Certificate Management over CMS (CMC)
RFC 5272
Document Type RFC - Proposed Standard (June 2008; Errata)
Updated by RFC 6402
Obsoletes RFC 2797
Authors Michael Myers  , Jim Schaad 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Early Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5272 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          J. Schaad
Request for Comments: 5272                       Soaring Hawk Consulting
Obsoletes: 2797                                                 M. Myers
Category: Standards Track                      TraceRoute Security, Inc.
                                                               June 2008

                 Certificate Management over CMS (CMC)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document defines the base syntax for CMC, a Certificate
   Management protocol using the Cryptographic Message Syntax (CMS).
   This protocol addresses two immediate needs within the Internet
   Public Key Infrastructure (PKI) community:

   1.  The need for an interface to public key certification products
       and services based on CMS and PKCS #10 (Public Key Cryptography
       Standard), and

   2.  The need for a PKI enrollment protocol for encryption only keys
       due to algorithm or hardware design.

   CMC also requires the use of the transport document and the
   requirements usage document along with this document for a full
   definition.

Schaad & Myers              Standards Track                     [Page 1]
RFC 5272                    CMC: Structures                    June 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Protocol Requirements  . . . . . . . . . . . . . . . . . .  4
     1.2.  Requirements Terminology . . . . . . . . . . . . . . . . .  5
     1.3.  Changes since RFC 2797 . . . . . . . . . . . . . . . . . .  5
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  7
     2.2.  Protocol Requests/Responses  . . . . . . . . . . . . . . .  9
   3.  PKI Requests . . . . . . . . . . . . . . . . . . . . . . . . . 10
     3.1.  Simple PKI Request . . . . . . . . . . . . . . . . . . . . 10
     3.2.  Full PKI Request . . . . . . . . . . . . . . . . . . . . . 12
       3.2.1.  PKIData Content Type . . . . . . . . . . . . . . . . . 13
         3.2.1.1.  Control Syntax . . . . . . . . . . . . . . . . . . 14
         3.2.1.2.  Certification Request Formats  . . . . . . . . . . 15
           3.2.1.2.1.  PKCS #10 Certification Syntax  . . . . . . . . 16
           3.2.1.2.2.  CRMF Certification Syntax  . . . . . . . . . . 17
           3.2.1.2.3.  Other Certification Request  . . . . . . . . . 18
         3.2.1.3.  Content Info Objects . . . . . . . . . . . . . . . 19
           3.2.1.3.1.  Authenticated Data . . . . . . . . . . . . . . 19
           3.2.1.3.2.  Data . . . . . . . . . . . . . . . . . . . . . 20
           3.2.1.3.3.  Enveloped Data . . . . . . . . . . . . . . . . 20
           3.2.1.3.4.  Signed Data  . . . . . . . . . . . . . . . . . 20
         3.2.1.4.  Other Message Bodies . . . . . . . . . . . . . . . 21
       3.2.2.  Body Part Identification . . . . . . . . . . . . . . . 21
       3.2.3.  CMC Unsigned Data Attribute  . . . . . . . . . . . . . 22
   4.  PKI Responses  . . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Simple PKI Response  . . . . . . . . . . . . . . . . . . . 23
     4.2.  Full PKI Response  . . . . . . . . . . . . . . . . . . . . 24
       4.2.1.  PKIResponse Content Type . . . . . . . . . . . . . . . 24
   5.  Application of Encryption to a PKI Request/Response  . . . . . 25
   6.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
     6.1.  CMC Status Info Controls . . . . . . . . . . . . . . . . . 28
       6.1.1.  Extended CMC Status Info Control . . . . . . . . . . . 28
       6.1.2.  CMC Status Info Control  . . . . . . . . . . . . . . . 30
       6.1.3.  CMCStatus Values . . . . . . . . . . . . . . . . . . . 31
       6.1.4.  CMCFailInfo  . . . . . . . . . . . . . . . . . . . . . 32
     6.2.  Identification and Identity Proof Controls . . . . . . . . 33
       6.2.1.  Identity Proof Version 2 Control . . . . . . . . . . . 33
       6.2.2.  Identity Proof Control . . . . . . . . . . . . . . . . 35
       6.2.3.  Identification Control . . . . . . . . . . . . . . . . 35
       6.2.4.  Hardware Shared-Secret Token Generation  . . . . . . . 36
     6.3.  Linking Identity and POP Information . . . . . . . . . . . 36
       6.3.1.  Cryptographic Linkage  . . . . . . . . . . . . . . . . 37
         6.3.1.1.  POP Link Witness Version 2 Controls  . . . . . . . 37
         6.3.1.2.  POP Link Witness Control . . . . . . . . . . . . . 38
         6.3.1.3.  POP Link Random Control  . . . . . . . . . . . . . 38
       6.3.2.  Shared-Secret/Subject DN Linking . . . . . . . . . . . 39
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools