--- 1/draft-ietf-lamps-cmp-updates-09.txt 2021-05-04 10:13:11.900197140 -0700 +++ 2/draft-ietf-lamps-cmp-updates-10.txt 2021-05-04 10:13:12.008199823 -0700 @@ -1,19 +1,19 @@ LAMPS Working Group H. Brockhaus Internet-Draft D. von Oheimb Updates: 4210, 5912, 6712 (if approved) Siemens -Intended status: Standards Track 30 April 2021 -Expires: 1 November 2021 +Intended status: Standards Track 4 May 2021 +Expires: 5 November 2021 Certificate Management Protocol (CMP) Updates - draft-ietf-lamps-cmp-updates-09 + draft-ietf-lamps-cmp-updates-10 Abstract This document contains a set of updates to the syntax and transport of Certificate Management Protocol (CMP) version 2. This document updates RFC 4210 and RFC 6712. The aspects of CMP updated in this document are using EnvelopedData instead of EncryptedValue, clarifying the handling of p10cr messages, improving the crypto agility, as well as adding new general message @@ -32,21 +32,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 1 November 2021. + This Internet-Draft will expire on 5 November 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -96,21 +96,21 @@ 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 20 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 21 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 5. Security Considerations . . . . . . . . . . . . . . . . . . . 22 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 7.1. Normative References . . . . . . . . . . . . . . . . . . 22 7.2. Informative References . . . . . . . . . . . . . . . . . 24 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 24 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 - A.2. 2021 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37 + A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 37 Appendix B. History of changes . . . . . . . . . . . . . . . . . 50 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 1. Introduction While using CMP [RFC4210] in industrial and IoT environments and developing the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were identified in the original CMP specification. This document updates RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these 
@@ -1131,52 +1131,45 @@ BEGIN -- EXPORTS ALL -- IMPORTS Certificate, CertificateList, Extensions, AlgorithmIdentifier, UTF8String, id-kp -- if required; otherwise, comment out FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-explicit-88(1)} + id-mod(0) id-pkix1-explicit-88(18)} GeneralName, KeyIdentifier FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) - id-mod(0) id-pkix1-implicit-88(2)} + id-mod(0) id-pkix1-implicit-88(19)} CertTemplate, PKIPublicationInfo, EncryptedKey, CertId, CertReqMessages, Controls, id-regCtrl FROM PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-crmf2005(36)} -- The import of EncryptedKey is added due to the updates made -- in CMP Updates [thisRFC]]. EncryptedValue does not need to -- be imported anymore and is therefore removed here. -- see also the behavioral clarifications to CRMF codified in -- Appendix C of this specification CertificationRequest FROM PKCS-10 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-10(10) modules(1) pkcs-10(1)} -- (specified in RFC 2986 with 1993 ASN.1 syntax and IMPLICIT -- tags). Alternatively, implementers may directly include -- the [PKCS10] syntax in this module - - localKeyId - FROM PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) - pkcs(1) pkcs-9(9) modules(0) pkcs-9(1)} - -- The import of localKeyId is added due to the updates made in - -- CMP Updates [thisRFC] - EnvelopedData, SignedData FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } -- The import of EnvelopedData and SignedData is added due to -- the updates made in CMP Updates [thisRFC] ; -- the rest of the module contains locally-defined OIDs and 
@@ -1700,23 +1695,35 @@ -- operations, added due to the changes made in -- CMP Updates [thisRFC] -- The EKUs for the CA and RA are reused from CMC as defined in -- [RFC6402] -- -- id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } + -- There is no 1988 ASN.1 module of PKCS#9 available to import the + -- syntax of the localKeyId attribute type and value from. Therefore, + -- the syntax is added here as needed for the updates made in + -- CMP Updates [thisRFC] + + pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) 9} + + pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21} + + localKeyIdValue ::= OCTET STRING + END -- of CMP module -A.2. 2021 ASN.1 Module +A.2. 2002 ASN.1 Module This section contains the updated 2002 ASN.1 module for [RFC5912]. This module replaces the module in Section 9 of that document. The module contains those changes to the normative ASN.1 module from RFC4210 Appendix F [RFC4210] that were to update to 2002 ASN.1 standard done in [RFC5912] as well as changes made in this document. PKIXCMP-2021 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 
@@ -2316,20 +2322,24 @@ -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } END Appendix B. History of changes Note: This appendix will be deleted in the final version of the document. + From version 9 -> 10: + + * Added 1988 ASN.1 syntax for localKeyId attribute to Appendix A.1 + From version 08 -> 09: * Deleted specific definition of CMP CA and CMP RA in Section 2.2 and only reference RFC 6402 for definition of id-kp-cmcCA and id- kp-cmcRA to resolve the ToDo below based on feedback of Tomas Gustavesson * Added Section 2.4. and 2.5 to define id-it-rootCaCert and id-it- certProfile to be used in Section 2.14 and 2.15 * Added reference to CMP Algorithms in Section 2.8 * Extended Section 2.14 to explicitly indicate the root CA an update
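Review bot: In the IMPORTS hunk of A.1, the module identifiers for PKIX1Explicit88 and PKIX1Implicit88 are moved from id-pkix1-explicit-88(1) / id-pkix1-implicit-88(2) to arcs 18 and 19, which are the module OIDs assigned in RFC 5280 (where they are named id-pkix1-explicit(18) and id-pkix1-implicit(19)), but the change carries no explanatory comment even though every other edit to this module is annotated with "-- added due to the updates made in CMP Updates [thisRFC]". Suggest adding a comment such as "-- module identifiers updated to those of RFC 5280" next to both import clauses, and either dropping the "-88" suffix to match the RFC 5280 names or stating that the old names are kept deliberately. The removal of the localKeyId import from a PKCS-9 module is consistent with the later comment that no 1988 PKCS#9 module exists.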
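Review bot: The new assignment "localKeyIdValue ::= OCTET STRING" in A.1 is not valid ASN.1: a type reference must begin with an uppercase letter, so this should read "LocalKeyIdValue ::= OCTET STRING" (and any use of it elsewhere in the module updated accordingly). The OID values themselves match PKCS#9, where localKeyId is {pkcs-9 21} with an OCTET STRING value; for consistency with the import clauses above, the pkcs-9 arc could be written "pkcs-9(9)" rather than a bare "9". In the same hunk, the context sentence "that were to update to 2002 ASN.1 standard done in [RFC5912]" reads awkwardly and could be reworded while the A.2 heading is being corrected.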
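Review bot: The new history entry "From version 9 -> 10" lists only the localKeyId syntax addition, but this revision also changes the module identifiers of the PKIX1Explicit88 and PKIX1Implicit88 imports in Appendix A.1 and corrects the A.2 heading from "2021" to "2002"; both should be recorded so reviewers can find them. Minor: the heading uses "9 -> 10" while the preceding entry uses "08 -> 09"; pick one numbering style.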