This document profiles certificate enrollment for clients using the
"simple" PKI messages defined in CMC (RFC 5272) over a secure transport.
In addition to supporting certificate enrollment and renewal functions,
EST (Enrollment over Secure Transport) also provides a means to obtain
copies of a Certificate Authority's certificates, to have a public key
pair generated on behalf of the client, and to query the EST server for
the attributes required in a certificate request. Where this reduced set
of management functionality is inadequate, EST also allows the conveyance
of full CMC (RFC 5272) messages. EST is designed to be a standards-track
profile of CMC appropriate for solutions currently leveraging the widely
implemented but never fully standardized Simple Certificate Enrollment
Protocol (SCEP). It improves on that protocol by supporting a wider range
of algorithms, by using TLS for added authentication, encryption, and
data integrity, and by aligning with the existing CMC specification.
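As an added illustration of one of the functions listed above, obtaining copies of the CA's certificates, the following Python code validates the kind of response an EST server returns for that request. This is example code written for this summary, not code from the draft or from any of the implementations it mentions. It assumes what RFC 7030 specifies for the /cacerts operation: an HTTP 200 response whose Content-Type is application/pkcs7-mime with smime-type=certs-only, a base64 transfer encoding, and a body that is a degenerate CMS SignedData (RFC 5652) carrying certificates and no signers. The sample response is constructed inline, and the two "certificates" inside it are placeholder SEQUENCEs rather than real X.509 certificates, so the code exercises the HTTP framing and the DER envelope checks only.

```python
"""Validate an EST /cacerts response: HTTP framing plus the CMS envelope.

Example code, not part of the EST draft. The response built by
build_sample_response() is constructed for this example; its certificate
entries are placeholders, not real X.509 certificates.
"""
import base64

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1


def tlv(buf, pos):
    """Read one DER TLV at buf[pos] and return (tag, value, next_pos).
    Rejects truncated data and non-minimal (non-DER) length encodings."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der(tag, payload):
    """Encode one DER TLV (used to build the sample and to re-wrap certs)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def parse_cacerts_response(status_line, headers, body):
    """Check the /cacerts HTTP framing, then walk the certs-only SignedData.
    Returns the list of DER-encoded certificate blobs it carries."""
    if not status_line.startswith("HTTP/1.1 200"):
        raise ValueError("EST server did not return 200")
    ctype = headers.get("Content-Type", "").replace(" ", "").lower()
    if not ctype.startswith("application/pkcs7-mime"):
        raise ValueError("unexpected Content-Type: " + ctype)
    if "smime-type=certs-only" not in ctype:
        raise ValueError("/cacerts must carry a certs-only CMS message")
    if headers.get("Content-Transfer-Encoding", "").lower() != "base64":
        raise ValueError("EST bodies are base64 transfer-encoded")
    raw = base64.b64decode(body, validate=False)  # tolerate line wrapping

    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    tag, ci, end = tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("body is not a single DER SEQUENCE")
    tag, oid, pos = tlv(ci, 0)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not id-signedData")
    tag, wrapped, _ = tlv(ci, pos)
    if tag != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    tag, sd, _ = tlv(wrapped, 0)
    if tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")

    # SignedData ::= SEQUENCE { version, digestAlgorithms SET,
    #   encapContentInfo, certificates [0] IMPLICIT OPTIONAL,
    #   crls [1] IMPLICIT OPTIONAL, signerInfos SET }
    tag, version, pos = tlv(sd, 0)
    if tag != 0x02:
        raise ValueError("SignedData version is not an INTEGER")
    _, _, pos = tlv(sd, pos)          # digestAlgorithms (ignored here)
    _, _, pos = tlv(sd, pos)          # encapContentInfo (ignored here)
    certs = []
    tag, value, nxt = tlv(sd, pos)
    if tag == 0xA0:                   # certificates [0] present
        p = 0
        while p < len(value):
            ctag, cert, p = tlv(value, p)
            if ctag != 0x30:
                raise ValueError("certificate entry is not a SEQUENCE")
            certs.append(der(0x30, cert))
        tag, value, nxt = tlv(sd, nxt)
    if tag == 0xA1:                   # crls [1] present: skip
        tag, value, nxt = tlv(sd, nxt)
    if tag != 0x31 or value:
        raise ValueError("certs-only SignedData must have no signerInfos")
    if not certs:
        raise ValueError("no CA certificates in response")
    return certs


def is_rejected(status_line, headers, body):
    """True when the validator refuses the response (for negative checks)."""
    try:
        parse_cacerts_response(status_line, headers, body)
    except ValueError:
        return True
    return False


def build_sample_response(cert_bodies):
    """Construct a certs-only SignedData around placeholder certificate
    bodies and frame it as an EST /cacerts HTTP response (sample data)."""
    certs = b"".join(der(0x30, c) for c in cert_bodies)
    signed_data = der(0x30,
                      der(0x02, b"\x01") +                  # version 1
                      der(0x31, b"") +                      # no digest algs
                      der(0x30, der(0x06, OID_ID_DATA)) +   # id-data, no content
                      der(0xA0, certs) +                    # certificates [0]
                      der(0x31, b""))                       # no signerInfos
    content_info = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    headers = {"Content-Type": "application/pkcs7-mime; smime-type=certs-only",
               "Content-Transfer-Encoding": "base64"}
    return "HTTP/1.1 200 OK", headers, base64.b64encode(content_info).decode()


if __name__ == "__main__":
    status, hdrs, b64 = build_sample_response([der(0x13, b"CA-root"), der(0x13, b"CA-sub")])
    print(len(parse_cacerts_response(status, hdrs, b64)), "certificate(s) accepted")
```

The header checks come first on purpose: a client that base64-decodes and parses whatever body it is handed, regardless of Content-Type, will accept an enveloped-data or plain PKCS#10 object where a certs-only message was expected. The TLV reader refuses lengths that run past the buffer and non-minimal length encodings, which is the behaviour a DER consumer needs before any certificate material is trusted.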
Working Group Summary
This draft is a product of the PKIX WG. It has gone through several
revisions within the WG, incorporating input from several major reviews
by Steve Kent and Russ Housley as well as reviews from outside sources.
The draft has not elicited much in the way of controversy, reflecting
only specialized interest in certificate enrollment protocols.
The document does require a fair bit of background in X.509, ASN.1, and
the re-used technologies in order to understand and implement the
protocol. However, implementations have been created by two of the
authors and one non-author implementor using disparate code bases.
Members of the Wi-Fi Alliance (WFA) have also implemented EST as part of
the WFA's Hotspot 2.0 efforts. Thus it is believed that EST
implementations can be created from its specification.
Stefan Santesson (stefan at aaa-sec.com) is the document shepherd.
Sean Turner (turners at ieca.com) is the responsible Area Director.