< draft-ietf-pkix-rfc2511bis-03.txt		draft-ietf-pkix-rfc2511bis-04.txt >
	Internet Draft M. Myers (TraceRoute Security)		Internet Draft M. Myers (TraceRoute Security)
	PKIX Working Group C. Adams (Entrust)		PKIX Working Group C. Adams (Entrust)
	November 2001 D. Solo (Citicorp)		December 2001 D. Solo (Citicorp)
	expires in six months D. Kemp (DoD)		expires in six months D. Kemp (DoD)
	Internet X.509 Public Key Infrastructure		Internet X.509 Public Key Infrastructure
	Certificate Request Message Format (CRMF)		Certificate Request Message Format (CRMF)
	<draft-ietf-pkix-rfc2511bis-03.txt>		<draft-ietf-pkix-rfc2511bis-04.txt>
	Status of this Memo		Status of this Memo
	This document is an Internet-Draft and is in full conformance with		This document is an Internet-Draft and is in full conformance with
	all provisions of Section 10 of RFC 2026.		all provisions of Section 10 of RFC 2026.
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF), its areas, and its working groups. Note that other		Task Force (IETF), its areas, and its working groups. Note that other
	groups may also distribute working documents as Internet-Drafts.		groups may also distribute working documents as Internet-Drafts.
	skipping to change at page 8, line 43 ¶		skipping to change at page 8, line 43 ¶
	An authenticator control contains information used in an ongoing		An authenticator control contains information used in an ongoing
	basis to establish a non-cryptographic check of identity in		basis to establish a non-cryptographic check of identity in
	communication with the CA. Examples include: mother's maiden name,		communication with the CA. Examples include: mother's maiden name,
	last four digits of social security number, or other knowledge-based		last four digits of social security number, or other knowledge-based
	information shared with the subscriber's CA; a hash of such		information shared with the subscriber's CA; a hash of such
	information; or other information produced for this purpose. The		information; or other information produced for this purpose. The
	value for an authenticator control may be generated by the subscriber		value for an authenticator control may be generated by the subscriber
	or by the CA.		or by the CA.
	In some instances of use the value for regToken could be a text		In some instances of use the value for authenticator could be a text
	string or a numeric quantity such as a random number. The value in		string or a numeric quantity such as a random number. The value in
	the latter case could be encoded either as a binary quantity or as a		the latter case could be encoded either as a binary quantity or as a
	text string representation of the binary quantity. To ensure a		text string representation of the binary quantity. To ensure a
	uniform encoding of values regardless of the nature of the quantity,		uniform encoding of values regardless of the nature of the quantity,
	the encoding of authenticator SHALL be UTF8.		the encoding of authenticator SHALL be UTF8.
	6.3 Publication Information Control		6.3 Publication Information Control
	The pkiPublicationInfo control enables subscribers to control the		The pkiPublicationInfo control enables subscribers to control the
	CA's publication of the certificate. It is defined by the following		CA's publication of the certificate. It is defined by the following
	skipping to change at page 10, line 39 ¶		skipping to change at page 10, line 39 ¶
	-- algorithm used to encrypt the symmetric key		-- algorithm used to encrypt the symmetric key
	valueHint [4] OCTET STRING OPTIONAL,		valueHint [4] OCTET STRING OPTIONAL,
	-- a brief description or identifier of the encValue content		-- a brief description or identifier of the encValue content
	-- (may be meaningful only to the sending entity, and used only		-- (may be meaningful only to the sending entity, and used only
	-- if EncryptedValue might be re-examined by the sending entity		-- if EncryptedValue might be re-examined by the sending entity
	-- in the future)		-- in the future)
	encValue BIT STRING }		encValue BIT STRING }
	-- When EncryptedValue is used to carry a private key (as opposed to		-- When EncryptedValue is used to carry a private key (as opposed to
	-- a certificate), implementations MUST support the encValue field		-- a certificate), implementations MUST support the encValue field
	-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],		-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
			-- section 12.11. If encValue contains some other format/encoding
			-- for the private key, the first octet of valueHint MAY be used
			-- to indicate the format/encoding (but note that the possible values
			-- of this octet are not specified at this time). In all cases, the
			-- intendedAlg field MUST be used to indicate at least the OID of
			-- the intended algorithm of the private key, unless this information
			-- is known a priori to both sender and receiver by some other means.
	KeyGenParameters ::= OCTET STRING		KeyGenParameters ::= OCTET STRING
	An alternative to sending the key is to send the information about		An alternative to sending the key is to send the information about
	how to re-generate the key using the KeyGenParameters choice (e.g.,		how to re-generate the key using the KeyGenParameters choice (e.g.,
	for many RSA implementations one could send the first random numbers		for many RSA implementations one could send the first random numbers
	tested for primality). The actual syntax for this parameter may be		tested for primality). The actual syntax for this parameter may be
	defined in a subsequent version of this document or in another		defined in a subsequent version of this document or in another
	standard.		standard.
	skipping to change at page 12, line 21 ¶		skipping to change at page 12, line 21 ¶
	strongly recommended if it contains subscriber-sensitive information		strongly recommended if it contains subscriber-sensitive information
	and if the CA has an encryption certificate that is known to the end		and if the CA has an encryption certificate that is known to the end
	entity.		entity.
	9. References		9. References
	[HMAC] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-		[HMAC] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
	Hashing for Message Authentication", RFC 2104, February 1997.		Hashing for Message Authentication", RFC 2104, February 1997.
	[PKCS11] RSA Laboratories, The Public-Key Cryptography Standards -		[PKCS11] RSA Laboratories, The Public-Key Cryptography Standards -
	"PKCS #11 v2.10: Cryptographic Token Interface Standard", RSA		"PKCS #11 v2.11: Cryptographic Token Interface Standard", RSA
	Security Inc., December 1999.		Security Inc., June 2001.
	10. Acknowledgments		10. Acknowledgments
	The authors gratefully acknowledge the contributions of Barbara Fox,		The authors gratefully acknowledge the contributions of Barbara Fox,
	Warwick Ford, Russ Housley and John Pawling, whose review and		Warwick Ford, Russ Housley and John Pawling, whose review and
	comments significantly clarified and improved the utility of this		comments significantly clarified and improved the utility of this
	specification. The members of the ca-talk mailing list also		specification. The members of the ca-talk mailing list also
	provided significant input with respect to interoperability testing.		provided significant input with respect to interoperability testing.
	11. Authors' Addresses		11. Authors' Addresses
	skipping to change at page 23, line 31 ¶		skipping to change at page 23, line 31 ¶
	valueHint [4] OCTET STRING OPTIONAL,		valueHint [4] OCTET STRING OPTIONAL,
	-- a brief description or identifier of the encValue content		-- a brief description or identifier of the encValue content
	-- (may be meaningful only to the sending entity, and used only		-- (may be meaningful only to the sending entity, and used only
	-- if EncryptedValue might be re-examined by the sending entity		-- if EncryptedValue might be re-examined by the sending entity
	-- in the future)		-- in the future)
	encValue BIT STRING }		encValue BIT STRING }
	-- the encrypted value itself		-- the encrypted value itself
	-- When EncryptedValue is used to carry a private key (as opposed to		-- When EncryptedValue is used to carry a private key (as opposed to
	-- a certificate), implementations MUST support the encValue field		-- a certificate), implementations MUST support the encValue field
	-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],		-- containing an encrypted PrivateKeyInfo as defined in [PKCS11],
			-- section 12.11. If encValue contains some other format/encoding
			-- for the private key, the first octet of valueHint MAY be used
			-- to indicate the format/encoding (but note that the possible values
			-- of this octet are not specified at this time). In all cases, the
			-- intendedAlg field MUST be used to indicate at least the OID of
			-- the intended algorithm of the private key, unless this information
			-- is known a priori to both sender and receiver by some other means.
	KeyGenParameters ::= OCTET STRING		KeyGenParameters ::= OCTET STRING
	id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }		id-regCtrl-oldCertID OBJECT IDENTIFIER ::= { id-regCtrl 5 }
	--with syntax:		--with syntax:
	OldCertId ::= CertId		OldCertId ::= CertId
	CertId ::= SEQUENCE {		CertId ::= SEQUENCE {
	issuer GeneralName,		issuer GeneralName,
	serialNumber INTEGER }		serialNumber INTEGER }
	skipping to change at page 25, line 6 ¶		skipping to change at page 25, line 6 ¶
	--with syntax		--with syntax
	UTF8Pairs ::= UTF8String		UTF8Pairs ::= UTF8String
	id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }		id-regInfo-certReq OBJECT IDENTIFIER ::= { id-regInfo 2 }
	--with syntax		--with syntax
	CertReq ::= CertRequest		CertReq ::= CertRequest
	END		END
	APPENDIX D - Full Copyright Statement		APPENDIX D - Full Copyright Statement
	Copyright (C) The Internet Society 1999. All Rights Reserved.		Copyright (C) The Internet Society 2001. All Rights Reserved.
	This document and translations of it may be copied and furnished to		This document and translations of it may be copied and furnished to
	others, and derivative works that comment on or otherwise explain it		others, and derivative works that comment on or otherwise explain it
	or assist in its implementation may be prepared, copied, published		or assist in its implementation may be prepared, copied, published
	and distributed, in whole or in part, without restriction of any		and distributed, in whole or in part, without restriction of any
	kind, provided that the above copyright notice and this paragraph are		kind, provided that the above copyright notice and this paragraph are
	included on all such copies and derivative works. However, this		included on all such copies and derivative works. However, this
	document itself may not be modified in any way, such as by removing		document itself may not be modified in any way, such as by removing
	the copyright notice or references to the Internet Society or other		the copyright notice or references to the Internet Society or other
	Internet organizations, except as needed for the purpose of develop-		Internet organizations, except as needed for the purpose of develop-
	ing Internet standards in which case the procedures for copyrights		ing Internet standards in which case the procedures for copyrights
End of changes. 7 change blocks.
	6 lines changed or deleted		20 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/