Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile
RFC 8603
| Group | Field | Value |
|---|---|---|
| Document | Type | RFC - Informational (May 2019; No errata). Was draft-jenkins-cnsa-cert-crl-profile (individual) |
| | Authors | Michael Jenkins, Lydia Zieglar |
| | Last updated | 2019-05-15 |
| | Stream | ISE |
| | Formats | plain text, html, pdf, htmlized, bibtex |
| | IETF conflict review | conflict-review-jenkins-cnsa-cert-crl-profile |
| Stream | ISE state | Published RFC |
| | Consensus Boilerplate | Unknown |
| | Document shepherd | Adrian Farrel |
| | Shepherd write-up | last changed 2018-11-08 |
| IESG | IESG state | RFC 8603 (Informational) |
| | Telechat date | |
| | Responsible AD | (None) |
| | Send notices to | Adrian Farrel <rfc-ise@rfc-editor.org> |
| IANA | IANA review state | IANA OK - No Actions Needed |
| | IANA action state | No IANA Actions |
Independent Submission                                        M. Jenkins
Request for Comments: 8603                                    L. Zieglar
Category: Informational                                              NSA
ISSN: 2070-1721                                                 May 2019

Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile

Abstract

This document specifies a base profile for X.509 v3 Certificates and X.509 v2 Certificate Revocation Lists (CRLs) for use with the United States National Security Agency's Commercial National Security Algorithm (CNSA) Suite. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ such X.509 certificates. US National Security Systems are described in NIST Special Publication 800-59. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8603.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

1. Introduction
2. The Commercial National Security Algorithm Suite
3. Conventions
4. General Requirements and Assumptions
   4.1. Implementing the CNSA Suite
   4.2. CNSA Suite Object Identifiers
5. CNSA Suite Base Certificate Required Values
   5.1. signatureAlgorithm
   5.2. signatureValue
   5.3. Version
   5.4. SubjectPublicKeyInfo
6. Certificate Extensions for Particular Types of Certificates
   6.1. CNSA Suite Self-Signed CA Certificates
   6.2. CNSA Suite Non-Self-Signed CA Certificates
   6.3. CNSA Suite End-Entity Signature and Key Establishment Certificates
7. CNSA Suite CRL Requirements
8. Security Considerations
9. IANA Considerations
10. References
   10.1. Normative References
   10.2. Informative References
Authors' Addresses

1. Introduction

This document specifies a base profile for X.509 v3 Certificates and X.509 v2 Certificate Revocation Lists (CRLs) for use by applications that support the United States National Security Agency's Commercial National Security Algorithm (CNSA) Suite [CNSA]. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ such X.509 certificates. US National Security Systems are described in NIST Special Publication 800-59 [SP80059]. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these