draft-ietf-lamps-rfc7030est-clarify-00.txt   draft-ietf-lamps-rfc7030est-clarify-01.txt 
LAMPS Working Group M. Richardson LAMPS Working Group M. Richardson
Internet-Draft Sandelman Software Works Internet-Draft Sandelman Software Works
Intended status: Standards Track T. Werner Intended status: Standards Track T. Werner
Expires: July 6, 2020 Siemens Expires: September 6, 2020 Siemens
W. Pan W. Pan
Huawei Technologies Huawei Technologies
January 03, 2020 March 05, 2020
Clarification of Enrollment over Secure Transport (EST): transfer Clarification of Enrollment over Secure Transport (EST): transfer
encodings and ASN.1 encodings and ASN.1
draft-ietf-lamps-rfc7030est-clarify-00 draft-ietf-lamps-rfc7030est-clarify-01
Abstract Abstract
This document updates RFC7030: Enrollment over Secure Transport (EST) This document updates RFC7030: Enrollment over Secure Transport (EST)
to resolve some errata that was reported, and which has proven to to resolve some errata that was reported, and which has proven to
have interoperability when RFC7030 has been extended. have interoperability when RFC7030 has been extended.
This document deprecates the specification of "Content-Transfer- This document deprecates the specification of "Content-Transfer-
Encoding" headers for EST endpoints, providing a way to do this in an Encoding" headers for EST endpoints, providing a way to do this in an
upward compatible way. This document fixes some syntactical errors upward compatible way. This document fixes some syntactical errors
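Review bot: the abstract's second sentence is ungrammatical in both columns and should be corrected in -01: "errata that was reported, and which has proven to have interoperability when RFC7030 has been extended" uses a singular verb with the plural "errata" and is missing the noun that "interoperability" qualifies. Suggested wording: "to resolve some errata that were reported, and which have proven to cause interoperability problems when RFC7030 has been extended."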
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 6, 2020. This Internet-Draft will expire on September 6, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 3. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
4. Changes to EST endpoint processing . . . . . . . . . . . . . 3 4. Changes to EST endpoint processing . . . . . . . . . . . . . 3
5. Clarification of ASN.1 for Certificate Attribute set. . . . . 4 5. Clarification of ASN.1 for Certificate Attribute set. . . . . 4
5.1. CSR Attributes Response . . . . . . . . . . . . . . . . . 4 5.1. CSR Attributes Response . . . . . . . . . . . . . . . . . 4
6. Clarification of error messages for certificate enrollment 6. Clarification of error messages for certificate enrollment
operations . . . . . . . . . . . . . . . . . . . . . . . . . 6 operations . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Updating section 4.2.3: Simple Enroll and Re-enroll
Response . . . . . . . . . . . . . . . . . . . . . . . . 6
6.2. Updating section 4.4.2: Server-Side Key Generation
Response . . . . . . . . . . . . . . . . . . . . . . . . 6
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 10.1. Normative References . . . . . . . . . . . . . . . . . . 7
11.1. Normative References . . . . . . . . . . . . . . . . . . 6 10.2. Informative References . . . . . . . . . . . . . . . . . 8
11.2. Informative References . . . . . . . . . . . . . . . . . 7 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
[RFC7030] defines the Enrollment over Secure Transport, or EST [RFC7030] defines the Enrollment over Secure Transport, or EST
protocol. protocol.
This specification defines a number of HTTP end points for This specification defines a number of HTTP end points for
certificate enrollment and management. The details of the certificate enrollment and management. The details of the
transaction were defined in terms of MIME headers as defined in transaction were defined in terms of MIME headers as defined in
[RFC2045], rather than in terms of the HTTP protocol as defined in [RFC2045], rather than in terms of the HTTP protocol as defined in
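Review bot: the -01 table of contents drops the "IANA Considerations" entry and renumbers Acknowledgements and References to 9 and 10, yet the IANA request text is still in the body (it now sits inside the Security Considerations paragraph of section 8), so the entry was lost rather than deliberately removed. Restore the heading in the source and regenerate the TOC so that "9. IANA Considerations", "10. Acknowledgements" and "11. References" reappear as in -00, with the page numbers updated.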
skipping to change at page 6, line 8 skipping to change at page 6, line 8
2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03 03 ~~~ 2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03 03 ~~~
and then base64 encodes the resulting ASN.1 SEQUENCE to produce: and then base64 encodes the resulting ASN.1 SEQUENCE to produce:
MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ
BgcrBgEBAQEWBggqhkjOPQQDAw== BgcrBgEBAQEWBggqhkjOPQQDAw==
6. Clarification of error messages for certificate enrollment 6. Clarification of error messages for certificate enrollment
operations operations
errata 5108. [errata5108] clarifies what format the error messages are to be in.
Previously a client might be confused into believing that an error
returned with type text/plain was not intended to be an error.
6.1. Updating section 4.2.3: Simple Enroll and Re-enroll Response
Replace:
If the content-type is not set, the response data MUST be a
plaintext human-readable error message containing explanatory
information describing why the request was rejected (for
example, indicating that CSR attributes are incomplete).
with:
If the content-type is not set, the response data must be a
plaintext human-readable error message containing explanatory
information describing why the request was rejected (for
example, indicating that CSR attributes are incomplete).
Servers MAY use the "text/plain" content-type [RFC2046]
for human-readable errors.
6.2. Updating section 4.4.2: Server-Side Key Generation Response
Replace:
If the content-type is not set, the response data MUST be a
plaintext human-readable error message.
with:
If the content-type is not set, the response data must be a
plaintext human-readable error message.
Servers MAY use the "text/plain" content-type [RFC2046]
for human-readable errors.
7. Privacy Considerations 7. Privacy Considerations
This document does not disclose any additional identifies to either This document does not disclose any additional identifies to either
active or passive observer would see with [RFC7030]. active or passive observer would see with [RFC7030].
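Review bot: in both replacement texts of 6.1 and 6.2 the original "MUST be a plaintext human-readable error message" becomes lowercase "must", which turns an RFC 2119 requirement into ordinary prose without the text saying so; if the downgrade is intended because the new sentence "Servers MAY use the "text/plain" content-type [RFC2046] for human-readable errors" now carries the normative weight, state that in the section 6 lead-in, otherwise keep "MUST". While in this area, the unchanged Privacy Considerations sentence ("does not disclose any additional identifies to either active or passive observer would see with [RFC7030]") needs "identities" and a verb, for example "does not disclose any additional identities beyond what an active or passive observer would see with [RFC7030]".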
8. Security Considerations 8. Security Considerations
This document clarifies an existing security mechanism. An option is This document clarifies an existing security mechanism. # IANA
introduced to the security mechanism using an implicit negotiation. Considerations
9. IANA Considerations
The ASN.1 module in Appendix A of this doucment makes use of object The ASN.1 module in Appendix A of this doucment makes use of object
identifiers (OIDs). This document requests that IANA register an OID identifiers (OIDs). This document requests that IANA register an OID
in the SMI Security for PKIX Arc in the Module identifiers subarc in the SMI Security for PKIX Arc in the Module identifiers subarc
(1.3.6.1.5.5.7.0) for the ASN.1 module. The OID for the Asymmetric (1.3.6.1.5.5.7.0) for the ASN.1 module. The OID for the Asymmetric
Decryption Key Identifier (1.2.840.113549.1.9.16.2.54) was previously Decryption Key Identifier (1.2.840.113549.1.9.16.2.54) was previously
defined in [RFC7030]. IANA is requested to update the "Reference" defined in [RFC7030].
column for the Asymmetric Decryption Key Identifier attribute to also
include a reference to this doducment.
10. Acknowledgements IANA is requested to update the "Reference" column for the Asymmetric
Decryption Key Identifier attribute to also include a reference to
this doducment.
9. Acknowledgements
This work was supported by the Huawei Technologies. This work was supported by the Huawei Technologies.
The ASN.1 Module was assembled by Russ Housley and formatted by Sean The ASN.1 Module was assembled by Russ Housley and formatted by Sean
Turner. Turner.
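Review bot: the -01 Security Considerations text reads "This document clarifies an existing security mechanism. # IANA Considerations", so the IANA Considerations heading has been swallowed into the preceding paragraph (presumably a missing blank line before the "# IANA Considerations" heading in the source), and the -00 sentence "An option is introduced to the security mechanism using an implicit negotiation." has vanished with it. Put the heading back on its own line, confirm whether that sentence was meant to be deleted, and fix "doucment" and "doducment" (present in both columns) to "document" while editing this block.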
11. References 10. References
11.1. Normative References 10.1. Normative References
[I-D.ietf-anima-bootstrapping-keyinfra] [I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Eckert, T., Behringer, M., Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-32 (work in progress), December 2019. keyinfra-37 (work in progress), February 2020.
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
<https://www.rfc-editor.org/info/rfc2045>. <https://www.rfc-editor.org/info/rfc2045>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
skipping to change at page 7, line 44 skipping to change at page 8, line 34
[X683] ITU-T, "Information technology - Abstract Syntax Notation [X683] ITU-T, "Information technology - Abstract Syntax Notation
One: Parameterization of ASN.1 Specifications.", ISO/ One: Parameterization of ASN.1 Specifications.", ISO/
IEC 8824-2:2002, 2002. IEC 8824-2:2002, 2002.
[X690] ITU-T, "Information technology - ASN.1 encoding Rules: [X690] ITU-T, "Information technology - ASN.1 encoding Rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER).", ISO/IEC 8825-1:2002, 2002. (DER).", ISO/IEC 8825-1:2002, 2002.
11.2. Informative References 10.2. Informative References
[errata4384] [errata4384]
"EST errata 4384: ASN.1 encoding error", n.d., "EST errata 4384: ASN.1 encoding error", n.d.,
<https://www.rfc-editor.org/errata/eid4384>. <https://www.rfc-editor.org/errata/eid4384>.
[errata5107] [errata5107]
"EST errata 5107: use Content-Transfer-Encoding", n.d., "EST errata 5107: use Content-Transfer-Encoding", n.d.,
<https://www.rfc-editor.org/errata/eid5107>. <https://www.rfc-editor.org/errata/eid5107>.
[errata5108] [errata5108]
 End of changes. 14 change blocks. 
25 lines changed or deleted 62 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/