draft-ietf-lamps-cmp-updates-23.original   draft-ietf-lamps-cmp-updates-24.txt 
LAMPS Working Group H. Brockhaus, Ed. LAMPS Working Group H. Brockhaus, Ed.
Internet-Draft D. von Oheimb Internet-Draft D. von Oheimb
Updates: 4210, 5912, 6712 (if approved) Siemens Updates: 4210, 5912, 6712 (if approved) Siemens
Intended status: Standards Track J. Gray Intended status: Standards Track J. Gray
Expires: 31 December 2022 Entrust Expires: 13 January 2024 Entrust
29 June 2022 12 July 2023
Certificate Management Protocol (CMP) Updates Certificate Management Protocol (CMP) Updates
draft-ietf-lamps-cmp-updates-23 draft-ietf-lamps-cmp-updates-24
Abstract Abstract
This document contains a set of updates to the syntax and transfer of This document contains a set of updates to the syntax and transfer of
Certificate Management Protocol (CMP) version 2. This document Certificate Management Protocol (CMP) version 2. This document
updates RFC 4210, RFC 5912, and RFC 6712. updates RFC 4210, RFC 5912, and RFC 6712.
The aspects of CMP updated in this document are using EnvelopedData The aspects of CMP updated in this document are using EnvelopedData
instead of EncryptedValue, clarifying the handling of p10cr messages, instead of EncryptedValue, clarifying the handling of p10cr messages,
improving the crypto agility, as well as adding new general message improving the crypto agility, as well as adding new general message
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 31 December 2022. This Internet-Draft will expire on 13 January 2024.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
skipping to change at page 4, line 29 skipping to change at page 4, line 29
replaced, or added to the current text of the respective RFCs. replaced, or added to the current text of the respective RFCs.
The authors acknowledge that the style of the document is hard to The authors acknowledge that the style of the document is hard to
read because the original RFCs must be read along with this document read because the original RFCs must be read along with this document
to get the complete content. The working group decided to use this to get the complete content. The working group decided to use this
approach in order to keep the changes to RFC 4210 [RFC4210] and approach in order to keep the changes to RFC 4210 [RFC4210] and
RFC 6712 [RFC6712] to the required minimum. This was meant to speed RFC 6712 [RFC6712] to the required minimum. This was meant to speed
up the editorial process and to minimize the effort spent on up the editorial process and to minimize the effort spent on
reviewing the whole text of the original documents. reviewing the whole text of the original documents.
Nevertheless, in the meantime RFC4210bis [I-D.ietf-lamps-rfc4210bis]
and RFC6712bis [I-D.ietf-lamps-rfc6712bis] drafts were submitted
incorporating the changes listed in this document into the original
RFC text.
1.1. Convention and Terminology 1.1. Convention and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Technical terminology is used in conformance with RFC 4210 [RFC4210], Technical terminology is used in conformance with RFC 4210 [RFC4210],
RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words RFC 4211 [RFC4211], and RFC 5280 [RFC5280]. The following key words
skipping to change at page 7, line 39 skipping to change at page 7, line 39
itself. The CA may delegate its authorization by placing itself. The CA may delegate its authorization by placing
the id-kp-cmKGA extended key usage in the certificate used the id-kp-cmKGA extended key usage in the certificate used
to authenticate the origin of the generated private key. to authenticate the origin of the generated private key.
The authorization may also be determined through local The authorization may also be determined through local
configuration of the end entity. configuration of the end entity.
2.3. Update Section 5.1.1. - PKI Message Header 2.3. Update Section 5.1.1. - PKI Message Header
Section 5.1.1 of RFC 4210 [RFC4210] describes the PKI message header. Section 5.1.1 of RFC 4210 [RFC4210] describes the PKI message header.
This document introduces the new version 3 indicating support of This document introduces the new version 3 indicating support of
EnvelopedData as specified in Section 2.7. EnvelopedData as specified in Section 2.7 and hashAlg as specified in
Section 2.10.
Replace the ASN.1 Syntax of PKIHeader and the subsequent description Replace the ASN.1 Syntax of PKIHeader and the subsequent description
of pvno with the following text: of pvno with the following text:
PKIHeader ::= SEQUENCE { PKIHeader ::= SEQUENCE {
pvno INTEGER { cmp1999(1), cmp2000(2), pvno INTEGER { cmp1999(1), cmp2000(2),
cmp2021(3) }, cmp2021(3) },
sender GeneralName, sender GeneralName,
recipient GeneralName, recipient GeneralName,
messageTime [0] GeneralizedTime OPTIONAL, messageTime [0] GeneralizedTime OPTIONAL,
skipping to change at page 11, line 39 skipping to change at page 11, line 39
The content of the EnvelopedData structure, as specified in CMS The content of the EnvelopedData structure, as specified in CMS
section 6 [RFC5652], MUST be encrypted using a newly generated section 6 [RFC5652], MUST be encrypted using a newly generated
symmetric content-encryption key. This content-encryption key MUST symmetric content-encryption key. This content-encryption key MUST
be securely provided to the recipient using one of three key be securely provided to the recipient using one of three key
management techniques. management techniques.
The choice of the key management technique to be used by the sender The choice of the key management technique to be used by the sender
depends on the credential available at the recipient: depends on the credential available at the recipient:
* Recipient's certificate that contains a key usage extension * Recipient's certificate with an algorithm identifier and a public
asserting keyAgreement: The content-encryption key will be key that supports key transport and where any given key usage
protected using the key agreement key management technique, as extension allows keyEncipherment: The content-encryption key will
specified in CMS section 6.2.2 [RFC5652]. This is the preferred be protected using the key transport key management technique, as
technique. specified in CMS Section 6.2.1 [RFC5652].
* Recipient's certificate that contains a key usage extension * Recipient's certificate with an algorithm identifier and a public
asserting keyEncipherment: The content-encryption key will be key that supports key agreement and where any given key usage
protected using the key transport key management technique, as extension allows keyAgreement: The content-encryption key will be
specified in CMS section 6.2.1 [RFC5652]. protected using the key agreement key management technique, as
specified in CMS Section 6.2.2 [RFC5652].
* A password or shared secret: The content-encryption key will be * A password or shared secret: The content-encryption key will be
protected using the password-based key management technique, as protected using the password-based key management technique, as
specified in CMS section 6.2.4 [RFC5652]. specified in CMS Section 6.2.4 [RFC5652].
2.8. New Section 5.2.9 - GeneralizedTime 2.8. New Section 5.2.9 - GeneralizedTime
The following subsection point implementers to [RFC5280] regarding The following subsection point implementers to [RFC5280] regarding
usage of GeneralizedTime. usage of GeneralizedTime.
Insert this section after Section 5.2.8.4: Insert this section after Section 5.2.8.4:
5.2.9 GeneralizedTime 5.2.9 GeneralizedTime
skipping to change at page 26, line 6 skipping to change at page 26, line 6
Implementations must generate nonces and private keys from random Implementations must generate nonces and private keys from random
input. The use of inadequate pseudo-random number generators (PRNGs) input. The use of inadequate pseudo-random number generators (PRNGs)
to generate cryptographic keys can result in little or no security. to generate cryptographic keys can result in little or no security.
An attacker may find it much easier to reproduce the PRNG environment An attacker may find it much easier to reproduce the PRNG environment
that produced the keys and to search the resulting small set of that produced the keys and to search the resulting small set of
possibilities than brute-force searching the whole key space. As an possibilities than brute-force searching the whole key space. As an
example of predictable random numbers see [CVE-2008-0166]; example of predictable random numbers see [CVE-2008-0166];
consequences of low-entropy random numbers are discussed in Mining consequences of low-entropy random numbers are discussed in Mining
Your Ps and Qs [MiningPsQs]. The generation of quality random Your Ps and Qs [MiningPsQs]. The generation of quality random
numbers is difficult. ISO/IEC 20543:2019 [ISO.20543-2019], NIST SP numbers is difficult. ISO/IEC 20543:2019 [ISO.20543-2019], NIST SP
800-90A Rev.1 [NIST.SP.800-90Ar1], BSI AIS 31 V2.0 [AIS31], and 800-90A Rev.1 [NIST_SP_800_90Ar1], BSI AIS 31 V2.0 [AIS31], and
others offer valuable guidance in this area. others offer valuable guidance in this area.
If shared secret information is generated by a cryptographically If shared secret information is generated by a cryptographically
secure random-number generator (CSRNG) it is safe to assume that the secure random-number generator (CSRNG) it is safe to assume that the
entropy of the shared secret information equals its bit length. If entropy of the shared secret information equals its bit length. If
no CSRNG is used, the entropy of a shared secret information depends no CSRNG is used, the entropy of a shared secret information depends
on the details of the generation process and cannot be measured on the details of the generation process and cannot be measured
securely after it has been generated. If user-generated passwords securely after it has been generated. If user-generated passwords
are used as shared secret information, their entropy cannot be are used as shared secret information, their entropy cannot be
measured and are typically insufficient for protected delivery of measured and are typically insufficient for protected delivery of
skipping to change at page 29, line 24 skipping to change at page 29, line 24
-- * contains the subject and publicKey values, then poposkInput -- * contains the subject and publicKey values, then poposkInput
-- * MUST be omitted and the signature MUST be computed on the -- * MUST be omitted and the signature MUST be computed on the
-- * DER-encoded value of CertReqMsg certReq (or the DER- -- * DER-encoded value of CertReqMsg certReq (or the DER-
-- * encoded value of AltCertTemplate). If -- * encoded value of AltCertTemplate). If
-- * certTemplate/altCertTemplate does not contain both the -- * certTemplate/altCertTemplate does not contain both the
-- * subject and public key values (i.e., if it contains only -- * subject and public key values (i.e., if it contains only
-- * one of these, or neither), then poposkInput MUST be present -- * one of these, or neither), then poposkInput MUST be present
-- * and MUST be signed. -- * and MUST be signed.
-- ********** -- **********
Replace the comment within the ASN.1 syntax coming after the Replace the ASN.1 syntax of POPOPrivKey with the following text:
definition of POPOPrivKey with the following text:
POPOPrivKey ::= CHOICE {
thisMessage [0] BIT STRING, -- deprecated
subsequentMessage [1] SubsequentMessage,
dhMAC [2] BIT STRING, -- deprecated
agreeMAC [3] PKMACValue,
encryptedKey [4] EnvelopedData }
-- ********** -- **********
-- * the type of "thisMessage" is given as BIT STRING in RFC 4211 -- * When using CMP V2 the encrypted value MUST be transferred in
-- * [RFC4211]; it should be "EncryptedKey" (in accordance with -- * the thisMessage field that is given as BIT STRING in [RFC4211]
-- * Section 5.2.2 of this specification). Therefore, this -- * but it requires EncryptedValue. Therefore, this document makes
-- * document makes the behavioral clarification of specifying -- * the behavioral clarification for CMP V2 of specifying that the
-- * that the contents of "thisMessage" MUST be encoded either as -- * contents of "thisMessage" MUST be encoded as an
-- * "EnvelopedData" or "EncryptedValue" (only for backward -- * EncryptedValue and then wrapped in a BIT STRING.
-- * compatibility) and then wrapped in a BIT STRING. This -- * When using CMP V3 the encrypted value MUST be transferred
-- * allows the necessary conveyance and protection of the -- * in the encryptedKey field as specified in Section 5.2.2.
-- * private key while maintaining bits-on-the-wire compatibility
-- * with RFC4210 and [RFCXXXX].
-- ********** -- **********
2.28. Update Appendix D.1. - General Rules for Interpretation of These 2.28. Update Appendix D.1. - General Rules for Interpretation of These
Profiles Profiles
Appendix D.1 of RFC 4210 [RFC4210] provides general rules for Appendix D.1 of RFC 4210 [RFC4210] provides general rules for
interpretation of the PKI management messages profiles specified in interpretation of the PKI management messages profiles specified in
Appendix D and Appendix E of RFC 4210 [RFC4210]. This document Appendix D and Appendix E of RFC 4210 [RFC4210]. This document
updates a sentence regarding the new protocol version cmp2021. updates a sentence regarding the new protocol version cmp2021.
skipping to change at page 34, line 44 skipping to change at page 34, line 45
We also thank all reviewers of this document for their valuable We also thank all reviewers of this document for their valuable
feedback. feedback.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-ace-cmpv2-coap-transport] [I-D.ietf-ace-cmpv2-coap-transport]
Sahni, M. and S. Tripathi, "CoAP Transfer for the Sahni, M. and S. Tripathi, "CoAP Transfer for the
Certificate Management Protocol", Work in Progress, Certificate Management Protocol", Work in Progress,
Internet-Draft, draft-ietf-ace-cmpv2-coap-transport-04, 8 Internet-Draft, draft-ietf-ace-cmpv2-coap-transport-10, 15
November 2021, <https://datatracker.ietf.org/doc/html/ May 2023, <https://datatracker.ietf.org/doc/html/draft-
draft-ietf-ace-cmpv2-coap-transport-04>. ietf-ace-cmpv2-coap-transport-10>.
[I-D.ietf-lamps-cmp-algorithms] [I-D.ietf-lamps-cmp-algorithms]
Brockhaus, H., Aschauer, H., Ounsworth, M., and J. Gray, Brockhaus, H., Aschauer, H., Ounsworth, M., and J. Gray,
"Certificate Management Protocol (CMP) Algorithms", Work "Certificate Management Protocol (CMP) Algorithms", Work
in Progress, Internet-Draft, draft-ietf-lamps-cmp- in Progress, Internet-Draft, draft-ietf-lamps-cmp-
algorithms-15, 2 June 2022, algorithms-15, 2 June 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps- <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
cmp-algorithms-15>. cmp-algorithms-15>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
skipping to change at page 37, line 14 skipping to change at page 37, line 14
<https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ <https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/
Zertifizierung/Interpretationen/AIS_31_Functionality_class Zertifizierung/Interpretationen/AIS_31_Functionality_class
es_for_random_number_generators_e.pdf>. es_for_random_number_generators_e.pdf>.
[CVE-2008-0166] [CVE-2008-0166]
National Institute of Science and Technology (NIST), National Institute of Science and Technology (NIST),
"National Vulnerability Database - CVE-2008-0166", 13 May "National Vulnerability Database - CVE-2008-0166", 13 May
2008, <https://nvd.nist.gov/vuln/detail/CVE-2008-0166>. 2008, <https://nvd.nist.gov/vuln/detail/CVE-2008-0166>.
[I-D.ietf-lamps-lightweight-cmp-profile] [I-D.ietf-lamps-lightweight-cmp-profile]
Brockhaus, H., Oheimb, D. V., and S. Fries, "Lightweight Brockhaus, H., von Oheimb, D., and S. Fries, "Lightweight
Certificate Management Protocol (CMP) Profile", Work in Certificate Management Protocol (CMP) Profile", Work in
Progress, Internet-Draft, draft-ietf-lamps-lightweight- Progress, Internet-Draft, draft-ietf-lamps-lightweight-
cmp-profile-12, 13 May 2022, cmp-profile-21, 17 February 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps- <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
lightweight-cmp-profile-12>. lightweight-cmp-profile-21>.
[IEEE.802.1AR_2018] [I-D.ietf-lamps-rfc4210bis]
IEEE, "IEEE Standard for Local and metropolitan area Brockhaus, H., von Oheimb, D., Ounsworth, M., and J. Gray,
networks - Secure Device Identity", IEEE 802.1AR-2018, "Internet X.509 Public Key Infrastructure -- Certificate
DOI 10.1109/IEEESTD.2018.8423794, 2 August 2018, Management Protocol (CMP)", Work in Progress, Internet-
<https://ieeexplore.ieee.org/document/8423794>. Draft, draft-ietf-lamps-rfc4210bis-07, 19 June 2023,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
rfc4210bis-07>.
[I-D.ietf-lamps-rfc6712bis]
Brockhaus, H., von Oheimb, D., Ounsworth, M., and J. Gray,
"Internet X.509 Public Key Infrastructure -- HTTP Transfer
for the Certificate Management Protocol (CMP)", Work in
Progress, Internet-Draft, draft-ietf-lamps-rfc6712bis-03,
10 February 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-lamps-rfc6712bis-03>.
[ISO.20543-2019] [ISO.20543-2019]
International Organization for Standardization (ISO), International Organization for Standardization (ISO),
"Information technology -- Security techniques -- Test and "Information technology -- Security techniques -- Test and
analysis methods for random bit generators within ISO/IEC analysis methods for random bit generators within ISO/IEC
19790 and ISO/IEC 15408", ISO Draft Standard 20543-2019, 19790 and ISO/IEC 15408", ISO Draft Standard 20543-2019,
October 2019. October 2019.
[MiningPsQs] [MiningPsQs]
Security'12: Proceedings of the 21st USENIX conference on Security'12: Proceedings of the 21st USENIX conference on
Security symposium, Heninger, N., Durumeric, Z., Wustrow, Security symposium, Heninger, N., Durumeric, Z., Wustrow,
E., and J. A. Halderman, "Mining Your Ps and Qs: Detection E., and J. A. Halderman, "Mining Your Ps and Qs: Detection
of Widespread Weak Keys in Network Devices", August 2012, of Widespread Weak Keys in Network Devices", August 2012,
<https://www.usenix.org/conference/usenixsecurity12/ <https://www.usenix.org/conference/usenixsecurity12/
technical-sessions/presentation/heninger>. technical-sessions/presentation/heninger>.
[NIST.SP.800-90Ar1] [NIST_SP_800_90Ar1]
Barker, Elaine B. and John M. Kelsey, "Recommendation for Barker, E. B., Kelsey, J. M., and NIST, "Recommendation
Random Number Generation Using Deterministic Random Bit for Random Number Generation Using Deterministic Random
Generators", NIST NIST SP 800-90Ar1, Bit Generators", NIST Special Publications
DOI 10.6028/NIST.SP.800-90Ar1, June 2015, (General) 800-90Ar1, DOI 10.6028/NIST.SP.800-90Ar1, June
2015,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-90Ar1.pdf>. NIST.SP.800-90Ar1.pdf>.
[PKCS11] RSA Laboratories, "The Public-Key Cryptography Standards - [PKCS11] RSA Laboratories, "The Public-Key Cryptography Standards -
Cryptographic Token Interface Standard. Version 2.10", Cryptographic Token Interface Standard. Version 2.10",
December 1999, December 1999,
<https://www.cryptsoft.com/pkcs11doc/STANDARD/ <https://www.cryptsoft.com/pkcs11doc/STANDARD/
pkcs11v2-10.pdf>. pkcs11v2-10.pdf>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
skipping to change at page 65, line 41 skipping to change at page 65, line 46
-- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 } -- id-kp-cmcRA OBJECT IDENTIFIER ::= { id-kp 28 }
id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 } id-kp-cmKGA OBJECT IDENTIFIER ::= { id-kp 32 }
END END
Appendix B. History of Changes Appendix B. History of Changes
[RFC Editor: This appendix must be deleted in the final version of [RFC Editor: This appendix must be deleted in the final version of
the document.] the document.]
From version 23 -> 24:
* Added a note to Section 1 informing about rfc4210bis and
rfc6712bis activity
* Updated Section 2.7 on guidance which CMS key management technique
to use with encrypted values (see thread "CMS: selection of key
management technique to use for EnvelopedData")
* Updated Section 2.27 to align usage of EnvelopedData in
POPOPrivKey (see thread "draft-ietf-lamps-cmp-updates Section 2.27
- Alignment with RFC4211 syntax")
From version 22 -> 23: From version 22 -> 23:
* Addressed comments from IESG discussion (see thread "Francesca * Addressed comments from IESG discussion (see thread "Francesca
Palombini's No Objection on draft-ietf-lamps-cmp-updates-22: (with Palombini's No Objection on draft-ietf-lamps-cmp-updates-22: (with
COMMENT)") COMMENT)")
* Addressed comment from Carl (see thread "Paul Wouters' Discuss on * Addressed comment from Carl (see thread "Paul Wouters' Discuss on
draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)") draft-ietf-lamps-cmp-updates-21: (with DISCUSS and COMMENT)")
From version 21 -> 22: From version 21 -> 22:
 End of changes. 20 change blocks. 
45 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.48.