draft-ietf-lamps-cmp-updates-09.txt   draft-ietf-lamps-cmp-updates-10.txt 
LAMPS Working Group H. Brockhaus LAMPS Working Group H. Brockhaus
Internet-Draft D. von Oheimb Internet-Draft D. von Oheimb
Updates: 4210, 5912, 6712 (if approved) Siemens Updates: 4210, 5912, 6712 (if approved) Siemens
Intended status: Standards Track 30 April 2021 Intended status: Standards Track 4 May 2021
Expires: 1 November 2021 Expires: 5 November 2021
Certificate Management Protocol (CMP) Updates Certificate Management Protocol (CMP) Updates
draft-ietf-lamps-cmp-updates-09 draft-ietf-lamps-cmp-updates-10
Abstract Abstract
This document contains a set of updates to the syntax and transport This document contains a set of updates to the syntax and transport
of Certificate Management Protocol (CMP) version 2. This document of Certificate Management Protocol (CMP) version 2. This document
updates RFC 4210 and RFC 6712. updates RFC 4210 and RFC 6712.
The aspects of CMP updated in this document are using EnvelopedData The aspects of CMP updated in this document are using EnvelopedData
instead of EncryptedValue, clarifying the handling of p10cr messages, instead of EncryptedValue, clarifying the handling of p10cr messages,
improving the crypto agility, as well as adding new general message improving the crypto agility, as well as adding new general message
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 November 2021. This Internet-Draft will expire on 5 November 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 13 skipping to change at page 3, line 13
3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 20 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 20
3.3. Update Section 6. - IANA Considerations . . . . . . . . . 21 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 21
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
5. Security Considerations . . . . . . . . . . . . . . . . . . . 22 5. Security Considerations . . . . . . . . . . . . . . . . . . . 22
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
7.1. Normative References . . . . . . . . . . . . . . . . . . 22 7.1. Normative References . . . . . . . . . . . . . . . . . . 22
7.2. Informative References . . . . . . . . . . . . . . . . . 24 7.2. Informative References . . . . . . . . . . . . . . . . . 24
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 24 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 24
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25
A.2. 2021 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37 A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37
Appendix B. History of changes . . . . . . . . . . . . . . . . . 50 Appendix B. History of changes . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction 1. Introduction
While using CMP [RFC4210] in industrial and IoT environments and While using CMP [RFC4210] in industrial and IoT environments and
developing the Lightweight CMP Profile developing the Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were
identified in the original CMP specification. This document updates identified in the original CMP specification. This document updates
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these
skipping to change at page 25, line 27 skipping to change at page 25, line 27
BEGIN BEGIN
-- EXPORTS ALL -- -- EXPORTS ALL --
IMPORTS IMPORTS
Certificate, CertificateList, Extensions, AlgorithmIdentifier, Certificate, CertificateList, Extensions, AlgorithmIdentifier,
UTF8String, id-kp -- if required; otherwise, comment out UTF8String, id-kp -- if required; otherwise, comment out
FROM PKIX1Explicit88 {iso(1) identified-organization(3) FROM PKIX1Explicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-explicit-88(1)} id-mod(0) id-pkix1-explicit-88(18)}
GeneralName, KeyIdentifier GeneralName, KeyIdentifier
FROM PKIX1Implicit88 {iso(1) identified-organization(3) FROM PKIX1Implicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-implicit-88(2)} id-mod(0) id-pkix1-implicit-88(19)}
CertTemplate, PKIPublicationInfo, EncryptedKey, CertId, CertTemplate, PKIPublicationInfo, EncryptedKey, CertId,
CertReqMessages, Controls, id-regCtrl CertReqMessages, Controls, id-regCtrl
FROM PKIXCRMF-2005 {iso(1) identified-organization(3) FROM PKIXCRMF-2005 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-mod-crmf2005(36)} id-mod(0) id-mod-crmf2005(36)}
-- The import of EncryptedKey is added due to the updates made -- The import of EncryptedKey is added due to the updates made
-- in CMP Updates [thisRFC]]. EncryptedValue does not need to -- in CMP Updates [thisRFC]]. EncryptedValue does not need to
-- be imported anymore and is therefore removed here. -- be imported anymore and is therefore removed here.
-- see also the behavioral clarifications to CRMF codified in -- see also the behavioral clarifications to CRMF codified in
-- Appendix C of this specification -- Appendix C of this specification
CertificationRequest CertificationRequest
FROM PKCS-10 {iso(1) member-body(2) FROM PKCS-10 {iso(1) member-body(2)
us(840) rsadsi(113549) us(840) rsadsi(113549)
pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)}
-- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT
-- tags). Alternatively, implementers may directly include -- tags). Alternatively, implementers may directly include
-- the [PKCS10] syntax in this module -- the [PKCS10] syntax in this module
localKeyId
FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)}
-- The import of localKeyId is added due to the updates made in
-- CMP Updates [thisRFC]
EnvelopedData, SignedData EnvelopedData, SignedData
FROM CryptographicMessageSyntax2004 { iso(1) FROM CryptographicMessageSyntax2004 { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) cms-2004(24) }
-- The import of EnvelopedData and SignedData is added due to -- The import of EnvelopedData and SignedData is added due to
-- the updates made in CMP Updates [thisRFC] -- the updates made in CMP Updates [thisRFC]
; ;
-- the rest of the module contains locally-defined OIDs and -- the rest of the module contains locally-defined OIDs and
skipping to change at page 37, line 22 skipping to change at page 37, line 16
-- operations, added due to the changes made in -- operations, added due to the changes made in
-- CMP Updates [thisRFC] -- CMP Updates [thisRFC]
-- The EKUs for the CA and RA are reused from CMC as defined in -- The EKUs for the CA and RA are reused from CMC as defined in
-- [RFC6402] -- [RFC6402]
-- --
-- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
-- There is no 1988 ASN.1 module of PKCS#9 available to import the
-- syntax of the localKeyId attribute type and value from. Therefore,
-- the syntax is added here as needed for the updates made in
-- CMP Updates [thisRFC]
pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) 9}
pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}
localKeyIdValue ::= OCTET STRING
END -- of CMP module END -- of CMP module
A.2. 2021 ASN.1 Module A.2. 2002 ASN.1 Module
This section contains the updated 2002 ASN.1 module for [RFC5912]. This section contains the updated 2002 ASN.1 module for [RFC5912].
This module replaces the module in Section 9 of that document. The This module replaces the module in Section 9 of that document. The
module contains those changes to the normative ASN.1 module from module contains those changes to the normative ASN.1 module from
RFC4210 Appendix F [RFC4210] that were to update to 2002 ASN.1 RFC4210 Appendix F [RFC4210] that were to update to 2002 ASN.1
standard done in [RFC5912] as well as changes made in this document. standard done in [RFC5912] as well as changes made in this document.
PKIXCMP-2021 PKIXCMP-2021
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
skipping to change at page 50, line 10 skipping to change at page 50, line 19
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of changes Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 9 -> 10:
* Added 1988 ASN.1 syntax for localKeyId attribute to Appendix A.1
From version 08 -> 09: From version 08 -> 09:
* Deleted specific definition of CMP CA and CMP RA in Section 2.2 * Deleted specific definition of CMP CA and CMP RA in Section 2.2
and only reference RFC 6402 for definition of id-kp-cmcCA and id- and only reference RFC 6402 for definition of id-kp-cmcCA and id-
kp-cmcRA to resolve the ToDo below based on feedback of Tomas kp-cmcRA to resolve the ToDo below based on feedback of Tomas
Gustavesson Gustavesson
* Added Section 2.4. and 2.5 to define id-it-rootCaCert and id-it- * Added Section 2.4. and 2.5 to define id-it-rootCaCert and id-it-
certProfile to be used in Section 2.14 and 2.15 certProfile to be used in Section 2.14 and 2.15
* Added reference to CMP Algorithms in Section 2.8 * Added reference to CMP Algorithms in Section 2.8
* Extended Section 2.14 to explicitly indicate the root CA an update * Extended Section 2.14 to explicitly indicate the root CA an update
 End of changes. 10 change blocks. 
15 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/