LAMPS Working Group                                         M. Richardson
Internet-Draft                                   Sandelman Software Works
Intended status: Standards Track                                T. Werner
Expires: December 20, 2019                                        Siemens
                                                                   W. Pan
                                                      Huawei Technologies
                                                            June 18, 2019


     Clarification of Enrollment over Secure Transport (EST): transfer
                            encodings and ASN.1
               draft-richardson-lamps-rfc7030est-clarify-02

Abstract

   This document updates RFC7030: Enrollment over Secure Transport (EST)
   to resolve some reported errata, which have proven to cause
   interoperability problems when RFC7030 has been extended.

   This document deprecates the specification of "Content-Transfer-
   Encoding" headers for EST endpoints, providing a way to do this in an
   upward-compatible way.  This document additionally defines a GRASP
   discovery mechanism for EST endpoints, and specifies requirements for
   them.

   Finally, this document fixes some syntactical errors in the ASN.1
   that was presented.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 20, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Requirements Language
   4.  Changes to EST endpoint processing
   5.  Clarification of ASN.1 for Certificate Attribute set
   6.  Clarification of error messages for certificate enrollment
       operations
   7.  Privacy Considerations
   8.  Security Considerations
   9.  IANA Considerations
   10. Acknowledgements
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Authors' Addresses

1.  Introduction

   [RFC7030] defines the Enrollment over Secure Transport, or EST,
   protocol.

   That specification defines a number of HTTP endpoints for
   certificate enrollment and management.  The details of the
   transaction were defined in terms of MIME headers as defined in
   [RFC2045], rather than in terms of the HTTP protocol as defined in
   [RFC2616] and [RFC7230].

   [RFC2616] and later [RFC7231] Appendix A.5 have text specifically
   deprecating Content-Transfer-Encoding.

   [RFC7030] calls out this header incorrectly.
   [I-D.ietf-anima-bootstrapping-keyinfra] extends [RFC7030], adding new
   functionality, and interop testing of the protocol has revealed that
   the unusual processing called out in [RFC7030] causes confusion.

   EST is currently specified as part of IEC 62351, and is widely used
   in Government, Utilities and Financial markets today.

   Changes to [RFC7030] to bring it in line with typical HTTP processing
   would change the on-wire protocol in a way that is not backwards
   compatible.  Reports from the field suggest that many implementations
   do not send the Content-Transfer-Encoding header, and many of them
   ignore it.

   This document therefore revises [RFC7030] to reflect the field
   reality, deprecating the extraneous header.

   This document deals with errata numbers [errata4384], [errata5107],
   and [errata5108].

2.  Terminology

   The abbreviation "CTE" is used to denote the Content-Transfer-
   Encoding header, and the abbreviation "CTE-base64" is used to denote
   a request or response whose Content-Transfer-Encoding header contains
   the value "base64".

3.  Requirements Language

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119] and indicate requirement levels for compliant
   implementations.

4.  Changes to EST endpoint processing

   The [RFC7030] sections 4.1.3 (CA Certificates Response, /cacerts),
   4.3.1/4.3.2 (Full CMC, /fullcmc), 4.4.2 (Server-Side Key Generation,
   /serverkeygen), and 4.5.2 (CSR Attributes, /csrattrs) specify the use
   of base64 encoding with a Content-Transfer-Encoding header for
   requests and responses.

   This document updates [RFC7030] to require the POST request and
   payload response of all endpoints to be [RFC4648] Section 4 Base64-
   encoded DER.
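   The following Python is an example added to this page to illustrate
   the Section 4 requirement; it is not code from the draft, from
   RFC 7030, or from any EST implementation.  The function names
   (encode_est_payload, decode_est_payload, der_total_length), the
   constructed SAMPLE_DER (a bare SEQUENCE of two INTEGERs standing in
   for the PKCS#7/PKCS#10 DER a real endpoint carries) and the decision
   to strip whitespace before decoding are all assumptions made here.
   The sender emits RFC 4648 Section 4 Base64 with no Content-Transfer-
   Encoding header; the receiver never reads that header, decodes
   strictly, and checks that the result is exactly one complete DER
   value.

```python
"""Illustrative EST payload handling (added example, not RFC 7030 or draft code)."""
import base64
import binascii
import re
from typing import Dict, Mapping, Tuple

# Constructed sample payload: a DER SEQUENCE of two INTEGERs (1 and 2).
# It stands in for the PKCS#7 / PKCS#10 / CSR-attributes DER that a real
# EST endpoint would carry; no real certificate is embedded here.
SAMPLE_DER = bytes.fromhex("3006020101020102")

_WS = re.compile(rb"[ \t\r\n]+")


def der_total_length(der: bytes) -> int:
    """Return the size of the outermost DER TLV, or raise ValueError.

    Only the tag and length octets are examined (single-byte tag assumed,
    which holds for SEQUENCE 0x30).  This is a sanity check that the body
    decoded to exactly one complete DER value, not a full ASN.1 decoder.
    """
    if len(der) < 2:
        raise ValueError("DER too short")
    first = der[1]
    if first < 0x80:                      # short form: length in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n octets of length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("indefinite or oversized DER length")
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80 or der[2] == 0:      # DER requires the minimal encoding
        raise ValueError("non-minimal DER length")
    return 2 + n + length


def check_single_der_value(der: bytes) -> None:
    total = der_total_length(der)
    if total != len(der):
        raise ValueError(f"DER value is {total} bytes but payload is {len(der)}")


def encode_est_payload(der: bytes, content_type: str) -> Tuple[Dict[str, str], bytes]:
    """Build headers and body for an EST request or response.

    The body is RFC 4648 Section 4 Base64 of the DER, with no line breaks,
    and no Content-Transfer-Encoding header is emitted, since the draft
    deprecates it.  Content-Type is whatever RFC 7030 requires for the
    endpoint (e.g. application/pkcs7-mime for /cacerts).
    """
    check_single_der_value(der)
    return {"Content-Type": content_type}, base64.b64encode(der)


def decode_est_payload(headers: Mapping[str, str], body: bytes,
                       expected_type: str) -> bytes:
    """Recover the DER from an EST body as the draft's Section 4 directs.

    * Any Content-Transfer-Encoding header is ignored, whatever its value.
    * The Content-Type media type is still checked (RFC 7030 requires it);
      parameters such as smime-type are not compared here.
    * Whitespace, including the CRLF wrapping that MIME-style CTE-base64
      senders produce, is stripped first.  That tolerance is a choice made
      in this example, not a rule the draft states.
    * Decoding is strict: any character outside the Base64 alphabet, or
      bad padding, rejects the whole body rather than being skipped.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    media_type = lower.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != expected_type.lower():
        raise ValueError(f"unexpected Content-Type {media_type!r}")
    # Note: lower.get("content-transfer-encoding") is deliberately never read.
    compact = _WS.sub(b"", body)
    try:
        der = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"body is not RFC 4648 Base64: {exc}") from None
    check_single_der_value(der)
    return der


def decodes_cleanly(headers: Mapping[str, str], body: bytes,
                    expected_type: str) -> bool:
    """True if decode_est_payload accepts the message, False if it rejects it."""
    try:
        decode_est_payload(headers, body, expected_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hdrs, body = encode_est_payload(SAMPLE_DER, "application/pkcs7-mime")
    print("sent:", hdrs, body)
    # Three receivers' views of the same body: legacy CTE, no CTE, bogus CTE.
    for extra in ({"Content-Transfer-Encoding": "base64"}, {},
                  {"Content-Transfer-Encoding": "binary"}):
        got = decode_est_payload({**hdrs, **extra}, body, "application/pkcs7-mime")
        print(extra or "(no CTE)", "->", got.hex())
```

   Two choices in the receiver matter for interoperability.  Decoding
   with validate=True means a body that is not clean Base64 fails
   loudly instead of being silently trimmed, so two endpoints cannot end
   up holding different bytes for the same message.  The DER length
   check then rejects a body that decoded but is truncated or carries
   trailing data, which is the kind of field confusion the Introduction
   describes.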
   This format is to be used regardless of whether there is any
   Content-Transfer-Encoding header, and any value in that header is to
   be ignored.

5.  Clarification of ASN.1 for Certificate Attribute set

   errata 4384.

6.  Clarification of error messages for certificate enrollment
    operations

   errata 5108.

7.  Privacy Considerations

   This document does not disclose any additional identifiers to either
   an active or a passive observer beyond what they would see with
   [RFC7030].

8.  Security Considerations

   This document clarifies an existing security mechanism.  An option is
   introduced into the security mechanism using an implicit negotiation.

9.  IANA Considerations

   This document does not require any registrations.

10.  Acknowledgements

   This work was supported by Huawei Technologies.

11.  References

11.1.  Normative References

   [I-D.ietf-anima-bootstrapping-keyinfra]
              Pritikin, M., Richardson, M., Behringer, M., Bjarnason,
              S., and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
              keyinfra-21 (work in progress), June 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

   [RFC7030]  Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
              "Enrollment over Secure Transport", RFC 7030,
              DOI 10.17487/RFC7030, October 2013.

11.2.  Informative References

   [errata4384]
              "EST errata 4384: ASN.1 encoding error", n.d.

   [errata5107]
              "EST errata 5107: use Content-Transfer-Encoding", n.d.

   [errata5108]
              "EST errata 5108: use of Content-Type for error message",
              n.d.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616,
              DOI 10.17487/RFC2616, June 1999.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014.

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca


   Thomas Werner
   Siemens

   Email: thomas.werner@siemens.com


   Wei Pan
   Huawei Technologies

   Email: william.panwei@huawei.com