rfc9152.original   rfc9152.txt 
Network Working Group M. Jenkins Independent Submission M. Jenkins
Internet Draft NSA Request for Comments: 9152 NSA
Intended Status: Informational Sean Turner Category: Informational S. Turner
Expires: February 29, 2021 sn3rd ISSN: 2070-1721 sn3rd
September 8, 2020 April 2022
The SODP (Secure Object Delivery Protocol) Server Interfaces: Secure Object Delivery Protocol (SODP) Server Interfaces: NSA's Profile
NSA's Profile for Delivery of Certificates, for Delivery of Certificates, Certificate Revocation Lists (CRLs), and
CRLs, and Symmetric Keys to Clients Symmetric Keys to Clients
draft-turner-sodp-profile-08.txt
Abstract Abstract
This document specifies protocol interfaces profiled by the US NSA This document specifies protocol interfaces profiled by the United
(United States National Security Agency) for NSS (National Security States National Security Agency (NSA) for National Security System
System) servers that provide public key certificates, CRLs (NSS) servers that provide public key certificates, Certificate
(Certificate Revocation Lists), and symmetric keys to NSS clients. Revocation Lists (CRLs), and symmetric keys to NSS clients. Servers
Servers that support these interfaces are referred to as SODP (Secure that support these interfaces are referred to as Secure Object
Object Delivery Protocol) servers. The intended audience for this Delivery Protocol (SODP) servers. The intended audience for this
profile comprises developers of client devices that will obtain key profile comprises developers of client devices that will obtain key
management services from NSA-operated SODP servers. Interfaces management services from NSA-operated SODP servers. Interfaces
supported by SODP servers include: EST (Enrollment over Secure supported by SODP servers include Enrollment over Secure Transport
Transport) and its extensions as well as CMC (Certificate Management (EST) and its extensions as well as Certificate Management over CMS
over CMS (Cryptographic Message Syntax)). (CMC).
This profile applies to the capabilities, configuration, and This profile applies to the capabilities, configuration, and
operation of all components of US National Security Systems (SP 800- operation of all components of US National Security Systems (SP
59). It is also appropriate for other US Government systems that 800-59). It is also appropriate for other US Government systems that
process high-value information. It is made publicly available for use process high-value information. It is made publicly available for
by developers and operators of these and any other system use by developers and operators of these and any other system
deployments. deployments.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering This is a contribution to the RFC Series, independently of any other
Task Force (IETF). Note that other groups may also distribute RFC stream. The RFC Editor has chosen to publish this document at
working documents as Internet-Drafts. The list of current Internet- its discretion and makes no statement about its value for
Drafts is at http://datatracker.ietf.org/drafts/current/. implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
Internet-Drafts are draft documents valid for a maximum of six months Information about the current status of this document, any errata,
and may be updated, replaced, or obsoleted by other documents at any and how to provide feedback on it may be obtained at
time. It is inappropriate to use Internet-Drafts as reference https://www.rfc-editor.org/info/rfc9152.
material or to cite them other than as "work in progress."
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document.
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Documents to be Familiar With . . . . . . . . . . . . . . . 3 1.1. Documents to be Familiar With
1.2. Document Organization . . . . . . . . . . . . . . . . . . 4 1.2. Document Organization
1.3. Environment . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Environment
2. Abstract Syntax Notation One . . . . . . . . . . . . . . . . . 6 2. Abstract Syntax Notation One
3. EST Interface . . . . . . . . . . . . . . . . . . . . . . . . 6 3. EST Interface
3.1. Hypertext Transfer Protocol Layer . . . . . . . . . . . . 6 3.1. Hypertext Transfer Protocol Layer
3.2. Transport Layer Security . . . . . . . . . . . . . . . . . 6 3.2. Transport Layer Security
3.3. Eligibility . . . . . . . . . . . . . . . . . . . . . . . 6 3.3. Eligibility
3.4. Authentication . . . . . . . . . . . . . . . . . . . . . . 7 3.4. Authentication
3.5. Authorization . . . . . . . . . . . . . . . . . . . . . . 7 3.5. Authorization
3.6. EST and EST Extensions . . . . . . . . . . . . . . . . . . 7 3.6. EST and EST Extensions
3.6.1. /pal . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.6.1. /pal
3.6.2. /cacerts . . . . . . . . . . . . . . . . . . . . . . . 7 3.6.2. /cacerts
3.6.3. /simpleenroll . . . . . . . . . . . . . . . . . . . . 8 3.6.3. /simpleenroll
3.6.4. /simplereenroll . . . . . . . . . . . . . . . . . . . 8 3.6.4. /simplereenroll
3.6.5. /fullcmc . . . . . . . . . . . . . . . . . . . . . . . 8 3.6.5. /fullcmc
3.6.6. /serverkeygen . . . . . . . . . . . . . . . . . . . . 8 3.6.6. /serverkeygen
3.6.7. /csrattrs . . . . . . . . . . . . . . . . . . . . . . 9 3.6.7. /csrattrs
3.6.8. /crls . . . . . . . . . . . . . . . . . . . . . . . . 9 3.6.8. /crls
3.6.9. /symmetrickeys . . . . . . . . . . . . . . . . . . . . 9 3.6.9. /symmetrickeys
3.6.10. /eecerts, /firmware, /tamp . . . . . . . . . . . . . 9 3.6.10. /eecerts, /firmware, /tamp
4. CMC Interface . . . . . . . . . . . . . . . . . . . . . . . . 10 4. CMC Interface
4.1. RFC 5273 Transport Protocols . . . . . . . . . . . . . . . 10 4.1. RFC 5273 Transport Protocols
4.2. Eligibility . . . . . . . . . . . . . . . . . . . . . . . 10 4.2. Eligibility
4.3. Authentication . . . . . . . . . . . . . . . . . . . . . . 10 4.3. Authentication
4.4. Authorization . . . . . . . . . . . . . . . . . . . . . . 10 4.4. Authorization
4.5. Full PKI Requests/Responses . . . . . . . . . . . . . . . 11 4.5. Full PKI Requests/Responses
5. Trust Anchor Profile . . . . . . . . . . . . . . . . . . . . . 11 5. Trust Anchor Profile
6. Non-Self-Signed Certification Authority Certificate Profile . 11 6. Non-Self-Signed Certification Authority Certificate Profile
7. End-Entity Certificate Profile . . . . . . . . . . . . . . . . 13 7. End-Entity Certificate Profile
7.1. Source of Authority Certificate Profile . . . . . . . . . 13 7.1. Source of Authority Certificate Profile
7.2. Client Certificate Profile . . . . . . . . . . . . . . . . 14 7.2. Client Certificate Profile
8. Relying Party Applications . . . . . . . . . . . . . . . . . . 14 8. Relying Party Applications
9. CRL Profile . . . . . . . . . . . . . . . . . . . . . . . . . 15 9. CRL Profile
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 10. IANA Considerations
11. Security Considerations . . . . . . . . . . . . . . . . . . . 15 11. Security Considerations
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 12. References
12.1. Normative References . . . . . . . . . . . . . . . . . . 16 12.1. Normative References
12.2. Informative References . . . . . . . . . . . . . . . . . 20 12.2. Informative References
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses
1. Introduction 1. Introduction
This document specifies protocol interfaces profiled by the US NSA This document specifies protocol interfaces profiled by the United
(United States National Security Agency) for NSS (National Security States National Security Agency (NSA) for National Security System
System) servers that provide public key certificates, CRLs (NSS) servers that provide public key certificates, Certificate
(Certificate Revocation Lists), and symmetric keys to NSS clients. Revocation Lists (CRLs), and symmetric keys to NSS clients. Servers
Servers that support these interfaces are referred to as SODP (Secure that support these interfaces are referred to as Secure Object
Object Delivery Protocol) servers. The purpose of this document is Delivery Protocol (SODP) servers. The purpose of this document is to
to indicate options from, and requirements additional to, the base indicate options from, and requirements in addition to, the base
specifications listed in Section 1.1 that are necessary for client specifications listed in Section 1.1 that are necessary for client
interoperability with NSA-operated SODP servers. Clients are always interoperability with NSA-operated SODP servers. Clients are always
devices, and need not implement all of the interfaces specified devices and need not implement all of the interfaces specified
herein; clients are free to choose which interfaces to implement herein; clients are free to choose which interfaces to implement
based on their operational requirements. Interfaces supported by based on their operational requirements. Interfaces supported by
SODP servers include: SODP servers include:
o EST (Enrollment over Secure Transport) [RFC7030] and its * Enrollment over Secure Transport (EST) [RFC7030] and its
extensions [RFC8295], and extensions [RFC8295], and
o CMC (Certificate Management over CMS (Cryptographic Message
Syntax)) [RFC5274][RFC6402] for both Simple PKI (Public Key * Certificate Management over CMS (CMC) [RFC5274] [RFC6402] for both
Infrastructure) requests and responses (i.e., PKCS#10 requests Simple Public Key Infrastructure (PKI) requests and responses
and PKCS#7 responses) and Full PKI requests and responses. (i.e., PKCS#10 requests and PKCS#7 responses) and Full PKI
requests and responses.
This profile applies to the capabilities, configuration, and This profile applies to the capabilities, configuration, and
operation of all components of US National Security Systems [SP 800- operation of all components of US National Security Systems
59]. It is also appropriate for other US Government systems that [SP-800-59]. It is also appropriate for other US Government systems
process high-value information. It is made publicly available for use that process high-value information. It is made publicly available
by developers and operators of these and any other system for use by developers and operators of these and any other system
deployments. deployments.
This profile conforms to the existing requirements of NSA's This profile conforms to the existing requirements of the NSA's
Commercial National Security Algorithms. As operational needs evolve Commercial National Security Algorithms (CNSAs). As operational
over time, this profile will be updated to incorporate new commercial needs evolve over time, this profile will be updated to incorporate
algorithms and protocols as they are developed and approved for use. new commercial algorithms and protocols as they are developed and
approved for use.
1.1. Documents to be Familiar With
1.1. Documents to be Familiar With
Familiarity with the follow specifications is assumed: Familiarity with the follow specifications is assumed:
o EST [RFC7030] and EST extensions [RFC8295]; * EST and EST extensions: [RFC7030] and [RFC8295]
o PKI-related specifications [RFC2986], [RFC3739], [RFC5274],
[RFC5280], [RFC5912], [RFC5913], [RFC5916], [RFC5917], [RFC6010], * PKI-related specifications: [RFC2986], [RFC3739], [RFC5274],
and [RFC6402]; [RFC5280], [RFC5912], [RFC5913], [RFC5916], [RFC5917], [RFC6010],
o Key-format-related specifications [RFC5915], [RFC5958], and [RFC6402]
[RFC5959], [RFC6031], [RFC6032], [RFC6160], [RFC6161], [RFC6162],
[RFC7191], [RFC7192], [RFC7292], and [RFC7906]; * Key-format-related specifications: [RFC5915], [RFC5958],
o CMS-related (Cryptographic Message Syntax) RFCs [RFC5652], [RFC5959], [RFC6031], [RFC6032], [RFC6160], [RFC6161], [RFC6162],
[RFC6268], and; [RFC7191], [RFC7192], [RFC7292], and [RFC7906]
o CNSA-related (Commercial National Security Algorithm) drafts
[RFC8603], [RFC8755], [RFC8756], and * CMS-related (Cryptographic Message Syntax) documents: [RFC5652]
[ID.cnsa-tls-profile]. and [RFC6268]
* CNSA-related documents: [RFC8603], [RFC8755], [RFC8756], and
[RFC9151]
The requirements from RFCs apply throughout this profile and are The requirements from RFCs apply throughout this profile and are
generally not repeated here. This document is purposely written generally not repeated here. This document is purposely written
without [RFC2119] language. without using the requirements language described in [RFC2119] and
[RFC8174].
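Review bot: The opening sentence of Section 1.1 still reads "Familiarity with the follow specifications is assumed" on the published side; the typo was carried over and should be "the following specifications". In the same list, [RFC6033] is cited in Section 3.6.9 for the Encrypted Key Content Type and for key wrap, but it does not appear among the key-format-related specifications here, so either add it to that bullet or confirm the omission is deliberate.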
1.2. Document Organization 1.2. Document Organization
The document is organized as follows: The document is organized as follows:
o The remainder of this section describes the operational * The remainder of this section describes the operational
environment used by clients to retrieve secure objects. environment used by clients to retrieve secure objects.
o Section 2 specifies the ASN.1 (Abstract Syntax Notation one)
version used. * Section 2 specifies the Abstract Syntax Notation One (ASN.1)
o Section 3 specifies SODP's EST interface. version used.
o Section 4 specifies SODP's CMC interfaces; one section each for
Simple PKI requests/responses and Full PKI requests/responses. * Section 3 specifies SODP's EST interface.
o Sections 5-9 respectively specify TA, CA, and EE certificates as
well as CRL. * Section 4 specifies SODP's CMC interfaces.
* Sections 5-7 specify Trust Anchor (TA), Certification Authority
(CA), and End-Entity (EE) certificates, respectively.
* Sections 8 and 9 specify Relying Party Applications and CRL
Profile, respectively.
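Review bot: The Section 4 bullet loses "one section each for Simple PKI requests/responses and Full PKI requests/responses", which agrees with the table of contents (Section 4 has only 4.5, Full PKI Requests/Responses), but the CMC bullet in the Introduction still says CMC is supported "for both Simple Public Key Infrastructure (PKI) requests and responses" and Full PKI. Either narrow the Introduction to match, or add a sentence saying where Simple PKI at the CMC interface is profiled, so an implementer does not go looking for a subsection that is no longer there.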
1.3. Environment 1.3. Environment
The environment is Client-Server-based from which clients obtain Clients obtain secure "objects" or "packages" from the client-server-
secure "objects" or "packages". Objects/packages vary based on the based environment. Objects/packages vary based on the Source of
SOA (Source of Authority) but all objects are "secured" minimally Authority (SOA), but all objects are "secured" minimally through the
through the use of one or more digital signatures and zero or more use of one or more digital signatures and zero or more layers of
layers of encryption, as profiled in this document. An SOA is the encryption, as profiled in this document. An SOA is the authority
authority for the creation of objects that the client will recognize for the creation of objects that the client will recognize as valid.
as valid. An SOA can delegate its authority to other actors; An SOA can delegate its authority to other actors; delegation occurs
delegation occurs through the issuance of certificates. An object or through the issuance of certificates. An object or package is the
package is the generic term for certificates, certificate status generic term for certificates, certificate status information, and
information, and keys (both asymmetric and symmetric). All of the keys (both asymmetric and symmetric). All of the objects except for
objects except for the certificates and certificate status the certificates and certificate status information are directly
information are directly encapsulated in and protected by CMS content encapsulated in and protected by CMS content types. CMS content
types. CMS content types that provide security are referred to as types that provide security are referred to as "CMS-protecting
CMS-protecting content types. All others are simply referred to as content types". All others are simply referred to as "CMS content
CMS content types. All secured objects are distributed either as CMS types". All secured objects are distributed either as CMS packages
packages or as part of a CMS package. or as part of a CMS package.
In the following example depicted in Figure 1, there are two SOAs: In the example depicted in Figure 1, there are two SOAs: one for
one for symmetric keys, as depicted by the KTA (Key Trust Anchor), symmetric keys, as depicted by the Key Trust Anchor (KTA), and one
and one for public key certificates, as depicted by the PKI TA (Trust for public key certificates, as depicted by the PKI Trust Anchor
Anchor). The KTA is responsible for the creation and distribution of (TA). The KTA is responsible for the creation and distribution of
symmetric keys. The KTA delegates the creation and distribution symmetric keys. The KTA delegates the creation and distribution
responsibilities to separate entities through the issuance of responsibilities to separate entities through the issuance of
certificates to a KSA (Key Source Authority) and a KDA (Key certificates to a Key Source Authority (KSA) and a Key Distribution
Distribution Authority). The KSA generates the keys, digitally signs Authority (KDA). The KSA generates the keys, digitally signs the
the keys, and encrypts the key for the end client using CMS content keys, and encrypts the key for the end client using CMS content types
types for each step. The KDA distributes the KSA-generated and - for each step. The KDA distributes the KSA-generated and KSA-
protected key to the client; the key may also be signed by the KDA. protected key to the client; the key may also be signed by the KDA.
The resulting CMS package is provided to the client through the EST The resulting CMS package is provided to the client through the EST
extension's /symmetrickey service. The PKI TA is responsible for the extension's /symmetrickey service. The PKI TA is responsible for the
creation, distribution, and management of public key certificates. creation, distribution, and management of public key certificates.
The PKI TA delegates these responsibilities to CAs (Certification The PKI TA delegates these responsibilities to Certification
Authorities) and CAs in turn are responsible for creating, Authorities (CAs), and CAs, in turn, are responsible for creating,
distributing, and managing EEs (End-Entities) certificates; CAs distributing, and managing End-Entity (EE) certificates. CAs
distribute PKI-related information through the /cacerts, /crls, distribute PKI-related information through the /cacerts, /crls,
/eecerts, /fullcmc, /simpleenroll, /simplereenroll, and /csrattrs EST /eecerts, /fullcmc, /simpleenroll, /simplereenroll, and /csrattrs EST
and EST extension services. and EST extension services.
+-----+ +--------+ +-----+ +--------+
| KTA | | PKI TA | | KTA | | PKI TA |
+-----+ +--------+ +-----+ +--------+
| | | |
| Signs | Signs | Signs | Signs
| | | |
skipping to change at page 6, line 7 skipping to change at line 252
| | V V | | V V
| | +-------------+ +-------------+ | | +-------------+ +-------------+
| V | Certificate | | Certificate | | V | Certificate | | Certificate |
+---|-------------+ +-------------+ | Revocation | +---|-------------+ +-------------+ | Revocation |
| V | CMS Content | List | | V | CMS Content | List |
| +-------------+ | Types +-------------+ | +-------------+ | Types +-------------+
| | Key Package | | | | Key Package | |
| +-------------+ | | +-------------+ |
+-----------------+ +-----------------+
Figure 1 - Operating Environment (Key and PKI Sources of Authority) Figure 1: Operating Environment (Key and PKI Sources of Authority)
For clients that support the CMC interface and not the EST interface, For clients that support the CMC interface and not the EST interface,
the environment includes only the PKI TAs. the environment includes only the PKI TAs.
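Review bot: The service name in the Section 1.3 walkthrough is "/symmetrickey" on both sides, while the table of contents and Section 3.6.9 use "/symmetrickeys". Clients build request paths from these names, so the singular form should be corrected to "/symmetrickeys". In the same paragraph, "encrypts the key for the end client" follows "generates the keys, digitally signs the keys"; the number should be made consistent.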
2. Abstract Syntax Notation One 2. Abstract Syntax Notation One
Implementations of this specification use the '02/'08 ASN.1 (Abstract Implementations of this specification use the 2002/2008 ASN.1
Syntax Notation One) version; '02/'08 ASN.1 modules can be found in version; 2002/2008 ASN.1 modules can be found in [RFC5911],
[RFC5911], [RFC5912], and [RFC6268] (use RFC 6268 for the CMS syntax) [RFC5912], and [RFC6268] (use [RFC6268] for the CMS syntax), while
while other specifications already include the '02/'08 ASN.1 along other specifications already include the 2002/2008 ASN.1 along with
with the '88 ASN.1. See Section 1.1 of [RFC6268] for a discussion the 1988 ASN.1. See Section 1.1 of [RFC6268] for a discussion about
about the differences between the '02 and '08 ASN.1 versions. the differences between the 2002 and 2008 ASN.1 versions.
3. EST Interface 3. EST Interface
EST [RFC7030] and EST extensions [RFC8295] client options are Client options for EST [RFC7030] and EST extensions [RFC8295] are
specified in this section. specified in this section.
3.1. Hypertext Transfer Protocol Layer 3.1. Hypertext Transfer Protocol Layer
Clients that receive redirection responses (3xx status codes) will Clients that receive redirection responses (3xx status codes) will
terminate the connection ([RFC7030], Section 3.2.1). terminate the connection ([RFC7030], Section 3.2.1).
Per Section 2.2 of [RFC8295], clients indicate the format Per Section 2.2 of [RFC8295], clients indicate the format
("application/xml" or "application/json") of the PAL information ("application/xml" or "application/json") of the PAL information
([RFC8295], Section 2.1.1) via the HTTP Accept header. ([RFC8295], Section 2.1.1) via the HTTP Accept header.
3.2. Transport Layer Security 3.2. Transport Layer Security
TLS implementations are configured as specified in TLS implementations are configured as specified in [RFC9151]; the
[ID.cnsa-tls-profile]; the notable exception is that only EC-based notable exception is that only EC-based algorithms are used.
algorithms are used.
3.3. Eligibility 3.3. Eligibility
At the EST interface, servers enroll only clients that they have a At the EST interface, servers only enroll clients that they have
prior established relationship with, established independently of established a prior relationship with independently of the EST
the EST service. To accomplish this, client owners/operators service. To accomplish this, client owners/operators interact in
interact in person with the human acting as the RA (Registration person with the human acting as the Registration Authority (RA) to
Authority) to ensure the information included in the transmitted ensure the information included in the transmitted certificate
certificate request, which is sometimes called a CSR (Certificate request, which is sometimes called a Certificate Signing Request
Signing Request), is associated with a client. The mechanism by (CSR), is associated with a client. The mechanism by which the
which the owner/operator interact with the RA as well as owner/operator interacts with the RA as well as the information
the information provided is beyond the scope of this document. The provided is beyond the scope of this document. The information
information exchanged by the owner/operator might be something as exchanged by the owner/operator might be something as simple as the
simple as the subject name included in the to-be sent CSR or a copy subject name included in the CSR to be sent or a copy of the
of the certificate that will be used to verify the certificate certificate that will be used to verify the certificate request,
request, provided out-of-band. which is provided out of band.
3.4. Authentication 3.4. Authentication
Mutual authentication occurs via "Certificate TLS Authentication" Mutual authentication occurs via "Certificate TLS Authentication"
([RFC7030], Section 2.1). Clients provide their certificate to ([RFC7030], Section 2.2.1). Clients provide their certificate to
servers in the TLS Certificate message, which is sent in response to servers in the TLS Certificate message, which is sent in response to
the server's TLS Certificate Request message. Both servers and the server's TLS Certificate Request message. Both servers and
clients reject all attempts to authenticate based on certificates clients reject all attempts to authenticate based on certificates
that cannot be validated back to an installed TA. that cannot be validated back to an installed TA.
3.5. Authorization 3.5. Authorization
Clients always use an explicit TA database ([RFC7030], Section Clients always use an explicit TA database ([RFC7030],
3.6.1). At a minimum, clients support two TAs; one for the PKI and Section 3.6.1). At a minimum, clients support two TAs: one for the
one for symmetric keys. PKI and one for symmetric keys.
Clients check that the server's certificate includes the id-kp-cmcRA Clients check that the server's certificate includes the id-kp-cmcRA
EKU (Extended Key Usage) value ([RFC6402], Section 2.10). Extended Key Usage (EKU) value ([RFC6402], Section 2.10).
Clients that support processing the CMS Content Constraints extension Clients that support processing of the CMS Content Constraints
[RFC6010] ensure returned CMS content is from an SOA or is from an extension [RFC6010] ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see Section 6.0 for entity authorized by an SOA for that CMS content; see Section 7.1 for
SOA certificates. SOA certificates.
3.6. EST and EST Extensions 3.6. EST and EST Extensions
This section profiles SODP's EST [RFC7030] and EST Extensions This section profiles SODP's interfaces for EST [RFC7030] and EST
[RFC8295] interfaces. extensions [RFC8295].
3.6.1. /pal 3.6.1. /pal
The PAL (Package Availability List) is limited to 32 entries, where The Package Availability List (PAL) is limited to 32 entries, where
the 32nd PAL entry links to an additional PAL (i.e., is PAL Package the 32nd PAL entry links to an additional PAL (i.e., PAL Package Type
Type 0001). 0001).
The PAL is XML [XML]. The PAL is XML [XML].
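Review bot: Section 3.6.1 says without qualification that "The PAL is XML [XML]", yet Section 3.1, unchanged in this revision, has clients indicate "application/xml" or "application/json" through the HTTP Accept header. As written, the two sections read as contradictory; the text should state which Accept value an SODP client is expected to send and how a request for JSON is answered.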
3.6.2. /cacerts 3.6.2. /cacerts
The CA certificates located in the explicit TA database are The CA certificates located in the explicit TA database are
distributed to the client when it is registered. This TA distributed to the client when it is registered. This TA
distribution mechanism is out-of-scope. distribution mechanism is out of scope.
CA certificates provided through this service are as specified in CA certificates provided through this service are as specified in
Sections 5 and 6 of this document. Sections 5 and 6 of this document.
3.6.3. /simpleenroll 3.6.3. /simpleenroll
CSRs follow the specifications in Section 4.2 of [RFC8756], CSRs follow the specifications in Section 4.2 of [RFC8756], except
except that the CMC-specific Change Subject Name and that the CMC-specific ChangeSubjectName and the POP Link Witness V2
the POP Link Witness V2 attributes do not apply. Second, only attributes do not apply. Only EC-based algorithms are used.
EC-based algorithms are used.
Client certificates provided through this service are as specified in Client certificates provided through this service are as specified in
Section 7 of this document. Section 7 of this document.
The HTTP content-type of "text/plain" ([RFC2046], Section 4.1) is The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human readable errors. used to return human-readable errors.
3.6.4. /simplereenroll 3.6.4. /simplereenroll
There are no additional requirements for requests beyond those There are no additional requirements for requests beyond those
specified in Sections 3.4 and 3.6.3 of this document. specified in Sections 3.4 and 3.6.3 of this document.
The HTTP content-type of "text/plain" ([RFC2046], Section 4.1) is The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human readable errors. used to return human-readable errors.
3.6.5. /fullcmc 3.6.5. /fullcmc
Requests are as specified in [RFC8756] with the notable Requests are as specified in [RFC8756] with the notable exception
exception that only EC-based algorithms are used. that only EC-based algorithms are used.
Additional attributes for returned CMS packages can be found in Additional attributes for returned CMS packages can be found in
[RFC7906]. [RFC7906].
Certificates provided through this service are as specified in Certificates provided through this service are as specified in
Section 7 of this document. Section 7 of this document.
3.6.6. /serverkeygen 3.6.6. /serverkeygen
PKCS#12 [RFC7292], sometimes referred to as "PFX" (Personal PKCS#12 [RFC7292] -- sometimes referred to as "PFX" (Personal
inFormation eXchange), "P12", and "PKCS#12" files, are used to Information Exchange) or "P12" -- is used to provide server-generated
provide server-generated asymmetric private keys and the associated asymmetric private keys and the associated certificate to clients.
certificate to clients. This interface is a one-way interface as the This interface is a one-way interface as the RA requests these from
RA requests these from the server. the server.
PFXs [RFC7292] are exchanged using both password privacy mode and PFXs [RFC7292] are exchanged using both password privacy mode and
integrity password mode. The PRF algorithm for PBKDF2 (the KDF for integrity password mode. The PRF algorithm for PBKDF2 (the KDF for
PBES2 and PBMAC1) is HMAC-SHA-384 and the PBES2 encryption scheme is PBES2 and PBMAC1) is HMAC-SHA-384, and the PBES2 encryption scheme is
AES-256. AES-256.
The HTTP content-type of "text/plain" ([RFC2046], Section 4.1) is The HTTP content type of "text/plain" ([RFC2046], Section 4.1) is
used to return human readable errors. used to return human-readable errors.
/serverkeygen/return is not supported at this time. /serverkeygen/return is not supported at this time.
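Review bot: The PFX paragraph in Section 3.6.6 gives the PBES2 encryption scheme only as "AES-256", with no mode of operation, and names HMAC-SHA-384 as the PBKDF2 PRF without saying anything about iteration count or salt length. Since the password is the only protection on a server-generated private key in transit to the client, the profile should either state these parameters or point to the document that fixes them. The mode names are also ordered inconsistently ("password privacy mode and integrity password mode") and should use one word order.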
3.6.7. /csrattrs 3.6.7. /csrattrs
Clients use this service to retrieve partially filled PKIRequests: Clients use this service to retrieve partially filled PKIRequests
PKIRequests with no public key or proof-of-possession signature, with no public key or proof-of-possession signature, i.e., their
i.e., their values are set to zero length either a zero length BIT values are set to zero length, either a zero length BIT STRING or
STRING or OCTET STRING. The pKCS7PDU attribute, defined in OCTET STRING. The pKCS7PDU attribute, defined in [RFC2985], includes
[RFC2985], includes the partially filled PKIRequest as the only the partially filled PKIRequest as the only element in the CsrAttrs
element in the CsrAttrs sequence. Even though the CsrAttrs syntax is sequence. Even though the CsrAttrs syntax is defined as a set, there
defined as a set, there is only ever exactly one instance of values is only ever exactly one instance of values present.
present.
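Review bot: The reworded Section 3.6.7 paragraph still refers to "the only element in the CsrAttrs sequence" and, in the next sentence, says "the CsrAttrs syntax is defined as a set". The two sentences should name the structure each one means (the outer CsrAttrs versus the values of the pKCS7PDU attribute), because a client parser needs to know which of them is constrained to exactly one member.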
3.6.8. /crls 3.6.8. /crls
CRLs provided through this service are as specified in Section 9 of CRLs provided through this service are as specified in Section 9 of
this document. this document.
3.6.9. /symmetrickeys 3.6.9. /symmetrickeys
Clients that claim to support SODP-interoperation will be able to Clients that claim to support SODP interoperation will be able to
process the following messages from a SODP server: additional process the following messages from an SODP server:
encryption and origin authentication ([RFC8295], Section 5); server-
provided Symmetric Key Content Type [RFC6032] encapsulated in an * additional encryption and origin authentication ([RFC8295],
Encrypted Key Content Type using the EnvelopedData choice [RFC6033] Section 5); and
with a SOA certificate that includes the CMS Content Constraints
extension (see Section 7.1). * server-provided Symmetric Key Content Type [RFC6032] encapsulated
in an Encrypted Key Content Type using the EnvelopedData choice
[RFC6033] with an SOA certificate that includes the CMS Content
Constraints extension (see Section 7.1).
Client-supported algorithms to decrypt the server-returned symmetric Client-supported algorithms to decrypt the server-returned symmetric
key are as follows: key are as follows:
o Message Digest: See Section 5 of [RFC8755]. * Message Digest: See Section 4 of [RFC8755].
o Digital Signature Algorithm: See Section 6.1 of
[RFC8755]. * Digital Signature Algorithm: See Section 5 of [RFC8755].
o Key Agreement: See Section 7.1 of [RFC8755].
o Key Wrap: AES-256 Key Wrap with Padding [RFC6033] is used. AES- * Key Agreement: See Section 6.1 of [RFC8755].
128 Key Wrap with Padding is not used.
o Content Encryption: AES-256 Key Wrap with Padding [RFC6033] is * Key Wrap: AES-256 Key Wrap with Padding [RFC6033] is used.
used. AES-128 Key Wrap with Padding is not used. AES-128 Key Wrap with Padding is not used.
* Content Encryption: AES-256 Key Wrap with Padding [RFC6033] is
used. AES-128 Key Wrap with Padding is not used.
/symmetrickeys/return is not used at this time. /symmetrickeys/return is not used at this time.
3.6.10. /eecerts, /firmware, /tamp 3.6.10. /eecerts, /firmware, /tamp
/eecerts, /firmware, /tamp are not used at this time. /eecerts, /firmware, and /tamp are not used at this time.
4. CMC Interface 4. CMC Interface
CMC [RFC5274][RFC6402] clients options are specified in this section. Client options for CMC [RFC5274] [RFC6402] are specified in this
section.
4.1. RFC 5273 Transport Protocols 4.1. RFC 5273 Transport Protocols
Clients use only the HTTPS-based transport; the TLS implementation Clients only use the HTTPS-based transport. The TLS implementation
and configuration is as specified in [ID.cnsa-tls-profile]; the and configuration are as specified in [RFC9151], with the notable
notable exceptions are that only EC-based algorithms are used. exception that only EC-based algorithms are used.
Clients that receive HTTP redirection responses (3xx status codes) Clients that receive HTTP redirection responses (3xx status codes)
will terminate the connection ([RFC7030], Section 3.2.1). will terminate the connection ([RFC7030], Section 3.2.1).
4.2. Eligibility 4.2. Eligibility
At the CMC interface, servers enroll only clients that they have a At the CMC interface, servers only enroll clients that they have
prior established relationship with, established independently of established a prior relationship with independently of the EST
the EST service. To accomplish this, client owners/operators service. To accomplish this, client owners/operators interact in
interact in person with the human acting as the RA (Registration person with the human acting as the Registration Authority (RA) to
Authority) to ensure the information included in the transmitted ensure the information included in the transmitted certificate
certificate request, which is sometimes called a CSR (Certificate request, which is sometimes called a Certificate Signing Request
Signing Request), is associated with a client. The mechanism by (CSR), is associated with a client. The mechanism by which the
which the owner/operator interact with the RA as well as the owner/operator interacts with the RA as well as the information
information provided is beyond the scope of this document. The provided is beyond the scope of this document. The information
information exchanged by the owner/operator might be something as exchanged by the owner/operator might be something as simple as the
simple as the subject name included in the to-be sent CSR or a copy subject name included in the CSR to be sent or a copy of the
of the certificate that will be used to verify the certificate certificate that will be used to verify the certificate request,
request, provided out-of-band. which is provided out of band.
4.3. Authentication 4.3. Authentication
Mutual authentication occurs via client and server signing of CMC Mutual authentication occurs via client and server signing of CMC
protocol elements, as required by [RFC8756]. All such protocol elements, as required by [RFC8756]. All such signatures are
signatures must be validated against an installed TA; any that fail validated against an installed TA; any that fail validation are
validation are rejected. rejected.
4.4. Authorization 4.4. Authorization
Clients support the simultaneous presence of as many TAs as are Clients support the simultaneous presence of as many TAs as are
required for all of the functions of the client, and only these TAs. required for all of the functions of the client, and only these TAs.
Clients check that the server's certificate includes the id-kp-cmcRA Clients check that the server's certificate includes the id-kp-cmcRA
EKU (Extended Key Usage) value [RFC6402], Section 2.10. Extended Key Usage (EKU) value ([RFC6402], Section 2.10).
Clients that support processing the CMS Content Constraints extension Clients that support processing of the CMS Content Constraints
[RFC6010] ensure returned CMS content is from an SOA or is from an extension [RFC6010] ensure returned CMS content is from an SOA or an
entity authorized by an SOA for that CMS content; see Section 6.0 for entity authorized by an SOA for that CMS content; see Section 7.1 for
SOA certificates SOA certificates.
4.5. Full PKI Requests/Responses 4.5. Full PKI Requests/Responses
Requests are as specified in [RFC8756] with the notable Requests are as specified in [RFC8756] with the notable exception
exception that only EC-based algorithms are used. that only EC-based algorithms are used.
Additional attributes for returned CMC packages can be found in Additional attributes for returned CMS packages can be found in
[RFC7906]. [RFC7906].
Certificates provided through this service are as specified in Certificates provided through this service are as specified in
Section 7 of this document. Section 7 of this document.
5. Trust Anchor Profile 5. Trust Anchor Profile
Clients are free to store the TA in format of their choosing; Clients are free to store the TA in the format of their choosing;
however, servers provide TA information in the form of self-signed CA however, servers provide TA information in the form of self-signed CA
certificates. This section documents requirements for self-signed certificates. This section documents requirements for self-signed
certificates in addition to those specified in [RFC8603], which in certificates in addition to those specified in [RFC8603], which in
turn specifies requirements in addition to those in [RFC5280]. turn specifies requirements in addition to those in [RFC5280].
Only EC-based algorithms are used. Only EC-based algorithms are used.
Issuer and subject names are composed of only the following naming Issuer and subject names are composed of only the following naming
attributes: country name, domain component, organization name, attributes: country name, domain component, organization name,
organizational unit name, common name, state or province name, organizational unit name, common name, state or province name,
distinguished name qualifier, and serial number. distinguished name qualifier, and serial number.
In the Subject Key Identifier extension, the keyIdentifier is the 64 In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field. low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set. In the Key Usage extension, the nonRepudiation bit is never set.
6. Non-Self-Signed Certification Authority Certificate Profile 6. Non-Self-Signed Certification Authority Certificate Profile
This section documents requirements for non-self signed CA This section documents requirements for non-self-signed CA
certificates in addition to those specified in [RFC8603], which in certificates in addition to those specified in [RFC8603], which in
turn specifies requirements in addition to those in [RFC5280]. turn specifies requirements in addition to those in [RFC5280].
Only EC-based algorithms are used. Only EC-based algorithms are used.
Subject names are composed of only the following naming attributes: Subject names are composed of only the following naming attributes:
country name, domain component, organization name, organizational country name, domain component, organization name, organizational
unit name, common name, state or province name, distinguished name unit name, common name, state or province name, distinguished name
qualifier, and serial number. qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field. issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64 In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field. low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, the nonRepudiation bit is never set. In the Key Usage extension, the nonRepudiation bit is never set.
The Certificate Policies extension is always included and The Certificate Policies extension is always included, and
policyQualifiers are never used. policyQualifiers are never used.
Non-self-signed CA certificates can also include the following: Non-self-signed CA certificates can also include the following:
o Name Constraints: permittedSubtrees constraints are included and Name Constraints: permittedSubtrees constraints are included, and
excludedSubstree constraints are not. Of the GeneralName excludedSubstree constraints are not. Of the GeneralName choices,
choices, issuers support the following: rfc822Name, dNSName, issuers support the following: rfc822Name, dNSName,
uniformResourceIdentifier, and iPAddress (both IPv4 and IPv6) as uniformResourceIdentifier, and iPAddress (both IPv4 and IPv6) as
well as hardwareModuleName, which is defined in [RFC4108]. Note well as hardwareModuleName, which is defined in [RFC4108]. Note
that rfc822Name, dNSName, and uniformResourceIdentifier are that rfc822Name, dNSName, and uniformResourceIdentifier are
defined as IA5 strings and the character sets allowed is not defined as IA5 strings, and the character sets allowed are not
uniform amongst these three name forms. uniform amongst these three name forms.
o CRL Distribution Points: A distributionPoint is always the CRL Distribution Points: A distributionPoint is always the fullName
fullName choice; the uniformResourceIdentifier GeneralName choice choice. The uniformResourceIdentifier GeneralName choice is
is always included but others can also be used as long as the always included, but others can also be used as long as the first
first element in the sequence of CRLDistributionPoints is the element in the sequence of CRLDistributionPoints is the
uniformResourceIdentifier choice; the reasons and CRLIssuer uniformResourceIdentifier choice. The reasons and cRLIssuer
fields are never populated. This extension is never marked fields are never populated. This extension is never marked as
critical. critical.
o Authority Information Access: Only one instance of Authority Information Access: Only one instance of AccessDescription
AccessDescription is included. accessMethod is id-caIssuers and is included. accessMethod is id-caIssuers, and accessLocation's
accessLocation's GeneralName is always the GeneralName is always the uniformResourceIdentifier choice.
uniformResourceIdentifier choice.
o Extended Key Usage: EST servers and RAs include the id-kp-cmcRA Extended Key Usage: EST servers and RAs include the id-kp-cmcRA EKU,
EKU and the CAs include the id-kp-cmcCA, which are both specified and the CAs include the id-kp-cmcCA, which are both specified in
in [RFC6402]. [RFC6402].
Issuers include the Authority Clearance Constraints extension Issuers include the Authority Clearance Constraints extension
[RFC5913] in non-self-signed CA certificates that are issued to non- [RFC5913] in non-self-signed CA certificates that are issued to non-
SOAs; values for the CP (Certificate Policy) OID (Object IDentifier) SOAs; values for the Certificate Policy (CP) Object Identifier (OID)
and the supported classList values are found in the Issuer's CP. and the supported classList values are found in the issuer's CP.
Criticality is determined by the issuer and a securityCategories is Criticality is determined by the issuer, and a securityCategories is
never included. Only one instance of Clearance is generated in the never included. Only one instance of Clearance is generated in the
AuthorityClearanceConstraints sequence. AuthorityClearanceConstraints sequence.
Issuers include a critical CMS Content Constraints extension Issuers include a critical CMS Content Constraints extension
[RFC6010] in CA certificates used to issue SOA certificates; [RFC6010] in CA certificates used to issue SOA certificates; this is
this is necessary to enable enforcement of scope of the SOA necessary to enable enforcement of scope of the SOA authority. The
authority. The content types included depend on the packages the content types included depend on the packages the SOA sources but
SOA sources, but include key packages (i.e., Encrypted Key Packages, include key packages (i.e., Encrypted Key Packages, Symmetric Key
Symmetric Key Packages, and Asymmetric Key Packages). Packages, and Asymmetric Key Packages).
7. End-Entity Certificate Profile 7. End-Entity Certificate Profile
This section documents requirements for EE signature and key This section documents requirements for EE signature and key
establishment certificates in addition to those listed in [RFC8603], establishment certificates in addition to those listed in [RFC8603],
which in turn specifies requirements in addition to those in which in turn specifies requirements in addition to those in
[RFC5280]. [RFC5280].
Only EC-based algorithms are used. Only EC-based algorithms are used.
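Review bot: In the Section 6 Name Constraints item, the new text still reads "excludedSubstree constraints are not"; the field name is excludedSubtrees, matching permittedSubtrees in the same sentence, and since this revision already corrects identifier spelling elsewhere (CRLIssuer to cRLIssuer in the CRL Distribution Points item) it should be fixed here too. Separately, Section 4.5 changes "returned CMC packages" to "returned CMS packages" and Section 4.3 changes "must be validated against an installed TA" to "are validated"; both read as editorial but alter what the sentence asserts, so confirm that they are intended.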
skipping to change at page 13, line 28 skipping to change at line 614
qualifier, and serial number. qualifier, and serial number.
In the Authority Key Identifier extension, the keyIdentifier choice In the Authority Key Identifier extension, the keyIdentifier choice
is always used. The keyIdentifier is the 64 low-order bits of the is always used. The keyIdentifier is the 64 low-order bits of the
issuer's subjectPublicKey field. issuer's subjectPublicKey field.
In the Subject Key Identifier extension, the keyIdentifier is the 64 In the Subject Key Identifier extension, the keyIdentifier is the 64
low-order bits of the subject's subjectPublicKey field. low-order bits of the subject's subjectPublicKey field.
In the Key Usage extension, signature certificates only assert In the Key Usage extension, signature certificates only assert
digitalSignature and key establishment certificates only assert digitalSignature, and key establishment certificates only assert
keyAgreement. keyAgreement.
The Certificate Policies extension is always included and The Certificate Policies extension is always included, and
policyQualifiers are never used. policyQualifiers are never used.
When included, the non-critical CRL Distribution Point extension's When included, the non-critical CRL Distribution Point extension's
distributionPoint is always identified by the fullName choice; the distributionPoint is always identified by the fullName choice. The
uniformResourceIdentifier GeneralName choice is always included but uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence others can also be used as long as the first element in the sequence
of distribution points is the URI choice and it is an HTTP/HTTPS of distribution points is the URI choice and it is an HTTP/HTTPS
scheme; the reasons and cRLIssuer fields are never populated. scheme. The reasons and cRLIssuer fields are never populated.
The following subsections provide additional requirements for the The following subsections provide additional requirements for the
different types of EE certificates. different types of EE certificates.
7.1. Source of Authority Certificate Profile 7.1. Source of Authority Certificate Profile
This section specifies the format for SOA certificates, i.e., This section specifies the format for SOA certificates, i.e.,
certificates issued to those entities that are authorized to create, certificates issued to those entities that are authorized to create,
digitally sign, encrypt, and distribute key packages; these digitally sign, encrypt, and distribute packages; these certificates
certificates are issued by non-PKI TAs. are issued by non-PKI TAs.
The Subject Alternative Name extension is always included. The The Subject Alternative Name extension is always included. The
following choices are supported rfc822Name, dnsName, ediPartyName, following choices are supported: rfc822Name, dNSName, ediPartyName,
uniformResourceIdentifier, or ipAddress (both IPv4 and IPv6). This uniformResourceIdentifier, or iPAddress (both IPv4 and IPv6). This
extension is never critical. extension is never critical.
A critical CMS Content Constraints extension [RFC6010] is included in A critical CMS Content Constraints extension [RFC6010] is included in
SOA signature certificates. The content types included depend on the SOA signature certificates. The content types included depend on the
packages the SOA sources (e.g., Encrypted Key Packages, Symmetric Key packages the SOA sources (e.g., Encrypted Key Packages, Symmetric Key
Packages, Asymmetric Key Packages). Packages, and Asymmetric Key Packages).
7.2. Client Certificate Profile 7.2. Client Certificate Profile
This section specifies the format for certificates issued to clients. This section specifies the format for certificates issued to clients.
A non-critical Subject Directory Attributes extension is always A non-critical Subject Directory Attributes extension is always
included with the following attributes: included with the following attributes:
o Device Owner [RFC5916] * Device Owner [RFC5916]
o Clearance Sponsor [RFC5917]
o Clearance [RFC5913] * Clearance Sponsor [RFC5917]
* Clearance [RFC5913]
The following extensions are also included at the discretion of the The following extensions are also included at the discretion of the
CA: CA:
o The Authority Information Access extension with only one instance * The Authority Information Access extension with only one instance
of the accessMethod id-caIssuers and the accessLocation's of AccessDescription included. accessMethod is id-caIssuers, and
GeneralName using the uniformResourceIdentifier choice. accessLocation's GeneralName is always the
uniformResourceIdentifier choice.
o A non-critical Subject Alternative Name extension that includes * A non-critical Subject Alternative Name extension that includes
the hardwareModuleName form [RFC4108], rfc822Name, or the hardwareModuleName form [RFC4108], rfc822Name, or
uniformResourceIdentifier. uniformResourceIdentifier.
o A critical Subject Alternative Name extension that includes: * A critical Subject Alternative Name extension that includes
dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or dNSName, rfc822Name, ediPartyName, uniformResourceIdentifier, or
ipAddress (both IPv4 and IPv6). iPAddress (both IPv4 and IPv6).
8. Relying Party Applications 8. Relying Party Applications
This section documents requirements for RPs (Relying Parties) in This section documents requirements for Relying Parties (RPs) in
addition to those listed in [RFC8603], which in turn specifies addition to those listed in [RFC8603], which in turn specifies
requirements in addition to those in [RFC5280]. requirements in addition to those in [RFC5280].
Only EC-based algorithms are used. Only EC-based algorithms are used.
RPs support the Authority Key Identifier and the Subject Key RPs support the Authority Key Identifier and the Subject Key
Identifier extensions. Identifier extensions.
RPs should support the following extensions: CRL Distribution Points, RPs should support the following extensions: CRL Distribution Points,
Authority Information Access, Subject Directory Attribute, Authority Authority Information Access, Subject Directory Attribute, Authority
Clearance Constraints, and CMS Content Constraints extensions. Clearance Constraints, and CMS Content Constraints.
Within the Subject Directory Attribute extension, RPs should support Within the Subject Directory Attribute extension, RPs should support
the Clearance Sponsor, Clearance, and Device Owner attributes. the Clearance Sponsor, Clearance, and Device Owner attributes.
RPs support the id-kp-cmcRA and id-kp-cmcCA EKUs. RPs support the id-kp-cmcRA and id-kp-cmcCA EKUs.
Failure to support extensions in this section might limit the Failure to support extensions in this section might limit the
suitability of a device for certain applications. suitability of a device for certain applications.
9. CRL Profile 9. CRL Profile
This section documents requirements for CRLs in addition to those This section documents requirements for CRLs in addition to those
listed in [RFC8603], which in turn specifies requirements in addition listed in [RFC8603], which in turn specifies requirements in addition
to those in [RFC5280]. to those in [RFC5280].
Only EC-based algorithms are used. Only EC-based algorithms are used.
Two types of CRLs are produced: complete base CRLs and partitioned Two types of CRLs are produced: complete base CRLs and partitioned
base CRLs. base CRLs.
crlEntryExtensions are never included and the reasons and cRLIssuer crlEntryExtensions are never included, and the reasons and cRLIssuer
fields are never populated. fields are never populated.
All CRLs include the following CRL extensions: All CRLs include the following CRL extensions:
o The Authority Key Identifier extension: The keyIdentifier is the * The Authority Key Identifier extension: The keyIdentifier is the
64 low-order bits of the issuer's subjectPublicKey field. 64 low-order bits of the issuer's subjectPublicKey field.
o As per [RFC5280], the CRL Number extension. * As per [RFC5280], the CRL Number extension.
The only other extension included in partitioned base CRLs is the The only other extension included in partitioned base CRLs is the
Issuing Distribution Point extension. The distributionPoint is Issuing Distribution Point extension. The distributionPoint is
always identified by the fullName choice; the always identified by the fullName choice. The
uniformResourceIdenifier GeneralName choice is always included but uniformResourceIdentifier GeneralName choice is always included, but
others can also be used as long as the first element in the sequence others can also be used as long as the first element in the sequence
of distribution points is the uniformResourceIdenifier choice and the of distribution points is the uniformResourceIdentifier choice and
scheme is an HTTP/HTTPS scheme; all other fields are omitted. the scheme is an HTTP/HTTPS scheme. All other fields are omitted.
10. IANA Considerations 10. IANA Considerations
None. This document has no IANA actions.
11. Security Considerations 11. Security Considerations
This entire document is about security. This document profiles the This entire document is about security. This document profiles the
use of many protocols and services: EST, CMC, and PKCS#10/#7/#12 as use of many protocols and services: EST, CMC, and PKCS#10/#7/#12 as
well as certificates, CRLs, and their extensions [RFC5280]. These well as certificates, CRLs, and their extensions [RFC5280]. These
have been referred to throughout this document and those have been cited throughout this document, and the specifications
specifications should be consulted for security considerations identified by those citations should be consulted for security
related to implemented protocol and services. considerations related to implemented protocols and services.
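Review bot: Section 7.1 changes "distribute key packages" to "distribute packages", which widens what an SOA is described as authorized to create, sign, encrypt, and distribute, while the CMS Content Constraints paragraph in the same section still gives only key packages as examples; either state which package types are meant or keep "key packages". In Section 7.2, the discretionary list offers both a non-critical and a critical Subject Alternative Name extension as separate items, and a sentence saying that a given certificate carries only one of the two would remove the ambiguity.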
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, DOI Extensions (MIME) Part Two: Media Types", RFC 2046,
10.17487/RFC2046, November 1996, <https://www.rfc- DOI 10.17487/RFC2046, November 1996,
editor.org/info/rfc2046>. <https://www.rfc-editor.org/info/rfc2046>.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985, DOI Classes and Attribute Types Version 2.0", RFC 2985,
10.17487/RFC2985, November 2000, <https://www.rfc- DOI 10.17487/RFC2985, November 2000,
editor.org/info/rfc2985>. <https://www.rfc-editor.org/info/rfc2985>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986, DOI Request Syntax Specification Version 1.7", RFC 2986,
10.17487/RFC2986, November 2000, <https://www.rfc- DOI 10.17487/RFC2986, November 2000,
editor.org/info/rfc2986>. <https://www.rfc-editor.org/info/rfc2986>.
[RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509 [RFC3739] Santesson, S., Nystrom, M., and T. Polk, "Internet X.509
Public Key Infrastructure: Qualified Certificates Profile", Public Key Infrastructure: Qualified Certificates
RFC 3739, DOI 10.17487/RFC3739, March 2004, Profile", RFC 3739, DOI 10.17487/RFC3739, March 2004,
<https://www.rfc-editor.org/info/rfc3739>. <https://www.rfc-editor.org/info/rfc3739>.
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to [RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", RFC 4108, DOI 10.17487/RFC4108, Protect Firmware Packages", RFC 4108,
August 2005, <https://www.rfc-editor.org/info/rfc4108>. DOI 10.17487/RFC4108, August 2005,
<https://www.rfc-editor.org/info/rfc4108>.
[RFC5274] Schaad, J. and M. Myers, "Certificate Management Messages [RFC5274] Schaad, J. and M. Myers, "Certificate Management Messages
over CMS (CMC): Compliance Requirements", RFC 5274, DOI over CMS (CMC): Compliance Requirements", RFC 5274,
10.17487/RFC5274, June 2008, <https://www.rfc- DOI 10.17487/RFC5274, June 2008,
editor.org/info/rfc5274>. <https://www.rfc-editor.org/info/rfc5274>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>. <https://www.rfc-editor.org/info/rfc5280>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
DOI 10.17487/RFC5911, June 2010, <https://www.rfc- DOI 10.17487/RFC5911, June 2010,
editor.org/info/rfc5911>. <https://www.rfc-editor.org/info/rfc5911>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010, <https://www.rfc- DOI 10.17487/RFC5912, June 2010,
editor.org/info/rfc5912>. <https://www.rfc-editor.org/info/rfc5912>.
[RFC5913] Turner, S. and S. Chokhani, "Clearance Attribute and [RFC5913] Turner, S. and S. Chokhani, "Clearance Attribute and
Authority Clearance Constraints Certificate Extension", Authority Clearance Constraints Certificate Extension",
RFC 5913, DOI 10.17487/RFC5913, June 2010, RFC 5913, DOI 10.17487/RFC5913, June 2010,
<https://www.rfc-editor.org/info/rfc5913>. <https://www.rfc-editor.org/info/rfc5913>.
[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key [RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key
Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010,
<https://www.rfc-editor.org/info/rfc5915>. <https://www.rfc-editor.org/info/rfc5915>.
[RFC5916] Turner, S., "Device Owner Attribute", RFC 5916, DOI [RFC5916] Turner, S., "Device Owner Attribute", RFC 5916,
10.17487/RFC5916, June 2010, <https://www.rfc- DOI 10.17487/RFC5916, June 2010,
editor.org/info/rfc5916>. <https://www.rfc-editor.org/info/rfc5916>.
[RFC5917] Turner, S., "Clearance Sponsor Attribute", RFC 5917, DOI [RFC5917] Turner, S., "Clearance Sponsor Attribute", RFC 5917,
10.17487/RFC5917, June 2010, <https://www.rfc- DOI 10.17487/RFC5917, June 2010,
editor.org/info/rfc5917>. <https://www.rfc-editor.org/info/rfc5917>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958,
10.17487/RFC5958, August 2010, <https://www.rfc- DOI 10.17487/RFC5958, August 2010,
editor.org/info/rfc5958>. <https://www.rfc-editor.org/info/rfc5958>.
[RFC5959] Turner, S., "Algorithms for Asymmetric Key Package Content [RFC5959] Turner, S., "Algorithms for Asymmetric Key Package Content
Type", RFC 5959, DOI 10.17487/RFC5959, August 2010, Type", RFC 5959, DOI 10.17487/RFC5959, August 2010,
<https://www.rfc-editor.org/info/rfc5959>. <https://www.rfc-editor.org/info/rfc5959>.
[RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic [RFC6010] Housley, R., Ashmore, S., and C. Wallace, "Cryptographic
Message Syntax (CMS) Content Constraints Extension", Message Syntax (CMS) Content Constraints Extension",
RFC 6010, DOI 10.17487/RFC6010, September 2010, RFC 6010, DOI 10.17487/RFC6010, September 2010,
<https://www.rfc-editor.org/info/rfc6010>. <https://www.rfc-editor.org/info/rfc6010>.
[RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax [RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax
(CMS) Symmetric Key Package Content Type", RFC 6031, DOI (CMS) Symmetric Key Package Content Type", RFC 6031,
10.17487/RFC6031, December 2010, <https://www.rfc- DOI 10.17487/RFC6031, December 2010,
editor.org/info/rfc6031>. <https://www.rfc-editor.org/info/rfc6031>.
[RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax [RFC6032] Turner, S. and R. Housley, "Cryptographic Message Syntax
(CMS) Encrypted Key Package Content Type", RFC 6032, DOI (CMS) Encrypted Key Package Content Type", RFC 6032,
10.17487/RFC6032, December 2010, <https://www.rfc- DOI 10.17487/RFC6032, December 2010,
editor.org/info/rfc6032>. <https://www.rfc-editor.org/info/rfc6032>.
[RFC6033] Turner, S., "Algorithms for Cryptographic Message Syntax [RFC6033] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Encrypted Key Package Content Type", RFC 6033, DOI (CMS) Encrypted Key Package Content Type", RFC 6033,
10.17487/RFC6033, December 2010, <https://www.rfc- DOI 10.17487/RFC6033, December 2010,
editor.org/info/rfc6033>. <https://www.rfc-editor.org/info/rfc6033>.
[RFC6160] Turner, S., "Algorithms for Cryptographic Message Syntax [RFC6160] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Protection of Symmetric Key Package Content Types", (CMS) Protection of Symmetric Key Package Content Types",
RFC 6160, DOI 10.17487/RFC6160, April 2011, RFC 6160, DOI 10.17487/RFC6160, April 2011,
<https://www.rfc-editor.org/info/rfc6160>. <https://www.rfc-editor.org/info/rfc6160>.
[RFC6161] Turner, S., "Elliptic Curve Algorithms for Cryptographic [RFC6161] Turner, S., "Elliptic Curve Algorithms for Cryptographic
Message Syntax (CMS) Encrypted Key Package Content Type", Message Syntax (CMS) Encrypted Key Package Content Type",
RFC 6161, DOI 10.17487/RFC6161, April 2011, RFC 6161, DOI 10.17487/RFC6161, April 2011,
<https://www.rfc-editor.org/info/rfc6161>. <https://www.rfc-editor.org/info/rfc6161>.
[RFC6162] Turner, S., "Elliptic Curve Algorithms for Cryptographic [RFC6162] Turner, S., "Elliptic Curve Algorithms for Cryptographic
Message Syntax (CMS) Asymmetric Key Package Content Type", Message Syntax (CMS) Asymmetric Key Package Content Type",
RFC 6162, DOI 10.17487/RFC6162, April 2011, RFC 6162, DOI 10.17487/RFC6162, April 2011,
<https://www.rfc-editor.org/info/rfc6162>. <https://www.rfc-editor.org/info/rfc6162>.
[RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules for [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules
the Cryptographic Message Syntax (CMS) and the Public Key for the Cryptographic Message Syntax (CMS) and the Public
Infrastructure Using X.509 (PKIX)", RFC 6268, DOI Key Infrastructure Using X.509 (PKIX)", RFC 6268,
10.17487/RFC6268, July 2011, <https://www.rfc- DOI 10.17487/RFC6268, July 2011,
editor.org/info/rfc6268>. <https://www.rfc-editor.org/info/rfc6268>.
[RFC6402] Schaad, J., "Certificate Management over CMS (CMC) [RFC6402] Schaad, J., "Certificate Management over CMS (CMC)
Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011, Updates", RFC 6402, DOI 10.17487/RFC6402, November 2011,
<https://www.rfc-editor.org/info/rfc6402>. <https://www.rfc-editor.org/info/rfc6402>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, DOI "Enrollment over Secure Transport", RFC 7030,
10.17487/RFC7030, October 2013, <https://www.rfc- DOI 10.17487/RFC7030, October 2013,
editor.org/info/rfc7030>. <https://www.rfc-editor.org/info/rfc7030>.
[RFC7191] Housley, R., "Cryptographic Message Syntax (CMS) Key [RFC7191] Housley, R., "Cryptographic Message Syntax (CMS) Key
Package Receipt and Error Content Types", RFC 7191, DOI Package Receipt and Error Content Types", RFC 7191,
10.17487/RFC7191, April 2014, <https://www.rfc- DOI 10.17487/RFC7191, April 2014,
editor.org/info/rfc7191>. <https://www.rfc-editor.org/info/rfc7191>.
[RFC7192] Turner, S., "Algorithms for Cryptographic Message Syntax [RFC7192] Turner, S., "Algorithms for Cryptographic Message Syntax
(CMS) Key Package Receipt and Error Content Types", (CMS) Key Package Receipt and Error Content Types",
RFC 7192, DOI 10.17487/RFC7192, April 2014, RFC 7192, DOI 10.17487/RFC7192, April 2014,
<https://www.rfc-editor.org/info/rfc7192>. <https://www.rfc-editor.org/info/rfc7192>.
[RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A., [RFC7292] Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A.,
and M. Scott, "PKCS #12: Personal Information Exchange and M. Scott, "PKCS #12: Personal Information Exchange
Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014, Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014,
<https://www.rfc-editor.org/info/rfc7292>. <https://www.rfc-editor.org/info/rfc7292>.
[RFC7906] Timmel, P., Housley, R., and S. Turner, "NSA's [RFC7906] Timmel, P., Housley, R., and S. Turner, "NSA's
Cryptographic Message Syntax (CMS) Key Management Cryptographic Message Syntax (CMS) Key Management
Attributes", RFC 7906, DOI 10.17487/RFC7906, June 2016, Attributes", RFC 7906, DOI 10.17487/RFC7906, June 2016,
<https://www.rfc-editor.org/info/rfc7906>. <https://www.rfc-editor.org/info/rfc7906>.
[RFC8295] Turner, S., "EST (Enrollment over Secure Transport) [RFC8295] Turner, S., "EST (Enrollment over Secure Transport)
Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018, Extensions", RFC 8295, DOI 10.17487/RFC8295, January 2018,
<https://www.rfc-editor.org/info/rfc8295>. <https://www.rfc-editor.org/info/rfc8295>.
[RFC8603] Jenkins, M. and L. Zieglar, "Commercial National Security [RFC8603] Jenkins, M. and L. Zieglar, "Commercial National Security
Algorithm (CNSA) Suite Certificate and Certificate Algorithm (CNSA) Suite Certificate and Certificate
Revocation List (CRL) Profile", RFC 8603, DOI Revocation List (CRL) Profile", RFC 8603,
10.17487/RFC8603, May 2019, <https://www.rfc- DOI 10.17487/RFC8603, May 2019,
editor.org/info/rfc8603>. <https://www.rfc-editor.org/info/rfc8603>.
[RFC8755] Jenkins, M., "Using CNSA Suite Algorithms in [RFC8755] Jenkins, M., "Using Commercial National Security Algorithm
Secure/Multipurpose Internet Mail Extensions(S/MIME)", Suite Algorithms in Secure/Multipurpose Internet Mail
RFC 8755, DOI 10.17487/RFC8755, March 2020, Extensions", RFC 8755, DOI 10.17487/RFC8755, March 2020,
<https://www.rfc-editor.org/info/rfc8755>. <https://www.rfc-editor.org/info/rfc8755>.
[RFC8756] Jenkins, M. and L. Zieglar, "Commercial [RFC8756] Jenkins, M. and L. Zieglar, "Commercial National Security
National Security Algorithm (CNSA) Suite Profile of Algorithm (CNSA) Suite Profile of Certificate Management
Certificate Management over CMS", RFC 8756, over CMS", RFC 8756, DOI 10.17487/RFC8756, March 2020,
DOI 10.17487/RFC8756, March 2020, <https://www.rfc-editor.org/info/rfc8756>.
<https://www.rfc-editor.org/info/rfc8756>.
[XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and [RFC9151] Cooley, D., "Commercial National Security Algorithm (CNSA)
F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Suite Profile for TLS and DTLS 1.2 and 1.3", RFC 9151,
Edition)", World Wide Web Consortium Recommendation DOI 10.17487/RFC9151, April 2022,
REC-xml-20081126, November 2008, <https://www.rfc-editor.org/info/rfc9151>.
<https://www.w3.org/TR/2008/REC-xml-20081126/>.
[SP 800-59] National Institute of Standards and Technology, [SP-800-59]
"Guideline for Identifying an Information System as a National Institute of Standards and Technology, "Guideline
National Security System", SP 800-59, August 2003, for Identifying an Information System as a National
<https://csrc.nist.gov/publications/detail/sp/800- Security System", DOI 10.6028/NIST.SP.800-59, NIST Special
59/final>. Publication 800-59, August 2003,
<https://csrc.nist.gov/publications/detail/sp/800-59/
final>.
[ID.cnsa-tls-profile] Authors, "Commercial National Security [XML] Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E.,
Algorithm (CNSA) Suite Profile of TLS", work-in-progress, and F. Yergeau, "Extensible Markup Language (XML) 1.0
<https://www.ietf.org/internet-drafts/draft-cooley-cnsa- (Fifth Edition)", World Wide Web Consortium
dtls-tls-profile-04>. Recommendation REC-xml-20081126, November 2008,
<https://www.w3.org/TR/2008/REC-xml-20081126/>.
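Review bot: two reference tags change in the right-hand column of this block, and the reference list alone does not show that the in-text citations were updated to match. [ID.cnsa-tls-profile] (a work-in-progress draft URL) becomes [RFC9151], and [SP 800-59] becomes [SP-800-59]. Search the body for the old tags before accepting the change, since a leftover citation of the old tag would have no matching entry.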
12.2. Informative References 12.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI Requirement Levels", BCP 14, RFC 2119,
10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Authors' Addresses Authors' Addresses
Michael Jenkins Michael Jenkins
National Security Agency National Security Agency
Email: mjjenki@cyber.nsa.gov
EMail: mjjenki@cyber.nsa.gov
Sean Turner Sean Turner
sn3rd sn3rd
Email: sean@sn3rd.com
EMail: sean@sn3rd.com
 End of changes. 126 change blocks. 
481 lines changed or deleted 502 lines changed or added
