draft-ietf-lamps-cmp-updates-05.txt   draft-ietf-lamps-cmp-updates-06.txt 
LAMPS Working Group H. Brockhaus LAMPS Working Group H. Brockhaus
Internet-Draft Siemens Internet-Draft Siemens
Updates: 4210, 6712 (if approved) September 22, 2020 Updates: 4210, 6712 (if approved) November 2, 2020
Intended status: Standards Track Intended status: Standards Track
Expires: March 26, 2021 Expires: May 6, 2021
CMP Updates CMP Updates
draft-ietf-lamps-cmp-updates-05 draft-ietf-lamps-cmp-updates-06
Abstract Abstract
This document contains a set of updates to the base syntax and This document contains a set of updates to the base syntax and
transport of Certificate Management Protocol (CMP) version 2. This transport of Certificate Management Protocol (CMP) version 2. This
document updates RFC 4210 and RFC 6712. document updates RFC 4210 and RFC 6712.
Specifically, the CMP services updated in this document comprise the Specifically, the CMP services updated in this document comprise the
enabling of using EnvelopedData instead of EncryptedValue, adding new enabling of using EnvelopedData instead of EncryptedValue, adding new
general message types, the definition of extended key usages to general message types, the definition of extended key usages to
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 26, 2021. This Internet-Draft will expire on May 6, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 33 skipping to change at page 2, line 33
Pair Types . . . . . . . . . . . . . . . . . . . . . . . 10 Pair Types . . . . . . . . . . . . . . . . . . . . . . . 10
2.8. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 10 2.8. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 10
2.9. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 10 2.9. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 10
2.10. New Section 5.3.19.15 - Root CA Certificates Update . . . 11 2.10. New Section 5.3.19.15 - Root CA Certificates Update . . . 11
2.11. New Section 5.3.19.16 - Certificate Request Template . . 11 2.11. New Section 5.3.19.16 - Certificate Request Template . . 11
2.12. Update Section 5.3.22 - Polling Request and Response . . 12 2.12. Update Section 5.3.22 - Polling Request and Response . . 12
2.13. Update Section 9 - IANA Considerations . . . . . . . . . 13 2.13. Update Section 9 - IANA Considerations . . . . . . . . . 13
2.14. Update Appendix B - The Use of Revocation Passphrase . . 14 2.14. Update Appendix B - The Use of Revocation Passphrase . . 14
2.15. Update Appendix C - Request Message Behavioral 2.15. Update Appendix C - Request Message Behavioral
Clarifications . . . . . . . . . . . . . . . . . . . . . 15 Clarifications . . . . . . . . . . . . . . . . . . . . . 15
2.16. Update Appendix D.4. - Initial Registration/Certification 2.16. Update Appendix D.2. - Algorithm Use Profile . . . . . . 16
2.17. Update Appendix D.4. - Initial Registration/Certification
(Basic Authenticated Scheme) . . . . . . . . . . . . . . 16 (Basic Authenticated Scheme) . . . . . . . . . . . . . . 16
3. Updates to RFC 6712 - HTTP Transfer for the Certificate 3. Updates to RFC 6712 - HTTP Transfer for the Certificate
Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 16 Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 16
3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 16 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 16
3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 16 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 17
3.3. Update Section 6. - IANA Considerations . . . . . . . . . 18 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 18
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1. Normative References . . . . . . . . . . . . . . . . . . 19 7.1. Normative References . . . . . . . . . . . . . . . . . . 19
7.2. Informative References . . . . . . . . . . . . . . . . . 20 7.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 20 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 21
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 20 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 21
A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 33 A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 33
Appendix B. History of changes . . . . . . . . . . . . . . . . . 45 Appendix B. History of changes . . . . . . . . . . . . . . . . . 46
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 48 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 49
1. Introduction 1. Introduction
[RFC Editor: please delete]: !!! The change history was moved to
Appendix B !!!
While using CMP [RFC4210] in industrial and IoT environments and While using CMP [RFC4210] in industrial and IoT environments and
developing the Lightweight CMP Profile developing the Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were
identified in the original CMP specification. This document updates identified in the original CMP specification. This document updates
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these
limitations. limitations.
In general, this document aims to improve the crypto agility of CMP In general, this document aims to improve the crypto agility of CMP
to be flexible to react on future advances in cryptography. to be flexible to react on future advances in cryptography.
This document also introduces new extended key usages to identify CMP This document also introduces new extended key usages to identify CMP
endpoints on registration and certification authorities. endpoints on registration and certification authorities.
1.1. Convention and Terminology 1.1. Convention and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all capitals, as shown
In this document, these words will appear with that interpretation here.
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying significance described in RFC 2119.
Technical terminology is used in conformance with RFC 4210 [RFC4210], Technical terminology is used in conformance with RFC 4210 [RFC4210],
RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words
are used: are used:
CA: Certification authority, which issues certificates. CA: Certification authority, which issues certificates.
RA: Registration authority, an optional system component to which a RA: Registration authority, an optional system component to which a
CA delegates certificate management functions such as CA delegates certificate management functions such as
authorization checks. authorization checks.
skipping to change at page 16, line 5 skipping to change at page 16, line 5
-- * Section 5.2.2 of this specification). Therefore, this document -- * Section 5.2.2 of this specification). Therefore, this document
-- * makes the behavioral clarification of specifying that the -- * makes the behavioral clarification of specifying that the
-- * contents of "thisMessage" MUST be encoded either as -- * contents of "thisMessage" MUST be encoded either as
-- * "EnvelopedData" or "EncryptedValue" (only for backward -- * "EnvelopedData" or "EncryptedValue" (only for backward
-- * compatibility) and then wrapped in a BIT STRING. This allows -- * compatibility) and then wrapped in a BIT STRING. This allows
-- * the necessary conveyance and protection of the private key -- * the necessary conveyance and protection of the private key
-- * while maintaining bits-on-the-wire compatibility with RFC 4211 -- * while maintaining bits-on-the-wire compatibility with RFC 4211
-- * [RFC4211]. -- * [RFC4211].
-- ********** -- **********
2.16. Update Appendix D.4. - Initial Registration/Certification (Basic 2.16. Update Appendix D.2. - Algorithm Use Profile
Appendix D.2 of RFC 4210 [RFC4210] provides a list of Algorithms
implementations must support when claiming conformance with PKI
Management Message Profiles as specified in CMP Appendix D.2
[RFC4210].
Replace the text of the section with the following text.
For specifications of algorithms identifiers and respective
conventions for conforming implementations, please refer to CMP
Algorithms Appendix A.1 [I-D.ietf-lamps-cmp-algorithms].
2.17. Update Appendix D.4. - Initial Registration/Certification (Basic
Authenticated Scheme) Authenticated Scheme)
Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/ Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/
certification scheme. This scheme shall continue to use certification scheme. This scheme shall continue to use
EncryptedValue for backward compatibility reasons. EncryptedValue for backward compatibility reasons.
Replace the comment after the privateKey field of Replace the comment after the privateKey field of
crc[1].certifiedKeyPair in the syntax of the Initialization Response crc[1].certifiedKeyPair in the syntax of the Initialization Response
message with the following text. message with the following text.
skipping to change at page 18, line 33 skipping to change at page 19, line 4
cmp IETF cmp IETF
4. IANA Considerations 4. IANA Considerations
This document contains an update to the IANA Consideration sections This document contains an update to the IANA Consideration sections
to be added to [RFC4210] and [RFC6712]. to be added to [RFC4210] and [RFC6712].
< TBD: This document updates the ASN.1 modules of RFC 4210 Appendix F < TBD: This document updates the ASN.1 modules of RFC 4210 Appendix F
[RFC4210] and RFC 5912 Section 9 [RFC5912]. New OIDs TBD1 and TBD2 [RFC4210] and RFC 5912 Section 9 [RFC5912]. New OIDs TBD1 and TBD2
need to be registered to identify the updates ASN.1 modules. > need to be registered to identify the updates ASN.1 modules. >
< TBD: New OIDs TBD3 (id-regCtrl-algId) and TBD4 (id-regCtrl-
rsaKeyLen) need to be registered. >
< TBD: The existing description and information of id-kp-cmcRA and < TBD: The existing description and information of id-kp-cmcRA and
id-kp-cmcCA need to be updated to reflect their extended usage. > id-kp-cmcCA need to be updated to reflect their extended usage. >
5. Security Considerations 5. Security Considerations
No changes are made to the existing security considerations of No changes are made to the existing security considerations of
RFC 4210 [RFC4210] and RFC 6712 [RFC6712]. RFC 4210 [RFC4210] and RFC 6712 [RFC6712].
6. Acknowledgements 6. Acknowledgements
skipping to change at page 19, line 9 skipping to change at page 19, line 30
Gustavsson for reviewing and providing valuable suggestions on the Gustavsson for reviewing and providing valuable suggestions on the
approvement of this document. approvement of this document.
I also like to thank all reviewers of this document for their I also like to thank all reviewers of this document for their
valuable feedback. valuable feedback.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-lamps-cmp-algorithms]
Brockhaus, H., "CMP Algorithms", draft-ietf-lamps-cmp-
algorithms-00 (work in progress), October 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985, Classes and Attribute Types Version 2.0", RFC 2985,
DOI 10.17487/RFC2985, November 2000, DOI 10.17487/RFC2985, November 2000,
<https://www.rfc-editor.org/info/rfc2985>. <https://www.rfc-editor.org/info/rfc2985>.
skipping to change at page 20, line 19 skipping to change at page 20, line 49
[RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key
Infrastructure -- HTTP Transfer for the Certificate Infrastructure -- HTTP Transfer for the Certificate
Management Protocol (CMP)", RFC 6712, Management Protocol (CMP)", RFC 6712,
DOI 10.17487/RFC6712, September 2012, DOI 10.17487/RFC6712, September 2012,
<https://www.rfc-editor.org/info/rfc6712>. <https://www.rfc-editor.org/info/rfc6712>.
[RFC7299] Housley, R., "Object Identifier Registry for the PKIX [RFC7299] Housley, R., "Object Identifier Registry for the PKIX
Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014,
<https://www.rfc-editor.org/info/rfc7299>. <https://www.rfc-editor.org/info/rfc7299>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for [RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for
ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February
2019, <https://www.rfc-editor.org/info/rfc8515>. 2019, <https://www.rfc-editor.org/info/rfc8515>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-lamps-lightweight-cmp-profile] [I-D.ietf-lamps-lightweight-cmp-profile]
Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP
Profile", draft-ietf-lamps-lightweight-cmp-profile-02 Profile", draft-ietf-lamps-lightweight-cmp-profile-03
(work in progress), July 2020. (work in progress), October 2020.
[IEEE802.1AR] [IEEE802.1AR]
IEEE, "802.1AR Secure Device Identifier", June 2018, IEEE, "802.1AR Secure Device Identifier", June 2018,
<http://standards.ieee.org/findstds/standard/802.1AR- <http://standards.ieee.org/findstds/standard/802.1AR-
2009.html>. 2009.html>.
Appendix A. ASN.1 Modules Appendix A. ASN.1 Modules
A.1. 1988 ASN.1 Module A.1. 1988 ASN.1 Module
skipping to change at page 45, line 34 skipping to change at page 46, line 17
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of changes Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 05 -> 06:
o Added the update of Appendix D.2 with the reference to the new CMP
Algorithms document as decided in IETF 108
o Updated the IANA considerations to register new OIDs for id-
regCtrl-algId and d-regCtrl-rsaKeyLen.
o Minor changes and corrections
From version 04 -> 05: From version 04 -> 05:
o Added Section 2.6 and Section 2.7 to clarify the usage of these o Added Section 2.6 and Section 2.7 to clarify the usage of these
general messages types with EC curves (see thread general messages types with EC curves (see thread
"AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue "AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue
in CMP headers") in CMP headers")
o Split former section 2.7 on adding 'CA Certificates', 'Root CA o Split former section 2.7 on adding 'CA Certificates', 'Root CA
Certificates Update', and 'Certificate Request Template' in three Certificates Update', and 'Certificate Request Template' in three
separate sections for easier readability separate sections for easier readability
 End of changes. 17 change blocks. 
21 lines changed or deleted 56 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/