Certificate Management over CMS (CMC)
RFC 5272
| Field | Value |
|---|---|
| Document | RFC 5272, Proposed Standard (June 2008; errata exist) |
| Updated by | RFC 6402 |
| Obsoletes | RFC 2797 |
| Authors | Michael Myers, Jim Schaad |
| Last updated | 2020-01-21 |
| Stream | IETF |
| IESG state | RFC 5272 (Proposed Standard) |
| Document shepherd | No shepherd assigned |
| Consensus boilerplate | Unknown |
| Responsible AD | Tim Polk |
Network Working Group                                          J. Schaad
Request for Comments: 5272                       Soaring Hawk Consulting
Obsoletes: 2797                                                 M. Myers
Category: Standards Track                      TraceRoute Security, Inc.
                                                               June 2008

                  Certificate Management over CMS (CMC)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document defines the base syntax for CMC, a Certificate
   Management protocol using the Cryptographic Message Syntax (CMS).
   This protocol addresses two immediate needs within the Internet
   Public Key Infrastructure (PKI) community:

   1.  The need for an interface to public key certification products
       and services based on CMS and PKCS #10 (Public Key Cryptography
       Standard), and

   2.  The need for a PKI enrollment protocol for encryption-only keys
       due to algorithm or hardware design.

   CMC also requires the use of the transport document and the
   requirements usage document along with this document for a full
   definition.

Schaad & Myers              Standards Track                     [Page 1]

RFC 5272                    CMC: Structures                    June 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Protocol Requirements . . . . . . . . . . . . . . . . . . .  4
     1.2.  Requirements Terminology  . . . . . . . . . . . . . . . . .  5
     1.3.  Changes since RFC 2797  . . . . . . . . . . . . . . . . . .  5
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . . .  7
     2.2.  Protocol Requests/Responses . . . . . . . . . . . . . . . .  9
   3.  PKI Requests . . . . . . . . . . . . . . . . . . . . . . . . . 10
     3.1.  Simple PKI Request  . . . . . . . . . . . . . . . . . . . . 10
     3.2.  Full PKI Request  . . . . . . . . . . . . . . . . . . . . . 12
       3.2.1.  PKIData Content Type  . . . . . . . . . . . . . . . . . 13
         3.2.1.1.  Control Syntax  . . . . . . . . . . . . . . . . . . 14
         3.2.1.2.  Certification Request Formats . . . . . . . . . . . 15
           3.2.1.2.1.  PKCS #10 Certification Syntax . . . . . . . . . 16
           3.2.1.2.2.  CRMF Certification Syntax . . . . . . . . . . . 17
           3.2.1.2.3.  Other Certification Request . . . . . . . . . . 18
         3.2.1.3.  Content Info Objects  . . . . . . . . . . . . . . . 19
           3.2.1.3.1.  Authenticated Data  . . . . . . . . . . . . . . 19
           3.2.1.3.2.  Data  . . . . . . . . . . . . . . . . . . . . . 20
           3.2.1.3.3.  Enveloped Data  . . . . . . . . . . . . . . . . 20
           3.2.1.3.4.  Signed Data . . . . . . . . . . . . . . . . . . 20
         3.2.1.4.  Other Message Bodies  . . . . . . . . . . . . . . . 21
       3.2.2.  Body Part Identification  . . . . . . . . . . . . . . . 21
       3.2.3.  CMC Unsigned Data Attribute . . . . . . . . . . . . . . 22
   4.  PKI Responses  . . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Simple PKI Response . . . . . . . . . . . . . . . . . . . . 23
     4.2.  Full PKI Response . . . . . . . . . . . . . . . . . . . . . 24
       4.2.1.  PKIResponse Content Type  . . . . . . . . . . . . . . . 24
   5.  Application of Encryption to a PKI Request/Response  . . . . . 25
   6.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
     6.1.  CMC Status Info Controls  . . . . . . . . . . . . . . . . . 28
       6.1.1.  Extended CMC Status Info Control  . . . . . . . . . . . 28
       6.1.2.  CMC Status Info Control . . . . . . . . . . . . . . . . 30
       6.1.3.  CMCStatus Values  . . . . . . . . . . . . . . . . . . . 31
       6.1.4.  CMCFailInfo . . . . . . . . . . . . . . . . . . . . . . 32
     6.2.  Identification and Identity Proof Controls  . . . . . . . . 33
       6.2.1.  Identity Proof Version 2 Control  . . . . . . . . . . . 33
       6.2.2.  Identity Proof Control  . . . . . . . . . . . . . . . . 35
       6.2.3.  Identification Control  . . . . . . . . . . . . . . . . 35
       6.2.4.  Hardware Shared-Secret Token Generation . . . . . . . . 36
     6.3.  Linking Identity and POP Information  . . . . . . . . . . . 36
       6.3.1.  Cryptographic Linkage . . . . . . . . . . . . . . . . . 37
         6.3.1.1.  POP Link Witness Version 2 Controls . . . . . . . . 37
         6.3.1.2.  POP Link Witness Control  . . . . . . . . . . . . . 38
         6.3.1.3.  POP Link Random Control . . . . . . . . . . . . . . 38
       6.3.2.  Shared-Secret/Subject DN Linking  . . . . . . . . . . . 39
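The abstract says CMC is an interface built on CMS and PKCS #10, and the table of contents splits the protocol into Simple and Full PKI Requests and Responses plus several CMS wrappers (Signed, Enveloped and Authenticated Data, with encryption layered on top in Section 5). The first thing a CMC responder has to do with a received blob is decide which of those framings it is: a Simple PKI Request (3.1) is a bare PKCS #10 CertificationRequest, while everything else is a CMS ContentInfo whose contentType OID, and for SignedData its inner eContentType, says what is inside (id-cct-PKIData for a Full PKI Request, id-cct-PKIResponse for a Full PKI Response, id-data with certificates and no SignerInfos for a Simple PKI Response, 4.1). The following is an added example written for this page, not code from RFC 5272 or from any CMC product: a standard-library-only DER walker that makes exactly that decision. The function and constant names are mine, the section numbers in the comments refer to parts of the RFC body not reproduced on this page, and the sample messages are constructed skeletons (empty names, a dummy signature, an empty certificate) that exercise only the framing. It classifies; it does not verify any signature or proof of possession.

```python
OID_DATA = "1.2.840.113549.1.7.1"            # id-data
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"     # id-signedData
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"  # id-envelopedData
OID_AUTH_DATA = "1.2.840.113549.1.9.16.1.2"  # id-ct-authData (AuthenticatedData)
OID_PKIDATA = "1.3.6.1.5.5.7.12.2"           # id-cct-PKIData, body of a Full PKI Request
OID_PKIRESPONSE = "1.3.6.1.5.5.7.12.3"       # id-cct-PKIResponse, body of a Full PKI Response
INTEGER, BIT_STRING, OID, SEQUENCE, SET, CTX0 = 0x02, 0x03, 0x06, 0x30, 0x31, 0xA0  # DER tags

def tlv(tag: int, *children: bytes) -> bytes:
    """DER-encode one element; short-form lengths only, enough for the constructed samples."""
    body = b"".join(children)
    assert len(body) < 0x80, "sample encoder handles short-form lengths only"
    return bytes([tag, len(body)]) + body

def oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted form."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:            # base-128, high bit set on all but the last octet
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return tlv(OID, bytes(out))

def decode_oid(value: bytes) -> str:
    """Dotted form from the contents octets of an OID element (inverse of oid())."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def children(value: bytes) -> list[tuple[int, bytes]]:
    """Split a constructed element's contents into (tag, contents) pairs; strict DER lengths."""
    out, pos = [], 0
    while pos < len(value):
        tag, first, pos = value[pos], value[pos + 1], pos + 2
        if first & 0x80:  # long form; a bare 0x80 (BER indefinite length) yields length 0 here
            n = first & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
            if n > 4 or length < 0x80:
                raise ValueError("indefinite or non-minimal length is not DER")
        else:
            length = first
        if pos + length > len(value):
            raise ValueError("length runs past end of element")
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def classify_message(der: bytes) -> str:
    """Name the outer CMC framing of a DER message; ValueError if it is neither known form."""
    top = children(der)
    if len(top) != 1 or top[0][0] != SEQUENCE:
        raise ValueError("message is not a single DER SEQUENCE")
    parts = children(top[0][1])
    # Simple PKI Request (3.1): bare PKCS #10 { CertificationRequestInfo, sigAlg, BIT STRING }
    if ([t for t, _ in parts] == [SEQUENCE, SEQUENCE, BIT_STRING]
            and children(parts[0][1])[:1] == [(INTEGER, b"\x00")]):  # info.version == 0
        return "simple-pki-request"
    # Everything else is CMS ContentInfo { contentType OID, [0] EXPLICIT content }
    if len(parts) != 2 or parts[0][0] != OID or parts[1][0] != CTX0:
        raise ValueError("neither PKCS #10 nor CMS ContentInfo")
    content_type = decode_oid(parts[0][1])
    if content_type == OID_ENVELOPED_DATA:
        return "encrypted-cms"      # Section 5: encryption layered over a request or response
    if content_type == OID_AUTH_DATA:
        return "authenticated-cms"  # AuthenticatedData wrapper (3.2.1.3.1)
    if content_type != OID_SIGNED_DATA:
        raise ValueError(f"unexpected contentType {content_type}")
    # SignedData { version, digestAlgorithms, encapContentInfo, [0] certs?, [1] crls?, signerInfos }
    fields = children(children(parts[1][1])[0][1])
    econtent_type = decode_oid(children(fields[2][1])[0][1])
    if econtent_type == OID_PKIDATA:
        return "full-pki-request"
    if econtent_type == OID_PKIRESPONSE:
        return "full-pki-response"
    certs_only = any(t == CTX0 for t, _ in fields[3:-1]) and fields[-1] == (SET, b"")
    if econtent_type == OID_DATA and certs_only:
        return "simple-pki-response"  # 4.1: certificates present, no SignerInfos
    raise ValueError(f"SignedData with unexpected eContentType {econtent_type}")

def sample_messages() -> dict[str, bytes]:
    """Constructed skeletons (empty names, dummy signatures), one per framing; not real CSRs/certs."""
    def signed(econtent: str, signer_infos: bytes, certs: bytes = b"") -> bytes:
        sd = tlv(SEQUENCE, tlv(INTEGER, b"\x03"), tlv(SET), tlv(SEQUENCE, oid(econtent)),
                 certs, tlv(SET, signer_infos))
        return tlv(SEQUENCE, oid(OID_SIGNED_DATA), tlv(CTX0, sd))
    info = tlv(SEQUENCE, tlv(INTEGER, b"\x00"), tlv(SEQUENCE), tlv(SEQUENCE), tlv(CTX0))
    sig_alg = tlv(SEQUENCE, oid("1.2.840.113549.1.1.11"))  # sha256WithRSAEncryption
    pkcs10 = tlv(SEQUENCE, info, sig_alg, tlv(BIT_STRING, b"\x00"))
    return {
        "simple-pki-request": pkcs10,
        "full-pki-request": signed(OID_PKIDATA, tlv(SEQUENCE, tlv(INTEGER, b"\x01"))),
        "full-pki-response": signed(OID_PKIRESPONSE, tlv(SEQUENCE, tlv(INTEGER, b"\x01"))),
        "simple-pki-response": signed(OID_DATA, b"", certs=tlv(CTX0, tlv(SEQUENCE))),
        "encrypted-cms": tlv(SEQUENCE, oid(OID_ENVELOPED_DATA), tlv(CTX0, tlv(SEQUENCE))),
    }
```

Calling `classify_message` on each value of `sample_messages()` returns its key. Two design points are deliberate: the decoder rejects BER indefinite lengths and long-form lengths that could have been short, so a later stage never sees a second encoding of the same structure; and the PKCS #10 branch is purely structural, so a "simple-pki-request" result only means the responder may now hand the bytes to a real PKCS #10 parser and signature check, not that the request is valid.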