
Certificate Management over CMS (CMC)
RFC 5272

Document type: RFC - Proposed Standard (June 2008; Errata)
Updated by RFC 6402
Obsoletes RFC 2797
Document stream: IETF
Last updated: 2013-03-02

Network Working Group                                          J. Schaad
Request for Comments: 5272                       Soaring Hawk Consulting
Obsoletes: 2797                                                 M. Myers
Category: Standards Track                      TraceRoute Security, Inc.
                                                               June 2008

                 Certificate Management over CMS (CMC)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document defines the base syntax for CMC, a Certificate
   Management protocol using the Cryptographic Message Syntax (CMS).
   This protocol addresses two immediate needs within the Internet
   Public Key Infrastructure (PKI) community:

   1.  The need for an interface to public key certification products
       and services based on CMS and PKCS #10 (Public Key Cryptography
       Standard), and

   2.  The need for a PKI enrollment protocol for encryption-only keys
       (keys that, due to algorithm or hardware design, cannot sign).

   CMC also requires the use of the transport document and the
   requirements usage document along with this document for a full
   definition.

Schaad & Myers              Standards Track                     [Page 1]
RFC 5272                    CMC: Structures                    June 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Protocol Requirements  . . . . . . . . . . . . . . . . . .  4
     1.2.  Requirements Terminology . . . . . . . . . . . . . . . . .  5
     1.3.  Changes since RFC 2797 . . . . . . . . . . . . . . . . . .  5
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  5
     2.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  7
     2.2.  Protocol Requests/Responses  . . . . . . . . . . . . . . .  9
   3.  PKI Requests . . . . . . . . . . . . . . . . . . . . . . . . . 10
     3.1.  Simple PKI Request . . . . . . . . . . . . . . . . . . . . 10
     3.2.  Full PKI Request . . . . . . . . . . . . . . . . . . . . . 12
       3.2.1.  PKIData Content Type . . . . . . . . . . . . . . . . . 13
         3.2.1.1.  Control Syntax . . . . . . . . . . . . . . . . . . 14
         3.2.1.2.  Certification Request Formats  . . . . . . . . . . 15
           3.2.1.2.1.  PKCS #10 Certification Syntax  . . . . . . . . 16
           3.2.1.2.2.  CRMF Certification Syntax  . . . . . . . . . . 17
           3.2.1.2.3.  Other Certification Request  . . . . . . . . . 18
         3.2.1.3.  Content Info Objects . . . . . . . . . . . . . . . 19
           3.2.1.3.1.  Authenticated Data . . . . . . . . . . . . . . 19
           3.2.1.3.2.  Data . . . . . . . . . . . . . . . . . . . . . 20
           3.2.1.3.3.  Enveloped Data . . . . . . . . . . . . . . . . 20
           3.2.1.3.4.  Signed Data  . . . . . . . . . . . . . . . . . 20
         3.2.1.4.  Other Message Bodies . . . . . . . . . . . . . . . 21
       3.2.2.  Body Part Identification . . . . . . . . . . . . . . . 21
       3.2.3.  CMC Unsigned Data Attribute  . . . . . . . . . . . . . 22
   4.  PKI Responses  . . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Simple PKI Response  . . . . . . . . . . . . . . . . . . . 23
     4.2.  Full PKI Response  . . . . . . . . . . . . . . . . . . . . 24
       4.2.1.  PKIResponse Content Type . . . . . . . . . . . . . . . 24
   5.  Application of Encryption to a PKI Request/Response  . . . . . 25
   6.  Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
     6.1.  CMC Status Info Controls . . . . . . . . . . . . . . . . . 28
       6.1.1.  Extended CMC Status Info Control . . . . . . . . . . . 28
       6.1.2.  CMC Status Info Control  . . . . . . . . . . . . . . . 30
       6.1.3.  CMCStatus Values . . . . . . . . . . . . . . . . . . . 31
       6.1.4.  CMCFailInfo  . . . . . . . . . . . . . . . . . . . . . 32
     6.2.  Identification and Identity Proof Controls . . . . . . . . 33
       6.2.1.  Identity Proof Version 2 Control . . . . . . . . . . . 33
       6.2.2.  Identity Proof Control . . . . . . . . . . . . . . . . 35
       6.2.3.  Identification Control . . . . . . . . . . . . . . . . 35
       6.2.4.  Hardware Shared-Secret Token Generation  . . . . . . . 36
     6.3.  Linking Identity and POP Information . . . . . . . . . . . 36
       6.3.1.  Cryptographic Linkage  . . . . . . . . . . . . . . . . 37
         6.3.1.1.  POP Link Witness Version 2 Controls  . . . . . . . 37
         6.3.1.2.  POP Link Witness Control . . . . . . . . . . . . . 38
