--- 1/draft-ietf-lamps-cmp-updates-11.txt 2021-07-09 08:13:16.601310568 -0700 +++ 2/draft-ietf-lamps-cmp-updates-12.txt 2021-07-09 08:13:16.705313167 -0700 @@ -1,19 +1,19 @@ LAMPS Working Group H. Brockhaus Internet-Draft D. von Oheimb Updates: 4210, 5912, 6712 (if approved) Siemens -Intended status: Standards Track 30 June 2021 -Expires: 1 January 2022 +Intended status: Standards Track 9 July 2021 +Expires: 10 January 2022 Certificate Management Protocol (CMP) Updates - draft-ietf-lamps-cmp-updates-11 + draft-ietf-lamps-cmp-updates-12 Abstract This document contains a set of updates to the syntax and transport of Certificate Management Protocol (CMP) version 2. This document updates RFC 4210 and RFC 6712. The aspects of CMP updated in this document are using EnvelopedData instead of EncryptedValue, clarifying the handling of p10cr messages, improving the crypto agility, as well as adding new general message @@ -37,21 +37,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 1 January 2022. + This Internet-Draft will expire on 10 January 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -72,53 +72,53 @@ 2.4. New Section 5.1.1.3. - RootCaCert . . . . . . . . . . . . 7 2.5. New Section 5.1.1.4. - CertProfile . . . . . . . . . . . 8 2.6. Update Section 5.1.3.1. - Shared Secret Information . . . 8 2.7. Replace Section 5.1.3.4 - Multiple Protection . . . . . . 8 2.8. Replace Section 5.2.2. - Encrypted Values . . . . . . . . 9 2.9. Update Section 5.3.4. - Certification Response . . . . . 11 2.10. Update Section 5.3.18. - Certificate Confirmation Content . . . . . . . . . . . . . . . . . . . . . . . . 12 2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 12 2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key - Pair Types . . . . . . . . . . . . . . . . . . . . . . . 12 + Pair Types . . . . . . . . . . . . . . . . . . . . . . . 13 2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13 2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 13 - 2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 13 + 2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 14 2.16. New Section 5.3.19.16 - Certificate Request Template . . 14 - 2.17. Update Section 5.3.22 - Polling Request and Response . . 15 + 2.17. Update Section 5.3.22 - Polling Request and Response . . 16 2.18. Update Section 7 - Version Negotiation . . . . . . . . . 16 2.19. Update Section 7.1.1. - Clients Talking to RFC 2510 Servers . . . . . . . . . . . . . . . . . . . . . . . . 17 2.20. Update Section 9 - IANA Considerations . . . . . . . . . 17 2.21. Update Appendix B - The Use of Revocation Passphrase . . 19 2.22. Update Appendix C - Request Message Behavioral - Clarifications . . . . . . . . . . . . . . . . . . . . . 19 + Clarifications . . . . . . . . . . . . . . . . . . . . . 20 2.23. Update Appendix D.1. - General Rules for Interpretation of These Profiles . . . . . . . . . . . . . . . . . . . . . 20 - 2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 20 + 2.24. Update Appendix D.2. - Algorithm Use Profile . . . . . . 
21 2.25. Update Appendix D.4. - Initial Registration/Certification (Basic Authenticated Scheme) . . . . . . . . . . . . . . 21 3. Updates to RFC 6712 - HTTP Transfer for the Certificate Management Protocol (CMP) . . . . . . . . . . . . . . . . 21 3.1. New Section 1.1. - Changes since RFC 6712 . . . . . . . . 21 - 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 21 + 3.2. Replace Section 3.6. - HTTP Request-URI . . . . . . . . . 22 3.3. Update Section 6. - IANA Considerations . . . . . . . . . 22 - 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 5. Security Considerations . . . . . . . . . . . . . . . . . . . 23 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 7.1. Normative References . . . . . . . . . . . . . . . . . . 23 7.2. Informative References . . . . . . . . . . . . . . . . . 25 - Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 25 - A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 - A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 38 + Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 26 + A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 26 + A.2. 2002 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 39 Appendix B. History of changes . . . . . . . . . . . . . . . . . 51 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 1. Introduction While using CMP [RFC4210] in industrial and IoT environments and developing the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] some limitations were identified in the original CMP specification. This document updates RFC 4210 [RFC4210] and RFC 6712 [RFC6712] to overcome these 
@@ -324,26 +324,34 @@ 2.5. New Section 5.1.1.4. - CertProfile Section 5.1.1 of RFC 4210 [RFC4210] defines the PKIHeader and id-it OIDs to be used in the generalInfo field. This section introduces id-it-certProfile. Insert this section after Section 5.1.1.3: 5.1.1.4. CertProfile - This is used by the EE to indicate a specific certificate profile, + This is used by the EE to indicate specific certificate profiles, e.g., when requesting a new certificate or a certificate request template, see Section 5.3.19.16. id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} - CertProfileValue ::= UTF8String + CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String + + When used in a ir/cr/kur/genm, the value MUST NOT contain more + elements than the number of CertReqMsg or InfoTypeAndValue elements + and the certificate profile names refer to the elements in the given + order. + + When used in a p10cr, the value MUST NOT contain multiple certificate + profile names. 2.6. Update Section 5.1.3.1. - Shared Secret Information Section 5.1.3.1 of RFC 4210 [RFC4210] describes the MAC based protection of a PKIMessage using the algorithm id-PasswordBasedMac. Replace the first paragraph with the following text: In this case, the sender and recipient share secret information with sufficient entropy (established via out-of-band means or from a 
@@ -1696,21 +1706,21 @@ -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- CertReqTemplateValue ::= CertReqTemplateContent -- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- RootCaCertValue ::= CMPCertificate -- - id-it-rootCaCert added in CMP Updates [thisRFC] -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} - -- CertProfileValue ::= UTF8String + -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String -- - id-it-certProfile added in CMP Updates [thisRFC] -- -- where -- -- id-pkix OBJECT IDENTIFIER ::= { -- iso(1) identified-organization(3) -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- and -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- @@ -2307,21 +2319,21 @@ -- id-it-rootCaKeyUpdate OBJECT IDENTIFIER ::= {id-it 18} -- RootCaKeyUpdateValue ::= RootCaKeyUpdateContent -- - id-it-rootCaKeyUpdate added in CMP Updates [thisRFC] -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- CertReqTemplateValue ::= CertReqTemplateContent -- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- RootCaCertValue ::= CMPCertificate -- - id-it-rootCaCert added in CMP Updates [thisRFC] -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} - -- CertProfileValue ::= UTF8String + -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF UTF8String -- - id-it-certProfile added in CMP Updates [thisRFC] -- -- where -- -- id-pkix OBJECT IDENTIFIER ::= { -- iso(1) identified-organization(3) -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- and -- id-it OBJECT IDENTIFIER ::= {id-pkix 4} -- 
@@ -2387,20 +2399,26 @@ -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } END Appendix B. History of changes Note: This appendix will be deleted in the final version of the document. + From version 11 -> 12: + + * Extended Section 2.5 and the ASN.1 modules in Appendix A to allow + a sequence of certificate profiles in CertProfileValue (see thread + "id-it-CertProfile in draft-ietf-lamps-cmp-updates") + From version 10 -> 11: * Add Section 2.10 to add an additional hashAlg field to the CertStatus type to support certificates signed with a signature algorithm not explicitly indicating a hash algorithm in the AlgorithmIdentifier (see thread "Hash algorithm to us for calculating certHash") * Added newly registered OIDs and temporarily registered URI suffix * Exchanged the import of CertificationRequest from RFC 2986 to the definition from RFC 6402 Appendix A.1 (see thread "CMP Update of
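Review bot: In the Section 2.5 hunk (@@ -324,26 +324,34 @@), the new rule for ir/cr/kur/genm only bounds the list from above ("MUST NOT contain more elements than the number of CertReqMsg or InfoTypeAndValue elements"), so the case of fewer profile names than request elements is left undefined. Because the names "refer to the elements in the given order", a sender cannot name a profile for a later element without also naming one for every earlier element, and the text does not say which profile applies to trailing elements that have no name. Suggest either requiring the counts to match or stating the behaviour for unmatched elements, and saying whether an empty UTF8String is a permitted placeholder. The text should also state what a receiver does when either MUST NOT is violated, including a p10cr carrying more than one name, since this value is how the EE indicates which certificate profile it is asking for. Nit: "a ir" should read "an ir".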
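Review bot: In the two Appendix A hunks (@@ -1696,21 +1706,21 @@ and @@ -2307,21 +2319,21 @@), CertProfileValue changes from UTF8String to SEQUENCE SIZE (1..MAX) OF UTF8String while the identifier stays {id-it 21}, so a value encoded with the -11 syntax will not decode under the -12 syntax, and the reverse. The history entry in the last hunk describes this only as "Extended ... to allow a sequence of certificate profiles"; suggest saying there that the encoding of id-it-certProfile changed and is not compatible with the previous draft version. The definition is also repeated in Section 2.5 and in the commented lists of both modules; the three copies agree in this revision, but the module copies are ASN.1 comments ("--"), so nothing will flag them if they drift from Section 2.5 in a later revision.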