Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS
RFC 8756
| Document | Type |
RFC - Informational
(March 2020; No errata)
Was draft-jenkins-cnsa-cmc-profile (individual)
|
|
|---|---|---|---|
| Authors | Michael Jenkins , Lydia Zieglar | ||
| Last updated | 2020-03-27 | ||
| Stream | ISE | ||
| Formats | plain text html xml pdf htmlized bibtex | ||
| IETF conflict review | conflict-review-jenkins-cnsa-cmc-profile | ||
| Stream | ISE state | Published RFC | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | Adrian Farrel | ||
| Shepherd write-up | Show (last changed 2019-04-23) | ||
| IESG | IESG state | RFC 8756 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | Adrian Farrel <rfc-ise@rfc-editor.org> | ||
| IANA | IANA review state | IANA OK - No Actions Needed | |
| IANA action state | No IANA Actions | ||
Independent Submission M. Jenkins
Request for Comments: 8756 L. Zieglar
Category: Informational NSA
ISSN: 2070-1721 March 2020
Commercial National Security Algorithm (CNSA) Suite Profile of
Certificate Management over CMS
Abstract
This document specifies a profile of the Certificate Management over
CMS (CMC) protocol for managing X.509 public key certificates in
applications that use the Commercial National Security Algorithm
(CNSA) Suite published by the United States Government.
The profile applies to the capabilities, configuration, and operation
of all components of US National Security Systems that manage X.509
public key certificates over CMS. It is also appropriate for all
other US Government systems that process high-value information.
The profile is made publicly available here for use by developers and
operators of these and any other system deployments.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not candidates for any level of Internet Standard;
see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8756.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
1.1. Terminology
2. The Commercial National Security Algorithm Suite
3. Requirements and Assumptions
4. Client Requirements: Generating PKI Requests
4.1. Tagged Certification Request
4.2. Certificate Request Message
5. RA Requirements
5.1. RA Processing of Requests
5.2. RA-Generated PKI Requests
5.3. RA-Generated PKI Responses
6. CA Requirements
6.1. CA Processing of PKI Requests
6.2. CA-Generated PKI Responses
7. Client Requirements: Processing PKI Responses
8. Shared-Secrets
9. Security Considerations
10. IANA Considerations
11. References
11.1. Normative References
11.2. Informative References
Appendix A. Scenarios
A.1. Initial Enrollment
A.2. Rekey
Authors' Addresses
1. Introduction
This document specifies a profile of the Certificate Management over
CMS (CMC) protocol to comply with the United States National Security
Agency's Commercial National Security Algorithm (CNSA) Suite [CNSA].
The profile applies to the capabilities, configuration, and operation
of all components of US National Security Systems [SP80059]. It is
also appropriate for all other US Government systems that process
high-value information. It is made publicly available for use by
developers and operators of these and any other system deployments.
This document does not define any new cryptographic algorithm suites;
instead, it defines a CNSA-compliant profile of CMC. CMC is defined
in [RFC5272], [RFC5273], and [RFC5274] and is updated by [RFC6402].
This document profiles CMC to manage X.509 public key certificates in
compliance with the CNSA Suite Certificate and Certificate Revocation
List (CRL) profile [RFC8603]. This document specifically focuses on
defining CMC interactions for both the initial enrollment and rekey
of CNSA Suite public key certificates between a client and a
Certification Authority (CA). One or more Registration Authorities
(RAs) may act as intermediaries between the client and the CA. This
profile may be further tailored by specific communities to meet their
needs. Specific communities will also define certificate policies
that implementations need to comply with.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The terminology in [RFC5272], Section 2.1 applies to this profile.
The term "certificate request" is used to refer to a single PKCS #10
Show full document text