--- draft-ietf-lamps-rfc7030est-clarify-04.txt
+++ draft-ietf-lamps-rfc7030est-clarify-05.txt

LAMPS Working Group                                        M. Richardson
Internet-Draft                                   Sandelman Software Works
Updates: RFC7030 (if approved)                                 T. Werner
Intended status: Standards Track                                 Siemens
-Expires: October 29, 2020                                         W. Pan
+Expires: November 7, 2020                                         W. Pan
                                                      Huawei Technologies
-                                                          April 27, 2020
+                                                            May 06, 2020

   Clarification of Enrollment over Secure Transport (EST): transfer
                         encodings and ASN.1
-               draft-ietf-lamps-rfc7030est-clarify-04
+               draft-ietf-lamps-rfc7030est-clarify-05

Abstract

   This document updates RFC7030: Enrollment over Secure Transport (EST)
   to resolve some errata that was reported, and which has proven to
   cause interoperability issues when RFC7030 was extended.

   This document deprecates the specification of "Content-Transfer-
   Encoding" headers for EST endpoints.  This document fixes some
   syntactical errors in ASN.1 that was presented.
skipping to change at page 1, line 40

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on October 29, 2020.
+  This Internet-Draft will expire on November 7, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 16

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Changes to EST endpoint processing  . . . . . . . . . . . . .   3
-    3.1.  Whitespace processing . . . . . . . . . . . . . . . . . .   3
+    3.1.  Whitespace processing . . . . . . . . . . . . . . . . . .   4
   4.  Clarification of ASN.1 for Certificate Attribute set. . . . .   4
     4.1.  CSR Attributes Response . . . . . . . . . . . . . . . . .   4
   5.  Clarification of error messages for certificate enrollment
       operations  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Updating section 4.2.3: Simple Enroll and Re-enroll
           Response  . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.2.  Updating section 4.4.2: Server-Side Key Generation
           Response  . . . . . . . . . . . . . . . . . . . . . . . .   6
-  6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   6
+  6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   7
     10.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .  10
+  Appendix B.  FAKE REFERENCES  . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12
1.  Introduction

   [RFC7030] defines the Enrollment over Secure Transport, or EST
   protocol.

   This specification defines a number of HTTP end points for
   certificate enrollment and management.  The details of the
   transaction were defined in terms of MIME headers as defined in
skipping to change at page 8, line 5 (-04) / line 9 (-05)

              <https://www.rfc-editor.org/errata/eid5107>.

   [errata5108]
              "EST errata 5108: use of Content-Type for error message",
              n.d., <https://www.rfc-editor.org/errata/eid5108>.

   [errata5904]
              "EST errata 5904: use Content-Transfer-Encoding", n.d.,
              <https://www.rfc-editor.org/errata/eid5904>.

-  [I-D.ietf-anima-bootstrapping-keyinfra]
-             Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
-             and K. Watsen, "Bootstrapping Remote Secure Key
-             Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
-             keyinfra-41 (work in progress), April 2020.

   [IEC62351] International Electrotechnical Commission, "Power systems
              management and associated information exchange - Data and
              communications security - Part 9: Cyber security key
              management for power system equipment", ISO/
              IEC 62351-9:2017, 2017.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
skipping to change at page 8, line 37 (-04) / line 35 (-05)

   [RFC2986]  Nystrom, M. and B. Kaliski, "PKCS #10: Certification
              Request Syntax Specification Version 1.7", RFC 2986,
              DOI 10.17487/RFC2986, November 2000,
              <https://www.rfc-editor.org/info/rfc2986>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

+  [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
+             Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
+             DOI 10.17487/RFC5912, June 2010,
+             <https://www.rfc-editor.org/info/rfc5912>.
+
+  [RFC6268]  Schaad, J. and S. Turner, "Additional New ASN.1 Modules
+             for the Cryptographic Message Syntax (CMS) and the Public
+             Key Infrastructure Using X.509 (PKIX)", RFC 6268,
+             DOI 10.17487/RFC6268, July 2011,
+             <https://www.rfc-editor.org/info/rfc6268>.

   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013,
              <https://www.rfc-editor.org/info/rfc7030>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8179]  Bradner, S. and J. Contreras, "Intellectual Property
skipping to change at page 9, line 24 (-04) / line 36 (-05)

              One: Parameterization of ASN.1 Specifications.", ISO/
              IEC 8824-2:2002, 2002.

   [X690]     ITU-T, "Information technology - ASN.1 encoding Rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER).", ISO/IEC 8825-1:2002, 2002.

10.2.  Informative References

+  [I-D.ietf-anima-bootstrapping-keyinfra]
+             Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
+             and K. Watsen, "Bootstrapping Remote Secure Key
+             Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
+             keyinfra-41 (work in progress), April 2020.

   [RFC2307]  Howard, L., "An Approach for Using LDAP as a Network
              Information Service", RFC 2307, DOI 10.17487/RFC2307,
              March 1998, <https://www.rfc-editor.org/info/rfc2307>.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999,
              <https://www.rfc-editor.org/info/rfc2616>.
skipping to change at page 11, line 24

   IMPORTS
     Attribute
       FROM CryptographicMessageSyntax-2010 -- [RFC6268]
         { iso(1) member-body(2) us(840) rsadsi(113549)
           pkcs(1) pkcs-9(9) smime(16) modules(0)
           id-mod-cms-2009(58) }

     ATTRIBUTE
-      FROM PKIX-CommonTypes-2009
+      FROM PKIX-CommonTypes-2009 -- [RFC5912]
         { iso(1) identified-organization(3) dod(6) internet(1) security(5)
           mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) } ;

   -- CSR Attributes

   CsrAttrs ::= SEQUENCE SIZE (0..MAX) OF AttrOrOID

   AttrOrOID ::= CHOICE {
     oid        OBJECT IDENTIFIER,
     attribute  Attribute {{AttrSet}} }

skipping to change at page 12, line 5

     { TYPE AsymmetricDecryptKeyIdentifier
       IDENTIFIED BY id-aa-asymmDecryptKeyID }

   id-aa-asymmDecryptKeyID OBJECT IDENTIFIER ::= { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) aa(2) 54 }

   AsymmetricDecryptKeyIdentifier ::= OCTET STRING

   END
+Appendix B.  FAKE REFERENCES
+
+   RFC-EDITOR: please remove this section.  It exists just to reference
+   [RFC6268] and [RFC5912].

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca

   Thomas Werner
   Siemens
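Review bot: the added Appendix B is a placeholder whose only purpose is to make [RFC6268] and [RFC5912] count as cited, because the only other mentions are ASN.1 comments inside the Appendix A module (`-- [RFC6268]`, `-- [RFC5912]`) and an ASN.1 comment is not a citation. Citing both RFCs in the prose that introduces the module, either in Section 4 (Clarification of ASN.1 for Certificate Attribute set) or at the top of Appendix A, would keep the two new normative references without a section the RFC Editor has to strip and a TOC entry that has to be removed with it.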
End of changes.  12 change blocks.  13 lines changed or deleted, 30 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/