Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS
RFC 8756

Document Type RFC - Informational (March 2020; No errata)
Last updated 2020-03-27
Stream ISE
Formats plain text html xml pdf htmlized bibtex
IETF conflict review conflict-review-jenkins-cnsa-cmc-profile
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
Shepherd write-up Show (last changed 2019-04-23)
IESG IESG state RFC 8756 (Informational)
Telechat date
Responsible AD (None)
Send notices to Adrian Farrel <rfc-ise@rfc-editor.org>
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IANA Actions


Independent Submission                                        M. Jenkins
Request for Comments: 8756                                    L. Zieglar
Category: Informational                                              NSA
ISSN: 2070-1721                                               March 2020

     Commercial National Security Algorithm (CNSA) Suite Profile of
                    Certificate Management over CMS

Abstract

   This document specifies a profile of the Certificate Management over
   CMS (CMC) protocol for managing X.509 public key certificates in
   applications that use the Commercial National Security Algorithm
   (CNSA) Suite published by the United States Government.

   The profile applies to the capabilities, configuration, and operation
   of all components of US National Security Systems that manage X.509
   public key certificates over CMS.  It is also appropriate for all
   other US Government systems that process high-value information.

   The profile is made publicly available here for use by developers and
   operators of these and any other system deployments.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8756.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  The Commercial National Security Algorithm Suite
   3.  Requirements and Assumptions
   4.  Client Requirements: Generating PKI Requests
     4.1.  Tagged Certification Request
     4.2.  Certificate Request Message
   5.  RA Requirements
     5.1.  RA Processing of Requests
     5.2.  RA-Generated PKI Requests
     5.3.  RA-Generated PKI Responses
   6.  CA Requirements
     6.1.  CA Processing of PKI Requests
     6.2.  CA-Generated PKI Responses
   7.  Client Requirements: Processing PKI Responses
   8.  Shared-Secrets
   9.  Security Considerations
   10. IANA Considerations
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Scenarios
     A.1.  Initial Enrollment
     A.2.  Rekey
   Authors' Addresses

1.  Introduction

   This document specifies a profile of the Certificate Management over
   CMS (CMC) protocol to comply with the United States National Security
   Agency's Commercial National Security Algorithm (CNSA) Suite [CNSA].
   The profile applies to the capabilities, configuration, and operation
   of all components of US National Security Systems [SP80059].  It is
   also appropriate for all other US Government systems that process
   high-value information.  It is made publicly available for use by
   developers and operators of these and any other system deployments.

   This document does not define any new cryptographic algorithm suites;
   instead, it defines a CNSA-compliant profile of CMC.  CMC is defined
   in [RFC5272], [RFC5273], and [RFC5274] and is updated by [RFC6402].
   This document profiles CMC to manage X.509 public key certificates in
   compliance with the CNSA Suite Certificate and Certificate Revocation
   List (CRL) profile [RFC8603].  This document specifically focuses on
   defining CMC interactions for both the initial enrollment and rekey
   of CNSA Suite public key certificates between a client and a
   Certification Authority (CA).  One or more Registration Authorities
   (RAs) may act as intermediaries between the client and the CA.  This
   profile may be further tailored by specific communities to meet their
   needs.  Specific communities will also define certificate policies
   that implementations need to comply with.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The terminology in [RFC5272], Section 2.1 applies to this profile.

   The term "certificate request" is used to refer to a single PKCS #10
Show full document text