draft-ietf-lamps-rfc7030est-clarify-00.txt | draft-ietf-lamps-rfc7030est-clarify-01.txt | |||
---|---|---|---|---|
LAMPS Working Group M. Richardson | LAMPS Working Group M. Richardson | |||
Internet-Draft Sandelman Software Works | Internet-Draft Sandelman Software Works | |||
Intended status: Standards Track T. Werner | Intended status: Standards Track T. Werner | |||
Expires: July 6, 2020 Siemens | Expires: September 6, 2020 Siemens | |||
W. Pan | W. Pan | |||
Huawei Technologies | Huawei Technologies | |||
January 03, 2020 | March 05, 2020 | |||
Clarification of Enrollment over Secure Transport (EST): transfer | Clarification of Enrollment over Secure Transport (EST): transfer | |||
encodings and ASN.1 | encodings and ASN.1 | |||
draft-ietf-lamps-rfc7030est-clarify-00 | draft-ietf-lamps-rfc7030est-clarify-01 | |||
Abstract | Abstract | |||
This document updates RFC7030: Enrollment over Secure Transport (EST) | This document updates RFC7030: Enrollment over Secure Transport (EST) | |||
to resolve some errata that was reported, and which has proven to | to resolve some errata that was reported, and which has proven to | |||
have interoperability when RFC7030 has been extended. | have interoperability when RFC7030 has been extended. | |||
This document deprecates the specification of "Content-Transfer- | This document deprecates the specification of "Content-Transfer- | |||
Encoding" headers for EST endpoints, providing a way to do this in an | Encoding" headers for EST endpoints, providing a way to do this in an | |||
upward compatible way. This document fixes some syntactical errors | upward compatible way. This document fixes some syntactical errors | |||
skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on July 6, 2020. | This Internet-Draft will expire on September 6, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 3. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | |||
4. Changes to EST endpoint processing . . . . . . . . . . . . . 3 | 4. Changes to EST endpoint processing . . . . . . . . . . . . . 3 | |||
5. Clarification of ASN.1 for Certificate Attribute set. . . . . 4 | 5. Clarification of ASN.1 for Certificate Attribute set. . . . . 4 | |||
5.1. CSR Attributes Response . . . . . . . . . . . . . . . . . 4 | 5.1. CSR Attributes Response . . . . . . . . . . . . . . . . . 4 | |||
6. Clarification of error messages for certificate enrollment | 6. Clarification of error messages for certificate enrollment | |||
operations . . . . . . . . . . . . . . . . . . . . . . . . . 6 | operations . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
6.1. Updating section 4.2.3: Simple Enroll and Re-enroll | ||||
Response . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
6.2. Updating section 4.4.2: Server-Side Key Generation | ||||
Response . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | |||
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
11.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 10.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
11.2. Informative References . . . . . . . . . . . . . . . . . 7 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 9 | |||
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
1. Introduction | 1. Introduction | |||
[RFC7030] defines the Enrollment over Secure Transport, or EST | [RFC7030] defines the Enrollment over Secure Transport, or EST | |||
protocol. | protocol. | |||
This specification defines a number of HTTP end points for | This specification defines a number of HTTP end points for | |||
certificate enrollment and management. The details of the | certificate enrollment and management. The details of the | |||
transaction were defined in terms of MIME headers as defined in | transaction were defined in terms of MIME headers as defined in | |||
[RFC2045], rather than in terms of the HTTP protocol as defined in | [RFC2045], rather than in terms of the HTTP protocol as defined in | |||
skipping to change at page 6, line 8 ¶ | skipping to change at page 6, line 8 ¶ | |||
2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03 03 ~~~ | 2b 06 01 01 01 01 16 06 08 2a 86 48 ce 3d 04 03 03 ~~~ | |||
and then base64 encodes the resulting ASN.1 SEQUENCE to produce: | and then base64 encodes the resulting ASN.1 SEQUENCE to produce: | |||
MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ | MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ | |||
BgcrBgEBAQEWBggqhkjOPQQDAw== | BgcrBgEBAQEWBggqhkjOPQQDAw== | |||
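Both columns above end section 5 with the base64 CSR Attributes value. The following Python is an added example, not code from the draft or from any EST implementation: it decodes that exact value with a minimal DER walker (`tlv`, `decode_oid`, `csr_attrs_der` and `parse_csr_attrs` are my names) and checks it against the CsrAttrs shape defined in RFC 7030 section 4.5.2, rejecting an element that is neither an OID nor an Attribute, or whose encoded length overruns the buffer.

```python
import base64
# Base64 CSR Attributes value copied from the draft text above (DER of one CsrAttrs SEQUENCE).
CSR_ATTRS_B64 = ("MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ"
                 "BgcrBgEBAQEWBggqhkjOPQQDAw==")

def tlv(buf, pos):  # read one DER TLV at pos (short or long definite length) -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end

def decode_oid(content):  # dotted form of OBJECT IDENTIFIER content octets (base-128 arcs)
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = 2 if arcs[0] >= 80 else arcs[0] // 40  # the first two arcs are packed as 40*x + y
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
def csr_attrs_der(b64):  # DER bytes; .hex(" ") gives the spaced dump form used in the draft
    return base64.b64decode(b64, validate=True)
def parse_csr_attrs(b64):
    """Walk CsrAttrs ::= SEQUENCE OF AttrOrOID (RFC 7030 4.5.2): each item is a bare OID or an
    Attribute ::= SEQUENCE { type OID, values SET }; any other shape is rejected as malformed."""
    der = csr_attrs_der(b64)
    tag, body, end = tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CsrAttrs must be exactly one SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        if tag == 0x06:
            items.append(("oid", decode_oid(val)))
        elif tag == 0x30:
            t, oid, p = tlv(val, 0)
            s, setval, p = tlv(val, p)
            if t != 0x06 or s != 0x31 or p != len(val):
                raise ValueError("Attribute is not SEQUENCE { OID, SET }")
            vals, q = [], 0
            while q < len(setval):
                vt, vv, q = tlv(setval, q)
                vals.append(decode_oid(vv) if vt == 0x06 else vv.hex())  # SET members are OIDs here
            items.append(("attr", decode_oid(oid), vals))
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside CsrAttrs")
    return items
```

On the page's value this yields the challengePassword OID, an ecPublicKey attribute naming secp384r1, an extensionRequest attribute naming the macAddress OID, and ecdsa-with-SHA384; those names are the usual registrations for the decoded OIDs, not something the page itself states.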
6. Clarification of error messages for certificate enrollment | 6. Clarification of error messages for certificate enrollment | |||
operations | operations | |||
errata 5108. | [errata5108] clarifies what format the error messages are to be in. | |||
Previously a client might be confused into believing that an error | ||||
returned with type text/plain was not intended to be an error. | ||||
6.1. Updating section 4.2.3: Simple Enroll and Re-enroll Response | ||||
Replace: | ||||
If the content-type is not set, the response data MUST be a | ||||
plaintext human-readable error message containing explanatory | ||||
information describing why the request was rejected (for | ||||
example, indicating that CSR attributes are incomplete). | ||||
with: | ||||
If the content-type is not set, the response data must be a | ||||
plaintext human-readable error message containing explanatory | ||||
information describing why the request was rejected (for | ||||
example, indicating that CSR attributes are incomplete). | ||||
Servers MAY use the "text/plain" content-type [RFC2046] | ||||
for human-readable errors. | ||||
6.2. Updating section 4.4.2: Server-Side Key Generation Response | ||||
Replace: | ||||
If the content-type is not set, the response data MUST be a | ||||
plaintext human-readable error message. | ||||
with: | ||||
If the content-type is not set, the response data must be a | ||||
plaintext human-readable error message. | ||||
Servers MAY use the "text/plain" content-type [RFC2046] | ||||
for human-readable errors. | ||||
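Review bot: the replacement text in both 6.1 and 6.2 lowercases the original "MUST" to "must" while leaving the sentence worded as a requirement ("the response data must be a plaintext human-readable error message"); if the requirement is meant to stay normative, keep "MUST", and if it is meant to become descriptive, say so explicitly, otherwise readers will take the case change for an editorial slip. The motivating paragraph says a client might take a text/plain body for a non-error, yet neither replacement says how the client is expected to recognise the error (for instance from the HTTP status code rather than from the content-type); one sentence on that would close the ambiguity this section sets out to resolve.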
7. Privacy Considerations | 7. Privacy Considerations | |||
This document does not disclose any additional identifies to either | This document does not disclose any additional identifies to either | |||
active or passive observer would see with [RFC7030]. | active or passive observer would see with [RFC7030]. | |||
8. Security Considerations | 8. Security Considerations | |||
This document clarifies an existing security mechanism. An option is | This document clarifies an existing security mechanism. # IANA | |||
introduced to the security mechanism using an implicit negotiation. | Considerations | |||
9. IANA Considerations | ||||
The ASN.1 module in Appendix A of this doucment makes use of object | The ASN.1 module in Appendix A of this doucment makes use of object | |||
identifiers (OIDs). This document requests that IANA register an OID | identifiers (OIDs). This document requests that IANA register an OID | |||
in the SMI Security for PKIX Arc in the Module identifiers subarc | in the SMI Security for PKIX Arc in the Module identifiers subarc | |||
(1.3.6.1.5.5.7.0) for the ASN.1 module. The OID for the Asymmetric | (1.3.6.1.5.5.7.0) for the ASN.1 module. The OID for the Asymmetric | |||
Decryption Key Identifier (1.2.840.113549.1.9.16.2.54) was previously | Decryption Key Identifier (1.2.840.113549.1.9.16.2.54) was previously | |||
defined in [RFC7030]. IANA is requested to update the "Reference" | defined in [RFC7030]. | |||
column for the Asymmetric Decryption Key Identifier attribute to also | ||||
include a reference to this doducment. | ||||
10. Acknowledgements | IANA is requested to update the "Reference" column for the Asymmetric | |||
Decryption Key Identifier attribute to also include a reference to | ||||
this doducment. | ||||
9. Acknowledgements | ||||
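Review bot: in the -01 column the "IANA Considerations" heading has collapsed into the end of the Security Considerations paragraph ("...existing security mechanism. # IANA / Considerations"), which looks like a lost line break before a markdown heading in the source; as a result the IANA request text now sits under section 8, the -01 table of contents lists no IANA Considerations section at all, and Acknowledgements is renumbered to 9. Restore the heading and its TOC entry. Both columns also still carry "doucment" and "doducment" for "document" in the IANA text.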
This work was supported by the Huawei Technologies. | This work was supported by the Huawei Technologies. | |||
The ASN.1 Module was assembled by Russ Housley and formatted by Sean | The ASN.1 Module was assembled by Russ Housley and formatted by Sean | |||
Turner. | Turner. | |||
11. References | 10. References | |||
11.1. Normative References | 10.1. Normative References | |||
[I-D.ietf-anima-bootstrapping-keyinfra] | [I-D.ietf-anima-bootstrapping-keyinfra] | |||
Pritikin, M., Richardson, M., Eckert, T., Behringer, M., | Pritikin, M., Richardson, M., Eckert, T., Behringer, M., | |||
and K. Watsen, "Bootstrapping Remote Secure Key | and K. Watsen, "Bootstrapping Remote Secure Key | |||
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- | Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- | |||
keyinfra-32 (work in progress), December 2019. | keyinfra-37 (work in progress), February 2020. | |||
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
Extensions (MIME) Part One: Format of Internet Message | Extensions (MIME) Part One: Format of Internet Message | |||
Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, | Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, | |||
<https://www.rfc-editor.org/info/rfc2045>. | <https://www.rfc-editor.org/info/rfc2045>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
skipping to change at page 7, line 44 ¶ | skipping to change at page 8, line 34 ¶ | |||
[X683] ITU-T, "Information technology - Abstract Syntax Notation | [X683] ITU-T, "Information technology - Abstract Syntax Notation | |||
One: Parameterization of ASN.1 Specifications.", ISO/ | One: Parameterization of ASN.1 Specifications.", ISO/ | |||
IEC 8824-2:2002, 2002. | IEC 8824-2:2002, 2002. | |||
[X690] ITU-T, "Information technology - ASN.1 encoding Rules: | [X690] ITU-T, "Information technology - ASN.1 encoding Rules: | |||
Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
(DER).", ISO/IEC 8825-1:2002, 2002. | (DER).", ISO/IEC 8825-1:2002, 2002. | |||
11.2. Informative References | 10.2. Informative References | |||
[errata4384] | [errata4384] | |||
"EST errata 4384: ASN.1 encoding error", n.d., | "EST errata 4384: ASN.1 encoding error", n.d., | |||
<https://www.rfc-editor.org/errata/eid4384>. | <https://www.rfc-editor.org/errata/eid4384>. | |||
[errata5107] | [errata5107] | |||
"EST errata 5107: use Content-Transfer-Encoding", n.d., | "EST errata 5107: use Content-Transfer-Encoding", n.d., | |||
<https://www.rfc-editor.org/errata/eid5107>. | <https://www.rfc-editor.org/errata/eid5107>. | |||
[errata5108] | [errata5108] | |||
End of changes. 14 change blocks. | ||||
25 lines changed or deleted | 62 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |