datatracker.ietf.org
Sign in
Version 5.6.4.p1, 2014-10-20
Report a bug

Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
RFC 4210

Document type: RFC - Proposed Standard (September 2005; Errata)
Updated by RFC 6712
Obsoletes RFC 2510
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4210 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: <kent@bbn.com>, <wpolk@nist.gov>

Network Working Group                                           C. Adams
Request for Comments: 4210                          University of Ottawa
Obsoletes: 2510                                               S. Farrell
Category: Standards Track                         Trinity College Dublin
                                                                T. Kause
                                                                     SSH
                                                              T. Mononen
                                                                 SafeNet
                                                          September 2005

               Internet X.509 Public Key Infrastructure
                 Certificate Management Protocol (CMP)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes the Internet X.509 Public Key Infrastructure
   (PKI) Certificate Management Protocol (CMP).  Protocol messages are
   defined for X.509v3 certificate creation and management.  CMP
   provides on-line interactions between PKI components, including an
   exchange between a Certification Authority (CA) and a client system.

Table of Contents

   1. Introduction ....................................................5
   2. Requirements ....................................................5
   3. PKI Management Overview .........................................5
      3.1. PKI Management Model .......................................6
           3.1.1. Definitions of PKI Entities .........................6
                  3.1.1.1. Subjects and End Entities ..................6
                  3.1.1.2. Certification Authority ....................7
                  3.1.1.3. Registration Authority .....................7
           3.1.2. PKI Management Requirements .........................8
           3.1.3. PKI Management Operations ..........................10
   4. Assumptions and Restrictions ...................................14
      4.1. End Entity Initialization .................................14

Adams, et al.               Standards Track                     [Page 1]
RFC 4210                          CMP                     September 2005

      4.2. Initial Registration/Certification ........................14
           4.2.1. Criteria Used ......................................15
                  4.2.1.1. Initiation of Registration/Certification ..15
                  4.2.1.2. End Entity Message Origin Authentication ..15
                  4.2.1.3. Location of Key Generation ................15
                  4.2.1.4. Confirmation of Successful Certification ..16
           4.2.2. Mandatory Schemes ..................................16
                  4.2.2.1. Centralized Scheme ........................16
                  4.2.2.2. Basic Authenticated Scheme ................17
      4.3. Proof-of-Possession (POP) of Private Key ..................17
           4.3.1. Signature Keys .....................................18
           4.3.2. Encryption Keys ....................................18
           4.3.3. Key Agreement Keys .................................19
      4.4. Root CA Key Update ........................................19
           4.4.1. CA Operator Actions ................................20
           4.4.2. Verifying Certificates .............................21
                  4.4.2.1. Verification in Cases 1, 4, 5, and 8 ......22
                  4.4.2.2. Verification in Case 2 ....................22
                  4.4.2.3. Verification in Case 3 ....................23
                  4.4.2.4. Failure of Verification in Case 6 .........23
                  4.4.2.5. Failure of Verification in Case 7 .........23
           4.4.3. Revocation - Change of CA Key ......................23
   5. Data Structures ................................................24
      5.1. Overall PKI Message .......................................24
           5.1.1. PKI Message Header .................................24
                  5.1.1.1. ImplicitConfirm ...........................27
                  5.1.1.2. ConfirmWaitTime ...........................27
           5.1.2. PKI Message Body ...................................27
           5.1.3. PKI Message Protection .............................28
                  5.1.3.1. Shared Secret Information .................29
                  5.1.3.2. DH Key Pairs ..............................30

[include full document text]