--- 1/draft-ietf-lamps-cmp-updates-05.txt 2020-11-02 08:15:23.159370779 -0800 +++ 2/draft-ietf-lamps-cmp-updates-06.txt 2020-11-02 08:15:23.255373190 -0800 @@ -1,19 +1,19 @@ LAMPS Working Group H. Brockhaus Internet-Draft Siemens -Updates: 4210, 6712 (if approved) September 22, 2020 +Updates: 4210, 6712 (if approved) November 2, 2020 Intended status: Standards Track -Expires: March 26, 2021 +Expires: May 6, 2021 CMP Updates - draft-ietf-lamps-cmp-updates-05 + draft-ietf-lamps-cmp-updates-06 Abstract This document contains a set of updates to the base syntax and transport of Certificate Management Protocol (CMP) version 2. This document updates RFC 4210 and RFC 6712. Specifically, the CMP services updated in this document comprise the enabling of using EnvelopedData instead of EncryptedValue, adding new general message types, the definition of extended key usages to @@ -29,21 +29,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 26, 2021. + This Internet-Draft will expire on May 6, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -68,63 +68,65 @@ Pair Types . . . . . . . . . . . . . . . . . . . . . . . 10 2.8. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 10 2.9. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 10 2.10. New Section 5.3.19.15 - Root CA Certificates Update . . . 11 2.11. New Section 5.3.19.16 - Certificate Request Template . . 11 2.12. Update Section 5.3.22 - Polling Request and Response . . 12 2.13. Update Section 9 - IANA Considerations . . . . . . . . . 13 2.14. Update Appendix B - The Use of Revocation Passphrase . . 14 2.15. Update Appendix C - Request Message Behavioral Clarifications . . . . . . . . . . . . . . . . . . . . . 15 - 2.16. Update Appendix D.4. - Initial Registration/Certification + 2.16. Update Appendix D.2. - Algorithm Use Profile . . . . . . 16 + 2.17. Update Appendix D.4. - Initial Registration/Certification (Basic Authenticated Scheme) . . . . . . . . . . . . . . 16 3. Updates to RFC 6712 - HTTP Transfer for the Certificate Management Protocol (CMP) . . . . . . . . . . . . . . . . . . 16 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 16 - 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 16 + 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 17 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 18 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 18 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 7.1. Normative References . . . . . . . . . . . . . . . . . . 19 - 7.2. Informative References . . . . . . . . . . . . . . . . . 20 - Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 20 - A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 20 + 7.2. Informative References . . . . . . . . . . . . . . . . . 21 + Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 21 + A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 21 A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 33 - Appendix B. History of changes . . . . . . . . . . . . . . . . . 45 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 48 + Appendix B. History of changes . . . . . . . . . . . . . . . . . 46 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 49 1. Introduction + [RFC Editor: please delete]: !!! The change history was moved to + Appendix B !!! + While using CMP [RFC4210] in industrial and IoT environments and developing the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were identified in the original CMP specification. This document updates RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these limitations. In general, this document aims to improve the crypto agility of CMP to be flexible to react on future advances in cryptography. This document also introduces new extended key usages to identify CMP endpoints on registration and certification authorities. 1.1. Convention and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119 [RFC2119]. - - In this document, these words will appear with that interpretation - only when in ALL CAPS. Lower case uses of these words are not to be - interpreted as carrying significance described in RFC 2119. + document are to be interpreted as described in BCP 14 [RFC2119] + [RFC8174] when, and only when, they appear in all capitals, as shown + here. Technical terminology is used in conformance with RFC 4210 [RFC4210], RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words are used: CA: Certification authority, which issues certificates. RA: Registration authority, an optional system component to which a CA delegates certificate management functions such as authorization checks. @@ -697,21 +699,34 @@ -- * Section 5.2.2 of this specification). Therefore, this document -- * makes the behavioral clarification of specifying that the -- * contents of "thisMessage" MUST be encoded either as -- * "EnvelopedData" or "EncryptedValue" (only for backward -- * compatibility) and then wrapped in a BIT STRING. This allows -- * the necessary conveyance and protection of the private key -- * while maintaining bits-on-the-wire compatibility with RFC 4211 -- * [RFC4211]. -- ********** -2.16. Update Appendix D.4. - Initial Registration/Certification (Basic +2.16. Update Appendix D.2. - Algorithm Use Profile + + Appendix D.2 of RFC 4210 [RFC4210] provides a list of Algorithms + implementations must support when claiming conformance with PKI + Management Message Profiles as specified in CMP Appendix D.2 + [RFC4210]. + + Replace the text of the section with the following text. + + For specifications of algorithms identifiers and respective + conventions for conforming implementations, please refer to CMP + Algorithms Appendix A.1 [I-D.ietf-lamps-cmp-algorithms]. + +2.17. Update Appendix D.4. - Initial Registration/Certification (Basic Authenticated Scheme) Appendix D.4 of RFC 4210 [RFC4210] provides the initial registration/ certification scheme. This scheme shall continue to use EncryptedValue for backward compatibility reasons. Replace the comment after the privateKey field of crc[1].certifiedKeyPair in the syntax of the Initialization Response message with the following text. @@ -822,20 +836,22 @@ cmp IETF 4. IANA Considerations This document contains an update to the IANA Consideration sections to be added to [RFC4210] and [RFC6712]. < TBD: This document updates the ASN.1 modules of RFC 4210 Appendix F [RFC4210] and RFC 5912 Section 9 [RFC5912]. New OIDs TBD1 and TBD2 need to be registered to identify the updates ASN.1 modules. > + < TBD: New OIDs TBD3 (id-regCtrl-algId) and TBD4 (id-regCtrl- + rsaKeyLen) need to be registered. > < TBD: The existing description and information of id-kp-cmcRA and id-kp-cmcCA need to be updated to reflect their extended usage. > 5. Security Considerations No changes are made to the existing security considerations of RFC 4210 [RFC4210] and RFC 6712 [RFC6712]. 6. Acknowledgements @@ -846,20 +862,24 @@ Gustavsson for reviewing and providing valuable suggestions on the approvement of this document. I also like to thank all reviewers of this document for their valuable feedback. 7. References 7.1. Normative References + [I-D.ietf-lamps-cmp-algorithms] + Brockhaus, H., "CMP Algorithms", draft-ietf-lamps-cmp- + algorithms-00 (work in progress), October 2020. + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object Classes and Attribute Types Version 2.0", RFC 2985, DOI 10.17487/RFC2985, November 2000, . @@ -905,30 +925,34 @@ [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key Infrastructure -- HTTP Transfer for the Certificate Management Protocol (CMP)", RFC 6712, DOI 10.17487/RFC6712, September 2012, . [RFC7299] Housley, R., "Object Identifier Registry for the PKIX Working Group", RFC 7299, DOI 10.17487/RFC7299, July 2014, . + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + [RFC8515] Jethanandani, M. and M. Reina Ortega, "URN Namespace for ETSI Documents", RFC 8515, DOI 10.17487/RFC8515, February 2019, . 7.2. Informative References [I-D.ietf-lamps-lightweight-cmp-profile] Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP - Profile", draft-ietf-lamps-lightweight-cmp-profile-02 - (work in progress), July 2020. + Profile", draft-ietf-lamps-lightweight-cmp-profile-03 + (work in progress), October 2020. [IEEE802.1AR] IEEE, "802.1AR Secure Device Identifier", June 2018, . Appendix A. ASN.1 Modules A.1. 1988 ASN.1 Module @@ -2120,20 +2142,30 @@ -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } END Appendix B. History of changes Note: This appendix will be deleted in the final version of the document. + From version 05 -> 06: + + o Added the update of Appendix D.2 with the reference to the new CMP + Algorithms document as decided in IETF 108 + + o Updated the IANA considerations to register new OIDs for id- + regCtrl-algId and d-regCtrl-rsaKeyLen. + + o Minor changes and corrections + From version 04 -> 05: o Added Section 2.6 and Section 2.7 to clarify the usage of these general messages types with EC curves (see thread "AlgorithmIdentifier parameters NULL value - Re: InfoTypeAndValue in CMP headers") o Split former section 2.7 on adding 'CA Certificates', 'Root CA Certificates Update', and 'Certificate Request Template' in three separate sections for easier readability