draft-ietf-lamps-cmp-updates-09.txt | draft-ietf-lamps-cmp-updates-10.txt | |||
---|---|---|---|---|
LAMPS Working Group H. Brockhaus | LAMPS Working Group H. Brockhaus | |||
Internet-Draft D. von Oheimb | Internet-Draft D. von Oheimb | |||
Updates: 4210, 5912, 6712 (if approved) Siemens | Updates: 4210, 5912, 6712 (if approved) Siemens | |||
Intended status: Standards Track 30 April 2021 | Intended status: Standards Track 4 May 2021 | |||
Expires: 1 November 2021 | Expires: 5 November 2021 | |||
Certificate Management Protocol (CMP) Updates | Certificate Management Protocol (CMP) Updates | |||
draft-ietf-lamps-cmp-updates-09 | draft-ietf-lamps-cmp-updates-10 | |||
Abstract | Abstract | |||
This document contains a set of updates to the syntax and transport | This document contains a set of updates to the syntax and transport | |||
of Certificate Management Protocol (CMP) version 2. This document | of Certificate Management Protocol (CMP) version 2. This document | |||
updates RFC 4210 and RFC 6712. | updates RFC 4210 and RFC 6712. | |||
The aspects of CMP updated in this document are using EnvelopedData | The aspects of CMP updated in this document are using EnvelopedData | |||
instead of EncryptedValue, clarifying the handling of p10cr messages, | instead of EncryptedValue, clarifying the handling of p10cr messages, | |||
improving the crypto agility, as well as adding new general message | improving the crypto agility, as well as adding new general message | |||
skipping to change at page 1, line 43 ¶ | skipping to change at page 1, line 43 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 1 November 2021. | This Internet-Draft will expire on 5 November 2021. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
skipping to change at page 3, line 13 ¶ | skipping to change at page 3, line 13 ¶ | |||
3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 20 | 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 20 | |||
3.3. Update Section 6. - IANA Considerations . . . . . . . . . 21 | 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 21 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | |||
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 22 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 22 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 24 | 7.2. Informative References . . . . . . . . . . . . . . . . . 24 | |||
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 24 | Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 24 | |||
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 | A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 | |||
A.2. 2021 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37 | A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37 | |||
Appendix B. History of changes . . . . . . . . . . . . . . . . . 50 | Appendix B. History of changes . . . . . . . . . . . . . . . . . 50 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
1. Introduction | 1. Introduction | |||
While using CMP [RFC4210] in industrial and IoT environments and | While using CMP [RFC4210] in industrial and IoT environments and | |||
developing the Lightweight CMP Profile | developing the Lightweight CMP Profile | |||
[I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were | |||
identified in the original CMP specification. This document updates | identified in the original CMP specification. This document updates | |||
RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these | |||
skipping to change at page 25, line 27 ¶ | skipping to change at page 25, line 27 ¶ | |||
BEGIN | BEGIN | |||
-- EXPORTS ALL -- | -- EXPORTS ALL -- | |||
IMPORTS | IMPORTS | |||
Certificate, CertificateList, Extensions, AlgorithmIdentifier, | Certificate, CertificateList, Extensions, AlgorithmIdentifier, | |||
UTF8String, id-kp -- if required; otherwise, comment out | UTF8String, id-kp -- if required; otherwise, comment out | |||
FROM PKIX1Explicit88 {iso(1) identified-organization(3) | FROM PKIX1Explicit88 {iso(1) identified-organization(3) | |||
dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
id-mod(0) id-pkix1-explicit-88(1)} | id-mod(0) id-pkix1-explicit-88(18)} | |||
GeneralName, KeyIdentifier | GeneralName, KeyIdentifier | |||
FROM PKIX1Implicit88 {iso(1) identified-organization(3) | FROM PKIX1Implicit88 {iso(1) identified-organization(3) | |||
dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
id-mod(0) id-pkix1-implicit-88(2)} | id-mod(0) id-pkix1-implicit-88(19)} | |||
CertTemplate, PKIPublicationInfo, EncryptedKey, CertId, | CertTemplate, PKIPublicationInfo, EncryptedKey, CertId, | |||
CertReqMessages, Controls, id-regCtrl | CertReqMessages, Controls, id-regCtrl | |||
FROM PKIXCRMF-2005 {iso(1) identified-organization(3) | FROM PKIXCRMF-2005 {iso(1) identified-organization(3) | |||
dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
id-mod(0) id-mod-crmf2005(36)} | id-mod(0) id-mod-crmf2005(36)} | |||
-- The import of EncryptedKey is added due to the updates made | -- The import of EncryptedKey is added due to the updates made | |||
-- in CMP Updates [thisRFC]]. EncryptedValue does not need to | -- in CMP Updates [thisRFC]]. EncryptedValue does not need to | |||
-- be imported anymore and is therefore removed here. | -- be imported anymore and is therefore removed here. | |||
-- see also the behavioral clarifications to CRMF codified in | -- see also the behavioral clarifications to CRMF codified in | |||
-- Appendix C of this specification | -- Appendix C of this specification | |||
CertificationRequest | CertificationRequest | |||
FROM PKCS-10 {iso(1) member-body(2) | FROM PKCS-10 {iso(1) member-body(2) | |||
us(840) rsadsi(113549) | us(840) rsadsi(113549) | |||
pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} | pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} | |||
-- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT | -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT | |||
-- tags). Alternatively, implementers may directly include | -- tags). Alternatively, implementers may directly include | |||
-- the [PKCS10] syntax in this module | -- the [PKCS10] syntax in this module | |||
localKeyId | ||||
FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) | ||||
pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)} | ||||
-- The import of localKeyId is added due to the updates made in | ||||
-- CMP Updates [thisRFC] | ||||
EnvelopedData, SignedData | EnvelopedData, SignedData | |||
FROM CryptographicMessageSyntax2004 { iso(1) | FROM CryptographicMessageSyntax2004 { iso(1) | |||
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||
smime(16) modules(0) cms-2004(24) } | smime(16) modules(0) cms-2004(24) } | |||
-- The import of EnvelopedData and SignedData is added due to | -- The import of EnvelopedData and SignedData is added due to | |||
-- the updates made in CMP Updates [thisRFC] | -- the updates made in CMP Updates [thisRFC] | |||
; | ; | |||
-- the rest of the module contains locally-defined OIDs and | -- the rest of the module contains locally-defined OIDs and | |||
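Review bot: the substantive change in this block, the module identifiers of the two PKIX1 imports moving from id-pkix1-explicit-88(1) / id-pkix1-implicit-88(2) to (18) / (19), i.e. from the RFC 2459 modules that RFC 4210 Appendix F imported to the RFC 5280 ones, carries no explanatory comment, although every other import change in this module has one; add a comment in the same style as "-- The import of EncryptedKey is added due to the updates made in CMP Updates [thisRFC]" so that a reader regenerating code from this module can see the dependency bump is deliberate. The `localKeyId FROM PKCS-9 {...}` import block appears on only one side of this diff; removing it from the 1988 module is consistent with the comment added later in A.1 that there is no 1988 ASN.1 module of PKCS#9 to import from. While this region is being touched, the EncryptedKey comment has a stray second bracket in "[thisRFC]]".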
skipping to change at page 37, line 22 ¶ | skipping to change at page 37, line 16 ¶ | |||
-- operations, added due to the changes made in | -- operations, added due to the changes made in | |||
-- CMP Updates [thisRFC] | -- CMP Updates [thisRFC] | |||
-- The EKUs for the CA and RA are reused from CMC as defined in | -- The EKUs for the CA and RA are reused from CMC as defined in | |||
-- [RFC6402] | -- [RFC6402] | |||
-- | -- | |||
-- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } | -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } | |||
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | |||
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | |||
-- There is no 1988 ASN.1 module of PKCS#9 available to import the | ||||
-- syntax of the localKeyId attribute type and value from. Therefore, | ||||
-- the syntax is added here as needed for the updates made in | ||||
-- CMP Updates [thisRFC] | ||||
pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) | ||||
rsadsi(113549) pkcs(1) 9} | ||||
pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21} | ||||
localKeyIdValue ::= OCTET STRING | ||||
END -- of CMP module | END -- of CMP module | |||
A.2. 2021 ASN.1 Module | A.2. 2002 ASN.1 Module | |||
This section contains the updated 2002 ASN.1 module for [RFC5912]. | This section contains the updated 2002 ASN.1 module for [RFC5912]. | |||
This module replaces the module in Section 9 of that document. The | This module replaces the module in Section 9 of that document. The | |||
module contains those changes to the normative ASN.1 module from | module contains those changes to the normative ASN.1 module from | |||
RFC4210 Appendix F [RFC4210] that were to update to 2002 ASN.1 | RFC4210 Appendix F [RFC4210] that were to update to 2002 ASN.1 | |||
standard done in [RFC5912] as well as changes made in this document. | standard done in [RFC5912] as well as changes made in this document. | |||
PKIXCMP-2021 | PKIXCMP-2021 | |||
{ iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
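Review bot: `localKeyIdValue ::= OCTET STRING` in the new A.1 block is a type assignment, and ASN.1 requires type references to begin with an uppercase letter (a lowercase initial denotes a value reference, such as the `pkcs-9-at-localKeyId` OID defined just above it), so a conforming ASN.1 compiler rejects this line; rename it `LocalKeyIdValue ::= OCTET STRING`, matching the capitalisation of the module's other types (CertTemplate, EncryptedKey). The `pkcs-9` and `pkcs-9-at-localKeyId` value assignments are well-formed, and the comment explaining why the syntax is defined locally rather than imported is exactly the kind of note the earlier import changes should also carry.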
skipping to change at page 50, line 10 ¶ | skipping to change at page 50, line 19 ¶ | |||
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } | |||
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } | |||
END | END | |||
Appendix B. History of changes | Appendix B. History of changes | |||
Note: This appendix will be deleted in the final version of the | Note: This appendix will be deleted in the final version of the | |||
document. | document. | |||
From version 9 -> 10: | ||||
* Added 1988 ASN.1 syntax for localKeyId attribute to Appendix A.1 | ||||
From version 08 -> 09: | From version 08 -> 09: | |||
* Deleted specific definition of CMP CA and CMP RA in Section 2.2 | * Deleted specific definition of CMP CA and CMP RA in Section 2.2 | |||
and only reference RFC 6402 for definition of id-kp-cmcCA and id- | and only reference RFC 6402 for definition of id-kp-cmcCA and id- | |||
kp-cmcRA to resolve the ToDo below based on feedback of Tomas | kp-cmcRA to resolve the ToDo below based on feedback of Tomas | |||
Gustavesson | Gustavesson | |||
* Added Section 2.4. and 2.5 to define id-it-rootCaCert and id-it- | * Added Section 2.4. and 2.5 to define id-it-rootCaCert and id-it- | |||
certProfile to be used in Section 2.14 and 2.15 | certProfile to be used in Section 2.14 and 2.15 | |||
* Added reference to CMP Algorithms in Section 2.8 | * Added reference to CMP Algorithms in Section 2.8 | |||
* Extended Section 2.14 to explicitly indicate the root CA an update | * Extended Section 2.14 to explicitly indicate the root CA an update | |||
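Review bot: the `From version 9 -> 10:` entry records only the localKeyId syntax added to Appendix A.1, but this diff also shows the PKIX1Explicit88 and PKIX1Implicit88 module OIDs in A.1 changing from (1)/(2) to (18)/(19), the A.2 heading changing from "2021 ASN.1 Module" to "2002 ASN.1 Module", and the PKCS-9 localKeyId import being replaced by local definitions; an implementer who regenerates code from the 1988 module needs the OID change called out in particular, so list all three. Also write the version label as "09 -> 10" to match the "08 -> 09" entry below it.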
End of changes. 10 change blocks. | ||||
15 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |