| draft-ietf-lamps-cmp-updates-05.txt | draft-ietf-lamps-cmp-updates-06.txt | |||
|---|---|---|---|---|
| LAMPS Working Group H. Brockhaus | LAMPS Working Group H. Brockhaus | |||
| Internet-Draft Siemens | Internet-Draft Siemens | |||
| Updates: 4210, 6712 (if approved) September 22, 2020 | Updates: 4210, 6712 (if approved) November 2, 2020 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: March 26, 2021 | Expires: May 6, 2021 | |||
| CMP Updates | CMP Updates | |||
| draft-ietf-lamps-cmp-updates-05 | draft-ietf-lamps-cmp-updates-06 | |||
| Abstract | Abstract | |||
| This document contains a set of updates to the base syntax and | This document contains a set of updates to the base syntax and | |||
| transport of Certificate Management Protocol (CMP) version 2. This | transport of Certificate Management Protocol (CMP) version 2. This | |||
| document updates RFC 4210 and RFC 6712. | document updates RFC 4210 and RFC 6712. | |||
| Specifically, the CMP services updated in this document comprise the | Specifically, the CMP services updated in this document comprise the | |||
| enabling of using EnvelopedData instead of EncryptedValue, adding new | enabling of using EnvelopedData instead of EncryptedValue, adding new | |||
| general message types, the definition of extended key usages to | general message types, the definition of extended key usages to | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 26, 2021. | This Internet-Draft will expire on May 6, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 33 ¶ | skipping to change at page 2, line 33 ¶ | |||
| Pair Types . . . . . . . . . . . . . . . . . . . . . . . 10 | Pair Types . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 2.8. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 10 | 2.8. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 10 | |||
| 2.9. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 10 | 2.9. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 10 | |||
| 2.10. New Section 5.3.19.15 - Root CA Certificates Update . . . 11 | 2.10. New Section 5.3.19.15 - Root CA Certificates Update . . . 11 | |||
| 2.11. New Section 5.3.19.16 - Certificate Request Template . . 11 | 2.11. New Section 5.3.19.16 - Certificate Request Template . . 11 | |||
| 2.12. Update Section 5.3.22 - Polling Request and Response . . 12 | 2.12. Update Section 5.3.22 - Polling Request and Response . . 12 | |||
| 2.13. Update Section 9 - IANA Considerations . . . . . . . . . 13 | 2.13. Update Section 9 - IANA Considerations . . . . . . . . . 13 | |||
| 2.14. Update Appendix B - The Use of Revocation Passphrase . . 14 | 2.14. Update Appendix B - The Use of Revocation Passphrase . . 14 | |||
| 2.15. Update Appendix C - Request Message Behavioral | 2.15. Update Appendix C - Request Message Behavioral | |||
| Clarifications . . . . . . . . . . . . . . . . . . . . . 15 | Clarifications . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 2.16. Update Appendix D.4. - Initial Registration/Certification | 2.16. Update Appendix D.2. - Algorithm Use Profile . . . . . . 16 | |||
| 2.17. Update Appendix D.4. - Initial Registration/Certification | ||||
| (Basic Authenticated Scheme) . . . . . . . . . . . . . . 16 | (Basic Authenticated Scheme) . . . . . . . . . . . . . . 16 | |||
| 3. Updates to RFC 6712 - HTTP Transfer for the Certificate | 3. Updates to RFC 6712 - HTTP Transfer for the Certificate | |||
| Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 16 | Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 16 | |||
| 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 16 | 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 16 | |||
| 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 16 | 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 17 | |||
| 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 18 | 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 18 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 20 | 7.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 20 | Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 21 | |||
| A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 20 | A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 21 | |||
| A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 33 | A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 33 | |||
| Appendix B. History of changes . . . . . . . . . . . . . . . . . 45 | Appendix B. History of changes . . . . . . . . . . . . . . . . . 46 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 48 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC Editor: please delete]: !!! The change history was moved to | ||||
| Appendix B !!! | ||||
| While using CMP [RFC4210] in industrial and IoT environments and | While using CMP [RFC4210] in industrial and IoT environments and | |||
| developing the Lightweight CMP Profile | developing the Lightweight CMP Profile | |||
| [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | |||
| identified in the original CMP specification. This document updates | identified in the original CMP specification. This document updates | |||
| RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | |||
| limitations. | limitations. | |||
| In general, this document aims to improve the crypto agility of CMP | In general, this document aims to improve the crypto agility of CMP | |||
| to be flexible to react on future advances in cryptography. | to be flexible to react on future advances in cryptography. | |||
| This document also introduces new extended key usages to identify CMP | This document also introduces new extended key usages to identify CMP | |||
| endpoints on registration and certification authorities. | endpoints on registration and certification authorities. | |||
| 1.1. Convention and Terminology | 1.1. Convention and Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in BCP 14 [RFC2119] | |||
| [RFC8174] when, and only when, they appear in all capitals, as shown | ||||
| In this document, these words will appear with that interpretation | here. | |||
| only when in ALL CAPS. Lower case uses of these words are not to be | ||||
| interpreted as carrying significance described in RFC 2119. | ||||
| Technical terminology is used in conformance with RFC 4210 [RFC4210], | Technical terminology is used in conformance with RFC 4210 [RFC4210], | |||
| RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words | RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words | |||
| are used: | are used: | |||
| CA: Certification authority, which issues certificates. | CA: Certification authority, which issues certificates. | |||
| RA: Registration authority, an optional system component to which a | RA: Registration authority, an optional system component to which a | |||
| CA delegates certificate management functions such as | CA delegates certificate management functions such as | |||
| authorization checks. | authorization checks. | |||
| skipping to change at page 16, line 5 ¶ | skipping to change at page 16, line 5 ¶ | |||
| -- * Section 5.2.2 of this specification). Therefore, this document | -- * Section 5.2.2 of this specification). Therefore, this document | |||
| -- * makes the behavioral clarification of specifying that the | -- * makes the behavioral clarification of specifying that the | |||
| -- * contents of "thisMessage" MUST be encoded either as | -- * contents of "thisMessage" MUST be encoded either as | |||
| -- * "EnvelopedData" or "EncryptedValue" (only for backward | -- * "EnvelopedData" or "EncryptedValue" (only for backward | |||
| -- * compatibility) and then wrapped in a BIT STRING. This allows | -- * compatibility) and then wrapped in a BIT STRING. This allows | |||
| -- * the necessary conveyance and protection of the private key | -- * the necessary conveyance and protection of the private key | |||
| -- * while maintaining bits-on-the-wire compatibility with RFC 4211 | -- * while maintaining bits-on-the-wire compatibility with RFC 4211 | |||
| -- * [RFC4211]. | -- * [RFC4211]. | |||
| -- ********** | -- ********** | |||
| 2.16. Update Appendix D.4. - Initial Registration/Certification (Basic | 2.16. Update Appendix D.2. - Algorithm Use Profile | |||
| Appendix D.2 of RFC 4210 [RFC4210] provides a list of Algorithms | ||||
| implementations must support when claiming conformance with PKI | ||||
| Management Message Profiles as specified in CMP Appendix D.2 | ||||
| [RFC4210]. | ||||
| Replace the text of the section with the following text. | ||||
| For specifications of algorithms identifiers and respective | ||||
| conventions for conforming implementations, please refer to CMP | ||||
| Algorithms Appendix A.1 [I-D.ietf-lamps-cmp-algorithms]. | ||||
| 2.17. Update Appendix D.4. - Initial Registration/Certification (Basic | ||||
| Authenticated Scheme) | Authenticated Scheme) | |||
| Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/ | Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/ | |||
| certification scheme. This scheme shall continue to use | certification scheme. This scheme shall continue to use | |||
| EncryptedValue for backward compatibility reasons. | EncryptedValue for backward compatibility reasons. | |||
| Replace the comment after the privateKey field of | Replace the comment after the privateKey field of | |||
| crc[1].certifiedKeyPair in the syntax of the Initialization Response | crc[1].certifiedKeyPair in the syntax of the Initialization Response | |||
| message with the following text. | message with the following text. | |||
| skipping to change at page 18, line 33 ¶ | skipping to change at page 19, line 4 ¶ | |||
| cmp IETF | cmp IETF | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document contains an update to the IANA Consideration sections | This document contains an update to the IANA Consideration sections | |||
| to be added to [RFC4210] and [RFC6712]. | to be added to [RFC4210] and [RFC6712]. | |||
| < TBD: This document updates the ASN.1 modules of RFC 4210 Appendix F | < TBD: This document updates the ASN.1 modules of RFC 4210 Appendix F | |||
| [RFC4210] and RFC 5912 Section 9 [RFC5912]. New OIDs TBD1 and TBD2 | [RFC4210] and RFC 5912 Section 9 [RFC5912]. New OIDs TBD1 and TBD2 | |||
| need to be registered to identify the updates ASN.1 modules. > | need to be registered to identify the updates ASN.1 modules. > | |||
| < TBD: New OIDs TBD3 (id-regCtrl-algId) and TBD4 (id-regCtrl- | ||||
| rsaKeyLen) need to be registered. > | ||||
| < TBD: The existing description and information of id-kp-cmcRA and | < TBD: The existing description and information of id-kp-cmcRA and | |||
| id-kp-cmcCA need to be updated to reflect their extended usage. > | id-kp-cmcCA need to be updated to reflect their extended usage. > | |||
| 5. Security Considerations | 5. Security Considerations | |||
| No changes are made to the existing security considerations of | No changes are made to the existing security considerations of | |||
| RFC 4210 [RFC4210] and RFC 6712 [RFC6712]. | RFC 4210 [RFC4210] and RFC 6712 [RFC6712]. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| skipping to change at page 19, line 9 ¶ | skipping to change at page 19, line 30 ¶ | |||
| Gustavsson for reviewing and providing valuable suggestions on the | Gustavsson for reviewing and providing valuable suggestions on the | |||
| approvement of this document. | approvement of this document. | |||
| I also like to thank all reviewers of this document for their | I also like to thank all reviewers of this document for their | |||
| valuable feedback. | valuable feedback. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-lamps-cmp-algorithms] | ||||
| Brockhaus, H., "CMP Algorithms", draft-ietf-lamps-cmp- | ||||
| algorithms-00 (work in progress), October 2020. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object | [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object | |||
| Classes and Attribute Types Version 2.0", RFC 2985, | Classes and Attribute Types Version 2.0", RFC 2985, | |||
| DOI 10.17487/RFC2985, November 2000, | DOI 10.17487/RFC2985, November 2000, | |||
| <https://www.rfc-editor.org/info/rfc2985>. | <https://www.rfc-editor.org/info/rfc2985>. | |||
| skipping to change at page 20, line 19 ¶ | skipping to change at page 20, line 49 ¶ | |||
| [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key | [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key | |||
| Infrastructure -- HTTP Transfer for the Certificate | Infrastructure -- HTTP Transfer for the Certificate | |||
| Management Protocol (CMP)", RFC 6712, | Management Protocol (CMP)", RFC 6712, | |||
| DOI 10.17487/RFC6712, September 2012, | DOI 10.17487/RFC6712, September 2012, | |||
| <https://www.rfc-editor.org/info/rfc6712>. | <https://www.rfc-editor.org/info/rfc6712>. | |||
| [RFC7299] Housley, R., "Object Identifier Registry for the PKIX | [RFC7299] Housley, R., "Object Identifier Registry for the PKIX | |||
| Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, | Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, | |||
| <https://www.rfc-editor.org/info/rfc7299>. | <https://www.rfc-editor.org/info/rfc7299>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for | [RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for | |||
| ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February | ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February | |||
| 2019, <https://www.rfc-editor.org/info/rfc8515>. | 2019, <https://www.rfc-editor.org/info/rfc8515>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.ietf-lamps-lightweight-cmp-profile] | [I-D.ietf-lamps-lightweight-cmp-profile] | |||
| Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP | Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP | |||
| Profile", draft-ietf-lamps-lightweight-cmp-profile-02 | Profile", draft-ietf-lamps-lightweight-cmp-profile-03 | |||
| (work in progress), July 2020. | (work in progress), October 2020. | |||
| [IEEE802.1AR] | [IEEE802.1AR] | |||
| IEEE, "802.1AR Secure Device Identifier", June 2018, | IEEE, "802.1AR Secure Device Identifier", June 2018, | |||
| <http://standards.ieee.org/findstds/standard/802.1AR- | <http://standards.ieee.org/findstds/standard/802.1AR- | |||
| 2009.html>. | 2009.html>. | |||
| Appendix A. ASN.1 Modules | Appendix A. ASN.1 Modules | |||
| A.1. 1988 ASN.1 Module | A.1. 1988 ASN.1 Module | |||
| skipping to change at page 45, line 34 ¶ | skipping to change at page 46, line 17 ¶ | |||
| -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | |||
| id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | |||
| END | END | |||
| Appendix B. History of changes | Appendix B. History of changes | |||
| Note: This appendix will be deleted in the final version of the | Note: This appendix will be deleted in the final version of the | |||
| document. | document. | |||
| From version 05 -> 06: | ||||
| o Added the update of Appendix D.2 with the reference to the new CMP | ||||
| Algorithms document as decided in IETF 108 | ||||
| o Updated the IANA considerations to register new OIDs for id- | ||||
| regCtrl-algId and d-regCtrl-rsaKeyLen. | ||||
| o Minor changes and corrections | ||||
| From version 04 -> 05: | From version 04 -> 05: | |||
| o Added Section 2.6 and Section 2.7 to clarify the usage of these | o Added Section 2.6 and Section 2.7 to clarify the usage of these | |||
| general messages types with EC curves (see thread | general messages types with EC curves (see thread | |||
| "AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue | "AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue | |||
| in CMP headers") | in CMP headers") | |||
| o Split former section 2.7 on adding 'CA Certificates', 'Root CA | o Split former section 2.7 on adding 'CA Certificates', 'Root CA | |||
| Certificates Update', and 'Certificate Request Template' in three | Certificates Update', and 'Certificate Request Template' in three | |||
| separate sections for easier readability | separate sections for easier readability | |||
| End of changes. 17 change blocks. | ||||
| 21 lines changed or deleted | 56 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||