draft-ietf-lamps-cmp-updates-18.txt   draft-ietf-lamps-cmp-updates-19.txt 
LAMPS Working Group H. Brockhaus, Ed. LAMPS Working Group H. Brockhaus, Ed.
Internet-Draft D. von Oheimb Internet-Draft D. von Oheimb
Updates: 4210, 5912, 6712 (if approved) Siemens Updates: 4210, 5912, 6712 (if approved) Siemens
Intended status: Standards Track J. Gray Intended status: Standards Track J. Gray
Expires: 8 October 2022 Entrust Expires: 26 November 2022 Entrust
6 April 2022 25 May 2022
Certificate Management Protocol (CMP) Updates Certificate Management Protocol (CMP) Updates
draft-ietf-lamps-cmp-updates-18 draft-ietf-lamps-cmp-updates-19
Abstract Abstract
This document contains a set of updates to the syntax and transfer of This document contains a set of updates to the syntax and transfer of
Certificate Management Protocol (CMP) version 2. This document Certificate Management Protocol (CMP) version 2. This document
updates RFC 4210, RFC 5912, and RFC 6712. updates RFC 4210, RFC 5912, and RFC 6712.
The aspects of CMP updated in this document are using EnvelopedData The aspects of CMP updated in this document are using EnvelopedData
instead of EncryptedValue, clarifying the handling of p10cr messages, instead of EncryptedValue, clarifying the handling of p10cr messages,
improving the crypto agility, as well as adding new general message improving the crypto agility, as well as adding new general message
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 October 2022. This Internet-Draft will expire on 26 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 45 skipping to change at page 2, line 45
Content . . . . . . . . . . . . . . . . . . . . . . . . 12 Content . . . . . . . . . . . . . . . . . . . . . . . . 12
2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 13 2.11. Update Section 5.3.19.2. - Signing Key Pair Types . . . . 13
2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key 2.12. Update Section 5.3.19.3. - Encryption/Key Agreement Key
Pair Types . . . . . . . . . . . . . . . . . . . . . . . 13 Pair Types . . . . . . . . . . . . . . . . . . . . . . . 13
2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13 2.13. Replace Section 5.3.19.9. - Revocation Passphrase . . . . 13
2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 14 2.14. New Section 5.3.19.14 - CA Certificates . . . . . . . . . 14
2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 14 2.15. New Section 5.3.19.15 - Root CA Certificate Update . . . 14
2.16. New Section 5.3.19.16 - Certificate Request Template . . 15 2.16. New Section 5.3.19.16 - Certificate Request Template . . 15
2.17. New Section 5.3.19.17 - CRL Update Retrieval . . . . . . 16 2.17. New Section 5.3.19.17 - CRL Update Retrieval . . . . . . 16
2.18. Update Section 5.3.21 - Error Message Content . . . . . . 17 2.18. Update Section 5.3.21 - Error Message Content . . . . . . 17
2.19. Replace Section 5.3.22 - Polling Request and Response . . 18 2.19. Replace Section 5.3.22 - Polling Request and Response . . 17
2.20. Update Section 7 - Version Negotiation . . . . . . . . . 22 2.20. Update Section 7 - Version Negotiation . . . . . . . . . 22
2.21. Update Section 7.1.1. - Clients Talking to RFC 2510 2.21. Update Section 7.1.1. - Clients Talking to RFC 2510
Servers . . . . . . . . . . . . . . . . . . . . . . . . 24 Servers . . . . . . . . . . . . . . . . . . . . . . . . 24
2.22. Add Section 8.4 - Private Keys for Certificate Signing and 2.22. Add Section 8.4 - Private Keys for Certificate Signing and
CMP Message Protection . . . . . . . . . . . . . . . . . 24 CMP Message Protection . . . . . . . . . . . . . . . . . 24
2.23. Add Section 8.5 - Entropy of Random Numbers, Key Pairs, and 2.23. Add Section 8.5 - Entropy of Random Numbers, Key Pairs, and
Shared Secret Information . . . . . . . . . . . . . . . 24 Shared Secret Information . . . . . . . . . . . . . . . 24
2.24. Add Section 8.6 - Trust Anchor Provisioning Using CMP 2.24. Add Section 8.6 - Trust Anchor Provisioning Using CMP
Messages . . . . . . . . . . . . . . . . . . . . . . . . 25 Messages . . . . . . . . . . . . . . . . . . . . . . . . 25
skipping to change at page 17, line 8 skipping to change at page 17, line 8
This MAY be used by the client to get new CRLs, specifying the source This MAY be used by the client to get new CRLs, specifying the source
of the CRLs and the thisUpdate value of the latest CRL it already of the CRLs and the thisUpdate value of the latest CRL it already
has, if available. A CRL source is given either by a has, if available. A CRL source is given either by a
DistributionPointName or the GeneralNames of the issuing CA. The DistributionPointName or the GeneralNames of the issuing CA. The
DistributionPointName should be treated as an internal pointer to DistributionPointName should be treated as an internal pointer to
identify a CRL that the server already has and not as a way to ask identify a CRL that the server already has and not as a way to ask
the server to fetch CRLs from external locations. The server shall the server to fetch CRLs from external locations. The server shall
provide only those CRLs that are more recent than the ones indicated provide only those CRLs that are more recent than the ones indicated
by the client. by the client.
GenMsg: {id-it TBD1}, SEQUENCE SIZE (1..MAX) OF CRLStatus GenMsg: {id-it 22}, SEQUENCE SIZE (1..MAX) OF CRLStatus
GenRep: {id-it TBD2}, SEQUENCE SIZE (1..MAX) OF GenRep: {id-it 23}, SEQUENCE SIZE (1..MAX) OF
CertificateList | < absent > CertificateList | < absent >
CRLSource ::= CHOICE { CRLSource ::= CHOICE {
dpn [0] DistributionPointName, dpn [0] DistributionPointName,
issuer [1] GeneralNames } issuer [1] GeneralNames }
CRLStatus ::= SEQUENCE { CRLStatus ::= SEQUENCE {
source CRLSource, source CRLSource,
thisUpdate Time OPTIONAL } thisUpdate Time OPTIONAL }
< TBD: Add requested OIDs for id-it-crlStatusList (TBD1) and id-it-
crls (TBD2). >
2.18. Update Section 5.3.21 - Error Message Content 2.18. Update Section 5.3.21 - Error Message Content
Section 5.3.21 of RFC 4210 [RFC4210] describes the regular use of Section 5.3.21 of RFC 4210 [RFC4210] describes the regular use of
error messages. This document adds a use by a PKI management entity error messages. This document adds a use by a PKI management entity
to initiate delayed delivery in response to certConf, rr, and genm to initiate delayed delivery in response to certConf, rr, and genm
requests and to error messages. requests and to error messages.
Replace the first sentence of the first paragraph with the following Replace the first sentence of the first paragraph with the following
one: one:
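Review bot: In the CRL Update Retrieval paragraph, "should be treated as an internal pointer" and "The server shall provide only those CRLs" are lowercase, while the same paragraph opens with an uppercase "MAY", so the two constraints read as non-normative next to it. The statement that a DistributionPointName is not a way to ask the server to fetch CRLs from external locations is the security-relevant part of this text, since it keeps a client-supplied name from steering outbound requests by the server. Suggest uppercase "SHOULD" and "SHALL" there (or a "MUST NOT" for the external fetch) so implementers treat both as requirements.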
skipping to change at page 27, line 25 skipping to change at page 27, line 25
| 17 | id-it-caCerts | [thisRFC] | | 17 | id-it-caCerts | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| 18 | id-it-rootCaKeyUpdate | [thisRFC] | | 18 | id-it-rootCaKeyUpdate | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| 19 | id-it-certReqTemplate | [thisRFC] | | 19 | id-it-certReqTemplate | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| 20 | id-it-rootCaCert | [thisRFC] | | 20 | id-it-rootCaCert | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| 21 | id-it-certProfile | [thisRFC] | | 21 | id-it-certProfile | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| TBD1 | id-it-crlStatusList | [thisRFC] | | 22 | id-it-crlStatusList | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
| TBD2 | id-it-crls | [thisRFC] | | 23 | id-it-crls | [thisRFC] |
+---------+-----------------------+------------+ +---------+-----------------------+------------+
Table 2: Addition to the PKIX CMP Table 2: Addition to the PKIX CMP
Information Types Registry Information Types Registry
< TBD: Add requested OIDs for id-it-crlStatusList (TBD1) and id-it-
crls (TBD2). >
In the SMI-numbers registry " SMI Security for PKIX CRMF Registration In the SMI-numbers registry " SMI Security for PKIX CRMF Registration
Controls (1.3.6.1.5.5.7.5.1)" (see https://www.iana.org/assignments/ Controls (1.3.6.1.5.5.7.5.1)" (see https://www.iana.org/assignments/
smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.5.1) as smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.5.1) as
defined in RFC 7299 [RFC7299] two additions have been performed. defined in RFC 7299 [RFC7299] two additions have been performed.
Two new entries have been added: Two new entries have been added:
+=========+======================+============+ +=========+======================+============+
| Decimal | Description | References | | Decimal | Description | References |
+=========+======================+============+ +=========+======================+============+
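Review bot: In the paragraph after Table 2, "two additions have been performed." is followed directly by "Two new entries have been added:", which says the same thing twice, and the registry name opens with a stray space inside the quotation mark (`" SMI Security for PKIX CRMF Registration Controls`). Suggest dropping one of the two sentences and removing the space. The values 22 and 23 for id-it-crlStatusList and id-it-crls agree with the GenMsg/GenRep definitions in Section 2.17 and with the ASN.1 comments.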
skipping to change at page 32, line 35 skipping to change at page 32, line 35
This document defines a new entry with the following content in the This document defines a new entry with the following content in the
"Well-Known URIs" registry (see https://www.iana.org/assignments/ "Well-Known URIs" registry (see https://www.iana.org/assignments/
well-known-uris/) as defined in RFC 8615 [RFC8615]. well-known-uris/) as defined in RFC 8615 [RFC8615].
URI Suffix: cmp URI Suffix: cmp
Change Controller: IETF Change Controller: IETF
References: [thisRFC] [I-D.ietf-ace-cmpv2-coap-transport] References: [thisRFC] [I-D.ietf-ace-cmpv2-coap-transport]
Related Information: CMP has a sub-registry at Related Information: CMP has a sub-registry at
[https://www.iana.org/assignments/cmp/] [https://www.iana.org/assignments/cmp/]
< TBD: The temporary registration of cmp URI suffix must be updated
from provisional to permanent. >
6.2. CMP Well-Known URI Registry 6.2. CMP Well-Known URI Registry
This document defines a new protocol registry group entitled This document defines a new protocol registry group entitled
"Certificate Management Protocol (CMP)" (at "Certificate Management Protocol (CMP)" (at
https://www.iana.org/assignments/cmp/) with a new registry "CMP Well- https://www.iana.org/assignments/cmp/) with a new registry "CMP Well-
Known URI Path Segments" containing three columns: Path Segment, Known URI Path Segments" containing three columns: Path Segment,
Description, and Reference. New items can be added using the Description, and Reference. New items can be added using the
Specification Required RFC 8615 [RFC8615] process. The initial Specification Required RFC 8615 [RFC8615] process. The initial
contents of this registry is: contents of this registry is:
Path Segment: p Path Segment: p
Description: Indicates that the next path segment specifies, e.g., Description: Indicates that the next path segment specifies, e.g.,
a CA or certificate profile name a CA or certificate profile name
References: [thisRFC] [I-D.ietf-ace-cmpv2-coap-transport] References: [thisRFC] [I-D.ietf-ace-cmpv2-coap-transport]
< TBD: A new protocol registry group "Certificate Management Protocol
(CMP)" (at https://www.iana.org/assignments/cmp) and an initial entry
'p' must be registered. >
4. IANA Considerations 4. IANA Considerations
This document contains an update to the IANA Consideration sections This document contains an update to the IANA Consideration sections
to be added to [RFC4210] and [RFC6712]. to be added to [RFC4210] and [RFC6712].
This document updates the ASN.1 modules of RFC 4210 Appendix F This document updates the ASN.1 modules of RFC 4210 Appendix F
[RFC4210] and RFC 5912 Section 9 [RFC5912]. The OIDs 99 (id-mod- [RFC4210] and RFC 5912 Section 9 [RFC5912]. The OIDs 99 (id-mod-
cmp2021-88) and 100 (id-mod-cmp2021-02) were registered in the SMI cmp2021-88) and 100 (id-mod-cmp2021-02) were registered in the SMI
Security for PKIX Module Identifier registry to identify the updated Security for PKIX Module Identifier registry to identify the updated
ASN.1 modules. ASN.1 modules.
< TBD: The temporary registration of cmp URI suffix expires
2022-05-20. The registration must be extended in time or update from
provisional to permanent. >
< TBD: New protocol registry group "Certificate Management Protocol
(CMP)" (at https://www.iana.org/assignments/cmp) and new registry
"CMP Well-Known URI Path Segments" with the initial entry 'p' must be
registered at IANA. >
5. Security Considerations 5. Security Considerations
The security considerations of RFC 4210 [RFC4210] are extended in The security considerations of RFC 4210 [RFC4210] are extended in
Section 2.22 to Section 2.24. No changes are made to the existing Section 2.22 to Section 2.24. No changes are made to the existing
security considerations of RFC 6712 [RFC6712]. security considerations of RFC 6712 [RFC6712].
6. Acknowledgements 6. Acknowledgements
Special thank goes to Jim Schaad for his guidance and the inspiration Special thank goes to Jim Schaad for his guidance and the inspiration
on structuring and writing this document we got from [RFC6402] which on structuring and writing this document we got from [RFC6402] which
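Review bot: The TBD notes under 6.1 and 6.2 and the two TBD notes at the end of Section 4 describe the same two IANA actions (making the cmp URI suffix registration permanent, and creating the "Certificate Management Protocol (CMP)" registry group with the initial entry 'p'), and only the Section 4 copy carries the 2022-05-20 expiry, which is earlier than the 25 May 2022 date of -19. Suggest keeping the note in one place only and wording it so that it does not depend on a date that has already passed. In 6.2, "The initial contents of this registry is:" should read "are".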
skipping to change at page 34, line 9 skipping to change at page 34, line 9
Sahni, M. and S. Tripathi, "CoAP Transfer for the Sahni, M. and S. Tripathi, "CoAP Transfer for the
Certificate Management Protocol", Work in Progress, Certificate Management Protocol", Work in Progress,
Internet-Draft, draft-ietf-ace-cmpv2-coap-transport-04, 8 Internet-Draft, draft-ietf-ace-cmpv2-coap-transport-04, 8
November 2021, <https://datatracker.ietf.org/doc/html/ November 2021, <https://datatracker.ietf.org/doc/html/
draft-ietf-ace-cmpv2-coap-transport-04>. draft-ietf-ace-cmpv2-coap-transport-04>.
[I-D.ietf-lamps-cmp-algorithms] [I-D.ietf-lamps-cmp-algorithms]
Brockhaus, H., Aschauer, H., Ounsworth, M., and J. Gray, Brockhaus, H., Aschauer, H., Ounsworth, M., and J. Gray,
"Certificate Management Protocol (CMP) Algorithms", Work "Certificate Management Protocol (CMP) Algorithms", Work
in Progress, Internet-Draft, draft-ietf-lamps-cmp- in Progress, Internet-Draft, draft-ietf-lamps-cmp-
algorithms-12, 6 April 2022, algorithms-13, 13 May 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps- <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
cmp-algorithms-12>. cmp-algorithms-13>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key [RFC2510] Adams, C. and S. Farrell, "Internet X.509 Public Key
Infrastructure Certificate Management Protocols", Infrastructure Certificate Management Protocols",
RFC 2510, DOI 10.17487/RFC2510, March 1999, RFC 2510, DOI 10.17487/RFC2510, March 1999,
<https://www.rfc-editor.org/info/rfc2510>. <https://www.rfc-editor.org/info/rfc2510>.
skipping to change at page 36, line 22 skipping to change at page 36, line 22
[CVE-2008-0166] [CVE-2008-0166]
National Institute of Science and Technology (NIST), National Institute of Science and Technology (NIST),
"National Vulnerability Database - CVE-2008-0166", 13 May "National Vulnerability Database - CVE-2008-0166", 13 May
2008, <https://nvd.nist.gov/vuln/detail/CVE-2008-0166>. 2008, <https://nvd.nist.gov/vuln/detail/CVE-2008-0166>.
[I-D.ietf-lamps-lightweight-cmp-profile] [I-D.ietf-lamps-lightweight-cmp-profile]
Brockhaus, H., Oheimb, D. V., and S. Fries, "Lightweight Brockhaus, H., Oheimb, D. V., and S. Fries, "Lightweight
Certificate Management Protocol (CMP) Profile", Work in Certificate Management Protocol (CMP) Profile", Work in
Progress, Internet-Draft, draft-ietf-lamps-lightweight- Progress, Internet-Draft, draft-ietf-lamps-lightweight-
cmp-profile-10, 1 February 2022, cmp-profile-12, 13 May 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps- <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
lightweight-cmp-profile-10>. lightweight-cmp-profile-12>.
[IEEE.802.1AR_2018] [IEEE.802.1AR_2018]
IEEE, "IEEE Standard for Local and metropolitan area IEEE, "IEEE Standard for Local and metropolitan area
networks - Secure Device Identity", IEEE 802.1AR-2018, networks - Secure Device Identity", IEEE 802.1AR-2018,
DOI 10.1109/IEEESTD.2018.8423794, 2 August 2018, DOI 10.1109/IEEESTD.2018.8423794, 2 August 2018,
<https://ieeexplore.ieee.org/document/8423794>. <https://ieeexplore.ieee.org/document/8423794>.
[ISO.20543-2019] [ISO.20543-2019]
International Organization for Standardization (ISO), International Organization for Standardization (ISO),
"Information technology -- Security techniques -- Test and "Information technology -- Security techniques -- Test and
skipping to change at page 49, line 20 skipping to change at page 49, line 20
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent -- CertReqTemplateValue ::= CertReqTemplateContent
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- - id-it-certReqTemplate added in CMP Updates [thisRFC]
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20}
-- RootCaCertValue ::= CMPCertificate -- RootCaCertValue ::= CMPCertificate
-- - id-it-rootCaCert added in CMP Updates [thisRFC] -- - id-it-rootCaCert added in CMP Updates [thisRFC]
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
-- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF
-- UTF8String -- UTF8String
-- - id-it-certProfile added in CMP Updates [thisRFC] -- - id-it-certProfile added in CMP Updates [thisRFC]
-- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it TBD1} -- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it 22}
-- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF
-- CRLStatus -- CRLStatus
-- - id-it-crlStatusList added in CMP Updates [thisRFC] -- - id-it-crlStatusList added in CMP Updates [thisRFC]
-- id-it-crls OBJECT IDENTIFIER ::= {id-it TBD2} -- id-it-crls OBJECT IDENTIFIER ::= {id-it 23}
-- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF
-- CertificateList -- CertificateList
-- - id-it-crls added in CMP Updates [thisRFC] -- - id-it-crls added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
skipping to change at page 62, line 48 skipping to change at page 62, line 48
-- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19} -- id-it-certReqTemplate OBJECT IDENTIFIER ::= {id-it 19}
-- CertReqTemplateValue ::= CertReqTemplateContent -- CertReqTemplateValue ::= CertReqTemplateContent
-- - id-it-certReqTemplate added in CMP Updates [thisRFC] -- - id-it-certReqTemplate added in CMP Updates [thisRFC]
-- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20} -- id-it-rootCaCert OBJECT IDENTIFIER ::= {id-it 20}
-- RootCaCertValue ::= CMPCertificate -- RootCaCertValue ::= CMPCertificate
-- - id-it-rootCaCert added in CMP Updates [thisRFC] -- - id-it-rootCaCert added in CMP Updates [thisRFC]
-- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21} -- id-it-certProfile OBJECT IDENTIFIER ::= {id-it 21}
-- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF -- CertProfileValue ::= SEQUENCE SIZE (1..MAX) OF
-- UTF8String -- UTF8String
-- - id-it-certProfile added in CMP Updates [thisRFC] -- - id-it-certProfile added in CMP Updates [thisRFC]
-- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it TBD1} -- id-it-crlStatusList OBJECT IDENTIFIER ::= {id-it 22}
-- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLStatusListValue ::= SEQUENCE SIZE (1..MAX) OF
-- CRLStatus -- CRLStatus
-- - id-it-crlStatusList added in CMP Updates [thisRFC] -- - id-it-crlStatusList added in CMP Updates [thisRFC]
-- id-it-crls OBJECT IDENTIFIER ::= {id-it TBD2} -- id-it-crls OBJECT IDENTIFIER ::= {id-it 23}
-- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF -- CRLsValue ::= SEQUENCE SIZE (1..MAX) OF
-- CertificateList -- CertificateList
-- - id-it-crls added in CMP Updates [thisRFC] -- - id-it-crls added in CMP Updates [thisRFC]
-- --
-- where -- where
-- --
-- id-pkix OBJECT IDENTIFIER ::= { -- id-pkix OBJECT IDENTIFIER ::= {
-- iso(1) identified-organization(3) -- iso(1) identified-organization(3)
-- dod(6) internet(1) security(5) mechanisms(5) pkix(7)} -- dod(6) internet(1) security(5) mechanisms(5) pkix(7)}
-- and -- and
skipping to change at page 64, line 39 skipping to change at page 64, line 39
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of Changes Appendix B. History of Changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 18 -> 19:
* Deleted the Comments on IANA ToDos and changed the decimals TBD1
-> 22 and TBD2 -> 23
* Updated Section 3.4 regarding ToDos updating the well-known URI
registration.
From version 17 -> 18: From version 17 -> 18:
* Addressed comments from AD Evaluation (see thread "AD Review of * Addressed comments from AD Evaluation (see thread "AD Review of
draft-ietf-lamps-cmp-updates-17") draft-ietf-lamps-cmp-updates-17")
* Added Section 2.8 to clarify on the usage of GeneralizedTime (see * Added Section 2.8 to clarify on the usage of GeneralizedTime (see
thread "draft-ietf-lamps-cmp-updates: fractional seconds") thread "draft-ietf-lamps-cmp-updates: fractional seconds")
* Updated Section 3.4 introducing the path segment 'p' to indicate * Updated Section 3.4 introducing the path segment 'p' to indicate
the following arbitrary label according to the discussion during the following arbitrary label according to the discussion during
IETF 113 (see thread "/.well-known/brski reference to brski- IETF 113 (see thread "/.well-known/brski reference to brski-
registry") registry")
* Capitalized all headlines * Capitalized all headlines
From version 16 -> 17: From version 16 -> 17:
* Removed the pre-RFC5378 work disclaimer after the RFC 4210 authors * Removed the pre-RFC5378 work disclaimer after the RFC 4210 authors
granted BCP78 rights to the IETF Trust granted BCP78 rights to the IETF Trust
 End of changes. 22 change blocks. 
32 lines changed or deleted 32 lines changed or added
