Suite B Profile of Certificate Management over CMS
RFC 6403

Document Type RFC - Historic (November 2011; No errata)
Was draft-turner-suiteb-cmc (individual in sec area)
Authors Michael Peck  , Lydia Zieglar  , Sean Turner 
Last updated 2018-08-01
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 6403 (Historic)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
IESG note Sean Turner ( is the document shepherd.
Send notices to
Internet Engineering Task Force (IETF)                        L. Zieglar
Request for Comments: 6403                                           NSA
Category: Informational                                        S. Turner
ISSN: 2070-1721                                                     IECA
                                                                 M. Peck
                                                           November 2011

           Suite B Profile of Certificate Management over CMS


   The United States government has published guidelines for "NSA
   Suite B Cryptography", which defines cryptographic algorithm policy
   for national security applications.  This document specifies a
   profile of the Certificate Management over CMS (CMC) protocol for
   managing Suite B X.509 public key certificates.  This profile is a
   refinement of RFCs 5272, 5273, and 5274.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must

Zieglar, et al.               Informational                     [Page 1]
RFC 6403                   Suite B CMC Profile             November 2011

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   This document specifies a profile for using the Certificate
   Management over CMS (CMC) protocol, defined in [RFC5272], [RFC5273],
   and [RFC5274], and updated by [RFC6402], to manage X.509 public key
   certificates compliant with the United States National Security
   Agency's Suite B Cryptography as defined in the Suite B Certificate
   and Certificate Revocation List (CRL) Profile [RFC5759].  This
   document specifically focuses on defining CMC interactions for both
   initial enrollment and rekey of Suite B public key certificates
   between a client and a Certification Authority (CA).  One or more
   Registration Authorities (RAs) may act as intermediaries between the
   client and the CA.  This profile may be further tailored by specific
   communities to meet their needs.  Specific communities will also
   define Certificate Policies that implementations need to comply with.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

   The terminology in [RFC5272] Section 2.1 applies to this profile.

3.  Requirements and Assumptions

   All key pairs are on either the curve P-256 or the curve P-384.  FIPS
   186-3 [DSS], Appendix B.4, provides useful guidance for elliptic
   curve key pair generation that SHOULD be followed by systems that
   conform to this document.

   This document assumes that the required trust anchors have been
   securely provisioned to the client and, when applicable, to any RAs.

   All requirements in [RFC5272], [RFC5273], [RFC5274], and [RFC6402]
   apply, except where overridden by this profile.

   This profile was developed with the scenarios described in Appendix A
   in mind.  However, use of this profile is not limited to just those

   The term "client" in this profile typically refers to an end-entity.
   However, it may instead refer to a third party acting on the end-
   entity's behalf.  The client may or may not be the entity that

Zieglar, et al.               Informational                     [Page 2]
RFC 6403                   Suite B CMC Profile             November 2011

   actually generates the key pair, but it does perform the CMC protocol
   interactions with the RA and/or CA.  For example, the client may be a
   token management system that communicates with a cryptographic token
   through an out-of-band secure protocol.

   This profile uses the term "rekey" in the same manner as does CMC
Show full document text