< draft-ietf-pkix-rfc5272-bis-07.txt   draft-ietf-pkix-rfc5272-bis-08.txt >
Network Working Group J. Schaad Network Working Group J. Schaad
Internet-Draft Soaring Hawk Consulting Internet-Draft Soaring Hawk Consulting
Updates: 5272, 5273, 5274 September 6, 2011 Updates: 5272, 5273, 5274 September 12, 2011
(if approved) (if approved)
Intended status: Standards Track Intended status: Standards Track
Expires: March 9, 2012 Expires: March 15, 2012
Certificate Management over CMS (CMC) Updates Certificate Management over CMS (CMC) Updates
draft-ietf-pkix-rfc5272-bis-07 draft-ietf-pkix-rfc5272-bis-08
Abstract Abstract
This document contains a set of updates to the base syntax for CMC, a This document contains a set of updates to the base syntax for CMC, a
Certificate Management protocol using the Cryptographic Message Certificate Management protocol using the Cryptographic Message
Syntax (CMS). This document updates RFC 5272, RFC 5273 and RFC 5274. Syntax (CMS). This document updates RFC 5272, RFC 5273 and RFC 5274.
The new items in this document are: New controls for future work in The new items in this document are: New controls for future work in
doing server side key generation. Definition of a Subject doing server side key generation. Definition of a Subject
Information Access value to identify CMC servers. The registration Information Access value to identify CMC servers. The registration
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 9, 2012. This Internet-Draft will expire on March 15, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 18 skipping to change at page 2, line 18
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Terminology . . . . . . . . . . . . . . . . . 3 1.1. Requirements Terminology . . . . . . . . . . . . . . . . . 3
2. Updates to RFC 5272 - Certificate Management over CMS (CMC) . 4 2. Updates to RFC 5272 - Certificate Management over CMS (CMC) . 4
2.1. New Section 1.3. Changes Since RFC 5272 . . . . . . . . . 4 2.1. New Section 1.3. Changes Since RFC 5272 . . . . . . . . . 4
2.2. Update Section 6. Controls . . . . . . . . . . . . . . . . 4 2.2. Update Section 6. Controls . . . . . . . . . . . . . . . . 4
2.3. Replace Section 6.3. Linking Identity and POP 2.3. Replace Section 6.3. Linking Identity and POP
Information . . . . . . . . . . . . . . . . . . . . . . . 4 Information . . . . . . . . . . . . . . . . . . . . . . . 5
2.4. Replace Section 6.3.3. Renewal and Rekey Messages . . . . 5 2.4. Replace Section 6.3.3. Renewal and Rekey Messages . . . . 5
2.5. New Section 6.20 RA Identity Proof Witness control . . . . 6 2.5. New Section 6.20 RA Identity Proof Witness control . . . . 6
2.6. New Section 6.21 Response Body Control . . . . . . . . . . 7 2.6. New Section 6.21 Response Body Control . . . . . . . . . . 7
2.7. New Section 7. Other Attributes . . . . . . . . . . . . . 8 2.7. New Section 7. Other Attributes . . . . . . . . . . . . . 8
2.8. New Section 7.1 Change Subject Name Attribute . . . . . . 8 2.8. New Section 7.1 Change Subject Name Attribute . . . . . . 9
2.9. New Section 9. Certificate Requirements . . . . . . . . . 10 2.9. New Section 9. Certificate Requirements . . . . . . . . . 10
2.10. New Section 9.1. Extended Key Usage . . . . . . . . . . . 10 2.10. New Section 9.1. Extended Key Usage . . . . . . . . . . . 10
2.11. New Section 9.2. Subject Information Access . . . . . . . 10 2.11. New Section 9.2. Subject Information Access . . . . . . . 11
2.12. Updates Section 8. Security Considerations . . . . . . . . 11 2.12. Updates Section 8. Security Considerations . . . . . . . . 11
3. Updates to RFC 5273 - Certificate Management over CMS 3. Updates to RFC 5273 - Certificate Management over CMS
(CMC): Transport Protocols . . . . . . . . . . . . . . . . . . 12 (CMC): Transport Protocols . . . . . . . . . . . . . . . . . . 13
3.1. Update to Section 5 TCP-Based Protocol . . . . . . . . . . 12 3.1. Update to Section 5 TCP-Based Protocol . . . . . . . . . . 13
3.2. New Section 6. IANA Considerations . . . . . . . . . . . . 12 3.2. New Section 6. IANA Considerations . . . . . . . . . . . . 13
4. Updates to RFC 5274 - Certificate Management Message over 4. Updates to RFC 5274 - Certificate Management Message over
CMS (CMC): Compliance Requirements . . . . . . . . . . . . . . 13 CMS (CMC): Compliance Requirements . . . . . . . . . . . . . . 14
4.1. Update to Section 4.2 Controls . . . . . . . . . . . . . . 13 4.1. Update to Section 4.2 Controls . . . . . . . . . . . . . . 14
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Normative References . . . . . . . . . . . . . . . . . . . 16 7.1. Normative References . . . . . . . . . . . . . . . . . . . 17
7.2. Informational References . . . . . . . . . . . . . . . . . 16 7.2. Informational References . . . . . . . . . . . . . . . . . 17
Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 17 Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . . 18
A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 17 A.1. 1988 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 18
A.2. 2008 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25 A.2. 2008 ASN.1 Module . . . . . . . . . . . . . . . . . . . . 26
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Introduction 1. Introduction
While dealing with the Suite B profile of CMC While dealing with the Suite B profile of CMC
[I-D.turner-suiteb-cmc], a number of deficiencies were noted in the [I-D.turner-suiteb-cmc], a number of deficiencies were noted in the
current base CMC specification. This document has a set of updates current base CMC specification. This document has a set of updates
to [RFC5272], [RFC5273] and [RFC5274] to deal with those issues. to [RFC5272], [RFC5273] and [RFC5274] to deal with those issues.
1.1. Requirements Terminology 1.1. Requirements Terminology
skipping to change at page 4, line 30 skipping to change at page 4, line 30
Response Body allows for an RA to identify a nested response for Response Body allows for an RA to identify a nested response for
an EE to process. an EE to process.
o Creation of a new attribute, Change Subject Name, that allows a o Creation of a new attribute, Change Subject Name, that allows a
client to request a change in the subject name and subject client to request a change in the subject name and subject
alternate name fields in a certificate. alternate name fields in a certificate.
o Add Extended Key Usages for CMC - Defined a new Subject o Add Extended Key Usages for CMC - Defined a new Subject
Information Access to hold locations to contact the CMC server. Information Access to hold locations to contact the CMC server.
o Clarify that the use of a pre-existing certificate is not limited
to just renewal and rekey messages and is required for support.
This formalizes a requirement for the ability to do renewal and
rekey which previsously was implicity.
2.2. Update Section 6. Controls 2.2. Update Section 6. Controls
Table 1 is to be updated by the addition of the following rows: Table 1 is to be updated by the addition of the following rows:
+--------------------------+-----------+--------------+---------+ +--------------------------+-----------+--------------+---------+
| Control Identifier | OID | Syntax | Section | | Control Identifier | OID | Syntax | Section |
+--------------------------+-----------+--------------+---------+ +--------------------------+-----------+--------------+---------+
| id-cmc-raIdentityWitness | id-cmc 35 | BodyPartPath | 6.20 | | id-cmc-raIdentityWitness | id-cmc 35 | BodyPartPath | 6.20 |
| | | | | | | | | |
| id-cmc-responseBody | id-cmc 37 | BodyPartPath | 6.21 | | id-cmc-responseBody | id-cmc 37 | BodyPartPath | 6.21 |
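Review bot: The bullet added at the end of this change list has two typos and an unclear clause. "rekey which previsously was implicity" should read "rekey which previously was implicit", and "is required for support" does not say who must support what. Name the party (client, server or both) that is required to support use of a pre-existing certificate, so the summary matches the normative text it points to.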
skipping to change at page 11, line 25 skipping to change at page 11, line 40
Section 3.2.) The semantics of other name forms of accessLocation Section 3.2.) The semantics of other name forms of accessLocation
(when accessMethod is id-ad-cmc) are not defined by this (when accessMethod is id-ad-cmc) are not defined by this
specification. specification.
The ASN.1 for this extension is: GeneralName The ASN.1 for this extension is: GeneralName
id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 } id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }
2.12. Updates Section 8. Security Considerations 2.12. Updates Section 8. Security Considerations
The following paragraph is to be added to the end of section 8. The following paragraphs are to be added to the end of section 8.
A number of controls such as the RA Identity Proof Witness control A number of controls such as the RA Identity Proof Witness control
exist for an RA to either make assertions about or modify a exist for an RA to either make assertions about or modify a
certificate request. Any upstream request processor, such as a CA, certificate request. Any upstream request processor, such as a CA,
MUST verify that the RA is fully identified and authorized to make MUST verify that the RA is fully identified and authorized to make
assertion or modification it is claiming. If it is not identified or assertion or modification it is claiming. If it is not identified or
authorized then any request MUST be rejected. authorized then any request MUST be rejected.
CMC servers, both RAs and CAs, need to due diligence in checking the
contents of a certificate request. At an absolute minimum all fields
should be checked to ensure that the policies of the CA/RA are
correctly enforced. While all fields need to be checked, special
care should be taken with names, name forms, algorithm choices and
algorithm parameters.
3. Updates to RFC 5273 - Certificate Management over CMS (CMC): 3. Updates to RFC 5273 - Certificate Management over CMS (CMC):
Transport Protocols Transport Protocols
3.1. Update to Section 5 TCP-Based Protocol 3.1. Update to Section 5 TCP-Based Protocol
The following replaces paragraph 3 in section 5. The following replaces paragraph 3 in section 5.
CMC requires a registered port number to send and receive CMC CMC requires a registered port number to send and receive CMC
messages over TCP. The title of this IP Protocol number is "pkix- messages over TCP. The title of this IP Protocol number is "pkix-
cmc". The value of this TCP port is TBD1. cmc". The value of this TCP port is TBD1.
Prior to this update, CMC did not have a registred port number and
used an externally configured port from the Private Port range.
Client implementations MAY want to continue to allow for this to
occur. Servers SHOULD change to use the new port. It is expected
that HTTP will continue to be the primary transport method used by
CMC installations.
3.2. New Section 6. IANA Considerations 3.2. New Section 6. IANA Considerations
This is a new section to be inserted before the current section 6. This is a new section to be inserted before the current section 6.
IANA is requested to assign a TCP port number in the Registered Port IANA is requested to assign a TCP port number in the Registered Port
Number range for the use of CMC. Number range for the use of CMC.
Service name: pkix-cmc Service name: pkix-cmc
Port Number: [ TBD1 ] Port Number: [ TBD1 ]
Transport protocol: TCP Transport protocol: TCP
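Review bot: The paragraph added to the Security Considerations update ("CMC servers, both RAs and CAs, need to due diligence ...") is missing a verb ("need to do due diligence") and states its one requirement with a lowercase "should", while the paragraph just before it uses MUST. If checking every field against CA/RA policy is meant to be normative, use SHOULD or MUST so implementers can tell. In the added TCP paragraph, "registred" should be "registered", and "Client implementations MAY want to continue to allow for this" reads better as "Client implementations MAY continue to allow an externally configured port", since MAY already expresses the option. The unchanged sentence above it calls pkix-cmc an "IP Protocol number", although the rest of the section and the IANA request treat it as a TCP service name and port; that is worth fixing while this paragraph is open.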
skipping to change at page 17, line 14 skipping to change at page 18, line 14
Appendix A. ASN.1 Modules Appendix A. ASN.1 Modules
A.1. 1988 ASN.1 Module A.1. 1988 ASN.1 Module
This section contains the updated ASN.1 module for [RFC5272]. This This section contains the updated ASN.1 module for [RFC5272]. This
module replaces the module in Appendix A. Although a 2008 ASN.1 module replaces the module in Appendix A. Although a 2008 ASN.1
Module is provided, this remains the normative module as per the Module is provided, this remains the normative module as per the
policy of the PKIX working group. policy of the PKIX working group.
EnrollmentMessageSyntax-2011-v08 EnrollmentMessageSyntax-2011-v88
{ iso(1) identified-organization(3) dod(4) internet(1) { iso(1) identified-organization(3) dod(4) internet(1)
security(5) mechansims(5) pkix(7) id-mod(0) security(5) mechansims(5) pkix(7) id-mod(0)
id-mod-enrollMsgSyntax-2011-88(76) } id-mod-enrollMsgSyntax-2011-88(76) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All -- -- EXPORTS All --
-- The types and values defined in this module are exported for use -- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for -- in the other ASN.1 modules. Other applications may use them for
-- their own purposes. -- their own purposes.
IMPORTS IMPORTS
-- PKIX Part 1 - Implicit From [RFC5280] -- PKIX Part 1 - Implicit From [RFC5280]
GeneralName, CRLReason, ReasonFlags, GeneralNames GeneralName, CRLReason, ReasonFlags, GeneralNames
FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19)} id-pkix1-implicit(19)}
-- PKIX Part 1 - Explicit From [RFC5280] -- PKIX Part 1 - Explicit From [RFC5280]
AlgorithmIdentifier, Extension, Name, CertificateSerialNumber, AlgorithmIdentifier, Extension, Name, CertificateSerialNumber,
id-ad, id-kp id-ad, id-kp
FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18)} id-pkix1-explicit(18)}
-- Cryptographic Message Syntax FROM [CMS] -- Cryptographic Message Syntax FROM [CMS]
ContentInfo, Attribute, IssuerAndSerialNumber ContentInfo, Attribute, IssuerAndSerialNumber
FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) FROM CryptographicMessageSyntax2004 { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
modules(0) cms-2004(24)} modules(0) cms-2004(24)}
-- CRMF FROM [RFC4211] -- CRMF FROM [RFC4211]
CertReqMsg, PKIPublicationInfo, CertTemplate CertReqMsg, PKIPublicationInfo, CertTemplate
FROM PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6) FROM PKIXCRMF-2005 {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-crmf2005(36)}; id-mod-crmf2005(36)};
-- Global Types -- Global Types
-- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
-- The content of this type conforms to RFC 2279. -- The content of this type conforms to RFC 2279.
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) } dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls id-cmc OBJECT IDENTIFIER ::= {id-pkix 7} -- CMC controls
id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types id-cct OBJECT IDENTIFIER ::= {id-pkix 12} -- CMC content types
-- The following controls have the type OCTET STRING -- The following controls have the type OCTET STRING
id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3} id-cmc-identityProof OBJECT IDENTIFIER ::= {id-cmc 3}
id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4} id-cmc-dataReturn OBJECT IDENTIFIER ::= {id-cmc 4}
id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18} id-cmc-regInfo OBJECT IDENTIFIER ::= {id-cmc 18}
id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19} id-cmc-responseInfo OBJECT IDENTIFIER ::= {id-cmc 19}
id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21} id-cmc-queryPending OBJECT IDENTIFIER ::= {id-cmc 21}
id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22} id-cmc-popLinkRandom OBJECT IDENTIFIER ::= {id-cmc 22}
id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23} id-cmc-popLinkWitness OBJECT IDENTIFIER ::= {id-cmc 23}
-- The following controls have the type UTF8String -- The following controls have the type UTF8String
id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2} id-cmc-identification OBJECT IDENTIFIER ::= {id-cmc 2}
-- The following controls have the type INTEGER -- The following controls have the type INTEGER
id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5} id-cmc-transactionId OBJECT IDENTIFIER ::= {id-cmc 5}
-- The following controls have the type OCTET STRING -- The following controls have the type OCTET STRING
id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6} id-cmc-senderNonce OBJECT IDENTIFIER ::= {id-cmc 6}
id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7} id-cmc-recipientNonce OBJECT IDENTIFIER ::= {id-cmc 7}
-- This is the content type used for a request message in the protocol -- This is the content type used for a request message
-- in the protocol
id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 } id-cct-PKIData OBJECT IDENTIFIER ::= { id-cct 2 }
PKIData ::= SEQUENCE { PKIData ::= SEQUENCE {
controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest, reqSequence SEQUENCE SIZE(0..MAX) OF TaggedRequest,
cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
} }
bodyIdMax INTEGER ::= 4294967295 bodyIdMax INTEGER ::= 4294967295
BodyPartID ::= INTEGER(0..bodyIdMax) BodyPartID ::= INTEGER(0..bodyIdMax)
TaggedAttribute ::= SEQUENCE { TaggedAttribute ::= SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
attrType OBJECT IDENTIFIER, attrType OBJECT IDENTIFIER,
attrValues SET OF AttributeValue attrValues SET OF AttributeValue
} }
AttributeValue ::= ANY AttributeValue ::= ANY
TaggedRequest ::= CHOICE { TaggedRequest ::= CHOICE {
tcr [0] TaggedCertificationRequest, tcr [0] TaggedCertificationRequest,
crm [1] CertReqMsg, crm [1] CertReqMsg,
orm [2] SEQUENCE { orm [2] SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
requestMessageType OBJECT IDENTIFIER, requestMessageType OBJECT IDENTIFIER,
requestMessageValue ANY DEFINED BY requestMessageType requestMessageValue ANY DEFINED BY requestMessageType
} }
} }
TaggedCertificationRequest ::= SEQUENCE { TaggedCertificationRequest ::= SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
certificationRequest CertificationRequest certificationRequest CertificationRequest
} }
CertificationRequest ::= SEQUENCE { CertificationRequest ::= SEQUENCE {
certificationRequestInfo SEQUENCE { certificationRequestInfo SEQUENCE {
version INTEGER, version INTEGER,
subject Name, subject Name,
subjectPublicKeyInfo SEQUENCE { subjectPublicKeyInfo SEQUENCE {
algorithm AlgorithmIdentifier, algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }, subjectPublicKey BIT STRING },
attributes [0] IMPLICIT SET OF Attribute }, attributes [0] IMPLICIT SET OF Attribute },
signatureAlgorithm AlgorithmIdentifier, signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING signature BIT STRING
} }
TaggedContentInfo ::= SEQUENCE { TaggedContentInfo ::= SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
contentInfo ContentInfo contentInfo ContentInfo
} }
OtherMsg ::= SEQUENCE { OtherMsg ::= SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
otherMsgType OBJECT IDENTIFIER, otherMsgType OBJECT IDENTIFIER,
otherMsgValue ANY DEFINED BY otherMsgType } otherMsgValue ANY DEFINED BY otherMsgType }
-- This defines the response message in the protocol -- This defines the response message in the protocol
id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 } id-cct-PKIResponse OBJECT IDENTIFIER ::= { id-cct 3 }
ResponseBody ::= PKIResponse ResponseBody ::= PKIResponse
PKIResponse ::= SEQUENCE { PKIResponse ::= SEQUENCE {
controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute, controlSequence SEQUENCE SIZE(0..MAX) OF TaggedAttribute,
cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo, cmsSequence SEQUENCE SIZE(0..MAX) OF TaggedContentInfo,
otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg otherMsgSequence SEQUENCE SIZE(0..MAX) OF OtherMsg
} }
-- Used to return status state in a response -- Used to return status state in a response
id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1} id-cmc-statusInfo OBJECT IDENTIFIER ::= {id-cmc 1}
CMCStatusInfo ::= SEQUENCE { CMCStatusInfo ::= SEQUENCE {
cMCStatus CMCStatus, cMCStatus CMCStatus,
bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID, bodyList SEQUENCE SIZE (1..MAX) OF BodyPartID,
statusString UTF8String OPTIONAL, statusString UTF8String OPTIONAL,
otherInfo CHOICE { otherInfo CHOICE {
failInfo CMCFailInfo, failInfo CMCFailInfo,
pendInfo PendInfo } OPTIONAL pendInfo PendInfo } OPTIONAL
} }
PendInfo ::= SEQUENCE { PendInfo ::= SEQUENCE {
pendToken OCTET STRING, pendToken OCTET STRING,
pendTime GeneralizedTime pendTime GeneralizedTime
} }
CMCStatus ::= INTEGER { CMCStatus ::= INTEGER {
success (0), success (0),
failed (2), failed (2),
pending (3), pending (3),
noSupport (4), noSupport (4),
confirmRequired (5), confirmRequired (5),
popRequired (6), popRequired (6),
partial (7) partial (7)
} }
-- Note: -- Note:
-- The spelling of unsupportedExt is corrected in this version. -- The spelling of unsupportedExt is corrected in this version.
-- In RFC 2797, it was unsuportedExt. -- In RFC 2797, it was unsuportedExt.
CMCFailInfo ::= INTEGER { CMCFailInfo ::= INTEGER {
badAlg (0), badAlg (0),
badMessageCheck (1), badMessageCheck (1),
badRequest (2), badRequest (2),
badTime (3), badTime (3),
badCertId (4), badCertId (4),
unsupportedExt (5), unsupportedExt (5),
mustArchiveKeys (6), mustArchiveKeys (6),
badIdentity (7), badIdentity (7),
popRequired (8), popRequired (8),
popFailed (9), popFailed (9),
noKeyReuse (10), noKeyReuse (10),
internalCAError (11), internalCAError (11),
tryLater (12), tryLater (12),
authDataFail (13) authDataFail (13)
} }
-- Used for RAs to add extensions to certification requests -- Used for RAs to add extensions to certification requests
id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8} id-cmc-addExtensions OBJECT IDENTIFIER ::= {id-cmc 8}
AddExtensions ::= SEQUENCE { AddExtensions ::= SEQUENCE {
pkiDataReference BodyPartID, pkiDataReference BodyPartID,
certReferences SEQUENCE OF BodyPartID, certReferences SEQUENCE OF BodyPartID,
extensions SEQUENCE OF Extension extensions SEQUENCE OF Extension
} }
id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9} id-cmc-encryptedPOP OBJECT IDENTIFIER ::= {id-cmc 9}
id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10} id-cmc-decryptedPOP OBJECT IDENTIFIER ::= {id-cmc 10}
EncryptedPOP ::= SEQUENCE { EncryptedPOP ::= SEQUENCE {
request TaggedRequest, request TaggedRequest,
cms ContentInfo, cms ContentInfo,
thePOPAlgID AlgorithmIdentifier, thePOPAlgID AlgorithmIdentifier,
witnessAlgID AlgorithmIdentifier, witnessAlgID AlgorithmIdentifier,
witness OCTET STRING witness OCTET STRING
} }
DecryptedPOP ::= SEQUENCE { DecryptedPOP ::= SEQUENCE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
thePOPAlgID AlgorithmIdentifier, thePOPAlgID AlgorithmIdentifier,
thePOP OCTET STRING thePOP OCTET STRING
} }
id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11} id-cmc-lraPOPWitness OBJECT IDENTIFIER ::= {id-cmc 11}
LraPopWitness ::= SEQUENCE { LraPopWitness ::= SEQUENCE {
pkiDataBodyid BodyPartID, pkiDataBodyid BodyPartID,
bodyIds SEQUENCE OF BodyPartID bodyIds SEQUENCE OF BodyPartID
} }
-- --
id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15} id-cmc-getCert OBJECT IDENTIFIER ::= {id-cmc 15}
GetCert ::= SEQUENCE { GetCert ::= SEQUENCE {
issuerName GeneralName, issuerName GeneralName,
serialNumber INTEGER } serialNumber INTEGER }
id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16} id-cmc-getCRL OBJECT IDENTIFIER ::= {id-cmc 16}
GetCRL ::= SEQUENCE { GetCRL ::= SEQUENCE {
issuerName Name, issuerName Name,
cRLName GeneralName OPTIONAL, cRLName GeneralName OPTIONAL,
time GeneralizedTime OPTIONAL, time GeneralizedTime OPTIONAL,
reasons ReasonFlags OPTIONAL } reasons ReasonFlags OPTIONAL }
id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17} id-cmc-revokeRequest OBJECT IDENTIFIER ::= {id-cmc 17}
RevokeRequest ::= SEQUENCE { RevokeRequest ::= SEQUENCE {
issuerName Name, issuerName Name,
serialNumber INTEGER, serialNumber INTEGER,
reason CRLReason, reason CRLReason,
invalidityDate GeneralizedTime OPTIONAL, invalidityDate GeneralizedTime OPTIONAL,
passphrase OCTET STRING OPTIONAL, passphrase OCTET STRING OPTIONAL,
comment UTF8String OPTIONAL } comment UTF8String OPTIONAL }
id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24} id-cmc-confirmCertAcceptance OBJECT IDENTIFIER ::= {id-cmc 24}
CMCCertId ::= IssuerAndSerialNumber CMCCertId ::= IssuerAndSerialNumber
-- The following is used to request V3 extensions be added to a -- The following is used to request V3 extensions be added to a
-- certificate -- certificate
id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) id-ExtensionReq OBJECT IDENTIFIER ::= {iso(1) member-body(2)
rsadsi(113549) pkcs(1) pkcs-9(9) 14} us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 14}
ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension ExtensionReq ::= SEQUENCE SIZE (1..MAX) OF Extension
-- The following exists to allow Diffie-Hellman Certification -- The following exists to allow Diffie-Hellman Certification
-- Requests Messages to be well-formed -- Requests Messages to be well-formed
id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2} id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
NoSignatureValue ::= OCTET STRING NoSignatureValue ::= OCTET STRING
-- Unauthenticated attribute to carry removable data. -- Unauthenticated attribute to carry removable data.
-- This could be used in an update of "CMC Extensions: Server Side -- This could be used in an update of "CMC Extensions: Server
-- Key Generation and Key Escrow" (February 2005) and in other -- Side Key Generation and Key Escrow" (February 2005) and in
-- documents. -- other documents.
id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-aa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)} rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2)}
id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34} id-aa-cmc-unsignedData OBJECT IDENTIFIER ::= {id-aa 34}
CMCUnsignedData ::= SEQUENCE { CMCUnsignedData ::= SEQUENCE {
bodyPartPath BodyPartPath, bodyPartPath BodyPartPath,
identifier OBJECT IDENTIFIER, identifier OBJECT IDENTIFIER,
content ANY DEFINED BY identifier content ANY DEFINED BY identifier
} }
-- Replaces CMC Status Info -- Replaces CMC Status Info
-- --
id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25} id-cmc-statusInfoV2 OBJECT IDENTIFIER ::= {id-cmc 25}
CMCStatusInfoV2 ::= SEQUENCE { CMCStatusInfoV2 ::= SEQUENCE {
cMCStatus CMCStatus, cMCStatus CMCStatus,
bodyList SEQUENCE SIZE (1..MAX) OF bodyList SEQUENCE SIZE (1..MAX) OF
BodyPartReference, BodyPartReference,
statusString UTF8String OPTIONAL, statusString UTF8String OPTIONAL,
otherInfo CHOICE { otherInfo CHOICE {
failInfo CMCFailInfo, failInfo CMCFailInfo,
pendInfo PendInfo, pendInfo PendInfo,
extendedFailInfo SEQUENCE { extendedFailInfo SEQUENCE {
failInfoOID OBJECT IDENTIFIER, failInfoOID OBJECT IDENTIFIER,
failInfoValue AttributeValue failInfoValue AttributeValue
} }
} OPTIONAL } OPTIONAL
} }
BodyPartReference ::= CHOICE { BodyPartReference ::= CHOICE {
bodyPartID BodyPartID, bodyPartID BodyPartID,
bodyPartPath BodyPartPath bodyPartPath BodyPartPath
} }
BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID BodyPartPath ::= SEQUENCE SIZE (1..MAX) OF BodyPartID
-- Allow for distribution of trust anchors -- Allow for distribution of trust anchors
-- --
id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26} id-cmc-trustedAnchors OBJECT IDENTIFIER ::= {id-cmc 26}
PublishTrustAnchors ::= SEQUENCE { PublishTrustAnchors ::= SEQUENCE {
seqNumber INTEGER, seqNumber INTEGER,
hashAlgorithm AlgorithmIdentifier, hashAlgorithm AlgorithmIdentifier,
anchorHashes SEQUENCE OF OCTET STRING anchorHashes SEQUENCE OF OCTET STRING
} }
id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27} id-cmc-authData OBJECT IDENTIFIER ::= {id-cmc 27}
AuthPublish ::= BodyPartID AuthPublish ::= BodyPartID
-- These two items use BodyPartList -- These two items use BodyPartList
id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28} id-cmc-batchRequests OBJECT IDENTIFIER ::= {id-cmc 28}
id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29} id-cmc-batchResponses OBJECT IDENTIFIER ::= {id-cmc 29}
BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID BodyPartList ::= SEQUENCE SIZE (1..MAX) OF BodyPartID
-- --
id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30} id-cmc-publishCert OBJECT IDENTIFIER ::= {id-cmc 30}
CMCPublicationInfo ::= SEQUENCE { CMCPublicationInfo ::= SEQUENCE {
hashAlg AlgorithmIdentifier, hashAlg AlgorithmIdentifier,
certHashes SEQUENCE OF OCTET STRING, certHashes SEQUENCE OF OCTET STRING,
pubInfo PKIPublicationInfo pubInfo PKIPublicationInfo
} }
id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31} id-cmc-modCertTemplate OBJECT IDENTIFIER ::= {id-cmc 31}
ModCertTemplate ::= SEQUENCE { ModCertTemplate ::= SEQUENCE {
pkiDataReference BodyPartPath, pkiDataReference BodyPartPath,
certReferences BodyPartList, certReferences BodyPartList,
replace BOOLEAN DEFAULT TRUE, replace BOOLEAN DEFAULT TRUE,
certTemplate CertTemplate certTemplate CertTemplate
} }
-- Inform follow on servers that one or more controls have already -- Inform follow on servers that one or more controls have already
-- been processed -- been processed
id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32} id-cmc-controlProcessed OBJECT IDENTIFIER ::= {id-cmc 32}
ControlsProcessed ::= SEQUENCE { ControlsProcessed ::= SEQUENCE {
bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference bodyList SEQUENCE SIZE(1..MAX) OF BodyPartReference
} }
-- Identity Proof control w/ algorithm agility -- Identity Proof control w/ algorithm agility
id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 34 } id-cmc-identityProofV2 OBJECT IDENTIFIER ::= { id-cmc 34 }
IdentifyProofV2 ::= SEQUENCE { IdentifyProofV2 ::= SEQUENCE {
proofAlgID AlgorithmIdentifier, proofAlgID AlgorithmIdentifier,
macAlgId AlgorithmIdentifier, macAlgId AlgorithmIdentifier,
witness OCTET STRING witness OCTET STRING
} }
id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 33 } id-cmc-popLinkWitnessV2 OBJECT IDENTIFIER ::= { id-cmc 33 }
PopLinkWitnessV2 ::= SEQUENCE { PopLinkWitnessV2 ::= SEQUENCE {
keyGenAlgorithm AlgorithmIdentifier, keyGenAlgorithm AlgorithmIdentifier,
macAlgorithm AlgorithmIdentifier, macAlgorithm AlgorithmIdentifier,
witness OCTET STRING witness OCTET STRING
} }
-- --
id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35} id-cmc-raIdentityWitness OBJECT IDENTIFIER ::= {id-cmc 35}
-- --
-- Allow for an End-Entity to request a change in name -- Allow for an End-Entity to request a change in name
-- This item is added to RegControlSet in CRMF -- This item is added to RegControlSet in CRMF
-- --
id-cmc-changeSubjectName OBJECT IDENTIFIER ::= {id-cmc 36} id-cmc-changeSubjectName OBJECT IDENTIFIER ::= {id-cmc 36}
ChangeSubjectName ::= SEQUENCE { ChangeSubjectName ::= SEQUENCE {
subject Name OPTIONAL, subject Name OPTIONAL,
subjectAlt GeneralNames OPTIONAL subjectAlt GeneralNames OPTIONAL
} }
-- (WITH COMPONENTS {..., subject PRESENT} | -- (WITH COMPONENTS {..., subject PRESENT} |
-- WITH COMPONENTS {..., subjectAlt PRESENT} ) -- WITH COMPONENTS {..., subjectAlt PRESENT} )
-- --
-- Embedded response from a third party for processing -- Embedded response from a third party for processing
-- --
id-cmc-responseBody OBJECT IDENTIFIER ::= {id-cmc 37} id-cmc-responseBody OBJECT IDENTIFIER ::= {id-cmc 37}
-- --
-- Key purpose identifiers are in the extended key usage extension -- Key purpose identifiers are in the extended key usage extension
-- --
id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 } id-kp-cmcCA OBJECT IDENTIFIER ::= { id-kp 27 }
id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 28 } id-kp-cmcArchive OBJECT IDENTIFIER ::= { id-kp 28 }
-- --
-- Subject Information Access identifier -- Subject Information Access identifier
-- --
id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 } id-ad-cmc OBJECT IDENTIFIER ::= { id-ad 12 }
END END
A.2. 2008 ASN.1 Module A.2. 2008 ASN.1 Module
An updated 2008 ASN.1 module has been provided as part of this An updated 2008 ASN.1 module has been provided as part of this
update. The module contains changes that were made as part of the update. The module contains changes that were made as part of the
re-write to current ASN.1 standards in [RFC5912] as well as the re-write to current ASN.1 standards in [RFC5912] as well as the
changes for this document. changes for this document.
EnrollmentMessageSyntax-2011-v08 EnrollmentMessageSyntax-2011-v08
{iso(1) identified-organization(3) dod(6) internet(1) {iso(1) identified-organization(3) dod(6) internet(1)
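Review bot: id-kp-cmcRA and id-kp-cmcArchive are both defined as { id-kp 28 } near the end of the 1988 module, unchanged between the two versions, so an Extended Key Usage check cannot tell an RA certificate from an archive certificate. One of the two needs its own arc, because the Security Considerations text requires a CA to verify that an RA is authorized for the assertion it makes. The module identifier that this revision renames to EnrollmentMessageSyntax-2011-v88 still carries "dod(4)" and "mechansims(5)", while every IMPORTS clause and the id-pkix definition use "dod(6)" and "mechanisms(5)"; correct both in the same edit. The rename itself does remove the name clash with the 2008 module, which is also called EnrollmentMessageSyntax-2011-v08.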
 End of changes. 112 change blocks. 
339 lines changed or deleted 359 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/