<?xml version="1.0"encoding="US-ASCII"?> <!-- change the "txt" on the previous line to "xml" to make this a valid XML2RFC template --> <!-- this is version 5 of this xml2rfc template -->encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"[ <!ENTITYRFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> <!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml"> <!ENTITY RFC4210 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4210.xml"> <!ENTITY RFC6712 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6712.xml"> <!ENTITY RFC7252 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7252.xml"> <!ENTITY RFC7959 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7959.xml"> <!ENTITY RFC8446 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8446.xml"> <!ENTITY RFC8323 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8323.xml"> <!ENTITY RFC8615 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8615.xml"> <!ENTITY RFC6690 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6690.xml"> <!ENTITY RFC5280 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5280.xml"> <!ENTITY RFC7641 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7641.xml"> <!ENTITY RFC9147 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9147.xml">nbsp " "> <!ENTITYRFC9112 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.9112.xml">zwsp "​"> <!ENTITYI-D.ietf-lamps-lightweight-cmp-profile SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-lamps-lightweight-cmp-profile-21.xml">nbhy "‑"> <!ENTITYI-D.ietf-lamps-cmp-updates SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-lamps-cmp-updates-23.xml">wj "⁠"> ]><?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?> <?rfc strict="no"?> <?rfc rfcedstyle="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-ace-cmpv2-coap-transport-10"ipr="trust200902">number="9482" ipr="trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.17.1 --> <front> <title abbrev="CoAP Transfer forthe CMP">CoAPCMP">Constrained Application Protocol (CoAP) Transfer for the Certificate Management Protocol</title> <seriesInfo name="RFC" value="9482"/> <author fullname="Mohit Sahni" initials="M" role="editor" surname="Sahni"> <organization>Palo Alto Networks</organization> <address> <postal> <street>3000 Tannery Way</street> <city>Santa Clara</city> <region>CA</region> <code>95054</code><country>US</country><country>United States of America</country> </postal> <email>msahni@paloaltonetworks.com</email> </address> </author> <author fullname="Saurabh Tripathi" initials="S" role="editor" surname="Tripathi"> <organization>Palo Alto Networks</organization> <address> <postal> <street>3000 Tannery Way</street> <city>Santa Clara</city> <region>CA</region> <code>95054</code><country>US</country><country>United States of America</country> </postal> <email>stripathi@paloaltonetworks.com</email> </address> </author><!-- month and day will be generated automatically by XML2RFC; be sure the year is current.--><date year="2023"/> <!-- IETF area is optional --> <area>Authentication and Authorization for Constrained Environments</area> <!--WG name at the upperleft corner of the doc, IETF is fine for non-WG IETF submissions --> <workgroup>ACE</workgroup> <!--add additional keywords here for IETF website search engine -->month="October"/> <area>sec</area> <workgroup>ace</workgroup> <abstract> <t> This document specifies the use of the Constrained Application Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol (CMP). CMP defines the interaction between various PKI entities for the purpose of certificate creation and management. CoAP is an HTTP-like client-server protocol used by various constrained devices in theIoTInternet of Things space. </t> </abstract> </front> <middle> <sectiontitle="Introduction" anchor="sect-1">anchor="sect-1" numbered="true" toc="default"> <name>Introduction</name> <t> The Certificate Management Protocol (CMP) <xref target="RFC4210"/>format="default"/> is used by the PKI entities for the generation and management of certificates. One of the requirements ofCertificate Management ProtocolCMP is to be independent of the transport protocol in use. CMP has mechanisms to take care of required transactions, errorreportingreporting, and protection of messages. </t> <t> The Constrained Application Protocol (CoAP) defined in <xref target="RFC7252"/>,format="default"/>, <xref target="RFC7959"/>format="default"/>, and <xref target="RFC8323"/>format="default"/> is a client-server protocol like HTTP. It is designed to be used by constrained devices over constrained networks. The recommended transport for CoAP isUDP, howeverUDP; however, <xref target="RFC8323"/>format="default"/> specifies the support of CoAP over TCP,TLSTLS, andWebsockets.WebSockets. </t> <t> This document specifies the use of CoAP over UDP as a transport medium forthe CMP version 2<xref target="RFC4210"/>,format="default">CMP version 2</xref>, <xreftarget="I-D.ietf-lamps-cmp-updates">target="RFC9480" format="default"> CMP version 3 </xref>designated(designated as CMP in thisdocumentdocument), and the <xreftarget="I-D.ietf-lamps-lightweight-cmp-profile">Lightweighttarget="RFC9483" format="default">Lightweight CMP Profile</xref>.This document, inIn general, this document follows the HTTP transfer for CMP specifications defined in <xref target="RFC6712"/>format="default"/> and specifies the requirements for using CoAP as a transfer mechanism fortheCMP. </t> <t> This document also provides guidance on how to use a "CoAP-to-HTTP" proxy to ease adoption of a CoAP transfer mechanism by enabling the interconnection with existing PKI entities already providing CMP over HTTP. </t> <sectiontitle="Terminology">numbered="true" toc="default"> <name>Requirements Language</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",and "OPTIONAL""<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119" />target="RFC2119"/> <xreftarget="RFC8174" />target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> </section> <sectiontitle="CoAPanchor="sect-2" numbered="true" toc="default"> <name>CoAP Transfer Mechanism forCMP" anchor="sect-2">CMP</name> <t> A CMP transaction consists of exchanging PKIMessages <xref target="RFC4210"/>format="default"/> between PKIEnd Entitiesend entities (EEs),Registration Authoritiesregistration authorities (RAs), andCertification Authoritiescertification authorities (CAs). If the EEs are constraineddevicesdevices, then they may prefer, as a CMP client, the use of CoAP instead of HTTP as the transfer mechanism.TheIn general, the RAs andCAs, in general,CAs are not constrained and can support both CoAP and HTTPClientclient andServerserver implementations. This section specifies how to use CoAP as the transfer mechanism forthe Certificate Management Protocol.CMP. </t> <sectiontitle="CoAPanchor="sect-2.1" numbered="true" toc="default"> <name>CoAP URIFormat" anchor="sect-2.1">Format</name> <t> The CoAP URI format is described insection 6 of<xref target="RFC7252"/>.section="6" sectionFormat="of" format="default"/>. The CoAP endpointsMUST<bcp14>MUST</bcp14> support use of the path prefix "/.well-known/" as defined in <xref target="RFC8615"/>format="default"/> and the registered name "cmp" to help with endpoint discovery and interoperability. Optional path segmentsMAY<bcp14>MAY</bcp14> be added after the registered application name(i.e.(i.e., after "/.well-known/cmp") to provide distinction. The path segment 'p' followed by an arbitraryLabel <name>couldcould, forexampleexample, support the differentiation of specific CAs or certificate profiles. Further path segments,e.g.,for example, as specified inthe Lightweight<xref target="RFC9483">Lightweight CMPProfile [I-D.ietf-lamps-lightweight-cmp-profile],Profile</xref>, could indicate PKI management operations using an operationLabel <operation>. A valid full CMP URI can look like this: </t><figure> <artwork> <![CDATA[<artwork name="" type="" align="left" alt=""><![CDATA[ coap://www.example.com/.well-known/cmp coap://www.example.com/.well-known/cmp/<operation> coap://www.example.com/.well-known/cmp/p/<profileLabel> coap://www.example.com/.well-known/cmp/p/<profileLabel>/<operation>]]> </artwork> </figure>]]></artwork> </section> <sectiontitle="Discoveryanchor="sect-2.2" numbered="true" toc="default"> <name>Discovery of CMPRA/CA" anchor="sect-2.2">RA/CA</name> <t> The EEs can be configured with enough information to form the CMP server URI. The minimum information that can be configured is thescheme i.e.scheme, i.e., "coap:" or"coaps:""coaps:", and the authority portion of the URI,e.g.e.g., "example.com:5683". If the port number is not specified in the authority, then the defaultportsport numbersMUST<bcp14>MUST</bcp14> be assumed for the "coap:" andthe"coaps:" scheme URIs. The default port forcoap:"coap:" scheme URIs is 5683 and the default port forcoaps:"coaps:" scheme URIs is 5684 <xref target="RFC7252"/>.format="default"/>. </t> <t> Optionally, in the environments where a LocalRegistration Authority (LRA)RA ora LocalCA is deployed, EEs can also use the CoAP service discovery mechanism <xref target="RFC7252"/>format="default"/> to discover the URI of the Local RA or CA. The CoAP CMP endpoints supporting service discoveryMUST<bcp14>MUST</bcp14> also support resource discovery in theCoREConstrained RESTful Environments (CoRE) LinkFormatFormat, as described in <xref target="RFC6690"/>.format="default"/>. TheLink MUSTlink <bcp14>MUST</bcp14> include the 'ct' attribute defined insection 7.2.1 of<xref target="RFC7252"/>section="7.2.1" sectionFormat="of" format="default"/> with the value of"application/pkixcmp""application/pkixcmp", as defined in theCoAP Content-Formats"CoAP Content-Formats" IANA registry. </t> </section> <sectiontitle="CoAPanchor="sect-2.3" numbered="true" toc="default"> <name>CoAP RequestFormat" anchor="sect-2.3">Format</name> <t> The CMP PKIMessagesMUST<bcp14>MUST</bcp14> be DER encoded and sent as the body of the CoAP POST request. A CMP clientMUST<bcp14>MUST</bcp14> send each CoAPrequestsrequest marked as a Confirmable message <xref target="RFC7252"/>.format="default"/>. If the CoAP request issuccessfulsuccessful, then the CMP RA or CAMUST<bcp14>MUST</bcp14> return a Success 2.xx responsecode otherwisecode; otherwise, the CMP RA or CAMUST<bcp14>MUST</bcp14> return an appropriate Client Error 4.xx or Server Error 5.xx response code. A CMP RA or CA may choose to send aPiggybackedpiggybacked response <xref target="RFC7252"/>format="default"/> to theclientclient, or itMAY<bcp14>MAY</bcp14> send aSeparateseparate response <xref target="RFC7252"/>format="default"/> in case it takes some time forCA orthe RA or CA to process the CMP transaction. </t> <t> When transferring CMPPKIMesssagePKIMessage overCoAPCoAP, the content-format "application/pkixcmp"MUST<bcp14>MUST</bcp14> be used. </t> </section> <sectiontitle="CoAPanchor="sect-2.4" numbered="true" toc="default"> <name>CoAP Block-Wise TransferMode" anchor="sect-2.4">Mode</name> <t> A CMPPKIMesssagePKIMessage consists of a header, body, protection, and extraCertsstructuresstructure, which may contain many optional and potentially large fields. Thus, a CMP message can be much larger than the Maximum Transmission Unit (MTU) of the outgoing interface of the device. The EEs and RAs orCAs, MUSTCAs <bcp14>MUST</bcp14> use theBlock-Wiseblock-wise transfer mode <xref target="RFC7959"/>format="default"/> to transfer such large messages instead of relying on IP fragmentation. </t> <t> If a CoAP-to-HTTP proxy is in the path between EEs andCAan RA or EEs andRA then,a CA and if the server supports, then itMUST<bcp14>MUST</bcp14> use the chunked transfer encoding <xref target="RFC9112"/>format="default"/> to send data over the HTTP transport. The proxyMUST<bcp14>MUST</bcp14> try to reduce the number of packets sent by using an optimal chunk length for the HTTP transport. </t> </section> <sectiontitle="Multicast CoAP" anchor="sect-2.5">anchor="sect-2.5" numbered="true" toc="default"> <name>Multicast CoAP</name> <t> CMP PKIMessages sent over CoAPMUST NOT<bcp14>MUST NOT</bcp14> use a Multicast destination address. </t> </section> <sectiontitle="Announcement PKIMessage" anchor="sect-2.6">anchor="sect-2.6" numbered="true" toc="default"> <name>Announcement PKIMessage</name> <t> A CMP server may publishannouncements,announcements that can beeventtriggered by an event orperiodic,periodicly for the other PKI entities. Here is the list of CMP announcement messages prefixed by their respective ASN.1 identifier(section 5.1.2(see <xreftarget="RFC4210"/>) </t> <figure> <artwork> <![CDATA[target="RFC4210" format="default" sectionFormat="of" section="5.1.2"/>): </t> <artwork name="" type="" align="left" alt=""><![CDATA[ [15] CA Key Update Announcement [16] Certificate Announcement [17] Revocation Announcement [18] CRL Announcement]]> </artwork> </figure>]]></artwork> <t> An EEMAY<bcp14>MAY</bcp14> use the CoAP ObserveoptionOption <xref target="RFC7641"/>format="default"/> to register itself to get any announcement messages from the RA or CA. The EE can send a GET request to the server's URI suffixed by "/ann". Forexampleexample, a path to register for announcement messages may look like this:<figure> <artwork> <![CDATA[</t> <artwork name="" type="" align="left" alt=""><![CDATA[ coap://www.example.com/.well-known/cmp/ann coap://www.example.com/.well-known/cmp/p/<profileLabel>/ann]]> </artwork> </figure>]]></artwork> <t> If the server supports CMPAnnouncementsannouncement messages, then itMUST<bcp14>MUST</bcp14> send an appropriate Success 2.xx responsecode, otherwisecode; otherwise, itMUST<bcp14>MUST</bcp14> send an appropriate Client Error 4.xx or Server Error 5.xx response code. If for some reason the server cannot add the client to its list of observers for the announcements, it can omit the ObserveoptionOption <xref target="RFC7641"/>format="default"/> in the response to the client.A client onUpon receiving a Success 2.xxsuccessresponse without the ObserveoptionOption <xref target="RFC7641"/> MAY tryformat="default"/>, after sometimetime, a client <bcp14>MAY</bcp14> try to register again for announcements from the CMP server. Since a server can remove the EE from the list of observers for announcement messages, an EESHOULD<bcp14>SHOULD</bcp14> periodicallyre-registerreregister itself for announcement messages. </t> <t> Alternatively, an EEMAY<bcp14>MAY</bcp14> periodically poll for the current status of the CA via the "PKI Information Request"message,message; seesection 6.5 of<xref target="RFC4210"/>.section="6.5" sectionFormat="of" format="default"/>. If supported, EEsMAY<bcp14>MAY</bcp14> also use"Support Messages""support messages" defined insection 4.3 of<xreftarget="I-D.ietf-lamps-lightweight-cmp-profile">Lightweighttarget="RFC9483" section="4.3" sectionFormat="of" format="default">Lightweight CMP Profile</xref> to get information about the CA status. These mechanisms will help constraineddevices,devices that are acting asEEs,EEs to conserve resources by eliminating the need to create an endpoint for receiving notifications from the RA or CA. It will also simplify the implementation of a CoAP-to-HTTP proxy. </t> </section> </section> <sectiontitle="Proxy Support" anchor="sect-3">anchor="sect-3" numbered="true" toc="default"> <name>Proxy Support</name> <t> This section provides guidance on using a CoAP-to-HTTP proxy between EEs and RAs or CAs in order to avoid changes to the existing PKI implementation. </t> <t> Since the CMP payload is the same over CoAP and HTTP transfer mechanisms, a CoAP-to-HTTP cross-protocol proxy can be implemented based onsection 10 of<xref target="RFC7252"/>.section="10" sectionFormat="of" format="default"/>. The CoAP-to-HTTP proxy can either be located closer to the EEs or closer to the RA or CA. The proxyMAY<bcp14>MAY</bcp14> support service discovery and resourcediscoverydiscovery, as described insection 2.2.<xref target="sect-2.2"/>. The CoAP-to-HTTP proxyMUST<bcp14>MUST</bcp14> function as a reverse proxy, only permitting connections to a limited set ofpre-configuredpreconfigured servers. It is out of scope of this document to specify how a reverse proxy can route CoAP client requests to one of the configured servers. Some recommended mechanisms are as follows: </t><t> <list style="symbols"> <?rfc subcompact="yes"?> <t> Use<ul spacing="normal"> <li>Use the Uri-Path option to identify aserver. </t> <t> Useserver.</li> <li>Use separate hostnames for each of the configured servers and then use the Uri-Host option for routing the CoAPrequests. </t> <t> Userequests.</li> <li>Use separate hostnames for each of the configured servers and then use Server Name Indication <xref target="RFC8446"/>format="default"/> in case of the "coaps://" scheme for routing CoAPrequests. </t> </list> </t> <t></t>requests.</li> </ul> <t/> </section> <sectiontitle="Security Considerations" anchor="sect-4"> <list style="symbols"> <t>anchor="sect-4" numbered="true" toc="default"> <name>Security Considerations</name> <ul spacing="compact"> <li> If PKIProtection is used, the PKIHeader and PKIBody of the CMPprotocolare cryptographically protected against malicious modifications. As such, UDP can be used without compromising the security of theCMP protocol.CMP. SecurityConsiderationsconsiderations for CoAP are defined in <xref target="RFC7252"/>. </t> <t>format="default"/>. </li> <li> The CMPprotocoldoes not provide confidentiality of the CMP payloads. If confidentiality is desired, CoAP over DTLS <xreftarget="RFC9147"/> SHOULDtarget="RFC9147" format="default"/> <bcp14>SHOULD</bcp14> be used to provide confidentiality for the CMPpayloads, althoughpayloads; although, it cannot conceal that the CMPprotocolis used within the DTLS layer.</t> <t> Section 9.1 of</li> <li> <xref target="RFC7252"/>section="9.1" sectionFormat="of" format="default"/> defines how to use DTLS <xref target="RFC9147"/>format="default"/> for securingtheCoAP. DTLS <xref target="RFC9147"/>format="default"/> associationsSHOULD<bcp14>SHOULD</bcp14> be kept alive andre-usedreused where possible to amortize on the additional overhead of DTLS on constrained devices.</t> <t></li> <li> An EE might not witness all of theAnnouncementannouncement messages when using the CoAP ObserveoptionOption <xref target="RFC7641"/>,format="default"/>, since the ObserveoptionOption is a "best-effort" approach and the server might lose its state for subscribers to its announcement messages. The EEs may use an alternate method described insection 2.6<xref target="sect-2.6"/> to obtain time criticalchangeschanges, such asCRLCertificate Revocation List (CRL) <xreftarget="RFC5280"/>target="RFC5280" format="default"/> updates.</t> <t></li> <li> ImplementationsSHOULD<bcp14>SHOULD</bcp14> use the available datagram size and avoid sending small datagrams containing partial CMP PKIMessage data in order to reduce memory usage for packet buffering.</t> <t></li> <li> A CoAP-to-HTTP proxy can also protect the PKI entities by handling UDP and CoAP messages. The proxy can mitigateattacksattacks, likedenial of servicedenial-of-service attacks, replayattacksattacks, and resource-exhaustionattacksattacks, by enforcing basiccheckschecks, like validating that the ASN.1 syntax is compliant to CMP messages and validating the PKIMessage protection before sending them to PKI entities.</t> <t></li> <li> Since theProxyproxy may have access to theCMP-LevelCMP-level metadata and control over the flow of CMPmessages thereforemessages, properrole basedrole-based access control should be in place. The proxy can be deployed at the edge of the"End Entities""end entities" network or in front of an RA and CA to protect them.TheHowever, the proxyhowevermay itself be vulnerable to resource-exhaustion attacks as it's required to buffer the CMP messages received over CoAP transport before sending it to the HTTP endpoint. This can be mitigated by using short timers for discarding the buffered messages and rate limiting clients based on the resource usage.</t> </list></li> </ul> </section> <sectiontitle="IANA Considerations" anchor="sect-5"> <t> This document adds a new entry to the <eref target="https://www.iana.org/assignments/core-parameters/core-parameters.xhtml#content-formats">CoAP Content-Formatsanchor="sect-5" numbered="true" toc="default"> <name>IANA Considerations</name> <!-- Note: IANARegistry</eref> forremoved thecode of content-type "application/pkixcmp", for transferring CMP transactions over CoAP,"Content Coding text from CoAP Content-Format 259" based on feedback from theidentifier range 256-9999 reserved for IETF specifications. </t> <t> Type name: application </t> <t> Subtype name: pkixcmp </t>DE. --> <t>Encoding: Content may contain arbitrary octet values. The octet values are the ASN.1 DER encoding of a PKI message, as definedIANA has registered "application/pkixcmp" (ID 259) in the<xref target="RFC4210" /> specifications.<eref target="https://www.iana.org/assignments/core-parameters" brackets="angle">"CoAP Content-Formats" registry</eref> to transfer CMP transactions over CoAP. </t><t> Reference: This document and<dl newline="false" spacing="compact"> <dt>Type name:</dt> <dd>application</dd> <dt>Subtype name:</dt> <dd>pkixcmp</dd> <dt>Reference:</dt> <dd>RFC 9482 <xref target="RFC4210"/> </t> <t> This documentformat="default"/></dd> </dl> <t>IANA has alsoaddsregistered a new path segment "ann"toin the <ereftarget="https://www.iana.org/assignments/cmp/cmp.xhtml#cmp-well-known-uri">CMPtarget="https://www.iana.org/assignments/cmp" brackets="angle">"CMP Well-Known URI PathSegments</eref> IANA registrySegments" registry</eref> for the EEs to register themselves for the announcement messages. </t><t> Path Segment: ann </t> <t> Description: The<dl newline="false" spacing="compact"> <dt>Path Segment:</dt> <dd>ann</dd> <dt>Description:</dt> <dd>The path to send a GET request with the CoAPObserverObserve Option to register for CMP announcementmessages. </t> <t> Reference: This document. </t>messages.</dd> <dt>Reference:</dt> <dd>RFC 9482</dd> </dl> <t>ThisIANA has added this documentreferencesas a reference for thecmp,"cmp" entry in the <ereftarget="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">Well-Known URIs</eref>target="https://www.iana.org/assignments/well-known-uris" brackets="angle">"Well-Known URIs" registry</eref>. </t> <t> IANAregistry. Please add a reference ofhas also added this documentto the <eref target="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">Well-Known URIs</eref> IANA registryas a reference forthat entry. </t> <t> This document also refersthepath segment"p" entry in the <ereftarget="https://www.iana.org/assignments/cmp/cmp.xhtml#cmp-well-known-uri">CMP Well-Known URI Path Segments</eref> IANA registry. Please add a reference of this document to the <eref target="https://www.iana.org/assignments/cmp/cmp.xhtml#cmp-well-known-uri">CMPtarget="https://www.iana.org/assignments/cmp/" brackets="angle">"CMP Well-Known URI PathSegments</eref> for that path segment. </t> <t> [Note RFC Editor]: This document should be published together or after the <xref target="I-D.ietf-lamps-cmp-updates"> CMP version 3 </xref> as it references IANA entries created by that Internet draft.Segments" registry</eref>. </t> </section> </middle> <back> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6712.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4210.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"/> <reference anchor="RFC9480" target="https://www.rfc-editor.org/info/rfc9480"> <front> <title>Certificate Management Protocol (CMP) Updates</title> <author initials='H' surname='Brockhaus' fullname='Hendrik Brockhaus' role='editor'> <organization /> </author> <author initials='D' surname='von Oheimb' fullname='David von Oheimb'> <organization /> </author> <author initials="J" surname="Gray" fullname="John Gray"> <organization/> </author> <date year='2023' month='October'/> </front> <seriesInfo name="RFC" value="9480"/> <seriesInfo name="DOI" value="10.17487/RFC9480"/> </reference> <reference anchor="RFC9483" target="https://www.rfc-editor.org/info/rfc9483"> <front> <title>Lightweight Certificate Management Protocol (CMP) Profile</title> <author initials='H' surname='Brockhaus' fullname='Hendrik Brockhaus'> <organization /> </author> <author initials='D' surname='von Oheimb' fullname='David von Oheimb'> <organization /> </author> <author initials='S' surname='Fries' fullname='Steffen Fries'> <organization /> </author> <date year='2023' month='October'/> </front> <seriesInfo name="RFC" value="9483"/> <seriesInfo name="DOI" value="10.17487/RFC9483"/> </reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8615.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6690.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7641.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9112.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8323.xml"/> </references> </references> <sectiontitle="Acknowledgments" anchor="sect-6">anchor="sect-6" numbered="false" toc="default"> <name>Acknowledgements</name> <t> The authors would like to thankHendrik Brockhaus, David<contact fullname="Hendrik Brockhaus"/>, <contact fullname="David vonOheimb,Oheimb"/>, andAndreas Kretschmer<contact fullname="Andreas Kretschmer"/> for their guidance in writing the content of this document and providing valuable feedback. </t> </section></middle> <back> <!-- References Section --> <references title="Normative References"> &RFC2119; &RFC8174; &RFC6712; &RFC4210; &RFC7252; &RFC7959; &I-D.ietf-lamps-cmp-updates; &I-D.ietf-lamps-lightweight-cmp-profile; &RFC8615; &RFC6690; &RFC7641; &RFC9147; &RFC9112; </references> <references title="Informative References"> &RFC5280; &RFC8446; &RFC8323; </references></back> </rfc>