Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS
RFC 8756
Document | Type |
RFC - Informational
(March 2020; No errata)
Was draft-jenkins-cnsa-cmc-profile (individual)
|
|
---|---|---|---|
Authors | Michael Jenkins , Lydia Zieglar | ||
Last updated | 2020-03-27 | ||
Stream | ISE | ||
Formats | plain text html xml pdf htmlized bibtex | ||
IETF conflict review | conflict-review-jenkins-cnsa-cmc-profile | ||
Stream | ISE state | Published RFC | |
Consensus Boilerplate | Unknown | ||
Document shepherd | Adrian Farrel | ||
Shepherd write-up | Show (last changed 2019-04-23) | ||
IESG | IESG state | RFC 8756 (Informational) | |
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | Adrian Farrel <rfc-ise@rfc-editor.org> | ||
IANA | IANA review state | IANA OK - No Actions Needed | |
IANA action state | No IANA Actions |
Independent Submission M. Jenkins Request for Comments: 8756 L. Zieglar Category: Informational NSA ISSN: 2070-1721 March 2020 Commercial National Security Algorithm (CNSA) Suite Profile of Certificate Management over CMS Abstract This document specifies a profile of the Certificate Management over CMS (CMC) protocol for managing X.509 public key certificates in applications that use the Commercial National Security Algorithm (CNSA) Suite published by the United States Government. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems that manage X.509 public key certificates over CMS. It is also appropriate for all other US Government systems that process high-value information. The profile is made publicly available here for use by developers and operators of these and any other system deployments. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8756. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Table of Contents 1. Introduction 1.1. Terminology 2. The Commercial National Security Algorithm Suite 3. Requirements and Assumptions 4. Client Requirements: Generating PKI Requests 4.1. Tagged Certification Request 4.2. Certificate Request Message 5. RA Requirements 5.1. RA Processing of Requests 5.2. RA-Generated PKI Requests 5.3. RA-Generated PKI Responses 6. CA Requirements 6.1. CA Processing of PKI Requests 6.2. CA-Generated PKI Responses 7. Client Requirements: Processing PKI Responses 8. Shared-Secrets 9. Security Considerations 10. IANA Considerations 11. References 11.1. Normative References 11.2. Informative References Appendix A. Scenarios A.1. Initial Enrollment A.2. Rekey Authors' Addresses 1. Introduction This document specifies a profile of the Certificate Management over CMS (CMC) protocol to comply with the United States National Security Agency's Commercial National Security Algorithm (CNSA) Suite [CNSA]. The profile applies to the capabilities, configuration, and operation of all components of US National Security Systems [SP80059]. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments. This document does not define any new cryptographic algorithm suites; instead, it defines a CNSA-compliant profile of CMC. CMC is defined in [RFC5272], [RFC5273], and [RFC5274] and is updated by [RFC6402]. This document profiles CMC to manage X.509 public key certificates in compliance with the CNSA Suite Certificate and Certificate Revocation List (CRL) profile [RFC8603]. This document specifically focuses on defining CMC interactions for both the initial enrollment and rekey of CNSA Suite public key certificates between a client and a Certification Authority (CA). One or more Registration Authorities (RAs) may act as intermediaries between the client and the CA. This profile may be further tailored by specific communities to meet their needs. Specific communities will also define certificate policies that implementations need to comply with. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. The terminology in [RFC5272], Section 2.1 applies to this profile. The term "certificate request" is used to refer to a single PKCS #10Show full document text