFC6033] is used.
AES-128 Key Wrap with Padding is not used.
* Content Encryption: AES-256 Key Wrap with Padding [RFC6033] is
used. AES-128 Key Wrap with Padding is not used.
/symmetrickeys/return is not used at this time.
3.6.10. /eecerts, /firmware, /tamp
/eecerts, /firmware, and /tamp are not used at this time.
4. CMC Interface
Client options for CMC [RFC5274] [RFC6402] are specified in this
section.
4.1. RFC 5273 Transport Protocols
Clients only use the HTTPS-based transport. The TLS implementation
and configuration are as specified in [RFC9151], with the notable
exception that only EC-based algorithms are used.
Clients that receive HTTP redirection responses (3xx status codes)
will terminate the connection ([RFC7030], Section 3.2.1).
4.2. Eligibility
At the CMC interface, servers only enroll clients that they have
established a prior relationship with independently of the EST
service. To accomplish this, client owners/operators interact in
person with the human acting as the Registration Authority (RA) to
ensure the information included in the transmitted certificate
request, which is sometimes called a Certificate Signing Request
(CSR), is associated with a client. The mechanism by which the
owner/operator interacts with the RA as well as the information
provided is beyond the scope of this document. The information
exchanged by the owner/operator might be something as simple as the
subject name included in the CSR to be sent or a copy of the
certificate that will be used to verify the certificate request,
which is provided out of band.
4.3. Authentication
Mutual authentication occurs via client and server signing of CMC
protocol elements, as required by [RFC8756]. All such signatures are
validated against an installed TA; any that fail validation are
rejected.
4.4. Authorization
Clients support the simultaneous presence of as many TAs as are
required for all of the functions of the client, and only these TAs.
Clients check that the server's certificate includes the id-kp-cmcRA
Extended Key Usage (EKU) value ([RFC6402], Section 2.10).
Clients that support processing of the CMS Content Constraints
extension [RFC6010] ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see Section 7.1 for
SOA certificates.
4.5. Full PKI Requests/Responses
Requests are as specified in [RFC8756] with the notable exception
that only EC-based algorithms are used.
Additional attributes for returned CMS packages can be found in
[RFC7906].
Certificates provided through this service are as specified in
Section 7 of this document.
5. Trust Anchor Profile
Clients are free to store the TA in the format of their choosing;
however, servers provide TA information in the form of self-signed CA
certificates. This section documents requirements for self-signed
certificates in addition to those specified in [RFC8603], which in
turn specifies requirements in addition to those in [RFC5280].
Only EC-based algorithms are used.
Issuer and subject names are composed of only the following naming
attributes: country name, domain component, organization name,
organizational unit name, common name, state or province name,
distinguished name qualifier, and serial number.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set.
6. Non-Self-Signed Certification Authority Certificate Profile
This section documents requirements for non-self-signed CA
certificates in addition to those specified in [RFC8603], which in
turn specifies requirements in addition to those in [RFC5280].
Only EC-based algorithms are used.
Subject names are composed of only the following naming attributes:
country name, domain component, organization name, organizational
unit name, common name, state or province name, distinguished name
qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set.
The Certificate Policies extension is always included, and
policyQualifiers are never used.
Non-self-signed CA certificates can also include the following:
Name Constraints: permittedSubtrees constraints are included, and
excludedSubstree constraints are not. Of the GeneralName choices,
issuers support the following: rfc822Name, dNSName,
uniformResourceIdentifier, and iPAddress (both IPv4 and IPv6) as
well as hardwareModuleName, which is defined in [RFC4108]. Note
that rfc822Name, dNSName, and uniformResourceIdentifier are
defined as IA5 strings, and the character sets allowed are not
uniform amongst these three name forms.
CRL Distribution Points: A distributionPoint is always the fullName
choice. The uniformResourceIdentifier GeneralName choice is
always included, but others can also be used as long as the first
element in the sequence of CRLDistributionPoints is the
uniformResourceIdentifier choice. The reasons and cRLIssuer
fields are never populated. This extension is never marked as
critical.
Authority Information Access: Only one instance of AccessDescription
is included. accessMethod is id-caIssuers, and accessLocation's
GeneralName is always the uniformResourceIdentifier choice.
Extended Key Usage: EST servers and RAs include the id-kp-cmcRA EKU,
and the CAs include the id-kp-cmcCA, which are both specified in
[RFC6402].
Issuers include the Authority Clearance Constraints extension
[RFC5913] in non-self-signed CA certificates that are issued to non-
SOAs; values for the Certificate Policy (CP) Object Identifier (OID)
and the supported classList values are found in the issuer's CP.
Criticality is determined by the issuer, and a securityCategories is
never included. Only one instance of Clearance is generated in the
AuthorityClearanceConstraints sequence.
Issuers include a critical CMS Content Constraints extension
[RFC6010] in CA certificates used to issue SOA certificates; this is
necessary to enable enforcement of scope of the SOA authority. The
content types included depend on the packages the SOA sources but
include key packages (i.e., Encrypted Key Packages, Symmetric Key
Packages, and Asymmetric Key Packages).
7. End-Entity Certificate Profile
This section documents requirements for EE signature and key
establishment certificates in addition to those listed in [RFC8603],
which in turn specifies requirements in addition to those in
[RFC5280].
Only EC-based algorithms are used.
Subject names are composed of the following naming attributes:
country name, domain component, organization name, organizational
unit name, common name, state or province name, distinguished name
qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, signature certificates only assert
digitalSignature, and key establishment certificates only assert
keyAgreement.
The Certificate Policies extension is always included, and
policyQualifiers are never used.
When included, the non-critical CRL Distribution Point extension's
distributionPoint is always identified by the fullName choice. The
uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence
of distribution points is the URI choice and it is an HTTP/HTTPS
scheme. The reasons and cRLIssuer fields are never populated.
The following subsections provide additional requirements for the
different types of EE certificates.
7.1. Source of Authority Certificate Profile
This section specifies the format for SOA certificates, i.e.,
certificates issued to those entities that are authorized to create,
digitally sign, encrypt, and distribute packages; these certificates
are issued by non-PKI TAs.
The Subject Alternative Name extension is always included. The
following choices are supported: rfc822Name, dNSName, ediPartyName,
uniformResourceIdentifier, or iPAddress (both IPv4 and IPv6). This
extension is never critical.
A critical CMS Content Constraints extension [RFC6010] is included in
SOA signature certificates. The content types included depend on the
packages the SOA sources (e.g., Encrypted Key Packages, Symmetric Key
Packages, and Asymmetric Key Packages).
7.2. Client Certificate Profile
This section specifies the format for certificates issued to clients.
A non-critical Subject Directory Attributes extension is always
included with the following attributes:
* Device Owner [RFC5916]
* Clearance Sponsor [RFC5917]
* Clearance [RFC5913]
The following extensions are also included at the discretion of the
CA:
* The Authority Information Access extension with only one instance
of AccessDescription included. accessMethod is id-caIssuers, and
accessLocation's GeneralName is always the
uniformResourceIdentifier choice.
* A non-critical Subject Alternative Name extension that includes
the hardwareModuleName form [RFC4108], rfc822Name, or
uniformResourceIdentifier.
* A critical Subject Alternative Name extension that includes
dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or
iPAddress (both IPv4 and IPv6).
8. Relying Party Applications
This section documents requirements for Relying Parties (RPs) in
addition to those listed in [RFC8603], which in turn specifies
requirements in addition to those in [RFC5280].
Only EC-based algorithms are used.
RPs support the Authority Key Identifier and the Subject Key
Identifier extensions.
RPs should support the following extensions: CRL Distribution Points,
Authority Information Access, Subject Directory Attribute, Authority
Clearance Constraints, and CMS Content Constraints.
Within the Subject Directory Attribute extension, RPs should support
the Clearance Sponsor, Clearance, and Device Owner attributes.
RPs support the id-kp-cmcRA and id-kp-cmcCA EKUs.
Failure to support extensions in this section might limit the
suitability of a device for certain applications.
9. CRL Profile
This section documents requirements for CRLs in addition to those
listed in [RFC8603], which in turn specifies requirements in addition
to those in [RFC5280].
Only EC-based algorithms are used.
Two types of CRLs are produced: complete base CRLs and partitioned
base CRLs.
crlEntryExtensions are never included, and the reasons and cRLIssuer
fields are never populated.
All CRLs include the following CRL extensions:
* The Authority Key Identifier extension: The keyIdentifier is the
64 low-order bits of the issuer's subjectPublicKey field.
* As per [RFC5280], the CRL Number extension.
The only other extension included in partitioned base CRLs is the
Issuing Distribution Point extension. The distributionPoint is
always identified by the fullName choice. The
uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence
of distribution points is the uniformResourceIdentifier choice and
the scheme is an HTTP/HTTPS scheme. All other fields are omitted.
10. IANA Considerations
This document has no IANA actions.
11. Security Considerations
This entire document is about security. This document profiles the
use of many protocols and services: EST, CMC, and PKCS#10/#7/#12 as
well as certificates, CRLs, and their extensions [RFC5280]. These
have been cited throughout this document, and the specifications
identified by those citations should be consulted for security
considerations related to implemented protocols and services.
12. References
12.1. Normative References
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
DOI 10.17487/RFC2046, November 1996,
<https://www.rfc-editor.org/info/rfc2046>.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
DOI 10.17487/RFC2985, November 2000,
<https://www.rfc-editor.org/info/rfc2985>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.
[RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509
Public Key Infrastructure: Qualified Certificates
Profile", RFC 3739, DOI 10.17487/RFC3739, March 2004,
<https://www.rfc-editor.org/info/rfc3739>.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", RFC 4108,
DOI 10.17487/RFC4108, August 2005,
<https://www.rfc-editor.org/info/rfc4108>.
[RFC5274] Schaad, J. and M. Myers, "Certificate Management Messages
over CMS (CMC): Compliance Requirements", RFC 5274,
DOI 10.17487/RFC5274, June 2008,
<https://www.rfc-editor.org/info/rfc5274>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>.
[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
DOI 10.17487/RFC5911, June 2010,
<https://www.rfc-editor.org/info/rfc5911>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/info/rfc5912>.
[RFC5913] Turner, S. and S. Chokhani, "Clearance Attribute and
Authority Clearance Constraints Certificate Extension",
RFC 5913, DOI 10.17487/RFC5913, June 2010,
<https://www.rfc-editor.org/info/rfc5913>.
[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key
Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010,
<https://www.rfc-editor.org/info/rfc5915>.
[RFC5916] Turner, S., "Device Owner Attribute", RFC 5916,
DOI 10.17487/RFC5916, June 2010,
<https://www.rfc-editor.org/info/rfc5916>.
[RFC5917] Turner, S., "Clearance Sponsor Attribute", RFC 5917,
DOI 10.17487/RFC5917, June 2010,
<https://www.rfc-editor.org/info/rfc5917>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
DOI 10.17487/RFC5958, August 2010,
<https://www.rfc-editor.org/info/rfc5958>.
[RFC5959] Turner, S., "Algorithms for Asymmetric Key Package Content
Type", RFC 5959, DOI 10.17487/RFC5959, August 2010,
<https://www.rfc-editor.org/info/rfc5959>.
[RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic
Message Syntax (CMS) Content Constraints Extension",
RFC 6010, DOI 10.17487/RFC6010, September 2010,
<https://www.rfc-editor.org/info/rfc6010>.
[RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax
(CMS) Symmetric Key Package Content Type", RFC 6031,
DOI 10.17487/RFC6031, December 2010,
<https://www.rfc-editor.org/info/rfc6031>.
[RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax
(CMS) Encrypted Key Package Content Type", RFC 6032,
DOI 10.17487/RFC6032, December 2010,
<https://www.rfc-editor.org/info/rfc6032>.
[RFC6033] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Encrypted Key Package Content Type", RFC 6033,
DOI 10.17487/RFC6033, December 2010,
<https://www.rfc-editor.org/info/rfc6033>.
[RFC6160] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Protection of Symmetric Key Package Content Types",
RFC 6160, DOI 10.17487/RFC6160, April 2011,
<https://www.rfc-editor.org/info/rfc6160>.
[RFC6161] Turner, S., "Elliptic Curve Algorithms for Cryptographic
Message Syntax (CMS) Encrypted Key Package Content Type",
RFC 6161, DOI 10.17487/RFC6161, April 2011,
<https://www.rfc-editor.org/info/rfc6161>.
[RFC6162] Turner, S., "Elliptic Curve Algorithms for Cryptographic
Message Syntax (CMS) Asymmetric Key Package Content Type",
RFC 6162, DOI 10.17487/RFC6162, April 2011,
<https://www.rfc-editor.org/info/rfc6162>.
[RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules
for the Cryptographic Message Syntax (CMS) and the Public
Key Infrastructure Using X.509 (PKIX)", RFC 6268,
DOI 10.17487/RFC6268, July 2011,
<https://www.rfc-editor.org/info/rfc6268>.
[RFC6402] Schaad, J., "Certificate Management over CMS (CMC)
Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011,
<https://www.rfc-editor.org/info/rfc6402>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013,
<https://www.rfc-editor.org/info/rfc7030>.
[RFC7191] Housley, R., "Cryptographic Message Syntax (CMS) Key
Package Receipt and Error Content Types", RFC 7191,
DOI 10.17487/RFC7191, April 2014,
<https://www.rfc-editor.org/info/rfc7191>.
[RFC7192] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Key Package Receipt and Error Content Types",
RFC 7192, DOI 10.17487/RFC7192, April 2014,
<https://www.rfc-editor.org/info/rfc7192>.
[RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A.,
and M. Scott, "PKCS #12: Personal Information Exchange
Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014,
<https://www.rfc-editor.org/info/rfc7292>.
[RFC7906] Timmel, P., Housley, R., and S. Turner, "NSA's
Cryptographic Message Syntax (CMS) Key Management
Attributes", RFC 7906, DOI 10.17487/RFC7906, June 2016,
<https://www.rfc-editor.org/info/rfc7906>.
[RFC8295] Turner, S., "EST (Enrollment over Secure Transport)
Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018,
<https://www.rfc-editor.org/info/rfc8295>.
[RFC8603] Jenkins, M. and L. Zieglar, "Commercial National Security
Algorithm (CNSA) Suite Certificate and Certificate
Revocation List (CRL) Profile", RFC 8603,
DOI 10.17487/RFC8603, May 2019,
<https://www.rfc-editor.org/info/rfc8603>.
[RFC8755] Jenkins, M., "Using Commercial National Security Algorithm
Suite Algorithms in Secure/Multipurpose Internet Mail
Extensions", RFC 8755, DOI 10.17487/RFC8755, March 2020,
<https://www.rfc-editor.org/info/rfc8755>.
[RFC8756] Jenkins, M. and L. Zieglar, "Commercial National Security
Algorithm (CNSA) Suite Profile of Certificate Management
over CMS", RFC 8756, DOI 10.17487/RFC8756, March 2020,
<https://www.rfc-editor.org/info/rfc8756>.
[RFC9151] Cooley, D., "Commercial National Security Algorithm (CNSA)
Suite Profile for TLS and DTLS 1.2 and 1.3", RFC 9151,
DOI 10.17487/RFC9151, April 2022,
<https://www.rfc-editor.org/info/rfc9151>.
[SP-800-59]
National Institute of Standards and Technology, "Guideline
for Identifying an Information System as a National
Security System", DOI 10.6028/NIST.SP.800-59, NIST Special
Publication 800-59, August 2003,
<https://csrc.nist.gov/publications/detail/sp/800-59/
final>.
[XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E.,
and F. Yergeau, "Extensible Markup Language (XML) 1.0
(Fifth Edition)", World Wide Web Consortium
Recommendation REC-xml-20081126, November 2008,
<https://www.w3.org/TR/2008/REC-xml-20081126/>.
12.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Authors' Addresses
Michael Jenkins
National Security Agency
Email: mjjenki@cyber.nsa.gov
Sean Turner
sn3rd
Email: sean@sn3rd.com
|
