Suite B Profile of Certificate Management over CMS
RFC 6403
Document | Type |
RFC - Historic
(November 2011; No errata)
Status changed by status-change-suiteb-to-historic
Was draft-turner-suiteb-cmc (individual in sec area)
|
|
---|---|---|---|
Authors | Michael Peck , Lydia Zieglar , Sean Turner | ||
Last updated | 2018-08-01 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 6403 (Historic) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Tim Polk | ||
IESG note | Sean Turner (turners@ieca.com) is the document shepherd. | ||
Send notices to | mpeck@alumni.virginia.edu |
Internet Engineering Task Force (IETF) L. Zieglar Request for Comments: 6403 NSA Category: Informational S. Turner ISSN: 2070-1721 IECA M. Peck November 2011 Suite B Profile of Certificate Management over CMS Abstract The United States government has published guidelines for "NSA Suite B Cryptography", which defines cryptographic algorithm policy for national security applications. This document specifies a profile of the Certificate Management over CMS (CMC) protocol for managing Suite B X.509 public key certificates. This profile is a refinement of RFCs 5272, 5273, and 5274. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6403. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Zieglar, et al. Informational [Page 1] RFC 6403 Suite B CMC Profile November 2011 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction This document specifies a profile for using the Certificate Management over CMS (CMC) protocol, defined in [RFC5272], [RFC5273], and [RFC5274], and updated by [RFC6402], to manage X.509 public key certificates compliant with the United States National Security Agency's Suite B Cryptography as defined in the Suite B Certificate and Certificate Revocation List (CRL) Profile [RFC5759]. This document specifically focuses on defining CMC interactions for both initial enrollment and rekey of Suite B public key certificates between a client and a Certification Authority (CA). One or more Registration Authorities (RAs) may act as intermediaries between the client and the CA. This profile may be further tailored by specific communities to meet their needs. Specific communities will also define Certificate Policies that implementations need to comply with. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. The terminology in [RFC5272] Section 2.1 applies to this profile. 3. Requirements and Assumptions All key pairs are on either the curve P-256 or the curve P-384. FIPS 186-3 [DSS], Appendix B.4, provides useful guidance for elliptic curve key pair generation that SHOULD be followed by systems that conform to this document. This document assumes that the required trust anchors have been securely provisioned to the client and, when applicable, to any RAs. All requirements in [RFC5272], [RFC5273], [RFC5274], and [RFC6402] apply, except where overridden by this profile. This profile was developed with the scenarios described in Appendix A in mind. However, use of this profile is not limited to just those scenarios. The term "client" in this profile typically refers to an end-entity. However, it may instead refer to a third party acting on the end- entity's behalf. The client may or may not be the entity that Zieglar, et al. Informational [Page 2] RFC 6403 Suite B CMC Profile November 2011 actually generates the key pair, but it does perform the CMC protocol interactions with the RA and/or CA. For example, the client may be a token management system that communicates with a cryptographic token through an out-of-band secure protocol. This profile uses the term "rekey" in the same manner as does CMCShow full document text